Privacy News Highlights
19—26 January 2007
Contents:
US – NIST Publishes Biometric Data Specification for Personal Identity Verification
WW – Brain Activity Provides Novel Biometric Key.
US – NYC Unions Vow To Resist Efforts to Track City Workers With Biometrics
IN – Indian Government to Install Biometric ATMs At Village Kiosks
CA – CIPPIC Files Complaint in TJX Data Breach Case
CA – Yukon Privacy Commissioner Calls it Quits
CA – Domestic No-Fly List Strategy Casts Too Wide A Net, Critics Fear
US – Companies, Groups Address Global Civil Liberties Challenges
US – CIO Council’s Plan Details Milestones
US – N.Y. Issues ID Management Guides
WW – This E-Mail Will Self-Destruct After 10 Minutes
EU – European Commission Considers New Standards for Data Breach Notification
EU – New Group Calls for European Privacy Institute
UK – Security Experts Criticize Government Database Plans
US – More Banks Offer Free Help for Victims of Identity Theft
WW – OECD Workshop on Access to Public Sector Information and Content
CA – Ontario Ministry to Automate Information Management Processes
UK – Bill May Allow MPs to Escape FOI inquiries.
US – Washington State Bills Require DNA from ALL Crime Suspects
US – NJ High Court Upholds Constitutionality of DNA Testing For Felons
US – Federal Government Plans to Greatly Expand DNA Database
US – Massachusetts State Requires Name Reporting for HIV Testing
US – Law Restricting Access to Doctors’ Prescriptions Faces Federal Court Challenge
CA – Toronto Firm Offers Online Health Record Access For Patients, Doctors
US – TJX Retail Security Breach May Be Biggest in U.S.
IS – Israel’s Interior Ministry Wants Investigation into Data Leak
US – IRS Tapes Missing In Kansas City
US – Thieves Targeted Thrift Savings Plan Participants
US – Stolen Computer Holds Info of KB Homes Site Visitors
US – Information of Nationwide Insurance Customers Taken In Theft
US – Chicago Elections Board Misplaces CDs Containing Personal Information
US – WA State Utility Fined $1 Million For Selling Customer Info
WW – IBM Donates New Privacy Tool to Open Source
UK – ID Theft Nets £85,000 a Head, Says Study.
US – Cato Book: “Identity Crisis: How Identification Is Overused and Misunderstood”
US – Vermont Sec. of State Removes Links to Docs Containing SSNs
WW – Liberty Alliance Announces openLiberty Project
US – New Jersey Aims to Stop Misuse of Drivers License Data
CA – B.C. Privacy Commissioner to Rule on ID Scans In Bars
US – Montana Lawmakers Object to Federal ID cards
US – Washington State Bill Would Put Brakes on National ID Cards
US – First ID Theft Database Launched
WW – MySpace To Distribute Amber Alerts & Add Privacy Features
WW – Microsoft, Google to Work On Free Speech, Privacy Rights
WW – NSA, Microsoft Alliance Gives Rise to Privacy Fears
US – NJ Court Favors Privacy for Net Users
CA – Police and Victims’ Advocates: Limit Net Privacy
WW – Anti-Spyware Coalition Offers Best Practices, Conflict Resolution
WW – Australia Hosts APEC Privacy Framework Meetings
US – ACLU and CNSS Seek Records on Mail Surveillance
US – Subcommittee Will Examine Information Privacy, Security
US – CSIA Renews Call to Congress to Pass a National Data Security Law.
WW – RFID Tattoos: Great Idea for Livestock; Dumb Idea for Humans
AU – AMA, Privacy Task Force Concerned Over Australian Access Card
US – Details of ISP Snooping Yet To Be Determined
CA – Montreal City Plan To Add More Street Cameras Ignites New Debate On Privacy
US – U.S. Customs Tries to Minimize No-Fly Watch List Misidentifications
US – House Bill Would Expand Powers Of DHS Privacy Chief
US – Maine Legislature Rejects REAL ID Act
US – CDT Releases 2007 Legislative Agenda
US – Security Freeze Bills Introduced in Arkansas, Montana and Michigan
UK – Info Commissioner Backs “Danger” File Markers for Employees
NIST has announced the release
of NIST Special Publication 800-76-1, Biometric Data Specification for Personal
Identity Verification. This document is a revision of the earlier version of
February 2006. The changes include incorporation of the published errata
document and public comments, clarification on performance testing and
certification procedures, and caution regarding fingerprint minutiae
generation. Additional typographical fixes and aesthetic changes have been
incorporated in this document. [Source] [Source]
Researchers
at the Center for Research and Technology Hellas
in Greece plan to test a biometric system that is able to identify people
based on their brain activity this year as a security system for a laboratory
in Germany. Dimitrios Tzovaras and colleagues make use of
electroencephalography (EEG) to measure the electrical activity in the brain as
part of the authentication process, in which individuals wear a cap to
wirelessly communicate their uniquely identifiable brain data. The researchers
believe such an authentication system could serve as a building or computer
security system. Their work is part of a larger initiative in Europe, the Human
Monitoring and Authentication using Biodynamic Indicators and Behavioral
Analysis (HUMABIO) project, which is
integrating various biometric strategies to develop a more effective security
system. Although the approach has been found to have an accuracy rate of 88
percent, there is still some criticism that using the cumbersome and invasive
EEG cap is not practical. “Wearing a wired helmet with sensors on one’s scalp
might change the ambiance of the workplace somewhat,” says John Daugman, a
biometrics researcher at the University of Cambridge in the U.K. Another
Cambridge researcher, Olaf Hauk, questions its accuracy. “EEG varies greatly
depending on a person’s alertness, or mental operations,” says Hauk, a
neuroimaging specialist. [Source]
The
NYC administration is devoting more than $180 million toward state-of-the-art
technology to keep track of when city employees come and go, with one agency
requiring its workers to scan their hands each time they enter and leave the
