Privacy News Highlights
07–14 December 2007
Contents:
US – DHS Now Collecting 10 Fingerprints From Foreign Travelers
CA – N.B. Health Minister Fends Off Resignation Calls Over Missing Patient Files
CA – Adoption Legislation Would Allow Parents, Adopted Children Veto Power
US – Acxiom Brings Consumer Profiles to the Internet
UK – Britons Feel Private Data at Risk
UK – Information Commissioner: PIAs Needed to Restore Public Confidence
UK – Consultation on Use of Personal Information Under Way
EU – Irish Privacy Complaints Spike in 2007
WW – Engaged Citizens Key to Government Success, Says EIU Survey
WW – Research: Sensitive Consumer Data Widespread in Application Testing
US – Data Breach Prompts Ohio to Encrypt
US – Records Compromised In Breaches More Than Triples In 2007
CA – Rogers Accused of Hijacking Other Web Pages
AU – Australian Privacy Commissioner: Be Wary Of New Anti-Money Laundering Laws
US – Vital Government Information “Hiding in Plain Sight”
CA – FIPA Holds First Annual Whistleblower Awards
CA – B.C. Commissioner Investigating Health Ministry’s Loss of Computer Tapes
US – New York: Punitive Damages Ruled OK For Patient Privacy Breach
US – Federal Panel Recommends New Protections for Personal Health Data
EU – Privacy Storm Descends on Dutch Health Care Database
US – Tricare Europe Customers Notified of Data Security Breach
US – Lab Says ‘Sophisticated Cyber Attack’ Netted Personal Data
US – Stolen Laptop Contained Blood Donor Data
EU – Irish Bank Customer Data on Stolen Laptop
EU – Data on Northern Ireland Motorists Missing
UK – DVLA Sends Confidential Documents to Wrong Drivers
UK – Thieves Steal Data Center Equipment
CA – New Alberta Birth Certificate Designed to Thwart Identity Theft
WW – Unisys Security Survey: ID Theft Still Chief Among Concerns in Asia
US – DOJ Awards ID Theft Grants
UK – More Debate Needed About Plan to Launch National ID Cards: Report
CA – New Canadian Copyright Law Starts Web Storm
US – Google’s Street View Launches In Boston
UK – Report Looks At Web Sites Popular With Children
UK – UK Chiefs: Not Enough Cybercrime Prosecutions
WW – Ask.com to Allow Purge of Searches
NZ – Privacy Commissioner Questions Quality of Data-Matching Program
BA – Minister Urges Bahamians to Use Newly Launched Data Protection Web Site
US – U.S. Court: Taking Computer in for Servicing Waives Expectation of Privacy
US – FERPA Allows Universities to Notify Parents of Student Drug, Alcohol Abuse
MY – Malaysia to Introduce RFID Chip-Based Visa
WW – What’s NOT Going to Happen in 2008: Research Report
WW – Authorities Hit Back at e-Passport Critics
US – Survey: Employees Don’t Give a Damn About Security Policies
WW – Security Firm Predicts 2008 Will Be the Year of the iPhone Attacks
CA – Children Demand Lunch-Bag Checks
AU – New Australian Labor Government Swift to Dump Access Card
CA – Ontario to Unveil New Secure Driver’s Licence
US – Arizona’s High-Tech Driver’s License Debate Gets Heated
EU – Scotland Extends E-Tagging For Youngsters
CH – IBM Surveillance Will Watch over Beijing Olympics
WW – Santa Putting Children’s Information at Risk, Warn Experts
US – House Approves Permanent Status for Do-Not-Call List
US – “Fusion Centers” Must Be Open, Carefully Monitored, Subject to Restraints: ACLU
US – Maryland Credit Freeze Law Takes Effect Next Month
US – CDT Urges Senate to Exercise Caution About Online Safety
CA – Canadians Say No to Employee E-Mail Monitoring
CA – Angry Vancouver Dockworkers Force Background-Checks Delay
The Department of Homeland Security is now collecting scans of all 10 fingerprints from foreign travelers entering the U.S. at Dulles International Airport, and plans to extend the program to all international airports in the country by the end of next year. The US-VISIT program had previously used only two fingerprints. The 10-print system gives the U.S. the ability to compare fingerprints of travelers with criminal and terrorist databases compiled by the FBI, the Defense Department and others. [Source] [Remarks by Homeland Security Secretary Michael Chertoff on the Beginning of 10 Fingerprint Collection at U.S. Airports: News Release From DHS]
Opposition politicians in New Brunswick are demanding the health minister’s resignation following the revelation that hundreds of confidential medical files vanished about two months ago. Health Minister Mike Murphy was the target of tough questions in the legislature this week as he responded to complaints that his department failed to maintain proper security for sensitive data. Billing and treatment information for 485 New Brunswickers and 133 British Columbians was lost in transit in early October when computer tape cartridges containing the information were sent by courier to Richmond, B.C. [Source]
Amended legislation would prevent some adopted people in Ontario from getting access to basic information about their health history, according to advocates for adoptees. The revised legislation would allow parents and adopted children to have veto power over the release of personal data, according to this Canadian Press article. Adoption laws in BC, Alberta and Newfoundland already include a disclosure veto. The amended bill most likely will not be debated until March, according to the article. [Source]
