UK – UK Can Take Global Lead on Biometrics

The UK could take a global lead in the biometrics industry, but is currently too fragmented in its approach and lacks an independent focal point, according to new research from the University of Kent and the UK Biometrics Institute (UKBI). The report, commissioned by the government-backed Cyber Security Knowledge Transfer Network (KTN), argued that UK small and medium sized firms are carrying out innovative work in the area, and that consumers are willing to accept biometrics despite some privacy concerns. However, it found that SMEs are struggling to sell their ideas into the mass market, suppliers could do more to answer public concerns, and the government is not doing enough to stimulate the sector. [Source]

US – Face-Recognition Tool Nabs ID Theft Suspect

Privacy advocates have long charged that the use of facial-recognition technology not only is a threat to privacy, it is also has proven to be ineffective. Despite a number of high-profile implementations over recent years, few if any arrests can be directly attributed to face-recognitions systems. Score one arrest for the Pierce County (Wash.) Sheriff’s Department, which successfully used the Sagem MorphoFace Investigate (MFI) system to break up a local identity theft ring, the company announced. The department had been investigating cases of identity theft that involved the theft of ATM cards and subsequent withdrawals from victims’ bank accounts. The only evidence obtained by detectives was a grainy photograph taken of a suspect by an ATM camera during one of the illegal transactions. Using the MFI system, detectives searched the county’s 350,000-mug shot digital database and returned two possible matches in less than 5 seconds. It turned out that both matches were to the same person, who had a history of identity theft. [Source]

CA – CSIS Monitoring Calls Between Suspects and Their Lawyers

Canada's spy service has been listening to telephone conversations between terrorism suspects and their lawyers for the past 18 months as part of a strict monitoring program developed by the government. The revelation enraged defense lawyers who argue that intercepting these calls breaches the fundamental right of solicitor-client privilege. "I feel as though my house was broken into," said Toronto lawyer Barb Jackman. "It's incredibly invasive." The issue arose in the case of Egyptian refugee Mohamed Zeki Mahjoub, who is accused of conspiring with Al Qaeda and has fought the government's attempts to deport him for the past eight years. Mahjoub's case is one of five under the controversial immigration law known as "national security certificates." In April 2007, Mahjoub was released on stringent bail conditions after seven years in custody. Mahjoub's lawyers recently became concerned that their calls were also being monitored and pressed for answers. On Wednesday, a senior agent with the Canadian Security Intelligence Service testified in a secret Ottawa hearing that the agency was monitoring calls on behalf of the Canadian Border Services Agency. Justice Carolyn Layden-Stevenson released a two-page public summary of the testimony in a Toronto courtroom. It noted that calls to lawyers are monitored, "to the extent of being satisfied that the communication does not involve a potential breach of the terms of release or a threat to national security." "It is a privilege of the highest order and protected at the highest levels," said Jackman's co-counsel, Toronto lawyer Marlys Edwardh, regarding communication between lawyers and their clients. "It is a principle of fundamental justice itself." Edwardh said she cannot continue with the case until lawyers' calls are no longer monitored. [Source]

CA – EDL RFID ID Cards Raise Security Concerns

Security experts say they have managed to “steal” personal data from passports embedded with radio-frequency ID cards, the same technology embedded in some B.C. driver’s licences for the purpose of speeding up border crossings. And Canada’s privacy commissioner, Jennifer Stoddart, says she fears the cards may leave people vulnerable to similar breaches of privacy, which could allow your personal data to fall into the wrong hands. The more of your personal information crooks obtain, the greater chance they have of stealing your identity for financial gain. The U.S. unveiled RFID card-reading technology for border crossings at Blaine, Wash., as part of its Western Hemisphere travel initiative and a bid to allay concerns that the main B.C./Washington border crossing would be jammed during the 2010 Winter Games in Vancouver and Whistler. Stoddart said in a recent interview: “My office is involved in doing privacy impact assessments of [enhanced licences.] We remain concerned about the security around the distance-reading capacity. [Source]

CA – CBSA Changes EDL Data Housing Plans

The Canada Border Services Agency (CBSA) says a database containing the personal information of Canadian enhanced driver’s licence (EDL) holders will not be housed in the U.S., reports the Canadian Press. Canadian privacy commissioners had objected to the agency’s plans, citing data security concerns. Originally, the CBSA planned to transfer CDs with EDL-holders’ personal information to the U.S. Customs and Border Protection service to ease the border crossing process. But now the agency will keep the data. Despite this, federal Privacy Commissioner Jennifer Stoddart said the passport is still the ideal travel document for Canadians. [Source]

