Privacy News Highlights

01–26 August 2008

 

Contents:

IS – Israel Pushes Biometric Database Initiative

UK – Airport Fingerprint Plan Sparks A Domestic Dispute

UK – ID Card Scheme Faces New Hurdle: Scientists say Fingerprints Too Poor

CA – RFID-facial Recognition Combo Comes to Canada

CA – Privacy Commissioner Rules USA Patriot Act Privacy Risks Mirrored in Canada

CA – Federal Privacy Commissioner Launches Essay-Writing Competition

CA – CBA, Commissioner Want Privacy Act Updated

CA – ‘Trash’ Case Tests Privacy Rights

WW – Consumer Reports Publishes State of the Net 2008

US – U.S. to Ban Prerecorded Sales Messages

UK – Yahoo’s Fire Eagle Location Data Services a Privacy Concern

US – Residents Can Track Local Crime

US – Consumer Reports Warns Public About Government ID Leaks

CA – Court Rulings Posted Online Puts Privacy at Risk: Commissioner

UK – Machines to Scan Faces of Travellers at UK Airports

US – Health Information Trust Alliance

US – Authenticating Hosts Via Self-Signed Certificates (New CMU Tool)

WW – Groups Offer Tools for Travelers to Circumvent Chinese Internet Censoring

EU – Secret EU Security Draft Calls to Pool Policing and Give U.S. Personal Data

EU – ICO Issues Breach Response Guidelines

EU – Irish Insurance Sector Gets Data Protection Code

EU – Germans Urge Tougher Laws After New Privacy Scandal

UK – Average Briton is Being Recorded 3,000 Times a Week

UK – Government Publishes New, Wider Data Retention Regulations

US – U.S. Red Flag Rule Spillover for Canada

US – Changes to PCI Security Standard Expected

UK – UN Report Says Terror and Libel Laws Are Interfering With Human Rights

CA – Ontario Privacy Commissioner Rules on Citizens’ Tax Roll Data

AU – Right to Sue Disputed

UK – 39,000 Innocent Children on National DNA Database

US – Prescription Privacy in Vermont Court

US – HIPAA Enforcement Questioned

US – Insurance Companies Using Health Databases to Make Coverage Decisions

US – Medical Social Network Raises Privacy Concerns

UK – Government Depts. Lost 29 Million Records in One Year

UK – Data on 130,000 Criminals Lost

EU – Unencrypted Laptop Exposes 380,000

US – FTC Approves Data Breach Settlements, Without Monetary Penalties

US – Snooping on Medical Files of the Famous Continues to be a Problem

US – Indictments Handed Down in TJX Breach

UK – ‘Fakeproof’ e-Passport is Cloned in Minutes

US – Special Licenses Offered To Those Who Fear ‘Beast’

UK – New British Research Will Help to Ensure Privacy of Personal Data

US – The New Identity Crisis

WW – Bill Gates: Privacy Poses “Interesting Software Challenge”

US – Registered Traveler Program Halted After Data Breach

WW – IE 8 Will Offer Cross-Site Scripting Protection and Privacy Mode

WW – Even Security Pros Vulnerable to Scams

WW – Free Background Criminal Searches Available on the Net

UK – £68m ‘Snooping’ Database: Little Impact On Serious Crime

CA – RCMP Push National Police Data-Sharing Project

US – Congressional Leaders Address Corporate Behavioral Profiling

WW – Yahoo to Make Targeted Ads Optional

AU – Google Launches Street View Surveillance Project in Australia

WW – Tech Giants Near Agreement On Human Rights Code

EU – EU to UK: Does Phorm Service Conform to Privacy Laws?

SA – Easy Access to Students’ Confidential Data

AU – Australia’s 20-Year-Old Privacy Laws Need a Re-Write

US – Washington State Supreme Court Rules In Favor of Privacy Rights

US – World Privacy Forum Comments on Border Crossing Information System

US – Judge Rules on Posting SSNs

UK – Survey Says: Many Have Disclosed Income Info Online

US – FTC Explores RFID Privacy Concerns

US – Judge Lifts Gag Order on Subway RFID Hackers

US – US Intelligence Issues Warning About Traveling Abroad with Electronic Devices

US – Customs / Border Patrol Electronic Device Search Policy Raises Privacy Concerns

US – TSA to Deploy Full Body Scan Machines at More Airports

UK – Card Crime Exposed: The True Identity of Card Fraud in the UK

UK – UK Passport Chips Easily Cloned

US – President Consolidates Surveillance Authority

UK – Privacy Regulator Plans Annual Surveillance Reports

US – NYPD Seeks to Screen Vehicles Entering Manhattan

US – Behavioral Tracking by ISPs May Lead to Digital Privacy Legislation

US – Facebook Beacon Lawsuit Filed

IS – Police Demanding ISP User Details

US – Group Decries “Attempts to Circumvent Electronic Privacy Law”

US – No-ID Database: US travel

US – Ninth Circuit Rules People on ‘No-Fly’ List Can Challenge Status In Federal Courts

US – Citizens’ U.S. Border Crossings Tracked

US – Missing Laptop Keeps Traveller Program From Registering New Fliers

US – Homeland Security Seeks Privacy Act Exemptions

US – Senate Approves Amended ID Theft Legislation

US – Texas: State Loses Attempt to Argue Anew for Sex Toy Ban

US – Tiny Sensors Can Track You for Your Own Good—or Your Company’s

IS – Israel Pushes Biometric Database Initiative

Israel’s government approved a bill earlier this week that would require all residents to obtain biometric identity cards and passports. The cards would include two fingerprints and a facial scan, and would be stored in an Interior Ministry database. The Ministry says this will combat counterfeiting and improve government services, but some believe such a database will be rife with privacy risks. “Every database can be breached,” said Dan Hay of the Israeli Bar Association. “Insiders can leak sensitive information, so other people can use fingerprints in order to forge documents or imprint fingerprints in crime scenes to incriminate others,” he added. Parliament is expected to pass the bill this fall. [Source]

 

UK – Airport Fingerprint Plan Sparks A Domestic Dispute

Human rights and data protection organisations have criticised Government plans to introduce fingerprinting at all British airports where departure lounges are shared by international and domestic travellers. The Home Office claims fingerprinting would prevent incoming international passengers switching tickets with domestic passengers and then flying to other parts of Britain without passing through immigration checks. It says any data collected would be destroyed after 24 hours and would not be handed to police. The proposal is supported by the British Airports Authority (BAA), which says it would allow domestic passengers to use all the facilities open to international passengers. However, Liberty, the human rights group, has questioned BAA’s motives. “Is this really about airport security or the ease of selling duty-free to a captive audience?” The Information Commissioner has questioned why fingerprinting is needed at all, arguing that photographing passengers - which is done already at Terminals 1 and 5 at Heathrow - is effective and less intrusive. [Source]

 

UK – ID Card Scheme Faces New Hurdle: Scientists say Fingerprints Too Poor

The national identity card scheme faces fresh problems following a warning from the government’s top scientific advisers that the quality of fingerprints from 4 million people aged over 75 may be too poor to be used to prove their identity. The “gold standard” integrity of the national identity scheme would depend on all 10 digits of the hands of everyone in Britain over 16 being accurately recorded on the central register, but experts have now told Home Office ministers that it is “hard to obtain good quality fingerprints” from the over-75s. They warned that “exceptional handling” arrangements would have to be made to handle the registration of those whose fingerprints are not up to scratch. This would have a “large impact not only on the technical elements of the scheme but [also] on business processes, schedules and costs”. American experts estimate between 2% and 5% of adults have poor quality fingerprints, which means ridges on the fingers are not sharply defined enough to be reliably copied by an automatic scanner. The warning is contained in a report slipped out before Parliament rose for the summer recess from the biometrics assurance group, which is made up of independent experts from Whitehall, the industry and universities and chaired by the government’s chief scientific adviser, Professor John Beddington. The group was set up to review the science behind the ID card scheme. The group said urgent research was needed into the problem. It told ministers they needed to make available alternative identity checks, based on electronic iris scans, for those unable to enrol using fingerprints. The Home Office, however, has ruled out the use of iris scanning because it is too expensive.