workplace. The scanning, which began in August at one Department, has created
an uproar. At a City Council hearing this week, several unions vowed to resist
the growing use of biometrics. The unions called the use of biometrics
degrading, intrusive and unnecessary and said experimenting with the technology
could set the stage for wider use of biometrics to keep tabs on all elements of
the workday. [Source]
[New York City
Puts Millions Into High-Tech Worker Tracking]
The
Indian government is launching a pilot program to install biometric ATMs that
would use fingerprint scanners instead of ATM cards and PINs. Supporters say
increased use of biometric ATM cards across the country would prevent theft of
government funds intended for low-income workers that sometimes are siphoned
off by middle managers. Critics cite privacy issues, especially with
suggestions from law enforcement agencies eager to access the data to prevent
fraud and to track criminals by examining their fingerprint transactions.
Biometric ATMs are already in use in Colombia and a few locations in Japan, but
haven’t caught on in much of the rest of the world. As a result, biometrics
companies are watching the experiment closely as a potential watershed for the
industry. [Source]
The Canadian Internet Policy and Public Interest
Clinic has filed a formal complaint with the Canadian Privacy Commissioner,
requesting a formal investigation into the widely-reported security breach suffered
by the Winners group of companies, and affecting consumers who shop at any
Winners or HomeSense store in Canada. CIPPIC is concerned that
Winners/HomeSense may be collecting customer information that they don’t need,
storing it for longer than they need to, and sharing it with other companies
for secondary marketing purposes without the customers’ full and informed
consent. [Complaint]
[Privacy breaches
expose flaws in law] [Irate card users left in
dark; Security breach may have occurred 8 months ago, Winners’ U.S. parent says
] [FCAC
urging Credit Card Holders to be Vigilant and Careful] [Source] [Privacy
Proponents Push for Security Breach Notification Rule in Canada]
After 10 years as the Yukon’s
ombudsman, Hank Moorlag is stepping aside, saying it’s time to let someone else
take on the sometimes frustrating position. Moorlag is also stepping down from
his position as the Yukon’s information and privacy commissioner. “I think it’s
time to step aside and let somebody else see if they can make the gains that
I’ve been unable to make,” he said in an interview. For the last six years,
Moorlag has been trying to get the government to review the Access to
Information and Protection of Privacy Act, which he says has a number of
flaws. Moorlag’s last day is April 8. [Source]
Ottawa is contemplating
spending hundreds of millions of dollars to create a system that would allow
the RCMP and CSIS to determine who is barred from planes taking off and landing
within Canadian airspace. The federal government already screens international
flights, but hopes to lay the foundations of a domestic system starting this
year. While the government says its no-fly list will be tightly focused,
privacy groups fear the government is casting too wide a net. “Moving it to
domestic airlines is a huge expansion, from what normally is a border-control
issue,” said Mary O’Donoghue, senior counsel for the Privacy Commissioner of
Ontario. This month, her office released a series of
recommendations aimed at minimizing the state’s intrusion. Canadians should
pay attention, she said. “Are we going to set controls for movements within the
country? Flying has to be an everyday right and need,” O’Donoghue said. “It has
a huge impact . . . What you’re dealing with is a list. Once people are on
lists mistakes can be made.” “Look at the story about Mr. Arar,” she added. “He
can’t get off the [U.S.] list. And he doesn’t have any way to appeal.” There is
currently no timetable for introducing the program, as Ottawa is still
investigating its feasibility. One of the studies it has commissioned found
that the proposed screening system could cost between $95 million and $270
million. “The government will need to spend significant personnel resources to
both clean up the data and clear passengers who have been falsely identified
and allow them to continue travelling,” reads the IBM Global Services study,
recently released under Access to Information laws. [Source]
[Source]
[IPC Submissions
Regarding the Proposed Federal Identity Screening Regulations and the Interrelated
Passenger Protect Program] [IPC
Recommendations]
A broad group of companies,
investors, academics, and human rights groups have joined to address the free
expression and privacy challenges facing companies that do business
internationally. That process – which aims to produce a set of principles
guiding company behavior when faced with laws, regulations and policies that
interfere with the achievement of human rights – marks a new phase in efforts
that the groups began in 2006. [Source]
[CDT Press
Release]
The CIO Council has issued an
ambitious strategic plan for 2007 to 2009 outlining four major goals, 19
milestones and key performance indicators for every goal. A working group
developed the plan over the past five months to provide accountability and
performance metrics to the council’s activities. [Source]
The New York State Office for
Technology has issued a best practices guideline to help state agencies and
local governments manage employee and citizen access to online applications and
transactions. The NYS Trust Model establishes basic standards and processes
that will govern the way identity credentials are managed and is intended to
serve as a foundation for future identity and access management policies. The
guidelines, which were a collaborative effort by the NY CIO and the NY State
CIO Council, were issued to address the need for better information security.
