Privacy News Highlights
01–16 April 2008
Contents:
CA – U.S. Security Czar Pushes Biometrics; Critics Raise Privacy Issues
CA – Federal Privacy Commissioner writes to Minister re: Fingerprints
UK – ID Card Rebels Offer £1,000 for P.M. Brown’s Fingerprints
IN – India to Deploy Biometric Identity Cards
TW – Biometric E-Passports Set to Launch in Taiwan
UK – School Forced to Halt Fingerprint Roll Call
US – Arizona Approves Bill to Collect Fingerprints from School Kids
CA – Alberta Privacy commissioner Raps Home Depot for Collecting DL Info
CA – Civil Liberties Group Says B.C. School Survey Violates Privacy Rights of Students
CA – US Patriot Act Deters Ontario Profs and Coeds from Google Service
US – Consumers Indicate a High Level of Awareness that Tracking and Targeting Occur
CA – Mixed Opinions on Facebook’s Social Value: Canadian Survey
CA – Federal Government Applying Social Media to a Public Sector Environment
CA – CMA Unveils Website for Patient-Doctor Communication
CA – MDs’ Prescribing Habits Can Be Public: Ruling
US – Software to Protect Toll Payers’ Privacy
US – NIH to Crack Down on Encryption
EU – Article 29 Working Group Makes Data Retention Recommendations
EU – Google Responds to EU’s Data Recommendations
EU – EDPS Recommends Breach Notification Law for EU
EU – Germany Moves Ahead With Computer Surveillance Guidelines
WW – Stolen Identities Going Cheap
UK – British ISP Says it Won’t Adopt BPI’s Anti-Piracy Suggestions
WW – Google Enlists Video ID Tools to Combat Child Porn
US – Majority Uncomfortable with Web Sites Customizing Content
US – Buckeye Profs Have Access to Student Records
US – Agencies Making FOIA Progress, But More Guidance Needed: GAO Report
US – House Staffers Livid Over Site that Posts Salaries
CA – Toronto Chief of Police Calls for Wider DNA Dragnet
CA – B.C. Introduces Law for E-Health Records and Privacy
US – White House Panel Report: Amend HIPAA
US – UCLA Employees Snooped In Governor’s Medical Files
UK – Lost Disk Holds Data on 370,000 HSBC Customers
UK – WellPoint Customer Information Exposed
US – Groups Urge Expansion of Child Privacy Laws
WW – Identity for the Internet Will Balance Security and Privacy
US – IRS Chief to Tackle Identity Theft
US – Pentagon to Phase out SSNs on ID Cards
WW – U-Prove: Microsoft Acquires Powerful Online-Privacy Technology
CA – B.C. Launches Online Ordering for Birth Certificates
AU – Aussies Hit by ID Theft: Study
US – Avatars Attend House Hearing on Virtual World
US – MIT Student Fights to Protect Activists’ Privacy
UK – Policing Internet ‘Not ISP’s Job’
US – FTC Should Strengthen Behavioral Advertising Principles: CDT
US – Microsoft Proposes Tiered Privacy in Online Advertising
UK – BT Admits Spying on 36,000 Internet Users
UK – ICO Says Phorm Must be Opt-In
WW – ISPs Conducting Deep-Packet Inspection
UK – Survey Says Kids Don’t Use Privacy Settings
US – Online Rivals Unite In Opposition to Anti-Ad Bill
AU – Draft Australian Guidelines Issued for Reporting of Data Breaches
NZ – Drivers Licence Data to Fight Crime
AU – Australia’s Labor Party to Revamp Privacy Act
JP – Companies Establish World’s First Info Security Ratings Company
PH – Philippine IT Sector Wants Privacy Laws, Commissioner
US – Bush Makes Privacy and Civil Liberties Board Vanish
US – NYC Lawyers Subpoena Code – Text Messages of Demonstrators
US – Video Blog Posting: Congestion Pricing in NYC: The Civil Liberties Perspective
US – Supreme Court Overturns Goshen Pot Conviction, Set Precedent
EU – Dutch RFID Transit Card Crippled by Multihacks
US – Washington State Governor Signs Anti-Skimming Law
WW – FDA, EC Considering RFID for Drug Pedigrees
US – California Not Ready for Drug Pedigrees – Is RFID?
CA – BC Facility to Use RFID to Track Patients
EU – Four Italian Hospitals Use RFID to Share Blood and Monitor Transfusions
WW – Companies, Agencies Use Clandestine RFID Systems to Catch Thieves
US – American Apparel Going to Item-Level RFID in Stores
WW – Malware Threats Have More Than Quadrupled
WW – Ten-Fold Increase in New Malware for 2008 Forecasted
US – Hannaford Breach Blamed on Malware
UK – Don’t Blame ‘Stupid Users’ for Data Breaches
WW – Anti-Theft Technology for Laptops
US – Homeland Security Blinks on Real ID: No Hassles on May 11
US – CDT Corrects the Record About Security of Personal Data on REAL ID Cards
US – Government Slow to Implement ID System
CA – Ruling May Lead to More Digital Surveillance
US – U.S. Set to Launch Domestic Spy Satellite Program
US – ACLU Challenges National Security Letters in Congress and Court
CA – Winnipeg Police Planning Surveillance Cams
WW – Board Should be Liable for Breaches, Say Security Professionals
SK – South Korean Police to Use GPS and RFID to Track People
US – Lawmakers Proposing Millions for Elementary School Surveillance Cams
UK – Net Snooping Rife Among Spouses
US – FCC to Look Into Firms’ Use of Customer Data
CA – Website Thwarts Exempt Telemarketers
WW – Researchers: GSM Mobile Security on the Ropes
US – Defense Department Uses FBI’s Spying Powers
US – Lawmakers Seek FBI Data Access Limits
US – Fusion Centers Tap Into Personal Databases
CA – Safety, Law and Order Trump Privacy in New Manitoba Legislation
US – Alaska Latest to Pass ID Theft Law
US – Iowa House Fights Identity Theft
US – Senator Seeks to Amend Privacy Law
WW – Employers Defy Privacy by Using Facebook
WW – Recording Everything in the Workplace Soon to be in Vogue, Say Researchers
EU – Two More German Chains Caught Spying on Employees
AU – Bosses Could Read Your E-Mail
The U.S. homeland security czar says Canadians shouldn’t fear plans to expand international sharing of biometric information such as fingerprints. Michael Chertoff says a person’s fingerprints are like footprints. “They’re not particularly private,” Chertoff said last week during a brief visit to Ottawa. “Your fingerprint’s hardly personal data, because you leave it on glasses and silverware and articles all over the world.” Canada is working with the U.S., Australia and the U.K. on the systematic exchange of biometric data - unique identifiers such as fingerprints, facial images and iris scans. The four countries have agreed to begin swapping identity information to improve border and immigration controls by 2009. They hope to create a swift means of sharing such data, using electronic matching programs, by 2010. At an international meeting next month, the U.S. FBI plans to present further details of a project known as the “Server in the Sky” that would allow the four countries to compare biometric records on known or suspected terrorists. Chertoff says the sharing of fingerprints, which are difficult to fake, actually enhances privacy because it can prevent someone from pretending to be another person. “Why would I not want to have that? The people who argue against information sharing don’t understand that information sharing in many ways is the best protection for privacy, and not a threat to privacy.” Chertoff says he’s confident the countries can put in place a system of secure driver’s licences, with the help of provincial and state governments, before the deadline. [Source]
The Privacy Commissioner of Canada, Jennifer Stoddart, has sent a letter to the Minister of Public Safety and Emergency Preparedness Canada, regarding her concern about remarks made by the U.S. Secretary of Homeland Security Chertoff suggesting that fingerprints are not “personal data”. [Source]
Two of Britain’s leading civil liberties groups are to offer a £1,000 reward for the fingerprints of the Prime Minister or Home Secretary. The anti-ID cards group No2ID and the campaign organisation Privacy International will this week take out spoof ‘Wanted’ posters in tube stations and pub lavatories offering the cash to anyone who can lawfully obtain either the fingerprints of Gordon Brown or Jacqui Smith. The posters, resembling those issued by US sheriffs hunting outlaws in the Wild West, are backed by an internet campaign and accuse Brown and Smith of ‘identity theft’. They stipulate that ‘the fingerprint must be obtained lawfully and can be located on a beer glass, doorknob or any object with a hard surface. Corroborating evidence is required to ascertain the identity of these thieves.’ The £1,000 reward will then be paid to the charity of the ‘bounty hunter’s choice’, as the posters put it. The poster continues: ‘As fingerprint technology spreads, this government will essentially have back-door access to your computers, files, wallets and even cars and homes. We are offering this bounty to teach these individuals a lesson about personal information security.’ Phil Booth, of No2ID, said the campaign was designed to highlight the increasing sensitivity of fingerprinting as a political issue. ‘Having committed the largest data breach in history, the government is about to perpetrate the largest identity theft in history,’ he said. ‘I’m sure the government will seek legal advice to see if we can be prosecuted,’ said Simon Davies, director of Privacy International. ‘But it would be a foolish government that would try to charge civil rights groups.’ [Source]
Every citizen in the world’s second most-populous nation will carry a national ID card integrated with finger biometrics and photographs within the next five years. Indian officials will issue Multi-purpose National Identity Cards (MNIC) to every citizen over the age of 18 after the nation’s 2011 census. The Home Ministry will now begin looking at issues related to card management, such as loss, damage and acceptable usage. [Source]
23 million Taiwan citizens will be issued biometric e-passports by the second half of 2008, under the new National Identity System (NIS) developed by Hewlett-Packard. To meet international security standards, the NIS would integrate specialist solutions from Entrust, Safenet, 3M and Cryptometrics, with contactless chips of ICAO security standard embedded in the e-passports. [Source]
At least six public high schools in NSW conduct “roll call” by scanning student fingerprints, but the Department of Education last week suspended the project at Ku-ring-gai High School as it investigates complaints that parents were not properly consulted. [Source] SEE ALSO: [Australian High School students ‘forced’ to accept ID scans]
An Arizona Senate bill to require parental consent for collecting biometric data on schoolchildren received preliminary approval last week. The bill’s sponsor, Arizona Senator Karen Johnson, said that because biometric data could fall into the wrong hands, the law is necessary to protect students’ privacy and prevent identity theft. “You can cancel a credit card, but you can’t cancel a fingerprint,” said Johnson. “Fingerprints are forever.” The original legislation called for a complete ban on biometrics in Arizona schools, but that bill was amended on the floor to the current parental consent language. [Source]
Alberta’s privacy commissioner has ordered Home Depot Canada to stop collecting driver’s licence information and storing it on its American database. Commissioner Frank Work has ruled that the multinational hardware chain required more personal information than was necessary when it asked a woman who wanted a refund to produce her driver’s licence and the store put the licence information into its database. [Source] [Order]
The B.C. Civil Liberties Association says a survey of provincial high school students violates the privacy rights of students. The association has filed a complaint with B.C. Privacy Commissioner David Loukidelis, challenging the use of the Safe School and Social Responsibility Survey. The association says the survey asks students whether they have committed any criminal acts. It says while the survey claims to be confidential and anonymous, there are no protections for students from police asking to look at the files and tracking any crimes back to individual students. They also say that the University College of the Fraser Valley, which administers the survey, has refused to take steps that would make sure student privacy is protected. The association is urging school boards across B.C. not to allow the survey. [Source] See also: [Straight or gay? U.S. court says Web site can’t ask]
Lakehead University staff and students are upset by the fact their university has outsourced its email infrastructure to Google systems that route through the U.S. Concerns that American government authorities may intercept and read their communications under U.S. Patriot Act rules led staff to file an official grievance with university officials. Canadian privacy lawyer David Fraser said, “The big concern with the Patriot Act is that certain demands and certain searches that used to require a warrant from a court and therefore were subject to court oversight and supervision now can be done with something similar to an administrative subpoena, something called a national security letter.” Fraser said that many Canadian provinces have introduced laws preventing public bodies from transferring personal data outside the country. [Source]
Consumer privacy organization TRUSTe announced the results of a study regarding American Internet users’ knowledge, attitudes and concerns about behavioral targeting and its implications for their online privacy. Overall results indicate a high level of awareness that internet activities are being tracked for purposes of targeting advertising, and a high level of concern associated with that tracking, even when it isn’t associated with personally identifiable information. [Source] [TRUSTe Press Release] See also: [Ralph Nader on Consumer Privacy - Video]
Nearly one-quarter of Canadians believe Facebook has played a more negative than positive role in society, a new poll suggests. The Canadian Press Harris-Decima survey, conducted March 27–30, asked more than 1,000 people about the social networking site’s impact on society. While 40% said Facebook was a positive force, 24% said it played a more negative role. The remainder declined to take a stand. The poll also suggests there is a generation gap in how Facebook is perceived, with younger people more likely to value the service. [Source]
The Chief Information Officer Branch of the Treasury Board of Canada (Secretariat) is conducting a Proof of Concept to pilot the use of new social media tools – commonly known as Web 2.0 collaboration tools – across the Government of Canada. The initiative was launched last fall and so far has included the use of a blog and a wiki. Objectives have been threefold: (1) enhance breadth and agility in consulting with functional communities in departments and agencies for Enterprise policy development, (2) establish a code of conduct and acceptable use guidance (re ATIP, Official Languages, Accessibility, etc.) and (3) help create a modern, vibrant government workplace to attract bright, young talent to the public service. The pilot has involved 400 registered users from more than 80 departments and agencies. The wiki currently contains 10 different topic areas with a total of over 700 pages and there have been over 39,000 page views since its inception late last fall. [Source]
A secure website for patients to interact with their family doctors was launched last week by the Canadian Medical Association. CMA president Dr. Brian Day said the Mydoctor.ca portal will empower patients to take a more active role in their health care. The new online tool focuses on tracking tools for three key areas: asthma, high blood pressure and obesity. Patients using the system can call up their personal profile online and enter information about their conditions. That information is forwarded to their doctors’ offices and then the physician monitors and assesses it. More conditions, such as diabetes, will be added as time goes on. The portal can also include health records and a secure messaging system between doctor and patient. About 200 physicians and several hundred patients are already using the site. [Source] [Media Release] [Overview of the mydoctor.ca Health Portal by Dr. Jay Mercer] [Coverage]
An Alberta judge has ruled that information revealing the names of doctors and the drugs they prescribe can be legally bought and sold, ending a drawn-out court battle over physician confidentiality. Doctors had argued that IMS Health was unlawfully violating their privacy by disclosing physicians’ identities when it sold prescription-drug data to its clients. In a ruling released this month, however, a Court of Queen’s Bench judge said the practice does not violate provincial privacy legislation. In 2003, the Alberta information and privacy commissioner ruled that the practice contravened the province’s Health Information Act, citing a part of the law that deals with “health-provider” information. IMS appealed the decision, which allowed the disclosure of names to continue pending the outcome of the case. In her judgment earlier this month, Justice June Ross ruled that the prescription data did not fall under the definition of health-provider information contained in the Alberta law, so whatever happened to it could not be a violation of the act. [Source]
A University of NSW researcher has developed technology to safeguard motorists’ privacy when passing through electronic tollgates. UNSW researcher and software engineer Usman Iqbal said electronic tolling hastened travel times but made it simpler to track a driver’s movements on a database. “The convenience of a faster trip is at the cost of loss of anonymity,” Mr Iqbal said. “You have a unique identifier, like your E-tag, that broadcasts your ID to a toll gantry and it stores that in a database.” Mr Iqbal has developed a post-pay toll collection method that uses cryptography to ensure motorists can pass electronic tollgates and pay a toll without generating identifying data. The system assigns a motorist a list of random, untraceable identifier codes, with one code used each time the driver passes a tolling point. Each list of identifier codes has a unique digital fingerprint, which links the list of codes to the motorist for billing purposes. All information on the time and place of each toll payment remains stored on the electronic tag in the motorist’s car. Mr Iqbal said Swedish tolling authorities were interested in the system. [Source]
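The item above describes the scheme only in outline. The following is an added illustration, not Mr Iqbal’s actual system: a tag holds a list of random one-time tokens, the billing authority registers only a hash (the “digital fingerprint”) of that list against the motorist, gantries log bare tokens and a fee, and at post-pay settlement the list is revealed so the authority can match it to the registered fingerprint and total the fees. Names, the fee amount and the replay handling are assumptions for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

TOLL_FEE = 250  # fee in cents per gantry pass; constructed value for this example


def list_fingerprint(tokens):
    """Digital fingerprint of a whole token list: SHA-256 over the tokens in order."""
    h = hashlib.sha256()
    for tok in tokens:
        h.update(bytes.fromhex(tok))
    return h.hexdigest()


@dataclass
class TollTag:
    """In-car tag: holds the unused tokens and keeps time/place only locally."""
    tokens: list
    next_idx: int = 0
    local_log: list = field(default_factory=list)  # (timestamp, gantry) never leaves the car

    @classmethod
    def issue(cls, n):
        # Random 128-bit tokens: unpredictable and unlinkable to each other without the list.
        return cls([secrets.token_hex(16) for _ in range(n)])

    def fingerprint(self):
        return list_fingerprint(self.tokens)

    def pass_gantry(self, gantry_id, timestamp):
        """Emit the next unused token; refuse to reuse one once the list is exhausted."""
        if self.next_idx >= len(self.tokens):
            raise RuntimeError("token list exhausted; a fresh list must be issued")
        tok = self.tokens[self.next_idx]
        self.next_idx += 1
        self.local_log.append((timestamp, gantry_id))
        return tok


class TollGantry:
    """Roadside reader: records only the token it saw and the fee, no identity."""

    def __init__(self, gantry_id, ledger):
        self.gantry_id = gantry_id
        self.ledger = ledger  # shared with the billing authority

    def read_tag(self, token):
        self.ledger.append((token, TOLL_FEE))


class BillingAuthority:
    """Knows motorist -> fingerprint at registration, learns the token list only at settlement."""

    def __init__(self):
        self.registrations = {}  # fingerprint -> motorist account
        self.ledger = []         # (token, fee) entries written by gantries

    def register(self, motorist, fingerprint):
        self.registrations[fingerprint] = motorist

    def settle(self, tokens):
        """Post-pay settlement: verify the revealed list against its fingerprint, then total fees."""
        fp = list_fingerprint(tokens)
        motorist = self.registrations.get(fp)
        if motorist is None:
            raise ValueError("token list does not match any registered fingerprint")
        owned = set(tokens)
        charged = set()
        total = 0
        for tok, fee in self.ledger:
            # A token copied and replayed by a third party is charged at most once.
            if tok in owned and tok not in charged:
                charged.add(tok)
                total += fee
        return motorist, total


def run_trip(n_tokens, n_passes):
    """Drive one motorist through n_passes gantries and settle; returns (motorist, total, ledger)."""
    tag = TollTag.issue(n_tokens)
    authority = BillingAuthority()
    authority.register("motorist-A", tag.fingerprint())
    gantry = TollGantry("G1", authority.ledger)
    for ts in range(n_passes):
        gantry.read_tag(tag.pass_gantry("G1", ts))
    motorist, total = authority.settle(tag.tokens)
    return motorist, total, list(authority.ledger)


if __name__ == "__main__":
    who, owed, ledger = run_trip(5, 3)
    print(who, owed, [entry[0][:8] for entry in ledger])
```

The ledger the gantries build contains no motorist identifier and no two tokens share anything computable, which is the property the item describes; only the motorist’s own disclosure of the list at billing time ties them together.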
The director of the National Institutes of Health has notified employees to expect random computer audits as the agency works to ensure full compliance with its security policies. NIH discovered that a stolen laptop PC belonging to NIH contained medical data and Social Security numbers of 1,200 patients involved in medical research. [Source]
The EU’s Article 29 Working Party has issued a set of recommendations for data retention by search engine operators that derive revenue from search-based advertising. The 29-page opinion outlined a number of provisions related to data retention, recommending destruction of data collected about users after a period of 6 months. Other provisions of the paper included destruction and anonymization of data that is no longer useful, user notification of data collection and use policies, cookies set to an expiration of “no longer than demonstrably necessary,” transparency for data collected about individuals, and prevention of revealing personally-identifiable information through search results. [Source] [Source] [Source] [Source] [Source] [Source] [Source] [Opinion on data protection issues related to search engines] [Europe mulls six-month limit for search engine data storage]
Following the issuance of a set of data retention recommendations by the EU’s Article 29 Working Party last week, Google responded to defend its practices stating in a written response by Peter Fleischer, the company’s global privacy counsel, “We believe that data retention requirements have to take into account the need to provide quality products and services for users, like accurate search results, as well as system security and integrity concerns.” Among the contended provisions, Google retains search data for 18 months, while the EU recommends only six months; and the EU’s inclusion of IP addresses as personally identifiable information is also at issue. [Source]
Peter Hustinx, Europe’s data protection supervisor, has recommended that the European Commission adopt a mandatory data breach notification law, following the lead of those states in the U.S. that have already taken the step. Hustinx believes current law does not go far enough in establishing standards for data breach notice, saying that the current proposed amendments to the e-Privacy Directive are “not as ambitious as they should be.” Hustinx has also recommended that the EC grant greater power to authorities responsible for prosecuting violators of the EU’s anti-spam laws. [Source] [EDPS Opinion]
Germany’s top security and law officials agreed this week to new guidelines regarding the surveillance of personal computers in cases of terrorism or other serious crimes, the Interior Ministry said. The new framework will conform with a legal ruling from the country’s highest court. It was the last stumbling block in putting together new guidelines for Germany’s national intelligence services, which will now be sent to the country’s states for further discussion. In February, Germany’s Constitutional Court established the privacy of data stored or exchanged on personal computers as a basic right protected by the nation’s constitution, allowing surveillance only in exceptional cases. The court ruled online surveillance could only be used when it could be established that there was a concrete danger, such as the planning of terrorist acts or other attacks on life or freedom. [Source]
Fierce competition among identity thieves has driven the prices for stolen data down to bargain-basement levels, which has forced crooks to adopt mainstream business tactics to lure customers, according to a new report on Internet security threats. Credit card numbers were selling for as little as US$0.40 each and access to a bank account was going for US$10 in the second half of 2007, according to the latest twice-yearly Internet Security Threat Report from Symantec released Tuesday. [Source]
Carphone Warehouse-owned Internet service provider (ISP) TalkTalk has vehemently rejected the British Phonographic Industry’s (BPI) suggestion that ISPs monitor customers’ downloading habits and impose a “three strikes and you’re out” policy for repeat offenders. According to Carphone Warehouse chief executive Charles Dunstone, “The music industry has consistently failed to adapt to changes in technology and now seeks to foist their problems on someone else.” [Source] [Source]
Google is enlisting the same image-recognition technology the company uses to trace copyright violations on its YouTube video site to fight online child pornography. Google said it is working with the National Center for Missing & Exploited Children (NCMEC) of Alexandria, Virginia to help automate and streamline how child protection workers trawl through millions of pornographic images to identify victims of abuse. [Washington Post]
A majority of U.S. adults are skeptical about the practice of Web sites using information about a person’s online activity to customize Web site content. However, after being introduced to four potential recommendations for improving Web sites’ privacy and security policies, U.S. adults become somewhat more comfortable with Web sites’ use of personal information. These are some of the results of a nationwide online survey designed in collaboration with Dr. Alan F. Westin. Westin commented: “The failure of a larger percentage of respondents to express comfort after four privacy policies were specified may have two bases – concerns that Web companies would actually follow voluntary guidelines, even if they espoused them, and the absence of any regulatory or enforcement mechanism in the privacy policy steps outlined in the question.” [Source]
Professors at Ohio State University have access to student financial records, according to campus newspaper The Lantern. The professors have access under the state’s Family Educational Rights and Privacy Act, which does not distinguish between academic and financial information, allowing instructors to determine if students are attending classes for which they have not paid. In one instance, a professor told a student in front of the entire class that her class fees were unpaid. [Source]
GAO was asked, among other things, to determine trends in FOIA processing and agencies’ progress in addressing backlogs of overdue FOIA requests since implementing their improvement plans. To do so, GAO analyzed 21 agencies’ annual reports and additional statistics. Based on data reported by major agencies in annual FOIA reports from fiscal years 2002 to 2006, the numbers of FOIA requests received and processed continue to rise, but the rate of increase has flattened in recent years. The number of pending requests carried over from year to year has also increased, although the rate of increase has declined. The increase in pending requests is primarily due to increases in requests directed to the Department of Homeland Security (DHS). In particular, increases have occurred at DHS’s Citizenship and Immigration Services, which accounted for about 89% of DHS’s total pending requests. [Source]
Working from a cramped loft apartment a mile from the U.S. Capitol, a small Internet company has sparked a privacy rights battle with hundreds of angry top House staffers upset that the Web site has begun posting details about their personal finances. In an unusual conflict over constitutional rights, the aides argue that the recent disclosures leave them highly vulnerable to identity theft. However, the Web site, LegiStorm, contends that it has a First Amendment right to publish already public information about some of the Capitol’s most powerful players – the high-level staffers – and is creating a new check against potential corruption. [Washington Post]
Toronto police Chief Bill Blair hopes that, as soon as 2011, police will have the power to demand DNA samples from anyone charged – not just convicted – of serious crimes. Blair is championing a broadened genetic data bank even as police and privacy advocates throughout the Western world spar over who should be forced to surrender their DNA. In a move that left civil libertarians aghast, the U.K. recently began collecting samples from suspects when they’re charged – even shoplifters. More than 10 U.S. states have followed suit. There are now more than 40,000 DNA samples from crime scenes in the Canadian database – many from unsolved cases. But taking samples when people are charged inevitably means the DNA of innocent people will be catalogued. “Where do you draw the line?” asked criminal defence lawyer James Lockyer, who regularly represents the wrongfully convicted. “You could, on the basis of the public interest, justify rounding up the entire population and securing a DNA sample.” [Source] See also: [Defense Lawyers Fight DNA Samples Gained on Sly]
British Columbia Health Minister George Abbott introduced legislation that, if passed, will give residents online access to their health records. The move makes BC the first Canadian province to create a legislative framework surrounding access to and privacy of electronic health information. The e-Health (Personal Health Information Access and Protection of Privacy) Act could enable paperless physicians’ offices and greater patient control over records. For example, patients may block their information from health data banks. “I’m pretty confident we got it right here,” said Abbott. [Source] [Source] [Bill 24, the E-Health (Personal Health Information Access and Protection of Privacy) Act] See also: [New Brunswick Prescription Monitoring Program a Violation of Customer Rights]
The President’s Council of Advisors on Science and Technology (PCAST) wants Congress to amend the Health Insurance Portability and Accountability Act of 1996. Specifically, in a report being prepared on personalized medicine, the council will call for better protection of genetic information. Personalized medicine uses a patient’s genetic information to better diagnose and tailor treatments to individuals. It is a method expected to grow in popularity but, as PCAST member Kathleen Behrens said, “Privacy legislation is imperative to the advancement of personalized medicine.” [Source]
California Governor Arnold Schwarzenegger said he will continue pressuring hospitals to better protect patients’ privacy. His comments followed a story in the L.A. Times disclosing that the medical files of as many as 32 high-profile clients – including the governor, California first lady Maria Shriver, and TV celebrity Farrah Fawcett – have been viewed by unauthorized UCLA Medical Center employees. “Everyone’s medical history ought to be protected,” the governor said. “That is the responsibility of the hospital. So we are going to work with them and find a way.” [Source]
The UK’s Financial Services Authority will investigate the loss of a disk containing personally identifiable information of 370,000 HSBC customers. The compromised data include names, dates of birth, and life insurance information, but no bank account information. The disk was being sent from HSBC to a reinsurance firm. The disk was not encrypted. Normally, the data are transferred electronically, but because the system was down, HSBC sent the information on disk through the post. [Source] [Source] SEE ALSO: [TJX Reaches Tentative Settlement with MasterCard]
Personal information that may have included Social Security numbers and pharmacy or medical data for about 128,000 WellPoint Inc. customers in several states was exposed online over the past year, the health insurer said. WellPoint, which has had other data security issues in the past, recently learned about the problem, fixed it and is notifying customers, a spokeswoman said. The nation’s largest health insurer by membership is offering free credit-monitoring services for those customers. The latest security lapse stems from two servers maintained by an outside vendor that specializes in data management. WellPoint had learned early last year that a server was improperly secured, and that information on about 1,350 customers may have been exposed online and was vulnerable to Internet search engines. But the company recently learned that a second server had problems which exposed information for more than 128,000 customers to Internet access for about a year. That data had some code protection and could be found by people using search engines. [Source] See also: [UK: NHS documents found dumped] [Georgia Patients’ Records Exposed on Web for Weeks] and [Pfizer Data Security Breach] and [Vermont ski area reports Hannaford-like theft of payment card data] [Video surveillance of school teachers’ locker rooms was potentially unreasonable]
A coalition of child privacy advocates, including the American Academy of Pediatrics, Children Now and the Center for Digital Democracy, is urging the FTC to expand the scope of existing child privacy law and increase the age restrictions on data collection from 13 years to 18 years of age. The groups’ proposals, if adopted, would pose a challenge to the advertising strategies of online social networking utilities such as MySpace and Facebook, whose plans include targeting the social behaviors of teenaged subscribers. [Source] See also: [William E. Kovacic Appointed Federal Trade Commission Chairman]
Authentication, authorisation and user management are some of the oldest problems in security, and the level of attention they’re getting at this year’s RSA conference reflects the rise in criminal attacks and regulation rather than developments in technology. Combined with a deluge of data in the enterprise, these trends are forcing the enterprise towards what Symantec chief executive John Thompson calls an information-centric view of security: “the amount of stored data is growing at 50% per year and trying to protect it all is costly and difficult.” To protect what’s most valuable, he predicts DRM from consumer entertainment services will move into the enterprise to protect documents. And in return, “identity management will need to expand beyond the boundaries of the enterprise, to embrace every consumer.” Identifying individuals always raises questions of privacy, as concerns over biometric identification and national ID card schemes have demonstrated repeatedly. Microsoft’s chief research and strategy officer Craig Mundie highlighted the natural tension between security and anonymity. “Increasingly the identity question is part of how we deal with trusting people, and the processes of how we manage people and their operation. Identity, and the claims around identity, are going to be critical in terms of how we find the structural balance between the privacy requirements in a given context and the security requirements.” But he also suggested that pressure for verifiable online identities won’t only come from government or business. “Society will come to demand more reliable presentation of credentials and information about people in order to feel comfort, and we will see the emergence of the need for these new forms of credentialing. I think it’s a natural thing, and as long as people are given the choice between having it and not having it, as a function of what they seek to gain access to, then I think we’ll find a happy medium.” [Source] See also: [New wrinkles for authenticating users]
IRS Commissioner Douglas Shulman has promised lawmakers that within 90 days the service will develop a comprehensive program to fight identity theft. IRS will train employees to assist taxpayers who have problems with identity theft by this fall, said Shulman, who has been in the post about three weeks. IRS has begun to take an enterprise approach to identity theft and data security issues, including creating the Office of Privacy, Information Protection and Data Security last summer. The service has updated procedures to make sure it treats identity theft victims consistently across the agency. IRS also is implementing an identity theft indicator that tags a taxpayer’s account once identity theft has been established and alerts IRS that the account may require special attention. [Source]
Social Security numbers will disappear from the ID cards of military family members by the end of the year, temporarily replaced by the SSN of the military sponsor in a half-step toward better identity-theft protection, defense officials said last week. In 2009, the Defense Department will take the next step of phasing out full SSNs on all ID cards for service members and civilians, replaced by just the last four digits. Using those digits, combined with other identifying information, is a common practice in the private sector. New cards will be issued as old cards expire. [Source]
Microsoft has picked up a powerful new online-privacy technology that it says it wants to share ... eventually. In a move that could extend its already substantial presence in the realm of identity access and management, the software giant recently announced it had acquired the patents to the U-Prove technology developed by cryptographer Stefan Brands and his colleagues at the Montreal startup, Credentica. Implemented properly, the U-Prove algorithms could allow users to exercise absolute control over the information they release online; guarantee that whatever information they did release would not linger indefinitely; and make it impossible to hack, link or trace that information back to them. Unlike other privacy solutions, including Microsoft’s current CardSpace system, U-Prove guarantees a user’s privacy even in the face of collusion by identity providers and relying parties – the very organizations that certify our online identities and require us to prove them. “It allows single sign-on, without every site you sign onto being able to link your account with every other site you sign onto.” Many privacy experts see the acquisition as a shrewd move by the company, and a good thing for online privacy in general. Yet some have also voiced concern that Microsoft might lock Brands’ algorithms into a “proprietary Microsoft-technology silo.” [Source]
British Columbians will now be able to order B.C.-issued birth, marriage or death certificates online through a new, secure, web-based ordering system. Once application details are entered into the system, clients can make payment using a credit card and the application is submitted directly to the Vital Statistics Agency. Individuals will be able to order the following B.C.-issued documents using the new system:
· Birth certificates;
· Certified photocopies of birth registrations;
· Marriage certificates;
· Certified photocopies of marriage registrations; and
· Death certificates. [Source]
Almost a quarter of the Australian population have been affected by identity theft, a new study has found. The study by Veda Advantage research found 23% had been affected and that, oddly, those in the most tech savvy age group 16-24 years of age were the least likely to have done something to prevent it. As many as nine out of 10 people in that age bracket admitted they had taken no measure whatsoever to protect themselves. [Source]
Second Life founder Philip Rosedale and a handful of other virtual-reality experts testified recently at a House of Representatives hearing that was also attended by online personas, or avatars, portrayed on a video screen in the hearing room. Some lawmakers raised questions about what operators of virtual worlds are doing to stop them being used to stage real-world crimes such as terrorism, money-laundering, and the exploitation of children. [CNET]
A New York City Law Department subpoena to an MIT graduate student over text messages has raised questions about how the First Amendment protects online speech, and whether the government is allowed to ask service providers for messages they store. Edward A. Hirsch was asked for text messages sent by his TXTmob service during the Republican National Convention in a broad subpoena issued by the New York City Law Department and dated Feb. 4, 2008. The subpoena was issued in response to hundreds of lawsuits filed by arrested protestors against the city and is available online. Hirsch is contesting the subpoena with the help of two attorneys who are representing him pro bono: Matt Zimmerman, a staff attorney with the Electronic Frontier Foundation, and David B. Rankin, a New York attorney. Zimmerman said that the case raised issues of the “right of individuals to be able to speak anonymously online or using new technologies.” [Source]
The head of one of Britain’s biggest internet providers has criticised the music industry for demanding that he act against pirates. The trade body for UK music, the BPI, asked ISPs to disconnect people who ignore requests to stop sharing music. [Source]
The FTC’s proposed behavioral advertising principles aren’t strong enough on their own to adequately protect consumers, according to comments filed jointly by CDT, Consumer Action and Privacy Activism. Although the principles represent a solid first step in the process, protecting consumer privacy interests in this space will require a rigorous mix of self-regulation, enforcement of existing law, and the passage of new general privacy law. The comments include CDT’s finding that there are several practices of concern occurring on the Internet today that remain unaddressed by current self-regulation. Based on this research and other industry developments, CDT and others recommend ways for the FTC to bolster several of its proposed principles. The groups also urge the Commission to explain how it will ensure industry compliance with the principles. [Comments of CDT, Consumer Action, and Privacy Activism, April 11, 2008] [Coverage: Advocates Ask FTC For “Do Not Track” Database] [FTC Proposed Principles, April 11, 2008]
Microsoft has proposed a tiered approach to protecting the privacy of people targeted by online advertising, saying advertisers should get permission before using sensitive, personally identifiable information to deliver ads. Microsoft filed comments on Friday in response to the U.S. FTC’s request for comments on its proposed privacy principles that would be self-administered by the online advertising industry. Among the Microsoft proposals:
§ Companies that keep records of page views or collect other information about consumers for the purpose of delivering ads should post a privacy policy on the home page, implement reasonable security procedures, and retain data only as long as necessary to fulfill a legitimate business need.
§ Companies that deliver ads or services to unrelated third-party sites should ensure that consumers receive notice of the privacy practices of those sites.
§ Companies that develop profiles of consumer activity to deliver advertising across unrelated third-party sites should also offer consumers a choice about the use of that information.
§ Third parties should be required to obtain consent from consumers before using sensitive, personally identifiable information, such as health conditions, sexual behavior or religious belief, for behavioral advertising.
Several other companies and groups, including Google, the American Advertising Federation and the Consumer Federation of America, have filed comments on the FTC’s proposed rules. Google’s filing last week appears to look for a narrower scope to regulations, although it said it has in the past called for a federal privacy law that would penalize offenders. Google suggests that the agency narrow its definition of behavioral advertising and distinguish between personally identifiable information and information that’s not personally identifying. The Consumer Federation of America’s filing called for stronger rules than the set of self-regulatory principles proposed by the FTC. “Simply put, there is a fundamental mismatch between the technologies of tracking and targeting and consumers’ ability to exercise informed judgment and control over their personal data,” the consumer group said in its filing. “It is clear that after seven years of industry self regulation, neither the voluntary organizations nor the individual companies’ approaches to privacy protection are working. Only if consumers are strongly interested, extremely literate, well-informed and highly skilled can they negotiate the opaque, inconsistent morass of opt-out procedures.” [Source] [Source]
BT tested secret ‘spyware’ on tens of thousands of its broadband customers without their knowledge, it admitted last week. It carried out covert trials of a system which monitors every internet page a user visits. Companies can exploit such data to target users with tailored online advertisements. An investigation into the affair has been started by the Information Commissioner, the personal data watchdog. Privacy campaigners reacted with horror, accusing BT of illegal interception on a huge scale. Last week, the company was forced to admit that it had monitored the web browsing habits of 36,000 customers. The scandal came to light only after some customers stumbled across tell-tale signs of spying. At first, they were wrongly told a software virus was to blame. Executives insisted they had not broken the law and said no ‘personally identifiable information’ had been shared or divulged. BT said it randomly chose 36,000 broadband users for a ‘small-scale technical trial’ in 2006 and 2007. The monitoring system, developed by U.S. software company Phorm, accesses information from a computer. It then scans every website a customer visits, silently checking for keywords and building up a unique picture of their interests. If a user searches online to buy a holiday or expensive TV, for example, or looks for internet dating services or advice on weight loss, the Phorm system will add all the information to their file. [Source] [ISP eavesdropping on between 38,000 and 108,000 customers - opens door to corporate eavesdropping] and [UK: ‘I was falsely branded a paedophile’]
The UK Information Commissioner’s Office (ICO) says that the Phorm advertisement targeting system must be an opt-in program. Prior to the ICO’s announcement, Phorm said it would operate on an opt-out basis. The ICO plans to monitor Phorm closely during trials and commercial implementation. According to the ICO, Phorm does not violate UK or European data protection laws, but declined to comment on whether or not it violates interception laws, saying that would have to be determined by the Home Office. [Source] [Privacy Watchdog OKs controversial web-tracking service] and [ICO Report – April 8]
The Internet use of at least 100,000 Americans is being monitored by ISPs. They collect the information so users can be targeted with advertisements that are more likely to be of interest to them and advertisers are likely to reach a more receptive audience. The companies involved in what is known as deep-packet inspection maintain that users’ privacy is protected because personally identifying information is not shared. [Source] SEE ALSO: [SANS Report: ISPs monitor what you do on the Internet and sell the information for marketing purposes]
A PC Advisor report says that 41% of children in the UK do not use the privacy settings provided by their social networking site. The data comes from an Ofcom survey, which found that while nearly half of the UK’s eight to 17 year-old population have profiles on sites such as Bebo, Facebook, or Myspace, the majority of them leave their privacy settings open – rendering their photos and personal information available to anyone online. In addition, about 34% of users aged 16-24 give out their phone numbers and email addresses readily. [Source]
An ad hoc coalition of companies with a stake in online advertising have signed on to a letter addressed to New York State Assemblyman Richard Brodsky outlining their opposition to a bill Brodsky has authored that would impose restrictions on data collection for use in online advertising. Google, Yahoo, AOL, Facebook, Comcast, eBay, EDS, Monster and Reed Elsevier are among the signees of a letter that says the proposed law “would have profound implications for the future of Internet advertising and the availability of free content on the Internet.” [Source] [Comments]
The Australian Privacy Commissioner Karen Curtis is seeking feedback from the business community in response to the release of a draft Voluntary Information Security Breach Notification Guide this week. Currently there are no specific requirements under the Privacy Act for organizations to notify individuals of an information security breach. However, a proposal to make notification of information security breaches mandatory is being considered by the Australian Law Reform Commission (ALRC) as part of a national privacy review. The draft Guide draws upon voluntary guidelines developed by the Privacy Commissioners of Canada and New Zealand, and public submissions close on June 16, 2008. [Source] [Consultation Paper on Breach Guidelines] See also: [Special Minister of State Addresses Privacy]
The peak road-traffic authority for Australia and New Zealand is planning to open up one of its most sensitive databases to help fight crime and terrorism. The agency, Austroads, said it was exploring ways to share information in its National Exchange of Vehicle and Driver Information System to help financial institutions and law enforcement authorities with criminal investigations, including the funding of terrorist activity. [Australian IT]
Australia’s Labor party government is ready to overhaul the 20-year-old Privacy Act and build a privacy regime to serve modern Australia. Federal Privacy Commissioner Karen Curtis said a uniform approach to privacy law would cut through the current confusion over obligations under federal and state laws, inconsistencies and overlap with other legislation. [Australian IT]
A series of recent security breaches among Japanese firms has prompted several of that nation’s businesses to collaborate on developing the world’s first information security ratings agency. The breaches, during which confidential corporate information, including client data, was leaked onto the Internet, prompted Matsushita Industrial Co., Fujitsu, Fuji Xerox and others to create I.S. Ratings, a firm specializing in evaluating levels of corporate information security. The agency will begin operations in July and hopes to see sales of around 800 million yen by March 2009. [Source]
According to a recent survey conducted by the Philippine Data Privacy Technical Working Group, nearly 80% of the Philippines’ IT sector wants more government attention towards data privacy and security. The study revealed that most respondents want to see creation of the post of Privacy Commissioner with powers to “investigate, prosecute, and resolve violations of data privacy,” and with the power to impose fines and damages, and publicize violations of privacy. Philippine Business Processing Association Executive Director Cathy Ileto said, “a data privacy law is needed by the Philippines in order for the country to sustain its momentum in becoming a global hub for outsourced e-services.” [Source]
The Bush administration has failed to nominate any candidates to a newly empowered privacy and civil-liberties commission. This leaves the board without any members, even as Congress prepares to give the Bush administration extraordinary powers to wiretap without warrants inside the U.S. The failure rankles Sens. Joe Lieberman (I-Connecticut) and Susan Collins (R-Maine), respectively chairman and ranking minority member of the Senate’s Homeland Security Committee. In a 2007 measure implementing 9/11 Commission recommendations, Congress reconfigured the oversight committee, known as the Privacy and Civil Liberty Oversight Board. The intent was to make the board more independent of the White House, require it to be bipartisan and make it more accountable to the public. Those changes came after civil-liberties groups blasted the board for a lack of independence and relevance. The board’s findings about issues such as warrantless wiretapping by the National Security Agency were by-and-large administration-friendly, though the board did issue one informative but overlooked report on redress for erroneous inclusion on terrorist watch lists. Terms for the board’s original members expired on Jan. 30, but no nominations have been sent to the Senate Homeland Security Committee, which must approve appointees for the five vacancies. [Source] [First annual report to Congress] [Second annual report to Congress - Jan. 30]
Lawyers for the city of New York have subpoenaed the text message records of thousands of people involved in demonstrations at the 2004 Republican National Convention. Tad Hirsch, MIT doctoral candidate and creator of the TXTmob code that enabled convention demonstrators to transmit messages to thousands of telephones, has been instructed to release the content of messages exchanged on the service and to identify people who sent and received messages. Hirsch argues that release of such information would be a violation of users’ First Amendment and privacy rights. “I think I have a moral responsibility to the people who use my service to protect their privacy,” said Hirsch. [Source]
In a quick two-minute video, Robert Perry, the New York Civil Liberties Union’s Legislative Director, discusses privacy concerns over New York City’s congestion pricing plan. The plan, which was just passed by a narrow margin through the city council last week, has the potential to wreak havoc on honest New Yorkers’ privacy rights. Even if you don’t drive, this video describes how the congestion pricing plan affects you. [Source]
The Vermont Supreme Court issued a majority opinion overturning the felony “cultivation of marijuana” conviction of a Goshen man on grounds that the man’s constitutional rights were violated by authorities’ aerial search of his property. The ruling is expected to set a major precedent for how law enforcement in Vermont conducts aerial searches. Extract: “The aerial surveillance in this case was a warrantless search forbidden by the Vermont Constitution. The warrant authorizing the subsequent search of defendant’s premises for marijuana plants was obtained solely on the basis of the aerial observations. The evidence seized upon executing the warrant should therefore have been excluded from defendant’s trial. Since the error was clearly prejudicial, his conviction must be overturned.” [Source]
The introduction of the Dutch public RFID transit pass will be delayed because it can be easily hacked. The final blow was given by researchers from Royal Holloway, University of London, who confirmed earlier findings by Dutch Institute TNO that the card isn’t properly secured. The Dutch Green Party and the Social Party have called for a complete halt to the card’s development. They say introduction of the card would be totally irresponsible. The smart card, known as the OV-chipkaart, is to replace paper tickets on all trams, buses, and trains and is already undergoing trials in Rotterdam. The development of the card, at a cost of $2bn, has been beset with problems. In January, two students at the University of Amsterdam showed how a used single-use card could be given eternal life by resetting it to its original unused state. [Source]
The new law makes it a felony to scan an RFID tag belonging to another person without that individual’s consent, and to use that data for an illegal purpose. The bill’s sponsor plans to introduce additional RFID legislation. [Source]
The US Food and Drug Administration (FDA) is accepting public comments through May 19th to guide development of technology and identification standards to track prescription drugs. The agency is specifically asking for comment about RFID’s suitability for identifying pharmaceuticals, verifying their authenticity, and the practicality of RFID use in the pharmaceutical supply chain. Separately, the European Commission issued a Notice for Comment to help guide its drug anti-counterfeiting efforts. The European comment period ends May 9th. The FDA requests for information were published in a pair of Federal Register notices last month. The first, docket number FDA-2008-N-0120, seeks input “on issues related to standards for identification, validation, tracking and tracing, and authentication for prescription drug products.” The second, FDA-2008-N-0121, seeks input about technologies, and seeks comment specifically about RFID. [Source] [US Pedigree Map]
The California State Board of Pharmacy recently issued a decision to delay implementation of the state’s drug pedigree law until 2011. The law does not require the use of RFID to carry drug pedigrees, but the technology is widely seen as a potentially effective component for pharmaceutical pedigree and other track-and-trace systems. [Source]
Delta View Habilitation Centre, whose nearly 300 patients are unable to care for themselves, has plans to utilize RFID technology to help care for patients suffering from dementia. The nursing facility will first use matchbox-sized RFID transmitters to track medical equipment, but Delta View plans in the long term to extend the technology to patient tracking, using the system to help track the whereabouts of the nearly 100 residents who suffer from dementia and are prone to wandering. “It is sometimes difficult to track them physically, but having the digital means would definitely be a bonus to everyone concerned. It would be there in case we need it,” says Delta View’s deputy administrator. [Source]
To help avert errors, the system uses EPC Gen 2 tags to not only identify patients and bags of blood, but also the staff members who draw samples and administer transfusions. [Source]
The NOX system includes RFID readers embedded in walls, surveillance cameras and--in some cases--luminescent dust to track the movement of personnel and assets. [Source]
American Apparel has been piloting item-level garment tracking at a store near Columbia University in New York and plans to have RFID systems installed at all 17 of its New York City stores by June 1. It expects to expand RFID to all 120 of its North American retail stores eventually. The pilot tracked about 40,000 items. The tags were applied during manufacturing, then programmed when they were received at the store and recorded in the inventory system. Tag volumes will grow substantially as the next 16 stores begin using RFID, so American Apparel may start encoding at the point of manufacturing. A typical store system may consist of fixed-position readers at the receiving door and the POS station, perhaps another in the back room, and two or three handhelds. [Source] SEE ALSO [World’s Largest Item-Level RFID Application Launches] [Germany Sees Another Item-Level RFID Apparel Program] [Finnish Retailer Gets Quick ROI on Item-Level RFID] [METRO Unveils Warehouse-to-Checkout RFID System] (http://www.rfidupdate.com/articles/index.php?id=1450)
There was an explosion in the number of malicious attacks in 2007 conducted largely through exploits on social networking Web sites and browser plug-ins, according to Symantec Canada. The computer security vendor released the 13th version of its Internet Security Threat Report in Toronto last week. The report gives an overview of security threats posed to PCs connected to the Internet over the second half of 2007. With an explosive 468% increase in new threats from 2006 to 2007, and nearly half a million new threats emerging in the six-month period covered by the report, the balance is tipping in favour of malware, says Symantec. Now, more than ever, hackers are seeking to siphon data off infected computers for financial gain. Of the top 50 infections, 68% were designed to expose confidential information, according to the report. The government sector is host to a majority of data breaches that could result in identity theft (60%) followed by healthcare (33%). Data theft or loss accounts for most (61%) of the exposed identities, followed by insider theft (21%) and hacking (13%). “The reason [the government sector is] number one is the data they collect is very valuable,” Symantec explains. “It contains addresses and birth dates – that’s the information needed to create an identity.” [Source] [Internet Security Threat Report]
According to Kaspersky Lab’s analysts, in 2007 the number of new malicious programs recorded on the Internet, including viruses, worms and Trojans, amounted to 2,227,415, which represents a four-fold increase on the results for 2006 (535,131). The overall volume of detected malware reached 354 GB in 2007. Before the year was out, many leading antivirus experts were calling this huge increase in malware an extreme situation. Some antivirus companies were simply incapable of effectively combating the sheer number of threats. However, the year-end results for 2008, according to the experts, will demonstrate a very different trend. They forecast not a four-fold but a 10-fold increase in the number of new malicious programs – an increase of more than 20 million. In addition to the quantity, the quality of malicious programs is also improving. New and more complex samples are emerging that demonstrate a wide range of hostile behavior and distribution methods. [Source] [Source]
The data breach that exposed the credit and debit card information of 4.2 million Hannaford Bros. supermarket customers earlier this month appears to have resulted from malicious software, says an InformationWeek report. Malware was found on servers at hundreds of Hannaford Bros. stores in the Northeast and Florida. The company has fixed the software, but investigations into the breach continue. At least one industry expert expects that retailers will continue to be data breach targets. One analyst said retail is “where the money is... The security landscape has shifted from people trying to make a name for themselves to people trying to keep hidden. You definitely will see more attacks.” [Source]
Security breaches that can be traced back to the actions of one individual are not the fault of one “stupid” employee but rather a failure to educate and engage the whole workforce around the importance of good security practice, according to a leading academic. Speaking at the Cyber Warfare 2008 event in London, a senior research fellow at the Defence College of Management and Technology at Cranfield University said most companies overlook the importance of employee behaviour when it comes to securing their IT and information systems. “Lots of organisations claim to have a culture of information security but in most cases I would say that this is not true and unfounded,” she told an audience made up of military and civilian IT security specialists. “We need to get end users on side. We can’t ignore them anymore. We need to move away from command and control and interact with them.” IT security managers do not like the idea of empowering the end users and would prefer to be able to “lock them down” in the same way employees’ PCs can be locked down. [Source] SEE ALSO: [Schneier: The Difference Between Feeling and Reality in Security]
Intel will release anti-theft technology for laptops later this year. Details are few, but it is believed the new feature, to be added to Intel’s Active Management Technology, will help IT managers protect sensitive data on stolen laptops by making the processor and storage inaccessible. In the event of theft, the technology will “basically lock the system, lock the disk, so people cannot be maliciously using and getting data.” [Source]
In the long-running Real ID staring match, the U.S. Department of Homeland Security ended up being the first to blink. Homeland Security announced last week that all 50 states and the District of Columbia will be technically Real ID-compliant by the May 11, 2008 deadline—even though many states actually have rejected the concept and have zero plans to embrace a national ID card. This means Americans will face no new hassles when using their licenses to enter federal buildings or fly on airplanes starting on May 11. But the way this turned out is so odd it’s worth repeating. States including New Hampshire, Maine, South Carolina, Oklahoma, Washington, and Montana have enacted laws saying “hell no we’ll never comply with Real ID.” And Homeland Security officials carefully ignored those public votes of condemnation, instead pretending that those states really intend to acquiesce by the next major deadline of December 31, 2009. [Source]
The CDT sent a letter to the Senate Judiciary Committee highlighting Department of Homeland Security Secretary Michael Chertoff’s recent testimony in which he wrongly asserted that the personal information stored on REAL ID cards will be safe from unauthorized access, and accused privacy advocates of spreading “misinformation.” In fact, the REAL ID Act and regulations mandate that Americans’ personal data be stored in an unsecured barcode, which can be easily scanned with widely available readers. [Source] [PDF of letter]
Agencies are moving slowly to equip federal employees with new and more sophisticated identification cards, and most have not yet installed the technology needed to use the credentials’ security features, witnesses told the House Oversight and Government Reform Management Subcommittee last week. “We have to be careful, otherwise our eagerness to improve security can increase spending without improving security,” said the subcommittee Chairman. “Agencies aren’t gaining anything from the cards if employees just wave them at a security guard instead of feeding them through a reader.” A GAO study of eight agencies concluded that none met the OMB’s goal of issuing new ID cards to all employees and contractors who had worked with that agency for 15 years or less, and most of those surveyed were not using the cards’ features. [Source]
Canada’s biggest police association says a Supreme Court ruling on who should pay the cost of digital surveillance should clear the way for the federal government to reintroduce legislation that would help authorities to monitor Internet and wireless communications. Canada’s top court last week dismissed an appeal by Telus Mobility, which wanted to be compensated for digging up call records as part of two 2004 criminal investigations in Ontario. The court ruled Telus failed to prove it was forced to take “unreasonable” steps to comply with a court order to hand over the data. The Canadian Association of Chiefs of Police believes the ruling has removed one of the biggest roadblocks that has delayed the reintroduction of so-called “lawful-access legislation.” The association has been lobbying Ottawa for such a law since the late 1990s. [Source] See also: [RCMP Say ISPs Slow Them Down] [Canadian Lawful Access Debate Returns] and for background see [U of T Report: Private sector sharing of personal information with police: retail, telcos, airlines and banks]
The Bush Administration announced plans last week to initiate a domestic surveillance program utilizing the country’s sophisticated spy satellites. Secretary of Homeland Security Michael Chertoff said that the program would be rolled out in stages, and that the program would begin by tracking the effects of climate change, monitoring hurricane damage and generating terrain maps. Once the Department of Homeland Security successfully addresses privacy and civil rights concerns, the satellite network will also be used to aid law enforcement. Members of Congress have voiced concerns over the program’s legality. [Source] See also: [Intelligence Agencies Using Google Technologies] and [Google, UN Unveil Project to Map Movement of Refugees]
The ACLU is challenging National Security Letter (NSL) statutes on two fronts, testifying before Congress and filing a lawsuit in federal court in its fight to end the government’s abuse of NSL powers. NSLs, secretly issued by the government, are used to obtain access to personal customer records from ISPs, financial institutions and credit reporting agencies. Recipients of the NSLs are generally forbidden, or “gagged,” from disclosing that they have received the letters. “As it stands, the NSL statutes invite abuse and both the FBI and Department of Defense have repeatedly accepted that invitation by manipulating the powerful tool Congress gave them,” said the Director of the ACLU Washington Legislative Office. “In the past two years the Department of Justice’s Inspector General has released consecutive reports lambasting the FBI for its systematic exploitation of NSLs. The FBI’s solution of creating stricter internal guidelines is futile since the bureau has proven time and again it cannot police itself. If Congress doesn’t move quickly to bring this authority in line with the Constitution, there’s no doubt there will be further misuse and misconduct.” “The current National Security Letters statutes do not appropriately protect the privacy of innocent people,” said the ACLU National Security Project Director. “Congressman Nadler’s bill would preserve the government’s ability to investigate people who are actually security threats, but it would also provide important – and constitutionally required – safeguards for civil liberties.” The ACLU and New York Civil Liberties Union also filed a federal lawsuit in New York this week to uncover the extent of the FBI’s misuse of National Security Letter powers. Specifically, the lawsuit seeks the release of records pertaining to the FBI’s use of NSLs at the behest of other agencies including the Department of Defense (DoD) as well as documents concerning the FBI’s use of its gag power. 
[ACLU legal complaint] [ACLU testimony] [Other ACLU documents]
The Winnipeg Police Service laid out a timeline last week for a pilot project that will see public surveillance cameras on city streets by early 2009. Work will get underway in coming weeks to establish a police-involved community safety group to plan the project’s scope, explore privacy issues, technical requirements and who will ultimately pay for the cameras to go up. After the group’s work is complete, police will then consult with communities by the fall to address their concerns before installing the cameras, which police believe will help them in their fight against street crime. [Source] [Winnipeg. Transit gets cash injection for camera plan]
Chief executives of firms that expose customers’ confidential data should be put under arrest and jailed, according to a survey conducted by web security firm Websense. The survey of over one hundred global security professionals was conducted at the annual e-Crime Congress in London. Over a quarter of respondents said that a jail sentence is the appropriate punishment for a serious data breach, while only 3% said they did not believe any legally enforced punishment was necessary. In the 2007 survey, only 74% of the security professionals believed the Board should be responsible for data breaches, but this year the figure increased to 95%. However, fewer respondents blame IT - only 5% said the IT department should be responsible for breaches, in comparison to last year’s 21%. This change of opinion could stem from the large number of data breaches that have occurred since last November’s HM Revenue and Customs loss of 25 million data records which were stored on two discs. [Source] See also: [Symantec CEO Calls for Federal Data Breach Legislation]
The recent discovery of the remains of two children who were kidnapped and murdered late last year has prompted a plan from the South Korea National Police Agency to install Global Positioning System (GPS) technology on all cell phones nationwide. Currently, only 20% of the nation’s mobile phones include GPS technology. Police hope that GPS will better equip them to deal with abductions. They are also encouraging parents to use RFID tags on their kids’ clothing or bags in order to track them via mobile phone. Currently, this type of RFID is being tested in two Japanese elementary schools. [Source]
This week, federal lawmakers will hold a hearing on a proposal to let public schools use millions in federal grants to blanket the halls of learning with surveillance cameras. Those grants have typically been used to install metal detectors, lights and locks, as well as paying for security training for students and employees. The bill adds closed circuit surveillance cameras to the list of items eligible for Justice Department Safe School grants, ups the funding from $30 million annually to $50 million and increases the federal share of any outlays to 80%, up from the current 50-50 split. In what seems a plain attempt to raise the ire of Bruce Schneier, the bill would bar schools from using the money for actually assessing what the threats and weaknesses to the school are. That eligible item is replaced in the bill by tip lines for reporting dangerous students. New Jersey congressman Steve Rothman (D) introduced the School Safety Enhancements Act last May, and the measure has 53 co-sponsors. [Source]
A fifth of married internet users regularly snoop on their spouses’ emails and text messages, Oxford University researchers have found. The survey found general agreement between couples about the acceptability of certain online behaviours. But 46% of the 2,401 married people asked by the Oxford Internet Institute disagreed on whether it was acceptable for a partner to visit adult sites. Men were more likely to accept such behaviour in their partner than women. Meanwhile, 13% of respondents admitted to checking up on their partner’s browser history. Unsurprisingly, 97% would be unhappy about their partner falling in love with someone else via the internet. [Source]
Staff at the FCC are expected to recommend that it review rules on how phone and cable companies can use customer information as they try to take business from each other. The FCC enforcement bureau will recommend that the commission reject a complaint by cable operators charging that Verizon Communications violated the agency’s customer privacy rules by using customer information to prevent them from switching their phone service to cable. [Source]
A new website has been created to fill in the gaps in the upcoming do-not-call telephone number registry. Canadians can register at ioptout.ca, choose the entities from which they don’t want to receive unsolicited marketing telephone calls and the website automatically informs those entities via e-mail. [Source] [Do-not-call faces challenges]
The security of the most widely used standard in the world for transmitting mobile phone calls is dangerously flawed, putting privacy and data at risk, two researchers warned. Researchers David Hulton and Steve Muller showed at a Black Hat event in the U.S. last month how it was possible to break the encryption on a GSM (Global System for Mobile Communications) call in about 30 minutes using relatively inexpensive off-the-shelf equipment and software tools. Hackers could listen in on phone calls from distances of up to 20 miles or farther away. The researchers are still refining their technique, which involves cracking the A5/1 stream cipher, an algorithm used to encrypt conversations. In about another month, they’ll be able to crack about 95% of the traffic on GSM networks in 30 minutes or faster with more advanced hardware. Their research has been motivated in part by the absence of a more secure encryption method despite years of warnings about GSM. [Source]
In an apparent workaround, the Pentagon has colluded with the FBI to gather information on people in the U.S. Pentagon documents, released after the ACLU sued for disclosure, confirm that the Defense Department took advantage of the FBI’s wider domestic spying powers to gather financial and communications data using national security letters, administrative subpoenas that don’t require court approval. The ACLU worries that the Pentagon “is evading the limits on its own power by turning around and asking the FBI to get information for it.” [Source] [Source]
Bipartisan groups in Congress are pressing to place new controls on the FBI’s ability to demand troves of sensitive personal information from telephone providers and credit card companies, over the opposition of agency officials who say they deserve more time to clean up past abuses. Proposals to rein in the use of secret “national security letters” will be discussed over the next week at hearings in both chambers. [Washington Post]
Intelligence centers run by states across the country have access to personal information about millions of Americans, including unlisted cellphone numbers, insurance claims, driver’s license photographs and credit reports, according to a document obtained by The Washington Post. One center also has access to top-secret data systems at the CIA, the document shows, though it’s not clear what information those systems contain. Dozens of the organizations known as fusion centers were created after the Sept. 11, 2001, terrorist attacks to identify potential threats and improve the way information is shared. The centers use law enforcement analysts and sophisticated computer systems to compile, or fuse, disparate tips and clues and pass along the refined information to other agencies. They are expected to play important roles in national information-sharing networks that link local, state and federal authorities and enable them to automatically sift their storehouses of records for patterns and clues. Though officials have publicly discussed the fusion centers’ importance to national security, they have generally declined to elaborate on the centers’ activities. But a document that lists resources used by the fusion centers shows how a dozen of the organizations in the U.S. rely far more on access to commercial and government databases than had previously been disclosed. Those details have come to light at a time of debate about domestic intelligence efforts, including eavesdropping and data-aggregation programs at the National Security Agency, and whether the government has enough protections in place to prevent abuses. [Source] SEE ALSO: [Solove: Paper: Data Mining and the Security-Liberty Debate]
The Doer government will soon introduce two pieces of legislation that put law and order and the safety of health workers ahead of privacy concerns. The first bill will make it mandatory that doctors and health-care workers report to police that they are treating a patient with a gunshot or stab wound. The second will allow for a patient’s blood to be tested without consent for contagious diseases such as HIV, hepatitis or tuberculosis if front-line medical service workers have been contaminated by body fluids. Both pieces of legislation will be introduced within days and will likely pass without any fuss from the Opposition -- both were earlier Tory private members’ bills. [Source]
The Alaska state legislature has passed a new identity theft law. The new law, three years in the making, was passed by a 20-0 vote in the State Senate after previously passing the House. The new law includes provisions requiring companies to notify the state’s attorney general in the event of a data breach, and gives individuals greater control over their personal credit information. [Source]
Two bills aimed at protecting Iowans from identity theft are making their way through the state house. The first, a measure to let consumers inexpensively put a credit freeze on the personal data held by credit rating agencies, was sent to Governor Culver. The second measure was sent back to the Senate for continued debate. That bill proposes requiring businesses to implement security measures that prevent unauthorized access to customers’ sensitive financial information and to notify consumers when a security breach takes place. [Source] and [New Illinois Bill Aims to Fight ID Theft]
Virginia Senator Jim Webb will introduce legislation aimed at easing school officials’ concerns over when it is appropriate to disclose student medical records. His announcement comes almost a year after a disturbed gunman killed 32 students and himself at Virginia Tech. It addresses one of the key issues raised by a panel formed by Governor Tim Kaine to investigate the April 16, 2007 shootings. The measure would add a “safe harbor” provision to a 1974 federal privacy law. That change would allow school officials to release information if it’s deemed necessary to protect the student or general public. It further clarifies that the law doesn’t prohibit sharing records with off-campus medical providers who also are providing treatment to a student. [Source] and [Music City To Create Homeless Database]
A survey from Toronto, Canada found 12% of employers always or usually use online job search engines and social networking sites to research job candidates. Only 32% report they do so on occasion. The information on the survey came from 281 hiring managers and human resource professionals, and 511 workers. The survey also reported approximately 19% of employers say they are likely to start using or increase their use of these resources to research job candidates in 2008. Vault.com’s Social Networking Web Site Survey of 700 employers showed 44% are using social networking sites as an informal part of the referencing process. [Source] http://tinyurl.com/55wbml
60% of knowledge workers in the U.S., U.K., and Australia will have effectively stopped deleting documents, e-mails, audio, and video files from their hard drives by 2010, and we will soon see this taken to another level with widespread proactive recording in the workplace, according to Australian research company S2 Intelligence. “By 2013, we are going to be confronted with workers who want to record the proceedings in all meetings they attend, and record and keep all their phone calls,” said Dr Bruce McCabe, managing director of S2 Intelligence. “And they won’t always ask for permission.” Additionally, new software technologies will make it increasingly practical to index, search, and retrieve all types of information from personal archives, including snippets from within sound and video files. “Organizing and deleting files takes time, and well-paid workers already find it more attractive to just buy another hard drive when they run out of storage,” said McCabe. “Within two years, we can expect the majority of information workers to keep every file they download, and rely on personal search engines to find what will be useful later.” The type of information kept by workers will also expand, boosted by a trend towards proactive life recording by younger workers, who are capturing more and more extensive digital records on their daily activities. The forecasts were released from the recently completed S2 Intelligence report The Future of Business 2008 - 2018, How Information Technology will Transform Industry, Organizations and Work. [Source] SEE ALSO: [Who’s Watching You at Work? ]
Germany was shocked last week to learn that Stasi-like techniques were used to spy on employees of supermarket giant Lidl. Now a report has emerged showing that the chains Plus and Edeka may have done the same. Politicians are being urged to protect employee privacy. A week after reports emerged that the major German supermarket chains Lidl and Schlecker had been spying on their employees, two other giants – the supermarkets Plus and Edeka – have been accused of doing the same. The Web site of the German weekly magazine Stern reported that the two chains had used similar methods to spy on employees on the job, on cigarette and coffee breaks – and even on the toilet. Detectives from a firm hired by the companies allegedly installed miniature cameras in stores, telling the manager that they were part of an anti-theft campaign. Using the cameras and personal observation, the detectives would fill out Stasi-like observation logs including pages and pages of transcripts and details. Allegations surfaced last week against Lidl and Schlecker, Germany’s largest drugstore chain, where, according to union representatives, employees were even surveilled through spyholes. The extent of the spying at Plus and Edeka was, according to Stern, less than at Lidl. [Source] [Source]
Australia’s Deputy Prime Minister Julia Gillard says proposed laws to allow companies to snoop on their workers’ e-mails are needed to protect vital electronic infrastructure from terrorist attacks. The federal government is developing new counter-terrorism measures, which include changes to the Telecommunications Act that would allow companies providing services critical to the economy to read workers’ emails. [Australian IT]
--------