The group of independent scientific and technical experts also said that proper attention needed to be paid to issues of privacy and consent across the national identity scheme, and urged the public to be well-informed about how their data could be used and shared with certain government bodies without the consent of the individual involved. [Source]

 

CA – RFID-facial Recognition Combo Comes to Canada

A Montreal-based radio frequency identification consulting and engineering company has partnered with a Chicago-based manufacturer of RFID technology to sell in Canada a multi-authentication platform that can combine, among other options, facial recognition and RFID. The combination, the companies said, eliminates the risk of copying presented by physical contact such as fingerprint recognition. The technology platform, Trusted eSentry Security (TES), is provided by American RFID Solutions, and the Canadian market expertise by RFID ProSolutions. The platform allows other options like fingerprint, iris and voice identification plus a number pad, but the out-of-the-box package combines facial recognition and RFID because of the enhanced security that comes from the lack of contact. Additionally, said Clampitt, employees doing menial labour can easily present their face for access and not be concerned about injuries or grease to the hands in the case of a hand or print reader. [Source]

 

CA – Privacy Commissioner Rules USA Patriot Act Privacy Risks Mirrored in Canada

The Assistant Privacy Commissioner has ruled that the privacy risks posed by the USA Patriot Act are similar to those found in Canada and therefore not grounds to rule that the privacy protection afforded by a U.S. email provider is not comparable to Canadian-based providers. The finding arises from a complaint launched by CIPPIC against Canada.com over the use of a U.S.-based provider. In assessing the USA Patriot Act issue, the Assistant Privacy Commissioner found that: The risk of a U.S.-based service provider being ordered to disclose personal information to U.S. authorities is not a risk unique to U.S. organizations. In the national security and anti-terrorism context, Canadian organizations are subject to (and may be just as likely to receive) similar types of orders to disclose personal information of Canadians to Canadian authorities. There are also several former bilateral agreements in place between analogous Canadian and U.S. organizations that provide for the cooperation and exchange of relevant information. In light of such arrangements, there are many alternatives to a Section 215 Order to obtain information about Canadians. [Source] [Source]

 

CA – Federal Privacy Commissioner Launches Essay-Writing Competition

The Office of the Privacy Commissioner of Canada has announced the 2008-2009 Essay Competition: “Think Privacy!” This essay competition is designed to encourage students in law schools and legal studies programs across Canada to join us in exploring the challenges, critically reflecting on the issues, and contributing to the expanding community of thought on privacy. For this year’s competition, students may submit essays on any one of the Office’s four strategic priorities:

  1. Information technology and privacy
  2. National security and privacy
  3. Identity integrity and protection
  4. Genetic privacy

The winner will be eligible to receive up to $5,000 and publication. [Source]

 

CA – CBA, Commissioner Want Privacy Act Updated

A resolution proposed by the Canadian Bar Association (CBA) has the potential to strengthen privacy protections for Canadians, says Privacy Commissioner Jennifer Stoddart. From its 2008 Legal Conference in Quebec City, the CBA has called for reforming 25-year-old federal public sector privacy legislation, which the commissioner describes as “unbelievably inadequate.” Stoddart says the call is the latest in a string of appeals from privacy experts to bring the law into accordance with the digital age. The CBA resolution calls for restrained collection and rigorous protection of personal information, a breach notification requirement and cross-border data transfer limitations. [Source] [CBA resolution]

 

CA – ‘Trash’ Case Tests Privacy Rights

It may be garbage, but a single bag can tell the story of our lives. Those banana peels, letters, pill bottles and razors can reveal intimate details about the occupants of a home, from their medical and financial health to political or religious affiliations - not to mention fingerprints and DNA. How would you feel if a neighbour rifled through your refuse to better understand your habits? What if those rummaging were police? That’s happening already in Canada, with some officers even masquerading as garbage collectors. But not everyone is convinced the practice should continue. The issue is headed for the Supreme Court of Canada, with federal and provincial prosecutors, criminal lawyers and civil libertarians now preparing for a crucial legal battle this fall over the question of whether our garbage is private. Is our trash - like our phone conversations and homes – constitutionally protected from the prying eyes, ears and hands of the state? “When Canadians give their household trash over to the municipality for waste management and recycling, they believe that’s what the municipality is going to do with it,” said Jonathan Lisus, a lawyer representing the Canadian Civil Liberties Association. “They don’t expect and would be offended to learn that the police - or other law enforcement agencies - can intercept our trash and mine our personal information to investigate us,” Lisus said. [Source]

 

WW – Consumer Reports Publishes State of the Net 2008

According to Consumer Reports’ State of the Net 2008 report, the odds of becoming a victim of cybercrime have dropped over the last year from one in four to one in six. Of the 2,071 online households polled for the study, 19% do not have antivirus software on their computers, 36% do not have antispyware software on their computers, and 75% do not use anti-phishing toolbars. While the incidence of spam, spyware and serious viruses has declined, phishing is on the rise, and threats overall are becoming more insidious. Consumer Reports has also compiled a list of the top security blunders Internet users make, including accessing accounts through email links, downloading free software, and assuming security software is protecting the computer while letting antivirus and antispyware subscriptions expire. [Source] [Source] See also: [WIRED: Face-Based Advertising, Coming Soon to Store Near You]

 

US – U.S. to Ban Prerecorded Sales Messages

After a barrage of consumer complaints, the U.S. government is banning phone calls of prerecorded sales messages unless consumers agree to receive the calls. The Federal Trade Commission also announced that by December all prerecorded calls must provide an opt-out selection to make it easy for consumers to stop getting those calls. Effective Sept. 1, 2009, sellers and telemarketers may place prerecorded calls only to consumers who have provided signed and written agreements to receive them. The FTC said the rules will not affect informational prerecorded messages, such as messages to notify consumers of appointments and cancellations, because they do not attempt to sell goods or services. A report by the FTC said there were more than 13,000 consumer comments that objected to the telemarketing industry’s request to gain more flexibility to make recorded sales calls. Mark Cooper, director of research for the Consumer Federation of America, said Wednesday the rule closes a loophole that “was part of the intrusion of unwanted calls.” “Callers did not think they were bound by the Do Not Call list, and now they are,” said Mr. Cooper. “The FTC finally addressed it.” [Source]

 

UK – Yahoo’s Fire Eagle Location Data Services a Privacy Concern

Yahoo recently launched Fire Eagle, an application that lets users expose their location on the Web--right down to the street address, if they choose. Although Yahoo insists users have control over what location data they share, some worry about the fact that third-party developers using Fire Eagle may retain user information even after users opt out of the service. Others have voiced concerns that the privacy policies for such third-party developers may differ from Yahoo’s, and that may confuse users. “While this is an opt-in service, you have to be clear about the consequences of what you are opting in to,” said Paul Stephens of the Privacy Rights Clearinghouse. “Privacy policies differ from Web site to Web site and they can be changed without warning.” [Source]

 

US – Residents Can Track Local Crime

The Loudoun County Sheriff’s Office unveiled an online tool this week that allows users to map recent crime reports in any part of the county under the sheriff’s jurisdiction. The information, updated nightly, is provided in conjunction with a Utah company called CrimeReports.com. The crime information is presented on Google maps and includes the dates, times and descriptions of the reported incidents, along with block numbers. Some incidents, such as sexual assaults, crimes against children, domestic violence and medical calls, will not be displayed on the Loudoun maps. Mapping such incidents could compromise victims’ privacy. The Sheriff’s Office will continue to publicize such crimes through news releases and the sheriff’s e-mail alerts, which residents can sign up to receive. The partnership with CrimeReports.com also allows residents to sign up for free e-mail crime alerts that can be customized. Users can choose to receive alerts for crimes occurring in certain neighborhoods, for example, or within a certain distance from any address. [Source] [Technology’s Toll on Privacy and Security - Scientific American special issue] and [California: Immersive GIS to Engage Citizens Like Never Before]

 

US – Consumer Reports Warns Public About Government ID Leaks

While Americans trust government officials to safeguard sensitive personal and financial data, government is among the biggest sources of ID leaks, according to a Consumer Reports (CR) investigation. The report, “ID Leaks, A Surprising Source is Your Government at Work”, in the September issue, claims that penalties are also rarely imposed on those who are negligent. CR analyzed records of publicly reported data breaches compiled by the nonprofit Privacy Rights Clearinghouse and found that more than 230 security lapses by federal, state, and local government from 2005 through mid-June 2008 resulted in the loss or exposure of at least 44 million consumer records containing Social Security or driver’s license numbers and other personal data. That represents almost one out of five ID breaches of all types reported during that period, said CR in a release. CR reports that a 2006 investigation by the House Oversight and Government Reform Committee found that 788 breaches had occurred in the three and a half years between January 2003 and July 2006 at 17 federal departments and agencies. Few of these incidents were publicly disclosed. [Source]

 

CA – Court Rulings Posted Online Puts Privacy at Risk: Commissioner

In an era of powerful Internet search engines, Privacy Commissioner Jennifer Stoddart is sounding an alarm about federal tribunals and other quasi-judicial bodies throwing open the electronic doors by posting names of people online in decisions and other documents. The commissioner weighed in last week on a growing debate over whether posting rulings on the Internet is an affront to privacy and needs to be reined in at the cost of the sacred tenet of open courts. “The open court rule, which is extremely historically important, has now become distorted by the effect of massive search engines so that documents containing all sorts of personal information find themselves searchable worldwide,” Stoddart told reporters at a gathering of the Canadian Bar Association. “That wasn’t really the context in which this rule evolved.” The privacy commissioner has jurisdiction over such federal tribunals as the Canadian Human Rights Tribunal and the Canadian International Trade Tribunal. She noted that the nation’s courts are also reflecting on the issue, but she cautioned she has no jurisdiction over them. Stoddart proposed that decisions and other documents should only identify people by their initials or reversed initials and that tribunal heads omit personal information from their decisions, such as addresses, social insurance numbers or private details about a person or their family members. [Source]


UK – Machines to Scan Faces of Travellers at UK Airports

Air passengers travelling to British airports are to have their faces scanned and identities checked by machines under plans to be announced. However, if the trials prove successful, ministers want the machines to replace most front line airport immigration officers over the next five years. As well as improving security, ministers hope the computers will cut passenger congestion. The machines take 13-15 seconds per passenger, while a human takes 20 seconds. Eleven pilot “walk-in” machines have been introduced at Manchester Airport to check passports automatically. Home Secretary Jacqui Smith is expected to be in Manchester airport to unveil the new plans this week. The new machines take instant photographs of the holder, which are then electronically matched against the 2D digital pictures in their documents to check their identities. If the pilot schemes are a success, the technology is expected to be rolled out to airports and ports nationwide. But critics said last night that the technology is unproven and could cause innocent passengers to be rejected. [Source]

