Privacy News Highlights
30 March–06 April 2007
Contents:
US – NIST Report: Technology for Computerized Facial Recognition is Improving
UK – Blair: Border Security Requires All Foreign Visitors to be Fingerprinted
US – Bank of Hawaii Deploys System to Scan Faces of People Entering its Branches
CA – U.S. Financial Snooping Did Not Break Canadian Law: Stoddart
CA – Manitoba Legislation to Protect Whistleblowers Comes Into Effect
US – Survey: Travelers Wary of Registered Traveler Program, Privacy Concerns Cited
US – Zogby Poll: High Anxiety Over ID Theft
CA – Canada Still at the Forefront of E-Government: Accenture
US – SEC Filing Reveals Limits of Encryption to Protect Consumer Information
WW – German Researchers Crack WI-FI Encryption Network in 60 Seconds
EU – Data Privacy at Risk in EU-US Air Data Talks: Frattini
US – COPA Struck Down, Again; Judge Says Filters Are Very Effective
US – Nevada Legislators Vote Against Data-Mining Companies
AU – Australia Photo ID Needed for Cold and Flu Remedies
US – 500 IRS Laptops Missing or Stolen; IRS Data Not Adequately Protected: Audit
US – Privacy Advocate Prompts Colorado to End Web Access to Some Public Docs
UK – One in Three UK Firms Fails to Report Security Breaches
US – Audit Finds Fault with Computer Controls at DOE Counterintelligence Directorate
WW – Two-Factor Authentication Won’t Last
UK – A Third ‘Will Refuse ID Checks’
UK – Fraud Victims Must Now Report Crimes to Banks
WW – How to Crack the Problem of Internet Password Security
AU – Australia Landmark Ruling on Privacy “A Free-Speech Threat”
NZ – New Zealand Opposition Grows Re: Births Deaths Marriages Privacy Bill
WW – Privacy is Good for Business: Harriet Pearson – IBM Chief Privacy Officer
EU – EU Declines to Issue New RFID Rules
US – California Lawmakers Try Again to Create RFID Protections
AU – New RFID Tag Aims to Protect Consumer Privacy
US – GAO: IRS Slow to Fix Numerous IT Security Gaps
UK – Employees using Web 2.0 Technologies Increase Security Risks, Experts Say
UK – BBC Program has Child Put Keylogger on MP’s Computer
WW – Websense Opinion Poll Highlights Lax Attitude Toward Data Security
AU – Australia ID Card Hearings Cancelled: “A Lack Of Interest”
AU – Australia Passport SmartGate Goes Ahead
RU – Russian Duma to Wiretap Every Home in Russia
UK – ‘Talking’ CCTV Scolds Offenders
US – FCC Issues New Rules to Prevent Telephone Pretexting
US – South Carolina Senate Votes to Reject Real ID
US – Census Bureau Turned Over Sensitive Info on Japanese-Americans During War
US – Lawmakers Approve Bill to Help Protect Taxpayers from ID Theft, Phishing
US – Colorado Lawmakers Drop Bill To Create Massive Database
US – Federal Appeals Court: Search of Employee-Owned Computer at City Hall Is Lawful
EU – EU Court Rules Monitoring of Employee Breached Human Rights
US – Walmart Backs Security After Surveillance Practices Revealed
Technology for computerized facial recognition is ten
times more accurate now than it was four years ago, and the best of the systems
outperform humans, the National Institute of Standards and Technology (NIST) said. The federal
government has pressed the private sector to improve facial and iris
recognition technology dramatically so as to pave the way for improved
biometric systems, and NIST has overseen the process in tests called the Face
Recognition Vendor Test (FRVT) 2006 and the Iris Challenge Evaluation (ICE)
2006. The facial-recognition test compared vendor systems on their
ability to recognize high-resolution still images and three-dimensional facial
images, under both controlled and uncontrolled illumination. The ICE 2006 test
reported iris recognition performance from left and right irises. The study
compared the facial recognition test results with an earlier evaluation called
the FRVT 2002. [Source]
UK PM Tony Blair hosted a seminar last week with
leading biometric and immigration experts as the government published a new
strategy for securing the UK’s borders. Under the plans, all foreign visitors
from outside the EU will be required to give a biometric sample before they
arrive, or upon arrival. The PM said biometric technology was integral to
securing Britain’s borders. Critics say all Blair’s program will do
is make traveling more of a hassle, which could have a negative effect on tourism