Privacy advocates are concerned about a new practice in which users’ online and offline activities are being blended for a powerful profile that advertisers can tap to target them with specific ads. Acxiom’s new online program, known as Relevance-X, will match users who give information online to the company’s partners with its offline records. The user’s computer will then be tagged with a cookie that identifies a life stage that indicates what advertising to show based on the type of site the user is visiting. Jennifer Barrett, Acxiom’s Global Privacy Officer, said the program will allow consumers to receive advertising content relevant to them. Barrett said the program has built-in privacy protections and offers an opt out on its Web site or by calling a toll-free number. [Source]
Some 60% of British people feel their personal information is at risk, according to research from security firm Symantec. The survey of 1,000 people showed that government and the private sector are of equal concern. “People don’t believe government departments keep data in a safe and secure manner... but consumers don’t believe that corporations take greater measures than government.” The study also found that half of respondents were afraid of becoming a victim of identity theft or online fraud. No surprise then, that 46% of those polled said they would like to see tighter legislation in place, especially when it comes to disclosure of data breaches. [Source]
The Information Commissioner’s Office (ICO) is recommending that firms undertake Privacy Impact Assessments (PIAs) to restore public confidence. ICO Deputy Commissioner David Smith said before the introduction of new systems and technologies, “full consideration” should be “given to the impact on individuals and that safeguards are in place to minimize intrusions.” The ICO launched a new PIA tool at the conference. Researchers at Loughborough University developed the PIA software for the ICO. [An International Study of PIA Law, Policies and Practices] (there are 9 appendices, of which 5 are country reports) [PIA Handbook] [ICO Calls on Organizations to Implement New Privacy Safeguards] See also: [Understanding the ICO’s Recent Guidance On What Constitutes Personal Data]
Information Commissioner Richard Thomas has launched a consultation into how the private and public sectors use personal information. The consultation is part of an independent review ordered in October by Prime Minister Gordon Brown. The review also will assess whether existing data protection legislation is adequate to protect personal data. The results of the effort are expected during the first half of next year. [Source] See also: [New Law Would Require CEO to Certify Data Protection Safeguards]
By the end of this year, complaints to the Irish Data Protection Commissioner could exceed 1,000. Assistant Commissioner Tony Delaney emphasized that while some complaints may not be legitimate, the increase in complaints indicates an increased awareness about the importance of data protection. Many of the complaints relate to text messages and unsolicited commercial communications. There were 658 complaints in 2006, and 300 in 2005. The Data Protection Commissioner also is unveiling a new training program for data protection practitioners to encourage data protection compliance. [Source]
Many government managers believe citizen engagement is important to ensure the success of their agency, yet only a fraction of them attest that their constituents are deeply engaged. This was one of the findings of a recent survey by the Economist Intelligence Unit (EIU) entitled, The Engaged Constituent: Meeting the challenge of engagement in the public sector. The survey probed 376 government and public sector executives from different parts of the world, including those from national, regional and local governments. According to the EIU report, public sector agencies worldwide are seeing advances in information technology as a vehicle for getting closer to constituents. Unlike the private sector, however, government managers believe citizen engagement will lead to better transparency and accountability, faster processing times and increased service uptake. When asked what barriers were preventing them from attaining greater engagement with the citizenry, 50% of government managers surveyed cited the difficulty in measuring engagement, followed by lack of financial resources with 47%. [Source]
A survey released this week by the Ponemon Institute showed an overwhelming majority of organizations surveyed risk compromising critical information by using actual customer data for the development and testing of applications. The Insecurity of Test Data: The Unseen Crisis report found that 62% of companies surveyed use actual customer data instead of disguised data to test applications during the development process. Of those companies using actual customer data, 89% use customer files and 74% use customer lists. Examples of the live data often used include employee records, vendor records, customer account numbers, credit card numbers, SSNs and other credit, debit or payment information. While organizations may think that test data is immune from privacy threats because testing occurs in a non-production environment, these environments are less secure than production environments. Testing data may be exposed to a variety of unauthorized sources including in-house testing staff, consultants, partners and offshore personnel. In fact, 52% of respondents outsourced their application testing, and 49% of those respondents shared live data with the outsourced organization. The report found that half of the companies using actual customer data for testing purposes do not take steps to protect that information. Other significant findings included:
· 50% of respondents have no way of knowing if the data used in testing had been compromised.
