Privacy News Highlights
01–07 June 2007
Contents:
WW – Iris Recognition Study 2006 (IRIS06) Draft Final Report Released
WW – G8 Gives Green Light for Global Biometric Database
UK – Call for Controls on School Fingerprinting
CA – B.C. Privacy Chief Probes Company's Tenant Screening List
CA – Justice Minister Plans to Table Identity Theft Bill
CA – Parliamentary Inquiry Told Of No-Fly List Danger
US – Carnegie Mellon Study: Shoppers Will Pay Extra for Privacy
UK – Survey: 60% of Companies Failing to Encrypt Sensitive Data on Mobile Devices
HK – Hong Kong Anti-Spam Law Criticized as Ineffective
US – State CIOs Release Digital Record Preservation Study
EC Outlines EU-Wide Cybercrime Measures, Anti-Identity Theft Proposal Is Due in 2008
EU – French Privacy Officials Warn Hotels, Other Firms on Financial Records Retention
US – AmEx Sends Notices of Proposed Settlement in California Privacy Class Action
UK – 40% of Large Organisations Don’t Watch Databases for Suspicious Activity
EU – CNIL Eases Money Laundering Regulation for Data Transfers of Financial Services
EU – CNIL Fines Bank for Privacy Violation in Reporting Outdated ‘Bad Credit’ Clients
UK – DNA Kits to Trace Spitting UK Passengers
EU – French Data Privacy Authority Approves Electronic Pharmacy Database Experiment
EU – Drug Makers Finance Nurses for U.K. Doctors
EU – Lost CD-ROM Contains Personal Details for 62,000 Bank Customers
WW – IDM Vendors Seek Unity on Identity Protocols: Concordia Project
WW – iTunes Music Files Contain Personal Information
WW – Google 'Street View' Sparks Privacy Concerns
UK – European MPs Demand Controls on Euro Police Databases
WW – Group Rips Microsoft Over Internet User Profiling Research
JP – Japan Parliament Limits Access to Resident Registry
WW – Best Buy Must Prove RFID Benefits to Consumers, Says CIO
US – USDA Releases RFID Animal-Tracking Project Report
CA – Canada’s First Masters in IT Security Graduate
US – Survey: Unofficial Work at Home is Data Security Risk
AU – Australia Access Card Put on Backburner
US – Immigration Services Shops for Full-Service ID Card Vendor
US – Alliance: NIST Smart Card Evaluations Insufficient
CA – Unsecured Wireless Video Surveillance at Methadone Clinic Sparks Health Order
UK – Police Want Licence-Plate Chips Linked to ANPR
UK – Public Supports Use of CCTV
US – FCC Seeks Tougher E-911 Rules, Adopts Notice of Proposed Rulemaking
US – Government Security No Better One Year After VA Data Breach
US – OMB Issues New Data Security Rules
US – House Approves Second, Stricter Anti-Spyware Bill
US – California Considers New Data Security and Breach Notification Law
US – New Hampshire, Maine Laws Ban Real ID
EU – Portugal Bans Collection of Data to Identify Workers as Being on Strike
Authenti-Corp has announced the release of the Iris Recognition Study 2006 (IRIS06) draft final report for public review. The study was sponsored by the US National Institute of Justice and the US Department of Homeland Security. The draft final report documents the standards-based evaluation of online, offline, and off-axis performance for three commercially-available iris recognition products. The salient results of the detailed 168-page report are summarized in the 3-page Executive Summary. IRIS06 results indicate that the current crop of commercial iris recognition products can recognize cooperative and uncooperative individuals rapidly, reliably, and interchangeably in a variety of criminal justice and border control applications. The IRIS06 report can be downloaded in Microsoft Word and PDF formats at www.authenti-corp.com/iris06/report/. Comments on the draft report are solicited and will be accepted through 31 July 2007 after which the report will be finalized. [MS Word format] [PDF format]
G8 Justice and Interior Ministers this week endorsed a
range of vital policing tools proposed by Interpol Secretary General Ronald K.