The guidelines are part of a larger governance framework that is still evolving.
The governance model, when completed, will address such issues as compliance
review and dispute resolution. [Source]
A new free online service
offers disposable e-mail addresses that expire after 10 minutes. According to the
site: “By clicking on the link below, you will be given a temporary e-mail
address. Any e-mails sent to that address will show up automatically on the web
page. You can read them, click on links, and even reply to them. The e-mail
address will expire after 10 minutes. Why would you use this? Maybe you want to
sign up for a site which requires that you provide an e-mail address to send a
validation e-mail to. And maybe you don't want to give up your real e-mail
address and end up on a bunch of spam lists. This is nice and disposable. And
it's free. Enjoy!” [Source]
SEE ALSO: [Fake
Name Generator]
The European Commission is
considering adopting new rules for data breach notification that would require
companies to notify customers and regulators in the event of a security breach.
[Source]
An initiative has been
launched to lobby for a permanent European institute to foster a synthesis
between technology and privacy. The European Privacy Institute Initiative
already involves nearly 40 experts - mainly academics but also business
associates and an official from the European Commission. Driving the initiative
is a desire to examine how values like privacy and ethics can be integrated
into future product designs and technologies. The group points out that a
number of global companies, such as IBM, Microsoft and KPMG are conducting
research into privacy issues. In Europe, a number of EU-funded projects are
doing the same. These include PRIME (Privacy and Identity Management for
Europe), FIDIS (Future of Identity in the Information Society), and BITE
(Biometric Identification Technology Ethics). Universities around Europe are
also carrying out their own research projects. A permanent institute would be
in a position to raise awareness of the issues involved, and could be the motor
behind the establishment of centers of excellence to support both EU Member
States and industry, the initiative maintains. The institute should be
organised around a set of research themes addressing major challenges that are
too complex for individuals or small groups of researchers to tackle on their
own. An Executive Committee has been created to present the idea to the EU institutions.
The three Committee members represent a university, the director of a research
consortium and the CEO of the European Biometric Forum. A Scientific
Advisory Committee has been established to assist the Executive Committee. The
initiative quotes various officials from the European Commission as being in
favour of an institute. Jean-Claude Burgelman of the Joint Research Centre
(JRC) said: ‘The future of privacy and identity is a research topic (and policy
issue) at the heart of our interest and work here as it is a necessary step
towards facilitating widespread user adoption of the information society.’ [Source]
[Further Info]
Security experts are hugely
nervous about the U.K. government’s latest database plans, and have pointed out
numerous grave security concerns over two of its proposed schemes, one to store
people’s biometric and biographic information in a single large database, the
second being last week’s proposals to relax data-sharing laws that govern how
civil servants access and share citizens’ personal data. Security vendors see
problems common to both initiatives. Principal among them are the increased
opportunities for data theft, if more civil servants are accessing more data. [Source]
To stand out from the
competition and attract depositors, a number of community banks and credit
unions are joining insurers and a few major banks in offering customers free
identity theft recovery service. The service is aimed at helping victims close
compromised accounts, place fraud alerts and prevent additional damage. In the
past year, about 130 credit unions and community banks rolled out free identity
theft recovery services to their customers, according to Identity Theft 911,
which contracts with businesses providing the service to customers and
employees. [Source]
See also [Australian
Banks Not Lobbying ASIC for Customer Liability]
OECD Workshop Report:
“Knowledge is a source of competitive advantage in the information economy. The
public sector is a large producer of knowledge-related content (including
data/information, images, film, etc., excluding administrative and e-government
content, and personal data). This content has a range of established and
potential new commercial and non-commercial uses. Moreover, governments need to
ensure that citizens can access cultural heritage and national public content
and information. Greater use of public sector information (PSI) through
digitization and the use of ICT is likely to require changes in public sector
approaches to PSI and reorganisation of the structure, management, distribution
and access to public information. There are further challenges in financing
these new approaches and changing budgetary practices to deal with these new
challenges.” [Source]
The Ontario Ministry of
Environment (OME) hopes to alleviate the high demand of FOI requests with the
implementation of tracking and case management applications. The OME announced
it had chosen Ottawa-based Privasoft in an effort to improve response rates
with citizens. Privasoft is set to assist Ontario in managing infrastructures
as well as ATIP requests more efficiently by automating processes and standard
tasks with their web-based solutions. Documents can now be stored
electronically in a clean and streamlined process, eliminating the need to go
through boxes of files manually. It also ensures that legislation is applied
consistently as no sensitive information is released to requestors and
different requestors receive the same kind of information. [Source]
A bill to exempt MPs from
inquiries made under the Freedom of Information Act was sneaked through
the Commons last week without any debate. MPs approved on the nod the second
reading of a bill to exclude parliament from the Freedom of Information Act.
