EU – Europe Explores Use of Biometrics to Screen Airline Passengers

EU authorities are making a push to use biometrics in a program that would ease airport congestion and improve security by encouraging frequent fliers to volunteer for pre-screening. The EU officials would like to explore a security screening system similar to the new Registered Traveler program in the U.S. Privacy advocates have raised questions about the reliability of the technology and whether a voluntary program would be made mandatory. [Source]

UK – Primary Schools Fingerprinting Children as Young as Five

Primary and secondary schools in the Yorkshire region are beginning to collect biometric details from their pupils at alarming rates - in many cases breaking Government guidelines by not first asking for parental permission. And campaigners, who insist the technology is an erosion of civil liberties and yet another step towards a “Big Brother” state, claim the greatest problem is that no one knows the true extent of the spread of such systems, because no authority or Government department has bothered to monitor it. Mounting concern led the Information Commissioner’s Office to reveal this week that it would soon publish new guidance for schools. [Source]

US – Advocates Raise Questions About Fingerprint Scans at Disney Theme Park

Disney is upgrading technology that will scan fingerprint information as a way to prevent people from reselling multi-day ticket passes. The company said the numeric information gleaned from the biometric technology will remain separate from data in other systems and will be purged from the system after it is used or 30 days after the ticket expires. Privacy advocates are concerned that the company has not disclosed to visitors the purpose of the new system. [Source] [Source]

CA – Privacy Commissioner Seeks Public Feedback on PIPEDA

The federal privacy commissioner, Jennifer Stoddart, is seeking the public’s feedback on PIPEDA. Parliament is reviewing the law this fall. Public comments are due by Sept. 7. Stoddart’s office is seeking comment on whether PIPEDA should be amended to require a company to notify consumers when their information will be disclosed or after a security breach. Public comment is sought on other aspects, including whether the law should allow businesses to transfer or disclose personal information to a business partner or purchaser without prior consent. [Source]

CA – Ontario Privacy Chief Rules on Software Use

Ontario Information and Privacy Commissioner Dr. Ann Cavoukian has issued a report that clears Ontario care providers to use a Chicago company’s software for an electronic health record application. Privacy advocates were concerned about the confidentiality of Canadian health records because the software used to sort the records was developed by a company with financial connections to a private firm that helps the CIA identify and acquire new technologies. Cavoukian said the Cancer Care Ontario allows the company “extremely narrow, on-site access to personal health information, under tightly controlled and limited conditions.” [Source][News Release][Report][Executive Summary] See also: CIA software raises privacy concern in Canada

CA – BC Privacy Commissioner Says “Stop Enacting Laws that Violate Privacy”

BC privacy commissioner David Loukidelis has issued a report calling attention to the expansion of businesses that municipalities are requiring to pass personal information to police. Many pawn-shop owners and second-hand dealers have long been required to turn over the personal information of customers to the authorities. But Loukidelis is concerned about municipalities approving bylaws that expand the scope of the information-sharing. Loukidelis said the issue should be left to the courts to determine when businesses should turn over customer information. [Source] [Letter] [Media Release] [Discussion Paper]

CA – Privacy Commissioner Expresses Concern Over Net Surveillance

Canada’s privacy commissioner is questioning the need for proposed legislation that would allow police to spy on Internet users without obtaining a warrant. “As privacy commissioner, I want to have a lot of questions answered about why this is necessary because, up to now, I haven’t been convinced,” Jennifer Stoddart said in an interview. [Source]

CA – Privacy Law Keeps 90,000 Dead Ontarians on Voter List

Elections Canada has identified more than 90,000 dead people on municipal voters lists in Ontario, The Free Press has learned. But many months after the dead were identified by Elections Canada, they remain on the lists thanks to privacy laws and red tape. The Ontario agency that keeps lists of the dead, the Ministry of Government Services, will share that information with Elections Canada, but not with the agency that assembles municipal voters lists, Ontario's Municipal Property Assessment Corp. (MPAC). [Source]

UK – Ministers Set to Announce Change in Data Protection Principle

Ministers are expected to announce next month that they are changing a data protection principle which currently requires public agencies to provide a legal reason every time they want to share data within the government. The new policy, according to an article in the Guardian, would allow data sharing among agencies if it is “in the public interest.” [Source]