Noble aimed at enhancing global security. “The absence of a global protocol on
sharing vital information such as fingerprints and photographs of escaped
prisoners, including terrorists, constitutes a serious threat to the safety and
security of citizens worldwide,” said Noble, who sought G8 support for the
creation of an international missing persons and unidentified bodies database.
Hosted by Interpol, this centralised database would enable police around the
world to maintain and access information on unidentified persons and bodies on
a day-to-day and long-term basis. Mr. Noble also provided an update on the
International Child Sexual Exploitation (ICSE) image database being developed
by Interpol at the G8’s request. Endorsed by the G8 in 2005, the creation of
the ICSE image database at the General Secretariat in Lyon will assist national
investigators across the globe to identify and potentially rescue victims of
child sexual abuse whose images have been posted on the Internet or retrieved
from seized computers. Interpol has progressed with the initiative and a pilot
project with three G8 countries, Canada, Germany and the United Kingdom,
will be launched by the end of 2007. [Source]
The UK government was criticized this week for not
setting clear guidelines for fingerprinting pupils after figures showed that
nearly 300 schools in England were using some form of biometric system. A
survey of local education authorities, conducted by the Liberal Democrats,
found at least 285 schools were now fingerprinting their pupils for
registration, using the library or buying school meals. The Lib Dems claim that
only a quarter of LEAs had details about the use of fingerprinting in their
schools and the government has no idea how many children were having their
details stored. [Source]
British Columbia's privacy commissioner has opened an
investigation in response to a Globe and Mail story that raised questions about
a company's registry of problematic tenants. The company's president said the
firm complies with B.C.'s privacy laws as well as other laws in Canada and
the U.S. [Source]
Rob Nicholson, Canada’s Justice Minister, said he
plans to table a federal bill that would update Canadian law to make identity
theft a crime in Canada. Currently, there is no federal law that makes it a
crime to possess someone else’s information. Nicholson said one of the main
reasons he plans to file the bill is to better protect seniors, who often fall
prey to scams. The House of Commons finance committee and Privacy Commissioner
Jennifer Stoddart also have called for such a change. [Source]
The fact Canada's new no-fly list will be shared with
airlines and possibly other countries presents a real danger for people on the
list or those who are victims of mistaken identity, the Air India inquiry heard
this week. "We have to take tremendous care when we are talking about mere
probability," David Lyon, director of the surveillance project and
research chair in sociology at Queen's University, told the inquiry. Canada's
new no-fly list takes effect June 18 and anyone named will be prevented from
boarding any domestic or foreign airlines because of the apparent terrorist
threat they pose. Lyon said Maher Arar stands out as a beacon as to what
happens when "flimsy" information is shared. [Source] See also: [No-fly list could end up in foreign hands, Air India probe is told], [Kids who fly in Canada will need government ID], [Passenger profiling likely to prove controversial, expert tells inquiry], [Controversial body scanner could arrive this year, inquiry hears] and [Canadian airports to test controversial full body scan]
Privacy costs extra - and online shoppers are willing
to pay a premium to protect their personal information, a new study by Carnegie
Mellon University finds. Study participants who were asked to go on the Web to
purchase two items – a package of batteries and a vibrating sex toy - were more
likely to buy from sellers with good privacy policies. On average, they were willing
to pay about 60 cents extra on a $15 purchase when they were satisfied with the
seller's privacy policy. Previous studies have found that people willingly give
up private information in return for lower prices, but Carnegie Mellon
researchers hypothesized that shoppers care about privacy but simply don't know
where to get information on a Web site's policies. The study findings will be
presented Friday at the Workshop on the Economics of Information Security at
Carnegie Mellon. [Source][Privacy Finder Search engine]
A recent survey conducted by Sybase iAnywhere shows
that the majority of companies are still failing to encrypt company-sensitive
information on mobile devices. 60% of IT professionals surveyed had sensitive
business information, such as emails and passwords, stored on their mobile
devices. Results from the same survey last year indicated that 62% of companies
encrypted this mobile device data, but this number had slipped to just 45% in