CA – Canadian Government-Funded Org Pushing APEC ID Card

The head of the Asia-Pacific Foundation of Canada is calling for the creation of a single identification-card system that can be used by frequent business travellers in both North America and Asia. If Yuen Pau Woo gets his way, the NEXUS card, now used to help Canadians and Americans cross the 49th parallel more quickly, will be expanded to Asia and added to the Asian Business Traveller Card (ABTC). “Having ABTC as an add-on to NEXUS will greatly expand the range of countries that business people can travel to without the need for a visa,” said Woo in an e-mail interview from Lima, Peru, where he was attending an APEC-sponsored (Asia-Pacific Economic Co-operation) Pacific Rim economic summit. “In particular, it will provide privileged access to 18 APEC-member economies without compromising the integrity of the U.S.-Canada border.” The Asia-Pacific Foundation is a national not-for-profit organization that conducts research on Asia and Canada’s trans-Pacific relations, and promotes dialogue on economic, security, political and social issues to help form public policy. It’s funded by Ottawa and the B.C. government. NEXUS holders currently avoid lineups and long wait times at borders by flashing their cards through biometric-recognition technology. The Canada Border Services Agency (CBSA) and U.S. Customs and Border Protection jointly administer NEXUS. Ottawa has three years to install the infrastructure required for ABTC, which aims to speed up the flow of travellers across borders by eliminating visa requirements, increase the number of days to at least 60 that visitors can stay without a visa, and reduce customs-clearance times. Some ABTC measures are already in place at major airports, but identification-card eligibility rules have not been finalized. However, “there are no immediate plans to expand NEXUS,” says a spokeswoman for the Canadian Border Services Agency. [Source]

CA – Alberta Commissioner: Proposed Amendments Diminish Privacy

Proposed amendments to Alberta’s health information act worry provincial Information and Privacy Commissioner Frank Work, reports the Calgary Herald. Work says the amendments would prevent Albertans’ from keeping their medical information out of the province’s electronic health record. Work also cited a lack of rules on how researchers can use the sensitive information contained in such records. The proposed legislation is being considered by an all-party policy committee. [Source]

CA – B.C. Health Minister Says Government Aware of Criminals Changing Names

Health Minister George Abbott says the B.C. government is aware that some violent criminals have been changing their names and that the province has already taken steps to try and keep an eye on them. NDP public safety critic Mike Farnworth has raised concerns that violent offenders try to hide their past by changing their identities. Farnworth said it’s outrageous that offenders can hide their past crimes with a name change and wondered what’s to stop a child sex offender from working with kids if they’ve changed their identity. But Abbott said the government invoked changes in 2002 that better track criminals seeking a new identity. “Anyone with a criminal record who proposes to change their name have to provide the RCMP with their original name, with their proposed changed name and fingerprints as well,” he said. Abbott added the provincial government is open to new ideas when it comes to tracking such people. [Source]

CA – Privacy Training in the Federal Public Service Needs Comprehensive Approach

The Privacy Commissioner of Canada writes in her latest annual report that providing all employees who handle personal information with privacy training is one of the key ways in which governments can prevent data breaches. Recent OPC audits underscored the need for comprehensive privacy training for employees who handle personal information in federal government departments and agencies. Part of the problem lies in the fact that there is no mandatory core curriculum for educating public servants who process or manage personal information about their basic duties and responsibilities under the Privacy Act. Nor is there a mandatory core curriculum for training these employees on widely recognized privacy fair information principles, which govern the appropriate collection, use, disclosure, and disposal of personal information within government. The OPC is of the view that a coordinated and comprehensive strategy needs to be developed and implemented by key players in the federal government: the Canada School of Public Service (CSPS); Treasury Board Secretariat (TBS); and ATIP offices in every federal government department and agency. [Source]

WW – Study: Identity Theft, Organized Retail Crime on the Rise

Identity theft, organized retail crime, and the effects of terrorist attacks are among the most urgent threats facing security managers in the near future, according to a new report issued in December. The report was conducted by the nonprofit Urban Institute’s Justice Policy Center and funded by ASIS Foundation, a charitable fund managed by the ASIS International security professionals’ association. It offers a broad look into security’s crystal ball, including patterns in computer crime, end user behavior, and security staffing. On the crime trends front, the report projects increases in identity theft, organized retail crime, and new terrorist attacks. “In the next five to 10 years, identity theft and fraud will continue to be the fastest growing crimes,” it states. “However, the nature of identity theft is likely to shift to more organized, high-stakes, global attacks.” [Source] [Report] See also: [Forecast: Security threats for 2009]