and education, as well as create more bureaucracy. “Fingerprinting someone who
lands on our shores for the first time will achieve precisely nothing, and
trying to match the fingerprints of an unknown to the records of the over 90
million per year who pass through our borders is a technical impossibility.” [Source] [EU: Two Fingerprints or Ten?] [UK – Benefit Claimants to Face Lie Detector Tests]
The Bank of Hawaii is using facial recognition
technology in an attempt to bolster security in its branches. The 3VR Security
system could potentially thwart bank robberies by recognizing bank robbers from
previous hold-ups. Bank security officials also are relying on the system to
detect suspects who pass stolen or forged checks - which cost the average bank
branch more than $100,000 a year, according to one expert interviewed. [Source] See also: [India Deploys Biometric Cash Machines]
In her report of findings, Canada’s privacy
commissioner says it was perfectly legal for an international banking
co-operative to supply information about Canadians’ banking activities to U.S.
intelligence without their knowledge or consent. But Commissioner Jennifer
Stoddart has written the Finance Minister to ask him to contact U.S.
authorities to request that in the future they use established channels of
information sharing, which are more transparent and less open to abuse. The
privacy office launched the investigation after revelations last June that the
U.S. had secretly subpoenaed financial records routed through the European-based
Society for Worldwide Interbank Financial Telecommunications, called SWIFT. A
separate complaint was launched against six Canadian banks that used SWIFT to
process money orders into and out of the U.S. According to the complainant and
Canadian privacy advocate, Pippa Lawson, the Privacy Commissioner’s ruling
highlights flaws in current Canadian privacy legislation: “These flaws have led
to Canadians’ personal data being divulged to foreign governments that don’t
have the same sensitivity to privacy issues as we do”, she noted. For instance,
she said, in this case, data such as customer names, account numbers, and other
personal identifiers were provided to SWIFT, as the request was deemed lawful. “We
are allowing foreign states to determine our privacy when our personal
information is transferred to another country,” says Lawson. [Source] [News release] [Executive Summary] [Report of Findings] [SWIFT scandal exposes privacy vulnerabilities] [Banks cleared of handing over information to U.S.] [SWIFT Ruling Highlights “Gaps” In Canada’s Privacy Laws]
The Manitoba Finance Minister has announced that the Public
Interest Disclosure (Whistleblower Protection) Act to protect
whistleblowers who report wrongdoings within the public sector is now in
effect. “Public sector employees including those in departments, Crown
corporations, regional health authorities (RHAs), statutory child and family
services agencies and authorities, and independent offices of the legislative
assembly will now be covered under the broadest provincial legislation of its
kind in Canada.” The legislation provides protection to employees from
reprisal. The legislation empowers the Manitoba Labour Board to determine
whether there has been a reprisal against an employee for making a disclosure
under the act and grant remedies including reinstatement. Anyone found to have
taken a reprisal against an employee or found to have contravened other
sections of the act could also face a fine of up to $10,000. [Source]
The vast majority of travelers don’t plan to enroll in
the Registered Traveler Program, despite the fact that their biggest security-related
complaint is long lines at airports, according to a recent Tourism, Hospitality
& Leisure survey commissioned by Deloitte & Touche USA. According to
the survey, 61% of travelers were unaware of the program. However, even after
reading a description of the program, 83% were not interested in enrolling,
despite the program’s goal of enabling travelers to quickly move through
security checkpoints. “Privacy concerns may be to blame for the lack of
interest, since 75% of survey respondents expressed concern about privacy
issues related to the program,” said Deloitte & Touche. [Source] [Registered Traveler Programs Dispute D&T Survey]
