Privacy News Highlights
15–28 June 2007
Contents:
EU – European Union Countries to Share DNA and
Fingerprint Evidence
UK – UK Proposes Global Foundation for Biometric Border
Checks
US – GAO Report: Prospects for Biometric US-VISIT Exit
Capability Remain Unclear
US – NIST Feasibility Study of Secure Biometric
Match-On-Card: Invitation to Participate
AU – Biometrics and Privacy Can Work Together in
Australia
WW – Keeping Data Secure With Biometrics
CA – Privacy Watchdogs Want No-Fly List Suspended
CA – Senate Amends Election Bill to Shield Voter Birth
Dates
WW – OECD: More Cross-Border Co-operation Needed in
Enforcement of Privacy Laws
CA – Ontario Group Challenges Adoption Privacy Laws
US – Data Breaches Could Take a Toll on E-Commerce:
Ponemon Study
US – Organizations Falling Short When It Comes to
Reducing Risks of Data Loss
CA – Eye-Tracking Device Developed for Billboards,
Screens
UK – The Future of the Internet - Survey Reveals Nation’s
Wish List for Online Services
US – White House Aides’ E-Mail Records Gone
CA – Ontario Trails in Electronic Health Record System:
Cavoukian
EU – EU Widens Privacy Probe to All Internet Search
Engines
EU – Half of Europeans Show Support for ID Cards: Study
EU – Art 29 WP Adopt a 26-Page Opinion on Concept of
Personal Data
CA – Survey Reveals ID Theft on the Rise in Canada, Costs
Canadians $16.3 Million
US – The Known and Unknown Costs of a Security Breach
CA – Ontario Tories Seek Confidentiality for Lottery
Winners
RU – Russians say Quicken Backdoor Could Give Feds Access
to Finance Data
EU – EU-US Reach pact on Retention of SWIFT data: Five
years
EU – Customers Must Be Told of US Bank Transaction
Monitoring, Say Privacy Chiefs
CA – Ontario's Watchdog Slams Government Organizations
UK – MPs slam Government FOI proposals
US – CIA Releases Documents Detailing Illegal Activities
from 1950s to 1970s
UK – Over 100 Children Under 10 Now Logged on National
Police DNA Database
US – GAO: Comprehensive Privacy Approach Needed for
National Strategy on Health IT
US – New Privacy Policy in the Works for Government
Health IT Efforts
US – Stolen Ohio Data Storage Device Held Taxpayer
Information Too
US – U.S. Officials Delay Passport Requirement
UK – ID Cards a “Public Good,” Says UK Government
CA – Workers to Carry New IDs on Canadian Docks
WW – Google Chief Executive Talks Privacy and Trust
WW – Information Card Icon Unveiled
CA – Information Campaign on Internet Security and
Personal Information Protection
WW – Facebook Private Profiles Not As Private As You
Think They Are
US – Federal Defamation Lawsuit to Test Online Anonymity
EU – Swedes Worry About Online Privacy Issues
US – Court Protects Email from Secret Government Searches
US – Travelers Deserve Court Protection from Baseless
Laptop Searches: EFF
US – Raising Privacy Alarm Over RFID Chips in California
AU – Australian Prison Trial: RFID Tags & Integrated
CCTV
WW – Trusted Computing Group Announces Draft Spec for
Accessing Sensitive Data
US – Survey: Many Merchants Fail to Implement PCI DSS by
Initial Deadline
AU – Australia Govt Toughens Access Card Privacy
Protections
EU – Nordic Bank to Distribute Smart Card Readers for Web
Banking, E-Government
US – EU and U.S. Reach Tentative Deal On Passenger Data
US – DMA Issues Revised Guidelines for “Data Compilers”
US – ACLU to Hand Out Cameras to Monitor Police
US – Senate Committee Issues Subpoenas for Key NSA Spying
Docs
US – ACLU Skeptical of New FBI Privacy Guidelines
US – Airlines Think Fingerprinting Plan Won't Fly
US – New ID Theft Bill Heads to Oregon Gov's Desk
US – Arizona Divisive DNA Plan Nearly Law
US – Michigan Lawmakers Consider Bills to Protect
Off-Duty Workers
European Union countries have agreed to allow police
to share DNA and fingerprint data across national borders. The aim of the
agreement, sealed by EU interior ministers meeting in Luxembourg, is also
"to introduce procedures for promoting fast, efficient and inexpensive
means of data exchange". Aside from biometric data, police will also be
able to share vehicle registration information, all via a contact point in each
country. Police in different EU states will be able to set up joint,
cross-border operations. States will have three years to make their databases
available. [Source]
[Police will share data across
Europe against privacy chief's advice]
The UK has proposed a transatlantic arrangement for
sharing biometric data about travellers as US coalition countries in the
"war on terror" push for a global system to control migration. The
initiative officially lays the first brick in a concerted effort to establish a
common border. Launching the UK's borders and immigration strategy in
Washington this week, Home Secretary John Reid said the UK and US should
"routinely share information about travellers of interest", as well
as people caught with fake passports, or those trying to side-step immigration
controls. The UK Borders and Immigration Agency's Strategy to build stronger
international alliances to manage migration, published
today, proposes establishing the international legal basis to share
biometric immigration data. It said the UK would "rapidly" bring
forward plans to use other technologies to pick undesirables out of queues at
UK borders. It proposed "voice analysis" as one example. New
technologies would be used for the "scientific and technical
identification of nationality" and to "fix people's identities".
