Privacy News Highlights
24 November–30 November 2006
Contents:
EU – New Biometric ID Cards Are Not Secure, Warns EU FIDIS project
US – DHS Holds Biometrics Conference With Focus On Privacy
US – Disneyland Launches Biometric Ticketing
CA – Federal Privacy Commissioner Speaks to Parliamentary PIPEDA Review
CA – Legislation Would Protect Manitobans From Identity Theft: Selinger
CA – One in Three Canadians Surveyed Not Protecting Their Identity: Survey
CA – Billions Blown on IT Deals: 5 of 7 Major Tech Projects Mismanaged
WW – Report: Spam Messages Have Tripled Since June
EU – Up to 80% of E-mail in Europe is Spam; EU Mulls New Spam Legislation
US – Privacy Advocate Wins $19,500 In Telemarketing Dispute
AR – E-Voting Stirs Suspicion in Venezuela
CA – OPC Fact Sheet: Digital Rights Management and Technical Protection Measures
EU – Hungary State President Returns Data Act to Parliament
EU – EU Considers Legislation to Require Telecoms to Report Security Breaches
CA – Canadian ISPs Agree to Block Child Porn Sites
EU – Data Supervisors Warn Banks to Notify Consumers About Data-Sharing With U.S.
UK – Most Patients Reject NHS Database in Poll
CA – Entrust to Help Secure Canadian Provider of Electronic Health Records
WW – Stolen Computer News Roundup (3 Items)
WW – Anti-Phishing Toolbars Not Doing Their Job: Study
WW – ICANN Launches Public Comments on Whois Task Force Report
CA – RCMP Gets New Tracking Tool to Hunt Down Online Predators
UK – Police Want High-Powered Microphones on CCTV Cams
WW – GoDaddy Receives Patent for Domain Privacy Services
AU – Australia Money Laundering Bill: Everyday Purchases Could be Recorded
US – Groups File Brief In Support Of Email Privacy
US – Taxpayers Shy From Sharing Info Online: Study
CA – Industry Canada’s Binder says RFID brings up policy issues
UK – Visa to Introduce Contactless Payment for Small Purchases in UK
US – Utah Colleges, Universities Need More Formal Security Policies
JP – Japan Weighs a New Smart Card ID
AU – Australia Privacy Warning over PM’s Card Plan
NZ – Echelon Spymasters Meet: 50th anniversary of SIS
UK – Licence Plate Cameras May Be Unlawful
US – Cingular Gets $1.1 Million Award in Case Against Hackers
US – Carriers Seek to Capitalize on New Ad Revenues Without Igniting Privacy Backlash
US – TIVO to Insert Ads at End of Programs
US – Callers Can Communicate by Telephone With Privacy Features
AU – Privacy Concerns Over Phone Databases
US – DHS Privacy Report: “Secure Flight” Needs Improvements
US – Privacy Oversight Board Receives Briefing on Eavesdropping Program
US – USDA Abandons Mandatory Animal ID Database
US – New Jersey DL Scanning Illegal, Bar Must Delete Data
The EU-funded FIDIS (Future of Identity in the
Information Society) project has issued a stark warning that implementation of the
current generation of biometric travel ID will dramatically decrease security
and privacy, and increase the risk of identity theft. In an open
declaration, adopted at the project’s last meeting in Budapest (hence
called the Budapest Declaration), FIDIS calls for short-term damage control
measures to be taken and for “a new convincing and integrated security concept”
to be developed within the next three years. It further states that: “by
failing to implement an appropriate security architecture, European governments
have effectively forced citizens to adopt new European passports which
dramatically decrease their security and privacy”. FIDIS claims that the new
biometric passports, currently being introduced throughout
Department of Homeland Security (DHS) agencies
sponsored a conference in
1. distaste that people might feel about
unfamiliar, invasive technologies such as fingerprinting;
2. concern that biometric information gathered
for identification purposes could also reveal other information, such as
vulnerability to a health problem; and
3. concerns about the expansion of the
categories of uses for personal information, such as when information gathered
for counterterrorism purposes might later be applied to problems such as
tracking down people who don’t pay child support or speeding tickets.
Baker went on to state that keeping biometric
information in discrete systems to maintain privacy, as was the practice before
the September 2001 terrorist attacks, is no longer an acceptable limit on
counterterrorist methods. [Source]
In her opening statement to the Standing Committee on
Access to Information, Privacy and Ethics on the Statutory Review of PIPEDA on
November 27, 2006, Commissioner Stoddart focuses on six issues, which are
canvassed in greater detail in the background document:
1. The OPC does not ask for enhanced enforcement powers, but believes the
ombudsman model to be the appropriate one for now.