An online poll of 6,703 U.S. adults found that 91%
said they are concerned that their identities might be lifted and used to
commit fraud. Half of the respondents said they were “very” concerned about ID
theft. The survey also found that the respondents are concerned about what
companies may do with personal information collected from customers. 91% said
they are concerned that businesses could sell their personal information for
marketing purposes. 83% said they worry that information they provide to stores
could end up in the wrong hands. [Source]
Accenture and other analyst firms place Canada in the leading group
for the implementation of e-government concepts and technologies. The
management and IT consulting firm Accenture has ranked Canada first since
2001 on a list of 22 countries for its use of e-government concepts and
technologies. In 2005, Canada scored 68% in the firm’s ranking, ahead of the
United States, which held second place with a score of 62%. Together, these
two countries make up what the firm calls “trendsetters”, characterized by a
score of 61% or more in the company’s ranking; the average score was 48% in
2005. The score reflects how effectively the government administration has met
the challenges inherent in implementing e-government concepts and
technologies. Governments that scored 51% to 60% are among the “challengers”,
while those that scored 41% to 50% are described as “followers”. The rest are
at the learning stage. [Source] [Source]
TJX’s filing with the Securities and Exchange
Commission (SEC) last week sheds some light on how hackers were able to
overcome encryption and other security measures undertaken by the company to
protect customer data. Despite efforts to beef up security in April 2004, the
SEC filing indicates that the hacker or hackers sidestepped encryption by
capturing information at the time of transactions -- when the data was not
encrypted. Furthermore, the filing indicates that the hacker may have obtained
the company’s decryption software. An expert points out in this Boston Globe
story that encryption is “only as good as your process for protecting the keys.”
[Source]
[Source]
The Wi-Fi security protocol WEP should not be relied
on to protect sensitive material, according to three German security
researchers who have discovered a faster way to crack it. Mathematicians showed
as long ago as 2001 that the RC4 key scheduling algorithm underlying the WEP
(Wired Equivalent Privacy) protocol was flawed, but attacks on it required the
interception of around 4 million packets of data in order to calculate the full
WEP security key. Further flaws found in the algorithm have brought the time
taken to find the key down to a matter of minutes – not necessarily fast enough
to break into systems that change their security keys every five minutes. Now
it takes just three seconds to extract a 104-bit WEP key from intercepted data
using a 1.7-GHz Pentium M processor. The necessary data can be captured in less
than a minute, and the attack requires so much less computing power than
previous attacks that it could even be performed in real time by someone
walking through an office. Anyone using Wi-Fi to transmit data they want to
keep private, whether it’s banking details or just e-mail, should consider
switching from WEP to a more robust encryption protocol, the researchers said.
[Source] [Technical Details of Cryptographic Attack] [Source]
See also: [Secure links offer new threat: Hackers manage to exploit encrypted SSL connections]
Data privacy will be weakened if Washington pushes to
replace an EU-U.S. air passenger data deal with individual deals with EU states
or airlines, the bloc’s top security official said ahead of talks in Berlin.
Under a temporary agreement reached as part of U.S. efforts to combat
terrorism, European airlines must pass on up to 34 items of data on passengers,
including their addresses and credit card details, to be allowed to land at
U.S. airports. That deal expires at the end of July. [Source] [EU, U.S. commit to swift air passenger data deal]
Congress’ efforts to muzzle pornography on the Web
were dealt another serious setback last week, when a federal judge ruled a 1998
law was unconstitutional and violated Americans’ First Amendment rights. A U.S.