this year's results. Only 22% of respondents were lucky enough to get their device
back after it was lost or stolen, compared to 49% last year. Additional survey
questions this year asked respondents if their company offered security
training and support to employees using mobile devices - only 47% said yes. Overall,
a massive 76% of respondents are relied on to undertake at least one security
task for their mobile device themselves. These figures indicate that
organisations are still placing a large burden of responsibility for security
in the hands of their users, and not automating the processes. [Source]
See also: [Six Laws of Mobile Security] and [VA limits use of portable data]
The Standard reports that Hong Kong’s new anti-spam
law might do little to curb unwanted e-mails. Under the law that took effect
June 1, people in Hong Kong may be fined HK$1 million and jailed for five years
for sending unsolicited messages if they obtained the e-mail addresses through
“unscrupulous” means, such as address-generating software. Offshore spammers
may be prosecuted if they use Hong Kong-based computers. The law also applies
to phone calls. [Source] [Source] [Source] [Source]
The National Association of State Chief Information
Officers (NASCIO) May 30 released the first of a three-part series on records
management and digital preservation. “State governments create, receive,
transmit and store electronic information at an alarming rate,” the report
said, and proactive management of that information is necessary to retain
information that can become an asset and purge information that can become a
liability. This first report in the series provided a general overview of state
digital records management, including privacy and identity management concerns.
The second and third releases in the series will include discussion of
off-shoring of data and the economics, legalities, technology and organization
of digital records preservation, NASCIO said. [NASCIO report: “Electronic Records Management and Digital Preservation: Protecting the Knowledge Assets of the State Government Enterprise PART I: Background, Principles and Action for State CIOs”] See also: [Six Steps to Data Governance Success]
On May 22, the European Commission outlined a range of
anti-cyber crime measures that include stepped up cross-border law enforcement
and new legislation. While the EU has limited legal competence when it comes to
criminal law, Information, Freedom and Security Commissioner Franco Frattini
said the Commission was due to propose EU-wide legislation against identity
theft in 2008. Other specifics outlined in a Commission strategy paper called
for the following:
- improved European law enforcement cooperation, including reinforcing the structures for operational law enforcement cooperation;
- increased European public-private cooperation, starting with a major conference in November of 2007 to consider how cooperation can be strengthened;
- international cooperation that builds on initiatives such as the Council of Europe treaty against cybercrime and the Group of Eight Roma-Lyon High-Tech Crime Group; and
- EU legislation in 2008 that would make identity theft a crime throughout the EU.
The French Data Protection Authority (CNIL) May 29
warned hotel operators and other private sector firms against excessive
collection and long-term storage of client financial information, notably
credit card numbers. The CNIL warning came after a recent spot inspection at a
French hotel chain uncovered evidence that management was not adhering to
guidelines on conservation and protection of client banking data. [The CNIL decision (in French)]
American Express has started sending announcements to
California customers of a $6 million proposed settlement in a class action
alleging cardholders’ privacy was violated when American Express Travel Related
Services and American Express Centurion Bank improperly disclosed customer information
for marketing purposes to third parties and affiliates. Under the proposed
settlement, American Express will pay $3.9 million into a fund that will be
distributed among nonprofits and universities. Up to $500,000 in administration
fees and $7,500 in incentive fees to two named plaintiffs will be deducted from
the settlement fund before it is distributed to the nonprofits and
universities. The ACLU, Southern California Chapter; Samuelson Law, Technology,
and Public Policy Clinic at University of California, Berkeley, Boalt Hall
School of Law; Harvard Law School’s Berkman Center for Internet and Society;
and Privacy Rights Clearinghouse each will receive 20% of the remaining
settlement fund total. The California Public Interest Research Group and the Rose
Foundation for Communities and the Environment each will receive 10% of the
fund. “The organizations will use the funds to promote and preserve the privacy
rights of California consumers and residents, among others,’’ the notice said.