[Source]
[Strategy
Document] [EU,
U.S. Reach Deal on Passenger Data] [U.S.
to Fingerprint E.U. Visitors]
The U.S. Government Accounting Office (GAO) has
released a study on the Department of Homeland Security (DHS) U.S. Visitor and
Immigrant Status Indicator Technology (US-VISIT) program. After investing about
$1.3 billion over 4 years, DHS has delivered essentially one-half of US-VISIT,
meaning that biometrically enabled entry capabilities are operating at almost
300 air, sea, and land ports of entry (POEs) but comparable exit capabilities are not. During
this time, GAO has continued to cite weaknesses in how DHS is managing US-VISIT
in general, and the exit side of US-VISIT in particular, and has made numerous
recommendations aimed at better ensuring that the program delivers clearly
defined and adequately justified capabilities and benefits on time and within
budget. The prospects for successfully delivering an operational exit solution
are as uncertain today as they were 4 years ago. The department's latest
available documentation indicates that little has changed in how DHS is
approaching its definition and justification of future US-VISIT exit efforts. [Source]
and [Mocny sets 2008
deadline for biometric exit program]
The National Institute of Standards and Technology
(NIST) will conduct a feasibility study of Secure Biometric Match-On-Card
(SBMOC) technology, and invites providers of such technology to submit devices
to be tested. The goal of the feasibility study is to determine if the
state-of-the-practice in smart card products and biometrics technology has
advanced to enable a new mode of operation. To implement this mode, certain
functional and security properties must be achieved by the SBMOC technology
while meeting performance requirements for a biometric authentication
transaction. Complete technical requirements are presented in the Test Approach
document. [Source]
Privacy has had a rare victory in one of Australia's
most successful public biometric rollouts, by health insurer Australian Health
Management, which has registered more than 13,000 members to its voice
verification platform since last December. The system was deployed last
December to strengthen user authentication at the company's call centre, which
receives some 420,000 calls each year through its main telephone number, and to
reduce fraudulent access to customer data. [Source]
Apricorn Inc. has released a new portable biometric
hard drive that accesses encrypted data after validating a fingerprint. Swiping
your finger over a fingerprint reader provides access to encrypted data on the
hard drive. Software that comes with the drive registers three fingerprints,
and any finger can be swiped to access data on the drive. Apricorn’s strong
128-bit authentication prevents theft of sensitive data, according to the
company. [Source]
See also: [DocuSign
& BioPassword Combine Electronic Signing and Strong Authentication] and
[Encryption and
Biometric Technology Partnership Breeds New Generation of Secure External Data
Storage Products]
Federal, provincial and territorial privacy guardians
have called for suspension of the Canadian government's new no-fly list until
it can be overhauled to ensure strong privacy protections for Canadians. The
information and privacy commissioners and ombudsmen issued a joint resolution
Thursday outlining reforms urgently required for Passenger Protect, the new
program designed to keep security threats off airplanes. "The Passenger Protect
Program involves the secretive use of personal information in a way that will
profoundly impact privacy and other related human rights such as freedom of
association and expression and the right to mobility," the privacy
officials, who are meeting in Fredericton, said in a joint statement. "We
are particularly troubled that Canadians will not have legally enforceable
rights of appeal, to independent adjudication or to compensation for
out-of-pocket expenses or other damages. Commissioners and ombudsmen are
unanimously of the view that the use of such lists in the interests of airline
security should only occur in a manner consistent with Canadian values in the
area of privacy protection." [Source] [Resolution of Canada’s
Privacy Commissioners and Privacy Enforcement Officials] [Fact Sheet: Passenger Protect Program] [Government
Not Ruling Out Using Biometric Data to Reinforce No-Fly List] See also: [Critics
Alarmed By Canada’s No-Fly List] and [Canadian
Government reiterates its commitment to passenger protect] [Alberta’s Frank Work
Headed To Re-Appointment]
The Senate added a last-minute wrinkle as the Commons
rushed legislation through this week in advance of a summer recess, amending a
government electoral bill that proposed to give political parties access to the
birth dates of every registered federal voter in Canada. The amendment may be a
blessing in disguise for the Conservatives after witnesses and senators from
both sides condemned the provision as a violation of privacy rights that could
increase identity theft. The Senate returned Bill C-31 to the Commons with
several amendments late Thursday, after MPs wrapped up an emergency debate over
contaminated river water entering Manitoba from the U.S. and sped several
bills. [Source]
[Privacy
Commissioner Welcomes Steps to Safeguard Voter Privacy]
OECD governments have agreed on a new framework for
co-operation in the enforcement of privacy laws. The initiative is motivated by
a recognition that changes in the character and volume of cross-border data
flows have elevated privacy risks for individuals and highlighted the need for
better co-operation among the authorities charged with providing them
protection. Embodied in the new OECD Recommendation on
Cross-Border Co-operation in the Enforcement of Laws Protecting Privacy,
the framework reflects a commitment by governments to improve their domestic
frameworks for privacy law enforcement to better enable their authorities to
co-operate with foreign authorities, as well as to provide mutual assistance to
one another in the enforcement of privacy laws. The Recommendation was
developed by the OECD Committee for Information, Computer and Communications
Policy (ICCP), through its Working Party on Information Security and Privacy
(WPISP). The work, conducted in close cooperation with privacy enforcement
authorities, was led by Jennifer Stoddart, Privacy Commissioner of Canada.