ES – Estonia to Use Mobile Phones to Simplify E-Voting

A decision in the Estonian parliament has opened the door for mobile phones to be used for authenticating voters in its 2011 election. Estonia has been at the forefront of electronic voting for a number of years. In 2005 it started using a national ID card for authenticating voters and giving the go-ahead for using mobile phones is a continuation of that, according to Silver Meikar, a member of the Estonian Parliament and a longtime proponent of e-voting. Voters will be authenticated using a digital certificate stored on SIM (Subscriber Identity Module) cards, which are already available to Estonians. "You still need a computer and the Internet, but now you will have a choice of using your ID card plus card reader or a mobile ID to authenticate yourself," said Meikar. What Estonia will not do anytime soon is allow mobile phone use for the whole voting process because security can't be guaranteed. The biggest challenge is the large number of operating systems that are currently used. It's not possible to develop secure software for all of them, according to Meikar. [Source]

UK – Scottish Public Lose Faith In UK Government’s Response to Repeated Data Losses

Over 80% of the population in Scotland has lost confidence in the UK government’s ability to look after personal data; this is the stark finding of the first comprehensive survey of its kind into the psychological impact of recent public sector information losses. The survey, commissioned by software company Objective Corporation and conducted by YouGov, has identified a complete breakdown in trust and soaring concerns over fraud and identity theft. Of the sample, 28% are very worried that the loss of personal files and important data such as national insurance information, tax details and banking records would directly impact them. A further 20% feel that such losses would impact them to a certain extent, while 22% of the sample felt that this could impact them but would wait for a response from the government itself before deciding. [Source]

CA – Proposed Bill Aims to Crack Down on Spam

The suspension of Parliament in the ongoing political crisis is not likely to interfere with a much-needed anti-spam bill tabled earlier this year. Bill S-202, which received it’s second reading last week just before Parliament was prorogued, would crack down on spam by prohibiting the sending of commercial emails to Canadians without their prior consent. Introduced by Senator Yoine Goldstein, the bill would also ban practices such as automated “email harvesting,” and would require all commercial email messages - even those sent legitimately - to have a clear subject line, accurate contact information, and an easy way to unsubscribe. Other measures in Bill S-202, or the Anti-Spam Act, cover “phishing” attacks. Phishing occurs when spam messages lure email users to fraudulent websites resembling those of trusted businesses, the aim being to fool them into entering their user names, passwords, or other information that can be used to gain access to their online accounts. The cost of spam-related crime to the Canadian economy is estimated to be in the billions. Penalties proposed by Goldstein’s bill range from a fine of up to $500,000 (or two years in jail), to a fine of up to $1.5 million (or five years in jail) for repeated offences. Additional fines equal to the profits from a spamming operation could also be imposed. Those harmed by spam would also be empowered to seek damages from the perpetrators in court. As well as providing police with new tools, Bill S-202 would equip Internet Service Providers (ISP) with the authority to block, filter and refuse spam messages. Upon giving reasonable notice, ISP’s would also be able to refuse or cancel service or refuse access to any person who has been convicted under the bill or who sends commercial electronic messages that the ISP has reasonable grounds to believe are sent in contravention of the bill. Businesses aware that they were being promoted by spam would also be liable unless they took action to stop the messages or notify authorities. Exemptions would be made for certain groups, such as charities, political parties, polling firms and businesses that have a pre-existing relationship with an email user. However, these groups would still be required to allow users to opt out of further messages. This year marks the 30th anniversary of the first spam email ever sent. [Source] See also: Canada source of over 9 billion spam messages a day: study]

CA – Federal Government and Alberta Announce “One Stop” Newborn Registration

Alberta parents of newborns can now use a single application form to register their child’s birth and apply for his or her Social Insurance Number (SIN). The joint initiative will streamline the birth registration and SIN application processes. There are approximately 50,000 birth registrations in Alberta each year. The province requires the birth of every newborn to be registered with Service Alberta within 10 days. With the Newborn Registration Service, after the birth registration is completed, the information will be sent electronically to Service Canada, which is responsible for issuing SINs to Canadians. The child’s SIN card will be delivered within fifteen business days at no cost to the applicant. [Source]

