Privacy News Highlights

07–14 September 2006

Contents:

EU – Slovenia Adopts Biometric Passports

CA – Information Commissioner Raises Alarm on Ad for his Job

CA – Government Too Lax on Spam, Task Force Member Says

AU – Company’s Reputation Suffers After Spammers Assume its Identity

US – First Felony Conviction Against Spammer

AU – Australia Health Project in Disarray

US – IBM Engineers Develop New Technology

EU – EC Proposes Law Changes for Data Breach Notification

US – Top Corporations Web Sites Evaluated

WW – Credit Card Companies Update PCI Security Standards

CA – Supreme Court Ruling Opens Door to Freedom of Information

US – GAO Report: Healthcare Records Need Stronger Privacy Protections

US – Chase Bank Puts Credit Card Data in the Trash

US – Security Breach at Fantasy Site Loses 660,000 Credit Card Numbers

CA – BMO Laptop With Customer Account Info Stolen

CA – Canadians Won’t Need Passports to Visit U.S.: Rice Promises Cheaper, Easier ID

US – AOL to Offer ID Theft Insurance to Subscribers

EU – Warnings Exchanged in EU, Microsoft Over Vista

US – CDT Offers Framework for Evaluating DRM

EU – Report: Privacy Safeguards Needed in a World of Ambient Intelligence

US – Facebook Revamps Website After Privacy Criticisms

US – Company to Pay $1 Million to Settle Child Privacy Charges

US – Companies to Pay $2.05 Million for Creating Spyware Programs

EU – Bank of Ireland Will Refund Phishing Victims’ Losses

US – N.J. Prosecutors Defend Bid for Phone Company Records

US – Investigations Underway in HP Phone Records Scandal

US – HP Probe Is Spurring Efforts to Tighten Phone Protections

US – Lawmakers, U.S. Attorney Join HP Leak Probe

WW – EPIC Publishes Privacy & Human Rights 2005

US – California Legislature Passes RFID Privacy Bill

US – Government Agencies Expanding Use of RFID

US – RFID Security Consortium Receives $1.1 Million Grant to Study Privacy, Security

US – IBM “Clipped Tag” Recognized with WSJ Innovation Award

CA – Ontario Privacy Commissioner & BMO Release Brochure on Portable Privacy

US – NIST Releases PIV Card / Reader Interoperability Guidelines

EU – EU Releases Discussion paper on Surveillance Technology

US – New Rules to Require Automakers to Inform Customers About Black Boxes

US – Black Box Evidence Thrown Out of Court

EU – MEPs Attack EU Air Data Sharing Plans

US – Oregon Judge Blocks Attempt to Stop NSA Spying Suit

US – TSA Sends Employee Data to the Wrong Addresses

US – Committee Votes to Expand Warrantless Surveillance Authority

US – Colorado Passes Strong Computer Security Bill

CA – Biometrics in the Workplace

EU – Slovenia Adopts Biometric Passports

Slovenia started issuing its new biometric passports, featuring a biometric facial scan, at the end of August. This is in accordance with EU Regulations requiring all Member States to include facial scans on their passports as of August this year. It is also in response to requirements set by the USA for countries with a visa-free entry regime (Visa Waiver Programme). Slovenian citizens will not need to replace their passports immediately as current documents will remain valid until their expiry date. All new passports issued as of 1 September 2006 will, however, conform with the new regulations. [Source]

 

CA – Information Commissioner Raises Alarm on Ad for his Job

The federal government is moving to curtail the independence of the information commissioner’s office, outgoing commissioner John Reid complained this week. That runs counter to the Conservatives’ election promise to bring more openness to government. John Reid said that a recently posted job notice strongly suggests the Conservative government wants to fill the coming vacancy with a senior bureaucrat rather than someone more independent. “Although it appears to be what the government is seeking, a bureaucrat is the last thing Parliament and the public need as their information commissioner,” Reid said in his last official speech to the National Press Club. Reid, who’s scheduled to end his term Sept. 29, noted the Privy Council Office posted the job vacancy on an obscure government website on the Friday before the Labour Day weekend, and allowed just seven days for interested citizens to deliver their applications. The web posting has since been removed. [Source] [Source]