In addition, the settlement provides $2.1 million in attorneys’ fees. American
Express also will post an informational brochure regarding consumer privacy
rights online at www.consumerprivacytoolkit.com for a one-year period, which
will start once the settlement receives final approval from the court. The
74-page stipulation of settlement is available at http://op.bna.com/pl.nsf/r?Open=dapn-73jjz4
The Ponemon Institute conducted a survey of 649 IT
professionals about data security challenges. Sponsored by Application
Security, the study found that 40% of those companies do not monitor their
systems for suspicious activity, and that 57% of IT professionals said their
organizations lack adequate safeguards to fend off insider attacks. Overall,
the survey found that 55% of respondents say their organizations are falling
short when it comes to protecting against data loss. The IT professionals said
they are trying to balance the need to protect data from external and internal
threats while simultaneously granting greater access to the data to fulfill
business priorities. The survey reveals that:
- 40% said their organizations don’t monitor their databases for suspicious activity, or don’t know if such monitoring occurs. Notably, more than half of these organizations have 500 or more databases – and the number of databases is growing.
- “Trusted” insiders’ ability to compromise critical data was cited as the most serious concern – with 57% perceiving inadequate protection against malicious insiders and 55% for “data loss” by internal entities.
- 78% believe that databases are either critical or important to their business. Customer data represents the most common data type contained within these databases.
- Customer/consumer and employee data ranks 3rd and 4th respectively in regard to organizations’ prioritization of what must be protected.
[Source] [Survey: IT Professionals Struggle With Competing Priorities] [Study - Database security needs work]
The French Data Protection Authority (CNIL) May 28
announced a modification of data transfer rules that will allow greater
cross-border cooperation between financial sector firms in the fight against
money laundering and the financing of terrorism. The CNIL decision
(Deliberation No. 2007-060, 4/24/07) will allow designated personnel within
French financial sector firms to freely share information on suspicious
transactions—including personal and financial data on participants—with
similarly designated employees in other divisions or subsidiary operations,
including those outside France. Financial data will only be transferred to
non-European countries that have been certified by the European Commission as
meeting “adequate” standards for privacy protection, CNIL said. [CNIL summary of the decision (in French)]
The French Data Protection Authority (CNIL) announced
May 28 a €20,000 fine against French bank Crédit Agricole, after determining
that the company had ignored repeated requests to do away with bad credit
reporting systems that violate client privacy. The dispute dates to 2006, when
a Crédit Agricole client asked CNIL to investigate why her name had been
forwarded for inclusion in a “bad credit list” operated by the French Central
Bank (Banque de France). [CNIL decision]
Bus drivers are to be issued with DNA kits so that
passengers who spit on them can be traced by police. The "spit kits"
are already supplied at all 275 Tube stations and are expected to be rolled out
this summer across London's 7,000-strong bus fleet. It is the latest initiative
against anti-social behaviour on buses and has coincided with the Mayor's
introduction of free bus travel for under-16s. The DNA kits will allow drivers
to take swabs of saliva that can be passed to the police and checked against criminal
records. Transport for London says that about seven out of 10 samples provide
a match. [Source]
The French Data Protection Authority (CNIL) May 15
authorized a six-month pilot project that will allow selected pharmacies to
pool their clients’ drug purchase activity into a linked electronic database.