· 41% of respondents reported they do not protect live data used in software development.
· 38% of respondents were unsure if live data their organization used for testing or development had been lost or stolen.
· 26% of respondents said they did not know who was responsible for securing test data, 26% believed the development organization was responsible and 21% said the testing organization was responsible, suggesting no clear ownership for sensitive test data. [Source]
[The Insecurity of Test Data: The Unseen Crisis]
Still reeling from a massive data breach caused by a stolen backup tape, the state of Ohio is planning to provide government agencies and schools with access to encryption software in 2008 to help protect sensitive data. State officials announced late last week that they have agreed to purchase about 60,000 licenses of McAfee Inc.’s SafeBoot encryption software. The state will begin rolling out SafeBoot’s policy-based encryption technology to government offices beginning early next year, according to the Ohio Department of Administrative Services (DAS). Terms of the deal were not disclosed. [Source] See also: [Data Encryption Fuelled By Data Breaches, Regulations]
European Commission (EC) Vice President Franco Frattini has announced that the EC favors offering funding increases for the development of Privacy Enhancing Technologies (PETs). Frattini said that the commission “will encourage consumers to use PETs through awareness-raising campaigns.” The EC also will use money for data protection and privacy projects. Frattini added that the EC would support studies on the technologies’ economic benefits and establishing standards for the use of PETs. The EC also would devote resources to promote the developments of PETs through large pilot demonstrations. [Source] [ICT Work Programme]
An analysis of security breaches in 2007 reveals that more than 162 million records have been reported lost or stolen in 2007. That number is triple the amount of records jeopardized in 2006 breaches. The USA Today article looked at statistics compiled by tech security Web site Attrition.org. The site logged more than 300 cases this year. [Source]
Rogers Communications is drawing fire for what critics are calling the company’s violation of net neutrality principles. Technology consultant and internet activist Lauren Weinstein wrote on his blog last weekend that Rogers had spliced into and “hijacked” customers’ web traffic. He included a screen capture showing content from the company inserted onto Google’s home page. The screen grab, forwarded to Weinstein by a “concerned customer,” shows a branded Rogers-Yahoo customer service message at the top of the Google page warning the customer that they are near their download limit. Weinstein said the warning was evidence that internet service providers are spying on customers and modifying how they are using their service. A Rogers spokeswoman confirmed that the company is experimenting with the technique as a customer notification system. Internet chat groups were abuzz with angry customers. One user posted on the Net Neutrality Squad board that Rogers was running afoul of the Telecommunications Act, which states that “a Canadian carrier shall not control the content or influence the meaning or purpose of telecommunications carried by it for the public.” [Source] [Source] [Source] See also: [ISPs Spying On and Modifying Web Traffic -- With Patent Application]
Privacy commissioner Karen Curtis has urged businesses to consider the privacy of consumers when collecting personal information under the Anti-Money Laundering/Counter-Terrorism Financing Act 2006 (AML/CTF), amendments which came into effect this week. The AML/CTF Act requires businesses in the financial, bullion and gambling sectors such as banks, casinos and TABs to implement an anti-money laundering/counter-terrorism financing program which will be upheld by the Australian Transaction Reports Analysis Centre (AUSTRAC). However, privacy commissioner Karen Curtis fears businesses may invade the privacy of ordinary citizens: “Businesses … should be careful not to over-collect, as this may breach their customers’ privacy rights. Most importantly, businesses should adopt a sound risk-based approach to ensure that all information collected for AML/CTF Act reporting obligations is strictly necessary, and they should not try to apply an ‘arbitrary standard’ to their collection processes.” [Source] See also: [New laws bring small business into spying business] See also: [Canadian Banks Struggle With Data Management as Customer Touch Points Increase]
CDT and OMB Watch have jointly released “Hiding in Plain Sight,” a report highlighting a critical gap in online access to vital government information. The report, presented to a Senate panel this week, exposes a simple technological roadblock as the culprit and notes the problem has an equally simple technological fix. The problem comes to light as the E-Government Act of 2002, which promotes access to government information and services, is up for reauthorization. [Hiding in Plain Sight [PDF], December 11, 2007] [Testimony -- Ari Schwartz [PDF], December 11, 2007] [Press Release -- Hiding in Plain Sight Report, December 11, 2007]
The Freedom of Information and Privacy Association (FIPA) and the Campaign for Open Government held the first annual 2007 Whistleblower Award Ceremony on December 11, 2007. The Award was presented to Gordon McAdams, a former government ecologist with the Ministry of Water, Air and Land Protection. After working for 34 years in the Ministry, Gord filed an affidavit in the Supreme Court of British Columbia to stop a Minister-approved road from being built through Grohman Narrows Provincial Park. The road was to be constructed through an endangered painted-turtle habitat, and Gord brought to the Supreme Court government documents proving the negative impacts the road would have on the painted turtles. As a result, Gord McAdams was fired hours before he retired, causing him great financial loss. The Supreme Court ruled that the Minister responsible, Minister Barisoff, had made “an unauthorized exercise of his statutory power” and the road was cancelled. Mr. McAdams was later able to settle out of court with the government for wrongful dismissal. [Source] [Source]