 

US – Health Information Trust Alliance

A group of nine healthcare companies interested in enhancing the privacy and security of electronic patient information above and beyond what the Health Insurance Portability and Accountability Act (HIPAA) requires have created a consortium dedicated to delivering best practices on electronic medical records. Charter members of the Health Information Trust Alliance (HITRUST), including GE Healthcare, Highmark Inc., Pitney Bowes Inc., Cisco Systems Inc. and others, will deliver a Common Security Framework--a toolkit for protecting information and managing risks--early next year. A HITRUST survey revealed that 85% of health information technology executives want a uniform framework for dealing with sensitive information. [Source]

 

US – Authenticating Hosts Via Self-Signed Certificates (New CMU Tool)

In his blog, Lauren Weinstein argues for the expanded use of self-signed security certificates, and against the multiple alarming hoops that Firefox 3 now puts in the way of their use. He considers self-signed certificates to be an extremely valuable mechanism toward the deployment of pervasive Internet encryption, despite their native inability to provide host authentication in the manner of (usually commercial) certificates signed by traditional external authentication entities. He’s especially pleased to learn of a new tool - “Perspectives” - from CMU, that may offer a means to provide a very useful level of host authentication while still permitting the use of free self-signed certificates. [Source] [‘Perspectives’]

 

WW – Groups Offer Tools for Travelers to Circumvent Chinese Internet Censoring

The Chaos Computer Club is making available USB sticks with technology that will allow visitors to China for the Olympics to circumvent Chinese Internet censorship measures. The sticks contain copies of the TorBrowser and Torprojects software and will be available only for the duration of the Olympic Games. Chaos has also set up a website where people can download the software. Another group, FoeBuD, is selling similar devices. TOR is a network of servers around the world that allows anonymization of data sent over the Internet. The Global Internet Freedom Consortium is also offering a package of tools to help Beijing Olympic visitors evade Chinese censorship. [Source] [Source] [Source]

[Website of The TOR Project]

 

EU – Secret EU Security Draft Calls to Pool Policing and Give U.S. Personal Data

Europe should consider sharing vast amounts of intelligence and information on its citizens with the US to establish a “Euro-Atlantic area of cooperation” to combat terrorism, according to a high-level confidential report on future security. The 27 members of the EU should also pool intelligence on terrorism, develop joint video-surveillance and unmanned drone aircraft, start networks of anti-terrorism centres, and boost the role and powers of an intelligence-coordinating body in Brussels, said senior officials. The 53-page report drafted by the Future Group of interior and justice ministers from six EU member states - Germany, France, Sweden, Portugal, Slovenia, and the Czech Republic - argues Europe will need to integrate much of its policing, intelligence-gathering, and policy-making if it is to tackle terrorism, organised crime, and legal and illegal immigration. The report was submitted to EU governments last month following 18 months of work. The group, which also includes senior officials from the European Commission, was established by Germany last year and charged with drafting a blueprint for security and justice policy over the next five years. [Source]

 

EU – ICO Issues Breach Response Guidelines

The UK Information Commissioner’s Office has published guidelines to help organisations respond appropriately when a data security breach occurs. The guidelines emphasize the importance of having a breach management plan in place before such an event happens. According to the report, such a plan should include information on containment and recovery; assessment of ongoing risk; notification of breach; and evaluation and response. Although there is no breach notification law in the UK, the guidelines also advise organisations on what factors might merit proactive notification. [Source]

 

EU – Irish Insurance Sector Gets Data Protection Code

In light of the revelation that insurance companies in Ireland have been using private investigators to obtain personal data held by the Gardai and the Department of Social and Family Affairs, the Irish Data Protection Commissioner’s office has issued a Code of Practice on Data Protection for the Insurance Sector. In a note announcing the publication of the code, the Data Protection Commissioner’s Office says that “The Data Protection Acts provide for the preparation of sector-specific codes of practice to allow for a better understanding of the requirements of the Acts. ...In some instances the basic statutory data protection requirements as they are applied within particular sectors can benefit from more detail.” [Source] [Source]

 

EU – Germans Urge Tougher Laws After New Privacy Scandal

German politicians called for tougher privacy laws after officials revealed personal and financial information on millions of Germans was readily available for cash on the Internet. The scandal over the illegal trading of bank account and phone data came just months after snooping cases at some major German corporations raised alarms. The new debate was triggered by reports that a call centre employee alerted authorities to a problem with his company’s data collection practices by handing over data on some 17,000 addresses and bank account details to a privacy protection office in the northern state of Schleswig-Holstein. Prosecutors have launched an investigation. On Monday, privacy officials also said they were able to buy 6 million pieces of personal data, including bank and phone details, undercover on the Internet for 850 euros ($1,248). Officials have said the information seemed to have been stolen from lottery firms’ files or mobile phone contracts. [Source]

 

UK – Average Briton is Being Recorded 3,000 Times a Week

With every telephone call, swipe of a card and click of a mouse, information is being recorded, compiled and stored about Britain’s citizens. An investigation by The Sunday Telegraph has now uncovered just how much personal data is being collected about individuals by the Government, law enforcement agencies and private companies each day. In one week, the average person living in Britain has 3,254 pieces of personal information stored about him or her, most of which is kept in databases for years and in some cases indefinitely. The data include details about shopping habits, mobile phone use, emails, locations during the day, journeys and internet searches. In many cases this information is kept by companies such as banks and shops, but in certain circumstances they can be asked to hand it over to a range of legal authorities. This newspaper’s findings come days after the Government published plans to grant local authorities and other public bodies access to the email and internet records of millions. Phone companies already retain data about their customers and give it to 650 public bodies on request. [Source]

 

UK – Government Publishes New, Wider Data Retention Regulations

The UK Government has published a draft law that mandates the retention of data by ISPs and telecoms companies. The proposed Regulations will replace an earlier law that applied to non-internet data only. If approved by both Houses of Parliament, the Electronic Communications Data Retention (EC Directive) Regulations 2008 would come into force on 15th March 2009. They will revoke the 2007 Regulations of the same name and complete the UK’s implementation of an EU Directive. The new Regulations were published as part of a Home Office consultation. According to the Home Office paper, the cost of compliance will reach almost £50 million over eight years. The Home Office confirmed that access to 12 months’ worth of call, text, email and internet records will be open to all bodies covered by the phone tap law, the Regulation of Investigatory Powers Act (RIPA). That includes local councils, health authorities and the Post Office. The Directive gave member states discretion to mandate the keeping of records for a fixed period as short as six months or as long as two years. The UK’s retention period under the new rules is set at 12 months from the date of a communication, as in the 2007 Regulations. However, a telco or ISP can be served with a written notice by the Secretary of State to vary that period to anything between six and 24 months, a variation that the current rules on non-internet data do not provide for. [Source] See also: [AT&T’s Big Google Lie]

 

US – U.S. Red Flag Rule Spillover for Canada

New regulations under the U.S. Fair and Accurate Credit Transactions Act (FACTA) to protect consumers from identity theft are expected to impact Canadian banks. The regulations--called “red flag” rules--require that financial institutions implement programs to let them detect foul play, thereby reducing instances of identity theft. Some believe the rules will have a spillover effect on Canadian banks that do business in the U.S., and may even spawn a similar measure in Canada. “Invariably, every time there is a piece of legislation that gets introduced, especially in the U.S., there is some consideration for its application in Canada,” said Adel Melek of Deloitte. [Source]

 

US – Changes to PCI Security Standard Expected

The group that administers the Payment Card Industry Data Security Standard — or PCI, for short — this week released a summary of the changes that are being made to the requirements in a revision scheduled to be published in October. As expected, the modifications that the PCI Security Standards Council is implementing in the upcoming Version 1.2 of the standard are largely incremental in nature and appear unlikely to cause any major new compliance challenges for companies, analysts said. [Source]

 

UK – UN Report Says Terror and Libel Laws Are Interfering With Human Rights

The UK government has been accused of creating laws that have a chilling effect on freedom of expression in the UK in a sharply critical report from the United Nations’ committee on human rights. The report calls for the reform of Britain’s libel laws and controls introduced under recent terrorism laws. The government’s use of the Official Secrets Act to prevent issues of public interest being published is also condemned in an intervention from the UN which warns that public servants are being gagged even where national security is not at risk. The criticisms are made as part of the committee’s analysis of a report which the UK is required to submit to the UN every three years, appraising human rights in its jurisdiction. Among the problems identified, the UN says:

§ Terrorism Act 2006 provisions covering encouragement of terrorism are too broad and vague, and should be amended so that their application does not lead to “a disproportionate interference with freedom of expression”.

§ Libel laws should be reformed to end so-called “libel tourism”, whereby wealthy foreigners have gone to the high court to sue over articles that would not warrant action in their own country.

§ Powers under the Official Secrets Act have been “exercised to frustrate former employees of the crown from bringing into the public domain issues of genuine public interest, and can be exercised to prevent the media from publishing such matters”.