Initiatives to implement the Recommendation are already underway. The OECD has
developed two model forms to facilitate privacy law enforcement co-operation.
The first is a form to
assist in the creation of a list of contact points in each country to
co-ordinate requests for assistance. The second is a form for use by an
authority in requesting assistance to help ensure that key items of information
are included in the request. [Source]
[OECD Recommendations]
[Further materials] [Coverage]
Allowing birth parents and adopted children to freely
access information about one another amounts to an unconstitutional invasion of
privacy, according to a Charter of Rights challenge argued in the Superior
Court of Ontario. A group of four litigants contend that the last thing in the
world many individuals want is to suddenly be contacted by a birth parent or
the child they gave up for adoption. “Their identifying information may now be
disclosed to arguably the person they would least want to have access to it,”
says a legal brief prepared by Toronto lawyers Clayton Ruby and Caroline
Wawzonek. The challenge maintains that Ontario’s
Adoption Information Disclosure Act, which allows birth parents and
adoptees to access information about one another, breaches their right to life,
liberty and security of the person. The four litigants argue that the law
retroactively reverses the situation for Canadians who gave up their child for
adoption or who were themselves adopted in years past. [Source]
[Ont. Judge: More
Than Privacy Argument Needed]
Faced with security breaches and personal data
hemorrhages from retailers and a variety of educational and medical facilities,
consumers are now becoming more skittish about the potential dangers of
e-commerce. That was one of the findings of a new survey on consumer privacy
conducted by the Ponemon Institute and Vontu. One of the most sobering survey
statistics was that a whopping 62% of the participants had been notified by an
organization holding their private data that some of their information had been
breached. In addition, 84% of that group felt “anxiety” over the data loss,
according to the Ponemon Institute. The 5 categories of private data that
generated the most concern among consumers were medical records, pharmaceutical
history, credit card and debit card information, and SSNs. The majority of
respondents also said they’d be most concerned if it was a health care
provider, pharmacy or employer who lost their private information. [Source]
The Ponemon Institute has released a survey that found
that nearly half of IT and compliance professionals indicate that their
organizations are not doing enough to reduce the risks of a security breach.
The study, commissioned by Oracle, found that 45% of the more than 1,000
respondents said they didn’t believe that their organizations would be able to
notify users and customers in the event of a security breach. Both compliance
and IT professionals predict that the current inadequacies will worsen in the
next 12 to 18 months. [Source]
See also: [TECH//404 Data
Loss Cost Calculator] [Eight
Security Tips That Every CIO Should Know]
This week a Canadian startup company is testing
high-tech billboard technology that can detect when people are looking and when
they turn away. The test is in Kingston, Ont., where a 107-centimetre plasma
screen has been outfitted with an eye-tracking sensor and positioned in front of
a Tim Hortons restaurant at Queen’s University. The palm-sized device, called an
Eyebox2, works by eliciting the red-eye effect you get in flash photography.
Eyeballs aimed in its direction reflect light back to a camera, in effect
telling the device that someone is looking at it. But even though a camera is
part of the device, creators insist that no identifying information is
captured. The gadget only retains data concerning the number of people looking
and for how long. Still, the technology raised alarm bells for the Consumers’
Association of Canada, who questioned what guarantees the public would have
that the device would not compromise privacy. “It reeks of big brotherism,”
said a spokesman. “We’ve looked at these things in more extensive forms in the
past and we’ve always reacted in basically the same manner... they’re all
intrusive.” [Source]
Reporting crime and bad drivers, having job
interviews, calculating carbon emissions and truancy alerts for parents are
just some of the services that Britons long to have access to online, according
to research released 5th June 2007. The national study commissioned by public
services supersite asked people what one online service they want from the
internet in future. One in five over 50s most desire a guide to local services
for their age group, including transport, leisure, learning and health, while
one in six most want to stay in better touch with friends and family via
webcams and video conferencing. Planning for retirement, tracking pensions and
making money online also featured highly. [Source]
[http://datalibre.ca]
The U.S. House Oversight Committee said this week that
e-mail records are missing for 51 of the 88 White House officials who had
electronic message accounts with the Republican National Committee. The
committee’s Democratic chairman said the Bush administration may have committed
“extensive” violations of a law requiring that certain records be preserved,
adding that the panel will deepen its probe into the use of political e-mail
accounts. [Source]
Ontario is far behind other provinces when it comes to
implementing electronic health records and it’s a problem in need of immediate
action, says Ontario’s information and privacy commissioner. “We’re the largest
province, surely we should be able to figure this out and come up with an
action plan,” Ann Cavoukian said. According to Canada Health Infoway, the
widespread use of such records can reduce wait times, create fewer adverse drug
reactions and provide better prescribing practices. Still, the Ontario
government says it doesn’t know when residents can expect a full electronic
system that would give every person in the province a health record that all
authorized health-care workers can access. [Source]
See also: [Nova
Scotia - Electronic Patient Records Introduced in Ambulances] [New Brunswick - New
Medicare system will be key piece to e-health strategy]
An EU probe triggered by concerns over how long Google
stores user information has widened to include all Internet search engines. The
EU’s panel of national data protection officers said it is now concerned over
the retention of data that the companies use to deliver more relevant search
results and advertising. Some fear the data could be targeted by hackers and
governments. [Source]
According to a recent European study, most Europeans
support electronic and biometric identification methods, but indecision
remains. Over half of the 500 respondents said they would voluntarily join a
government biometric identity registration scheme, while 30% were undecided.