 

CA – Government Too Lax on Spam, Task Force Member Says

An antispam crusader fears Industry Minister Maxime Bernier is ignoring the spiraling threat of unsolicited e-mail, but a government official says substantial progress is being made. Technology consultant Neil Schwartzman, a member of Industry Canada’s spam task force, said he’s worried about Bernier’s silence on the issue since being appointed minister in February. “Nothing has moved forward,” Schwartzman said in an interview. “He has ignored the [task force] report.” Members of the task force will step up efforts to pressure Bernier to deal with the spam dilemma in the fall session of Parliament, Schwartzman said. [Source]

 

AU – Company’s Reputation Suffers After Spammers Assume its Identity

A Queensland, Australia company is suffering from the fallout of a spam attack that spoofed its good name. Clients of the National Online Talent Management (NOTM) agency as well as people unfamiliar with the company have deluged it with angry email messages about unsolicited commercial email that appeared to come from NOTM. The phony email had copied large portions of text from a legitimate NOTM email. NOTM is unsure how to repair its professional relationships and redeem its reputation. The individuals responsible for the phony email messages reside outside of Australia. [Source]

 

US – First Felony Conviction Against Spammer

A Virginia Court of Appeals has upheld the first felony conviction of illegal spamming in the U.S. In its unanimous ruling, the state appeals court wrote that Virginia has a “legitimate public interest” in policing unsolicited e-mail advertising and that the state anti-spamming law’s impact on interstate commerce “is incidental and clearly not excessive.” The appellate ruling upheld the criminal conviction of a North Carolina spammer who intentionally misidentified himself in bulk email ads, in violation of the nation’s first and toughest anti-spam law. [Source]

 

AU – Australia Health Project in Disarray

Australia’s health IT strategy is in disarray, with the peak HealthConnect governance and advisory bodies caught up in another round of deckchair rearrangement. The Australian Health Information Council, which is supposed to be responsible for introducing the $128 million nationwide e-health record program, has been in abeyance since its former chair, Professor Andrew Coats, resigned earlier this year. The council and the National Health Information Group, which provides independent advice to Australia’s health ministers, have apparently fallen foul of a review and their committees have been disbanded. Last week, the council’s website, and all the information on it, disappeared without trace, even though HealthConnect still links to the site. Meanwhile, all federal funding for HealthConnect projects ended on June 30, and no new contracts have been put in place for 2006-07. [Source]

 

US – IBM Engineers Develop New Technology

To strengthen an organization’s ability to protect sensitive data, IBM engineers in Tucson have developed an encrypted tape that offers advanced features to protect data. Users will have the ability to turn the encryption device on or off at the drive and the key can be changed if it is compromised. Sun Microsystems is planning to offer an encrypting tape drive soon. [Source]

 

EU – EC Proposes Law Changes for Data Breach Notification

The European Commission is proposing changes to European law that would require “electronic communications networks or services” to notify customers of security risks. Specifically, the changes would require subscribers to be informed of the nature of the risk, appropriate measures to take to safeguard against risk, and the likely costs subscribers will endure. [Source] [EC working document]

 

US – Top Corporations Web Sites Evaluated

The Customer Respect Group evaluates the performance of the Web sites of 100 Fortune 500 companies, rating them on the site’s functionality, communications and trust. This year’s top scorers were Intel and Sears & Roebuck. The evaluations also revealed that fewer companies are sharing personal data with business partners or third parties now than were doing so in the past. [Source]

 