UK – Boffins Develop Data Provenance App to Prevent Breaches

University of Southampton researchers have put their heads together to develop an application to track the use and security of private data, in order to rebuild public trust in organisations holding sensitive information. Recent - and rather frequent - government data breaches prompted Professors Luc Moreau and Rocio Aldeco-Perez at the university’s school of electronics and computer science to examine how auditing of the processes surrounding the collection, encryption and use of private data can be used to keep information secure. The pair came up with the idea of using the concept of “provenance” - an idea based on finding the origins of a piece of art. “Provenance is a term which comes from diverse areas such as art, archaeology and palaeontology and describes the history of an object since its creation,” said Professor Moreau in a statement. “Its main focus is to establish that the object has not been forged or altered, we have found that we can now do the same audit with private data.” The essential idea is to use an application to track a piece of data as it moves through the system, so its origins and use can be examined, such as following a data breach. “At the moment when data is leaked, there is no systematic way to analyse the scenario,” said Professor Moreau. It could also be used in a more preventative form, according to the paper the pair published at a British Computer Society (BCS) conference. Enforcement agencies - such as the Information Commissioner’s Office - could use auditing to check compliance with the Data Protection Act, while businesses could monitor themselves and set up alarms for when policies are breached and a leak is possible.Essentially, embedding provenance technology into IT systems or with an add-on application could let organisations monitor their policies are being adhered to - key in the battle against such breaches, as many are caused by employees breaking company guidelines. With that in mind, the pair developed a tool to tack onto systems to securely audit such data. A prototype of the tool will be available within six months, the university said. The researchers plan to examine the potential to use middleware to track data. “Part of this work is to develop a provenance-based generic middleware to audit the processing of private information that can be used in applications independently of platforms and programming languages,” the paper said. [Source] Click here to read the top 11 lessons we all should have learned from a year of data breaches. See also: [NYT Opinion: The Push to Build an Electronic Health System (Deborah Peel)]

WW – Adobe Admits New PDF Password Protection Is Weaker

Adobe made a critical change to the algorithm used to password-protect PDF documents in Acrobat 9, making it much easier to recover a password and raising concern over the safety of documents, according to Russian security firm Elcomsoft. Elcomsoft specializes in making software that can recover the passwords for Adobe documents. The software is used by companies to open documents after employees have forgotten their passwords, and by law enforcement services in their investigations. For its Reader 9 and Acrobat 9 products, Adobe implemented 256-bit AES (Advanced Encryption Standard) encryption, up from the 128-bit AES encryption used in previous Acrobat products. But Elcomsoft said the change in the underlying algorithm for Acrobat 9 makes cracking a weak password -- especially a short one with only upper and lower case letters -- up to 100 times faster than in Acrobat 8, Sklyarov said. Despite using 256-bit encryption, the change to the algorithm still undermines a document’s security. Adobe acknowledged the encryption algorithm change on its security blog. The company said brute-force attempts -- where tens of millions of password combinations are tried in hopes of unlocking the document – could end up figuring out passwords more rapidly using fewer processor cycles. [Source]

EU – International Data Protection Agreement Reached

Efforts to improve data protection and data sharing practices between the United States and the European Union took a significant step forward with the declaration of a new set of common principles. The French EU Presidency, the European Commission, and the U.S. Homeland Security, Justice and State departments agreed to a Statement on Information Sharing and Privacy and Personal Data Protection at a meeting in Washington. The statement marks new progress on a set of principles intended to advance data privacy and data sharing in law enforcement circles. Baker said U.S. officials proposed the discussions after divisive negotiations over airline reservation data eventually resulted in an agreement on the handling of Passenger Name Record (PNR) data between the United States and the EU. A central component of the PNR agreement was a set of data protection principles that shield private companies and other countries from punishment for cooperating with antiterrorism data-gathering measures. The new agreement builds on those principles, although discussions are continuing. Negotiators still must fully resolve ways to protect those who cooperate in data-gathering measures. And they are still hammering out issues of redress (how to handle individuals' complaints about how their data was treated) and reciprocity (making sure that the United States and EU do not demand higher data protection standards from others than they demand of themselves and their member states), Baker said. [Source]