The committee also warns that, in the age of the internet, Britain’s unduly restrictive libel laws create the danger of affecting freedom of expression worldwide, contrary to a UN covenant on civil and political rights which guarantees the right to freedom of speech and to exchange ideas and information “regardless of borders”. [Source]

 

CA – Ontario Privacy Commissioner Rules on Citizens’ Tax Roll Data

The office of the Ontario Information and Privacy Commissioner has admonished Vaughan City for allowing a third party to use tax roll information in promotional materials mailed to city residents. The city allowed MuniCard, the credit card company that offers “points” towards tax bills, to include citizens’ tax roll numbers in its mailing. The privacy commissioner’s office investigated after hearing from a resident. The office concluded that the city was in violation of the Municipal Freedom of Information and Protection of Privacy Act. “In my view, promoting a credit card, albeit with benefits to taxpayers, is not consistent with the collection of taxes,” wrote investigator Cathy Hamilton. The commissioner’s office forbade the continued use of such information to promote the MuniCard and ordered city officials to review their policies for handling personal information when working with third parties. [Source] [Privacy Commissioner Issues Cease and Desist Order]

                                                                                        

AU – Right to Sue Disputed

Media organisations are criticising one of the recommendations made by the Australian Law Reform Commission (ALRC) in its report on updating the nation’s privacy laws, released yesterday. The recommendation would allow people to sue for gross invasions of privacy. The Right to Know Coalition, which includes Fairfax Media, the ABC, News Ltd and other media organisations, argues that such a law would restrain the media’s responsibility to keep the public informed, the report says. The ALRC said that strong public support for such a law is what compelled it to include the recommendation, and that suing would be limited to “egregious circumstances.” [Source] [Overview]

 

UK – 39,000 Innocent Children on National DNA Database

The national DNA database contains the profiles of almost 40,000 innocent children, the Home Office said. Junior minister Meg Hillier said the profiles of an estimated 39,095 10 to 17-year-olds who “had not been convicted, cautioned, received a final warning/reprimand and had no charge pending against them” were on the database. Opposition parties said it was evidence the Government was building a national DNA database by stealth and called for a parliamentary debate on the issue. Last month a Government-appointed advisory body said there should be a more straightforward system for innocent people to have their samples removed from the database. The Ethics Group said samples obtained during police investigations should be destroyed at the end of an inquiry rather than loaded on to the NDNAD. At present, people who voluntarily agree to have their samples put on the database cannot have their details removed. Suspects who give samples after being arrested but who are later either not charged or cleared can apply to the Chief Constable who can agree to remove the listing in “exceptional circumstances”. The Ethics Group said this was “potentially inconsistent and discriminatory and contrary to an individual’s privacy rights”. A Government-funded inquiry also said innocent people should have their profiles deleted from the database, arguing that even guilty people who have served their time should eventually have their DNA records erased because retaining the profile “continues to criminalise them”. [Source] See also: [Australian police reopen 7,000 cases after DNA error]

 

US – Prescription Privacy in Vermont Court

The Washington Legal Foundation (WLF) is contesting a Vermont law that regulates how private companies use physicians’ prescription data, reports the Brattleboro Reformer. The federal court in Brattleboro last week heard arguments regarding Act 80, which contains a clause forbidding the use of such data for marketing and advertising purposes. The law intends to protect the privacy of prescription drug users and keep medical costs down. But the WLF, which filed on behalf of IMS Health, Verispan and Source Healthcare Analytics, said the clause violates the First Amendment rights of companies who collect and distribute such information. [Source]

 

US – HIPAA Enforcement Questioned

The majority of the 38,000 Health Insurance Portability and Accountability Act (HIPAA) complaints filed over the past five years have never been investigated. Citing healthcare employee snooping and misuse of patient information, the report highlights how the potential lack of enforcement may be contributing to privacy breaches. “Until serious fines and penalties are levied, people are not going to take this law seriously,” said Abner Weintraub of the HIPAA Group, a company that advises healthcare providers on the law. [Source] See also: [US: Hospitals See Attention to Patient Privacy as Competitive Advantage; Breaches Can Harm Patient Satisfaction]

 

US – Insurance Companies Using Health Databases to Make Coverage Decisions

Some life and health insurance companies are starting to use information from commercial medical databases to make their decisions on individual consumer coverage. The databases mined for information include those that contain prescription drugs and those gathered by clinical and pathological labs. Traditionally, insurers gather information from physicians’ offices. The new developments present privacy concerns because they take place outside the protections offered by federal health regulators and legislators. Also of concern is the fact that information gathered for one purpose is being sold for another purpose. Two companies that provide the information say they release only data that have been released by patient consent as per HIPAA (Health Insurance Portability and Accountability Act); however, the companies themselves are not bound by HIPAA regulations. [Source] [Medical identity theft spreads]

 

US – Medical Social Network Raises Privacy Concerns

A new employer-sponsored social network for patients and healthcare providers aims to help companies evaluate their corporate health plans, but has many concerned about patient privacy. The Washington Post reports that a beta version of Point to Point Healthcare will be launched this month. The site lets employees create personal networks comprised of insurance claims managers, doctors and pharmacies. WellNet Healthcare, creator of Point to Point, says the network will conform to Health Insurance Portability and Accountability Act (HIPAA) requirements, and that, like Facebook, users can determine who sees their medical profile. But concerns around security and employers’ access to and use of such information remain. [Source] [Consent No Cure For Health Info Privacy Issues]

 

UK – Government Depts. Lost 29 Million Records in One Year

In the last 12 months, UK government departments have lost 29 million records containing personal data. The government asked for departments to include data loss on their financial statements after the loss of two disks containing personally identifiable information of 25 million child benefit claimants last year. The remaining four million lost records include those of three million driving test candidates reported by the Department of Transport and 620,000 on an unencrypted Ministry of Defence laptop. In a related story, the Home Office learned earlier this week that an outside contractor lost a memory stick containing personal information about thousands of criminals in England and Wales. The Information Commissioner has been notified. [Source] [Source] [Source]

 

UK – Data on 130,000 Criminals Lost

Confidential information on almost 130,000 prisoners and dangerous criminals has been lost by the Home Office, sparking yet another Government data crisis. The loss of the details, which were stored on an unencrypted computer memory stick, has raised fears that the taxpayer may now face a multi-million pound compensation bill from criminals whose safety may have been compromised and police informants who could be at risk of reprisals. The home addresses of some of Britain’s most prolific and serious offenders - including those who have committed violent and sexual crimes - are understood to be among the missing data. A full investigation is now underway to find the memory stick – containing information on all 84,000 prisoners in England and Wales, including some release dates, plus details of 43,000 most serious and persistent offenders – which was described as a ‘toxic liability’ by David Smith, the Deputy Information Commissioner. [Source]

 

EU – Unencrypted Laptop Exposes 380,000

The Irish Department of Social and Family Affairs has revealed that a laptop computer stolen last year contained the personal details of 380,000 social welfare recipients. The laptop was unencrypted. The department is contacting all of those affected, including 100,000 whose bank account details were exposed. Data Protection Commissioner Billy Hawkes will meet with officials involved this week. Hawkes said he expects all major holders of personal data in the public and private sector to “fully examine all their policies in relation to the collection and storage of data to ensure that incidents of this scale and nature can be avoided in the future.” [Source]

 

US – FTC Approves Data Breach Settlements, Without Monetary Penalties

The Federal Trade Commission (FTC) has finalized two separate settlements, one with discount retailer TJX, and another with data brokers Reed Elsevier and Seisint. The settlements arise from the companies’ failures to provide reasonable and appropriate security for sensitive consumer information, resulting in the exposure of the sensitive personal information of over 500,000 consumers and millions of dollars in financial fraud. The final settlements announced this week impose security and audit responsibilities on the companies, but no financial penalties. [EPIC’s comments on the FTC consent orders with TJX, Reed Elsevier and Seisint] [FTC announces settlement with TJX, Reed Elsevier and Seisint for failing to provide adequate security for consumers’ data] [FTC approves final Consent Order] [For more on data breaches and ID theft, see EPIC’s Identity Theft: Its Causes and Solutions page]

           

US – Snooping on Medical Files of the Famous Continues to be a Problem

An unspecified number of Sparrow Hospital employees were disciplined or fired for attempting to view the computerized medical files of Michigan Governor Jennifer Granholm. Gov. Granholm was admitted to the hospital for surgery in late April. The breach was detected during a routine audit; Gov. Granholm has been notified of the incident. In a separate story, the number of UCLA Medical Center employees who improperly accessed patient files of celebrities was higher than the initial estimate. Between January 2004 and June 2006, the number of employees believed to have accessed celebrity files is 127, nearly double the prior figure. State regulators have chastised the hospital for not taking adequate measures to protect patient privacy. Proposed state legislation to penalize those who improperly access patient files would impose fines of US $1,000 to US $250,000 for individual healthcare workers and US $25,000 to US $250,000 for healthcare facilities for violations. [Source] [Source] See also: [UK justice agency loses 45,000 personal records] and [Breach Forces Irish Banks to Reissue Credit Cards] and [TSA Vendor Laptop Reported Stolen, Then Found]

 

US – Indictments Handed Down in TJX Breach

Eleven people have been charged in connection with the TJX data breach that exposed the card numbers of about 100 million, reports the Associated Press. The indictment alleges that hackers infiltrated the wireless networks of nine U.S. retailers, and then installed programs to capture customers’ personal and financial information, which they allegedly sold to others or used themselves. The charges include conspiracy, computer intrusion, fraud and identity theft. The hackers hail from the U.S., Estonia, Ukraine, Belarus and China. Three are in custody, but eight remain at large and one is known only by a pseudonym. [Source]

 