2. The OPC states that applying PIPEDA to the workplace has been
challenging, but does not advocate for adopting the Alberta and B.C. models without
more thought and asks the Committee to consider if and how PIPEDA might be
amended to deal more appropriately with employee information.
3. The OPC raises the issue of transborder flows of personal information,
and states that this issue can best be addressed by additional guidance rather
than through changes to PIPEDA.
4. The OPC asks the Committee to consider amending PIPEDA to make it easier
for the OPC to deal with complaints involving other jurisdictions, through
info-sharing with other authorities.
5. The OPC raises the possibility of breach notification requirements and
states that they “look forward to discussing with the Committee whether it is
possible to fit a notification requirement into the PIPEDA framework.” The
background document states that the OPC “supports the notion of a duty to notify
individuals, but recognizes the difficulty of choosing the appropriate model.”
6. The OPC raises a specific, pressing concern arising out of a court
decision limiting the OPC’s powers to review documents claimed to be
solicitor-client privileged, and asks for an amendment as soon as possible to
remove the ambiguity in PIPEDA about its powers in this respect. [Source]
Although the above six issues were highlighted, the
background document also discusses submissions received by the OPC on the
following additional issues and provides, in some cases, the OPC’s
recommendations:
· collection and disclosure for law enforcement and national security purposes;
· designation of investigative bodies;
· attempted collection without consent;
· individual, family and public interest exceptions to consent requirements;
· blanket consent;
· disclosures of personal information before transfer of businesses; and
· work product. [Background paper]
Proposed legislation that would give
Nearly one in three Canadians surveyed are putting
their identity at risk by not shredding their personal documents before
throwing them in the garbage according to internet research issued this week by
Royal & SunAlliance Insurance Company of
The Canadian government is spending billions of
dollars a year on hefty computer systems without the proper controls to keep
project costs from ballooning many times over. Examining just seven of $8.7
billion worth of IT projects approved in the past three years, Auditor General
Sheila Fraser found that five lacked adequate business cases. A $2.5-million
Canada Revenue Agency project aimed at prioritizing tax-collection work has
inflated to a revised price tag of $147 million -- a 58-fold increase over five
years. Four of the projects were launched by departments without the
appropriate skills and experience to handle projects of such scope, the
auditor’s report states. It goes on to point out that this is the fourth time
the office has expressed concern about the lack of controls over expensive IT
projects. [Source]
[Source]
The European Commission has issued a report on spam
that identifies the
Diana Mey of
Under pressure from opponents of President Hugo
Chavez,
The OPC has issued a Fact Sheet on DRM and TPM.
Excerpt: “There has been recent media coverage of the use of rootkit-like
techniques as a technical protection measure in music CDs and movie DVDs. This
has focused public attention on the subject of digital rights management (DRM),
and in particular technical protective measures (TPM), from both a security and
privacy perspective.” The OPC Fact Sheet addresses the questions: What is digital rights
management? What are technical protection measures? How do they work, and why
are they a concern? [Source]
President
László Sólyom this week returned an act on the relaying of EU-American
passenger-registration information back to Parliament for reconsideration, as
he held that it breached constitutional laws on data
privacy. Sólyom asked the House to add a specification
that those concerned must assent to the forwarding of their data abroad. The
president sent the act back to the House just one day after
A security breach involving a stolen laptop that
contained customer data is focusing attention on whether companies should tell
consumers when their personal information has been jeopardized by exposure.
European Commission legislation is expected to pass next year to address
security breaches. The legislation would require telecoms to notify regulators
and customers when their data was compromised during a security breach. [Source]
The Article 29 body has advised that European
financial institutions share some responsibility with the Society for Worldwide
Interbank Financial Telecommunication (SWIFT) for privacy violations related to
the sharing of private financial transactions with
A national
As more service sectors move to storing records, data
and information online, the need for strong security solutions continues to be
a priority. Following that trend, Canadian-based Aristex Health Solutions
selected worldwide security expert Entrust to deploy Entrust IdentityGuard for
strong protection of their online environment. In a first for the Canadian
healthcare system, Aristex will provide patients with online access to their
comprehensive health records and medical history. Aristex sought a strong,
cost-effective authentication solution that would not only provide mutual
authentication to all parties, but also help protect sensitive information and
maintain patient confidence. [Source]
Stolen Laptops Hold Scotland Yard Officers’ Financial Data
Three laptop computers stolen from the offices of LogicaCMG hold sensitive financial
information belonging to more than 15,000 London Metropolitan Police officers
(Met – often called Scotland Yard, the name of its headquarters). LogicaCMG is
an outsourcing company that manages payroll and pension payments. One man has
been arrested in connection with the theft. [Source] [Source] [Source]
Stolen Laptop Holds
A laptop computer stolen from the Ontario Science Centre contains a database with
members’ registration data, including names, addresses and credit card
information. The laptop and the database are protected with separate passwords.