UK – Outcry Over Search Powers for Home Office On ID Cards

UK Home Secretary Jacqui Smith has been criticised by unions, campaigners and lawyers this week after the leaking of a confidential document giving her the power to search the homes of staff working on the identity card scheme. The non-disclosure agreement, between the Home Office and five IT firms contracted to work on the programme, allows the Home Secretary at their discretion to order searches of company offices and homes, and take away computers and information in order to ensure that details of the scheme are being kept safe. It was leaked last week to Phil Booth, co-ordinator of the pressure group No2ID. Mr Booth said: “This is something quite extraordinary. The Home Secretary can say, ‘I want to send some people into a private residence’. “It certainly rules out there being a need for a warrant to search the premises. It doesn’t say there will be recourse to law, reasonable discretion or anything like that”. None of the five companies - IBM, Fujistu, EDS, Thales and Computer Sciences Corporation - would comment on the document. Liberty director Shami Chakrabarti said: “This reveals the extent of Home Office arrogance and contempt for individual privacy. now it seems they want companies and employees to contract out of legal rights not to have private security guards trampling through their premises without a warrant”. The Home Office said it needed the agreement to secure data protection, and that it did not introduce any new legal powers. Ministers plan to distribute ID cards for British citizens from 2009. [Source]

EU – Counter-Terrorism Measures Must Not Violate the Right to Privacy

“Freedom has been compromised in the fight against terrorism after 11 September. Government decisions have undermined human rights principles with flawed arguments about improved security” said today the Council of Europe’s Commissioner for Human Rights, Thomas Hammarberg, publishing his issue paper on “Protecting the right to privacy in the fight against terrorism.” “Not only terrorism, but also our reaction to it pose a long-term, engrained threat to human rights. The time has come to review steps taken to collect, store, analyse, share and use personal data” said Commissioner Hammarberg. “Data protection is crucial to the upholding of fundamental democratic values: A surveillance society risks infringing this basic right.” “In the war on terror, the notion of privacy has been altered” he continued. “General surveillance raises serious democratic problems which are not answered by the repeated assertion that those who have nothing to hide have nothing to fear. This puts the onus in the wrong place: It should be for States to justify the interferences they seek to make on privacy rights.” Individuals are at risk of being targeted for being suspected extremists or threats to the constitutional legal order. Targets of this kind are moreover increasingly selected through unreliable and ineffective computer profiles. “Large numbers of innocent people are subjected to surveillance, harassment, discrimination, arrest or worse” underlined Commissioner Hammarberg. “This robs targeted individuals of fundamental safeguards, leads to alienation of the groups in question and thus actually undermines security. Moreover, these measures have a negative potential for discrimination which must be averted.” In the issue paper the Commissioner recommends that the response to these trends be a re-assertion of the basic principles of the rule of law as enshrined in international conventions and case-law. “In the fight against terrorism and organised crime, human rights standards and principles should not be abandoned but, rather, re-affirmed” stressed the Commissioner. “Terrorism must be fought, but not at the expense of human rights protection” he concluded. [Source] [Source] [Paper]

EU – European Panel to Review Laws

A panel established to help the European Commission (EC) revise EU data protection laws met for the first time. The panel includes privacy experts Peter Fleischer of Google and Intel’s David Hoffman, CIPP, an IAPP Board member. EC spokesperson Michele Cercone said the panel will identify issues and challenges raised by new technologies. Fleischer, who is “delighted to have been asked,” said that, among other recommendations, he will urge the commission to harmonize data protection enforcement by identifying one national data protection authority, and will also encourage the EC to move away from a location-based approach to data protection. [Source] [Source]

UK – Gov’t Announces Data Strategy to Reduce Risk of Breach

The government has set out plans for a data strategy that will minimise the risk of compromises in data security and reduce the risk of identity verification fraud. Brian Collins, chief scientific adviser to the Department for Transport, and the Department for Business, Enterprise and Regulatory Reform explained to database experts gathered for the conference A Fine Balance that innovative data quality software is set to be introduced. Monitoring measures will be introduced to public sector data systems to flag up every occasion sensitive identity verification data is accessed and alert senior management when such data in transferred. [Source] See also: [Plan to stop ID card leaks is ... leaked] and [Outcry over search powers for Home Office on ID cards] See also: [UK - Gov’t Wants Database of Intimate Info on Every Child]

WW – Survey: The Best Privacy Advisers in 2008

Which are the best firms at helping organizations navigate the complexities of managing customer and employee information? That’s the question posed last month to over 2,000 people responsible for data protection. This was the third year asking this question, so we’re now able to see some trend lines. I was surprised at the results, including a rise in privacy budgets and continued dominance of the legal profession at the top of the charts. The top three vote-getters remain unchanged from last year’s poll, while law firms Morrison & Foerster, Kelley Drye and London-based Bird & Bird moved up a tier. [Source]