Information and Privacy Commissioner David Loukidelis has announced that his office is investigating the B.C. Ministry of Health over a breach of privacy involving the loss of unencrypted magnetic tapes containing the personal information of over 100 B.C. residents. The tapes were apparently shipped from New Brunswick’s health department under an agreement for reimbursement of expenses incurred by the New Brunswick government for health services provided to B.C. residents visiting New Brunswick. The tapes never arrived at B.C. Ministry of Health. It is not clear to the Commissioner’s office when the tapes went missing. The Commissioner was notified only this week of the situation and immediately opened a file. “I am appalled that health information is being transmitted in such an insecure way,” the Commissioner stated. “Even if the tapes require proprietary hardware and software to read them, this puts the privacy of British Columbians at risk.” [Source]
A New York appeals court ruling affirms that patients’ privacy rights are paramount and makes it clear that the stakes for violating confidentiality could be high. In a 3-2 decision, the Supreme Court of New York, the state’s appellate level, allowed a patient to recover punitive damages from a surgical clinic for a privacy breach. The patient had an abortion at a Long Island Center in 1999 and verbally instructed the staff to contact her on her cell phone because she did not want her parents to know about it, court records show. But after the procedure, a nurse called the patient’s home to check on her and spoke with her mother. The nurse didn’t mention the abortion but shared enough information for the mother to surmise what occurred. Judges acknowledged that the breach didn’t appear intentional but found enough evidence that the facility’s conduct could be considered grossly negligent -- a standard sufficient to warrant punitive damages. “There was no justification whatsoever offered for the remarkably casual way in which the center handled the plaintiff’s sensitive medical information, and the need to deter other medical providers from engaging in similar conduct could hardly be clearer,” the Sept. 25 opinion states. “As a result, when a state-licensed entity breaches that right – and especially when it does so in connection with a particularly sensitive medical procedure – more may be involved than simply a private wrong,” the majority wrote. [Source]
The U.S. National Committee on Vital and Health Statistics, the nation’s top advisory board to the federal government on healthcare privacy, is recommending an overhaul in current laws and rules to bolster protections for personal health information. The committee is recommending a new framework for the protection of health data. Specifically, it is suggesting an approach that would enhance “protections for all uses of health data by all users, independent of whether an organization is covered under HIPAA.” The panel is seeking an expansion in the type of organizations that would be subject to privacy and security regulations and laws. [Source] [Influential Federal Privacy Committee Proposes Massive Changes in HIPAA’s Protections for Personal Health Information]
The Dutch Data Protection Authority is investigating claims that a medical database set up by health insurance companies reveals details about nearly every Dutch citizen. Birth dates, social security numbers, health insurance information, and addresses of Dutch celebrities, MPs, and even well-known criminals can be easily traced by doctors, dentists, or suppliers of health care aids who use the database. The Vecozo medical database is used by health care workers to make payments easier and to check Dutch medical insurance data. At least 80,000 people are able to search the database. Vecozo, which is secured with a password and a certificate, stresses that no phone numbers can be found in the database. Celebs are able to change their personal information, so they cannot be traced under their own name. Anyone that abuses the database will be punished, Vecozo warned this week, but computer security expert Bart Jacobs of Radboud University Nijmegen and TU Eindhoven told Trouw there is simply too much information in the database. “You don’t need all that data in order to verify certain procedures,” he said. [Source]
Approximately 4,700 households that submitted health insurance claims through the Tricare Europe office are being notified that their personally identifiable data, including SSNs, names, dates of birth, and medical diagnoses associated with the claims were possibly compromised. The breach affects claims made since 2004; many of those affected no longer live in Europe. [Source] [Source] [Source]
The Oak Ridge National Laboratory revealed this week that a “sophisticated cyber attack” over the last few weeks might have allowed personal information about thousands of lab visitors to be stolen. The assault appeared to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country. [Source]
A laptop stolen during a recent blood drive contained sensitive information on 268,000 Minnesota-region blood donors. The laptop was in a briefcase that was stolen just before 7 a.m. Nov. 28 as workers were setting up a blood drive. [Washington Post]
A laptop computer stolen from a Citizens Advice Bureau employee’s car in Ireland contains personally identifiable information belonging to as many as 60,000 individuals. The data include bank account numbers, National Insurance numbers, names, addresses and dates of birth of people who contacted CAB for advice; the data were encrypted. The chief executive of Ireland CAB has apologized to affected customers. The data pertain to people from the Belfast area and go back four or five years. [Source]
Two unencrypted computer discs containing the names and addresses of 7,685 Northern Ireland motorists are missing. The discs disappeared after they were sent from two motor vehicle agency offices after several vehicle manufacturers requested contact information for drivers. The vehicle manufacturers were attempting to notify drivers about potential problems with their cars. The agency has informed the affected motorists and has set up a hotline. [Source]