David Maclean, the former Tory chief whip, introduced the measure in a private
member’s bill. Mr. Maclean said yesterday the main reason for his bill was to
prevent MPs’ letters on behalf of constituents being released to the press and
public. He acknowledged the effect of the bill would be to exempt parliament
from the act at a time when the parliamentary authorities have lost a case at
an information tribunal after trying to block more detailed disclosure of MPs’
expenses. [Source]
Washington legislators are
looking to expand the state’s DNA database to aid police investigators, but
civil rights advocates are concerned that the proposals would violate people’s
Fourth Amendment protections against unreasonable search and seizure. A bill in
the House would require police to take DNA samples from anyone convicted of a
felony or a gross misdemeanor, while a more aggressive bill in the Senate would
require a DNA sample from anyone arrested for those offenses. Existing law
requires DNA samples to be taken only from convicted felons. The Washington
State Patrol’s DNA database feeds the one used by the FBI. Supporters say the bills
would help authorities catch people who start by committing small crimes and
move on to more serious ones, such as murder. But opponents argue that the
proposals would infringe on people’s right to privacy – especially if someone
is required to give up his or her DNA upon arrest. [Source]
The New Jersey law that
mandates DNA testing for felons is constitutional and can be used to solve
crimes committed before the sample was taken, the state Supreme Court ruled
this week. A pair of 6-0 decisions, issued in two similar cases, upheld the New
Jersey DNA Database and Databank Act of 1994, which had been affirmed by
lower courts. Similar laws are in place federally and in all other states. One
case was brought by John O’Hagen, who pleaded guilty to a drug charge in 2002
and objected to the collection of his DNA. He asserted it violated federal and
state constitutional rights against unreasonable search without a warrant and
equal protection. In rejecting his argument, Justice John E. Wallace Jr. wrote
for the court, “Because of the impracticality of imposing a warrant requirement
and individualized suspicion in this context, the overriding public need for
the uses of DNA data, the lessened expectation of privacy of a convicted felon,
and the minimal nature of the physical intrusion, we find no violation of defendant’s
constitutional rights.” [Source]
[Source]
The U.S. federal government
could add DNA from tens of thousands of immigration violators, captives in the
war on terrorism and others accused but not convicted of federal offenses to
the FBI’s crime-fighting database under a plan being finalized by the Justice
Department. A Justice Department spokesman confirmed the plan, which hasn’t
been publicly disclosed, and said details are expected to be completed soon.
Opponents, such as the ACLU’s Washington office, say such mass seizures of DNA
violate privacy and do little to improve law enforcement. [Source]
Beginning this month,
Massachusetts will require doctors to report to the state health department the
name of anyone testing positive for the human immunodeficiency virus (HIV),
rather than using the code the agency has used for the past 20 years. A spokeswoman
for the Massachusetts Department of Public Health said the change is being made
because in 2006 the federal government began distributing funds from the Ryan
White Care Act – the 1990 law providing care to HIV patients – only to states
using name-based reporting systems. 45 states already use name-based systems.
Of these, California, Delaware, Illinois, Maine, Oregon, and Rhode Island
switched to name-based systems in 2006. “We would not want to jeopardize $15
million in federal funds,” the spokeswoman said. [Source]
A year-old New Hampshire law
that restricts data mining companies from obtaining information on the
prescriptions written by individual doctors will undergo a challenge next week
in U.S. District Court. Two companies (IMS Health and Verispan LLC) that collect
and sell the information sued the state shortly after the law took effect in
June on the basis that the measure violates the U.S. Constitution. The law is
intended to contribute to the exchange of public health data while protecting
patient privacy and preventing doctors from facing pressure from pharmaceutical
representatives. The trial begins Jan. 29. [Source]
[Source]
[Source]
The Department of Veterans
Affairs has begun populating veterans’ personal health records with live information
from the electronic medical records (EMRs) that the department maintains in its
Veterans Health Information Systems and Technology Architecture. Beginning with
medications last month, the Veterans Health Administration (VHA) will introduce
new portions of the medical records every few weeks. By December, “most of the
key portions of this information will be available to them electronically” in
their MyHealtheVet records, said Ginger Price, director of the MyHealtheVet
program. “This is the beginning of the Big Bang,” Price said. MyHealtheVet is
available to all 7.6 million VA patients, she said. [Source]
A young company named Aristex
Health Solutions this week announced the launch of Global Lifeguard, a
Web-based application that will allow patients and physicians alike access to
their medical records online. The program is a proprietary, Web-based, content
management system application, according to Aristex's vice-president of product
management, Jeff Johnston. Started only a year ago, Aristex does systems, risk
management and privacy consulting in the health care industry, but Global
Lifeguard is its flagship product. The company got the inspiration for the
program in the wake of the Canadian health care system reports from the Kirby
and Romanow committees in 2002. “We saw the opportunity to create something so
that Canadians are actively engaged in managing their own health care - we want
to give Canadians control of their health management,” said Johnston. [Source]
Tens of millions of credit and
debit cards may have been compromised by a computer security breach at the
retailer that operates T.J. Maxx and Marshall’s stores in what could become the
biggest case of stolen consumer data in the U.S. While the investigation is in
its early stages, the number of accounts potentially exposed at TJX could
exceed the 40 million involved in a data breach at the payment processor CardSystems
Solutions in 2005. [Source] [Source] [TJX
Hack Highlights Payment Information Insecurity] The cost of data breaches,
whether the information is lost or stolen, continues to escalate, costing
companies an average of $182 per compromised record. [Banks
expand warnings on TJX] [Bankers:
Customer data stolen in TJX hack used in frauds]
Israel’s Interior Ministry has
called for an investigation into how sensitive personal information of all Israeli
citizens was leaked to the Internet. Citizens could be at risk of identity
fraud. The leaked data include addresses of government and security officials.
