Privacy News Highlights
14–20 September 2007
Contents:
CA – Calgary Shelter Eyes Fingerprint Scans, ID Cards for
Homeless
CA – Public Safety Minister Says Warrants Required for
Access to Internet User Data
CA – Privacy Commissioner of Canada Launches Blog
WW – Survey: Governments World-Wide Fail to Keep Track of
User Data
US – GAO Report: Veterans’ Data Remain at Risk
WW – Will Users Ever Smarten Up About Phishing?
US – Study Finds Electronic Health Records Vulnerable
WW – Dell to Offer Encryption Option on Business Latitude
Laptops
EU – Europe Claims UK Botched One Third of Data
Protection Directive
UK – Survey Reveals Ongoing Difficulty in Responding to
Data Protection Inquiries
WW – Explosion of Data Increases Security Vulnerabilities
WW – Survey: Severity of Security Breaches on the Rise
CA – Consumers Fail to Meet Banks’ Online Security
Demands: Study
UK – Eminent Lawyers and Scientists Call For DNA
Restrictions
CA – Ontario Court Strikes Down Law on Adoption
US – Drug Researchers Leak Secrets to Wall Street
US – Ameritrade Announces Hacking Incident that Exposes
Personal Information
US – Stolen Ohio Backup Tape Contains Details on Conn
Agencies’ Bank Accounts
CA – Canadian Privacy Commissioners Say Its OK To ID
Credit Card Users
CA – CIPPIC Releases Major Study on DRM and Privacy
WW – EPIC and PI Say Google Global Privacy Standard
“Weak”
UK – London's 10,000 Security Cameras Don't Help Reduce
Crime: Study
WW – Research: Social Network Users Will Trade Privacy
for Features: Study
WW – Rogue Nodes Turn TOR Anonymizer into Eavesdropper’s
Paradise
US – Senior DHS Privacy Official Defends U.S. Satellite
Surveillance Plan
JP – Japanese Media And Others Call For Changes To
Privacy Law
CH – China Privacy Law Due Next Year
US – Hawaii Schools Panel OKs Locker-Search Plan
US – News Regulations Mean Profs Can't Use Names of
Students
WW – Cybercriminals Becoming Increasingly Professional
UK – Survey: UK Businesses Take Key Risks Seriously
WW – Employees are Organisations’ Weakest Security and
Privacy Link: Study
WW – Experts: Data Loss Tops List of Concerns for
Security Groups
UK – UK Unveils ‘Smart-Card’ National Bus Pass for Older
& Disabled People
CA – New Interac Card Chip to Cut Fraud
US – US Spy Czar Urges Extension of Warrantless Wiretap
Law
US – Surveillance Law Must Protect Privacy and Security –
US Testimony
US – ALCU Surveillance Clock Introduced to Tick Down U.S.
Privacy
UK – Survey: Half of Britons say UK a Surveillance
Society
AU – Australian Spy Laws Will Allow Warrantless Mobile
Phone Tracking
US – Congressman Pursues Permanent Do Not Call List
US – U.S. Airport Screeners Are Watching What You Read
US – California to Add Card Controls and Liabilities to
Data Breach Law
A Calgary homeless shelter is considering a high-tech
security system that would require fingerprint scans and photo ID cards from
people looking for a warm, safe place to spend the night. A spokeswoman for the
city's Drop-In Centre said Thursday the shelter is pricing new security
measures that could include biometric technology, such as fingerprints. The
effort to ramp up security comes after a survey at the shelter showed more than
half of 284 users were concerned about their safety while there. [Source]
Public Safety Minister Stockwell Day said the
government would not introduce legislation forcing ISPs to give customer
information without a warrant. “We have not and we will not be proposing
legislation to grant police the power to get information from internet companies
without a warrant. That’s never been a proposal,” Day said last week. “It may
make some investigations more difficult, but our expectation is rights to our
privacy are such that we do not plan, nor will we have in place, something that
would allow the police to get that information.” Day’s announcement comes after
news organizations obtained copies of a consultation document from Public
Safety Canada and Industry Canada that was looking into ways law enforcement
and national security agencies could gain lawful access to personal information
from ISPs. The consultation, which was distributed to only a limited number of
stakeholders, called for submissions by Sept. 25. Privacy advocates, however,
expressed displeasure over both the content and the process of the
consultation. In response to the outcry, Public Safety Canada extended the
deadline for submissions to Oct. 12 and posted the consultation document on its
website. Day said that the original document sent to a select group of
stakeholders “never would have gone out if I had seen it” and that it “somehow
went out without my approval.” [Source]
[Public Safety Canada’s
announcement of a broader consultation around lawful access - specifically
regarding access to customer ID information] [Original
Consultation document] [Police
Chiefs Blast Day on Warrantless Search Nix] [Letter
from BC Privacy Commissioner] [Source]
[CBC Search Engine] [MP3 Podcast with Minister Day]
The Office of the Privacy Commissioner of Canada has
launched a new blog. The Office says it hopes “to make the activities of the
Office of the Privacy Commissioner more accessible to Canadians and to increase
contact between the Office and Canadians interested about privacy issues and