UK – ‘Fakeproof’ e-Passport is Cloned in Minutes

New microchipped passports designed to be foolproof against identity theft can be cloned and manipulated in minutes and accepted as genuine by the computer software recommended for use at international airports. Tests for The Times exposed security flaws in the microchips introduced to protect against terrorism and organised crime. The flaws also undermine claims that 3,000 blank passports stolen last week were worthless because they could not be forged. In the tests, a computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber. The altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports. [Source] [Cloned e-passports fiasco renews calls for £4.7bn ID card scheme to be axed]

                           

US – Special Licenses Offered To Those Who Fear ‘Beast’

West Virginia is offering special driver’s licenses to people who oppose digitized photos because they believe this could be the beginning of the biblical “mark of the beast” prophecy. The Division of Motor Vehicles planned to distribute the special licenses Friday at its Capitol office. Phil Hudok will be one of the first to receive a special license. The Randolph County teacher had refused to require his students to wear bar-coded identification badges in 1998 because it violated his religious beliefs. Hudok, pastor Butch Paugh and several others met with DMV Commissioner Joseph Cicchirillo in 2006 after learning that the state was switching to the digitized licenses. The DMV agreed to keep hard copies of the opponents’ license photos instead of digitizing them. [Source]

 

UK – New British Research Will Help to Ensure Privacy of Personal Data

The Government is to invest over £5.5m in three new research projects that will help to develop the next generation of secure identity management systems. The projects will see businesses, universities, a city council and other research and technology organisations working together to address the challenge of ensuring that privacy and consent are preserved in the next generation of identity management systems. The Technology Strategy Board, Engineering and Physical Sciences Research Council (EPSRC) and Economic and Social Research Council (ESRC) have joined forces to back the projects with an investment of over £5.5 million. The three projects are:

§ EnCoRe, which will focus on the issue of providing more rigorous means for individuals to grant and revoke their consent for the use, storage and sharing of personal data, bringing together technological, procedural and regulatory developments.

§ VOME, a research project that will reveal and utilise end users’ ideas and concepts regarding privacy and consent, facilitating a clearer requirement of the hardware and software required to meet end users’ expectations.

§ Privacy Value Networks (pvnets), which will generate a detailed understanding of individuals’ and organisations’ conceptions of privacy and identity across a range of contexts and timeframes - using a range of techniques including in-depth privacy value and devalue chains analysis to model the impact of the personal information.

Explaining the background to the decision to invest in the three projects, the Technology Strategy Board’s Chief Executive, Iain Gray, said: “The next few years will see governments and businesses around the world making substantial investments in identity management infrastructure. In order to prepare UK businesses for competition in this global market, practical and cost effective solutions need to be developed which inspire public confidence by improving privacy and enabling consent as an integral part of future procurements.” [Source]

 

US – The New Identity Crisis

Undocumented workers, car thieves, organized criminals and addicts all contribute to California’s identity theft crisis, reports Help Net Security. The report highlights the results of a study released yesterday by Identity Theft 911. The study reveals that nearly 1.5 million Californians were victims of identity theft in 2007 and the problem is growing. However, the results also show that California is a “model state for identity theft deterrence,” says the report, citing the continued passage of pro-consumer legislation to prevent ID theft and collaboration among public and private entities to combat the crime. [Source]

 

WW – Bill Gates: Privacy Poses “Interesting Software Challenge”

While speaking at the tenth anniversary of Microsoft Research Asia, Microsoft Chairman Bill Gates said that privacy issues pose “an interesting software challenge.” Gates said that recent natural interaction software developments have made technology more pervasive. “When interaction gets more natural, computers can be everywhere to listen to you,” he said. Gates added that “society will have to have more explicit rules” governing privacy boundaries, adding that Microsoft has made a US$7 billion research investment in this direction. [Source]

 

US – Registered Traveler Program Halted After Data Breach

The Transportation Security Administration (TSA) announced that it is suspending new applications to the Clear Registered Traveler Program after vulnerabilities were discovered in the storage of applicants’ sensitive personal information. The security flaws came to light after an unencrypted laptop computer was stolen from San Francisco International Airport on July 26. The computer was owned by Verify Identity Pass (VIP), the company which operates the registered traveler scheme. It contained unencrypted personal information regarding approximately 33,000 travelers, including names, addresses, and passport and driver’s license numbers. In the wake of the data theft, government officials suspended new applications to the Clear program, and also asked that the subcontractor for the program immediately notify the individuals impacted. In addition, San Francisco and all other airports using Clear have been instructed to ensure that VIP suspends enrollment, ceases use of any unencrypted computers, and secures the devices until encryption can be installed. TSA requires registered traveler service providers and sponsoring entities to encrypt all files containing participants’ sensitive personal information. [TSA’s press release on the suspension of the Clear program] [Clear] [EPIC’s page on passenger profiling] [EPIC’s Spotlight on Surveillance Regarding Registered Traveler Programs]

 

WW – IE 8 Will Offer Cross-Site Scripting Protection and Privacy Mode

Microsoft’s Internet Explorer 8 (IE 8) browser, which is presently in beta testing, will include a cross-site scripting filter to help protect users from attacks. Firefox users can install the NoScript plugin, but IE users have had no way to protect themselves from cross-site scripting attacks. The new release of IE will also allow users to decide how much information the browser keeps about their web surfing habits. Most users can already do this manually each time they want to clear the data, but IE 8 will have a privacy mode which will automatically clear the data every time. [Source] [Source] [Source]

 

WW – Even Security Pros Vulnerable to Scams

Computer security professionals tend to be a highly paranoid bunch, seeing potential threats everywhere. It turns out that some aren’t cautious enough, though. Two researchers demonstrated at the Black Hat hacking conference how they had gotten computer security experts to let their guard down online the same way they advise the average Internet user not to, especially on social-networking websites. A relatively simple ruse persuaded dozens of prominent security analysts to connect on their social networking Web pages with people who weren’t friends at all. They were fake profiles, purportedly of other well-known security pros. The scam was designed to expose the trust that even some of the most skeptical Internet users display on some of the most insecure sites on the Web. Some social networking sites can be dangerous because they allow people to post programming code - used for good or evil - on other people’s pages. Even networking sites that don’t allow that step carry their own security risks, because it’s relatively easy for someone to masquerade as a “friend” who isn’t actually friendly - and recommend malicious Web sites to click on. [Source] See also: [MySpace, Facebook suddenly not so friendly] See also: [Researchers Crack Medeco High-Security Locks With Plastic Keys] and [Now at Black Hat: a lawyer to vet your hacking]

 

WW – Free Background Criminal Searches Available on the Net

Want to vet a baby sitter? Need to peek into the background of a prospective employee? Curious about the past of a potential date? Last month, PeopleFinders, a 20-year-old company based in Sacramento, introduced CriminalSearches.com, a free service to satisfy those common impulses. The site, which is supported by ads, lets people search by name through criminal archives of all 50 states and 3,500 counties in the United States. In the process, it just might upset a sensitive social balance once preserved by the difficulty of obtaining public documents like criminal records. [Source]

 

UK – £68m ‘Snooping’ Database: Little Impact On Serious Crime

Powers to snoop on the UK’s email and internet records will be of limited use in tackling serious crime, the government has admitted. Home Office proposals for phone, email and internet records - including VoIP - to be kept for 12 months are expected to cost taxpayers up to £68m to set up and £39m per year to run. Consultation papers released this week show the government wants to keep the “who”, “when” and “where” of communication to “assist in the investigation, detection and prosecution of serious crime”. But a spokeswoman for the Home Office admitted the proposals would be of restricted use against organised criminals or terrorist organisations, as they were likely to disguise their communications. Hiding internet or email traffic is relatively simple using methods such as logging on using unregistered 3G dongles, using third party wi-fi networks and by sending email using a secure tunnel and proxy. The spokeswoman suggested the information may be of more use against ordinary citizens and minor criminals. [Source]

 

CA – RCMP Push National Police Data-Sharing Project

Canadian law enforcers are working on a searchable index of record management systems and a query tool that will encourage greater information exchange. The National Integrated Interagency Information (N-III) system, a new information sharing initiative for police, public safety and federal agencies across Canada, will be a topic of discussion at the CACP annual conference in Montreal on August 24. Headed by the RCMP, N-III will initially consist of two tools: the Police Information Portal (PIP) for law enforcement agencies and the Integrated Query Tool (IQT) for federal government departments and public safety agencies. IQT will provide access to police information through a governance-based access control (GBAC) filter, which aims to ensure that various information sharing laws are respected and agencies only access the data to which they are legally entitled. The project began roughly four years ago and is scheduled for implementation in the spring of 2009. Currently, 172 of the 192 police agencies across Canada will participate. The remaining 20 are expected to join after resolving technology-related issues. As many as eight federal agencies may also be involved. [Source]

 

US – Congressional Leaders Address Corporate Behavioral Profiling

Senior members of Congress have requested details of Internet companies’ efforts to spy on their customers. In a letter sent to 33 companies, including AT&T, Time Warner, Microsoft, and Google, the Congressmen ask whether the companies have experimented with certain behavioral advertising techniques which impinge on consumer privacy and may fall afoul of federal law. The inquiries come after Congress criticized two companies (Charter, Embarq) that publicly announced their own plans to spy on their users. Members of Congress are now taking a preemptive step to determine whether other leading telcos and Internet firms are experimenting with similar invasive techniques. [Letter from members of Congress to 33 telecom companies] [Letter from senior members of Congress to Charter Communications] [EPIC’s page on Deep Packet Inspection and Privacy] Update: [Some Web Firms Say They Track Behavior Without Explicit Consent]