District judge permanently barred prosecutors from enforcing the Child Online
Protection Act, or COPA, saying it was overly broad and would undoubtedly “chill
a substantial amount of constitutionally protected speech for adults.” The
lawsuit was filed by the ACLU. In the section of the ruling on “The
Effectiveness of Filters”, the court reviews a number of studies on filters, including
Consumer Reports, the COPA Commission, testimony in CIPA, and the data gleaned
via subpoena from Google and MSN. The judge concludes, “I find that filters
generally block about 95% of sexually explicit material.” [Ruling]
[Background]
A key state Senate panel voted last week for a bill
that would make Nevada the second state in the country to ban data mining
companies from buying doctors’ prescribing information. The Senate Commerce and
Labor Committee voted 4-1 for SB231. Sen. Maggie Carlton, D-Las Vegas, cast the
opposing vote, saying the bill would expand patient privacy rights to doctors
and “I’m not ready to go there yet.” A
handful of data mining companies had been purchasing information about which
doctors prescribe which medications for over a decade, selling the information
to pharmaceutical companies. [Source]
People buying cold and flu medicines will have to show
photo ID under a new plan to reduce the use of such products in the manufacture
of illicit drugs. The federal Government and Pharmacy Guild of Australia (PGA)
today launched Project STOP, a national database to record sales and the identification
of people purchasing pseudoephedrine-based medicines. [Source]
According to a March 23, 2007 report from Treasury
Inspector General for Tax Administration J. Russell George, “the IRS is not
adequately protecting taxpayer data on laptop computers and other portable
electronic media devices.” In the period from January 2003 through June 2006,
nearly 500 IRS laptops were lost or stolen. Many of the incidents were not
reported to the IRS computer security office. While there is “limited
definitive information” about the data on the missing and stolen computers, the
IG’s office tested 100 laptops currently in use at the IRS and found 44 with “unencrypted
sensitive data, including taxpayer data and employee personnel data.” IRS
Commissioner Mark Everson says the agency has installed automatic encryption
software on almost all laptops currently in use and all laptops have been
issued locks. [Source] [Treasury Audit] [Source] [Source] [Source] [IRS Laptop Security Shortcomings Places Taxpayers At Risk] [IRS Audits Self Into Data-Theft Hot Seat]
The Colorado Secretary of State’s business division
shut down online access to certain documents on its Web site after being
notified by a privacy advocate that the site had been posting potentially
thousands of documents with Social Security numbers since 2001. Secretary of
State Mike Coffman took the step to “prevent identity thieves from pulling
personal identifying information from Uniform Commercial Code filings” posted
on the site, according to a statement posted on the agency’s site last night.
The move was identical to one made just last week by California Secretary of
State Debra Bowen, who also shut down online access to UCC documents because of
identity theft concerns. [Source]
A third of U.K. businesses are failing to report data
security breaches and criminal attacks, new research has revealed. The finding
comes from a survey of 285 companies by trade event organizer Infosecurity
Europe. Detailed follow-up interviews with a panel of 20 chief security
officers from large enterprises revealed that businesses are subject to e-crime
attempts every day, but companies found it hard to establish at what point it
became sensible to report an attack. Businesses are seeking to achieve a
balance between their responsibility to report crimes in order to prevent and
predict incidents in the wider commercial community and preventing the clear
material losses that arise from reputation damage. [Source]
A Department of Energy (DOE) inspector general’s audit
found “problems with the control and accountability of desktop and laptop
computers” at the Counterintelligence Directorate. Twenty desktop computers are
missing from the department; of those, at least 14 were used to process
classified data. The audit also found “the department is using [57] computers
not listed in its inventory, and one computer listed as destroyed was in fact
being used.” [Source]
[Report]
US – Texas A.G. Sues Radioshack Over Trashed Customer Records: The Texas Attorney General is suing
RadioShack after the retailer’s employees dumped thousands of customer records
in garbage bins behind a store near Corpus Christi, Texas, on March 21. The
records contained SSNs, credit and debit card information, names, addresses and
telephone numbers, according to investigators. [Source] [Source]
US – EMT Fired for Stealing Patient Data: An emergency medical technician (EMT) has been fired
from the University of Illinois Medical Center at Chicago (UIC) for allegedly
using his position to access sensitive patient data. Leslie Langford was
charged with eight counts of felony identity theft. He allegedly accessed
records of 243 patients, but just eight records were allegedly misused. The
data include SSNs and driver’s license numbers. Langford was arrested on
February 23; the hospital sent affected patients breach notification letters on
March 8. Hospital administrators received a tip about the activity and were
able to determine through the electronic record keeping system which employee
was accessing the data, and which data were being accessed. [Source]
[Source]
US – Missing Computers Hold Navy Data: Three laptop computers have been reported missing from
the Navy College Office in San Diego. The computers may contain sailors’
personally identifiable information, including SSNs, names, rates and rankings.