AU – Telstra Says No to Child Porn Filtering

Telstra, Australia’s largest ISP, has dealt the Rudd Labor Government a slap in the face by refusing to participate in content filtering trials. Telstra said it is not in a position to participate in the government’s Internet filtering trial, primarily due to customer management issues. The company said it was separately evaluating technology that allowed blocking via defined blacklists. [Australian IT]

US – Equifax to Pay Indiana State $65,000 Of Slow Credit Freeze

Credit agency Equifax will pay Indiana $65,000 as a result of a consent judgment, the Indiana attorney general announced. The state had sued the agency after receiving numerous complaints that it wasn’t putting requested freezes on consumers’ credit reports quickly enough. An Indiana law, passed in 2007, requires Equifax and the other credit reporting agencies to put freezes on credit reports within five days of a consumers’ request. The law is supposed to help consumers avoid identity theft by making their reports unavailable for thieves who would try to open fraudulent accounts. Carter noted that there were about 19 complaints from consumers who said Equifax wasn’t freezing the reports within the required five-day period. In one of those complaints, the agency took 76 days to shut off access to the report. Indiana has one of the strictest credit-freeze laws in the country, Carter noted. Other states give the agencies more time to freeze the reports. There are 40 states with credit-report-freeze laws on the books. [Source]

US – Markel Corporation Announces New DataBreach(SM) Privacy Liability Coverage

Markel Corporation is pleased to announce the launch of DataBreach(SM), its new information risk and privacy liability insurance product. DataBreach(SM) helps businesses manage risk associated with their reliance on information technology systems as it relates to confidential information in their custody or care. DataBreach(SM) was created in response to the increase in identity theft that has been plaguing businesses worldwide in the past few years. It provides coverage for liabilities arising out of the breach of a company’s duty to protect confidential information, whether it’s on their website, network, the hard drive of a laptop, or in a paper file. The coverage also extends to a businesses liability arising out of an employee’s misuse of his/her access to confidential information. [Source] See also: [Over 41 Million Abandoned Canadian Online Accounts are Vulnerable to ID Theft and Fraud]

US – Survey: Insurers Cautiously Moving Toward Pay-As-You-Drive Insurance

Exigen Insurance Solutions, an IT 2.0 provider specializing in rapid implementation of new business initiatives and products for the insurance industry, reported the results of its Pay-Only-As-You-Drive survey. According to the survey, interest in pay-as-you-drive (PAYD) insurance has risen sharply in the past year. Some U.S. insurers are moving quickly to introduce PAYD products, while many insurers are taking a more cautious approach. Key survey findings show that insurers see protection of existing books of auto business as the major driver, and core systems technology as the biggest barrier to PAYD introduction. Despite the potential of PAYD insurance to unbalance prevailing auto rating models, little research on PAYD is currently available. The provider conducted several polls to find out how U.S. insurers are responding to this interest, their plans for PAYD product introduction, and what they see as the biggest market drivers and barriers. Exigen Insurance Solutions polled the 163 insurance company representatives from 91 companies. Some of the facts that emerged include:

59% of insurance company representatives declared their companies
have investigated/considered offering a PAYD product.
Two insurers indicated they would be offering a product by mid-2009,
and 12 stated they had plans to do so before the end of 2009.

“The results indicate that U.S. insurers are adopting a follow-the-leader approach to PAYD that is defensive rather than aggressive,” says the VP of marketing and business development for Exigen Insurance Solutions. “They are clearly monitoring PAYD market developments closely, concerned that if competitors begin to offer a PAYD product, they will have to act swiftly to protect their book of business.” [Source] [Survey]

UK – ‘Access all Areas’ for Media So Justice is Seen to be Done

The secrecy of the UK amily courts – in which nearly 95,000 cases are heard in private each year – is to end under reforms announced that will allow the media access to all levels of the system. The move could mean that social workers and expert witnesses who fail children, and now enjoy the protection of anonymity, will in future be named publicly when criticized by judges. Jack Straw, the Justice Secretary, said that from April the media would be permitted access to all family cases in all courts – from celebrity divorces to hearings over domestic violence or children being removed from families. “A really important veil is being lifted on what happens in these courts,” he said. Crucially, media reporting of the cases will be subject to tight restrictions to protect the welfare and privacy of the children and families involved. The moves follow a campaign by The Times, begun this year, to reform the family justice system and open up the courts amid accusations that they are operating under a “conspiracy of silence”. [Source]