legislation.” The blog can be found at: http://blog.privcom.gc.ca
[Source]
Just three out of 10 public sector organisations have
an accurate account of the user data they store and what location or
jurisdiction this data is held at, according to the 5th
annual Global State of Information Security Survey (GSIS) 2007, a worldwide
study by CIO Magazine, CSO Magazine and PricewaterhouseCoopers. The survey,
which is the largest of its kind, was launched last week at the 2007 Info
Ireland conference and contains the results of questioning 7,200 IT, security
and business executives in 119 countries. The report further found that of the
public sector organisations worldwide who were questioned over 50% said that
there was a disconnect between their physical and information security
organisations with no policies to integrate them. These government specific
figures reveal an underlying trend observed by the report across all sectors:
although most organisations have IT security policies in place, they don’t
necessarily fit with the overall company policy. Many employees aren’t trained
on these policies, or the effectiveness of these security strategies is not
monitored. [Source]
[Source]
[GSIS
2007]
Veterans’ personal data and health information remain
at risk of identity theft because the Veterans Affairs Department has yet to
implement several safety measures, government investigators say. The report by
the GAO, released this week, comes more than one year after the VA pledged
renewed security efforts after the loss of personal information for 26.5
million veterans and active-duty personnel. It found that the VA had not yet fully
secured access to its computer network and department facilities nor worked to
ensure that only authorized changes and updates to VA computer programs were
made. Moreover, the VA has operated without a chief information security
officer since June 2006 to oversee changes and still lacks clear and adequate
procedures for quickly notifying veterans when their sensitive data is lost,
the report said. “Because these recommendations have not yet been implemented,
unnecessary risk exists that the personal information of veterans and others,
such as medical providers, will be exposed to data tampering, fraud and
inappropriate disclosure,” investigators said. “Until VA addresses
recommendations to resolve identified weaknesses, it will have limited
assurance that it can adequately protect its systems and information,” the GAO
said. [Source]
Phishing researchers will congregate at Carnegie
Mellon University Oct. 4-5 to debate whether users ever will get a clue about
the dangers of phishing, among other issues pertaining to online crime. Also on
the agenda of the second annual Anti-Phishing Working Group’s eCrime
Researchers Summit will be presentations and discussion about the security
threats posed by online multiplayer games. Also on the schedule will be a panel
discussion of the potential for phishing-oriented, political dirty tricks
online during the 2008 presidential election campaign season. As for whether
user education has an impact on reducing security breaches and phishing
attacks, the jury is out. [Source] [Paper] [Paper]
The results of a 15-month study accessing the time to
patch software associated with electronic health record (EHR) systems were
published this week by the eHealth Vulnerability Reporting Program. The program
is a collaboration of health care industry organizations, technology companies
and security professionals that is attempting to establish best practices
within the emerging field of electronic health records in the adoption and
reliance of eHealth systems, including electronic medical records (EMR),
picture archiving and communication system (PACS), and medical devices. The
39-page report focused mainly on how medical equipment providers currently disclose
vulnerabilities to customers, preventing hospitals and doctors from
appropriately managing risk, finding much room for improvement. The eHealth
Vulnerability Reporting Program would like to see eHealth vendors collaborate
with security software vendors to establish ethical testing and reporting,
along with better disclosure, vendor certification and more public education of
the problem. [Source] [39 Page Study] See also: [New MUN report on privacy
and EHRs] and [Inquiry
into the electronic patient record and its use - response from the British
Medical Association]
Dell has unveiled new security options for its
Latitude laptop computers which the PC maker claims makes them the “world’s
most secure laptops.” Dell claims its encryption is both faster and more secure
than software-only solutions. Administrators can securely manage encrypted
drives, set up and recover passwords, manage users and deploy pre-boot
authentication using the bundled software. It also enables IT departments to
quickly ascertain that all data on a lost or stolen laptop was safely
encrypted. [Source] See also: [Difficult-to-Hack Laptop
Software Introduced]
The UK’s Data Protection Act
does not implement European law properly, according to the European Commission
which is investigating problems in the UK’s implementation of 11 of the Data