UK – Privacy Row Erupts Over Child Database

Plans for a government database holding personal details on ten million children could be illegal and will hand a dangerous weapon to paedophiles, according to a report. Ministers are spending £200 million to create a file on every child in England and Wales, detailing personal information on their health and education. More than 400,000 civil servants and council workers will have access to the Childrens Index, which by the end of 2008 will link up with 2,000 databases currently run separately by doctors, schools and social services. But the report by the Information Commissioners Office warns that Labour’s plans will contravene data protection laws because parents will not be given a say over whether information on their children can be passed on. [Source] [Source] [Source] [Source] [Source]

UK – Information Commissioner Provides Guidance on Direct Marketing

The Information Commissioner’s Office is publishing two new guides aimed at educating consumers and organizations about direct marketing. “Stopping Unwanted Marketing” is designed for consumers seeking to prevent their personal details from being used to facilitate direct marketing as well as steps to take if they believe that marketing efforts may have violated the law. The second guide outlines how organizations can register on the Corporate Telephone Preference Service to reduce the number of unwanted direct marketing calls. [Source]

UK – Britain’s Privacy Chief Launches Probe Into eBay Allegations

The Information Commissioner’s Office (ICO) is looking into allegations that eBay is passing personal details to third parties and a practice that prevents users from deleting their information from the site’s system. The 1998 Data Protection Act requires companies to allow users to delete their personal information. Privacy International filed the complaint with the ICO’s office. [Source ][Complaint by Privacy International] [PI report on online privacy -- Dumb Design or Dirty Tricks?] [Summary of PI Report] [eBay Faces Heat on Privacy breaches]

WW – PI Announces the 2006 Stupid Security Competition

Privacy International is running an international competition to discover the world’s most pointless, intrusive, stupid and self-serving security measures. The “Stupid Security Awards” aim to highlight the absurdities of the security industry. The awards were first staged in 2003 and attracted over 5,000 nominations. Privacy International is calling for nominations to name and shame the worst offenders. The competition closes on October 31st 2006. The award categories are:

Most Egregiously Stupid Award
Most Inexplicably Stupid Award
Most Annoyingly Stupid Award
Most Flagrantly Intrusive Award
Most Stupidly Counter Productive Award

The competition will be judged by an international panel of well-known security experts, public policy specialists, privacy advocates and journalists. The competition is open to anyone from any country. Nominations can be sent to stupidsecurity@privacy.org [Source] [Previous Award Winners]

EU – European Privacy Chiefs Consider Legal Options After SWIFT Data Sharing

Representatives of European privacy commissions met last week in Brussels to mull legal options after financial information of European bank customers was shared with U.S. law enforcement to investigate possible terrorist financing. EU officials initially took the position that the data sharing was legal. Since growing public concerns, Privacy International filed complaints about the data sharing in 38 countries and government privacy officials have launched probes in the EU, Australia and Canada. [Source]

US – President Bush Signs Executive Order Affecting Federal Agencies

Federal agencies that sponsor or administer health programs will be required to adopt and use standards-based IT, such as e-medical records. The order, which takes effect Jan. 1, also will impact entities that contract with affected federal agencies. However, some observers say the order will do little to encourage reluctant private-practice physicians to convert to an e-medical records system. Bush signed the last health-IT order in April 2004, which established a federal health IT chief. Dr. David Brailer held the position for two years, before resigning this past spring. No replacement has been named. [Source]

US – AT&T Exposes 19,000 Identities in Data Hack

AT&T on Tuesday said hackers broke into one of its computer systems and accessed personal data on thousands of customers who used its online store. The information that was illegally accessed includes credit card numbers, AT&T said in a statement. The cyberattack affects about 19,000 customers who purchased equipment for high-speed DSL Internet connections through AT&T’s Web site. [Source] [Source] [Source] [Source] [Source] UPDATE: AT&T Data Thieves Used Info for Targeted Phishing Attacks: After thieves stole personally identifiable information of 19,000 AT&T DSL customers, they immediately began to use some of that data to launch a sophisticated phishing attack. The phishing emails tried to elicit more data from their targets by including authentic-looking AT&T order numbers, the targets’ home addresses and last four digits of their credit card numbers. The recipients were provided a link to a spoofed site where they were asked to update their credit card information. [Source]