The computer was stolen from a locked office on September 18. The Ontario
Science Centre notified affected members by letter. An investigation is
ongoing. [Source]
Stolen Computers Hold Women’s Health Information
Two computers stolen from an
Kaiser Permanente laptop with info on 38,000 patients stolen
A laptop computer containing private medical information on 38,000 Kaiser Permanente
members in the
A study of 10 anti-phishing toolbars conducted by
ICANN is launching a public comments period on the
Preliminary Task Force Report on Whois Services. The public comment period will
last from 24 November 2006 to 15 January 2007. The draft report sets out
the key findings that have emerged during the work of the Whois Task Force,
including determining what data collected should be available for public access
in the context of the purpose of Whois, how best to access data that is not
available for public access, and how to improve the process for notifying a
registrar of inaccurate Whois data, and the process for investigating and
correcting inaccurate data. [Source]
[Preliminary Task Force Report on Whois Services] [View comments]
Sexual predators victimizing minors online have
counted on the Web’s anonymity and lack of boundaries for years. But those
protections may not be available to them anymore. Software engineers and police
investigators are working together to further enhance Child Exploitation
Tracking System (CETS), an evidence gathering and analytics tool developed in
UK Police and councils are considering monitoring
conversations in the street using high-powered microphones attached to CCTV
cameras. The microphones can detect conversations 100 yards away and record
aggressive exchanges before they become violent. The devices are used at 300
sites in
GoDaddy has been awarded a patent for its domain
privacy services. The company sells domain privacy services, which allow
registrants to hide their data from the WHOIS database. The services were
initially intended to help people evade stalkers and spam, but many people who
own trademark and typo domain names use the services to make it harder for
attorneys to find them. [Source]
Top law firms, privacy groups and shopping giant
Westfield fear low-risk and low-value items such as gift cards, phone cards and
toll road passes could be subject to the Anti-Money Laundering and
Counter-Terrorism Financing Bill, which was passed in the Australian House
of Representatives this week. The Bill requires financial agencies, gaming
organizations, pawnbrokers, bookmakers, jewelers, lawyers, accountants, real
estate agents and any operator handling thousands of dollars in cash to make
“risk assessments” of clients. If there is even a slight suspicion of money
laundering or terrorism funding, operators must report details of a client’s income
and assets to the Federal Government’s AUSTRAC database. Privacy Commissioner
Karen Curtis told the inquiry there were concerns over the 2700 people
authorized to access the AUSTRAC database, with more than half from the ATO.
“Information collected for the purpose of enforcing serious crime, such as
terrorism, should generally only be used for such purposes.” [Source]
The Electronic Frontier Foundation, the ACLU, and the
Center for Democracy and Technology have filed an amicus brief in
federal court to support the protection of email stored online from unreasonable
search and seizure. The brief argues that users of online email services have a
“reasonable expectation of privacy” for their stored emails. The brief takes
the position that the Fourth Amendment protections against unreasonable search
and seizure that cover telephone calls and postal mail should extend to email
as well. [Source]
[Amicus brief] [Order] [Warshak Brief] [Government Brief]
A majority of taxpayers still feel insecure about
sharing personal financial information online, but they are comfortable with
shopping online, a new survey found. Released this week by the Internal Revenue
Service Oversight Board, the survey shows that 73% of 1,000 taxpayer households
strongly/somewhat agree that they were not secure in sharing personal financial
information via the Internet, even if the information was going to a government
agency such as the Internal Revenue Service. The top reason, cited by 46% of
742 respondents, was concern that the Internet was not secure. 37% said they
were not confident their privacy was protected, and 6% feared identity theft. [Source]
Spectrum, privacy and interoperability need attention, GS1 Canada told. Industry
Visa is slated to introduce contactless payment in the
The first in-depth information technology audit for
the state public college and university system indicates a need for improvements
to protect students’ private information. The report recommends that each
school update its information technology policy to include 19 elements,
including how to report a security breach and acceptable use of technology. The
report also recommends that the chief information officer organize an annual
audit of each institution’s security policy. [Source]
Privacy groups have warned that a new single smartcard
to be issued to 17 million Australians to replace cards such as those used for
Medicare could result in increased identity theft and fraud. Consumers have
been told the proposed Access Card is a fraud risk because it would include a
digitized photograph, signature and personal number displayed on the card as
well as encoded on a microchip. Privacy advocates say the Federal Government
has ignored several key recommendations of the Consumer and Privacy Taskforce,
set up to investigate privacy and security concerns. [Source]
The leaders of an elite Anglo-Saxon global spying
network known as Echelon have been meeting in
The UK Home Office is reviewing the legal status of
automatic number plate surveillance cameras after the Chief Surveillance
Commissioner advised that they could be operating unlawfully. In his annual
report, Chief Surveillance Commissioner Sir Andrew Leggatt has warned that
automatic number plate recognition (ANPR) cameras could qualify as covert
surveillance, and be illegal. “The unanimous view of the Commissioners is that
the existing legislation is not apt to deal with the fundamental problems to
which the deployment of ANPR cameras gives rise,” he wrote in his report to the
Prime Minister and to Scottish Ministers. [Source] [Surveillance Commissioners’ Report]
In a victory over data miners who used fraud, computer hacking and “social engineering” to
collect the private cell phone numbers and calling histories of its customers,
Atlanta-based Cingular Wireless has been awarded $1,135,000 in federal court.