Protection Directive’s articles. The articles of the directive which the
commission claims have not been implemented properly are articles 2, 3, 8, 10,
11, 12, 13, 22, 23, 25 and 28 –just under a third of the directive’s
34 articles. These articles relate to the:
Data Protection expert Dr Chris Pounder of Pinsent
Masons said the extent of the objections reflects official attitude towards
data protection policy. “All UK Governments involved in implementing the
Directive have had a policy of minimising the Data Protection Directive’s
effect,” he said. “The number of problems raised by the Commission seem to
indicate that the UK Government may have misjudged the situation and minimised
the effect of too many obligations.” Pounder continued: “Instead, there are
unexpected issues, for example, in relation to transfers, fair processing
notices, exemptions, powers of the Commissioner, penalties and remedies.” [Source]
Agency Marketing Improvement conducted a survey of 50
companies from the FTSE 100 list of the UK’s biggest publicly traded firms to
determine the efficiency of dealing with data protection inquiries. The third
of its kind since 2003, the survey found that the UK’s largest companies
continue to have difficulty with customers seeking to determine what
information a company holds about them. The survey also found that 25% of the
companies did not have a privacy policy posted on their Web site. Overall, the
survey found that major companies have improved their data protection track
records in the four years since the first study, but continued improvements are
necessary. [Source]
Market analysis company IDC predicts that in just
three years, the bytes of data generated by digital photographs, mobile phones,
IT systems and other devices will equal the number of grains of sand on the
world’s beaches. Stephen Minton, IDC’s VP of worldwide IT markets and
strategies, said that the explosion of data will force companies into decisions
about how to best store data, find the information and comply with regulations.
Minton added that many companies are “still a long way short of being able to
analyze the unstructured data on their networks,” meaning the data that is not
clearly labeled. [Source]
Research commissioned by the Computing Technology Industry Association has found that the severity of breaches has increased over the past year, according to study results released this week. The average security level of breaches among organizations measured 4.8 on a 0-10 scale, with 10 being very severe. The security level rating for the past two years was 2.3 and 2.6. [Source] [Source]
Many consumers who manage their money through online
banking services may be unaware of their financial institution’s strict
security requirements, thereby jeopardizing their eligibility for fraud
reimbursement, according to a study out of Ottawa’s Carleton University. “We
found that many security requirements are too difficult for regular users to
follow, and believe that some marketing-related messages about safety and
security actually mislead users,” the study said. Banks will demand proof that
you met their security requirements should a breach occur. “With credit cards,
there is a maximum liability of $50 and with most cards it’s just waived … But
with online banking, it may not be that simple. The bank may ask ‘Did you
fulfil these requirements?’ [Source]
A group of eminent UK lawyers and scientists is
calling for anyone not convicted of a crime to have their details wiped from
the DNA database. The Nuffield Council on Bioethics said it is “unjustified” to
keep people on the National DNA Database when they have not been convicted of
any offence. In its report, the Nuffield Council recommended that police should
only keep the DNA of convicted criminals. Said Professor Sir Bob Hepple QC,
chairman of the body. “Innocent people are concerned about how their DNA might
be used in future if it is kept on the National DNA Database without their
consent … We would like to see the police put more resources into the
collection of DNA from crime scenes, rather than from individuals suspected of
minor offences.” The body said the only exception to this tightening of rules
should be suspects of serious violent or sexual offences. [Source] [Council Report] [Police
must not store DNA details of the innocent] [DNA
database ‘puts innocent under suspicion’ ]
Ontario’s new adoption disclosure law, which only came
into effect this week, has been struck down because it violates the privacy of
adoptees and birth parents who want their records to remain sealed. Justice
Edward Belobaba of the Ontario Superior Court of Justice this week released a
ruling saying the law breaches the Charter. “A small minority of adoptees and
birth parents that wish to protect their privacy ... have every right to do
so,” he wrote. His decision was lauded by lawyer Clayton Ruby, who challenged
the law on behalf of three adult adoptees and a birth parent. “This kind of
information about adoption and birth is the most private information you’re
ever going to have,” Ruby said. “It’s not like buying a house, where you go
look up how much you paid from the transfer tax. This is really personal stuff.”