The Interior Ministry says the information was leaked some time after it was
given to political parties running for the Knesset. [Source]
Twenty-six computer tapes
containing IRS taxpayer data have gone missing from City Hall in Kansas City.
The tapes were originally shipped to the City Hall building in August as part
of an information-sharing agreement between the IRS and the municipality of
Kansas City. [Source]
Attackers surreptitiously
placed keystroke loggers on the computers of some Thrift Savings Plan (TSP)
participants and used the information they gathered to steal about US $35,000.
TSP is a retirement and investment savings plan for federal employees. The
attackers withdrew funds from approximately two dozen accounts and used
electronic fund transfers to forward the money to other accounts. TSP says
their system has not been breached, but it has suspended electronic fund transfers.
[Australian Banks Not Lobbying ASIC for Customer Liability] [Source]
A computer stolen from a KB
Home builder’s sales office holds personally identifiable customer information.
The company has sent letters to 2,700 individuals notifying them of the
incident. The computer was stolen from the locked Charleston, SC office on
December 30, 2006. The company believes the data belong only to people who
visited the sales office at Foxbank Plantation and had provided their SSNs to
pre-qualify for loans. [Source]
Computer records containing
medical claim information, health data, and Social Security numbers of 28,279
health insurance customers of Nationwide Mutual Insurance Co. were stolen from
the office of a vendor in Massachusetts. A lockbox that contained computer
backup tapes with information on Nationwide Health Plan customers was taken
during an Oct. 26 break-in at Concentra Preferred Systems in Weymouth, Mass. In
that theft, backup tapes of medical claim data of about 130,000 Aetna Inc.
health insurance members also were taken. [Source]
[Nationwide,
Aetna Customer Data Stolen]
The Chicago Board of Elections
is missing at least six CDs that contain personal information on voters,
including birth dates, addresses and SSNs. A City Council candidate discovered
that about 100 CDs containing information on 1.3 million voters were handed out
by city staff, but at least six are missing. [Source]
[Chicago
loses voters’ personal data]
Washington State utilities
regulators fined Puget Sound Energy nearly $1 million for illegally selling customers’
private data to an outside marketing firm. Under a settlement reached this
week, Bellevue-based PSE said it transferred more than 65,000 phone calls from
new or relocating residential customers to a firm that then tried to sell them
telephone, lawn and newspaper services. [Source]
IBM has developed software
designed to let people keep personal information secret when doing business
online and donated it to the Higgins open-source project. The software, called
"Identity Mixer," was developed by IBM researchers. The idea is that
people provide encrypted digital credentials issued by trusted parties like a
bank or government agency when transacting online, instead of sharing credit
card or other details in plain text, Anthony Nadalin, IBM's chief security
architect, said in an interview. "Today you traditionally give away all of
your information to the man in the middle and you don't know what they do with
it," Nadalin said. "With Identity Mixer you create a pseudonym that
you hand over." For example, when making a purchase online, buyers would
provide an encrypted credential issued by their credit card company instead of
actual credit card details. The online store can't access the credential, but
passes it on to the credit card issuer, which can verify it and make sure the
retailer gets paid. [Source]
Identity fraud can net
criminals £85,000 for each identity stolen, research has found. That is the
average amount which criminals can expect to gain from impersonating a person
in the UK according to anti-ID theft company Garlik. Garlik commissioned
research from consultancy 1871 Ltd which uncovered the value of a single fake
identity. It also discovered that lawyers are a main target of ID fraudsters.