Following up on an earlier default judgment, on Nov. 9, Judge Clarence Cooper
of
Sprint Nextel is offering marketers the opportunity to
target ads to the mobile Web page where cellphone users access the Internet
from their phones. The targeting will identify consumers by demographics and
behavior. Marc Lefar, Chief Marketing Officer at Cingular Wireless, cautioned
that carriers have to be mindful about privacy concerns when it comes to
targeting advertising to cellphone users. Research conducted at
TiVo has announced a new service that will insert ads
at the end of recorded programs and let marketers track how many people watch
them. With the growth in popularity of DVRs, advertisers and television
networks have become increasingly worried that most viewers skip through
commercials. [Source]
A telephone service start-up known as Jangl offers
consumers the opportunity to connect via telephone without revealing their
personal phone numbers. Consumers obtain a Jangl ID on the company’s Web site
to give out instead of their personal telephone numbers. The service is
conducive to dating services. Online dating company Match.com started offering
Jangl as a free service, which 275,000 people have tried since it was first
offered Nov. 2. [Source]
The Australian Privacy Foundation says proposed
federal legislation to protect information stored in a massive public phone
number database is fundamentally flawed. The protections in the Bill, which
will likely pass the Senate in the next two weeks, only apply to the
Telstra-managed Integrated Public Number Database, which contains constantly
updated information on every individual and business user of any type of phone
line. The group points out that other directories do not use the Integrated
Public Number Database, which means that the legislation would not apply to
them. [Source] [Source]
The Department of Homeland Security released its long
overdue annual privacy report last week. The annual
report covers two years. The department condensed its privacy-related
efforts and concerns from July 2004 through July 2006 into 38 pages. The report
to the U.S. Congress covers airline security and airline watch lists, border
security and identification requirements, information sharing between
departments, the use of biometrics, data mining, and the Real ID Act.
The report consists mainly of an overview citing participation in hearings,
workshops, and references to other reports. It covers a period during which DHS
had three chief privacy officers. The report said the Transportation Security
Administration changed its Secure Flight program without the required public
notification. It said the TSA collected commercial data on people without prior
notice and DHS has “strongly urged the TSA to establish a more robust redress
program.” [Source]
[Source]
[2004 DHS Privacy Report]
Members of the Privacy and Civil Liberties Oversight
Board say they were impressed by privacy protections that the government has
built into an eavesdropping program. The National Security Agency last week
briefed the five members of the board, which was created by Congress. President
Bush appointed the members of the group, which praised the government for the
steps it has taken to protect Americans’ privacy in its electronic
eavesdropping program. Several members of the group said they wished that the government
could reveal details of how the government safeguards Americans’ privacy and
civil liberties while fighting terrorism to inspire more trust by the public. [Source] [Source]
The Bush administration is abandoning plans to make farmers
and ranchers register their cows, pigs and chickens in a nationwide database
intended to help limit disease outbreaks. Faced with widespread opposition, the
Agriculture Department said this week the animal tracking program should remain
voluntary. Many cattle ranchers are wary of the program because they want
records kept confidential and don’t want to pay for the system. The industry
estimates it could cost more than $100 million annually to register and report
the movements of livestock and poultry. So far, about 23% of the nation’s
ranches, feed lots, livestock barns and other facilities have registered their
premises. [Source]
The head of the state Motor Vehicle Commission said
this week the growing practice of scanning and retaining driver’s license data
from customers at nightclubs is illegal, potentially criminal, and she is
ordering it to be stopped. Reacting to a story that appeared in a local
newspaper, MVC Chief Administrator Sharon Harrington had a letter
hand-delivered last night to