[Source] [Decision]
[OPC
News Release]
An Aug. 7 article reported that Dr. Ron Garren, who
runs a hedge fund in Carmel, Calif., admits he pays doctors in an effort to get
confidential details about ongoing drug research. Garren's statements were
apparently misunderstood. He discussed the practice of hedge funds – Including
one for which he formerly worked — paying doctors, including some involved in
ongoing clinical trials, as consultants. But Garren says the firm he owns and
operates now, Biotech Insight Management LLC, does not do so. The Aug. 7
article reported that The Times found at least 26 cases in which drug
researchers involved in clinical trials leaked confidential details of ongoing
research to Wall Street firms. The total is accurate because Garren was not
among the 26. [Source]
TD Ameritrade Holding Corp., an online brokerage,
announced last week that a hacker broke into one of its databases and stole
names, email addresses, phone numbers and home addresses. It is unclear whether
account numbers, birth dates and Social Security numbers were stolen. The
company assured customers that no client assets were affected. However, the
company apologized for the increase in spam their customers are receiving as a
result of the breach. The company detected the breach during an internal probe
on stock-related spam. During the investigation, the company found unauthorized
code in its system that provided access to the data. [Source]
[Ameritrade Security Audit Finds
Privacy-Busting Back Door] [Ameritrade
Press Release]
Conn. Gov. M. Jodi Rell said this week that a backup tape
stolen from an Ohio state worker’s car in June contained information on every
bank account held by state agencies as well as state agency purchasing cards,
according to this AP article. A consulting company that worked on computer
systems in Conn. and Ohio apparently transferred the Conn. information by
mistake onto the Ohio computer system. The stolen tape, which contained
information on more than 1 million Ohio residents, also included the names and
SSNs of 57 Conn. residents, who will be offered free identity theft protection
services. Conn. officials have taken steps to make sure that state bank
accounts were not compromised. The state also cancelled 300 state purchasing
cards. [Source]
Privacy watchdogs of Canada, B.C. and Alberta say it’s
OK to ask someone giving you a credit card for their identification. The joint
statement was issued supporting the practice by businesses after numerous
complaints were lodged with the commissioners over several years. The
commissioners issued the statement to instruct businesses on what they’re
authorized to do and to advise consumers that it’s an allowable practice. B.C.
privacy commissioner David Loukidelis says since businesses are ultimately on
the hook for fake credit card transactions, it’s prudent for them to ask for
photo identification. Loukidelis warned business owners that they could be
vulnerable to a privacy investigation if they collect more personal information
than necessary to verify identity. [Source]
[BC Press
Release] [Guidance]
The Canadian Internet Policy and Public Interest
Clinic has released the results of a comprehensive investigation into the
privacy implications of digital rights management technologies, or “DRM”. The
study, funded by the contributions program of the Office of the Privacy
Commissioner of Canada and titled “Digital Rights Management and Consumer
Privacy: An Assessment of DRM Applications Under Canadian Privacy Law”,
investigated DRM used in 16 different digital products and services. The study
concluded that many DRM technologies in fact pose threats to privacy and that
organizations using those technologies often fail to comply with basic
requirements of Canadian privacy law. [Source]
[Media
Release] [CIPPIC
Study] [Executive
Summary]
While Google is leading a charge to create a global
privacy standard for how companies protect consumer data, the search giant is
recommending that remedies focus on whether a person was actually harmed by
having the information exposed. However, a privacy advocate dismissed the move
as a desperate attempt by Google to appear to be sensitive to privacy issues in
the midst of government scrutiny of its proposed $3.1 billion acquisition of
online ad firm DoubleClick. Marc Rotenberg, executive director of EPIC, called
the APEC Privacy Framework “backward looking” and said it “is the weakest
international framework for privacy protection, far below what the Europeans
require or what is allowed for transatlantic transfers between Europe and the
U.S.,” particularly because it focuses on the need to show harm to the
consumer. [Source][Original Article] [Google urges UN to set global internet privacy
rules] [Economist: Inside the
Googleplex] [Google clause gives pause]
[Updated
EPIC petition that started the FTC’s scrutiny of the Google-DoubleClick merger]
[How
law enforcement uses Google Earth]
A comparison of the number of cameras in each London
borough with the proportion of crimes solved there found that police are no
more likely to catch offenders in areas with hundreds of cameras than in those
with hardly any. In fact, four out of five of the boroughs with the most
cameras have a record of solving crime that is below average. [Source]
Facebook and MySpace users are willing to let the
sites sell their personal data in return for access to the sites’ social
networking features, according to new research from Pace University.