The UK Driver & Vehicle Licensing Agency sent about 100 questionnaires containing birth dates and motor vehicle driving records to the wrong people. 1,215 questionnaires were sent to drivers. The agency is contacting all of the questionnaire recipients about the error. Agency officials are flagging all of the affected records in the system to prevent any fraudulent activity, according to the article. [Source]
Thieves dressed as police told employees at a Verizon data center in Kings Cross in London that they were looking into reports of people on the roof of the building. The thieves then tied up the employees and stole computer hardware from the facility. The data center is used by a number of financial institutions. [Source] [Source] [Source]
A new birth certificate too big to carry in a wallet is designed to protect Albertans from fraud and identity theft, touted provincial officials. This week, the province unveiled the new “high-security” document that is embedded with 24 security features already found in Alberta driver’s licences and Canadian passports. It is not mandatory to get a new one, but the province is encouraging people to do so and destroy their old certificate or store it in a secure place such as a safety deposit box. [Source]
83% of respondents in the fourth edition of the Unisys Security Index said they remain worried about identity theft. The company polled nearly 900 people between the ages of 18 and 64 in Singapore about their views on security threats. Scott Whyman, Asia South Vice President and General Manager at Unisys, said the chief concerns of those polled in the past few surveys this year have consistently been “identity theft and credit/debit card fraud.” [Source]
The U.S. Department of Justice (DOJ) has announced $1.7 million in grants aimed at helping victims of ID theft and fraud. The grants were awarded to national, regional, state and local service groups that assist ID theft victims. An official quoted in a news release announcing the grants said that the “financial toll exacted by identity theft can be as devastating and emotionally traumatic as violent crime.” The awards will expand existing services and strengthen law enforcement’s response to victims of identity theft and financial fraud nationwide, according to the DOJ news release. [Source]
Demos, a think tank, has released a report that calls for “serious renewed debate” about the government’s plan to launch a new ID card system. The report, The New Politics of Personal Information, says that the current plan has not been vetted properly. More consideration is needed to determine what information the cards should hold and how they would be used. The report estimates that the average British adult has personal information and details stored in 700 databases. [Source] [Report]
The Canadian government is expected to release the latest version of a new copyright law this week, but it has already whipped up a storm of negative publicity on the Internet – a blogosphere and Facebook tsunami with Industry Minister Jim Prentice at the center. The Facebook group has more than 12,000 members after just one week, and helped to generate a small but opinionated crowd of vocal critics who gathered at an open house event held by the Industry Minister in his home riding in Calgary last weekend. [Source] See also: [Ten Questions For The Canadian Industry Minister] UPDATE: [Canadian Gov’t Retreats On Copyright Reform]
Internet users will be able to see street images of Boston and surrounding communities on Google Maps. Privacy advocates have expressed concerns about the service, which already is up and running in 15 other cities across the U.S. The Product Manager for Google Maps said that the company takes “privacy concerns seriously.” But he added that the “images are taken on public streets” and are “exactly what you could see walking down the street.” The Boston launch is part of a debut in 8 other U.S. cities. [Source]
The National Consumer Council has released a report that found nearly all of the 40 most popular Web sites visited by children between the ages of seven and 16 “bombard” them with advertising and employ information-gathering tactics that may violate data protection rules. Researchers determined that the majority of the sites are seeking some personal information from users. Privacy policies were written in such a way that children would be unlikely to understand them, according to the report. [Source] See also: [Texas AG Sues Two Web Sites For Alleged COPPA Violations]
Members of the Corporate IT Forum are pressuring the Home Office to organize a specialized group of investigators to deal with high-tech crime rings. The Home Office said that it has devoted funds to facilitate the reporting of cybercrimes. But critics say that since the disbanding of the national High Tech Crime Unit in 2006, victims are forced to report crimes to local police departments that lack the expertise to investigate the cases. [Source]
Ask.com is unveiling a new privacy control known as AskEraser, which kills users’ search requests from the search engine’s systems within a few hours. The Oakland-based search engine pledged five months ago to offer users more privacy at a time when search engines were facing increasing scrutiny about data retention policies. Doug Leeds, the company’s Senior VP of Product Management, said “this level of control is unprecedented and unmatched.” [Source] [Google Keeps What Ask.com Erases]
Privacy Commissioner Marie Shroff has detailed in her annual report three incidents in which a new government data-matching program has led police to intercept the wrong people at airports in an effort to collect overdue fines. Shroff said that the incidents “raised concerns about the quality of the matching results being acted upon and the impact on innocent travelers who have to prove their identity to the police.” [Source]
Minister of State for Finance Zhivargo Laing has unveiled a new Web site for the Office of the Data Protection Commissioner. The Data Processing Act of 2003 took effect April 27, 2007. The law aims to “protect the privacy of individuals in relation to personal data and to regulate the collection, processing, keeping, use and disclosure of certain information relating to individuals,” according to this article in The Bahama Journal. Laing said the Web site will provide the Bahamian public with “access to information about the supervision and regulations of the Data Protection Act.” He added that the Web site will provide the commission with “an effective medium to keep the public informed as it relates to government policy and the development of international standards for the use and disclosure of personal information.” [Source] [ www.bahamas.gov.bs/dataprotection ]