WW – Credit Card Companies Update PCI Security Standards

The five major credit card companies, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, have formed the Payment Card Industry Security Standards Council, marking the first time all have agreed on a common framework for payment card security. Their first order of business was to update the current PCI Data Security Standard by providing instructions for implementing the requirements and clarifying the language, for instance, replacing vague terms, such as “regularly,” with specifics, such as “annually” or “quarterly.” The council’s goal is “to enhance payment account security by fostering broad adoption of the PCI Data Security Standard.” [Source] [Source]

 

CA – Supreme Court Ruling Opens Door to Freedom of Information

The Supreme Court of Canada struck a blow for freedom of information and the right to pursue a lawsuit last week, opening up a potential gold mine of information to future litigants. The 5-2 judgment was vindication for a man who has spent 10 years battling the government for files it had suppressed relating to his prosecution on environmental offences. The court said the government must hand over the material so the man can pursue a lawsuit for fraud, perjury, conspiracy and abuse of prosecutorial powers. Legal experts said the ruling is a major boon for litigants who launch legal action after a criminal or regulatory offence has been resolved, and who want access to the strategies used by authorities. Those who could benefit include groups who launch product-liability class actions, plaintiffs seeking damages arising from a government program; or citizens who believe they were unfairly prosecuted. [Source]

 

US – GAO Report: Healthcare Records Need Stronger Privacy Protections

A report from the GAO titled “Domestic and Offshore Outsourcing of Personal Information in Medicare, Medicaid and TRICARE” says that more than “40% of federal health insurance contractors and state Medicaid agencies reported experiencing a privacy breach involving personal health information in the past two years.” The report also indicates that services involving healthcare data are commonly outsourced. The report suggests that there is inadequate privacy protection for health care records. The GAO report recommends that privacy breach notifications should be extended to more Medicare contractors that deal with personal health information and to state Medicaid agencies. [Source] [Source] [GAO Report] [CMS should tighten privacy of health data held by contractors]

 

US – Chase Bank Puts Credit Card Data in the Trash

A division of J.P. Morgan Chase has said that personal information on 2.6 million past and current Circuit City credit card holders was mistakenly thrown out as trash. Chase Card Services said last week that it mistakenly tossed out computer tapes with the personal information of Circuit City card holders. It said it believes the tapes, inside a locked box, were compacted, destroyed, and buried in a landfill. [Source]

 

US – Security Breach at Fantasy Site Loses 660,000 Credit Card Numbers

Second Life, a three-dimensional virtual world for entrepreneurs, is asking its 660,000 members to change passwords after a security breach may have exposed users’ confidential data, including credit card numbers and passwords. The company has determined that a hacker accessed at least one Web server for up to several hours. [Source]

 

CA – BMO Laptop With Customer Account Info Stolen

Hundreds of banking customers have been told to monitor their accounts after a laptop containing personal information was stolen from a downtown Ottawa branch. The stolen computer contains personal data for 900 of the bank’s clients. A spokesman for BMO Bank of Montreal confirmed yesterday that a laptop containing clients’ personal information went missing last May. [Source]

 

CA – Canadians Won’t Need Passports to Visit U.S.: Rice Promises Cheaper, Easier ID

U.S. Secretary of State Condoleezza Rice sought to reassure Canadians this week that they will be able to travel to the U.S. with documents other than a passport once new travel security rules take effect in 2008. “It will not be the necessity of a passport. We are looking for an authentic document, a document that can authenticate identity, but one that is relatively cheap and easy to acquire, but that can help to keep the border secure, and we will be getting those rules out very soon,” Ms. Rice said during her visit. When asked to be more specific, Ms. Rice acknowledged people are confused about what will be required and said only that it needs to be clarified quickly. [Source]

 

US – AOL to Offer ID Theft Insurance to Subscribers

Free insurance coverage for identity theft and computer damage is among the premium security offerings AOL is making available to its dwindling base of paying subscribers. The move follows last month’s decision to give away AOL.com e-mail accounts, software, and other features once reserved for paying subscribers and remove key reasons for millions of customers to keep paid accounts. [Source]

 