           

WW – Yahoo to Make Targeted Ads Optional

Yahoo! says it won’t target you to your face. On Aug. 8, the Internet giant announced that it will allow users to opt out of behavioral targeting on its site. But in fact, that change only affects behaviorally targeted ads that users see. The company will still collect information on the Web sites visited by unique computers, it just won’t serve ads to individual users based on the info. “This isn’t rejecting cookies outright, you are just preferring not to see the ads,” says Anne Toth, Yahoo’s head of privacy and vice-president of policy. So Yahoo will still know that you looked up Fannie Mae’s stock on Yahoo Finance and then checked out foreclosed homes on Yahoo’s real estate site. It just won’t serve you a mortgage ad based on that info when you’re checking e-mail. It will also still serve ads to you based on your location and the content of the page that you are on. Yahoo’s response follows Google’s rollout on Aug. 7 of DoubleClick tracking across its network and a way to opt out of tracking on the Google content network and DoubleClick tracking. Microsoft also allows users to shut off targeted ads. [Source] [Source]

           

AU – Google Launches Street View Surveillance Project in Australia

On August 4, 2008, Google Street View added Australia to its roster of countries subjected to 360-degree photographic surveillance. Google Street View enables users to view and navigate 360-degree street level imagery originally taken from cameras mounted on vehicles. In the past, Google Street View has posted compromising images that remain publicly available until someone files an online complaint. Privacy advocates worry that Google’s images invade an individual’s right to privacy. The Australian Privacy Foundation expressed concerns regarding: the posting of individuals’ images on the Internet without their consent; the unwanted identification of individuals’ presence in a specific location; and the use of inappropriate or illegal photo collection techniques. [Google Street View Australia] [Australian Privacy Foundation’s Policy on Google Street View] [Privacy advocates say Google’s gone too far] [Policy Framework for Analyzing Location Privacy Issues]

           

WW – Tech Giants Near Agreement On Human Rights Code

Some of the biggest technology and internet companies in the world have agreed a set of standards to protect human rights online that they hope the whole IT industry will adopt. The move could affect companies’ privacy policies worldwide. [Source] [Samway’s letter]

                                                  

EU – EU to UK: Does Phorm Service Conform to Privacy Laws?

The European Union (EU) wants feedback from the UK government regarding a behavioural tracking application. EU Telecom and Media Commissioner Viviane Reding sent a letter requesting the government’s stance on Phorm’s Webwise System, which lets Internet Service Providers track users’ Web browsing habits so they may target advertising to users based on preferences. Reding wants to know if the government believes the system “is in line with EU data privacy laws,” says the report. The UK Information Commissioner’s Office investigated Phorm earlier this year after British Telecom (BT) was found to have trialed its technology on subscribers without first notifying them, raising privacy concerns. No action was taken at that time. Reding has given UK officials 30 days to respond. [Source] See also: [‘Cloud computing’ trend heightens privacy risks]

 

SA – Easy Access to Students’ Confidential Data

Officials at Nelson Mandela Metropolitan University (NMMU) are investigating the easy accessibility of students’ personal information on the Internet. By entering a student’s e-mail address and date of birth, Web users can gain access to financial statements, academic records and exam timetables. “I can look at anybody’s personal details if I want to because all I need is an email address and date of birth, which I can get on Facebook,” said Marc Anthony Compton, the NMMU masters student who alerted university officials to the problem. An NMMU spokesperson said the university had not anticipated the public display of dates of birth on social networking sites, and said: “The University is busy investigating the matter and views a possible breach of students’ privacy in a serious light.” [Source]

 

AU – Australia’s 20-Year-Old Privacy Laws Need a Re-Write: ALRC

The Australian Law Reform Commission has concluded its largest ever research and public consultation exercise with the launch of its report For Your Information: Australian Privacy Law and Practice, which recommends a re-write of the nation’s 20-year-old privacy laws to keep pace with the information age. The three-volume, 2700 page report was launched by Senator John Faulkner and Attorney-General Robert McClelland, recommending 295 changes to privacy laws and practices that will be implemented in two stages over the next three years. Weisbrot said the most significant recommendation for reform is a complete restructuring and simplification of the statutory framework of the Privacy Act, so that it is focused around 11 uniform principles as opposed to separate principles for government and private sectors, which left many individuals and businesses wading through massive amounts of complex material to find what laws apply to them. The first stage of reforms, set to be implemented within a year’s time, will address this process of simplifying and streamlining the Privacy Act, while the second stage, which will include statutory course of action for data and privacy breaches, will be looked at in 12-18 months’ time. The ALRC also made recommendations to give the Privacy Commissioner more power to exact stronger penalties on non-compliant organizations, allowing the Commissioner to seek court orders enforcing compliance, or imposing monetary sanctions or civil penalties for serious or repeated breaches. The recommendations also called for consultation with young people to improve their control of personal information on social networking sites. Walls said the real fight will start once parliament gets a hold of the recommendations and starts trying to trim them into real laws. “Then we’ll see whether enforcement actually occurs. But that is several years out, I think we’re probably looking at three years in terms of real impact,” he said. [Source] [Coverage]

 

US – Washington State Supreme Court Rules In Favor of Privacy Rights

Last week the Washington State Supreme Court ruled in favor of the privacy rights of teachers accused of sexual misconduct. The lawsuit was brought by 15 teachers asking the judiciary to prevent their districts from releasing their identities in response to a public-records request by The Seattle Times. The court, in a 6-3 vote, sided with the accused teachers, finding that the names of teachers must be disclosed only in cases where sexual misconduct has been found or some form of discipline has taken place. In unsubstantiated cases, the details of any investigation may be disclosed, but with the teacher’s name redacted, or blacked out. Justice Mary Fairhurst, for the majority, wrote: “The mere fact of the allegation of sexual misconduct toward a minor may hold the teacher up to hatred and ridicule in the community, without any evidence that such misconduct ever occurred.” Justice Barbara Madsen dissented, writing that as a consequence of the court’s ruling, “predatory teachers may go undetected and unpunished. But the most unfortunate consequence, and one that is completely unacceptable, is that if predatory teachers are undetected, children will continue to suffer at their hands.” [Source] [Decision]

           

US – World Privacy Forum Comments on Border Crossing Information System

The World Privacy Forum submitted public comments to the DHS regarding its proposed Border Crossing Information System. The BCI system would set up a database of all border crossings via car, rail, air and other means, including collecting identifiable data on the activities of American citizens. Information collected includes biographical and other information such as name, date of birth, gender, a photograph, itinerary information, and the time and location of the border crossing. The WPF comments focus entirely on the proposed Routine Uses of the system. As currently written, the DHS proposal contains some Routine Uses that directly contravene the Privacy Act and are illegal. Other Routine Uses are overbroad and vague, and still others contravene guidance from the Office of Management and Budget (OMB). One example of an overbroad Routine Use is Routine Use J, which will allow DHS to release data collected for the Border Crossing Information System for hiring decisions or contract awards. This information may be requested by Federal, state, local, tribal, foreign, or international agencies. Another Routine Use, G, impermissibly duplicates and weakens the Privacy Act’s condition of requirement for notice when information is disclosed in certain circumstances. [Full text] [Source]

 

US – Judge Rules on Posting SSNs

A federal judge has ruled that the Internet postings of a Virginia privacy advocate are protected under the First Amendment. The ruling represents a partial win for B.J. Ostergren, who challenged a Virginia state law that prohibits the posting of Social Security numbers (SSNs) on the Internet. Ostergren has been posting the SSNs of court officials and well-known people on her Web site in an effort to reveal the government’s negligence in protecting individuals’ privacy. U.S. District Judge Robert Payne deemed the law unconstitutional, but did not go so far as to overturn it. [Source]

 

UK – Survey Says: Many Have Disclosed Income Info Online

An America Online (AOL) survey has revealed that 89% of UK residents have disclosed sensitive financial information online. This number clashes with previous polls, in which 84 percent of Brits claimed they haven’t disclosed income details online. The AOL survey queried 1,000 residents. “Our research identified a significant gap between what people say and what they do when it comes to protecting sensitive information online,” said Jules Polonetsky, AOL’s chief privacy officer. The results come as UK Information Commissioner Richard Thomas calls on Internet providers to educate users about safeguarding their privacy. AOL has launched a campaign for that purpose. [Source]

 

US – FTC Explores RFID Privacy Concerns

In a continuing exploration of the impact of radio frequency identification (RFID) technology, the Federal Trade Commission (FTC), in conjunction with the Transatlantic Symposium on the Societal Benefits of RFID, will host another workshop on RFID privacy concerns and contactless payments next month in Washington, D.C. The workshop will be free and open to the public. Participants will discuss new payments technology, the security and privacy threats that arise from the new technologies and potential solutions to decrease these threats. [Source]

 

US – Judge Lifts Gag Order on Subway RFID Hackers

Three MIT students who had planned to demonstrate their hack of Boston’s subway and bus system, which uses RFID ticketing cards, were issued a gag order at the behest of the Massachusetts Bay Transportation Authority (MBTA) to ban them from doing so. This week a judge reversed the ban in the name of academic freedom, arguing that the presentation was tantamount to three researchers publishing an academic paper. Executive director of the American Civil Liberties Union of Massachusetts Carol Rose was quoted as saying, “We need academic freedom and an ability to talk about these things, without fearing legal consequences.” [Source] [Source] [Source]