US – Verizon Sends Excel File with Customer Info by Mistake

Verizon Wireless last week accidentally distributed a file with limited details on more than 5,000 customers outside the company, potentially giving identity thieves a toehold. The Microsoft Excel spreadsheet file was e-mailed on Monday and includes names, e-mail addresses, cell phone numbers, and cell phone models of 5,210 Verizon Wireless customers. [Source]

UK – UK’s Home Office Admits to Database Breaches

The UK’s Home Office has admitted that the security of its ID and passport service database has been compromised several times, but denies that remote hackers were responsible. In a response to a parliamentary question at the end of last week, the Home Office said it had had five security breaches in five years, mostly caused by civil service staff. Each of the instances resulted in the dismissal of the employee responsible. [Source] [Source]

US – U.S. Student Aid Site Exposes Borrowers’ Data

The U.S. Department of Education has disabled the online payment feature for its Federal Student Aid site, following a security breach that could affect up to 21,000 borrowers. Federal Student Aid recipients who between Sunday and Tuesday accessed one of six Web pages on the Department of Education site may have had their personal information exposed to others. [Source]

US – Medical Lab to Notify Patients Affected by Theft of Computer

A computer stolen from a medical laboratory’s sample collection center in Jersey holds personally identifiable information of an unspecified number of patients. LabCorp is sending letters to notify individuals whose data were on the machine, which was stolen in early June; the data include names and SSNs but not test results. [Source]

US – Stolen Laptop Holds Chicago City Employees’ Data

A laptop computer stolen from the home of a contractor for the city of Chicago holds personally identifiable information, including names and SSNs, belonging to thousands of city employees. Nationwide Retirement Solutions (NRS) is notifying people whose data were on the computer by mail and will offer them one year of free credit monitoring along with US$25,000 of identity theft insurance. The computer was stolen in April 2005; local police and the company were notified promptly. However, the division of NRS that investigates computer thefts did not learn of it until July 2006. Since the theft, NRS has deployed encryption on all laptop computers. [Source]

US – E-government ID Management Group forms within Liberty Alliance

A new group within the Liberty Alliance will address government concerns with federated identity projects, the organization said this week. The Liberty Alliance is a consortium of companies and organizations working on technology and policy standards for identity projects. The eGovernment Group will focus business, technical and policy issues, with an emphasis on privacy and security issues. The alliance has supported a range of protocols and standards that companies can implement to allow users to move easily from one Web site to another without having to key in a login and password again, among other functions. Companies stand to gain greater efficiency in dealing with passwords by federating identities while also streamlining how their Web sites interact. The eGovernment Group includes representatives from Denmark, Finland, France, Korea, New Zealand, the U.K. and the U.S. [Source]

WW – Security Firm Warns of “SMiShing” Text-Message Attacks

Cell phone users should watch out for text messages containing a Web site link which, when visited, could download a Trojan horse, security experts have warned. In a blog posting, McAfee Inc. dubbed the new development “SMiShing,” referring to a phishing attack sent via SMS. [Source]

NZ – NZ Government Identifies DRM and Trusted Computing Risks

New Zealand’s lead state-sector authority has drawn a line in the sand to ensure government information security is not compromised by new “trusted computing” and digital rights management (DRM) technologies. The policies, released by the New Zealand State Services Commission, are an acknowledgement of the risks posed by the trusted computing and DRM initiatives being driven by international IT vendors and media organisations. [Source] [Report]

CA – Sony Settles Canadian Class Actions Over Rootkit

Sony has settled several outstanding Canadian class action suits launched in the wake of the Sony rootkit controversy last year. Settlement terms are similar to those reached in the United States. The settlement must still receive court approval. Settlement information at http://cdtechsettlement.sonybmg.ca/en/

WW – Survey: Consumers Need to Use Better Data Cleanup Before Selling Phones

Trust Digital, a security software company, said consumers need to “hard” wipe their mobile devices before selling them. The company bought 10 mobile devices on eBay and was able to retrieve almost 27,000 pages of sensitive data. The data included banking records, corporate information on sales and product plans. [Source] [Source] [Source] [Source]