The project will allow operators of about 100 pharmacies in six of France’s 100
administrative districts to access a given client’s complete drug purchase
history over a preceding three-month period. Pharmacy industry leaders say the
e-registry will allow pharmacists to guard against distribution of incompatible
medications—responsible for 130,000 hospitalizations annually—while reducing
duplicate drug orders and other forms of unnecessary prescriptions. CNIL will
require pharmacists to win prior consent from clients before enrolling them in
the e-pharmacy project. [CNIL decision (in French)]
Drug companies are paying for nurses to study patient
charts to identify people with chronic illnesses. The nurses, who come from
nursing contractors, then recommend which patients should be called in for a
check-up and perhaps prescribed new treatment – sometimes a medicine made by the
company funding the nurses. The work is part of what the industry calls
“disease-management programs,” which the companies say improve care for people
with illnesses like diabetes, asthma or heart disease. The risk, however, is
that companies use the programs as a back door for marketing their pills. The
programs also raise concerns about patient privacy. [Source]
The Bank of Scotland is apologizing to 62,000 mortgage
customers for the loss of a CD-ROM that contained names, addresses, birth dates
and mortgage account numbers. However, the bank said that the risk of identity
theft was "almost impossible." [Source] [Data “Dysprotection” Weekend Roundup of Privacy Horror Stories in the news for Week Ending June 1]
Microsoft Corp. will participate in a meeting later this month with vendors and organizations that are backing several different identity management systems, an indication that cooperation between the software giant and its peers is improving. The meeting, part of an initiative called the Concordia Project, strives to improve interoperability between Microsoft's CardSpace and OpenID, two identity management systems, and protocols for identity management supported by an industry trade group, the Liberty Alliance, said Roger Sullivan, president of its management board. [Source] The Concordia Project, set up by the Liberty Alliance, hopes to release its first set of open standards by the end of the year. The meeting will take place on June 26 at Catalyst 2007, an enterprise IT conference in San Francisco, where the Identity Community will focus on the development of use cases and interoperability scenarios. Individuals and organizations interested in joining the public forum, submitting a use case or viewing use cases contributed to date can visit the Concordia Project wiki at http://www.projectconcordia.org [Concordia Project Advances Interoperability Among Digital Identity Management Solutions] [Liberty Alliance seeks common ground with Microsoft on ID]
Music tracks sold through iTunes have been found to
contain the buyer’s personal information. Names, account information, and email
addresses are embedded in the purchased tracks, both those with digital rights
management (DRM) protection and those without. Some have speculated that this
is a measure to fight piracy; if the tracks appear on a file sharing network,
they provide a simple way to find out who originally bought the music. [Source] See also: [iTunes Now Selling DRM-Free Music] and again [here] and [EFF: Should Apple Embed Your Name and Email in iTunes Songs?]
A street-level imagery feature of Google's mapping
service has sparked a web-wide search for people who have been unwittingly
photographed in the wrong place at the wrong time or just at an awkward moment.
But it has also raised concerns that by putting millions of these images on the
internet, Google is overstepping the mark and trampling on people's right to
privacy. Google Maps Street View is a feature on a free service that enables
users to call up photos taken on the streets that then can be panned 360
degrees, zoomed in and out and tilted up and down. Most of the shots capture
people engaged in innocuous activities. However, anyone in the world with an internet
connection can now pop up a photo of a woman exposing her G-string as she leans
over, or a man striding towards an adult bookshop. The feature is only available for parts of
San Francisco, New York, Las Vegas, Miami and Denver. A Google spokesman said
the company intends to provide StreetView imagery for regions throughout the
world, but would not specify when that would happen. [Source] [Source] [Australia Fed.P.Commish will look into Google View] [Google's Street View could be unlawful in Europe]
The Home Affairs Select Committee has advised
government to put its weight behind neglected European efforts to hold the
rapidly emerging system of police databases answerable to human rights
legislation. The committee's proposals, published this week in a report on EU
police and judicial co-operation, include a bar on agreements like the
controversial PNR (Passenger Name Records) and Swift data sharing arrangements
that the EU formed with the US in the name of the "war on terror". It
also recommends the government seek to restrain EU efforts to share data
between police forces by ensuring decent data protection laws are adhered to.