EU – Warnings Exchanged in EU, Microsoft Over Vista

EU officials warned Microsoft yesterday not to shut out rivals in the security software market as the company plans to launch its Windows Vista operating system with built-in protection from hackers and malicious programs. Meanwhile, Microsoft warned EU regulators to avoid attempting to block the in-house security upgrades it is making to the long-delayed Windows upgrade now scheduled for release to companies in November and consumers in January. [Source] [Microsoft gives go-ahead to open-source Web services: Company won’t assert patents related to 35 Web services specs--a move designed to ease developers’ legal concerns] [Microsoft Open Specification Promise (OSP)]

 

US – CDT Offers Framework for Evaluating DRM

The Center for Democracy & Technology (CDT) this week released a document designed to help promote a greater public understanding of the choices and tradeoffs associated with products and services that include Digital Rights Management (DRM) technology. The paper details a series of “metrics” for evaluating DRM that fall into four major categories: transparency, effect on use, collateral impact, and purpose/consumer benefit. The paper is aimed at fostering greater public understanding and discussion of DRM, on the assumption that marketplace pressures from an informed consumer base can help promote a market for digital media products that is diverse, competitive, and responsive to reasonable consumer expectations. [Press Release] [Evaluating DRM Paper] [Quick Reference Guide] See also: [NZ Govt Identifies DRM and Trusted Computing Risks] and associated document: [Trusted Computing and Digital Rights Management Principles & Policies]

 

EU – Report: Privacy Safeguards Needed in a World of Ambient Intelligence

A recent EU report concluded that personal data protection is vital to future civil liberties. How will we safeguard our personal privacy in a society characterized by ubiquitous intelligent sensors? SWAMI project researchers aimed to find out. Product miniaturisation is fast reaching the level where tiny, intelligent devices can be embedded into virtually any part of our environment. This is the era of ambient intelligence (AmI), where micro-electromechanical sensors no larger than a grain of sand will be capable of detecting everything from light to vibrations. These advances place us on the threshold of a civilization in which our very surroundings are intelligent, in which our every action is accompanied by a host of invisible interactions. In an environment of continuous communication surrounding everything we do and where we go, how can our security, personal privacy and civil liberties be protected? These are the issues that the partners in the IST project SWAMI set out to examine. [Source] [SWAMI site] [Final Report]

 

US – Facebook Revamps Website After Privacy Criticisms

Facebook, a popular Web-based hangout for students, revamped its site to let users disable or modify a new feature that had touched off protests from hundreds of thousands of members. The changes came a few days after the site launched a service that prominently displayed changes members made to their Web profiles on the pages of others in their Facebook social networks – a move that critics said called too much attention to personal information, such as when a relationship ended. [Source] [Source]

 

US – Company to Pay $1 Million to Settle Child Privacy Charges

Xanga.com, a social-networking and blog site, has been ordered to pay $1 million in a settlement with the FTC for violating the Children’s Online Privacy Protection Act. The FTC said that Xanga, which has been in operation since 1999, had been letting people create accounts even if the dates of birth they entered indicated that they were under the age of 13. [Source]

 

US – Companies to Pay $2.05 Million for Creating Spyware Programs

Two California companies have agreed to pay $2.05 million to the FTC to settle charges that they created spyware programs that reached 18 million computers worldwide. The payment is the second-biggest spyware settlement collected by the agency. Industry experts contend the problem is difficult to contain despite enforcement efforts. One problem is that many users still do not protect themselves by installing or updating anti-spyware programs. Last month, Webroot researchers indicated that 89% of computers used by consumers were infected with an average of 30 pieces of software. [Source] [Source] [COPPA background info]

 

EU – Bank of Ireland Will Refund Phishing Victims’ Losses

Bank of Ireland (BOI) has apparently had a change of heart, agreeing to restore funds of nine customers bilked out of a total of €160,000 with phishing emails. The nine customers had threatened to sue the bank after it initially said it would not refund the money that they had lost. Some people have expressed concern that BOI’s willingness to refund the money will encourage other phishers to launch attacks and cause other customers to expect the same compensation should they fall victim to phishing attacks. Banks are likely to begin implementing more stringent security measures for online banking, including placing some of the onus of protecting account details on the customers’ shoulders. [Source]