The research found that most people’s perceptions of how identity fraud works
are wrong. The fraudster commonly does not empty bank accounts but applies for
new credit as another person so that that person may not discover for some time
that they are being impersonated. [Source]
[Podcast]
The Cato Institute held a book
forum last week, at which Jim Harper, the Director of Information Policy
Studies at Cato, discussed his new book “Identity
Crisis: How Identification Is Overused and Misunderstood”. In Identity
Crisis, Harper argues that identification does not provide the security
often assumed, and the overuse of identification harms Americans’ interests in
a variety of ways. Harper’s solution is to replace the uniform national
identity system being advanced by the REAL ID Act with a diverse, competitive
identification and credentialing marketplace. [Cato Institute - Jim Harper]
[EPIC page on Real ID]
Vermont Secretary of State
Deborah Markowitz says her office has removed Internet links from its site that
led to files containing individuals’ SSNs. The move came following the
revelation that certain commercial records contained SSNs, including that of an
unnamed state legislator. A Vermont state law that took effect on July 1, 2006
directs state and local government agencies to redact SSNs from public records.
[Source] [Source]
Liberty Alliance, the global
identity consortium, this week announced the openLiberty Project, a global
initiative formed to provide resources and support to open source developers
building identity-based applications. With today’s news, Liberty Alliance has
launched openLiberty.org, a portal where developers can collaborate in the
openLiberty Project and access tools and information for “jump starting” the
development of more secure and privacy-respecting applications based on the
widely deployed Liberty Federation and Liberty Web Services standards. [Source] [Coverage] [Coverage]
Bars and retailers would be
prohibited from storing the personal information “swiped” from New Jersey
drivers’ licenses on a database under a proposal being drafted by a state
lawmaker. The proposed legislation follows reports that Trenton nightclub Kat
Man Du amassed a list of 15,000 customers from scanning licenses for a year,
and would make it illegal for businesses to collect such personal information
as name, date of birth, address and license number by swiping a license through
a scanner. “These databases are a privacy thief’s dream come true,” Greenstein
said. “There is no compelling reason for these businesses to compile computer
databases full of information gleaned from customer driver’s licenses,” she
said. “A night out with friends should be something to enjoy without fear that
vital personal information could end up in the hands of criminals.” [Source] [Source] [Source] [Source]
Vancouver bar owners who scan
patrons’ driver’s licenses and log their personal information may soon have to
stop, if B.C.’s privacy commissioner decides in February that the practice
infringes on privacy. Information and Privacy Commissioner David Loukidelis has
completed his inquiry into whether bar owners can legally continue using
card-swiping software that stores digital photos of customers and other personal
data for two years, the director of the commissioner’s office said. “If he
finds the collection [of personal data] is not reasonable, he can require [the
database] to be destroyed, for example,” Mary Carlson said. “If he decides this
is a completely permissible practice, then he’ll just confirm the ability of
the bars to collect this information.” [Source]
Lawmakers want Montana to be
the first state in the country to say “no” to federally approved ID cards. Rep.
Brady Wiseman, D-Bozeman, and Rep. Diane Rice, R-Harrison, presented nearly
identical bills to the House Judiciary Committee this week that would reject the
federal Real ID Act of 2005. Both said the act was an attempt by the
federal government to usurp power from individual state governments and
threatened an individual’s right to privacy. State legislatures in Georgia,
Massachusetts and Washington have similar bills pending, and more states are
likely to follow suit, according to the National Council of State Legislatures.
An effort to pass a similar law in New Hampshire failed during its last
legislative hearing. “Our purpose here, members of the committee, is to lead,
is to lead other state legislatures and other governors in a similar effort,”
Wiseman said. Gov. Brian Schweitzer signaled he would support both bills. [Source]
Under a bill heard this week
by the Senate Transportation Committee, the state of Washington could refuse to
comply with a federal mandate that would effectively turn state driver’s
licenses into national identification cards. Senate Bill 5087, sponsored by
committee Chairwoman Mary Margaret Haugen, D-Camano Island, would forbid state
agencies from spending state money to implement the REAL ID Act, passed by
Congress in 2005. The act, which was attached to an emergency appropriations
bill, requires that certain information, including proof of citizenship, be
placed on every state driver’s license in a standard, machine-readable format.
Beginning in May 2008, no federal agency may accept a state driver’s license or
other ID card that fails to meet the REAL ID standard for any official federal
purpose, including boarding an airplane. [Source]
A new service that allows
consumers to check if their personal information has been stolen or compromised
by criminals was launched today. The free scheme, called StolenID Search and
set up by U.S. firm TrustedID, allows anyone with internet access to search a
database of more than two million data entries, including credit card details,
found to be used by criminals in online fraud. To run a search, the consumer
must input their personal data to check it against the information stored on
the database. The search will return with a “found” or “not found” response.
