Privacy News Highlights
18–25 April 2008
Contents:
US – DHS Will Require Carriers to Collect Fingerprints
US – Arkansas Uses Program to Check Faces for ID Cards
CA – Report of Legislative Review of BC Personal Information Protection Act
CA – Privacy Commissioner Releases Annual Report and Survey on Privacy Attitudes
CA – Privacy Commissioner Concerned With Ticketmaster’s Privacy Practices
CA – Canadian Businesses to Have Leeway Under Security Breach Law
US – After Breach, Consumers Vote With Their Feet: Study
US – Privacy Advocates: Consumer Education Isn’t Enough
NZ – Central Lab Tests Database Worries New Zealand GPs
EU – EU Vows No Privacy Breaches With US Visa Accords
UK – ICO Privacy Watchdog to Get New Powers
UK – British Public Wary of Data Centres
UK – Government Considering Outlawing Disclosure or Loss of Data
US – U.S. Consumers Concerned about ID Theft Risk
UK – FSA Warning: Financial Companies Underestimate ID Fraud
US – Canadians Detained at U.S. Border Will Be Ordered to Provide DNA Samples
US – Feds to Collect DNA From Every Person They Arrest
AU – Whistleblower Airs Privacy Concerns over Health Data
US – Personal Info on 2.1 Million University of Miami Patients Stolen
CA – The New Transparency: Surveillance and Social Sorting
EU – File-Sharing Should Not Be a Crime, Says European Parliament
EU – Google Starts Street View in Europe
UK – RIPA’s Creeping Effect on Privacy
UK – British Police Use Facebook to Gather Evidence
US – Probation for Sergeant Who Misused Databases
US – Behavioral Targeting Working Group Launched
US – Suit Accuses Blockbuster, Facebook of Privacy Law Violations
PH – Philippine Bill Filed to Tackle ‘Identity Theft’ from Internet
AU – Aussies Follow Canadian Lead on Breach Notification
US – FBI Tells ISPs: Keep Subscriber Data
US – CDT Calls for Judicial Oversight of FBI Information Demands
US – Appeals Court Upholds Search of Laptop at LAX
US – Boulder District OKs Cell Phone Search Limits
US – Consumers Don’t Understand RFID Risks: Study
UK – RFID Hacks Defeat New British Passport Security
US – Federal Bill Introduced Regulating US Passport Manufacturers
US – Demand “High” for RFID-Enabled U.S. Border Cards
US – NIST Releases Draft Info Systems Risk Management Document for Comments
UK – Firms Treble IT Security Spending Since 2002
EU – Company Passwords Traded for Chocolate
WW – IBM Recommends Global Security Organization
CA – Chip and PIN Card Deployment Reaches 200,000
EU – Secret Pact Allows the US to Spy on UK Motorists
UK – Video Cameras Give Police Head Start in Cracking Crime
US – NJ Court Finds Users Can Expect Privacy from Internet Providers
US – Gov’t Must Reveal Watch-List Status to Constantly Detained Americans: Court
US – Naked Scanners Deployed in NYC, LA
AU – Australian Bill to Allow Employers to Intercept Employee Communications
The U.S. Department of Homeland Security (DHS) will require airlines and cruise
ship operators to collect fingerprint data for the federal government under a
new proposed rule of the U.S. Visitor and Immigrant Status Indicator Technology
program. Under the new rule, non-immigrant foreign travelers would have their
biometric data and other information collected and handed over to DHS for
cross-checking with anti-terror databases. DHS is collecting public comment on
the new rule, which is scheduled to go into effect in January 2009. [Source] [US-VISIT Air-Sea
Biometric Exit, Notice of Proposed Rulemaking] [Fingerprinting
proposal rankles travel companies]
The state of Arkansas is using a facial-recognition program on every image recently captured for driver’s licenses and identification cards to check for matches, a step officials say will ferret out fraud but which raises privacy fears among others.
The program, funded by a federal grant, already allowed state employees to scan
through 2.6 million images, said the state Department of Finance and Administration.
The funding initially went toward halting fraud among commercial driver’s
licenses, but quickly expanded. [Source]
and see also: [Face
recognition scans for air passengers to begin in UK this summer]
The Special Committee to Review the Personal Information Protection Act has
just tabled its review report, with 31 recommendations. The only significant
recommendation is that there should be mandatory breach notification, bringing
the report into line on that score with both the Alberta and federal reviews. [Report]
[Review
of PIPA] See also: [New
BC health law could lead to privacy abuse]
The Privacy Commissioner of Canada has issued her annual Privacy Act report, which chronicles the year in privacy from a
public sector privacy perspective. The report places the spotlight on the
ongoing frustration with a woefully outdated privacy law and the mounting
concern with identity theft, cross-border data transfers, and Internet harms
such as spam. The Commissioner has also released the results of a nationwide
Ekos study on Canadians’ attitudes toward privacy. The results make a
convincing case that good privacy is also good politics. Among the more notable
results:
- 80% of Canadians place great importance on having strong privacy laws, despite the fact that more than half of Canadians are not aware that Canada actually has privacy laws in place.
- 77% of Canadians believe in security breach disclosure laws where sensitive information is compromised, and 66% believe such laws are needed even for non-sensitive information.
- Only 17% of Canadians believe the government takes protecting personal privacy seriously. That number dips to 13% of Canadians who believe businesses do so.
- 72% of Canadians believe spam is a significant problem. [Source]
The federal Privacy Commissioner launched an investigation into the information
collection practices of Ticketmaster Canada after a private citizen filed a
complaint alleging that the company’s policies and practices on the collection,
disclosure and use of customers’ personal information did not comply with
[PIPEDA]. The Information and Privacy Commissioner of Alberta, Frank Work,
investigated a similar complaint into how Ticketmaster obtained consent to
collect its customers’ personal information and released an investigation
report late in 2007. ... “I am now satisfied with the measures Ticketmaster
undertook to resolve the complaints that were brought to our attention,” says
Jennifer Stoddart. “But I am very concerned that, seven years after PIPEDA was
enacted, a major online company operating throughout Canada was found to be in
violation of the legislation. ...” [Source] [Backgrounder -
Ticketmaster Investigation]
The federal government is proposing to leave it up to companies to decide when to
tell customers of a loss of personal information and only in cases where
businesses determine there is a “high risk of significant harm” from the
security breach, according to a draft legislative plan obtained by Canwest News
Service. After a wave of high-profile cases of lost or stolen data from company
computers and rising concerns over identity theft, Industry Canada last fall
announced plans to reform the data protection law to include a clause about the
mandatory notification of breaches involving personal information. [Source] [Source]
See also: [Watchdog
monitors Chrysler’s data loss]
Survey results show that nearly one-third of consumers terminate their relationship
with an organization following a security breach, according to a U.S. survey by
The Ponemon Institute. 31% of those surveyed said they terminated their
relationship with the organization that suffered the breach. Following a
breach, consumers should not only cease shopping or using the services of the
organization, they should let the organization know why. Also, according to the
survey, 26% of respondents took no action after being notified and 57% said
they lost trust and confidence in the organization. Other key findings include:
- 55% of respondents had been notified of two or more data breaches in the previous 24 months, including 8% with four or more notifications;
- More than 55% of respondents state that the notification about the data breach occurred more than one month after the incident, and more than 50% of respondents rated the timeliness, clarity, and quality of the notification as either fair or poor;
- Less than one-third of respondents said that the organization offered services to protect them from further harms; of those who opted into such services, 97% rated them good to excellent; and,
- 2% of respondents that had been notified of a data breach experienced identity theft as a result of the breach, while 64% were unsure if they were a victim of identity theft. [Source] [Source] [Source]
Two more advocacy groups have signed on to the notion that Congress should pass “do
not track” legislation to protect consumers from having data gathered about
their online habits. The Electronic Privacy Information Center (EPIC) and the
Center for Digital Democracy yesterday voiced their support for a new law. EPIC
Executive Director Marc Rotenberg said, “I don’t think people are wrong to
believe a privacy policy means that their personal information won’t be
disclosed to others. I think that’s a common-sense understanding of what a
privacy policy means. I think businesses are wrong to post a privacy policy and
then believe that provides a basis to disclose that information to others.” [Source]
Auckland GPs are worried about a regional repository for all hospital and community lab
test results. The shared repository, called TestSafe, was introduced in June
2006. Since then, results of all tests ordered by GPs have automatically gone
into TestSafe, unless the GP ticks an “opt-out” box on the lab form. More
recently, general practices have been able to access TestSafe, after signing
agreements covering privacy and other issues. Despite this, some GPs in the
Auckland region either didn’t know anything about TestSafe or believed they
hadn’t been involved with it, when contacted this month. Some general practices
have reacted by requesting that none of their patients’ results ever be shared.
Privacy commissioner Marie Shroff said, in a written statement, she is aware
privacy issues within the TestSafe scheme have been taken very seriously and
carefully considered. [Source]
The European Commission has pledged that any pact with the U.S. to allow visa-free
transatlantic flights for all Europeans would respect privacy rights cherished
in Europe. Most old EU states are already part of the US visa waiver program,
which allows their citizens to travel without visas. However, Greece and 11 of
the 12 mostly ex-communist countries that joined the bloc in 2004 and 2007 are
not, and the EU has set a target of concluding pacts for all 27 states by
October. However, the United States has given no assurances on the EU target of
clinching visa waiver programs for all EU states by October, arguing that some
states still had much to do to meet standards required. [Source]
The UK Information Commissioner’s Office (ICO) has received expanded powers to
conduct spot checks on government departments beginning later this year. Gordon
Brown granted the added inspection powers on the heels of an ICO-sponsored
report showing that 94 serious data breaches have occurred since the HM Revenue
and Customs breach last November, where the personal information of 25 million
families was lost. A third of the 94 breaches occurred in central government
and associated agencies. [Source]
[Privacy chief notified of 94 data
breaches since HMRC debacle]
58% of Britons surveyed in a recent poll indicated they believe data centres hold a
great deal of sensitive personal data, such as credit card payment data, and
nearly 76% of those surveyed worry about the security risks these centres pose.
The results showed that many citizens are unfamiliar with data centres’ backup
procedures, as well. [Source]
A new law making it an offence to “intentionally or recklessly” disclose personal
data is being considered by the UK government. The Ministry of Justice said it
would “reflect carefully” on whether to accept a Liberal Democrat amendment,
passed by the House of Lords last night in a defeat for the government, which
would make it a criminal offence to release or lose personal data. Peers voted
by 134 to 130 to accept the Liberal Democrat amendment to the criminal justice
and immigration bill. [Source] [Govt
suffers Lords defeat over data protection]
A new study by Bankrate reveals that 80% of U.S. consumers are concerned about
the potential of falling victim to identity theft, and a third said they knew
someone who had already been victimized. Data theft over the Internet was the
biggest fear cited by respondents, while leaks by businesses ranked second. Of
the 77% of those surveyed who said they had Internet access, 36% said ID theft
fears kept them from shopping online, and another 48% said they avoided online
banking for the same reasons. [Source]
Financial services companies must change their attitude to security to curb the rise in
identity fraud, the Financial Services Authority says. The FSA issued the warning
following a review of data security systems and controls at 39 firms including
banks, building societies, insurance companies and financial advisers. Although
it found examples of good practice across the industry, it said firms
underestimated the risk of data loss and fraud to their businesses – especially
to their customers. The call comes just days after Information Commissioner
Richard Thomas said companies and government departments had suffered an
“inexcusable number” of security breaches since the loss of millions of
personal details last year. The FSA said that, on occasions of significant data
loss, firms seemed more concerned about adverse media coverage than on being
open and transparent with their customers. [Source]
Canadians suspected of offences at the U.S. border will be ordered to provide DNA samples
starting later this year. The new U.S. policy will require that DNA swab
samples be taken from anyone arrested in the U.S. and from foreigners detained
at the border who are not legal U.S. residents. Detained Canadians would only
be subject to DNA collection “if there were sufficient grounds to justify an
arrest or detention,” said U.S. Department of Justice spokesman, adding that an
illegal presence in the United States would be one such ground. “If any person
is arrested, or a non-U.S. person is detained, the circumstances in which DNA
would be collected would, as a general rule, be congruent with those in which
the person would be fingerprinted under current practice.” DNA profiles,
collected to fight and solve crime, go to the FBI and are entered in the
national law-enforcement DNA database. [Source]
Going forward, those arrested by a federal law enforcement agency will leave a piece
of their DNA with authorities before release, since federal efforts to expand
the CODIS DNA database got a Congressional green light. Currently, only
convicted felons arrested by federal authorities have DNA collected. The new
effort, which is intended to prevent violent crime, means that the 140,000
individuals arrested each year will undergo a cheek swab DNA collection
procedure, whether later convicted or not. Supporters of the database expansion
believe it could help get violent criminals off the streets, while others raise
concerns about the privacy of innocent people. [Source]
See also: [Calif.
attorney general wants to expand use of DNA results] and [State Laws on DNA Data
Banks] and [Newborns’
DNA targeted for state research, profiling] and also: [Police DNA Expert in
Britain Calls for Database of Young Offenders]
A two-year overdue patient medical records system for Australian public hospitals may leave patient data vulnerable. A Melbourne doctor who was briefed on the $323 million HealthSMART project late last year says that patients’ most intimate details could be accessible to “literally anyone in the world” once the system launches. HealthSMART is set to debut in May 2009. A government spokesperson said: “Health services are fully responsible and accountable to ensure the data they collect for, or about, their patients is in line with the Health Records Act.” [Source]
Computer tapes containing confidential information of 2.1 million University of Miami patients were stolen last month when thieves took a case out of a van used by a
private off-site storage company, UM said Thursday morning. “Anyone who has
been a patient of a University of Miami physician or visited a UM facility
since Jan. 1, 1999, is likely included on the tapes,” the university said in a
news release. “The data included names, addresses, SSNs or health information.
The university will be notifying by mail the 47,000 patients whose data may
have included credit card or other financial information regarding bill
payment.” The information was in a container holding computer back-up tapes.
The container was removed from a vehicle in downtown Coral Gables on March 17.
[Source]
Ontario and Canadian researchers will try to pin down the social effects of increased
monitoring on the fabric of society, on the levels of trust between individuals
and organizations and on “social relations generally when people know that they
are being watched in such an extensive way.” Credit card purchases, business
calls monitored for quality assurance and closed-circuit TV in stores. Internet
sales, cellphone calls, BlackBerrys with global positioning systems and Google
searches. They’re all part of the surveillance society we increasingly inhabit
– one in which our movements, identity, transactions and interests can be
tracked. The capacity to manipulate, disseminate and profile personal
information has escalated at an “extraordinary” pace, says University of
Victoria privacy expert Colin Bennett. It’s all very complex, which is why for
the next seven years, Bennett, four graduate students he’ll hire and researchers
from four other universities will take part in a $2.5 million research project
called The New Transparency: Surveillance and Social Sorting, headquartered at
Queen’s University in Kingston, Ont. The grant from the Social Sciences and
Humanities Research Council is a signal that the encroachment on private life
is worth close examination. [Source]
The European Parliament has said that copyright-infringing music and film
file-sharing should not be criminalised. The Parliament has said that
file-sharers should not be prosecuted as criminal offenders unless they seek to
profit from the sharing. [Source]
[The
Motion]
Google has started recording the streets of its first non-US city for its Street View
service. Google vans with mounted cameras have been spotted on the streets of
Rome and Milan. [Source] See
also: [US couple sues Google over
house picture] and [Google
changes Street View privacy policy]
A Poole-in-Dorset couple calls their city council’s spying activities “a totally outrageous use of legislation,” says a National Public Radio report. In trying to get their three-year-old into their school of choice, Jenny Peyton and Tim Joyce were shocked to learn during the placement interview that city officials had tracked their daily routine for two weeks to make sure the couple hadn’t falsified residency information. The council conducted the surveillance using their powers under the Regulation of Investigatory Powers Act. Known as RIPA, the 8-year-old act was designed, in part, to combat terrorism, but is increasingly used in Britain to find underage smokers, delinquent dog walkers, and other seemingly petty crimes. “The government, three years ago, introduced legislation which eliminated all distinction between criminal offenses,” said privacy advocate Simon Davies of Privacy International. “So now you can be compulsory DNA tested for littering.” [Video Source]
The Greater Manchester Police force is looking for friends – on Facebook. It has
created a Facebook application to collect leads for investigations, marking the
first use of the social networking site by U.K. law enforcement. The
application delivers a real-time feed of police news and appeals for
information. Next to that content is a feature to share a particular story with
other friends in a person’s network, as well as post comments. A “Submit
Intelligence” link takes a Facebook user to the police Web site where they can
anonymously submit tips. Another link leads to the videos on YouTube featuring information
on the police force, ongoing investigations and other advisories. So far about
750 people have put the application on their profile, the police said. They
estimate about seven million of the 59 million worldwide Facebook users live in
the U.K. [Source]
A Fairfax County police sergeant was sentenced yesterday in federal court in
Alexandria to two years’ probation for his admission that he checked police databases
for someone who was the target of a federal terrorism case. [Source]
The Anti-Spyware Coalition has created a new internal working group to review
privacy concerns raised by partnerships between behavioral targeting
advertising companies and ISPs. The concerns stem from instances in which these
business relationships result in all, or substantially all, user Web traffic
being passed to advertisers. In many instances the activities raising privacy
concerns are taking place by exploiting “borderline” acceptable practices in
order to skirt anti-spyware products. The new working group will convene to
specifically review current guidelines and recommend changes if needed. [Source]
A class-action lawsuit is brewing over Facebook’s controversial Beacon tool and
Blockbuster’s involvement with it. Texas native Cathryn Elaine Harris has filed
a lawsuit against Blockbuster, alleging that the company is actively and
knowingly violating the Video Privacy Protection Act by reporting users’
activities back to Facebook. The suit seeks to be certified as a class action,
and asks that Blockbuster pay out $2,500 per incident in which it disclosed
personally identifiable information. The complaint, seen by Ars, points out
that users’ off-Facebook activities on Blockbuster are being reported back to
Facebook, regardless of whether users choose to publish the information for
their friends to see. Harris says that Blockbuster’s activities violate the Video
Privacy Protection Act, which prohibits “video tape service providers” from
allowing third parties to access personally identifiable information about
someone’s renting or buying habits without their express, written consent. (The
law was enacted in 1988 after a newspaper published records of 146 videos that
Judge Robert Bork had rented during his consideration for a Supreme Court
vacancy.) Harris says that Blockbuster knowingly violated the law by sending
user information to Beacon when it was first launched, and that the company
continues to do so to this day. [Source]
[Facebook
reevaluating Beacon after privacy outcry, possible FTC complaint] [Facebook
sorry for Beacon slip-ups, offers full opt-out]
Publishing a person’s personal data retrieved from the Internet might soon be a crime in
the Philippines, if a bill filed yesterday at the House of Representatives is
passed. Under the bill, a stiff penalty would be imposed against “identity
theft” and the “malicious” disclosure of personal information by the media
without the consent of the subject. [Source]
Canadian data breach notification guidelines - jointly created by the Information and
Privacy Commissioners for British Columbia and Ontario - have made their way to
the land down under. Last week, Australian Privacy Commissioner Karen Curtis
released the Voluntary Information Security Breach Notification Guide, which
aims to assist organizations in effectively responding to information security
breaches. The draft guide credits voluntary guidelines by both the Privacy
Commissioners of Canada and New Zealand. [Source]
FBI Director Robert Mueller and a number of members of Congress are pushing to
require Internet service providers (ISPs) to retain subscriber activity data
longer in order to provide more options for the investigation of criminal
activity online, according to CNet. Mueller told Congress data should be
retained for a period of two years. “Records retention by ISPs would be
tremendously helpful in giving us a historic basis to make a case on a number
of child pornographers who use the Internet to push their pornography,” Mueller
said. [Source]
The Center for Democracy and Technology has called for judicial oversight of
National Security Letters (NSLs); the documents are used by the FBI when
seeking records containing sensitive personal information. Successive Inspector
General reports have uncovered abuses and mistakes by the FBI in issuing the
NSLs. In testimony before the Senate Judiciary Committee, CDT’s Greg Nojeim
said that FBI self-policing does not work. CDT and other organizations issued a
letter endorsing the NSL Reform Act, S. 2088, which would place more
restrictions on how NSLs are issued and subject them to judicial oversight. [Greg Nojeim’s
testimony to the Senate Judiciary Committee, April 23, 2008] [Letter from Advocates
on National Security Letters Reform Act, April 22, 2008]
It may hold our financial records, innermost thoughts and pictures of our loved
ones - but there’s nothing private about a laptop computer at the nation’s
borders, a federal appeals court ruled last week. In a closely watched
search-and-seizure case, the 9th U.S. Circuit Court of Appeals overturned a
lower court’s decision to toss evidence of alleged child pornography found on a
traveler’s computer at Los Angeles International Airport. “[The traveller] has
failed to distinguish how the search of his laptop and its electronic contents
is logically any different from the suspicionless border searches of travelers’
luggage that the Supreme Court and we have allowed,” wrote Judge Diarmuid
O’Scannlain. [Source]
The Boulder Valley School District won’t search a student’s cell phone without the permission of the student or parent under an agreement reached with the ACLU.
The only exception is an emergency in which there is an imminent threat to
public safety. Last May, officials confiscated a 16-year-old sophomore’s cell
phone after a school security officer accused him of smoking and parking in the
wrong lot. Officials then went on to transcribe “incriminating” messages found
on the phone. The district defended the actions as an investigation into
possible student misconduct, but the ACLU said officials violated the student’s
rights to privacy and protection against unreasonable searches and seizures as
well as a state wiretapping law. [Source]
A new study suggests that consumers are ignorant of the data risks inherent with
the use of RFID-enabled identification, according to an article in
RFIDUpdate.com. The study, conducted by researchers at the University of
California-Berkeley, says consumers are not aware that using RFID-enabled
passports, credit cards and other forms of identification may expose them to
eavesdropping by devices more than a few inches away from them. Consumers
responding to the study said they believed direct line-of-sight was required to
read an RFID chip, and that companies provided little information about
security measures or risks involved in their use. Major findings of this study
included:
The report makes no recommendations and has no formal conclusions section, but does include some statements about the implications of the findings. One of the strongest passages reads: “...of particular concern is the reliance of a mental model based upon optical line-of-sight technology; failing to understand the omnidirectionality of RF communication may lead users to miscalculate their level of risk.” [Source]
[Study]
Researchers have demonstrated new hacking tools that allow easy and fast cloning of RFID chips, including those used in new UK biometric passports. RFID passports are easily cloned and, in spite of security advances, it remains possible to ‘spoof’ many nations’ new biometric passports, according to security researchers. Adam Laurie, director of The Bunker, said: “The concept is that all
the biometric files on the passport chips are digitally signed, so cannot be
tampered with. However, the problem is that the digital certificate that proves
this is also stored on the passport, so all an attacker has to do is write
their own certificate. The defence to this was for governments to set up a
directory to verify the real certificates. However, only 15 out of around 55
countries now issuing the passports have signed up to the directory launched
last year, leaving huge numbers of passports unverifiable.” The discoveries
follow a series of exploits to clone RFID tags, and rising concerns among
privacy advocates and security experts. A recent research paper from Lausitz
University of Applied Sciences, Germany and Radboud University, The
Netherlands, found that remotely detecting the presence of a passport and
determining its nationality was relatively easy, due to the differences
between each country’s implementation of the international standards. “Although
all passports implement the same international standard, experiments with
passports from ten different countries show that characteristics of each
implementation provide a fingerprint that is unique to passports of a
particular country,” stated the researchers. [Source]
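Laurie’s point is a trust-anchor problem: the certificate that vouches for the signed passport data travels on the chip with the data, so a verifier that trusts it has trusted the attacker’s own certificate. The directory he refers to is a verifier-side fix. The Go program below is an added example written for this digest, not code from The Bunker, the researchers quoted above or the passport standards. It models the ICAO passive-authentication chain (country root CSCA signs a Document Signer Certificate, which signs the Document Security Object holding the data-group hashes) with Ed25519 standing in for the real X.509/CMS machinery; all keys, the country code “UTO”, the data-group contents and the type and function names are constructed for the example. It contrasts a reader that trusts the embedded certificate with one that first validates that certificate against a root set obtained out of band, which is the role the ICAO Public Key Directory plays.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Added example: cut-down model of ICAO ePassport passive authentication.
// Real chips carry X.509 certificates and a CMS-signed SOD; Ed25519 stands in for
// the signature scheme, and a country code stands in for the certificate subject.
// Type and function names are assumptions made for this example.

// DSC is the Document Signer Certificate the chip carries alongside the SOD.
type DSC struct {
	Country string
	Pub     ed25519.PublicKey
	CSCASig []byte // country root (CSCA) signature over Country||Pub
}

// SOD is the Document Security Object: data group hashes signed by the DSC key.
type SOD struct {
	DGHashes map[int][32]byte // data group number -> SHA-256 of its contents
	Signer   DSC              // embedded certificate, exactly as found on the chip
	Sig      []byte           // DSC signature over sodTBS(DGHashes)
}

func dscTBS(d DSC) []byte { return append([]byte(d.Country), d.Pub...) }

// sodTBS serialises the hash table in fixed data-group order so signing is deterministic.
func sodTBS(h map[int][32]byte) []byte {
	var b bytes.Buffer
	for dg := 1; dg <= 16; dg++ {
		if v, ok := h[dg]; ok {
			b.WriteByte(byte(dg))
			b.Write(v[:])
		}
	}
	return b.Bytes()
}
func issueDSC(country string, cscaPriv ed25519.PrivateKey) (DSC, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	d := DSC{Country: country, Pub: pub}
	d.CSCASig = ed25519.Sign(cscaPriv, dscTBS(d))
	return d, priv
}

// personalise "writes" a chip: hash every data group and sign the table with the DSC key.
func personalise(dgs map[int][]byte, signer DSC, dscPriv ed25519.PrivateKey) SOD {
	h := map[int][32]byte{}
	for dg, data := range dgs {
		h[dg] = sha256.Sum256(data)
	}
	return SOD{DGHashes: h, Signer: signer, Sig: ed25519.Sign(dscPriv, sodTBS(h))}
}
func dataGroupsIntact(dgs map[int][]byte, sod SOD) bool {
	for dg, data := range dgs {
		if sod.DGHashes[dg] != sha256.Sum256(data) {
			return false
		}
	}
	return len(dgs) == len(sod.DGHashes)
}

// verifyNaive trusts whatever certificate the chip presents: the weakness Laurie describes.
func verifyNaive(dgs map[int][]byte, sod SOD) bool {
	return dataGroupsIntact(dgs, sod) && ed25519.Verify(sod.Signer.Pub, sodTBS(sod.DGHashes), sod.Sig)
}

// verifyWithPKD first anchors the embedded DSC to a CSCA root obtained out of band
// (the role of the ICAO Public Key Directory), then checks the SOD as above.
func verifyWithPKD(dgs map[int][]byte, sod SOD, pkd map[string]ed25519.PublicKey) bool {
	root, ok := pkd[sod.Signer.Country]
	if !ok || !ed25519.Verify(root, dscTBS(sod.Signer), sod.Signer.CSCASig) {
		return false // no root for that country, or the DSC was not issued by it
	}
	return verifyNaive(dgs, sod)
}

// Demo returns (naive verifier accepts the forgery, PKD verifier accepts the forgery,
// PKD verifier accepts the genuine chip). All keys and data groups are constructed.
func Demo() (naiveForged, pkdForged, pkdGenuine bool) {
	cscaPub, cscaPriv, _ := ed25519.GenerateKey(rand.Reader)
	pkd := map[string]ed25519.PublicKey{"UTO": cscaPub} // one country root, fetched out of band
	dsc, dscPriv := issueDSC("UTO", cscaPriv)
	genuine := map[int][]byte{1: []byte("P<UTOSMITH<<JANE<<<<"), 2: []byte("jpeg-face-jane")}
	chip := personalise(genuine, dsc, dscPriv)
	// Attacker copies the chip, swaps the photo (DG2) and re-signs everything with a
	// DSC of their own, "certified" by a CSCA key that only the attacker holds.
	_, fakeCSCA, _ := ed25519.GenerateKey(rand.Reader)
	fakeDSC, fakePriv := issueDSC("UTO", fakeCSCA)
	forged := map[int][]byte{1: genuine[1], 2: []byte("jpeg-face-attacker")}
	clone := personalise(forged, fakeDSC, fakePriv)
	return verifyNaive(forged, clone), verifyWithPKD(forged, clone, pkd), verifyWithPKD(genuine, chip, pkd)
}

func main() {
	naiveForged, pkdForged, pkdGenuine := Demo()
	fmt.Println("naive accepts forgery:", naiveForged, "| PKD accepts forgery:", pkdForged, "| PKD accepts genuine:", pkdGenuine)
}
```

`go run` on the file prints that the naive reader accepts the altered clone while the directory-anchored reader rejects it and still accepts the genuine chip. Two caveats a verifier must keep in mind: if the issuing country is absent from the directory, the anchored reader cannot authenticate the document at all, which is exactly the state Laurie describes for the countries that have not joined; and passive authentication only detects altered data, so a bit-for-bit copy of a genuine chip, original SOD included, passes both checks here. Detecting a straight copy needs a chip-held private key (ICAO Active Authentication or Chip Authentication), which this model does not include.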
Legislation was introduced last week to require that all US passports be made with only
US-manufactured technology, including the RFID-chip. The text of the bill reads
as follows… [Source]
Washington Technology reports that demand is high for the new U.S. border-crossing card
that frequent travelers can use instead of a passport to enter the country at
certain points. To date more than 140,000 applications for the RFID-enabled
cards have been received. Applications for the U.S. Passport Card will be
processed by the State Department, which is scheduled to begin issuing the
cards in June under the Western Hemisphere Travel Initiative. Passport Cards
will contain a photograph and RFID tag containing information about the
traveler. [Source]
The National Institute of Standards and Technology (NIST) has released the second public draft of Special Publication 800-39, “Managing Risk from Information
Systems: An Organizational Perspective.” NIST is accepting public comment on
the document through April 30. The new draft includes considerable revisions
based on comments on the previous draft. NIST expects to publish a draft
revision of Special Publication 800-30, “Risk Management Guide for IT Systems,”
in July. [Source]
[Source]
A survey commissioned by the Department for Business, Enterprise and Regulatory
Reform (BERR) has revealed that UK companies are spending three times as much
of their IT budget on security as they were six years ago. The 2008
Information Security Breaches Survey was carried out by a consortium led by
PricewaterhouseCoopers and the results were revealed in London this week. The
survey showed that the average UK firm spends 7% of its IT budget on security,
compared to 2% in 2002. During that time the total cost of security breaches to
UK firms has fallen 35%, although a quarter of businesses reported a serious
security breach in the last two years. The survey demonstrates that companies
are becoming more security savvy, demonstrated by the more than 90% that back
up critical systems, have implemented spam filters, firewalls, anti-virus and
anti-spyware software and have encrypted wireless network transmissions. 55% of
firms now have a documented security policy, compared to 27% in 2002, while 40%
give their staff ongoing security training, double the amount that were doing
so in 2002. But the survey also reveals many companies have a worryingly
lackadaisical approach to other aspects of security. 84% do not check to
ascertain whether outgoing email contains confidential information and 78% that
had been victims of computer theft did not encrypt hard discs. 72% do nothing
to prevent data leaving on portable memory devices, 52% do not carry out a
formal security risk assessment and 48% have not tested their disaster recovery
plans in the last year. 35% exercise no controls on their staff using instant
messaging, 21% spend under 1% of their IT budget on security and 10% of
websites accepting payment details do not encrypt them. Despite the drop in the
cost of security breaches to the UK economy, only 17% of businesses expected
the numbers of incidents to fall next year. [Source]
[Study]
[Security
breaches down, says IT security report] [UK
government security survey - situation improving?]
InfoSecurity Europe reps surveyed 576 people passing through London’s Liverpool Street Station to find out how much personal information the average individual was willing to give up for a snack and the promise of a free vacation. 21% of those surveyed gave up passwords, telephone numbers, and names. That’s down from last year’s survey, in which 64% of those asked gave up their passwords, perhaps indicating that during the last twelve months office workers have become more aware of the importance of security. None of the information collected was used or saved, according to the report. [Source]
Tech giant IBM’s public sector consulting group says a global security watchdog organization is needed to provide increased protection to people and infrastructure worldwide. The organization proposed by IBM in a new whitepaper is called the Global Movement Management Organization, and its task would be to coordinate secure worldwide travel and logistics, including aviation, travel, cargo, immigration, and the Internet. According to the whitepaper, the proposed organization would fill gaps in the public sector’s ability to provide adequate security and privacy protections to individuals. [Source]
If the payment industry’s ongoing chip and PIN trial in Ontario’s Kitchener-Waterloo area is any indication, the new card technology could be widely deployed in Canada before the end of 2010. Members of the payment card industry – including Interac Association, MasterCard Canada Inc., Visa Canada, and virtually every major Canadian bank – announced Tuesday positive preliminary results for the industry-wide chip and PIN trial in Southern Ontario. [Source] [Trial website] [News Release] [Background] and [Smart card forecast indicates ‘user anxiety’ hurdle]
The UK Home Secretary secretively signed a “special certificate” last year that gives foreign security agencies real-time access to traffic camera images and related data monitoring British motorists on highways throughout the UK. Opposition politicians and civil liberties advocates last week accused Gordon Brown’s government of attempting to hide from Parliament its covert plans to facilitate international surveillance of UK citizens in violation of privacy laws. Under the authorisation signed last July 4 by Jacqui Smith, video feeds and still images captured from roadside TV cameras, along with personal data derived from them, can be transmitted out of the UK to countries outside the European Economic Area, such as the US. Home Secretary Smith failed to mention the exception in a statement she made to Parliament less than two weeks later, on July 17, 2007, outlining Metropolitan Police exemptions to the 1998 Data Protection Act. The dispensation gives British police “anti-terrorism” officers permission to transmit images and information overseas, based upon any representation that the materials are relevant to a “terrorism” threat either in the UK or elsewhere. Liberal Democrat leader Nick Clegg said last night, “This confirms that this Government is happy to hand over potentially huge amounts of information on British citizens under the catch-all pretext of ‘national security’.” UK civil liberties groups are appalled that the UK government is monitoring the daily movements of British citizens on a wholesale basis, and even more so that it is willing to provide surveillance images and data to foreign intelligence agencies. Opponents of what they view as a nascent surveillance state fear the imposition of a “data mining” programme to filter and correlate billions of pieces of data to profile individuals, activities and relationships in ways that might be abused, such as to target minorities and political groups and suppress peaceful dissent. [Source]
Criminals are set to be caught on camera more than ever before through a £165,000 scheme to equip each West Yorkshire Police division with a number of new ‘headcam’ cameras to gather video evidence of crimes. PCs and Police Community Support Officers will be provided with the new cameras, which have been funded by the Home Office as part of a national initiative. The portable cameras can be worn on headgear and come complete with a digital hard disc recorder which can store up to 400 hours of video. Footage can be viewed ‘on the go’ by officers using the equipment and then burnt on to DVDs for use in interviews with suspects. [Source]
Internet service providers must safeguard personal information about users in New Jersey, even when the police ask for it, the state Supreme Court ruled last week. New Jersey’s highest court said a valid subpoena is required before Internet providers can disclose private information to anyone. In doing so, the court found that the New Jersey constitution gives greater protection against unreasonable searches and seizures than the U.S. Constitution. The court is the first in the nation to recognize that anonymous Internet users have a reasonable expectation of privacy. The high court held that citizens “have a reasonable expectation of privacy” under the state’s constitution in the information provided to Internet service providers, “just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by phone companies,” Chief Justice Stuart Rabner wrote for the unanimous court. A Washington lawyer who handles Internet litigation, Megan E. Gray, said the ruling “seems to be consistent with a trend nationwide, but not a strong trend.” [Source]
Eight Americans of South Asian and Middle Eastern descent who were repeatedly detained at the border for questioning will be able to learn if they are actually on the government’s terrorist watch list, a federal court in Illinois ruled last week, marking the first time that citizens have been able to learn whether they have been added to a sprawling and error-prone list used for screening at borders and traffic stops. The government invoked the powerful state secrets privilege in the case, arguing that letting the plaintiffs know whether they are on the list would harm national security since it could alert them to the fact that they have been under government scrutiny. But since the government admits it has stopped the six men and two women more than 35 times, a federal Magistrate Judge dismissed that argument. Instead he found that the government “failed to establish that, under all the circumstances of this case, disclosure of that information would create a reasonable danger of jeopardizing national security.” The plaintiffs, most of whom are Muslim, filed suit against the DHS and the FBI in June 2005. They say none of them have any links to terrorism, but they are continually stopped and questioned due to faulty watch lists. They charge that government agents have unjustly restrained, confined and questioned them, sometimes for more than four hours, because some have been unfairly put on a watch list, while others say they are continually misidentified as someone on the list. The court’s rebuff of the government’s use of the state secrets privilege is highly unusual, as courts are rarely willing to challenge the executive branch on matters of national security. Experts call the state secrets privilege the “nuclear option,” and the Bush administration has used it widely to dismiss cases challenging its warrantless wiretapping program and the CIA’s use of secret overseas prisons. The lawsuit is also notable because it breaks new legal ground with regard to the government’s terrorist watch list, which lacks any mechanism for citizens to challenge their placement on the list. Government audits have repeatedly criticized the operation of the list, which has inadvertently snagged high-powered nuns, senators, children and government employees with security clearances. The Terrorist Screening Center, which runs the list, says it has been pruning the list and removing errant entries, even as the list grows by an estimated 20,000 names a month. While the TSC says the majority of the names on the list are foreigners, most of the people compared against the list are Americans, who are checked against the list when they are stopped for a traffic violation, enter or leave the country, or fly domestically. Additionally, the judge ruled that the state secrets privilege against disclosing sources and methods does apply to FBI investigative files and terrorism information in its TIDES database, but that the government should show those documents to the judge in secret, so the judge can decide what portions of those files can be safely released. The potential class-action lawsuit accuses the government of violating Americans’ Fourth and Fifth Amendment rights by exaggerating the risks of persons it puts on the list and not having robust ways of dealing with name mismatches. That, the plaintiffs allege, led government agents to unconstitutionally detain the men and their families for hours and conduct illegal pat-down searches. But the government denies that any of the stops were “unjustified,” or that its 800,000-name watch list is overbroad or negligently administered. The plaintiffs are asking the court to force the government to change how it handles name mismatches and how Americans are described on the list, and to adopt reasonable policies for family members and children who have to wait for a parent to be released from questioning by government agents. [Source]
Millimeter wave scanners, notorious for rendering detailed images that amount to a virtual naked image of airport passengers as they pass through security checkpoints, have been deployed at airports in Los Angeles and New York City, according to Newsday. Los Angeles International Airport and John F. Kennedy International Airport joined Phoenix’s Sky Harbor this week when they received one scanner each. While some have criticized the devices as being too revealing, the Transportation Security Administration says use of the device is less invasive than a physical pat-down, and procedures have been established to protect the privacy of individuals who undergo a scan. [Source]
Proposed legislation in Australia would give employers the power to intercept employees’ email and Internet communications without their consent. The powers are part of a law aimed at protecting the country’s critical infrastructure from cyber attacks; the law would amend the Telecommunications (Interception) Act. The powers would apply to employers who operate elements of the critical infrastructure; presently, only security agencies have that power. Australian Attorney General Robert McClelland says he has been told that a major cyber attack could cause “far greater economic damage than would ... a physical attack.” Civil rights groups are opposed to the proposed expanded powers, saying they could be abused. [Source]
The Nazareth District Labor Court has determined, in a landmark ruling, that an employer may not access his employees’ e-mail boxes without their explicit consent. Overturning a previous ruling by the Tel Aviv District Labor Court, Judge Chaim Armon said that an employer could not take such action on the basis of “implied consent” by the employee. [Source]
The Associated Press reports that 39 Whirlpool employees in Evansville, Indiana, who signed insurance documents stating they did not smoke or chew tobacco, have been suspended for use of tobacco on company grounds. The workers may be fired for lying after the company completes an investigation. Whirlpool employees who are tobacco users are charged an extra annual insurance premium of $500 over nonsmokers. Lewis Maltby, president of the National Workrights Institute, protested the move, saying, “We shouldn’t have to give employers complete control over our private life so they can save a few dollars on medical care.” [Source]
--------