 

US – N.J. Prosecutors Defend Bid for Phone Company Records

The State of New Jersey argued last week that it has the right to obtain information about a federal domestic surveillance program because that program is no longer a secret. New Jersey prosecutors subpoenaed 10 phone companies in May because of suspicion that state consumer protection laws may have been violated if phone companies were turning over records to the NSA. The federal government sued the New Jersey attorney general’s office in federal court June 14, claiming compliance with the state’s subpoenas or even acknowledging the existence of such a program would threaten national security. [Source]

 

US – Investigations Underway in HP Phone Records Scandal

After confidential information about Hewlett Packard’s (HP) long-term strategy was leaked to the media, HP chairwoman Patricia Dunn hired a consultant to investigate board of directors members’ communications and determine the source of the leak. The directors were unaware of the investigation. The consultant obtained the directors’ home and private cell phone records through “pretexting,” or deceiving the phone company into believing he was the account holder. HP has filed a report with the SEC acknowledging an internal investigation into the matter. Meanwhile, the California Attorney General is investigating whether the actions violated state laws against identity theft or theft of computer information. [Source] [Source] [Source] [Source] [Source] [Source] [Pretexting] [Pretexting] [Experts: Companies Should Keep a Close Eye On Consultants, Vendors] [California Bill against pretexting phone records on track] [HP Chairman to Step Down]

 

US – HP Probe Is Spurring Efforts to Tighten Phone Protections

In the wake of disclosures that HP investigators obtained private phone records of board members, the FCC is redoubling efforts to toughen rules requiring phone companies to protect customer information. By the end of October, the FCC plans to propose rules that will require phone companies to strengthen security procedures and close loopholes that have allowed private investigators and others to access private records. [Source]

 

US – Lawmakers, U.S. Attorney Join HP Leak Probe

The U.S. Department of Justice has launched a probe into the techniques HP used to identify the source of media leaks. Meanwhile, a House of Representatives committee has also requested the computer maker to turn over documents and to provide certain information by Sept. 18. [Source]

 

WW – EPIC Publishes Privacy & Human Rights 2005

The Electronic Privacy Information Center and Privacy International have issued the 2005 edition of their massive Privacy and Human Rights, reporting on the state of data protection in 70 countries. “Many countries have pursued new identification schemes, increased the monitoring of private communications, and launched assaults on data protection laws,” said EPIC director Marc Rotenberg. “At the same time, there is a growing political debate about these proposals and creative efforts by non-governmental organizations to stop new systems of surveillance. Citizens around the world still care deeply about the right of privacy, which is found in virtually every constitution of a modern nation state. How well governments succeed in protecting this fundamental right is the question that the annual Privacy and Human Rights report seeks to answer.” [Source]

 

US – California Legislature Passes RFID Privacy Bill

The California legislature has passed the Identity Information Protection Act, which requires that ID documents issued by state agencies with remotely readable RFID chips must contain adequate security features to prevent them from being read by unauthorized parties. The bill, SB 768 by State Sen. Joe Simitian, would require a higher level of security when the state ID document includes personal information. The bill also requires the California Research Bureau (CRB) to conduct a research study on the use of RFID in government-issued identification documents as well as the security and privacy of the new technology. The bill awaits consideration by Gov. Arnold Schwarzenegger. Other bills to prevent RFID tagging of children or restrict RFIDs in non-state IDs are pending before the legislature. [Source] [Industry View]

 