Individuals who receive notification of a match will be instructed on how to
take the appropriate next steps. However, security analysts have criticized the
service, claiming that by making it accessible to anyone it could actually assist
criminal activity. “They can make a terrible problem worse if they freely
disseminate information to anyone who asks for it without properly vetting the
requestor’s identity,” a Gartner analyst warned. [Source]
The social-networking Web site
MySpace.com will now distribute Amber alerts to members notifying them of
missing children in their communities. MySpace also announced two safety
features designed to protect members’ privacy. The site will now require people
signing up for an account to provide a working e-mail address and verify their
identity by responding to an e-mail sent to the listed address. It will also
offer a tool to prevent any member under age 18 from being contacted by adults,
and vice versa. [Source] [Families Sue Myspace After Children Abused By Adult Users]
Microsoft, Google, Yahoo and
Vodafone said this week that they will develop a code of conduct with a
coalition of nongovernmental organizations to promote freedom of expression and
privacy rights. The new guidelines are the result of talks with Business for
Social Responsibility and the Berkman Center for Internet & Society at
Harvard Law School. Technology companies have come under fire for providing
equipment or software that permits governments to censor information or monitor
the online or offline activities of their citizens. The groups involved said
they will develop a framework that would hold signatories accountable for their
actions in the areas of freedom of expression and privacy rights. The groups
participating in development of the guidelines include the Berkman Center,
Business for Social Responsibility, the Electronic Frontier Foundation, Human
Rights Watch and Reporters Without Borders. [Source] [New Internet Code to Protect Privacy]
Microsoft Corp. and the
National Security Agency confirmed last week that the intelligence agency
helped the company configure Windows Vista so it meets the Pentagon’s security requirements.
NSA spokesman Ken White said the agency has provided guidance on securing
Windows XP and Windows 2000 in the past. But this is the first time the NSA has
worked with Microsoft or any vendor prior to an operating system’s release,
White added. But privacy advocates said it would be tempting for the NSA to
push for a way to gain access to data stored on Vista-based systems. [Source]
In the first ruling of its
kind in New Jersey, a state appeals court has ruled that computer users can
expect the personal information they give their Internet provider will be
considered private. A three-judge panel said a computer user whose screen name
hid her identity has a “legitimate and substantial interest in anonymity.” The
court based its decision in a Cape May County computer crime case on the state
Constitution, recognizing a right to “informational privacy.” [Source] [Source] [Decision]
Police and victims’ advocates
have called for tougher laws to ensure personal privacy rights don’t trump the
protection of children from online sex predators. The Canadian Resource Centre
for Victims of Crime says current laws give ISPs “discretion” to force police
to obtain a warrant before giving up basic information about people suspected
of sexually exploiting kids online. President Steve Sullivan said that could
waste valuable time when investigators are trying to nab perpetrators. [Source]
The Anti-Spyware Coalition
(ASC) this week unveiled a comprehensive set of “best practices” for identifying
potentially unwanted technology. Based on more than a year of consultations and
building on all of the coalition’s previous work, the Best Practices document
provides the clearest description yet of how anti-spyware companies determine
whether software may be “unwanted.” Coordinated by CDT, the ASC is comprised of
companies, academics and public interest groups working together in the fight
against spyware. The ASC also today released its Conflict Identification and
Resolution Process. [Best Practices Document] [Conflict Resolution] [Press Release]
Australia’s hosting of 2007
Asia-Pacific Economic Cooperation (APEC) events began with a series of Senior
Officials Meetings in Canberra this month. The protection of transborder flows
of personal data received considerable attention as an issue that is important
for the ongoing economic health and development of the Asia-Pacific. On January
22, the APEC Electronic Commerce Steering Group held a Data Privacy Seminar on
the International Implementation of the APEC Privacy Framework. The seminar focused
on the development of Cross-Border Privacy Rules that would satisfy the nine
privacy principles articulated in APEC’s Privacy Framework. [APEC 2007 news release]
[APEC Privacy Framework]
[Government of Australia Attorney-General’s Office: Data Privacy at APEC 2007]
[Privacy and Human Rights 2005: Transborder Data Flows and Data Havens]
The American Civil Liberties
Union and the Center for National Security Studies filed three Freedom of
Information Act requests on Jan. 22 seeking the immediate release of records
related to President Bush’s authority to search Americans’ mail without a
warrant. [Source]
With privacy concerns
heightened after incidents of stolen laptop computers and information breaches
in 2006, the newly appointed chairman of the House information policy
subcommittee plans to delve into the problems surrounding technology and
privacy. Rep. William Lacy Clay (D-Mo.) heads the House Oversight and
Government Reform Committee’s Information Policy, Census and National Archives
Subcommittee, whose jurisdiction covers public information and records laws
such as the Freedom of Information Act, the Presidential Records Act and the
Federal Advisory Committee Act; the Census Bureau; and the National Archives
and Records Administration. [Source]
The Cyber Security Industry
Alliance (CSIA) released the following statement regarding the TJX data
security breach: “This latest security breach at TJX underscores the urgent
need for Congress to establish a single standard for securing citizens’
personal information wherever the information is held, whether by a government
entity, commercial corporation, educational institution or nonprofit,” said the
CSIA. “Americans are, with good reason, concerned about the security of their
sensitive, personal information and it is up to Congress to pass a national law
to help protect them. This law should accomplish the dual goals of prevention
and notification and establish reasonable security measures, create a
consistent and recognizable notification standard, encourage best practices
such as encryption, and include effective enforcement capabilities. As this
latest breach also affects TJX customers outside of the U.S., we urge other
governing bodies to take action to protect their citizens as well.” [Source]
A company has developed an
RFID tattoo that has all the benefits of RFID implantation, but without the
messy chip. The chip is replaced by a tattoo. The company is touting its
benefits in traceability of the meat supply, but is also suggesting that it may
be useful in soldiers: [Source] [Source]
RFID Tribe has put together an RFID map of the world (via The RFID Weblog)
using Google Maps. The map geocodes uses of RFID by companies, associations,
universities, etc. And you can add your own RFID points of interest. There are
233 points as of this writing. [Source] See also IDTechEx’s RFID case studies
database containing over 2400 instances of projects in 92 countries around the
world (as of Dec 23/06). The database is also categorized by industry.