It noted how the EU (and largely the council) had been rushing ahead with plans
to link European police databases, while legislation designed to protect
citizens' fundamental rights against abuse from such powerful policing tools
had been left to flounder. [The Report] [Source] [UK Lords tell EU to tighten restrictions on use of PNR] [House of Lords steps into US-EU data spat] [Airline passenger data must be restricted, say Lords] [UK Gov't failing on privacy when sharing our data, say MPs] See also: [Privacy watchdog slams EU-wide sharing of police data] [EU proposal seeks greater data sharing between police forces] [EU on web-terror: Something must be done] [Europe votes to restrict police data sharing] [House of Lords Press Release (June 5th)]
The human-rights group Reporters Without Borders is
strongly criticizing Microsoft for developing user-profiling technology that
could be used by repressive governments to track dissidents. Algorithms could help governments finger critics, says Reporters Without Borders. [Source] [MSFT paper] See also: [Photo Tagging as a Privacy Problem? The Harvard Law Review, a journal for legal scholarship, recently published a short piece on the privacy implications of online photo-tagging (pdf)] and [Daniel Solove has written an essay, "Data Mining and the Security-Liberty Debate," for an upcoming symposium on surveillance for the U. Chicago Law Review]
The Japan House of Councilors has passed a bill to
amend the national Resident Registry Law to restrict access rights to personal
information that the government stores in the registry and increase penalties
for violations to ¥300,000. Under the current law, nearly anyone can obtain
copies of Resident Registry-stored personal information. As a result, there
have been numerous alleged cases of abuses of the system and privacy
violations. The new bill (Cabinet submission No. 69) limits unfettered access
to Resident Registry information to the person whose personal information is
stored in the system and their spouse, children and others who live with the person.
Certain third parties may still obtain access to the registry on a limited
basis for “legitimate reasons” to enforce third parties’ rights, such as
lawyers performing their legal duties and financial institutions seeking
information to recover debts. Under the bill, government offices that accept
applications for Resident Registry information must confirm the applicants’
identity with a driver’s license and other identity documents.
Retailers can benefit from RFID technology, but they
must first convince consumers that the technology won't lead to the misuse of
their personal information. In a keynote speech this week for retailers, Bob
Willett, CIO at Best Buy Co., called RFID the "single biggest
opportunity" for the chain of retail stores. At the same time, Willet
conceded that the industry must work to convince consumers that use of the
technology will not be expanded to gather and exploit their personal
information. "We have to do a better job explaining it's not a
nightmare," he said. He said that Best Buy is focused on using the
technology at the front end of the store rather than to improve the back-end
supply chain. Willett said that he has set a goal of using RFID technology to automate
the payment process and thus eliminate checkout lines. He did not disclose
specific plans, but he noted that he expects use of the technology to both
eliminate checkout bottlenecks and free up employees to provide better service
to customers. [Source]
The U.S.
Department of Agriculture (USDA) has released a final report on
16 RFID pilot projects related to the National Animal Identification System
(NAIS), which predominantly uses RFID technology. Overall, the report
concludes, the projects demonstrated "that animal identification and
tracing can be implemented successfully in a production environment." [Final Report]
Eight Canadian post-graduate students have received
what’s touted as the country’s first-ever Master’s Degree in Information
Technology Security (MITS). Offered by University of Ontario Institute of Technology
in Oshawa, Ont., the full-time Master’s program commenced in September
2005, and last week, the first batch of enrolees attended their graduation. [Source]
See also: [www.SecurityCartoon.com]
It's not federal teleworkers who are a security risk
so much as employees who unofficially work from home on nights or weekends.