CA – Privacy Commissioner Focuses on Privacy In Accessible Tribunal Records

The Privacy Commissioner of Canada tabled her annual report on the Privacy Act. The Commissioner reports on a whole range of complaints against tribunals and quasi-judicial bodies for publishing sensitive personal information about parties and non-parties. Decisions and tribunal records have always contained such information, but now that more of these decisions are readily available online, complainants are not happy that searching for their names online will bring up these decisions in the results. The Commissioner is hampered by the fact that she can’t order them to change their practices and that many of the disclosures are arguably permissible under the Privacy Act. In any event, she has issued a number of recommendations that have been ignored by many of the tribunals at issue, including:

Reasonably depersonalize future decisions that will be posted on the Internet;
Observe guidelines respecting the exercise of discretion to disclose personal information;
Remove decisions that form the basis of the complaints to the OPC from the Internet; and
Restrict the indexing by name of past decisions by global search engines

[Source] See also: [The Canadian Judicial Council 2005 report: Use of Personal Information in Judgments and Recommended Protocol]

US – New Rule Expands DNA Collection to Anyone Arrested

Immigration and civil liberties groups condemned a new U.S. government policy to collect DNA samples from all noncitizens detained by authorities and all people arrested for federal crimes. The new Justice Department rule, published mid-December and effective Jan. 9, dramatically expands a federal law enforcement database of genetic identifiers, which is now limited to storing information about convicted criminals and arrestees from 13 states. Congress authorized the expansion in 2005, citing the power of DNA as a tool in crime solving and prevention. The FBI created its National DNA Index System in 1994 to store profiles of people convicted of serious violent crimes, such as rape and murder, but the system has been expanded repeatedly, first to include all convicted felons, then misdemeanants and state arrestees. The data bank contained more than 6.2 million samples as of August, and officials estimate that 61,000 cases have been solved or assisted using DNA. The change could add as many as 1.2 million people a year to the national database, U.S. officials said. Supporters equate DNA collection to taking fingerprints or photographs at the time of booking. [Source]

US – The Doctor Will See All of You Now

Dr. Gene Lindsey, who this year took over as chief of the Harvard Vanguard Medical Associates health plan, sees his patients only in groups. They sit in a circle as the doctor discusses their ailments, and they listen to what he tells patients with identical symptoms. Patient health histories are sometimes taken beforehand individually. If a patient needs to disrobe for an examination or needs a shot, that is done in another room. If the patient wants to discuss a super sensitive subject, he or she waits until the end of the group session. Many patients, it turns out, are willing to sacrifice privacy and modesty for improved access to doctors. Patients willing to see their doctor in a group visit generally can get appointments far sooner. A waiting list of 400 to 500 patients at the group’s gynecology clinic in Burlington, Mass., was eliminated in several weeks when the practice started offering group visits, according. Many patients have similar problems and questions and can learn from one another in the group visits, according to Harvard Vanguard. Doctors make out better financially. Many insurers generally pay what they would if the doctor were seeing those patients individually. A doctor normally would see four to six patients in 90 minutes if he or she were seeing them one-on-one. Harvard Vanguard found in a survey this year that 77% of patients who had attended a group setting said they would do so again, 15% said they weren’t sure, and 5% said they would not. “The job of the physician has become literally un-doable,” Dr. Zeev Neuwirth, a Harvard Vanguard VP, said. “This is not a novelty; it’s really a necessity for saving primary care.” [Source]

US – Leavitt Announces New Principles for Privacy, Use of Patient Information

The growing computerization, exchange and analysis of patient data offer the potential to improve the quality of care and reduce costs and medical errors, but those benefits won’t be fully realized until privacy concerns are effectively addressed, outgoing HHS Secretary Mike Leavitt said. In a keynote address to the Nationwide Health Information Network Forum, Secretary Leavitt announced key privacy principles and a toolkit to guide efforts to harness the potential of new technology and more effective data analysis, while protecting privacy. Secretary Leavitt emphasized that appropriate privacy and security measures will be an essential sociological enabler of groundbreaking technology. “Consumers need an easy-to-read, standard notice about how their personal health information is protected, confidence that those who misuse information will be held accountable, and the ability to choose the degree to which they want to participate in information sharing,” Secretary Leavitt said. “Over time, consumer confidence in the handling of health information is likely to grow just as consumer confidence in online banking has grown, but that won’t happen without similar protections and transparency about the use of their information.” The privacy principles articulated by Secretary Leavitt are as follows: Individual Access - Correction, Openness and Transparency - Individual Choice - Collection, Use, and Disclosure Limitation -.Data Integrity - Safeguards and Accountability. In addition, Leavitt announced several tools to help consumers and health information exchanges advance toward privacy protection and consumer access to their information. For example, the “Leavitt Label,” modeled after the nutritional labels on food packaging, would allow consumers to quickly compare personal health record products. [Source] For additional information, visit www.hhs.gov/healthit/

