Privacy News Highlights
25 August – 06 September 2006
Contents:
EU – Europe Explores Use of Biometrics to Screen Airline Passengers
UK – Primary Schools Fingerprinting Children as Young as Five
US – Advocates Raise Questions About Fingerprint Scans at Disney Theme Park
CA – Privacy Commissioner Seeks Public Feedback on PIPEDA
CA – Ontario Privacy Chief Rules on Software Use
CA – BC Privacy Commissioner Says “Stop Enacting Laws that Violate Privacy”
CA – Privacy Commissioner Expresses Concern Over Net Surveillance
CA – Privacy Law Keeps 90,000 Dead Ontarians on Voter List
UK – Ministers Set to Announce Change in Data Protection Principle
UK – Privacy Row Erupts Over Child Database
UK – Information Commissioner Provides Guidance on Direct Marketing
UK – Britain’s Privacy Chief Launches Probe Into eBay Allegations
WW – PI Announces the 2006 Stupid Security Competition
EU – European Privacy Chiefs Consider Legal Options After SWIFT Data Sharing
US – President Bush Signs Executive Order Affecting Federal Agencies
US – AT&T Exposes 19,000 Identities in Data Hack
US – Verizon Sends Excel File with Customer Info by Mistake
UK – UK’s Home Office Admits to Database Breaches
US – U.S. Student Aid Site Exposes Borrowers’ Data
US – Medical Lab to Notify Patients Affected by Theft of Computer
US – Stolen Laptop Holds Chicago City Employees’ Data
US – E-government ID Management Group Forms within Liberty Alliance
WW – Security Firm Warns of “SMiShing” Text-Message Attacks
NZ – NZ Government Identifies DRM and Trusted Computing Risks
CA – Sony Settles Canadian Class Actions Over Rootkit
WW – Survey: Consumers Need to Use Better Data Cleanup Before Selling Phones
US – FBI Shows Off Counterterrorism Database
WW – Watchdog Group Labels AOL’s Free Software “Badware”
UK – eBay Faces Heat on Privacy Breaches
WW – New Browser Taps Into Web Privacy Fears
BR – Google to Give Data to Brazilian Court
WW – Microsoft Using New Technology to Thwart Phishing Attacks
AU – Australian Privacy Chief Calls for Privacy Reviews of Government Projects
AU – More Disciplinary Action Against Government Employees For Privacy Breaches
UK – Royal Mail ‘Is Keeping Secret Way of Avoiding Junk Post’
US – Bank Fined US$50 Million for Buying Florida Drivers’ Data
US – NIST Issues Guidelines for Sanitizing Used Media
US – U.S. Retailers Slow to Adopt RFID Technology
US – Chip Maker Seeks to Implant Microchips in Military Personnel
US – Peg Pérego to RFID Tags Toys
US – NIST Issues Three Security-Related Draft Publications
AU – Victorian Privacy Commissioner Chadwick Slams Police Information Breaches
WW – Consumer PC Security Products Getting Better, Cheaper
AU – No Function Creep: Australia Access Card for Access Only
CA – BC Hydro: 18,000 Grow-Ops Suspected
CA – CRTC Issues Statement of Key Consumer Rights re: Home Phone Service
US – Education Dept. Officials Shared Personal Student Data With FBI
US – New Internet Privacy Bill Proposed
US – California Passes Wi-Fi User Protection Bill
US – Advocates Oppose Federal Breach Bill That Would Supersede Stronger State Laws
EU authorities are making a push to use biometrics in
a program that would ease airport congestion and improve security by
encouraging frequent fliers to volunteer for pre-screening. The EU officials
would like to explore a security screening system similar to the new Registered
Traveler program in the U.S. Privacy advocates have raised questions about the
reliability of the technology and whether a voluntary program would be made
mandatory. [Source]
Primary and secondary schools in the
Disney is upgrading technology that will scan
fingerprint information as a way to prevent people from reselling multi-day
ticket passes. The company said the numeric information gleaned from the
biometric technology will remain separate from data in other systems and will
be purged from the system after it is used or 30 days after the ticket expires.
Privacy advocates are concerned that the company has not disclosed to visitors
the purpose of the new system. [Source]
[Source]
The federal privacy commissioner, Jennifer Stoddart,
is seeking the public’s feedback on PIPEDA. Parliament is reviewing the law
this fall. Public comments are due by Sept. 7. Stoddart’s office is seeking
comment on whether PIPEDA should be amended to require a company to notify
consumers when their information will be disclosed or after a security breach.
Public comment is sought on other aspects, including whether the law should
allow businesses to transfer or disclose personal information to a business
partner or purchaser without prior consent. [Source]
Ontario Information and Privacy Commissioner Dr. Ann
Cavoukian has issued a report that clears
BC privacy commissioner David Loukidelis has issued a
report calling attention to the expansion of businesses that municipalities are
requiring to pass personal information to police. Many pawn-shop owners and
second-hand dealers have long been required to turn over the personal
information of customers to the authorities. But Loukidelis is concerned about
municipalities approving bylaws that expand the scope of the
information-sharing. Loukidelis said the issue should be left to the courts to
determine when businesses should turn over customer information. [Source]
[Letter] [Media Release] [Discussion Paper]
Elections
Ministers are expected to announce next month that
they are changing a data protection principle which currently requires public
agencies to provide a legal reason every time they want to share data within
the government. The new policy, according to an article in the Guardian, would
allow data sharing among agencies if it is “in the public interest.” [Source]
Plans for a government database holding personal
details on ten million children could be illegal and will hand a dangerous
weapon to paedophiles, according to a report. Ministers are spending £200 million
to create a file on every child in
The Information Commissioner’s Office is publishing
two new guides aimed at educating consumers and organizations about direct
marketing. “Stopping
Unwanted Marketing” is designed for consumers seeking to prevent their
personal details from being used to facilitate direct marketing as well as
steps to take if they believe that marketing efforts may have violated the law.
The second
guide outlines how organizations can register on the Corporate Telephone
Preference Service to reduce the number of unwanted direct marketing calls. [Source]
The Information Commissioner’s Office (ICO) is looking
into allegations that eBay is passing personal details to third parties and a
practice that prevents users from deleting their information from the site’s
system. The 1998 Data Protection Act
requires companies to allow users to delete their personal information. Privacy
International filed the complaint with the ICO’s office. [Source] [Complaint by Privacy International]
[PI report on online privacy -- Dumb Design or Dirty Tricks?] [Summary of PI Report]
[eBay Faces Heat on Privacy Breaches]
Privacy International is running an international
competition to discover the world’s most pointless, intrusive, stupid and
self-serving security measures. The “Stupid Security Awards” aim to highlight
the absurdities of the security industry. The awards were first staged in 2003
and attracted over 5,000 nominations. Privacy International is calling for
nominations to name and shame the worst offenders. The competition closes on
October 31st 2006. The award categories are:
The competition will be judged by an international
panel of well-known security experts, public policy specialists, privacy
advocates and journalists. The competition is open to anyone from any country.
Nominations can be sent to stupidsecurity@privacy.org.
[Source] [Previous Award Winners]
Representatives of European privacy commissions met
last week in
Federal agencies that sponsor or administer health
programs will be required to adopt and use standards-based IT, such as
e-medical records. The order, which takes effect Jan. 1, also will impact
entities that contract with affected federal agencies. However, some observers
say the order will do little to encourage reluctant private-practice physicians
to convert to an e-medical records system. Bush signed the last health-IT order
in April 2004, which established a federal health IT chief. Dr. David Brailer
held the position for two years, before resigning this past spring. No replacement
has been named. [Source]
AT&T on Tuesday said hackers broke into one of its
computer systems and accessed personal data on thousands of customers who used
its online store. The information that was illegally accessed includes credit
card numbers, AT&T said in a statement. The cyberattack affects about
19,000 customers who purchased equipment for high-speed DSL Internet
connections through AT&T’s Web site. [Source] [Source] [Source] [Source] [Source]
UPDATE: AT&T Data Thieves Used Info for Targeted Phishing Attacks: After thieves stole personally identifiable information
of 19,000 AT&T DSL customers, they immediately began to use some of that
data to launch a sophisticated phishing attack. The phishing emails tried to
elicit more data from their targets by including authentic-looking AT&T
order numbers, the targets’ home addresses and last four digits of their credit
card numbers. The recipients were provided a link to a spoofed site where they
were asked to update their credit card information. [Source]
Verizon Wireless last week accidentally distributed a
file with limited details on more than 5,000 customers outside the company,
potentially giving identity thieves a toehold. The Microsoft Excel spreadsheet
file was e-mailed on Monday and includes names, e-mail addresses, cell phone
numbers, and cell phone models of 5,210 Verizon Wireless customers. [Source]
The
The U.S. Department of Education has disabled the
online payment feature for its Federal Student Aid site, following a security
breach that could affect up to 21,000 borrowers. Federal Student Aid recipients
who between Sunday and Tuesday accessed one of six Web pages on the Department
of Education site may have had their personal information exposed to others. [Source]
A computer stolen from a medical laboratory’s sample
collection center in
A laptop computer stolen from the home of a contractor
for the city of
A new group within the Liberty Alliance will address
government concerns with federated identity projects, the organization said this
week. The Liberty Alliance is a consortium of companies and organizations
working on technology and policy standards for identity projects. The
eGovernment Group will focus on business, technical and policy issues, with an
emphasis on privacy and security. The alliance has supported a range of
protocols and standards that companies can implement to allow users to move
easily from one Web site to another without having to key in a login and
password again, among other functions. Companies stand to gain greater
efficiency in dealing with passwords by federating identities while also streamlining
how their Web sites interact. The eGovernment Group includes representatives
from
Cell phone users should watch out for text messages
containing a Web site link which, when visited, could download a Trojan horse,
security experts have warned. In a blog posting, McAfee Inc. dubbed the new
development “SMiShing,” referring to a phishing attack sent via SMS. [Source]
New Zealand’s lead state-sector authority has drawn a
line in the sand to ensure government information security is not compromised
by new “trusted computing” and digital rights management (DRM) technologies.
The policies, released by the New Zealand State Services Commission, are an acknowledgement
of the risks posed by the trusted computing and DRM initiatives being driven by
international IT vendors and media organisations. [Source] [Report]
Sony has settled several outstanding Canadian class
action suits launched in the wake of the Sony rootkit controversy last year. Settlement
terms are similar to those reached in the
Trust Digital, a security software company, said
consumers need to “hard” wipe their mobile devices before selling them. The
company bought 10 mobile devices on eBay and was able to retrieve almost 27,000
pages of sensitive data. The data included banking records and corporate
information on sales and product plans. [Source]
[Source] [Source] [Source]
The FBI has built a database with more than 659
million records, including terrorist watch lists, intelligence cables, and
financial transactions, culled from more than 50 FBI and other government
agency sources. FBI officials say the system is one of the most powerful data
analysis tools available to law enforcement and counterterrorism agents. [Source]
A leading software watchdog group warned users away
from AOL’s free client software yesterday on the grounds that it includes
bundled software and lacks transparency about the added components. StopBadware.org
would like AOL to be more forthcoming about the software components included
with its client and to provide users with a straightforward way of declining
the components and uninstalling them if they are already on their computers. Among
StopBadware.org’s complaints: AOL installs ViewPoint media player without
informing the user and it adds the AOL toolbar to Internet Explorer without
explicit disclosure. [Source] [Source]
[Source]
The founder of Freeserve has unveiled a Web-browsing
tool that claims to preserve the privacy of its users. Browzar is a free application
that can be downloaded and either saved to the user’s computer or run directly
from the Web site. [Source]
UPDATE: Browzar Faces Claims of Ad-Mongering and False Advertising: Browzar has
been the target of criticism. Some say the application, which claims to leave
no trail of web pages visited by automatically deleting files associated with
web sites when the application is shut down, does not work as advertised. Apparently
the deleted files are not wiped from the computer and are relatively easy to
recover. Others have complained that Browzar’s search engine serves up advertisements
within search results. Users are permitted to use other search engines, which
should address this problem. [Source] [Source] [Source].
Google, which refused to hand over user search data to
U.S. authorities fighting children’s access to pornography, says it is
complying with a Brazilian court’s orders to turn over data that could help
identify users accused of taking part in online communities that encourage
racism, pedophilia, and homophobia. The company says that the difference in
Microsoft is using data-mining techniques from a third
party in its Internet browsers to guard against “phishing” attacks, where
dubious Web sites try to harvest personal information from unknowing victims.
Digital Resolve announced that Microsoft is licensing data that comes from its
Trusted Server technology, which crawls the Internet and builds lists of Web
sites and their legitimate IP addresses. [Source]
Federal Privacy Commissioner Karen Curtis told
attendees at a Privacy Awareness Week event in
The Australian Taxation Office (ATO) has taken
disciplinary action against 27 employees for accessing taxpayer files without
permission. The tax breach is the second time in a week that government employees
have been in the news for breaching privacy at work. Last week, more than 100
Centrelink employees lost their jobs after they snooped on welfare records
related to friends, neighbors and others. Labor said the incidents raise
concerns about the federal government’s plan to implement a new smartcard,
which would contain citizens’ health and welfare information. Privacy
Commissioner Karen Curtis was asked to investigate the ATO breaches. [Source]
A mail carrier was suspended after he told people on
his route how they could opt out of receiving junk mail. Royal Mail, which
delivers bulk fliers and letters to customers, has an opt-out program
available, but it is not publicized and few people are aware of the choice. A
company spokesman acknowledged that Royal Mail had not publicized the methods
to opt out. The spokesman added that opt-out information would be added to the
company’s Web site. [Source]
Fidelity Bank & Trust has been ordered to pay US$50
million for purchasing 656,000 names and addresses from the Florida Department
of Highway Safety and Motor Vehicles. The bank bought the data to use in a
direct marketing campaign; the purchase violated the Driver’s Privacy Protection Act of 1994, which aims to protect drivers’
data from being distributed “because stalkers and other criminals had used
motor vehicle records to locate victims.” In 2004, a US District Court ruled
the plaintiff “had to demonstrate actual damages before obtaining monetary compensation
under the” law, but the 11th Circuit Court of Appeals overturned the lower
court’s ruling. [Source] [Source] [Source]
The National Institute of Standards and Technology
(NIST) has released Special Publication 800-88, “Guidelines for Media
Sanitization.” The draft guide addresses sanitization techniques for magnetic,
optical, electrical and other media types. NIST is careful to note that the “guide
is intended to assist organizations and system owners in making practical
sanitization decisions based on the type of information on their system media. It
does not, and cannot, specifically address all known types of media; however,
the described draft sanitization decision process can be applied universally to
all forms of media and categorizations of information.” [Source] [NIST Guidelines]
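The Browzar update, the Trust Digital survey and the NIST SP 800-88 item above all turn on the same point: removing a file’s directory entry leaves its bytes on the media until something overwrites them, which is why a “deleted” file can be carved back out of a second-hand device. The following Python example, added here and not taken from the newsletter or from any product or publication it mentions, simulates that on a toy block device: a plain delete drops only the directory entry and a raw scan still finds the record, while an overwrite-then-delete leaves nothing to recover. The ToyDisk class, its block size, the overwrite pattern and the sample record are all constructed for the example; the overwrite step is a generic illustration and is not a statement of what NIST’s guideline prescribes for any particular media type.

```python
"""Why "deleting" a file is not sanitizing it: a toy block device.

Added example (not from the newsletter or any product it covers).
A bytearray stands in for the disk and a dict for its directory.
Deleting only drops the directory entry, which is what an ordinary
unlink does on most filesystems; the data stays until overwritten.
"""
import os
from typing import Dict, List, Tuple

BLOCK_SIZE = 512  # constructed: block size of the toy device


class ToyDisk:
    """A flat byte array plus a directory of name -> (offset, length)."""

    def __init__(self, blocks: int = 64) -> None:
        self.media = bytearray(blocks * BLOCK_SIZE)
        self.directory: Dict[str, Tuple[int, int]] = {}
        self._next_free_block = 0  # naive bump allocator, never reuses space

    def _extent(self, offset: int, length: int) -> Tuple[int, int]:
        """Block-aligned [start, end) range occupied by a file."""
        nblocks = (length + BLOCK_SIZE - 1) // BLOCK_SIZE
        return offset, offset + nblocks * BLOCK_SIZE

    def write(self, name: str, data: bytes) -> None:
        """Allocate fresh blocks for `data` and record a directory entry."""
        offset = self._next_free_block * BLOCK_SIZE
        start, end = self._extent(offset, len(data))
        if end > len(self.media):
            raise OSError("toy disk full")
        self.media[start:start + len(data)] = data
        self.directory[name] = (start, len(data))
        self._next_free_block += (end - start) // BLOCK_SIZE

    def delete(self, name: str) -> None:
        """Ordinary unlink: forget the name, leave the bytes in place."""
        del self.directory[name]

    def sanitize_and_delete(self, name: str, passes: int = 1) -> None:
        """Overwrite the file's whole extent before unlinking it.

        Constructed procedure: `passes` passes of random bytes followed by
        a final pass of zeros, then the directory entry is removed.
        """
        start, end = self._extent(*self.directory[name])
        for _ in range(passes):
            self.media[start:end] = os.urandom(end - start)
        self.media[start:end] = bytes(end - start)
        del self.directory[name]

    def listing(self) -> List[str]:
        """What a normal user sees: only names still in the directory."""
        return sorted(self.directory)

    def carve(self, needle: bytes) -> int:
        """Forensic-style raw scan: count `needle` anywhere on the media,
        ignoring the directory completely."""
        return self.media.count(needle)


# Constructed sample record of the kind the Trust Digital item describes.
RECORD = b"ACCOUNT 1234-5678 BALANCE 1000.00 OWNER J. Doe"
MARKER = b"ACCOUNT 1234-5678"


def demo_plain_delete() -> Tuple[int, int]:
    """(files visible, marker hits on raw media) after a plain delete."""
    disk = ToyDisk()
    disk.write("statement.dat", RECORD)
    disk.delete("statement.dat")
    return len(disk.listing()), disk.carve(MARKER)  # (0, 1): still recoverable


def demo_sanitized_delete() -> Tuple[int, int]:
    """(files visible, marker hits on raw media) after overwrite-then-delete."""
    disk = ToyDisk()
    disk.write("statement.dat", RECORD)
    disk.sanitize_and_delete("statement.dat")
    return len(disk.listing()), disk.carve(MARKER)  # (0, 0): nothing to carve


if __name__ == "__main__":
    print("plain delete     ->", demo_plain_delete())
    print("sanitized delete ->", demo_sanitized_delete())
```

The toy device overwrites in place, which is the one property real hardware does not promise: wear-levelling flash, remapped sectors and journaling filesystems can keep an old copy of the data after the visible blocks are overwritten, which is exactly why media sanitization guidance sorts techniques by media type rather than offering a single wipe recipe.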
Dave Hogan, senior vice president and chief
information officer for the National Retail Federation, said most
VeriChip is lobbying the Pentagon to allow the chip
maker to implant military personnel with a tiny chip that would contain medical
and personal information. Former Health and Human Services Secretary Tommy
Thompson, who now sits on VeriChip’s board of directors and is a lobbyist, is
leading the company’s efforts to secure approval for the plan. Some privacy
advocates and members of Congress are closely watching the developments and
analyzing the plan’s privacy implications. [Source]
Peg Pérego
US – Ponemon Study: Many Believe Data Thefts Can’t Be Prevented
63% of respondents to a new data security study said they don’t believe they
can prevent data breaches.
“This group came out much, much more negative than I ever expected,” said Larry
Ponemon, the founder and chairman of the Ponemon Institute. “They said they’re
bad at detecting [breaches], but even worse at preventing [breaches].” The
11-page study, “National
Survey on the Detection and Prevention of Data Breaches,” which was
released yesterday, is based on responses from 853 IT professionals, including
senior executives, information security managers and others. The study was
sponsored by PortAuthority Technologies Inc., a vendor of information leak
prevention software. [Source]
[Coverage] [Study]
The National Institute of Standards and Technology
(NIST) has released three draft publications for public comment. SP800-45A,
“Guidelines on Electronic Mail Security,” is an update to an earlier
publication; comments will be accepted until October 6. Comments on SP800-94, “Guide
to Intrusion Detection and Prevention Systems,” are due by October 20, and
comments on SP800-95, “Guide to Secure Web Services,” will be accepted through
October 30. [Source]
Former Victorian privacy commissioner, Paul Chadwick,
claims serious breaches in the state police database, following the release of
7,000 confidential records to a prison officer. In a damning 74-page report tabled
in state parliament, Chadwick claims that there have been “recurring, systematic”
breaches of privacy laws in the Victorian Law Enforcement Assistance Program (LEAP)
database. Chadwick has ordered the Australian state’s police chief to build a new
data storage facility for the compromised database and submit to an independent
audit within 12 months. [Source] [Source] [Report]
Consumers are now getting more protection for less money
when they buy security software. Microsoft’s entry into the consumer security
software arena in late May has made PC protection cheaper, according to data
from The NPD Group. At the same time, security products are becoming more
comprehensive, analysts said. [Source]
The government services access card will be just that
- an access card, according to Kerri Hartland, the public servant who heads the
$1.1 billion project. The card has been stripped of numerous bells and whistles
floated during its genesis. “The purpose of the card is to access Commonwealth
health and social benefits, and that’s what we’re focused on,” Ms Hartland,
Office of Access Card deputy secretary, said yesterday. “We’re focused on
preventing function creep in the way the card is used.” Rather than large
amounts of information being held on the chip, the card will act as a set of
keys that allow individuals to access the various agencies they deal with. The
chip and registration database will only hold basic personal details,
concession status, a photo and signature. [Source]
Nearly 18,000 homes in B.C. – about the same number of
residences as in all of
The CRTC has issued a document which restates key
consumer rights with respect to local home phone service, in a clear and
comprehensible manner. Traditional telephone companies are directed to include
this statement of consumer rights on their website and with their residential
telephone directories. This statement clarifies consumers’ key rights which include:
the right to a local telephone service, the right to choose a phone company,
the right to confidentiality, the right to privacy when calling or being called,
and the right to register a dispute or complaint. [Source] [Statement of Key Consumer Rights]
A little-known federal program created days after
Sept. 11, 2001, examined financial aid records of college students targeted by
the FBI in terrorism investigations, but it’s unclear whether it netted any
terrorists, according to U.S. Education Department documents. The program,
called Project Strike Back, was a joint project of the department and the FBI
and was created 10 days after the terrorist attacks, according to the documents
from the department’s Office of the Inspector General (OIG). About 14 million
students apply for federal financial aid for college each year, the Education
Department says. An FBI spokeswoman said the FBI gave the OIG “a small, select
list of a couple of hundred names associated with ongoing investigations.” [Source]
[Source]
The House International Relations subcommittee has introduced
legislation that would make it illegal for American Internet companies to share
information with foreign governments. Under the new bill, companies could be
fined up to $2 million. The legislation also would create an office of Global
Internet Freedom to oversee this legislation. [Source]
Sen. Bob Bennett, R-Utah, is sponsoring a data breach
bill that would require companies to notify consumers if the information lost
is “reasonably likely to result in substantial harm or inconvenience.” The bill
also would prevent consumers from suing a company for failure to adequately
secure data. It also would prevent state attorneys general from suing a company
for violating the breach law. Privacy advocates oppose the bill, which is one
of at least 17 data security and privacy bills pending in the House and Senate.
[Source]