US – FBI Shows Off Counterterrorism Database

The FBI has built a database with more than 659 million records, including terrorist watch lists, intelligence cables, and financial transactions, culled from more than 50 FBI and other government agency sources. FBI officials say the system is one of the most powerful data analysis tools available to law enforcement and counterterrorism agents. [Source]

WW – Watchdog Group Labels AOL’s Free Software “Badware”

A leading software watchdog group warned users away from AOL’s free client software yesterday on the ground that it includes bundled software and lacks transparency about the added components. StopBadware.org would like AOL to be more forthcoming about the software components included with its client and to provide users with a straightforward way of declining the components and uninstalling them if they are already on their computers. Among StopBadware.org’s complaints: AOL installs ViewPoint media player without informing the user and it adds the AOL toolbar to Internet Explorer without explicit disclosure. [Source] [Source] [Source]

UK – eBay Faces Heat on Privacy Breaches

UK watchdog group Privacy International has sparked an inquiry into eBay’s handling of personal data, as part of a new campaign against e-commerce sites that may be abusing the privacy of their users. The civil- and cyber-rights group complained to the UK’s Information Commissioner this week about eBay.co.uk, which it claims is breaching the Data Protection Act by making it hard for users to cancel their accounts and delete details of their Web shopping habits and other personal data. [Source]

WW – New Browser Taps Into Web Privacy Fears

The founder of Freeserve has unveiled a Web-browsing tool that claims to preserve the privacy of its users. Browzar is a free application that can be downloaded and either saved to the user’s computer or run directly from the Web site. [Source] UPDATE: Browzar Faces Claims of Ad-Mongering and False Advertising: Browzar has been the target of criticism. Some say the application, which claims to leave no trail of web pages visited by automatically deleting files associated with web sites when the application is shut down, does not work as advertised. Apparently the deleted files are not wiped from the computer and are relatively easy to recover. Others have complained that Browzar’s search engine serves up advertisements within search results. Users are permitted to use other search engines, which should address this problem. [Source] [Source] [Source].

BR – Google to Give Data to Brazilian Court

Google, which refused to hand over user search data to U.S. authorities fighting children’s access to pornography, says it is complying with a Brazilian court’s orders to turn over data that could help identify users accused of taking part in online communities that encourage racism, pedophilia, and homophobia. The company says that the difference in Brazil is with the scale and purpose of the request. Brazil is looking for information in specific cases involving Google’s social networking site, Orkut. [Source]

WW – Microsoft Using New Technology to Thwart Phishing Attacks

Microsoft is using data-mining techniques from a third party in its Internet browsers to guard against “phishing” attacks, where dubious Web sites try to harvest personal information from unknowing victims. Digital Resolve announced that Microsoft is licensing data that comes from its Trusted Server technology, which crawls the Internet and builds lists of Web sites and their legitimate IP addresses. [Source]

AU – Australian Privacy Chief Calls for Privacy Reviews of Government Projects

Federal Privacy Commissioner Karen Curtis told attendees at a Privacy Awareness Week event in Sydney that government agencies should conduct privacy impact assessments (PIAs). PIAs are new to Australia, but federal Attorney-General Philip Ruddock said the privacy review ensures that “privacy considerations are at the core of project development, and that privacy obligations are built-in, rather than bolted on.” Agencies are not required under the Privacy Act to conduct PIAs. However, Curtis said the government’s new smartcard should undergo privacy testing before its launch. [Source]

AU – More Disciplinary Action Against Government Employees For Privacy Breaches

The Australian Taxation Office (ATO) has taken disciplinary action against 27 employees for accessing taxpayer files without permission. The tax breach is the second time in a week that government employees have been in the news for breaching privacy at work. Last week, more than 100 Centrelink employees lost their jobs after they snooped on welfare records related to friends, neighbors and others. Labor said the incidents raise concerns about the federal government’s plan to implement a new smartcard, which would contain citizens’ health and welfare information. Privacy Commissioner Karen Curtis was asked to investigate the ATO breaches. [Source]

UK – Royal Mail ‘Is Keeping Secret Way of Avoiding Junk Post’