 

US – US Intelligence Issues Warning About Traveling Abroad with Electronic Devices

The US Office of the National Counterintelligence Executive (NCIX) issued a strongly worded advisory for travelers warning them to take special precautions when traveling overseas with portable electronic devices. The warning appears to be aimed specifically toward those travelling to China for the Olympic Games. Security services in China are capable of tracking individuals’ whereabouts through mobile phones and PDAs and of turning on microphones in devices without users’ knowledge; users are urged to remove batteries from the devices when they are not being used. Travelers should not take electronic devices with them unless they are absolutely necessary, and they should assume that if the devices are examined by customs officials or their hotel rooms are searched that the contents of their hard drives have been copied. Travelers should also change all their passwords frequently during their travels and again as soon as they return home. All information sent electronically can be intercepted. The advisory does not name China specifically, but in a television interview and a press release, NCIX head Joel Brenner did mention China. The advisory also says, “In most countries you have no expectation of privacy in Internet cafes, hotels, offices, or public places.” Malware can be placed on the devices with USB drives or other freebies; by the same token, do not use your own USB drive in foreign computers. It may be a good idea to encrypt the data on the devices, but customs officials in some countries may not permit travelers to bring in encrypted data. [Source] [Source] [Source] [Source]

 

US – Customs / Border Patrol Electronic Device Search Policy Raises Privacy Concerns

According to recently released documents from the US DHS, federal agents have the authority to “detain” travelers’ electronic devices, including laptop computers, for an unspecified period of time even if the traveler is not suspected of any wrongdoing. In addition, the devices’ contents may be shared with other entities, including those who provide translation or decryption services. The policies emphasize the necessity of protecting proprietary business and privileged attorney-client information, but there is no mention made of special handling for medical or financial data. Senator Russell Feingold (D-Wis.) plans to introduce legislation that would require reasonable suspicion for border searches and prohibit agents from profiling travelers by race, religion or national origin. [Source] [Source] [Source]

 

US – TSA to Deploy Full Body Scan Machines at More Airports

After a year of testing, Transportation Security Administration (TSA) officials will implement full body scan machines at Boston’s Logan International Airport this fall, and at another 19 of the nation’s busiest airports by the end of next year. The machines (a millimeter wave machine and a backscatter machine) will be able to identify inorganic materials, and are expected to be a faster and more hands-off way to detect contraband at security checkpoints. The resulting image, viewed by personnel in a nearby room, reveals a naked picture of the passenger. This, and the fact that passengers’ only known alternative to the method is a physical pat-down, has raised privacy concerns. [Source]

 

UK – Card Crime Exposed: The True Identity of Card Fraud in the UK

192 and The 3rd Man have joined forces to reveal the most comprehensive picture of card fraud in Britain. Their research shows where the major fraud hotspots are throughout the UK and also reveals exactly how card criminals ply their trade. Furthermore, users of 192business.com’s customer ID check service have revealed that for every fraud that is reported, a further 8 attempted frauds go unreported and ignored by both law enforcement and the banks. As providers of customer ID check solutions to help retailers prevent fraud, 192business.com has produced some research into the modus operandi of the fraudster. Based on interviews with convicted and unconvicted fraudsters, this research provides a useful insight into the who, the what, the when, the where and the why of card fraud. [Research Report] [Source] [Fraudster’s Modus Operandi] [UK PostCode Map]

 

UK – UK Passport Chips Easily Cloned

Tests conducted for The Times found that the UK’s new microchipped passports can be cloned in just minutes. The forged passports were not detected as such by Golden Reader, the software recommended for use in international airports. The microchips were designed with the intent of protecting the country from terrorism and organized crime. The findings also raise concerns about 3,000 blank passports that were stolen last week; officials said they posed no danger because passports could not be forged. The tests were conducted by a security researcher at the University of Amsterdam. [Source] See also: [Government reply to the report from the Home Affairs Committee: UK Report: A Surveillance Society?] Background: Report on the “Surveillance society” by the House of Commons Home Affairs Select Committee: [Volume 1] [Evidence Volume 2]

 

US – President Consolidates Surveillance Authority

On July 30, 2008, President Bush revised a key Executive Order that defines the authorities of the US intelligence agencies. First written in 1981, Executive Order 12333 establishes the “Goals, Directions, Duties, and Responsibilities with Respect to United States Intelligence Efforts” as well as the “Conduct of Intelligence Activities.” The newly amended Order establishes the Director of National Intelligence as the head of the Intelligence Community who bears ultimate responsibility for the production and dissemination of intelligence. Also, the Director “may enter into intelligence related agreements with foreign governments and international organizations.” The DNI exercises budgetary authority over the National Intelligence Program to create groups and acquire resources that facilitate the task of “lead[ing] a unified, coordinated, and effective intelligence effort.” This Order contains several definitional changes, including the introduction of the terms “civil liberties” and “privacy,” and replacement of the vaguely descriptive “special activities” with the better understood “covert action.” Critics claim that the amended Executive Order 12333 unnecessarily expands Executive power. The ACLU has expressed fears that the new focus on domestic threats allows the DNI to task any agency to spy on American citizens at home. The Electronic Frontier Foundation asserts that the proposed amendments are unnecessary because sufficient mechanisms are already in place to conduct surveillance. Some legislators condemn the Bush administration’s penchant for secrecy and prior violations of existing Executive Orders. Senators Russ Feingold and Sheldon Whitehouse plan to introduce a bill that requires the President to place a notice in the Federal Register upon modification or revocation of a published Order. Senator Feingold cites the administration’s claim that the warrantless wiretapping program constituted a tacit amendment, not a violation, of Executive Order 12333.
EPIC previously warned the 9/11 Commission that new surveillance authorities require new forms of oversight. Freedom of Information Act litigation pursued by EPIC found that the Intelligence Oversight Board has routinely failed to investigate unlawful investigations since passage of the Patriot Act and urged Congress to establish a statutory basis for oversight of intelligence abuses within the United States. [2008 Amendments to Executive Order 12333] [Executive Order 12333] [Senate Bill, S. 3405 (introduction pending)] [EPIC Testimony Before the 9-11 Commission] [EPIC FOIA Notes #12: More Reports of Unlawful Intelligence Investigations]

 

UK – Privacy Regulator Plans Annual Surveillance Reports

The UK Information Commissioner’s Office (ICO) has responded to a Parliamentary report on surveillance and has agreed with the Commons Home Affairs Committee that it should produce an annual review of surveillance. The ICO has also said that there should be an annual Parliamentary debate on surveillance. The ICO said that its powers under the Data Protection Act allowed it to produce a report, but only on some of the areas of concern. It would not, it said, include anything to do with wiretap law, the Regulation of Investigatory Powers Act (RIPA). The ICO said that transparency was important, and that the Government should be clearer about what it will use collected data for. “Government should be more open about its intentions in relation to collecting personal information,” it said. “This is of particular importance as in the vast majority of cases, the citizen does not have a genuine choice about what personal information is collected by Government.” The ICO’s response to the Select Committee report said that while information technology had made the creation of massive databases easier, advances in IT are now making it possible to reduce reliance on databases. “We also welcome the recommendation that Government adopt a principle of data minimisation in its policy and in the design of its systems,” it said. “This is of particular relevance as technologies have now advanced to such an extent that the collection, storage and use of large amounts of personal information are no longer necessary in many cases for service delivery.” “Better use of different identity management approaches, more advanced forms of information assurance and technologies that authenticate rights to services rather than identify individuals may bring the days of the large scale “dinosaur databases” to an end,” it said.
“Greater use and more effective exploitation of these technologies would begin to address the concerns raised in the report about retaining personal information and also help mitigate security concerns.” [Source]

 

US – NYPD Seeks to Screen Vehicles Entering Manhattan

The New York Police Department is working on a plan to track every car, truck or other vehicle entering Manhattan and screen them for radioactive materials and other terrorism threats. The ambitious proposal, called Operation Sentinel, is being developed alongside a separate $90 million security initiative to tighten security at the World Trade Center site and elsewhere in lower Manhattan. Police officials say Operation Sentinel would rely on license-plate readers, radiation detectors and closed-circuit cameras installed at the 16 bridges and four tunnels serving Manhattan. About a million vehicles drive onto the island every day. The vehicle data (license plate numbers, radiological readings and photos) would be automatically analyzed by computers programmed with information about suspicious vehicles. There is no estimate yet of the cost, since Operation Sentinel is in just the planning phase. The proposal already has raised red flags among civil rights advocates. [Source] See also: [Quebec Cruiser Scanners Connect Plates, People]

 

US – Facebook Beacon Lawsuit Filed

Nineteen users have filed a class-action lawsuit against Facebook and its partners for alleged privacy violations. The suit says that Facebook’s Beacon program, which lets users know about their friends’ online purchases, violated various federal and California laws. The plaintiffs say that the opt-out mechanism for the program was neither robust nor accessible enough for them to prevent the program from running. Facebook launched Beacon in November of 2007 and revised the program in December so that members would have to opt-in to Beacon in order for the program to run. [Source]

 