Those potentially affected by the data security breach are “Sailors and former
Sailors homeported on San Diego ships from January 2003 to October 2005 and who
were enrolled in the Navy College Program for Afloat College Education.” The
Naval Criminal Investigative Service (NCIS) “is investigating the incident as a
possible theft” and is working with San Diego police to recover the computers.
[Source]
US – California UCSF Probes Possible Data Breach, 46,000 At Risk: A possible computer security breach at the
University of California at San Francisco may have put 46,000 campus and
medical center faculty, staff and students at risk of identity fraud. Personal
information, including names, Social Security numbers and bank account numbers
used for electronic payroll and reimbursement deposits may have been released
from a server located at a University of California data center in Oakland, Calif.,
UCSF said in a statement. [Source]
[Source]
EU – ABN Amro Reimburses Four Customers for Phishing Losses: Netherlands-based bank ABN Amro is
compensating four online banking customers who lost funds in a
man-in-the-middle attack while using two-factor authentication. The victims
received phishing emails with attachments; when the attachments were opened,
they installed malware on the computers, so the next time the users tried to conduct
banking business online, they were redirected to a spoofed site where attackers
used their temporary, token-supplied passwords to withdraw funds from their
accounts. [Source]
A panel at the recent e-Crime Congress in London said
two-factor authentication will not reduce phishing levels. Ross Anderson noted
that two-factor authentication is vulnerable to man-in-the-middle attacks and
predicted “Some banks will introduce it, it will be quickly broken and then
quickly forgotten.” [Source]
One in three people are expected not to cooperate with
identity card checks, Home Office papers from 2004 suggest. Papers revealed
under information laws show officials have worked on the basis 60% of people
would carry a card, during the scheme’s voluntary phase. They assume another
10% would confirm their ID via fingerprint or eye scans but 30% “will refuse”
to voluntarily show their card or biometric data. The Home Office said the
documents were “incredibly out of date”. A spokesman said the identity card
scheme had evolved a great deal since these “historic documents” were produced.
But he declined to say whether the assumptions - which only cover people who
have got an ID card - themselves had changed. [Source]
As of April 1, 2007, the UK’s Fraud Act 2006 directs that, “in most cases, consumers will be
required to report check, plastic card and online fraud offences to their”
financial institutions rather than to police. Those institutions will then
forward the information to the authorities as they see fit. The change was made
“to reduce the level of bureaucracy involved in fraud recording and to
streamline reporting and the initial investigation of such crimes.” There is
concern that the banks will use this new position of authority to hide the
actual incidence of fraud. Furthermore, banks lack the “knowledge, expertise
and powers” to handle the cases. [Source]
[Source]
[Source]
It’s a good bet that if you have 20 online accounts,
you don’t have 20 different passwords. In fact, according to a survey by
Kaspersky Lab, most people (51% of us) only have between one and four passwords
for 20 accounts. We are insecure. But recent developments mean we could be more
secure in the near future. While it’s almost impossible to change people’s
behaviour, it’s not too hard to fix the system so that only one to four
passwords are actually needed. For example, you could get people to sign on to
a single service, and then ask other online services to consult that before
letting you in. That way, you can safely use one password for 20 different
accounts, because 19 of them don’t know what the password is. This article goes
on to review and discuss current global IDM initiatives. [Source]
The County Court’s landmark declaration that
Australians have a right to sue for breaches of privacy could threaten free
speech and the media’s ability to expose important secrets, media lawyers say.