Trial court erred in finding that defendant did not waive his expectation of privacy in the child porn on the video files on his computer when he took it to Circuit City for installation of a new DVD drive. Installers always check to see if the video files will load after installation, and that was how it was discovered. Commonwealth v. Sodomsky, 2007 PA Super 369, 2007 Pa. Super. LEXIS 4113 (Dec 5, 2007). [Source]
Colleges and universities are taking advantage of a provision added in 1998 to the Family Educational Rights and Privacy Act (FERPA) of 1974 that allows schools to contact parents if a student under 21 is accused of an alcohol or drug violation. Despite the reluctance of many colleges and universities to notify parents of students’ conduct or behavior on campus for fear of violating the law, many campuses are carefully examining options in the wake of the Virginia Tech massacre. In addition, many colleges and universities are taking the proactive stance in response to new reports about excessive student drinking on campus. Their new approach also is bolstered by the U.S. Department of Education, which has issued new guidance on FERPA to assist administrators seeking clarifications since the VT student killed 32 people on campus and then committed suicide. [Source]
The Malaysian Immigration Department is planning to introduce RFID chips in visas issued to foreign nationals. The new visa would enable the authorities to locate and monitor the movement of foreigners who had overstayed. It would also make it easy for the authorities to verify the authenticity of visas, he said. [Source]
ABI Research has published its annual What ISN’T Going to Happen in 2008, which includes a section on RFID in which the research firm predicts that 2008 will not bring serious market acceleration. Said the authors: “When I look at the way the RFID market is shaping up, what I see is the continuation of a lot of pilot activity. Closed loop asset management applications have been growing and will continue to plod along. But when you talk about the kind of high volume applications in the retail supply chain that everyone has been waiting for, that isn’t going to happen in 2008. RFID continues to make steady headway into the supply chains in a number of verticals. But while a number of leading European retailers, including Metro and Marks & Spencer have made headway, too few companies have jumped on the bandwagon in the US. There have been three barriers to adoption:
§ A lack of education: “People just don’t understand the technology, what it can do and what it costs.”
§ A lack of mandates: “Customer compliance drives adoption. But for every three steps forward Wal-Mart took, they took two steps backwards. They don’t even call it a mandate any longer.”
§ A lack of ROI: Show me the money could be the mantra for RFID. While some experts have talked about privacy concerns impeding the deployment of RFID at the item-level, the reality is that as of yet, there’s no return on investment. “RFID isn’t getting very close to item-level tagging yet.”
While many are looking to California’s ePedigree requirements to drive the adoption of RFID in 2009, “I don’t see it happening. A lot of companies are going to meet those requirements with bar codes and 2D bar codes,” he says. [Source] [Source] [Report]
The International Civil Aviation Organization, which set the standards for new electronic passports with embedded RFID chips, is responding to what it calls “fantastical” and “baseless” claims that security researchers and privacy groups have made about the security of the documents that travelers in the U.S. and other countries are now being issued. [Source]
A startling number of technology professionals often knowingly ignore security policies or break them because they are unaware of them, according to a survey of more than 890 IT professionals by the Ponemon Institute. The survey findings show that it is not just cost cutting or poor understanding of security policies by low-grade workers that threatens organisations’ data. “The key takeaway is that information security policies are not being read, or - if they are being read - are not being understood, or if understood, people may not be following it,” said Larry Ponemon. [Source]
Cybercriminals will focus their efforts on hacking into the popular iPhone, according to security company Arbor Networks. The firm predicts that the assaults are likely to take place as the result of malware embedded secretly into images or other media that does damage on the iPhone’s Web browser. The firm said 2007 was characterized by the “browser exploit, the data breach, spyware and the storm worm.” [Source]
A group of Toronto-area children are asking the Ontario Human Rights Commission to force their school to launch mandatory lunch-bag inspections to screen out foods to which they have severe allergies, a case which could make all Ontario schools do the same. The six children, ranging in age from 6 to 11, allege that the local school board discriminated against them when it shut down a voluntary lunch screening program at St. Stephen’s Catholic Elementary School in Woodbridge, Ont., aimed at keeping peanuts, egg products or other potentially allergy-inducing foods off school grounds entirely. [Source]
The Labor Government has moved quickly to scrap the Howard administration’s controversial $1.1 billion Human Services identity card. The federal Government has shut down the Office of the Access Card and closed its website, honouring its election promise to scrap the controversial program. The project has languished since mid-year, after an all-party Senate committee rejected the draft enabling legislation as wholly inadequate and lacking in protections against the card’s use as a de facto identity card. [Source] See also: [Is the Access card dead or changing its identity?]