US – Behavioral Tracking by ISPs May Lead to Digital Privacy Legislation

Written responses to questions from the US House of Representatives Committee on Energy and Commerce indicate that nearly all of the 33 Internet providers contacted have gathered and analyzed data about customers’ Internet usage without their permission and used the information for targeted advertising. Rep. Ed Markey (D-Mass.) says this is reason enough to “create a law that ... includes a set of legal guarantees that customers have with regard to their information.” Markey says that consumers should be able to opt-in to online behavioral tracking rather than having to opt-out or be subject to undisclosed tracking. Some companies that tested deep packet inspection technology to target online advertising said they did so without the explicit consent of their customers. [Providers’ Responses] [Coverage] [Coverage] See also: [Phorm also worked with US ISPs] and [UK.gov misses deadline on EU Phorm probe]

 

IS – Police Demanding ISP User Details

Israeli Police have been abusing the “Big Brother Law” by forcing telecom companies to give them subscriber information beyond that allowed by law. Officials from an Israeli telecom provider told the Knesset’s Constitution, Law and Justice Committee that police have been circumventing committee approval and asking for information they are not privy to under the law, such as dates customers signed up for service, the type of phones they use and how they make payments. The law, passed last year, allows police to set up a database of telephone and cellular phone numbers and certain other telecommunications data, but these requests fall outside that scope. Committee chairman Menachem Ben-Sasson said: “Our prestige as Knesset members who believe in the law is at stake. We never believed we’d discover such failures.” [Source]

 

US – Group Decries “Attempts to Circumvent Electronic Privacy Law”

The Electronic Frontier Foundation (EFF) has filed friend-of-the-court briefs in two key electronic privacy cases that the group says threaten to expand the government’s spying authority. In the first case, EFF filed a brief with the 9th U.S. Circuit Court of Appeals arguing that federal wiretapping law protects e-mails from unauthorized interception while they are temporarily stored on the e-mail servers that transmit them. The second case concerns a request by the Department of Justice (DOJ) to a federal magistrate judge in Pennsylvania for authorization to obtain cell phone location tracking information from a mobile phone provider without probable cause. The magistrate instead demanded that the DOJ obtain a search warrant based on probable cause, and the DOJ appealed that decision to the federal district court in the Western District of Pennsylvania. In an amicus brief filed Thursday, EFF urged the district court to uphold the magistrate’s ruling and protect cell phone users’ location privacy. The American Civil Liberties Union (ACLU), the ACLU-Foundation of Pennsylvania, and the Center for Democracy and Technology (CDT) also joined EFF’s brief. [Source]

 

US – No-ID Database: US travel

Since June, thousands of fliers have arrived at airport security checkpoints without identification and Transportation Security Administration officials have added their personal information to a database aimed at identifying potential terrorists. The names, addresses, Social Security numbers, nationality, race and physical features of those with no ID have been recorded in the database, along with the information on those who have violated security laws or have been questioned for suspicious behavior, the report states. Civil liberties advocates have raised concerns about the repercussions of such a practice, given that the individuals without IDs have done nothing wrong. In a policy reversal, yesterday TSA chief Kip Hawley told USA Today that, although the database will continue, effective immediately the agency has stopped storing the records of those who arrive at checkpoints without identification, as they pose no security threat. [Source]

 

US – Ninth Circuit Rules People on ‘No-Fly’ List Can Challenge Status In Federal Courts

The US Court of Appeals for the Ninth Circuit has ruled that those placed on the government’s “no-fly list” can challenge their inclusion on the list in federal district courts. The issue came before the court in a case brought by a woman on the list, in which a district court had ruled that it lacked jurisdiction because of a law exempting Transportation Security Administration (TSA) orders from federal trial court review. Reversing the decision, the Ninth Circuit held that the Terrorist Screening Center which actually maintains the list is a subsection of the Federal Bureau of Investigation (FBI) and is therefore subject to review by the district courts: “Our interpretation of section 46110 is consistent not merely with the statutory language but with common sense as well. Just how would an appellate court review the agency’s decision to put a particular name on the list? There was no hearing before an administrative law judge; there was no notice-and-comment procedure. For all we know, there is no administrative record of any sort for us to review. So if any court is going to review the government’s decision to put Ibrahim’s name on the No-Fly List, it makes sense that it be a court with the ability to take evidence.” [Source] See also: [US: Pilot Sues To Get Off Terror Watch List]

 

US – Citizens’ U.S. Border Crossings Tracked

The federal government has been using its system of border checkpoints to greatly expand a database on travelers entering the country by collecting information on all U.S. citizens crossing by land, compiling data that will be stored for 15 years and may be used in criminal and intelligence investigations. Officials say the Border Crossing Information system, disclosed last month by the Department of Homeland Security in a Federal Register notice, is part of a broader effort to guard against terrorist threats. It also reflects the growing number of government systems containing personal information on Americans that can be shared for a broad range of law enforcement and intelligence purposes, some of which are exempt from some Privacy Act protections. While international air passenger data has long been captured this way, Customs and Border Protection agents only this year began to log the arrivals of all U.S. citizens across land borders, through which about three-quarters of border entries occur. The volume of people entering the country by land prevented compiling such a database until recently. But the advent of machine-readable identification documents, which the government mandates eventually for everyone crossing the border, has made gathering the information more feasible. By June, all travelers crossing land borders will need to present a machine-readable document, such as a passport or a driver’s license with a radio frequency identification chip. In January, border agents began manually entering into the database the personal information of travelers who did not have such documents. The disclosure of the database is among a series of notices, officials say, to make DHS’s data gathering more transparent. Critics say the moves exemplify efforts by the Bush administration in its final months to cement an unprecedented expansion of data gathering for national security and intelligence purposes. 
The data could be used beyond determining whether a person may enter the United States. For instance, information may be shared with foreign agencies when relevant to their hiring or contracting decisions. Public comments are being taken until Monday, when the “new system of records will be effective,” the notice states. [Source]

 

US – Missing Laptop Keeps Traveller Program From Registering New Fliers

The Transportation Security Administration suspended Verified Identity Pass from enrolling travelers in its pre-screening program after a laptop computer containing the records of 33,000 people went missing. The company, based in New York, lost possession of the laptop July 26 at San Francisco International Airport. The laptop contained unencrypted pre-enrollment records of individuals, the TSA said in a statement. The laptop had the names, addresses and driver’s license or passport numbers of mostly online applicants to the Registered Travel program, which allows customers to pass quickly through security checkpoints at 17 U.S. airports, the company said in an e-mailed statement. Verified Identity Pass has more than 200,000 customers. It already started notifying the affected people about the breach. The laptop was stolen from a locked office in the airport, the company said. [Source]

 

US – Homeland Security Seeks Privacy Act Exemptions

The Department of Homeland Security (DHS) has proposed the exemption of certain departmental systems from Privacy Act requirements. The department will accept comments on the proposition until September 17. DHS wants Fraud Detection and National Security Data System information to be inaccessible to the general public. The department cites the protection of confidential informants as a key reason for the change. Earlier this week, the DHS finalized a rule making its new Pattern Analysis and Information Collection System, used by Immigration and Customs Enforcement officials, exempt from certain portions of the Privacy Act. [Source]

 

US – Senate Approves Amended ID Theft Legislation

The US Senate has unanimously approved an amended version of the Identity Theft Enforcement and Restitution Act, sponsored by Senators Patrick Leahy (D-Vt.) and Arlen Specter (R-Pa.). It now goes back to the House of Representatives for consideration. The legislation originally passed the Senate in November 2007, but stalled in the House. The Senate tacked the legislation onto a House bill that guarantees former Vice Presidents and their immediate families Secret Service protection for six months after leaving office. If it becomes law, the bill would allow identity theft victims to seek restitution for their time and funds spent fixing their credit and other effects; allow prosecution of thieves who impersonate a business; and give felony status to the crime of using spyware or keystroke loggers to damage 10 or more computers. [Source] [Source]

 

US – Texas: State Loses Attempt to Argue Anew for Sex Toy Ban

A federal appeals court turned down Attorney General Greg Abbott’s attempt to reinstate a ban on the sale and marketing of sex toys, upholding its previous ruling that the prohibition violated Texans’ right to privacy. The 5th U.S. Circuit Court of Appeals in February had struck down the Texas law, which made it illegal to sell or promote obscene devices, ruling that it violated the right to privacy guaranteed by the 14th Amendment. The attorney general sought a rehearing on the matter, decided by a panel of judges. The state argued that the full court should have a chance to rule, but the court turned down the request and said any appeal would have to be decided by the U.S. Supreme Court. [Source]

 

US – Tiny Sensors Can Track You for Your Own Good— or Your Company’s

GOT rhythm? If so, you are likely to be more productive than your arrhythmic colleagues. That was one conclusion drawn from a study carried out recently by Benjamin Waber and Sandy Pentland of the Massachusetts Institute of Technology. Moreover, it did not apply only when the subject of the study was typing away furiously. It also held when he was sitting, wandering, fidgeting or chatting with his colleagues. Those who did so with measured regularity were more productive than those whose activity levels, though the same on average, flitted from high to low to somewhere in between. Mr Waber and Dr Pentland made this discovery using high-tech identity badges that capture a wearer’s movements and interactions second-by-second. Each badge is fitted with a set of motion-sensors, a microphone, a microprocessor and a radio transceiver that allow it to sense and broadcast back to base a person’s location, the direction he is moving in if walking, the movements of his body if he is stationary, and the timbre and inflection of his voice if he is talking—together, of course, with the length of the conversation and the identity of the other party if he, too, is a badge-wearer. This information, when combined with data on productivity, illuminates which habits of work are most effective and illustrates which social networks within a company are of value. [Source]

 

+++