While 52% of those surveyed believe it should be legally compulsory to join
such schemes, 21% were undecided. Most of the Europeans surveyed also said they
would be happy to register their own biometric data, with 83% saying they would
willingly provide fingerprints and 66% willing to give a digital photo of their
eyes. According to the study, Europeans expect biometric ID cards will prevent
identity theft, make transactions with governments easier, and speed travel
across borders. However, the survey warns against ignoring the concerns of the
large number of undecided respondents. “A significant proportion of people
remain undecided and it now falls to both the biometrics industry and those
organisations that want to deploy the technology to reach out to these groups
and demonstrate the benefits biometrics and electronic identity technology can
bring.” Europeans are most concerned with loss of personal privacy and are
afraid the information taken might be used in ways not originally intended, the
study found. [Source]
[Survey:
More Than Half of 500 Respondents Would Volunteer Biometric Data To Registry]
See also: [German
Data Protection Commissioner Deplores “trend towards Big Brother state”]
The EU Art. 29 Working Party has conducted a deep
analysis of the concept of personal data. The outcome of this analysis of a
central element for the application and interpretation of data protection rules
is bound to have a profound impact on a number of important issues, and will be
particularly relevant for topics such as Identity Management in the context of
e-Government and e-Health, as well as in the RFID context. The objective of the
present opinion of the Working Party is to come to a common understanding of
the concept of personal data, the situations in which national data protection
legislation should be applied, and the way it should be applied. Working on a common
definition of the notion of personal data is tantamount to defining what falls inside
or outside the scope of data protection rules. A corollary of this work is to
provide guidance on the way national data protection rules should be applied to
certain categories of situations occurring Europe-wide, thus contributing to
the uniform application of such norms, which is a core function of the Article
29 Working Party. This document makes use of examples drawn from the national
practice of European DPAs to support and illustrate the analysis. Most examples
have only been edited for proper use in this context. [Opinion
4/2007 on the concept of personal data]
Telephone assistance company Sigma Assistel had an
identity theft survey carried out on its behalf. The survey found that nearly
one in 15 Canadians has been a victim of identity theft and nearly half of them
indicated they thought they would be an ID theft victim in the future. However,
the survey found Canadian consumers taking steps to protect themselves. The
survey indicated that 45% of them had bought a shredder, 30% had installed a home
alarm and 30% had rented a safety deposit box. 38% of the respondents said they
didn’t feel the need to take steps to prevent ID theft. 28% indicated they did
not know how to protect themselves or know enough about ID theft. 18% indicated
they did not think it was possible to prevent ID theft. The survey also found
that ID theft costs Canadians $16.3 million. [Source]
This piece looks at the TECH//404 Data Loss Cost
Calculator as a way to measure the costs of a security breach. The
calculator generates an average cost and a plus/minus 20% range, for expenses
related to internal investigation, notification/crisis management and
regulatory/compliance. A security risk that exposes 400,000 records costs in the
range of $5.3 million to $7.9 million, which does not include damages from
civil lawsuits. The author, Carl Weinschenk, says that while the calculator is
helpful, it is unable to measure the “greatest price of a security failure: the
cost to a company’s reputation.” [Source] [TECH//404 Data Loss Cost
Calculator]
Ontario Government Opposition MPP Bob Runciman called
on Ontario’s privacy commissioner to intervene to ensure that lottery winners
who wish to keep their identity secret can be allowed to do so. Runciman’s call
comes in the wake of news that a Quebec resident has been charged in an alleged
extortion plot involving the winners of a $27 million jackpot. The individual
arrested by Montreal police has been charged with, among other charges,
conspiracy to commit murder. “Privacy is a major concern in today’s world and I
have to wonder why lottery winners have fewer rights than others in society,”
asked Runciman. Runciman has asked Privacy Commissioner Ann Cavoukian to review
the privacy policies of Ontario Lottery & Gaming. [Source]
[Loto-Quebec
may allow privacy for jackpot winners]
A Moscow-based password-recovery vendor today accused
Intuit Inc. of hiding a backdoor in its popular Quicken personal finance
program that gives it – and perhaps government agencies – access to users’ data
files. Intuit called the charges baseless, and said that although there is a
way to unlock Quicken’s encrypted data, it’s only used by the company’s support
team to help customers who have forgotten their passwords. [Source]
See also: [EU,
U.S. reach preliminary deal on SWIFT data: EU]
Under a deal reached yesterday, U.S. Treasury
officials will be able to keep financial data collected in terrorism probes for
no more than five years, according to this AP story. The agreement must be
approved by 27 EU nations. The 2,000 banks and other shareholders that rely on
the Society for Worldwide Interbank Financial Telecommunication must inform
their customers by Sept. 1 that U.S. officials will have access to their data,
EU officials said. U.S. and EU officials also reached a provisional agreement
on airline passenger data sharing. [EU-U.S.