Ontario will unveil new, more secure driver’s licences to help prevent identity theft, and to serve as the base for a possible passport alternative. The new licences will include at least six new security features, and will be given to every driver in the province when they renew their licences. A government source says the new licence will be more difficult to tamper with, to counterfeit and to use for identity theft. The province also hopes to use it as a passport alternative in about a year, but first has to strike a deal with the federal government to access citizenship data. Once that’s done, drivers will have the choice of having their citizenship data added to the new licence so they can use it as an alternative to a passport to enter the U.S. [Source]
A group of Republican lawmakers and the head of the state’s ACLU vowed this week to kill a plan by Gov. Janet Napolitano to create a “technologically enhanced” state driver’s license. Sen. Karen Johnson, R-Mesa, the leading foe, said the deal Napolitano inked with the U.S. Department of Homeland Security is a step toward totalitarianism. “This isn’t Nazi Germany,” the senator said. “And I oppose requiring people to carry tracking devices in their pockets,” she continued, referring to the fact these licenses will have RFID computer chips. At this point Johnson and her allies may have the upper hand: Napolitano admitted she can’t fulfill her agreement with Homeland Security Secretary Michael Chertoff unless the Legislature gives the state Department of Motor Vehicles permission to actually create a new license. The state Senate voted last year to bar Arizona from participating in the federal government’s Real ID program approved two years ago by Congress. The measure also was approved by two House committees but never got a final vote. [Source]
The Scottish Executive is to extend the electronic tagging of young people who are at risk of harming themselves and others, after piloting the scheme in seven areas. E-tagging, which involves electronically-monitored movement combined with “intensive support”, is available through Scotland’s Children’s Hearing system as part of an Intensive Support and Monitoring Service (ISMS), for children who are likely to abscond or cause harm. The Executive expects to publish an evaluation of this first phase within the next few weeks. [Source]
An IBM system will scan the streets of Beijing for troublemakers and terrorists during the summer Olympics to be held there next summer. The Smart Surveillance System, or S3, uses analytic tools to index digital video recordings and then issue real-time alerts when certain patterns are detected. It can be used to warn security guards when someone has entered a secure area or keep track of cars coming in and out of a parking lot. Beijing’s S3 network is already being rolled out and is expected to be operational by the time the Games begin in August 2008. IBM is also developing a similar surveillance system for lower Manhattan, but has not yet begun deploying that project. Just one year ago, the S3 system was little more than a research project at IBM’s T.J. Watson Research Center, but in the past year the company’s service group has been working hard to develop it into a profitable line of business, selling it to retail and banking customers such as Italy’s UniCredit bank. IBM is also integrating the S3 system into the city of Chicago’s existing surveillance infrastructure, as part of the city’s Operation Virtual Shield emergency response project. [Source] See also: [Eugene Volokh: The Dark Side of Privacy Law]
Santa Claus could be breaking privacy laws in his collection and use of data about British children, experts have warned. Yuletide cheer-bringer Claus could be putting the personal data of millions of children at risk. Data protection laws lay down strict conditions for the use of personal data and there is no evidence that Claus has an adequate compliance programme in place. Children across Britain who write letters to Claus with a list of gift requests are not told for how long that data is kept, or if it will be used for other purposes such as marketing by third parties. The Data Protection Act stipulates that data should not be kept for longer than necessary, which would mean 25th December, though Claus may argue that he needs to keep the letters for six years to use in any gift-related lawsuits. “There is a stream of questions Santa has yet to answer,” said William Malcolm, a data protection specialist at Pinsent Masons. “Is this information used for anything other than present giving? Information passes out of the EU, so does Santa check the letters for unambiguous, specific and informed consent to this overseas transfer?” “What about the naughty/nice database?” said Malcolm. “Are children given notice that behavioural data is being collected about them throughout the year? And does it qualify as covert monitoring, which would breach Article 8 of the European Convention on Human Rights?” People can make a subject access request of databases holding their personal information, but the database operator has 40 days in which to respond. Children are now too late, therefore, to find out before Christmas if they are on the naughty or nice section of the system. 