Last week Judge Felicity Hampel became the first Victorian judge to find that a
right to privacy exists, ordering the ABC to pay $234,190 to a sexual assault
victim whose identity it had revealed, and provoking ripples of interest from
lawyers who pored over the case yesterday. The right, as formulated by Judge
Hampel, would allow plaintiffs to win damages if the media published personal
information that they were specifically prohibited from publishing and there
was no public interest justifying publication. [Source] [Rape payout creates privacy law]
Opposition is mounting against a controversial bill
that would see official records of births, deaths, marriages and registrations
locked away from public eyes – shifting this information out of reach of
researchers, historians, many genealogists and others. The government bill will
render this public information classified unless an applicant meets a series of
criteria that would satisfy the register’s gatekeeper - a state employee or
civil servant - that lawful access is permitted. Individuals will be able to
access their own records and records of immediate family members. Individuals
will be able to authorize any other person to access their records. Permission
for other “legitimate purposes” will be allowed such as for administering a
deceased person’s estate. The bill is titled: Births,
Deaths, Marriages and Relationships Registration Amendment Bill. [Source]
Harriet Pearson, CIPP, IBM’s Chief Privacy Officer
stresses in this CEOForum Magazine article that privacy and security must be
addressed as strategic issues from the top of the organization. A proactive
approach to privacy is what Pearson refers to as “privacy by design.” At IBM,
this means the company strives to “build privacy-enabling capability into
technology.” Pearson offers some practical steps for companies seeking to build
a privacy team. [Source]
The European Commission may have decided against
imposing new rules on radio frequency identification tags for now, but a top
official warned Monday that regulations are likely if future uses of the
technology don’t protect fundamental privacy rights. Gerald Santucci, head of
the European Commission unit whose domain includes RFID issues, said he feared
that rushing to place restrictions on industries hoping to use the technology
would choke its potentially valuable application in health care, business,
transportation and other realms. [Source] [Source] [EU’s Decision Not to Legislate RFID is Conditional]
The California legislature this month is expected to
vote on several bills that would regulate the use of RFID technology in
government documents. Similar legislation was approved by the body last year
only to be vetoed by Gov. Schwarzenegger in October. The 2006 bill’s sponsor, State Sen. Joe
Simitian, resubmitted the legislation in five separate bills submitted late
last year and early this year. Currently, the bills are working their way
through various legislative committees. Two of the bills will impose a
three-year moratorium on the use of the technology in California driver’s
licenses and in public school ID cards, while a third will create interim
privacy safeguards for any existing RFID-enabled government IDs, such as those
used by students in the state college system. A fourth bill would make it a
crime to “skim,” or surreptitiously read, data from an RFID document, and the
final bill would prohibit forced RFID chip implants in people. [Source]
Mikoh Corp., an Australian provider of tamper-proof seals and other
security solutions, has developed the Smart&Secure Retail Tag, an
RFID-enabled product-identification tag that the company says addresses
consumers’ concern that data encoded to tags attached to items they purchase
could be surreptitiously read by a third party. It addresses this concern by
allowing customers to decrease the read distance of a tag after purchasing the
item to which it is attached. If a customer returns or exchanges a product
bearing a Mikoh tag, the retailer could restore the Mikoh tag’s read range
before reintroducing it into its inventory. [Source] See also: [NYT: New Bar Codes on Everyday Objects Can ‘Talk’ With Your Cellphone]
The Internal Revenue Service has not corrected
numerous information security weaknesses that impair its ability to ensure the
confidentiality, integrity and availability of financial and sensitive
information. These problems constitute a major weakness in
the IRS’ internal controls over its financial and tax processing systems, the
Government Accountability Office said. The tax agency experiences gaps in
access controls related to user identification and authentication,
authorization, encryption, monitoring, and physical security. Data is at risk
from weaknesses in configuration management, segregation of duties, media
destruction and disposal, and personnel security controls. [Source] [Source] [Report: GAO-07-364, March 30] [Highlights] [Source] [Report]