Reach Pact on Retention of SWIFT Data]
Privacy chiefs have given Europe's banks a September
deadline for alerting customers that their financial transactions could be
tracked by US security agencies. Customers must be warned that even
transactions within Europe could be monitored, they said. The new rules come
from the Article 29 Working Party, a committee of European data protection
officials, and it has said that banks must inform customers when there is a
danger that transactions could be monitored by authorities in the US. [Source] [EU,
U.S. reach preliminary deal on SWIFT data: EU]
Ontario Ombudsman Andre Marin had harsh words for
government organizations that he said are over-promising and under-delivering.
In Marin's second annual report released this week, he said that grandiose
promises made by these organizations have been revealed to be "puffery"
under close examination by his office. "Puffery is antithetical to open
and transparent government, corrosive of public trust and even harmful to
meaningful democracy," warned Marin. "It is therefore serious
business when government departments and agencies make promises they cannot or
will not keep, or attempt to paper over their failings with ostentatious
claims." The Ombudsman's 2006-2007 report examines investigations into
provincial organizations that did not deliver on their public commitments,
according to Marin. These organizations include: the Municipal Property
Assessment Corporation, the Family Responsibility Office, the Criminal Injuries
Compensation Board and the Ontario Lottery and Gaming Corporation. Though the
annual report has no title, Marin said he was tempted to call it The Year of
Overpromising and Underdelivering. Marin emphasized the need to "put the
'serve' back in public service through leadership and innovation." [Source]
[Annual
Report]
The UK Government's plans to limit requests under the
Freedom of Information (FOI) Act should be blocked, according to a
parliamentary committee. It also said that watchdog the Information
Commissioner's Office (ICO) should be better funded. The constitutional affairs
select committee said that government plans to limit FOI requests did not
adequately balance the costs and the public's rights to know about public
bodies. It said that the proposed limitations would not be transparent or
accountable to the public. [Source]
Hundreds of pages of decades-old documents
declassified and released by the CIA yesterday revealed a 1970s-era agency in
the throes of unaccustomed self-examination, caught between its traditional
secrecy and demands that it come clean on a history of unsavory activities.
Partly disclosed yesterday, the documents chronicle activities including
assassination plans, illegal wiretaps and hunts for spies at political
conventions. One document spoke of a plan to poison an African leader. Another
revealed that the CIA had offered a Mafia boss $150,000 to kill Cuba's Fidel
Castro. [Source]
[Source]
[NYT]
[NYT: Comparing
Today's Tactics With Those Used in the Past]
More than one hundred children under the age of 10
have their details stored on the UK DNA database. The figures show that 108
children under 10 are on the database, along with 883,888 people aged between
10 and 17, and 46 people more than 90 years old. One UK MP said: “The Government’s
onward march towards a surveillance state has now become a headlong rush. “As
an increasing number of very young children well under the age of criminal
responsibility appear on the database it is clear the Government sees no limits
to its invasion of our privacy. “Worse still, by harvesting the data of many
people who are not even charged with an offence, let alone convicted, the
fundamental principle that we are innocent until proven guilty is further
undermined. “Why should anyone be on this database if they are entirely
innocent of any wrongdoing?” [Source]
See also: [UK – 1/4
of Manchester teens in DNA Database]
The GAO report describes the steps HHS is taking to
ensure privacy protection as part of its national health IT strategy and
identifies challenges associated with protecting electronic health information
exchanged within a nationwide health information network. HHS and its Office of
the National Coordinator for Health IT have initiated actions to identify
solutions for protecting PHI through several contracts and with two health
information advisory committees. [Source]
[Source]
Robert Kolodner, who heads the Office of the National
Coordinator for Health Information Technology at the U.S. Department of Health
and Human Services, told the federal healthcare IT advisory group this week
that his staff is working on a framework of privacy principles. The staff has
prepared a list of privacy policy framework documents. A privacy subcommittee
of the National Committee on Vital and Health Statistics previously had created
a comprehensive list of privacy recommendations after holding six public
hearings, but that document was not included in the framework list. [Source]
[Lack of
Consensus on Privacy of Health Information] [Analysis:
Health IT’s Privacy Factor]
Last week, Ohio Governor Ted Strickland announced the
theft of a data storage device holding the personal information of all state
employees. This week, it has been confirmed that the device also contained the
personal information of Ohio state taxpayers. “While it is unlikely that
someone can access the data contained in the device without specialized knowledge
and equipment, we are proactively providing ID theft prevention and protection
services to the people of Ohio now impacted by this situation,” Strickland
said. “However, we have no information to date that the data has been