A mail carrier was suspended after he told people on his route how they could opt-out of receiving junk mail. Royal Mail, which delivers bulk fliers and letters to customers, has an opt-out program available, but it is not publicized and few people are aware of the choice. A company spokesman acknowledged that Royal Mail had not publicized the methods to opt-out. The spokesman added that opt-out information would be added to the company’s Web site. [Source]

US – Bank Fined US$50 Million for Buying Florida Drivers’ Data

Fidelity Bank & Trust has been ordered to pay US$50 million for purchasing 656,000 names and addresses from the Florida Department of Highway Safety and Motor Vehicles. The bank bought the data to use in a direct marketing campaign; the purchase violated the Drivers Privacy Protection Act of 1994, which aims to protect drivers’ data from being distributed “because stalkers and other criminals had used motor vehicle records to locate victims.” In 2004, a US District Court ruled the plaintiff “had to demonstrate actual damages before obtaining monetary compensation under the” law, but the 11th Circuit Court of Appeals overturned the lower court’s ruling. [Source] [Source] [Source]

US – NIST Issues Guidelines for Sanitizing Used Media

The National Institute of Standards and Technology (NIST) has released Special Publication 800-88, “Guidelines for Media Sanitation.” The draft guide addresses sanitation techniques for magnetic, optical, electrical and other media types. NIST is careful to note that the “guide is intended to assist organizations and system owners in making practical sanitation decisions based on the type of information on their system media. It does not, and cannot, specifically address all known types of media however; the described draft sanitation decision process can be applied universally to all forms of media and categorizations of information.” [Source] [NIST Guidelines]

US – U.S. Retailers Slow to Adopt RFID Technology

Dave Hogan, senior vice president and chief information officer for the National Retail Federation, said most U.S. retailers have scaled back plans to implement RFID technology in favor of taking a wait- and-see approach. Supporters highlight the technology’s convenience and efficiency, which they say will help consumers and businesses alike. Hogan notes that one drawback is the cost of the tags and the readers – especially in the grocery store sector where competition is fierce. [Source]

US – Chip Maker Seeks to Implant Microchips in Military Personnel

VeriChip is lobbying the Pentagon to allow the chip maker to implant military personnel with a tiny chip that would contain medical and personal information. Former Health and Human Services Secretary Tommy Thompson, who now sits on VeriChip’s board of directors and is a lobbyist, is leading the company’s efforts to secure approval for the plan. Some privacy advocates and members of Congress are closely watching the developments and analyzing the plan’s privacy implications. [Source]

US – Peg Pérego to RFID Tags Toys

Peg Pérego USA, a manufacturer of toys and other children’s products, will begin implementing an RFID system at the end of October. This new system will automatically tag individual boxes of toy riding vehicles as they are produced in its factory. Eventually, Pérego plans to extend the system to receive automatically the parts it uses to make those vehicles. The company hopes to determine the effectiveness of the system, especially in ensuring a high read rate, before expanding the RFID deployment to its three other conveyors, as well as back to the company’s suppliers. As a bonus, retailers that have deployed RFID interrogators and software would also benefit by being able to use each product’s RFID tag to track inventory at their own distribution centers, back rooms, shelves and point-of-sale terminals. [Source]

US – Ponemon Study: Many Believe Data Thefts Can’t Be Prevented

63% of respondents to a new data security study said they don’t believe they can prevent such breaches. “This group came out much, much more negative than I ever expected,” said Larry Ponemon, the founder and chairman of the Ponemon Institute. “They said they’re bad at detecting [breaches], but even worse at preventing [breaches].” The 11-page study, “National Survey on the Detection and Prevention of Data Breaches,” which was released yesterday, is based on responses from 853 IT professionals, including senior executives, information security managers and others. The study was sponsored by PortAuthority Technologies Inc., a vendor of information leak prevention software. [Source] [Coverage] [Study]

US – NIST Issues Three Security-Related Draft Publications

The National Institute of Standards and Technology (NIST) has released three draft publications for public comment. SP800-45A, Guidelines on Electronic Mail Security, is an update to an earlier publication; comments will be accepted until October 6. Comments on SP800-94, “Guide to Intrusion Detection and Prevention Systems“ are due by October 20, and comments on SP800-95, “Guide to Secure Web Services“ will be accepted through October 30. [Source]