See also: US – Information Security: Sustained Progress Needed to Strengthen Controls at the Securities and Exchange Commission. [GAO-07-256, March 27] [Highlights]
U.K. firms are at risk of data leakage through their
employees’ increasing use of Web 2.0 technologies and social networking
websites, security experts have warned. A survey of more than 1,000 office
workers found that 42% of those aged between 18 and 29 discussed work-related
issues on social networking sites and blogs. More than a quarter of young
workers spent three or more hours a week – during their office hours – surfing
blogs and websites such as YouTube and MySpace, the research, carried out by
polling firm YouGov for content security specialists Clearswift, found. Nearly
four in 10 admitted accessing such sites “several times a day”. [Source]
A six-year-old girl, accompanied by a reporter from
the BBC’s Inside Out television program, managed to attach a keystroke logging
device to an MP’s computer. The MP, Anne Milton, had agreed to leave her
computer unattended for one minute; the child was able to attach the keystroke
logger within 15 seconds. The girl was able to bring the device undetected into
the House of Commons. [Source]
[Source]
More than half of the 100 respondents to Websense’s
most recent annual opinion poll on data leakage and data ownership believe
their companies would not know if information had been willfully or
accidentally sent outside the company. Forty-six percent said they allowed
family and friends to use work-issued laptop computers and 21 percent admitted
they had tried to access protected files. Almost two-thirds of respondents said
they had sent confidential information to unsecure personal web-based email
accounts and just over half said they had tried to gain access to a co-worker’s
email account. The poll was conducted online using Survey Monkey. [Source]
Public hearings on the Access Card registration
process were cancelled in Sydney and in Brisbane due to “a lack of interest”.
Consumer and Privacy Taskforce chair Allan Fels said the Sydney hearing would
be rescheduled, probably later next week, while a private meeting would be held
with Electronic Frontiers Australia (EFA) representatives in Brisbane. Human
Services Minister Chris Ellison said he’d been advised that one-on-one
discussions would be held in light of the small number of people who wished to
participate. [Source]
See also: [Australia Canberra Sets Standard for Smartcards]
The federal Government will expand its $62 million
SmartGate automated border control program across Australia despite fears the
passport biometric photo-matching technology is flawed and will cause chaos at
airports. Legal obstacles to the SmartGate rollout were resolved last week when
an amendment bill was passed in the Senate with Labor support. But
parliamentary debate revisited an embarrassing list of technical and security
problems that have plagued the pilot since it began at Sydney Airport in 2002.
[Source]
State Duma deputies are to consider a bill that would
give police broader powers in wiretapping homes in Russia, the Novye Izvestia
newspaper reports. The bill sanctions wiretapping homes of people suspected or
accused of crimes as well as of those “who may possess information on crimes in
question”, says the bill. The list includes family and business partners of the
suspects or convicts as well as their former cellmates, according to the
drafter of the bill. These people tend to refuse to cooperate with
investigators, which makes it hard to get the information in any other way,
lawmakers note. [Source]
See also: [Switzerland - Wider Police Phone-tap/Surveillance Powers] [Australia Queensland Push For More Phone Tap Powers] and [Queensland’s Phone Tap Plan Illegal Say Feds] [W.Virginia AG Appeals Ruling on Warrantless Surveillance] [S.Africa - State snoopers want everyone’s SIM card info] [UK ISPs uneasy about data retention; New laws could conflict with Data Protection Act]
“Talking” CCTV cameras that tell off people dropping
litter or committing anti-social behaviour are to be extended to 20 areas
across England. They are already used in Middlesbrough where people seen
misbehaving can be told to stop via a loudspeaker, controlled by control centre
staff. About £500,000 will be spent adding speaker facilities to existing
cameras. Home Secretary John Reid said there would be some people, “in the
minority who will be more concerned about what they claim are civil liberties
intrusions”. [Source]
The Federal Communications Commission (FCC) has issued
new privacy rules that require telephone and wireless carriers to adopt new
safeguards to protect consumers’ telephone records from unauthorized
disclosure. The new safeguards prohibit carriers from releasing a consumer’s
records unless the customer has provided a password. Carriers must provide
mandatory password protection for online accounts. The rules also require
carriers to notify customers of account changes, such as changes to a password,
a back-up for forgotten passwords, an online account, or the address of record.