accessed.” [Source] [Ohio Hires
Security Expert to Review Likelihood of Using Stolen Identity Data]
Homeland Security Secretary Michael Chertoff said last
week that Canadians will not be required to show a passport when entering the
U.S. by car or boat until the summer of 2008. Under previous rules, Canadians
would have had to present a passport at land and sea border crossings by
January of 2008. The six-month reprieve is the most recent delay for the North
American border security plan. It comes as officials north and south of the
border struggle with a huge backlog in passport applications. Chertoff also
said that by the time passports become mandatory in the summer of 2008,
Canadians may be able to travel to the U.S. using another piece of ID
recognized on both sides of the border. [Source]
[Passport Delays
Suggest One More Reason to Ditch REAL ID] and [Tennessee
- 16th state to pass a resolution against Real ID] [National Anti-ID
Coalition Support GOP Ron Paul]
The controversial national identity scheme will be a
twenty-first century public good comparable to railways and the national grid,
a Home Office minister said this week. Increasing internet use, international
travel and databases of personal information bring benefits, but also risks
which require strong identity technology. “Unless we invest in identity systems
we leave our borders and our economy open to abuse, we leave individuals
defenceless against fraud and we risk leaving the benefits safety nets we’ve
worked so hard for, vulnerable to attack,” Byrne said in his speech. He said
the national identity scheme will become ubiquitous in everyday life in the
same way railways did in the 19th century and the national grid did last
century. The scheme, which includes e-passports and identity cards, is expected
to cost £5.3 billion over the next decade. [Source]
See also: [ID
Theft: U.S. Military Personnel Are Prime Targets] See also: [GAO Report
“SSNs: Federal Actions Could Further Decrease Availability in Public Records,
though Other Vulnerabilities Remain”]
Canada will begin issuing mandatory ID cards to port
workers and truck drivers at three Canadian ports in December, a Transport
Canada official announced. The security cards are being issued under the $115
million Marine Transportation Security Clearance program meant to protect
against terrorist threats. The workers will be vetted through background checks
before receiving the cards. In Phase I, the cards will be issued to workers in
ports in Montreal; Halifax, Nova Scotia; Vancouver, British Columbia; Fraser
River and North Fraser River, British Columbia; and the control centers of the
St. Lawrence Seaway Management Corp., by Dec. 15, 2007, said the director
general of maritime security. [Source]
Google chief executive Eric Schmidt said that his
company is “extremely sensitive” to the issue of privacy and if this meant that
users stopped trusting his company, it would have a problem. He also said that
user content would be critical to the success of future internet applications.
When it comes to privacy, Schmidt said that the trust of users had to be
constantly earned - that they could always easily migrate to a rival service.
“I’m extremely sensitive to this issue,” said Schmidt, “If people stop trusting
Google, then we have a problem. Everything is gated on this issue. Our rivals
are only one click away.” The issue of retaining data and operating globally
was repeatedly raised at the Q&A in Paris. [Source]
Other GOOGLE News: [Google
to Close German Email If Telco Law Passes] [Google Seeks U.S. Support
in Fighting Net Censorship Abroad] [U.S. General Laments Google
Earth Capability]
Microsoft’s Mike Jones has announced that there is now
a graphical icon freely available for people to use to indicate that
“Information Cards are accepted here”. This icon is intended to provide a
common visual cue that Information Cards can be used to provide information to
a site or program, similarly to how the RSS icon is used to indicate the
availability of syndicated content. The guidelines for the use of the icon, a
frequently asked questions document, a set of png images of the icon rendered
in a range of sizes, and the original artwork in Illustrator format are all available
together in a download package. Please consult the guidelines and the FAQ
before using the icon. [Source]
The ISIQ (Information Security Institute of Quebec),
in cooperation with the Ministère des Services gouvernementaux and 20 other
public and private partners, has launched an information campaign on Internet
Security and Personal Information Protection under the theme of “Identity
Theft”. The campaign’s objective is to increase understanding of Internet
security and foster the adoption of best practices when navigating on the
Internet to protect one’s identity and personal information. [Source]
See also: [Quebec:
Mobilisation nationale pour promouvoir la sécurité des renseignements
personnels] and [Users are more
aware of virus threats than Web threats]
Facebook users who set their profiles to private
aren't quite as hidden as they might think they are, according to a security
researcher, who discovered that Facebook's advanced search features reveal
people's names, pictures, religion and sexual orientation to people who don't
have permission to see their profile. [Source]
[Source]
[Teens
Report Harassment Online]
Two women have filed a defamation lawsuit that legal
experts say is a likely test of the anonymity of the Internet. The two women,
who were the subject of lewd comments and threats from posters on a college
discussion board, have included subpoenas for 28 anonymous users of the site.