[Source] See also: [Santa’s hiring policies may discriminate - Santa Claus could be breaking a raft of employment laws designed to protect exploited and discriminated-against workers, according to one employment law expert] and also: [Reckless Santa could cause yuletide chaos, warn experts - Santa Claus has been accused of putting his life and the lives of others at risk through breaches of health and safety laws. Brandy-loving present-giver Claus behaves recklessly and in direct contravention of UK legislation, experts said]
The U.S. House voted this week to make permanent the program protecting people from telemarketer calls, relieving consumers from having to renew their participation in the wildly popular do-not-call registry. After Congress in 2003 created the do-not-call registry shielding millions of people from those dinnertime interruptions from telemarketers, the FTC wrote rules requiring consumers to re-register their phone numbers every five years. The new legislation eliminates that requirement by making the list permanent. [Source]
New institutions now emerging in American life – “fusion centers” – are raising many questions about privacy and government openness and must be carefully bounded and monitored to ensure that they remain a legitimate and effective law enforcement tool, according to a new report released today by the ACLU. Fusion centers vary widely, but generally are centers intended to improve the sharing of anti-terrorism intelligence among state, local and federal government agencies and the private sector. To date, over 40 of these centers have been established around the nation. The ACLU’s report, entitled “What’s Wrong With Fusion Centers?” identifies five specific problems with fusion centers:
§ Ambiguous Lines of Authority. Overlapping jurisdictions create the potential for manipulation of differing laws to evade accountability.
§ Private Sector Participation. Fusion centers are incorporating private corporations into the intelligence process, further threatening privacy.
§ Military Participation. Fusion centers are involving military personnel in law enforcement activities in troubling ways.
§ Data Mining. Federal fusion center guidelines encourage wholesale data collection and manipulation processes that threaten privacy.
§ Excessive Secrecy. Public oversight, individual redress and the very effectiveness of fusion centers are threatened by excessive secrecy.
The ACLU concludes its report with recommendations that Congress and state legislatures lift the cloak of secrecy that threatens to envelop fusion centers; impose checks and balances on them; define their mission, concentrating them on focused, effective law enforcement techniques rather than dragnets; and evaluate the ultimate effectiveness of these institutions. [Source] [Report]
Despite the decision by the three major credit bureaus to extend credit freezes to all consumers, Maryland’s new credit freeze law will still help consumers. The new state law limits the charge to obtain or lift a credit freeze to $5 – which is half the amount the credit bureaus charge residents in most other states. ID theft victims do not have to pay any fee. [Source]
This week the Senate Judiciary Committee will consider a number of online safety bills that pose significant risks for free speech and innovation on the Internet. No fewer than seven bills relating to online safety are in play in Congress this week; CDT today released an analysis of each. CDT supports S. 2344, which promotes online safety education, and H.R. 719, which focuses Internet restrictions on sex offenders who might pose risks to children online. CDT strongly opposes all or portions of five other bills now pending in the Senate. [Analysis--Free Speech Bills in Senate, December 10, 2007]
People want clearer workplace e-mail and Internet usage guidelines, according to a new poll from Monster.ca, but they could be split down employer/employee lines on whether e-mail and Internet monitoring in the workplace is such a great idea. The online poll asked whether employers should be allowed to monitor staff e-mail and Internet usage to support increased productivity. Respondents weren’t keen on active monitoring—57% rejected the idea of employee monitoring, but they did call out for clearer usage guidelines. [Source]
Ottawa has declared a two-month truce in a war over background checks for dockworkers that threatened to shut down Canada’s entire West Coast by next week. Transport Canada had given workers in restricted port areas, and managers and company representatives needing regular access to them, until Dec. 15 to obtain security clearances – or be refused work. About 1,100 management officials have applied. But some 2,300 unionized dockworkers refused to, branding the program a violation of the country’s Privacy Act, its Charter of Rights and its human-rights code. Yesterday, faced with a nervous shipping industry and Port of Vancouver officials scrambling to soothe industry worries around the world, Ottawa extended the deadline to Feb. 20, 2008, while a court challenge of the program is mounted and the federal labour board can issue its own rulings. The background checks are part of Canada’s proposal to comply with international maritime security regulations. While the prevalence of criminal groups in Canada’s ports has long been debated, the clearances are largely aimed at addressing international concerns about terrorism. Applications for a clearance require workers to supply personal information on themselves, their spouses and ex-spouses, and to agree that fingerprints and photos can be shared with Canadian police and intelligence services and with foreign governments. Dufresne said many dockworkers were born outside of Canada. Those from countries with politically troubled pasts faced challenges obtaining official records and would likely be out of work, he said. When West Coast dockworkers refused to apply, the B.C. Maritime Employers Association asked the federal labour board to rule the protest an illegal strike. No ruling has been made yet. Workers in Halifax and Montreal recently agreed, reluctantly, to apply for clearances but continue to support the West Coast challenge. [Source]
--------