Researchers queried users of Facebook and MySpace in August, asking for their
views of the privacy protections offered by the sites and their feelings about
how much personal information they are willing to post on social networking
sites. Most Facebook and MySpace users said that they’re willing to develop
online relationships even though they believe that trust and privacy safeguards
are weak. Users seem to view the social networking sites as a way to get online
profiles, photos and the like for free while the sites “can take all their data
and do whatever they want with it,” noted the report’s author. “Both sites are
really interested in monetizing this information as much as possible,” the
researcher said. “They don’t exist to give people ways to upload photos … There
is a real disconnect between [the beliefs of] people using these sites and the
way the privacy management is set,” she said. “You transfer privacy to this
digital realm and there are only two states - it is private or it is public,
and there is potential for every single person in the world to know about it.”
[Source]
[New
York Times on MySpace’s plans to use data-mining techniques to gather
information for advertisers seeking to market products to users of its site]
See also: [Family sues Virgin Mobile over
teen's photo in ad]
Wired reported that a Swedish security researcher had
set up a rogue node on the Tor network and snagged over 100 usernames and
passwords. TOR,
also called The Onion Router, a popular online privacy and anonymity tool
distributed by the Electronic Frontier Foundation, relies on a number of nodes
to relay web traffic. But if the end point, where the data is finally
unencrypted, is operated by some malevolent person, privacy and anonymity goes
out the window. See: Rogue
Nodes Turn Tor Anonymizer Into Eavesdropper’s Paradise. [Bruce
Schneier commentary: Anonymity is not privacy]
The U.S. Homeland Security Department has gone “above
and beyond what is called for by law” in assessing potential privacy
implications of its plan to coordinate the use of satellites for domestic
surveillance, a high-ranking official told the agency’s privacy advisory
committee this week. John Kropf, Homeland Security’s director of international
privacy programs, said the department has conducted a full “privacy impact
assessment” on the recently unveiled National Applications Office, even though
security systems are exempt from the federal rule requiring such action. The
department also has been busy responding to a July report from the GAO that
called for the designation of privacy officials in each Homeland Security
mission area. That is “something we’re slowly but steadily developing,” Kropf
said. The privacy office also has been busy preparing and disseminating
internal guidance, Kropf said. A memorandum on reducing the use of Social
Security numbers went out in June, and a report on the mining of databases for
information on suspected terrorists was distributed in July. A privacy
technical implementation primer also has just been released agency-wide, he
told the advisory committee, and a document that provides advice on how to
respond in the event of a privacy breach is “imminent in issuance.” [Source]
From the Japan Times Online comes a call for changes
to the Japanese privacy law, which came into effect in 2005. It appears, from
this following editorial, that the law has been interpreted in a rigid way that
“goes too far”. [Source]:
According to China Daily, China will be enacting a
privacy law in the next year or so. A current review draft clarifies the legal
duty of entities, especially enterprises, to protect personal information by
following some basic principles. For example, it says, an entity must specify
the purpose personal information will be used for while collecting them. The
entity has to make it clear that the information will not be used for any other
purpose without the prior consent of the persons. The draft bans any entity
from providing personal information to a third party without the prior approval
of the persons. Anyone found violating that could be fined and/or imprisoned.
There are exemptions, though. For instance, such information can be divulged to
save a life or in public interest, or for criminal and tax investigations. To
ensure press freedom, the media under certain conditions have also been
exempted. The draft’s review has so far not been included in the legislation
agenda of the Standing Committee of the National People’s Congress, the
country’s top legislature. [Source]
Dismissing privacy concerns, the Hawaiian state Board
of Education is advancing proposals to let school administrators search
students’ lockers for drugs and contraband whenever they want and allow
drug-sniffing dogs on campuses. In a 7-4 vote, the board’s Special Programs
Committee adopted locker inspections “with or without reason or cause” this
week as part of sweeping revisions to the student misconduct code. It also
calls for expanding a pilot program in which a dog found drugs at all three
Maui public schools it visited this spring. Members sent the rule changes to
the full board for final approval despite hearing from the ACLU, the Drug
Policy Forum of Hawaii and a University of Hawaii sociologist – all of whom
raised concerns over the effectiveness and legality of the measures. [Source]
These days, University of Iowa professors, whether
they know it or not, are supposed to get permission before calling on a student
by name in their class. In a new regulation based on the Family Educational
Rights and Privacy Act, or FERPA, that some are calling "bizarre," UI
officials say using a student's name could be a violation of privacy. The issue
is that class lists and course schedules are not considered directory
information, which is public, and therefore must be kept private under FERPA.
This means professors aren't supposed to reveal a student's name to third
parties, including other students in the same class, unless it's been OK'd with
the student. If the student doesn't want their name revealed, they can pick an
alias or pseudonym. [Source]
The latest Internet Security Threat Report, Volume
XII, released this week by Symantec concludes that cybercriminals are
increasingly becoming more professional – even commercial – in the development,
distribution and use of malicious code and services. While cybercrime continues
to be driven by financial gain, cybercriminals are now utilizing more
professional attack methods, tools and strategies to conduct malicious
activity. Additional Key Findings:
§
Credit
cards were the most commonly advertised commodity on underground economy
servers, making up 22% of all advertisements; bank accounts were in close
second with 21%.