Eugene Volokh, a law professor at the University of California, Los Angeles,
told a Reuters reporter that the posters “can’t hide behind anonymity while
they are saying scurrilous and menacing things.” [Source]
A Swedish Web site is publishing financial details for
free, but even in a society known for its openness, critics are suggesting that
the anonymous snooping has gone too far. The Swedish Data Protection Board has
pushed for changes, which now include a fee for obtaining information on
personal income and debt. Users also may no longer snoop anonymously. When a
person’s finances are obtained, the person is notified by mail and the
requestor is identified. [Source]
[New Zealand
Code of Conduct for the State Services]
The government must have a search warrant before it
can secretly seize and search emails stored by email service providers,
according to a landmark U.S. Court ruling this week which asserted that email
users have the same reasonable expectation of privacy in their stored email as
they do in their telephone calls – the first circuit court ever to make that
finding. Over the last 20 years, the government has routinely used the federal
Stored Communications Act (SCA) to secretly obtain stored email from email
service providers without a warrant. But today’s ruling – closely following the
reasoning in an amicus brief filed by the Electronic Frontier Foundation
(EFF) and other civil liberties groups – found that the SCA violates the Fourth
Amendment. ‘Email users expect that their Hotmail and Gmail inboxes are just as
private as their postal mail and their telephone calls,’ said EFF Staff
Attorney Kevin Bankston. ‘The government tried to get around this common-sense
conclusion, but the Constitution applies online as well as offline, as the
court correctly found. That means that the government can’t secretly seize your
emails without a warrant.’ [Source]
[Full
Ruling] [Privacy
advocates hail e-mail ruling]
The government should not search travelers’ computers
at border crossings without suspicion, said the Electronic Frontier Foundation
(EFF) and the Association of Corporate Travel Executives (ACTE) in an amicus
brief filed this week in a U.S. Court. Over the past several years, U.S.
customs agents have been searching and even seizing travelers’ laptops when
they are entering or leaving the country if the traveler fits a profile,
appears to be on a government watch list, or is chosen for a random inspection.
The Supreme Court has ruled that customs and border agents may perform
‘routine’ searches at the border without a warrant or even reasonable
suspicion, but EFF and ACTE argue that inspections of computers are far more
invasive than flipping through a briefcase. ‘Our laptop computers contain vast
amounts of personal information about our lives. You may do your banking on
your computer, for example, or send email to your doctor about health
concerns,’ said EFF Senior Staff Attorney Lee Tien. ‘Travelers should not be
subjected to unconstitutionally invasive searches of their laptops and other
electronic devices just because they are crossing the border.’ [Source] [Amicus
Brief] [Source]
[Coverage]
Attempting to prevent a potential clash between
privacy rights and the latest technological advances, a Palo Alto lawmaker is
trying to dissuade the state government, schools, and private businesses from
tracking people through the use of radio frequency identification devices such
as electronic cards and implanted devices. A legislative package of four measures
by Sen. Joe Simitian was introduced in an Assembly committee that would
prohibit an employer from implanting tiny ID chips in workers, block RFID
technology from being embedded in driver’s licenses, prohibit schools from
issuing ID cards to track student attendance, and make it a misdemeanour to
skim identification cards. [Source] [Source]
A new prison currently being built in Canberra is
planning to trial an RFID tracking program for its inmate population, despite
growing concerns it will infringe on inmates' civil rights. The Alexander
Maconochie Centre (AMC), which opens in August 2008, will employ real-time
prisoner tracking via an RFID chip worn around the wrist or ankle. It will be
the first prison in Australasia to use an RFID system at an estimated cost of
$1.2 million. A department spokesperson said the program will act as a pilot
for other Australian prisons. "It's been shown that RFID prisoner tracking
is conducive to good behaviour because inmates know they are being
watched." [Source]
The Trusted Computing Group (TCG) has announced a
draft specification aimed at helping prevent unauthorised access to sensitive data on
hard drives, flash drives, tape cartridges and optical disks. These devices
won’t release data unless the access request is validated by their own on-drive
security function. TCG is a not-for-profit industry-standards organisation with
the aim of enhancing the security of computers operating in disparate
platforms. Its draft, developed by more than 60 of the TCG’s 2175 member
companies, specifies an architecture which defines how accessing devices could
interact with storage devices to prevent unwanted access. Storage devices would
interact with a trusted element in host systems, generally a Trusted Platform
Module, which is embedded into most enterprise PCs. Final TCG specifications
will be published soon. [Source]
[10
companies contracted by GSA to protect data on gov't laptops]
RSA Security has conducted a study that found more
than half of merchants did not meet the initial June 2006 deadline to fully
implement the Payment Card Industry (PCI) Data Security Standard. The standard
requires all merchants that store, process or transmit customers’ credit card
data to put in place security safeguards that protect customer information. The
survey found that most of the large retailers are in compliance. However, just
19% of the smallest merchants are in compliance. The survey found that
achieving compliance takes a significant amount of time. Of the
merchants that have adopted the standard successfully, nearly half of them
indicated it took more than a year to adopt; 16 percent reported that it took
18 to 24 months; and 5% said it took more than two years. The survey indicated
that just 9% said it took less than six months. [Source]
[Should
Canada legislate PCI DSS?]