[IDTechEx database]
The Australian Medical
Association (AMA) says draft legislation for the Federal Government's Access
Card for health and welfare services does not address concerns about privacy or
its potential use for other purposes. A Government-appointed consumer and
privacy task force has also highlighted a number of potential problems with the
proposal. The card is expected to be rolled out from next year and will include
personal information in a microchip for access to a range of government
services. Submissions on the draft legislation closed last week and are being
considered by the Government. [Source] [Source] [Source] [Source] [Source]
The Bush administration has
not settled on what data it would like ISPs to retain about their subscribers
or for how long. U.S. Attorney General Alberto Gonzales made it clear last fall
that he planned to seek national legislation requiring the controversial
practice known as data retention. [Source]
A three-year-old Montreal
police pilot project using surveillance cameras on St. Denis St. to discourage
crime is to spread to St. Laurent Blvd. this year, city councillor Claude
Dauphin confirmed this week. The “video surveillance plan” is to see 12 of the
outdoor video cameras placed along St. Laurent this summer. An unspecified
number are to be placed farther south. Another six cameras would be
re-installed on St. Denis for a fourth straight summer, he added. It’s the same
number as last year, he said. The cameras are removed from the street every
fall. The police department must ask for authorization from the city council’s
public safety committee every spring, Dauphin said. He is chairperson of the
committee. The police department will present this year’s plan to the
committee, which meets in public, sometime in March, he said. [Source]
SEE ALSO: [Guelph has 8 security cameras for every bus. Will GRT follow suit?]
[Vancouver SkyTrain OKs video upgrade]
There are at least 300,000 names on the U.S. government’s watch lists. People
who fall into the unenviable category of false positives are wrongly detained because
some of their personal information matches that of a terrorist or other
suspect. The number of misidentifications is unknown, according to government auditors,
but it has caused headaches for a cross-section of travelers, including nuns,
infants and members of Congress. The U.S. Customs and Border Protection agency,
under the jurisdiction of the Homeland Security Department, said it was trying
to remedy the problem with a system to prevent unwarranted detentions on
international flights. [Source]
The Senate has yet to take up
a House bill that includes expanded authority for the Chief Privacy Officer
(CPO) of the Department of Homeland Security (DHS), including subpoena power.
Hugo Teufel, chief privacy officer at DHS, said the bill also would give the
CPO the power to report directly to Congress. Teufel - who did not express an
opinion on the bill - said the measure would fundamentally change the way the
DHS privacy office operates, making it similar to the department’s inspector
general. [Source] [Lawmakers decry firewall limiting DHS agency’s investigations]
The Maine House and Senate registered nearly unanimous opposition this week to the
federal Real ID Act, which requires states to change their drivers' licenses
into national IDs linked to a central database. The resolution is not binding
on Congress, but says the Legislature refuses to implement the Real ID Act. It
asks Congress to repeal the law. [Source] [Videos of Maine legislators]
[Roll call info] [Text of resolution] [Real ID FAQ]
CDT this week urged lawmakers
to adopt an approach to Internet-related policymaking that protects fundamental
civil liberties, reestablishes meaningful privacy protections and paves the way
for the United States’ continued leadership in technological innovation. In its
Congressional Agenda for the 110th Congress, CDT offers both a broad overview
of the challenges associated with policymaking in the Internet space, as well
as granular, issue-by-issue recommendations for lawmakers. CDT is distributing
the recommendations to lawmakers and the press. [Source] [CDT Legislative Agenda]
[Press Release]
Bills to allow ID theft
victims to freeze access to their credit history were introduced in three
states this week. In Arkansas the new AG also is seeking increased penalties
for ID theft, making it a Class B felony that would be punishable by five to 20
years in prison and a maximum $15,000 fine. [Source] [Source]
[Montana Bill calls for freezing credit reports to thwart ID theft]
[New Michigan Bill Would Combat Identity Theft Damage]
The Information Commissioner has backed the use
of file markers to highlight the danger posed by certain individuals to
employees. Advice has been published to help those working with the public to
manage the use of violent warning markers and comply with the Data
Protection Act. The markers usually take the form of a piece of text
attached to an individual’s file. The commissioner said they are a useful tool,
but must be used correctly to stay within the law. [Source]
--------