According to a new survey, more than half of all non-teleworking employees
carry data files home and more than 40% log onto their agency's network from
home. What's more, unofficial teleworkers are much less likely to be
security-conscious than teleworking employees, according to the survey released
June 4 by Telework Exchange, a public-private partnership that supports
telework. But teleworkers also are a source of serious security gaps. 13% of
teleworkers are issued computers without data encryption software. That means
that the files and information on their laptops could be accessed if stolen. [Source]
The Australian federal Department of Human Services
has delayed the launch of its $1.1 billion welfare access card by up to 8
months following a series of legislative and procurement stumbles. The
department previously said it would begin registrations for the access card in April
and May next year, but has now conceded it will be late 2008 before it starts
signing up Australian residents. The delay is an embarrassing blow for the
high-profile project, which has already cost $41 million and has come under
fire from the opposition political parties and privacy groups. It also comes as
the Government prepares to introduce new draft access card legislation into
Parliament this month following a decision in March to abandon a first attempt
at passing card laws. [Source]
[Smartcard delay no surprise for privacy advocates; Laws to be re-introduced to parliament] [Govt taking 'easy way out' on smartcard] [Australia - Gary Nairn endorses a smartcard future] [Australia - Queensland drivers first to get smartcard]
The US Homeland Security Department is looking for a
contractor to process up to 28 million government identification cards a year
both for existing programs and for new ID cards such as in the proposed
Temporary Worker Program. In a special notice published this week, the
Citizenship and Immigration Services bureau said it wants industry ideas and
comments by June 20 relating to equipment, system integrations and services for
the ID cards. The agency is looking for a contractor to “personalize” existing
and new ID cards by adding the personal identification information to blank
cards. The immigration agency wants to replace its nine-year-old Integrated
Card Production System, which has grown obsolete, with a new system. The system
is used for Permanent Resident Cards (also known as Green Cards), Laser Visa
Border Crossing Cards and Employment Authorization Cards, the notice states. [Source]
See also: [Poland: new eCard services rolled out]
The National Institute of Standards and Technology
hasn’t sufficiently evaluated a set of technologies about to be used in border-crossing
identification cards, charges a smart card industry group. The group, the Smart
Card Alliance, believes that NIST certified the Generation 2 RFID card
architecture for the People Access Security Services (PASS) Card without using
“the appropriate standards and best practices relevant to human identity
applications,” wrote Smart Card Alliance Executive Director Randy Vanderhoof in
a May 17 letter to NIST Director William Jeffrey. Furthermore, the institute
did not properly evaluate whether the Gen2 RFID technology choice is
appropriate for the context in which it will be used in the PASS Card,
Vanderhoof contended. “NIST has, for the first time, endorsed a technology
without exploring its use in the context of the government mission and
presenting the pros and cons of that technology offering for that mission,”
Vanderhoof wrote. The alliance is asking NIST to revoke its certification and
start over by reviewing the proposed architecture’s compliance with
international standards for ID cards. The PASS Card is part of the Western
Hemisphere Travel Initiative and is intended for use by Americans, Mexicans and
Canadians who frequently cross the border. [Source] [Schneier commentary]
Ontario’s Information and Privacy Commissioner, Dr.
Ann Cavoukian, issued her fifth Health Order today following an investigation
she conducted after a video image of a woman providing a urine sample in a
washroom at a methadone clinic in Sudbury, Ontario, was inadvertently intercepted
by a wireless device in a car parked near the Clinic. The Commissioner is
urging all health care providers to immediately review any video surveillance
systems they are using. [Order]
[Fact Sheet – Wireless Communications Technologies: Video Surveillance Systems]
Police chiefs want a radical overhaul of the car
number-plate system - because so many vehicles are being 'cloned' by motorists
trying to beat speed cameras, the London congestion charge and other
road-pricing schemes. They want a clampdown on shops and internet sites selling
registration plates and new rules forcing motorists to fit tamper-proof plates
which shatter if removed. They are also calling for the plates to be fitted
with electronic chips linked to ANPR (automatic number-plate recognition)
systems so that a vehicle's identity can be confirmed against a computerised
national register. Superintendent John Wake, of the Vehicle Crime Intelligence
Service, said: "It's too easy to clone or steal car registration plates,
which in turn makes it easy to commit crime using an innocent person's
identity. It means innocent motorists have to prove they did not commit crimes
in which their vehicles were supposedly involved." More than 40,000 sets of
plates were stolen last year - a rise of almost 2%, according to police
estimates - and there are thought to be thousands of cloned cars on Britain's
roads. [Source]
Four million security cameras are trained on Britons,
but the public largely accepts the loss of personal privacy in exchange for
increased safety, according to surveys. Nearly two years after the London