AU – Victorian Privacy Commissioner Chadwick Slams Police Information Breaches

Former Victorian privacy commissioner, Paul Chadwick, claims serious breaches in the state police database, following the release of 7,000 confidential records to a prison officer. In a damning 74-page tabled in state parliament, Chadwick report claims that the Victorian Law Enforcement Assistance Program (LEAP) database, in which he states that there have been, "recurring, systematic" breaches of privacy laws. Chadwick has ordered the Australian state’s police chief to build a new data storage facility for the compromised database and submit to an independent audit within 12 months. [Source] [Source] [Report]

WW – Consumer PC Security Products Getting Better, Cheaper

Consumers now are getting more for less of their money when they buy security software. Microsoft’s entry into the consumer security software arena in late May has made PC protection cheaper, according to data from The NPD Group. At the same time, security products are becoming more comprehensive, analysts said. [Source]

AU – No Function Creep: Australia Access Card for Access Only

The government services access card will be just that - an access card, according to Kerri Hartland, the public servant who heads the $1.1 billion project. The card has been stripped of numerous bells and whistles floated during its genesis. “The purpose of the card is to access Commonwealth health and social benefits, and that’s what we’re focused on,” Ms Hartland, Office of Access Card deputy secretary, said yesterday. “We’re focused on preventing function creep in the way the card is used.” Rather than large amounts of information being held on the chip, the card will act as a set of keys that allow individuals to access the various agencies they deal with. The chip and registration database will only hold basic personal details, concession status, a photo and signature. [Source]

BC – BC Hydro: 18,000 Grow-Ops Suspected

Nearly 18,000 homes in B.C. – about the same number of residences as in all of West Vancouver – use suspiciously high amounts of electricity, often a telltale sign of a marijuana growing operation. Under provincial legislation introduced last spring, municipalities can request a list from BC Hydro of all addresses with abnormally high power consumption – making it easier for police and city inspectors to target growing operations. [Source]

CA – CRTC Issues Statement of Key Consumer Rights re: Local Home Phone Service

The CRTC has issued a document which restates key consumer rights with respect to local home phone service, in a clear and comprehensible manner. Traditional telephone companies are directed to include this statement of consumer rights on their website and with their residential telephone directories. This statement clarifies consumers’ key rights which include: the right to a local telephone service, the right to choose a phone company, the right to confidentiality, the right to privacy when calling or being called, and the right to register a dispute or complaint. [Source] [Statement of Key Consumer Rights]

US – Education Dept. Officials Shared Personal Student Data With FBI

A little-known federal program created days after Sept. 11, 2001, examined financial aid records of college students targeted by the FBI in terrorism investigations, but it’s unclear whether it netted any terrorists, according to U.S. Education Department documents. The program, called Project Strike Back, was a joint project of the department and the FBI and was created 10 days after the terrorist attacks, according to the documents from the department’s Office of the Inspector General (OIG). About 14 million students apply for federal financial aid for college each year, the Education Department says. An FBI spokeswoman said the FBI gave the OIG “a small, select list of a couple of hundred names associated with ongoing investigations. [Source] [Source]

US – New Internet Privacy Bill Proposed

The House International Relations subcommittee has introduced legislation that would make it illegal for American Internet companies to share information with foreign governments. Under the new bill, companies could be fined up to $2 million. The legislation also would create an office of Global Internet Freedom to oversee this legislation. [Source]

US – California Passes Wi-Fi User Protection Bill

California’s state assembly has passed a bill to require makers of Internet access gear to warn consumers of the risks of using unsecured wireless connections. Legislators in both houses of the state legislature voted overwhelmingly in favour or the “Wi-Fi User Protection Bill” to inform users how to secure networks against piggybacking, or unauthorized sharing of wireless access. [Source]

US – Advocates Oppose Federal Breach Bill That Would Supersede Stronger State Laws

Sen. Bob Bennett, R-Utah, is sponsoring a data breach bill that would require companies to notify consumers if the information lost is “reasonably likely to result in substantial harm or inconvenience.” The bill also would prevent consumers from suing a company for failure to adequately secure data. It also would prevent state attorneys general from suing a company for violating the breach law. Privacy advocates oppose the bill, which is one of at least 17 data security and privacy bills pending in the House and Senate. [Source]

--------