US – Government Agencies Expanding Use of RFID

The U.S. Department of Defense, as well as federal and state civilian agencies, are increasingly deploying or planning to implement RFID technologies throughout their organizations. In a recent survey of government IT professionals, a significant number of respondents were already using, expanding or about to adopt RFID to enhance personnel ID and access control, asset management and inventory control, and supply chain logistics, among other uses. One in five respondents who are using, or plan to use, RFID said they were now engaged in “full-scale integration” of RFID systems, and two-thirds said they were either in pilots, early-stage implementations or conducting initial evaluations for deployments. 56% of respondents were from federal civilian agencies, 26% from the DoD, 9% from state and local governments and another 8% from other organizations (government suppliers, contractors, consultants and OEMs) working for government agencies. [Source]

 

US – RFID Security Consortium Receives $1.1 Million Grant to Study Privacy, Security

The National Science Foundation (NSF) has awarded a $1.1 million grant to a consortium studying the privacy and security implications of RFID technology. This group, the RFID Consortium for Security and Privacy (RFID CUSP), is comprised of academics and industry representatives tasked with researching ways in which RFID applications may impact consumer security and privacy. The group will also suggest methods for ensuring that RFID is deployed in a manner that makes it safe both for consumers and for companies incorporating the technology into their businesses. CUSP hopes to develop cryptographic protocols and work with standards bodies to incorporate stronger data protection tools into standard tag and reader protocols, as well. [Source] [CUSP website]

 

US – IBM “Clipped Tag” Recognized with WSJ Innovation Award

IBM was recognized by the Wall Street Journal this week for its “Clipped Tag” RFID technology, which allows consumers to tear or scratch off the RFID antenna on a tagged item. The WSJ acknowledged IBM’s leadership in RFID technology as part of the newspaper’s annual Innovation Awards. [Source]

 

CA – Ontario Privacy Commissioner & BMO Release Brochure on Portable Privacy

Thousands of people have found themselves facing the potential threat of identity theft simply because someone took a laptop – packed with personal information – home with them or on a business trip and the laptop was later lost or stolen. A brochure from the Information and Privacy Commissioner for Ontario, Canada, “Reduce Your Roaming Risks: A Portable Privacy Primer” provides hands-on, practical information on how to reduce risks. [Source] [Brochure] [Robert Ellis Smith’s Laptop Hall of Shame]

 

US – NIST Releases PIV Card / Reader Interoperability Guidelines

NIST has announced the release of NIST Special Publication 800-96, PIV Card to Reader Interoperability Guidelines. This document provides requirements for PIV card readers in the area of performance and communications characteristics to foster interoperability. Requirements for the contact and contactless card readers for both physical and logical access control systems are provided in this document. The requirements are for the PIV readers designed to read end-point cards. [Source]

 

EU – EU Releases Discussion paper on Surveillance Technology

The European Commission (EC) has adopted a green paper on surveillance technology used by the civil society in the fight against terrorism that will be open for public consultation until the end of this year. The green paper is meant to find the best technologies to be used “in the service of the security of its citizens”. The EC aims to enhance collaboration between the private and public sectors in identifying current best practices and systems and helping to spread them within the EU, as well as to support the creation of new, more efficient surveillance technologies that are more widely available and cost less. The green paper admits detection technologies are intrusive into private life and states that limitations must be established on this intrusion when developing and using such technologies. However, concerns have been expressed by defenders of civil liberties who believe the industry already has too much control over surveillance policies in Europe. [Green Paper on detection technologies in the work of law enforcement, customs and other security authorities] [Press Release] [Tell the EC about surveillance] [Statewatch report: Arming Big Brother: The EU’s Security Research Programme]

 

US – New Rules to Require Automakers to Inform Customers About Black Boxes

The Department of Transportation’s National Highway Traffic Safety Administration (NHTSA) has issued rules requiring automakers to inform car buyers if their cars contain “black boxes” that record and store data and help to determine the causes of accidents. NHTSA’s new rules take effect in 2011. [Source]

 

