Privacy News Highlights
07–20 July 2007
Contents:
EU – German Test of Facial Recognition by Computer Fails
EU – New Technology Records Emotions of Passers-By
US – U.S. Building Database on Iraqis - Biometrics Key Part of Tracking Suspects
AU – Unisys Survey: Australian Travellers Happy With Bio Checks
IN – India Gov’t to Launch Biometric PAN Cards
CA – U.S. Data Broker Fooled Canadian Phone Companies Into Giving Up Personal Data
CA – Privacy Commissioner May Investigate Trans-Border Flow of Private Information
WW – 30 Countries Sign OECD Document to Protect Consumers Online
US – Consumers Eligible for $14 Million Settlement for Alleged Privacy Violations
UK – Survey: Anti-Spam Solutions Get Battering From Business
US – VA to Expand Encryption to In-House Removable Storage
UK – UK Firms “Guilty of ‘Horrifying’ Breaches in Data Privacy” – Richard Thomas
UK – U.K. Politicians Push for Data Policy Debate
UK – Survey: 3 in 10 PCs Dumped With Sensitive Data
WW – Survey: Companies Continue to Feel Vulnerable to Security Attacks
WW – New RSA Research: Criminals Set Up Phishing Sites in Seconds
US – Survey Finds Information Requests Can Take Years
CA – B.C. Can Keep Contracting Out Medical Records, Court Rules
UK – NHS Looks at Tagging Hospital Patients with RFID, Barcodes, Biometrics
US – Breach Exposes Personal Data for 27,000 Online Customers
US – Personal Data on 80,000 Exposed on Louisiana Internet Site
UK – Assistant Commissioner Bamford: ID Cards Must Keep Public Confidence
WW – Anonymizer.com Web Service Discontinued
WW – Microsoft Windows Patent Will Spy for Advertisers
US – FBI Remotely Installs Spyware to Trace Bomb Threat
WW – Google Announces Shorter Lifespan for Cookies
EU – Nintendo Revises Privacy Policy; EU Users Must Agree or Cancel Membership
US – Security Researcher Wants AstroGlide Maker Fined For Slippery Privacy Practices
WW – “I’ve Got Nothing to Hide” and Other Misunderstandings of Privacy: Solove Essay
US – Court OKs Pat-Down Searches of Football Fans
EU – European Task Force Lists RFID Privacy Threats
US – AMA Issues Ethics Code for RFID Chip Implants
US – Think Tank Makes Case Against RFID Regulation
US – OMB, DHS Outline Data Security Best Practices
US – Survey: Employees Pose the Biggest Security Risk
CA – Payment Industry Preps for Ontario Chip Card Trial
EU – Report: Public Surveillance a Threat to Fundamental Rights
UK – Police Gain Data Protection Exemption for London Surveillance
US – New York Plans Surveillance Veil for Downtown
US – Feds Scramble to Meet Data Breach Deadline
US – Ambitious US e-Government Project Targets Secure Data Sharing
US – FBI Plans More Data-Mining, Profiling
US – Senators Introduce Stringent Health Records Privacy Bill
US – House Panel Slaps Limits on Sale of SSNs
US – Coalition of Groups Urges FTC to Investigate Background Checks on Rail Workers
The German Federal Criminal Police Office (BKA) this
week presented sobering research results of its visual-image search systems
project, concluding that biometric visual-image search systems are not advanced
enough to be used by the police to search for persons. Given the present state
of the technology the system was unfit to be deployed, the Office concluded.
The crime researchers are placing their hopes on 3D recognition facial systems,
the development of which is still in its infancy, however. The Federal Data
Protection Commissioner Peter Schaar is also warning against the use of an
immature technology. In his statement
on the final report of the BKA on the project Commissioner Schaar made it
clear that biometric facial recognition technology must on no account, even if
at some point in the future the point of maturity was reached, lead to an
all-round surveillance regime. “Especially problematic are false positives,
which, in the event of a genuine hunt, render innocent people suspects for a
time, create a need for justification on their part and make further checks by
the authorities unavoidable,” Mr. Schaar declared. [Source]
This would generate a pervasive climate of surveillance, which in turn would
impact upon the behavior of citizens. The Commissioner also demanded legal
safeguards against the linking of the image data recorded by surveillance
cameras with the digital passport photographs stored in the passport and ID
registers. [Source]
[Source] [Source]
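A worked illustration of the false-positive problem Commissioner Schaar describes, added here as an editorial example: it is not code from the BKA project or the Commissioner’s office, and every figure in it (crowd size, number of wanted persons, recognition and false-match rates) is an assumed value, not one reported on the page. The point it makes is the base-rate effect: when genuinely wanted persons are a tiny fraction of the faces scanned, even a small false-match rate produces far more innocent “hits” than real ones.

```python
"""Base-rate arithmetic behind the false-positive warning above.

Added illustration, not code from the BKA project or the Commissioner's
statement. Every number used in __main__ is an assumption chosen for the
example, not a figure reported on the page.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScreeningOutcome:
    expected_true_hits: float     # wanted persons the system correctly flags
    expected_false_alarms: float  # innocent passers-by the system flags
    precision: float              # P(person is actually wanted | flagged)


def screening_outcome(passers_by: int, wanted: int,
                      tpr: float, fpr: float) -> ScreeningOutcome:
    """Expected outcome of screening `passers_by` faces against a watchlist.

    `wanted` of the passers-by are genuinely on the list; `tpr` is the
    system's true-positive rate (chance a wanted person is recognised) and
    `fpr` its false-positive rate (chance an innocent face matches someone).
    """
    if not (0.0 <= tpr <= 1.0 and 0.0 <= fpr <= 1.0):
        raise ValueError("rates must lie in [0, 1]")
    if not 0 <= wanted <= passers_by:
        raise ValueError("wanted must be between 0 and passers_by")
    innocent = passers_by - wanted
    true_hits = wanted * tpr
    false_alarms = innocent * fpr
    flagged = true_hits + false_alarms
    # If nobody is flagged there is no precision to speak of; report 0.0.
    precision = true_hits / flagged if flagged > 0 else 0.0
    return ScreeningOutcome(true_hits, false_alarms, precision)


def fpr_needed_for_precision(passers_by: int, wanted: int,
                             tpr: float, target_precision: float) -> float:
    """Largest false-positive rate at which `target_precision` of the people
    stopped would actually be wanted. Solves precision = TP / (TP + FA) for FA.
    """
    if not 0.0 < target_precision < 1.0:
        raise ValueError("target_precision must lie strictly in (0, 1)")
    innocent = passers_by - wanted
    if innocent <= 0:
        return 1.0  # nobody to misidentify; any rate will do
    true_hits = wanted * tpr
    allowed_false_alarms = true_hits * (1.0 - target_precision) / target_precision
    return allowed_false_alarms / innocent


if __name__ == "__main__":
    # Assumed scenario: a station sees 100,000 faces a day, 10 of which belong
    # to people on the watchlist, and the matcher recognises 90% of them.
    passers_by, wanted, tpr = 100_000, 10, 0.9
    print(f"{'FPR':>8} {'true hits':>10} {'false alarms':>13} {'precision':>10}")
    for fpr in (0.01, 0.001, 0.0001):
        o = screening_outcome(passers_by, wanted, tpr, fpr)
        print(f"{fpr:>8.4%} {o.expected_true_hits:>10.1f} "
              f"{o.expected_false_alarms:>13.1f} {o.precision:>10.1%}")
    need = fpr_needed_for_precision(passers_by, wanted, tpr, 0.5)
    print(f"FPR needed for half of those stopped to be genuine: {need:.6%}")
```

With the assumed figures, a false-match rate of one in a thousand still flags roughly a hundred innocent people for every nine real hits, and the rate would have to fall below one in ten thousand before even half of the people stopped were genuinely wanted. That is the mechanism behind the Commissioner’s point that false positives turn innocent passers-by into suspects who then have to justify themselves.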
German researchers have developed a new tool to
recognize emotions as they flicker across the human face. Rapid facial analysis
has huge potential for advertisers, but some are concerned about protecting
privacy. Usually, advertisers can only guess at the public’s reaction to a new
ad campaign. But new technology under development by German researchers makes
that type of data instantly accessible to advertisers. A small video camera
records the face of each person who passes and registers whether the person
looks happy, surprised, sad or angry. Complex algorithms find faces in a video
image, count the number of people watching an ad, distinguish between men and
women and analyze their expressions. Plus, it all happens in real time. [Source] [Source] [Demonstration
version of the face detection and analysis software package] See also: [Homeland
Security Sees Lasers and Heart Sensors in the Future of Anti-Terror Screening]
The U.S. military is taking fingerprints and eye scans
from thousands of Iraqi men and building an unprecedented database that helps
track suspected militants. U.S. troops are stopping Iraqis at checkpoints, workplaces
and sites where attacks have recently occurred, and inputting their personal
data using handheld scanners or specially equipped laptops. In several neighbourhoods
in and around Baghdad, troops have gone door to door collecting data. The
rapidly expanding program has raised privacy concerns at the Pentagon, although
it has met little resistance from Iraqis. [Source]
Research by biometrics technology firm Unisys suggests
that 98% of Australians are prepared to use a photograph to establish their
identity, while three in four are happy to have their fingerprints taken and
69% would agree to iris scans. Unisys found more than half of domestic
travellers would be prepared to pay a higher ticket price if it produced
tangible security improvements, and 71% would be prepared to provide biometric
data to airlines. The technology company, which is helping develop facial
recognition and fingerprint technology for border security in Australia,
believes the acceptance of the increased security measures means it will only
be a matter of time before there is a registered traveller scheme in Australia.
The company says its research shows more than two-thirds of travellers would be
prepared to participate in some sort of scheme if they thought they would
benefit. [Source]
[Biometrics
New Australian Border Guard by 2010]
All new income tax payers in India will soon begin to receive biometric
Permanent Account Number (PAN) cards with enhanced security features such as
fingerprints or retinal scans, aimed at weeding out duplicate cards and
improving tax compliance. “The process of eliminating about 13 lakh [1.3
million] duplicate PAN cards is in the last mile. Once that process is
completed shortly, then we will set a date, after which all new PAN cards will
only be biometric,” Finance Minister P. Chidambaram said. Asked whether the
launch date for biometric PANs could be October, he said, “it could be.” On the
fate of current PAN card holders, Chidambaram said, “they will be persuaded to
switch over to biometric PAN cards in their own interest. Earlier PAN cards
will, of course, remain valid.” [Source]
The Canadian Privacy Commissioner says a U.S.-based
data broker tricked Canadian telephone company personnel into divulging
confidential information about customers. A probe by Jennifer Stoddart found
staff at broker Locatecell.com obtained the personal details by pretending to
be people entitled to the information. The probe was prompted by a November
2005 article in Maclean’s alleging the magazine had been able to purchase the
phone records of Stoddart and a senior Maclean’s editor from Locatecell.com.
Stoddart concluded Bell Canada, Telus Mobility and Fido did not follow their
own procedures and had not adequately trained staff to protect customer info.
All 3 companies have since revised their customer authentication procedures. [Source] [News Release]
[Commissioner’s
Finding]
The Federal Court has ruled that the Personal
Information Protection and Electronic Documents Act (PIPEDA) gives the
Privacy Commissioner jurisdiction to investigate the trans-border flow of
personal information, according to the decision. The ruling stemmed from a
complaint that a U.S.-based Web site was advertising that it could provide
background checks, telephone numbers, license plate numbers, psychological
profiles and other information on individuals, including Canadians. The Office
of the Privacy Commissioner said it was unable to investigate, citing the lack
of jurisdiction in the U.S. The Canadian Internet Policy and Public Interest
Clinic’s Executive Director, Philippa Lawson, said she was surprised that the
privacy commissioner declined to investigate her organization’s complaint. A
spokeswoman for the privacy commissioner said the office was “pleased with the
decision that gives us the jurisdiction to investigate the matter.” [Source]
Spurred to find ways to protect consumers as online
shopping grows, the 30 countries belonging to the international economic and
social-development group Organization for Economic Co-Operation and Development
(OECD) this week announced an accord on dispute resolution. After two years of
wrangling over the policy document, the Paris-based OECD said its 30 members
have signed off on a legal framework intended to lead to better policing and
resolution of consumer complaints, particularly in cross-border disputes
involving e-commerce. [Source]
Bank of America (BofA) has agreed to settle for $14 million a class action
lawsuit that alleged consumer privacy violations. The bank has agreed to
changes to its privacy policies, Web site and opt-out procedures. It also
agreed to spend $10.75 million on waiving fees for certain bank products and
services and on credit monitoring coverage to protect people from identity
theft. The lawsuit, filed in September 1999, alleged that the bank engaged in
“unlawful, unfair and fraudulent” conduct by “disclosing consumers’ personal,
private, confidential information to third parties without consumers’ consent
or without making proper disclosure.” The bank has also agreed to provide $3.25
million for privacy programs, including $1.5 million for nonprofit
organizations that work to protect consumers’ privacy. Consumers who held a
BofA card at any time from Sept. 9, 1995 to May 31, 2007 are eligible to file a
claim by Oct. 1. [Source]
Most businesses are unhappy with the performance of
their anti-spam technologies, a survey
has found. The survey, entitled The Spam Index Report, found that most
customers were not fully satisfied with the service they received from
anti-spam vendors. Over 500 businesses were polled by IT consultants Brockmann
& Company, with 40% of the respondents having IT responsibilities. Respondents
found anti-spam services provided by ISPs to be the least effective of all
solutions. Spam filters were found to be the next most ineffectual method of
killing spam. Only 21% of respondents were “very satisfied” with their
user-trained PC email client spam filters. Open-source and proprietary email
client filters were almost equally ineffectual, according to the survey. [Source]
[The
Spam Index Report]
The Veterans Affairs Department will now require
encryption for portable storage devices used internally effective in December
because of a data breach at its medical center in Birmingham, Ala., earlier
this year. VA already requires the use of encrypted flash drives, hard drives
and other removable devices when employees have permission to take personally
identifiable data off site. Now the agency will coordinate with the Office of
Management and Budget and the President’s Identity Theft Task Force to develop
governmentwide criteria for determining under what conditions potential
identity theft victims should be notified and offered free credit monitoring,
said Robert Howard, VA’s chief information officer, in a letter to the agency’s
Office of Inspector General in late June. [Source]
A ‘horrifying’ number of organisations have breached
data-protection rules, according to a report by the UK information
commissioner, Richard Thomas. Company bosses must take the security of
employees’ and customers’ personal information seriously, he warned. In his
annual report, Mr Thomas criticises a catalogue of security lapses. ‘The
roll-call of banks, retailers, government departments, public bodies and other
organisations which have admitted serious security lapses is horrifying,’ he
said. ‘My message to those at the top of organisations is... to be sure you are
not the business or political leader who failed to take information rights
seriously.’ The information commissioner’s office received nearly 24,000
inquiries and complaints about personal information issues in 2006-2007. [Source] [Annual Report]
See also: [UK Information Commissioner’s Office to set up own IT forensics department to
support its enforcement activities] and [Experts: UK Businesses Fall Behind On PCI
Compliance] and [The Guardian Praises UK Information Commissioner]
As a result of new data sharing proposals by UK ministers, the Liberal
Democrats are seeking a debate on government use of its databases, after
uncovering details of disagreements within the government about moves to pass
automated number plate recognition (ANPR) data from congestion charging and
future road pricing cameras to police. Details of the plans, and of the
disagreements, were in a document inadvertently released by the Home Office as
it made a formal announcement that Transport for London would share the ANPR
data gathered for the capital’s congestion charging scheme with police. An
opposition MP said: “Bit by bit, vast computer databases are being made
interoperable and yet the government seems to be running scared of a full and
public debate on the safeguards needed to make such information-sharing
acceptable.” He added: “The government appears to be using the London cameras
as a Trojan Horse to secure unprecedented access to information on car drivers’
movements without full public scrutiny or debate. It is high time for a full
debate on the use of information databases by this government.” [Source]
See also: [UK PM urges relaxed privacy for U.K. data sharing bills]
As much as a third of corporate PCs sent for disposal
by UK companies could contain sensitive data, according to a survey conducted
by Vanson Bourne on behalf of Lenovo, the PC maker. The survey of 300
businesses reveals these lapses in data security occur across the board in
equal measure in both mid-size and large enterprises. Most companies have
little idea about what is being stored on their computers. More than half of
the respondents said they allowed employees to save all types of file to their
computers, including company financial and legal information. Only one in ten
had strict guidelines for employees on how to regularly clean up and audit
their hard discs. Lenovo also used the survey launch to promote its Secure Data
Disposal product, which removes data from hard drives. [Source]
Two-thirds of 1,101 survey respondents in the U.S. and
89% of those surveyed in China are feeling as vulnerable to security attacks
this year as they were during the previous 12 months, according to
InformationWeek Research’s 10th annual Global Information Security survey.
Conducted with consulting firm Accenture, the survey found that one of the
major concerns for companies is “managing the complexity of security” and a
system that has overlapping technologies “that don’t handle security in a
straightforward manner.” [Source].
Hackers are able to create a fully-working phishing
site within two seconds, warns the latest Online Fraud Report from IT security
specialist RSA. Researchers at the company’s Anti-Fraud Command Centre (AFCC)
said that phishing gangs can get a fully-functional phishing website installed
on a compromised host in a matter of seconds. The hackers simply have to double
click on a single file to do so. [Source]
See also: [Hackers steal
government, corporate data with fake job postings]
On July 2, the National Security Archive posted on its Web site the latest
Knight Open Government Survey, entitled "40 Years of FOIA, 20 Years of Delay:
Oldest Pending Freedom of Information Requests Date Back to the 1980s." The
survey once again highlighted the prolonged problem of undue delays and
extensive backlogs accumulating under the FOIA request mechanism, finding
pending FOIA requests in the federal government dating back to the 1980s. Five
agencies have pending requests older than 15 years, and 10 agencies
misreported their oldest pending FOIA requests to Congress in their Fiscal
Year 2006 Annual FOIA Reports. [Source]
B.C.’s appeal court has ruled that the province can
continue contracting a private company to maintain public health records,
rejecting claims that the practice violates federal and provincial laws. It’s a
victory for Premier Gordon Campbell and his Liberals and a defeat for the B.C.
Government and Service Employees Union. [Source]
The National Patient
Safety Agency has issued a report that found 24,382 incidents of patients “being
mismatched with their care.” To improve patient safety, the NHS is considering
biometric, RFID and other technologies that could reduce these treatment and
medication errors. However, the Information Commissioner’s Office said that use
of any technologies that require the collection and storage of biometric data
requires careful consideration beforehand. [Source]
[How
RFID will improve patient safety] [Source]
Names, addresses and credit card information for
27,000 online customers of computer memory vendor Kingston Technology Company
Inc. were compromised during an intrusion into the company’s computer system
that occurred in September 2005, according to coverage of the breach in
Computerworld. A spokesman for the California company said after the company
confirmed what data was compromised and what customers were affected, the
company “had to gather the appropriate contact information and arrange for
consumer protection services and materials to notify the impacted consumers.”
It is unclear when the company detected the attack. The company hired a
computer forensics firm to investigate the breach and help Kingston upgrade its
security. It also is offering credit monitoring and other services for affected
customers, according to this article. [Source]
Student names, addresses, birth dates and Social
Security numbers were available publicly for as long as two years on an
internal Internet site run by the Louisiana Board of Regents. The report
indicates that most of the site was password-protected. However, the location
of the sensitive personal data was publicly available. After the television
station informed the board about the breach, the data was taken down from the
site. [Source]
Horror Story Roundup: [Software consultant who stole data on 110,000 people gets five-year sentence] and [Disney Movie Club members victimized in latest data-breach horror show] and [Missing TSA Computer Drive Not Protected] [Texas - Secretary of State Site Leaks Personal Data] [Louisiana - LBR site exposed details of 80,000 + to ID Theft]
The UK government should seek to retain public
confidence in its controversial ID card scheme by placing privacy issues at the
heart of its technology requirements, assistant information commissioner
Jonathan Bamford said at a Kable identity management conference this week, as
this could both improve the effectiveness of the scheme and show the public the
government cares about data protection issues. He added that systems should be
built where data protection compliance can be designed in, rather than being
tacked on ‘as an afterthought’. [Source]
A slashdot user posts: “With no fanfare, and
apparently no outcry from the privacy community, Anonymizer Inc. discontinued
its web-based Private Surfing service effective June 20, 2007. No reason was
given, either on the Anonymizer web site or on founder Lance Cottrell’s privacy
blog. Private Surfing customers are now required to download an anonymizing
client that handles all TCP traffic, but the program is Windows-only (with
Vista support still a work-in-progress).” [Source]
[Anonymizer]
Microsoft has filed a patent that threatens to breathe
life into Bill Gates’ and Ray Ozzie’s Frankenstein-like Windows Live “vision”,
unveiled in November 2005, for putting annoying, in-your-face internet adverts
inside your most important Windows applications. The giant has claimed what it
calls an “advertising framework” that would suck “context data” from your PC so
advertisers can display ads on the client, and to split revenue with the
advertiser and the owner of the application supplying the data. According to
the patent, any application such as a word processor or email client - may “serve
as both a source of context data and as a display client.” Microsoft’s
advertising framework would also stipulate “acceptable” advertising - so no
porn popping up in your Dynamics CRM or ads for SAP - “restrictions on use of
alternate display clients” (so no money for you, Linux), and “specifying
supporting media” - forget Real Player and QuickTime, the future is
Silverlight. The patent, filed with the US patent and trademark office, would
allow for more targeted, relevant and context-sensitive ads, according to
Microsoft. [Source]
[Source]
[Patent
Filing]
The FBI used a novel type of remotely installed
spyware last month to investigate who was e-mailing bomb threats to a high
school near Olympia, Wash. Federal agents obtained a court order on June 12 to
send spyware called CIPAV to a MySpace account suspected of being used by the
bomb threat hoaxster. Once implanted, the software was designed to report back
to the FBI with the Internet Protocol address of the suspect’s computer, other information
found on the PC and, notably, an ongoing log of the user’s outbound
connections. While there’s been plenty of speculation about how the FBI might
deliver spyware electronically, this case appears to be the first to reveal how
the technique is used in practice. [Source] See also: [News.com
survey of 13 security (anti-spyware) vendors on their general policy to detect
police spyware][Verbatim
results of survey].
Google has announced that its cookies will delete
automatically after two years, significantly cutting the former deletion date
of 2038. However, if a user returns to a Google Web site, the cookie will
re-set for another two years. Peter Fleischer, Google’s Global Privacy Counsel
- Europe, said that the change was made “after listening to feedback from our
users and from privacy advocates.” [Source] [Google
Blogspot] see also: [Mounting
Scrutiny for Google Security] [Google
cookie expiration plans called ‘worthless’] [EU may
push Google further on privacy; Cookies may not be crumbly enough] and,
finally, [Lauren Weinstein’s “I Am the Very Model of a
Modern Major Googler“] Other Google news: [Congress
to scrutinize Google-DoubleClick deal]
Nintendo recently sent out two emails, on June 29 and
July 12, which gave users until July 15 to agree to the new terms of its
privacy policy or face cancellation of their memberships as well as loss of
their Star points. Nintendo said the revised policy allows the company to
gather data regarding users’ online activities on its Web site in an effort to
improve its products and better meet users’ needs. The new policy allows the
company to track users’ browsing habits on the Web site and their use of the
Wii system. [Source]
Security researcher Christopher Soghoian is
petitioning the FTC and state attorneys general to slap millions in fines on
Biofilm, the maker of the popular sexual lubricant Astroglide, following the
company’s accidental release of more than 250,000 customer names and addresses
onto the internet in April. Using a $90 fine per person levied on Victoria’s
Secret by New York for a similar leak in 2002, Soghoian estimates the company
is liable for an $18 million fine. [Source]
In a short essay, written for a symposium in the San
Diego Law Review, Professor Daniel Solove examines the “nothing to hide”
argument. When asked about government surveillance and data mining, many people
respond by declaring: “I’ve got nothing to hide.” According to the “nothing to
hide” argument, there is no threat to privacy unless the government uncovers
unlawful activity, in which case a person has no legitimate justification to
claim that it remain private. The “nothing to hide” argument and its variants
are quite prevalent, and thus are worth addressing. In this essay, Solove
critiques the “nothing to hide” argument and exposes its faulty underpinnings.
[Source]
[Discussion]
[Abstract
and Paper posted at SSRN] SEE ALSO: [Privacy
Isn’t Dead, or At Least It Shouldn’t Be: Q&A with Latanya Sweeney]
A legal challenge to pat-down searches at San
Francisco 49ers home games got a brush-off from a state appeals court, which
said the two fans who filed the suit had consented to the searches when they
bought their season tickets. In a 2-1 ruling, the First District Court of
Appeal in San Francisco sidestepped the question of whether the pat-downs
ordered by the National Football League in 2005 as an anti-terrorism measure
are an invasion of privacy. Instead, the court said spectators waive their
right to privacy when they show up for the games after learning about the
searches. While a government agency can’t require members of the public to
waive their rights in order to receive services, private citizens have more
options and thus fewer rights when dealing with private businesses such as the
49ers, the court said. [Source]
[Commentary]
RFID technology is not yet sophisticated enough to
pose a threat to our privacy. But this could change in the very near future,
and measures must be in place to safeguard personal data and secure personal
freedom for when that change occurs, according to STOA, the European Parliament’s
Scientific Technology Options Assessment body. Through a series of case
studies, the researchers contracted by STOA were able to build up a picture of
how RFID is perceived by consumers and those running the technology. They found
that consumers generally see RFID as little more than an electronic key, while
to the owners of the RFID systems, the technology enables them to register the
movement, spending power, productivity, preferences and habits of the users.
This access to personal information has been the cause for concern by many
consumer protection watchdogs, who have argued that the deployment of this
technology could have a serious adverse effect on people’s privacy. The
researchers found several cases of personal data being abused. The study
concludes by making the following recommendations:
· RFID users need to know what the owners of RFID systems can and are allowed to do with their data;
· RFID users should play a role in developing new RFID environments;
· if personal data from different RFID systems are merged it should remain clear who is responsible for handling these data;
· privacy guidelines and the concepts of personal data and informational self-determination need to be reconsidered in the light of an increasingly interactive environment;
· governments should take a clear stance on whether RFID bulk data will be mined for investigation purposes.
[Source] [Source] [Report] See also: [RFID Symposium, Thursday, July 19, 2007, University of Washington School of Law]
The American Medical Association (AMA) has officially
established a code of ethics designed to protect patients receiving RFID
implants. The recommendations focus on safeguarding a patient’s privacy and
health, and are the result of an evaluation by the
AMA’s Council on Ethical and Judicial Affairs (CEJA) regarding the medical and
ethical implications of RFID chips in humans, as well as a follow-up report
recently released. The latter discusses the possible advantages and specific
privacy and ethical issues of using RFID-enabled implantations for clinical
purposes. Entitled “Radio
Frequency ID Devices in Humans,” the report is presented by Robert M. Sade,
M.D., who chairs the CEJA. It
acknowledges that RFID’s use in health care “represents another promising development
in information technology, but also raises important ethical, legal and social
issues.” The report adds, “Specifically, the use of RFID labeling in humans for
medical purposes may improve patient safety, but also may pose some physical
risks, compromise patient privacy, or present other social hazards.” The AMA’s
report identifies three specific recommendations: [Source] [Report:
Radio Frequency ID Devices in Humans]
PRI, a California-based think tank with an openly
free-market bent, this week released a primer on RFID, privacy, and government
efforts at legislation of the technology. Entitled Playing Tag:
An RFID Primer, the 11-page report is a worthwhile and concise wrap-up of
the issues surrounding privacy and RFID. [Source] [PRI Report]
The Office of Management and Budget and the Homeland
Security Department this week explained 10 common mistakes agencies make when
securing data and personal information and offered a host of best practices to
correct each mistake. In a new paper, “Common
Risks Impeding the Adequate Protection of Government Information,” OMB and
DHS discuss common problems in areas such as training, contracting and records
management. OMB and DHS developed this paper as a part of the President’s
Identity Theft Task Force recommendations. [Source] [Paper]
Put simply, the end user is the biggest issue when it
comes to IT security, says Mark Loveless, white-hat hacker who goes by the
handle “Simple Nomad.” It’s a concern echoed throughout InformationWeek
Research’s 10th annual Global
Information Security survey, conducted with consulting firm Accenture. Survey
results indicate that simply educating employees and partners about a company’s
security policies isn’t sufficient to keep generally honest people from letting
customer information leak out through e-mails, instant messages, and
peer-to-peer networks. While the No. 1 tactical security priority for U.S.
companies in 2007, according to 37% of respondents, is creating and enhancing
user awareness of policies, this is down from 42% in 2006. [Source]
“They’ll click on anything, and if anything slows them down, they’ll short cut
it,” said Loveless. [Source]
Canadian merchants may face a significant upgrade to
their point of sale systems following an industry trial of next-generation
debit and credit cards that incorporate a microchip as well as a mag stripe.
Interac Association, MasterCard Canada, Visa Canada Association, and financial
institutions such as TD Bank are planning the trial in September. A number of
merchants throughout the Kitchener-Waterloo area have been set up with
terminals that will accept the chip-based credit and debit cards. TD announced
what it called the first successful transaction with a chip card at a Green
Machine ATM at its corporate office in Mississauga, Ont. [Source]
A new report from the Council of Europe’s European Commission for Democracy
through Law (the Venice Commission) has warned that the widespread use of
public surveillance is a threat to our “fundamental rights”.
The Venice Commission also made recommendations on how personal freedoms could
be protected. Recommendations include authorities and business to state the
zones being filmed and set up a national body to guarantee the lawfulness of
such installations, in line with the requirements of the European Convention on
Human Rights and the international texts governing the gathering and protection
of data. [Source]
[Report]
Police in London have been granted exemption from the Data Protection Act to track the city’s
motorists. Police will be given live access to London’s congestion charge
cameras - allowing them to track all vehicles entering and leaving the zone.
Anti-terror officers will be exempted from parts of the Data Protection Act
to allow them to see the date, time and location of vehicles in real time. They
previously had to apply for access on a case-by-case basis. Home Secretary
Jacqui Smith blamed the ‘enduring vehicle-borne terrorist threat to London’ for
the change. [Source] [Source] [UK Surveillance Watchdog warns over number plate snooping]
By the end of this year, police officials say, more
than 100 cameras will have begun monitoring cars moving through Lower
Manhattan, the beginning phase of a London-style surveillance system that would
be the first in the United States. The Lower Manhattan Security Initiative, as
the plan is called, will resemble London’s so-called Ring of Steel, an
extensive web of cameras and roadblocks designed to detect, track and deter
terrorists. British officials said images captured by the cameras helped track
suspects after the London subway bombings in 2005 and the car bomb plots last
month. If the program is fully financed, it will include not only license plate
readers but also 3,000 public and private security cameras below Canal Street,
as well as a center staffed by the police and private security officers, and
movable roadblocks. [Source]
See also: [Cameras, Cameras Everywhere] [NPR Interview] [Surveillance - the Next Generation] and [NZ Plane cameras a sign of the times] AND ALSO: [US Court: License Plate Checks don’t require search warrants]
With only two months left before U.S. government
agencies must figure out how to deal with data breaches and data theft, federal
bureaucrats are scrambling to meet the looming deadline. The deadline was
created by a White House directive published this spring that gave all federal agencies
until September 22 to figure out the wisest way, using their “best judgment,”
to come up with a plan to secure Americans’ personal data and to alert them if
it falls into the wrong hands. [Source]
A new project is aiming to allow U.S. government
agencies to share data securely. The objective of the Secure Information
Sharing Infrastructure (SISA) project is to create a system that allows data to
be shared between the agencies, but in a way that ensures only the people who
are authorized to access data are able to do so. Cisco Systems, Microsoft and
EMC Corp. will provide commercial, off-the-shelf products, with smaller vendors
contributing specific technologies. [Source]
SEE ALSO: [CRS Publishes Report on Fusion Centers] [EPIC's Page on Fusion Centers]
The Federal Bureau of Investigation is developing a
computer-profiling system that would enable investigators to target possible
terror suspects, according to a Justice Department report submitted to Congress
last week. The System to Assess Risk, or STAR, assigns risk scores to possible
suspects based on a variety of information, similar to the way a credit bureau
assigns a rating based on a consumer’s spending behavior and debt. The program
focuses on foreign suspects but also includes data about some U.S. residents. A
prototype is expected to be tested this year. [Source]
A new bill introduced in the Senate today by Sens.
Patrick Leahy (D-Vt.) and Edward Kennedy (D-Mass.) would place stringent
restrictions on disclosures of personal health information and clear up at
least some of the confusion surrounding federal privacy rules. If passed, the
new bill would not supplant the Health Insurance Portability and Accountability
Act of 1996 but would require the Health and Human Services Department to
revise HIPAA rules, according to a six-page summary the senators issued. “In
America today, if you have a health record, you have a health privacy problem,”
Leahy said in a statement. He heads the Senate Judiciary Committee, which is
expected to consider the bill. [Source]
A House of Representatives panel this week approved a
bill that backers say will help fix the problem of Social Security number
misuse and identity theft. By a vote of
41 to 0, the House Ways and Means Committee voted for a 56-page
bill that the panel’s chairman, New York Democrat Michael McNulty, said would
“stop giving access to our Social Security number to every Tom, Dick or Harry
who seeks it.” The bill, called the Social
Security Number Privacy and Identity Theft Protection Act, was introduced
earlier this week. [Source] [Source]
A group of privacy, civil liberties and
labor advocates is asking the FTC to investigate alleged violations of the
Fair Credit Reporting Act (FCRA) related to the dismissal of about 100 railroad
workers after their employers conducted background checks. The complaint
alleges several violations of the law, including failure to notify the
employees that they were under investigation, according to this Washington Post
story. The groups say FCRA requires “clear and conspicuous” disclosure to
employees. The background checks were conducted at the recommendation of the
Department of Homeland Security and the Transportation Department. [Source]
--------