Carriers also are required to notify consumers and law enforcement when there
has been a breach of customer proprietary network information (CPNI). The new
rules also apply to providers of interconnected voice over Internet Protocol. [Source] [FCC
Report and Order and Further Notice of Proposed Rulemaking] [Prevention of
Fraudulent Access to Phone Records Act, H.R. 936] [EPIC’s Petition to the FCC]
[FCC Privacy
Rules May Block Cable Companies’ Sprint Venture]
The South Carolina Senate voted Tuesday to join the
growing number of states that are rejecting a federal call for a national
driver’s license. Complying with the federal Real ID Act of 2005 would cost the
state 25 million dollars to start, then eleven million a year. Under the bill
the Senate approved Tuesday, South Carolina would not participate in the
program until the federal government agreed to help pay for it and provide
privacy protections. [Source] [Montana
close to denying federal ID bill] [Oregon
Legislators are real doubtful of Real ID]
Historians have found documents that show the Census
Bureau turned over the names of Japanese-Americans after Japan’s Dec. 7, 1941,
attack on Pearl Harbor to the Justice Department, Secret Service and other
agencies. A spokeswoman for the agency said the release of the names was
legal then, but the law “is very different today.” [Source]
[ACLU, JACL and ADC
Alarmed that Census Violated Privacy in World War II, Urges Congress to Ensure
Similar Actions Are Not Happening Now]
Members of a House panel that oversees tax laws have
approved a bill that contains a provision that would allow the IRS to contact a
taxpayer when investigators find out that a person’s identity has been used to
commit ID theft. The IRS also would notify parents if their children’s
identities have been misused. The measure is intended to give consumers a
heads-up that their identities may have been compromised, giving them the opportunity
to take action sooner. The bill’s second provision would provide for penalties
for anyone who sends fraudulent phishing emails or puts up a Web site that
appears to have connections to the IRS or Treasury Department. [Source]
Lawmakers are no longer considering a proposal that
would have allowed a state department to create a database of millions of
Coloradans’ names, SSNs, employers and health coverage information. Health
plans and some lawmakers called it a huge invasion of privacy. The Colorado
Department of Health Care Policy and Environment said it was the best way to
ensure millions of taxpayer dollars aren’t being misused in the Medicaid
program. [Source]
Personal Computer at Work Does Not Guarantee
Reasonable Expectation of Privacy: A former city employee who used his own
laptop at work was sentenced to more than six years in federal prison after a
police officer who searched the computer found child pornography. The employee
had argued that he had an expectation of privacy when he used his own computer
at city hall. However, the 10th Circuit Court of Appeals ruled that despite the
employee’s claim that he intended that his laptop remain private, he took no
steps to achieve any degree of privacy, such as use of a password. [Source]
The European Court of Human Rights has ruled in favor
of a woman who claimed that her human rights were violated when the publicly
funded Welsh college she worked for monitored her email, phone and Internet
use. The court ordered the UK government to pay damages and legal costs. The
court ruled that the monitoring was not “in accordance with the law.” A
privacy specialist with law firm Pinsent Masons said the ruling is significant
because it “reinforces the need for a statutory basis for any interference with
respect to private use of a telecommunications system by an employee.” [Source]
A fired Wal-Mart security worker confirmed a newspaper
interview yesterday in which he said he was part of a large surveillance
operation that spied on company workers, critics, vendors, and consultants.
Wal-Mart defended its security practices and declined to comment on specific
allegations made by the former security technician. [Source] [Wal-Mart’s surveillance
activities under the microscope] [Wal-Mart denies
large-scale spying effort]
--------