US – Black Box Evidence Thrown Out of Court

A jury acquitted a man charged with vehicular homicide after his attorney argued that the black box in his car that prosecutors used to show that he was driving too fast on a snowy road was subject to a recall. The case highlights the privacy concerns surrounding the use of data collected by the devices, which are beneath the hoods of 64% of model year 2005 cars. [Source]

 

EU – MEPs Attack EU Air Data Sharing Plans

MEPs have attacked controversial EU handovers of air passenger data to US security agencies. European justice commissioner Franco Frattini came under fire last week during a debate on a new EU-US passenger name record (PNR) agreement. “The vast majority of this house is not opposed to strengthening security where necessary. But the majority are opposed to the transfer of PNR,” one MEP declared. “It must be done in a reasonable way and we do not think this is the case in current proposals.” MEPs are concerned the collection of PNR data breaches privacy and may not be used solely to fight the so-called war on terror. “It is not clear that there is use for PNR,” another MEP remarked. “We need to know what PNR is being used for in the US. Concerns also arise over EU plans for positive profiling.” After heated discussions, the MEPs decided to back the Commission in the negotiations of the interim accord that will be valid by the end of November 2007 on condition they are involved in the negotiations. The EP asked for joint decision-making rights with the Council of Ministers on the negotiations that will take place after November 2007. It also proposed a dialogue between parliamentarians from the EU, US, Canada and Australia by the end of this year in order to have a global approach on the issue of PNR and also to help in the preparation of the 2007 review of the agreement. [Source] [Source] [Source] [EU fights flight data deal with US] [Source] [Source] [Source] [Source] [Source]

 

US – Oregon Judge Blocks Attempt to Stop NSA Spying Suit

A federal judge in Oregon has rejected the government’s attempt to block a lawsuit against the NSA’s massive electronic surveillance without warrants or court permission as part of supposed anti-terrorism investigations. The decision follows a similar case in Michigan. [Decision]

 

US – TSA Sends Employee Data to the Wrong Addresses

The error-prone Transportation Security Administration (TSA) says one of its contractors sent former employees’ personal documents to the wrong addresses. The agency said that Accenture, a global technology consulting firm that was contracted to the TSA, had mistakenly mailed nearly 1,200 former employees documents on other employees, including personal information such as names, addresses, Social Security numbers, and salary information. The TSA notified affected former employees by mail in late August. Neither the TSA nor Accenture offered a statement explaining or apologizing for the error, though the TSA counseled employees to put fraud alerts on their credit files. [Source] The mail mixup is the latest in a series of privacy-related snafus for the TSA. [Source]

 

US – Committee Votes to Expand Warrantless Surveillance Authority

The Senate Judiciary Committee approved several NSA bills this week – two of which would radically expand the President’s authority to conduct warrantless surveillance inside the United States. Senator Arlen Specter’s bill (S. 2453), which Specter revised to accommodate White House requests for greater authority, would ratify and dramatically expand the President’s authority to wiretap Americans without judicial approval. Senator Mike DeWine’s bill (S. 2455) would authorize warrantless wiretapping programs without prior judicial approval and under a lower standard than the Fourth Amendment requires. The full Senate could take up the bills as early as next week. [CDT Analysis: Specter and Wilson FISA Bills]

 

US – Colorado Passes Strong Computer Security Bill

Colorado House Bill 1157 officially creates the position of chief information security officer. Under the legislation, this officer has control over the state’s cyber security policies and procedures to protect computer systems in state agencies and the citizen information on those computers. The governor had made cyber security one of his priorities in the State of the State. [Source]

 

CA – Biometrics in the Workplace

Blake, Cassels & Graydon LLP have reviewed litigation and court decisions about the use of biometric technology in the workplace. They conclude that recent decisions “make it clear that courts and arbitrators find it challenging to balance the privacy rights of employees and the legitimate business needs of employers in applying privacy laws to the employment relationship.” The review concludes that “the current state of the law in Canada appears to accept biometric technology in the workplace, so long as it is implemented for a clear business purpose and its necessity is supported by objective evidence.” [Source]

 

 