§
Symantec
documented 237 vulnerabilities in Web browser plug-ins. This is a significant
increase over 74 in the second half of 2006, and 34 in the first half of 2006.
§
Malicious
code that attempted to steal account information for online games made up 5% of
the top 50 malicious code samples by potential infection. Online gaming is
becoming one of the most popular Internet activities and often features goods
that can be purchased for real money, which provides a potential opportunity
for attackers to benefit financially.
§
Spam
made up 61% of all monitored e-mail traffic, representing a slight increase
over the last six months of 2006 when 59% of e-mail was classified as spam.
§
Theft
or loss of computer or other data-storage medium made up 46% of all data
breaches that could lead to identity theft. Similarly, Symantec’s IT Risk
Management Report found that 58% of enterprises expect a major data loss at
least once every 5 years. [Source]
UK business owners are better prepared than many of
their global counterparts when it comes to planning for key business risks.
Grant Thornton’s International Business Report, based on a survey of 7,200
business owners in medium to large privately held businesses across 32
countries, asked companies whether they had formal documentation in place for
dealing with key risk areas such as the loss of suppliers/customers, loss of
key personnel, disaster recovery and security of electronic information. UK
businesses appear to be doing well in preparing for risks emanating from modern
and high profile threats. 77% of businesses have documentation in place to deal
with disaster recovery and for a major IT failure, putting the UK in fourth and
fifth place respectively and comparing favourably with global (and EU) averages
of 57% (5%) and 61% (6%). In addition, 81% of business have a plan in place for
dealing with a breach in their security of electronic information, 80% on the
privacy of information and 73% for the loss or destruction of property. [Source]
[Source]
[International
Business Report]
New research from Deloitte Global Security finds that
nearly a third of breaches are inside jobs. Nearly a third of banks and other
financial companies have suffered security breaches due to insider attacks,
according to the latest Deloitte Global Security Survey. The report said that
31% of breaches could be attributed to employees: both through misconduct
(intentional action) and errors and omissions (unintentional action). [Source] [Study]
Security experts exposed what they say are their top
concerns during the Gartner IT Security Summit 2007. Joanna Rutkowska, CEO and
founder of security company Invisible Things Lab, said that “today’s prevention
technology does not always work” even when users are careful about their
personal information online. She added that “detection is still very immature,”
and added that there is an ongoing need for a “systematic way for checking system
compromises.” While Rutkowska focused on improvements needed for operating
systems, another speaker, John Pescatore, Vice President and distinguished
analyst at Gartner, said that as consumer applications become more commonplace
in the business world, there is a need for businesses to go beyond the typical
reaction of banning their uses to directly tackling the security issues they
raise. Bob Gleichauf, VP & CTO for the Cisco Security Technology Group,
said that security groups’ number one concern is data loss. [Source]
UK Department for Transport Secretary Ruth Kelly this
week unveiled a new smart-card pass that will give older and disabled people
free off-peak bus travel across England from 1st April, 2008. Currently, people
aged 60 and over and eligible disabled people are entitled to free off-peak bus
travel within their own local authority area. But from April 2008 the
Government will invest up to an extra £250m each year to extend the scheme to
include off-peak local bus travel anywhere in England. The new passes will also
incorporate ITSO ‘smartcard’ technology to boost the roll out of ‘smart
ticketing’. This will help minimise fraud and ensure that the number of
journeys made by pass-holders are accurately recorded for reimbursement
purposes between local authorities and bus operators. Transport Secretary Ruth
Kelly said: “By introducing smartcard technology from the outset we are paving
the way for full smart ticketing across the country. This would speed up
boarding, cut fraud and open up the possibility of using the same pass to
access a range of other local services such as libraries and leisure
facilities.” [Source]
A new breed of Interac card with an embedded computer
chip will stymie card-skimming criminals and identity theft crime syndicates, say
experts. The cards are being rolled out in Ontario next month and are expected
to pop up in Alberta next year. Industry experts say the goal is to have chip
cards replace all Canadian payment cards with magnetic stripes by 2015. Interac
VP Kirkland Morris called the chip a “little computer” that offers security
encryption magnetic stripes don’t. The chip cards will also be less prone to
read errors, whereas magnetic stripes often go unrecognized by retail card
readers. Morris said magnetic stripes “will remain on new chip cards over the
next five to seven years as the industry adjusts to the new technology.” [Source]
Under grilling from congressional Democrats last week,
the U.S. intelligence chief said he doesn’t know how many Americans’ phone and
e-mail conversations have been inadvertently overheard in the process of
foreign-oriented snooping. Director of National Intelligence Mike McConnell has
previously said only about 100 Americans have been “targeted” for electronic
surveillance, and he emphasized at a hearing this week that none of that
eavesdropping has occurred without a court order. Doing so would be illegal, he
added. But when pressed by the House of Representatives Judiciary Committee
Chairman and other Democrats to estimate how many Americans who weren’t
necessarily “targets” have had their communications scooped up through the
government’s surveillance efforts, McConnell couldn’t say. “I don’t have the
exact number,” McConnell replied, adding, “It is a very small number
considering that there are billions of transactions everyday.” He said he would
look into getting that number and brief the committee in a non-public session.