terror bombings, Britain is moving toward giving the government more power and
methods to snoop on people's lives. Some critics are warning that these
erosions of personal privacy are taking place without the public's awareness of
the long-term consequences. [Source] See also:
[Toronto schools asked if they want surveillance cameras]
[Toronto District School Board fast-tracking CCTV]
[Survey: Norwegians could accept surveillance]
The FCC has proposed tougher E-911 rules, but rather
than adopt final rules for E-911 service, the commission adopted a notice of
proposed rulemaking that made several tentative conclusions. The E-911
rulemaking addresses both the wireless and the VoIP industries, taking into
account recent technological improvements. The commission’s rulemaking first
seeks comment on a proposal which would ensure that wireless carriers are
providing precise location information to emergency call centers. The E-911
proposal was one of three presented to the commission by its new Public Safety
and Homeland Security Bureau and was adopted unanimously. The commission urged
all parties to comment on its proposals. The proposal to strengthen E-911 rules
for VoIP providers has drawn concerns about surveillance or unwanted location
tracking from privacy advocates. [FCC Notice of Proposed Rulemaking]
One year after the theft of a laptop computer holding
personally identifiable information of 26.5 million US veterans and active duty
members, a study has found that data security in the federal government has not
improved. The study surveyed 258 federal employees. 41% of the respondents use
laptops for work. Of those, 48% said they received training following the theft
of the VA laptop; 16% of the respondents said their agencies did nothing in
reaction to the theft. According to the study, 58% of federal workers who are
not official telecommuters still work at home, many using their own, less
secure computers. 41% of those who are not official telecommuters log on to
government systems from home. [Source] [Source]
See also: [NIST updates Web server security guidelines]
The Office of Management and Budget (OMB) has issued
guidance on “safeguarding against and responding to the breach of personally
identifiable information.” However, it could take some time before any dramatic
changes are noticeable in how federal agencies handle personal
information. The 22-page memorandum came directly after the President’s Identity
Theft Task Force issued its recommendations in April. The report contained a
recommendation that federal agencies “decrease the unnecessary use of Social
Security numbers.” [Source]
The U.S. House of Representatives this week passed
legislation that would impose new requirements on software companies and
advertisers to protect computer users from spyware. House lawmakers approved an
anti-spyware bill that would require software distributors to clearly notify
and obtain consent from consumers before programs can be loaded onto a
computer. The bill passed by 368 to 48. [Source]
California state lawmakers are considering legislation
that would require any organization in the state that processes credit and
debit card transactions to comply with certain requirements regarding data
security and breach notification. Merchants would be barred from storing
authentication data, including card verification value and personal
identification numbers. Merchants would also be required to use strong
encryption when storing and transmitting card data. Organizations that
experience breaches would be required to reimburse financial institutions for
costs incurred, such as notifying customers of the breach and reissuing cards.
The bill would also allow financial institutions to provide more detailed
information about data security breaches, including what types of data were
compromised and where the breach occurred. The bill is presently in committee;
if it is approved, it will go before the full state assembly for a vote on June
8. From there, it would require state senate approval and the governor’s
signature before it becomes law. [Source]
See also: [Retailers Support National Data Security Standard But Urge Distinction in Types of Data Held]
and [Consumers Union: Key Issues on Financial Privacy and Identity Theft in Congress – 2007]
New Hampshire is joining a growing number of states in
passing legislation that rejects the federal government’s Real ID Act. The US
Congress passed Real ID in 2005. The Act requires that driver’s licenses and
other state-issued identification cards include a bar code and a digital
photograph. Citizens would need compliant cards to enter federal buildings and
nuclear power plants and board commercial aircraft. The US government
established a May 2008 deadline for compliance; it can be extended on a
case-by-case basis through December 2009. New Hampshire’s law calls Real ID
“contrary and repugnant” to both the state and US constitutions. The governor
plans to sign the bill into law soon. Among concerns cited are the cost of
implementing the new requirements and the potential violation of citizens’
privacy. [Source]
See also: [Maine Enacts Real ID Statute]
Portugal’s National Data Protection Commission (CNPD)
on May 28 ruled that employers may not use the personal data of individual
employees to identify them as striking workers, deeming it a form of
discrimination. In Decision 225/2007, CNPD ruled that while worker absenteeism
may be mapped as a whole, workers may not be individually identified as
strikers. While the decision itself came in direct response to complaints by
state workers, the agency recognized that the data protection concerns were of
immediate relevance to “a vast universe of workers.”
[Decision 225/2007 (in Portuguese)]
--------