The Australian Federal Government says it has
toughened privacy protections in the latest draft of legislation to introduce
an access card for health and welfare services. The option to include medical
history and other personal information in the microchip has been scrapped, but
the Government still wants a photo and digital signature on the surface of the
card. The introduction of the card has been delayed, with the Government
overhauling the legislation after a Senate inquiry. Human Services Minister
Chris Ellison says many concerns raised during consultation with industry and
community groups have been addressed in the new legislation. [Source] [No signature,
no number for 'smartcard'] [Ellison
rejects Access agency]
Not all banks are shying away from smart card readers
that connect to their customers’ PCs. Sweden-based Nordea Bank intends to begin
distributing smart card readers to up to 1.1 million customers in the fall. The
new devices, which include PIN pads, will take over for a less-advanced reader
used by about 40,000 of the bank’s customers. Customers will be able to use the
readers to log onto Nordea’s Internet-banking site and, eventually, to access
governmental services over the Web. In addition, Swedish government agencies
are likely to develop Internet security standards that require citizens to use
a reader with a separate PIN pad to access government services over the
Internet. [Source]
PARIS: The European Union and the United States have
reached a tentative agreement that is expected to sharply reduce the amount of
information about trans-Atlantic air travelers that can be shared with the U.S.
authorities but will lengthen the time such information can be retained, EU
diplomats said Wednesday. [Source] [EU, U.S.
reach new anti-terror data sharing deals]
The Direct Marketing Association (DMA) has issued
revised guidelines for data compilers, defined as “any company that assembles
PII about consumers (with whom the compiler has no direct relationship) for the
purpose of facilitating the renting, selling, or exchanging of information to
non-affiliated third-party organizations for marketing purposes.” The DMA’s
executive committee approved the new guidelines this month. As a condition of
membership, all DMA members are expected to comply with the self-regulatory
guidelines. [Source]
[More
information on the new guidelines]
Police who work the Fairground neighborhood will soon
be under video surveillance by the people they serve, an activist group said
Wednesday. The American Civil Liberties Union of Eastern Missouri first
announced in December 2005 its intention to outfit residents to record city
officers. The program, Project Vigilant, has spent one and a half years in
development. Officials with the local ACLU chapter have said that city officers
often mistreat and target blacks and that it hopes cameras would deter police
abuse and smooth out police-neighborhood relations. [Source] See also: [Arizona - Privacy
Worries With 28-Mile Border Surveillance] See also: [Surveillance
Cams + AI = Abuse by authorities] [Network of
surveillance cameras proposed for Pittsburgh] [Tracking
and Video: Coming Soon to a NYC Taxi Near You] [Brampton City will be
installing Webcams downtown] [UK - National
CCTV strategy to tackle integration and data retention] and http://www.camerawatch.org.uk
Having voted to authorize subpoenas for information on
the NSA spying program last week, the Senate Judiciary Committee has now officially issued
them. 'Chairman Leahy issued subpoenas to the Department of Justice, the Office
of the White House, the Office of the Vice President and the National Security
Council for documents relating to the Committee’s inquiry into the warrantless
electronic surveillance program. The subpoenas seek documents related to
authorization and reauthorization of the program or programs; the legal
analysis or opinions about the surveillance; orders, decisions, or opinions of
the Foreign Intelligence Surveillance Court (FISC) concerning the surveillance;
agreements between the Executive Branch and telecommunications or other
companies regarding liability for assisting with or participating in the
surveillance; and documents concerning the shutting down of an investigation of
the Department of Justice’s Office of Professional Responsibility (OPR) relating
to the surveillance.' This is a critical step toward revealing the full extent
of the NSA's illegal spying and the role that telecommunications companies like
AT&T played in it. The deadline for the Administration to respond is July
18. [Source] [links to four
subpoenas] [US
– Lawyers Battle Over Phone Data Sharing Investigation]
The American Civil Liberties Union has expressed
skepticism that new FBI guidelines for use of National Security Letters (NSLs)
will be sufficient to protect the privacy of Americans. The FBI has reworked
their internal methods only because the Office of the Inspector General released a
report in March outlining egregious abuses of their NSL authority. To read more
about the ACLU's concerns with NSLs, go to: www.aclu.org/nsl [Source]
U.S. air carriers are fighting a federal proposal that
would require workers to digitally scan foreigners' fingerprints at check-in
areas before departure on international flights. Airline representatives, who
have spent years trying to streamline airport operations and encourage passengers
to use kiosks and print boarding passes at home, worry that collecting
fingerprints would create major snarls. "It creates a choke point in the
check-in process," said Jim May, president of the Air Transport
Association, a trade group that represents the major U.S. airlines. May and
other airline representatives have recently increased their lobbying on the
fingerprinting regulation, which the Department of Homeland Security is
expected to publish for public comment in the next few months. [Source]
A bill that creates a Class B felony of aggravated
identity theft and carries a stiffer penalty heads to Gov. Ted Kulongoski's
desk after lawmakers passed it earlier this week. Aggravated identity theft
would apply to perpetrators who commit ID theft 10 or more times in 180 days;
or run up more than $10,000 in a 180-day period; or commit ID theft and possess
10 or more personal identification documents from 10 or more different victims.
[Source]
Arizona State lawmakers voted this week to expand the
state's DNA database dramatically by requiring all people arrested for certain
crimes to provide DNA samples for state records whether they are convicted or
not. Conservative and liberal lawmakers alike raised alarms that the measure
would violate the civil liberties of people never convicted of a crime and set
a dangerous precedent for government collection of sensitive genetic
information. [Source]
[Gov. defends
stance on DNA database]
Four bills intended to protect workers’ privacy were
debated during a hearing earlier this week. Rep. Lee Gonzales, D-Flint, has
filed a bill that would prevent the firing of employees for off-duty behavior,
such as smoking or participation in political activities. The other bills House
members are considering are measures that would ban companies from using credit
history, physical appearance or family medical histories when hiring or firing
workers. [Source]
--------