The sworn testimony from McConnell came as the Bush administration kicked off a
new push in Congress for permanent expansion of warrantless wiretapping powers.
[Source]
Congress can enact legislation that meets the needs of
law enforcement for defending national security, while still protecting the
fundamental privacy rights of innocent Americans, CDT Policy Director Jim
Dempsey told a congressional panel this week. Dempsey identified a balanced
approach that Congress could use to replace the overreaching Protect America
Act, which was adopted last month and expires next year. CDT also released a
memo addressing the poorly understood concept of “minimization” in the
surveillance context. [Dempsey
Testimony, Sept 18, 2007] [Minimization
Memo, Sept 18, 2007] [The US Bill of Rights Defence Committee has produced
a two-part video on National Security Letters under the USA Patriot Act. There
are additional materials on their website: FBI
Unbound: How National Security Letters Violate Our Privacy]
A “Surveillance
Society Clock“ created by the ACLU will symbolize the encroachment of
government spying on private citizens as part of the war against terrorism and
the ticktock is fast approaching midnight. “The extinction of privacy is a real
possibility,” said Barry Steinhardt, director of the ACLU’s Technology and
Liberty Project. “We believe that privacy is not yet dead it is a patient on
life support.” Midnight symbolizes a total “1984”-style “surveillance society.”
Steinhardt said that an explosive increase in new technology and data mining is
fueling the trend and creating a false sense of security from satellites to
national-identity systems, the NSA’s warrantless surveillance program, DNA
data-banking and Web search engines that store every query, even satellites.
“The false security of a surveillance society threatens to turn our country
into a place where individuals are constantly susceptible to being trapped by
data errors or misinterpretations, illegal use of information by rogue
government workers, abuses by political leaders or perhaps most insidiously,
expanded legal uses of information for all kinds of new purposes … We are far
too close to the midnight of a genuine surveillance society, and the second
hand has not stopped sweeping around the dial.” The “surveillance” clock, a
digital display viewable from the ACLU’s Web site, is now set at six minutes
before midnight.” [ACLU news release]
[Source]
[Surveillance
Society Clock] [Surveillance
Milestones / Timeline] [A
Midnight of Lost Privacy] [Bob Gellman
Data Surveillance Predictions]
Britons are subject to the most intense surveillance
since the beginning of the war on terror, according to a YouGov poll
commissioned by rights
advocacy group Liberty. As part of a larger report, the YouGov poll of
2,500 people found that 57% of respondents believe the UK has become a
“surveillance society” - but only 17% trust the government to keep their
personal details confidential. Nearly half said the government and public
sector holds too much personal information about individuals. The Liberty
report said that authorities are increasingly using surveillance to profile,
rather than to target specific individuals. “In times of heightened insecurity
we quite rightly compromise some of our privacy for public protection, but if
we don’t pause for thought right now, our children will grow up without any
sense of the value of privacy,” said Liberty’s policy director and the author
of the report Gareth Crossman. The report also found that 440,000 personal
communication surveillance authorizations were recorded between June 2005 and
March 2006. The UK leads the world in CCTV cameras, with about 4.2 million, and
has the largest national DNA database, with 3.9 million samples, Liberty said.
[Source]
[Source]
Australian security agencies would be able to secretly
track people via their mobile phones and monitor their internet browsing for up
to 3 months without obtaining a warrant under new laws due to go before the
Senate this week. The powers could be used in a range of even relatively minor
criminal investigations, not just terrorism cases. They would allow ASIO and
federal and state police forces to demand that phone companies and internet
service providers stream information to them in “near real-time” - just a few
minutes after calls are made or websites visited. The information would have to
be provided for up to 90 days for ASIO investigations, and 45 days if state or
federal police are involved. Justified as a counter-terrorism measure, the
legislation has already been passed by government and Labor members of the
lower house. But it remains deeply unpopular with legal experts and privacy
advocates. As well as not requiring a warrant signed by a judicial officer, the
powers could be used in any criminal investigation into a suspected offence
that carries a jail term of three years or more. The regime applies to all
“telecommunications data”, including the time and destination of phone calls
made and received, the duration of the calls and the location of the callers.
For computers, security agencies would be told what website addresses and chat
rooms the user has visited and what files have been downloaded. The laws would
also enable authorities to track internet conversations. [Source]
[Source]
U.S. Rep. Mike Doyle, D-Pa., Vice Chairman of the
House Energy and Commerce Committee’s Subcommittee on Telecommunications and
the Internet, has proposed legislation that would make names registered on the
federal do-not-call list permanent. Under the current law, more than 50 million
names will be deleted from the list this year, according to Doyle. [Source]
International travelers concerned about being labeled
a terrorist or drug runner by secret Homeland Security algorithms may want to
be careful what books they read on the plane. Newly revealed records show the government
is storing such information for years. Privacy advocates obtained database
records showing that the government routinely records the race of people pulled
aside for extra screening as they enter the country, along with cursory answers
given to U.S. border inspectors about their purpose in traveling. In one case,
the records note EFF co-founder John Gilmore’s choice of reading material, and
worry over the number of small flashlights he’d packed for the trip. The
breadth of the information obtained by the Gilmore-funded Identity Project shows the
government’s screening program at the border is actually a “surveillance
dragnet,” according to the group’s spokesman. “There is so much sensitive
information in the documents that it is clear that Homeland Security is not
playing straight with the American people,” he said. [Source] [Identity Project] [Update: Homeland Security Not Interested in Your
Books, DHS Says]
Any business that takes card payments from residents
of California will face strict new duties on the security of card data under
proposals that are just a signature away from becoming law. A breach would
trigger unprecedented reimbursement provisions. Final amendments to the
measure, called Assembly Bill No. 779, were approved by the California State
Assembly last week and it now awaits the signature of Governor Arnold
Schwarzenegger, who is said to back the bill. In passing the measure California
would extend its national lead in security breach notification law to include
some data protection elements. AB 779 forbids retailers from storing
payment-related data unless the business has a data retention and disposal
policy which limits the amount of data held. Sensitive authentication data,
such as the data on a card’s magnetic strip, must not be held after card
authorisation, even if that data is encrypted, says the bill. Payment-related
data must not be sent over the internet unless “encrypted using strong
cryptography and security protocols or otherwise rendered indecipherable,” it
adds. Businesses must also limit access to payment-related data to only those
individuals whose job requires that access. If required to notify a data breach
under the state’s existing legislation, a business must now give more
comprehensive details of the breach. If a business fails to comply with the new
requirements it shall be liable to the owner or licensee of compromised
information “for the reimbursement of all reasonable and actual costs of
providing notice to consumers pursuant to the breach [...] and for the
reasonable and actual cost of card replacement as a result of the breach of the
security of the system.” If the new bill is signed it will come into force on
1st July 2008 to give retailers time to put in place the required security
controls. [Source]
In Copland v The United Kingdom (2007), the European
Court of Human Rights (ECHR) found that the UK had violated Ms Copland’s right
to respect for her private life and correspondence under Article 8 of the
European Convention on Human Rights (“the Convention”), by the way in which it
monitored her telephone calls, e-mail correspondence and internet use. Although
the circumstances of the case took place before employers started introducing
policies covering the monitoring of employee communications as a matter of
course, the case does highlight the care that employers should take in managing
employees’ expectations and in ensuring that policies are applied fairly in
practice. [Source]
See also [Divorce
and Digital Evidence]
A group of cabbies sued city regulators this week in
an attempt to block a new requirement that all taxis be outfitted with global
positioning systems and software that will record where they drive. The move
comes two weeks after thousands of cabbies went on strike for two days to
protest the rule. In the lawsuit, the drivers argue that the city overstepped
its authority and acted unconstitutionally when it mandated the GPS units.
Their lawsuit also makes an unusual claim that the GPS devices will give away
trade secrets by disclosing the cabbies’ driving patterns. Most taxi drivers,
it explained, cruise routes of their own design that they believe lead to the
most lucrative fares. “Each taxi driver regards his or her own pattern as
proprietary,” the lawsuit said. Tracking those patterns would cause the drivers
to give up their competitive edge, it claimed. [Source]
--------