US – Colorado to Share Health Information Across Health Care Organizations

Colorado has become one of the first states in the nation to demonstrate that electronic health information can be securely shared between hospitals and health care organizations at a statewide level. This data exchange will benefit more than 1 million Coloradans. The effort, a key component of Colorado Gov. Bill Ritter's Building Blocks to Healthcare Reform, aims to prevent medical errors, streamline care, improve quality, eliminate costly duplication of tests and promote health care affordability through interoperability of health information. Currently, 500 emergency clinicians are being trained to use the system, which shares the following information across emergency departments: Laboratory results; Medication history; EKG images; Radiology text reports; and Simple "problem lists" based on common diagnosis language. The CORHIO interoperability model, which pulls data directly from the electronic health record system of each participating organization instead of a central repository, is believed to be a safer and a more secure way to maintain patient privacy. Participation in the CORHIO program is voluntary. All patients have the option to opt-out of the exchange, which means their medical history information will be blocked from the system. Individuals can do this when they arrive in the emergency department of participating hospitals. The health information exchange officially went live on December 1, 2008. [Source]

US – Cleveland Clinic to Keep Face Transplant Patient ID Private

Tomorrow the Cleveland Clinic will announce the details of the first total face transplant procedure conducted in USA. It was successfully completed, but the clinic will keep the identity of the face transplant patient anonymous to respect patient and family privacy. [Source]

EU – Report: 21 Million German Bank Accounts for Sale

Black market criminals are offering to sell details on 21 million German bank accounts for €12 million (US$15.3 million), according to an investigative report published this week. Reporters for WirtschaftsWoche (Economic Week) managed to obtain a CD containing 1.2 million accounts after a November face-to-face meeting with criminals in a Hamburg hotel, according to the magazine. Posing as buyers working for a gambling business, the journalists were able to strike a price of €0.55 per record, or €12 million for all the data. They were given a CD containing the 1.2 million accounts when they asked for assurances that the information they would be buying was legitimate. That CD contained the names, addresses, phone numbers, birthdays, account numbers and bank routing numbers of the theft victims, they reported. In some cases, the victim’s account balance was also provided. The data was most likely collected from call center employees, the magazine reports. Although banking passwords were apparently not included on the CD, criminals would be able to use this data to withdraw funds from a victim’s account, said an independent security consultant based in Luxembourg. Scammers could use this type of information to initiate a large number of debits from German banks, making each withdrawal small in hopes that it would not be noticed by the victim, he said. [Source]

EU – Berlin Bank Accused of Country’s Largest Data Leak

Consumers in Germany have been affected by what is being calling the country’s largest data leak. A Berlin bank has reportedly lost data on thousands of credit card customers -- including their PIN numbers.

Strictly confidential information on over 10,000 credit card customers of the Landesbank Berlin (LBB) was anonymously sent to the Frankfurter Rundschau, the newspaper claimed on Saturday, Dec. 13. Because the LBB is the country’s largest creditor, said the paper, many customers of other banks are also affected by the data breach. Customers’ names, addresses, credit card numbers, bank account numbers, transaction information and -- in some cases -- PIN numbers were included on the micro-fiches the Frankfurter Rundschau had received. The case “overshadows all previous cases in size and especially in the quality of data,” Thilo Weichert, director of the Independent Center for Privacy Protection in Schleswig-Holstein, told the Berliner Zeitung. He said the LBB mishap was an “unbelievable and unique case.” “The credit card accounts can be maxed out to their credit limit,” added Weichert. [Source]

CA – Vancouver Exec Accused of Taking Data Tape: 3.2 Million Customers

When Nick Belmonte left his $150,000-a-year job at C-W Agencies in Vancouver earlier this month, the owners of the company accused him of taking a computer backup tape containing names and information about 3.2 million customers, potentially worth more than $10 million. The company said the tape also contained credit card and bank account information of more than 800,000 customers. Although the information was in encrypted form, the tape contained information and programs to decrypt the data, according to a company executive. [Source]

UK – Memory Stick With Data on 5,000 Leeds Children Found in Second-Hand Car

Privaate details of thousands of Leeds children were on a computer device found in a second-hand car. The memory stick had been dropped at least a month earlier by a Leeds City Council worker during a taxi trip. Although the employee reported the loss, the council was told there was no sensitive information on the stick. In fact, it contained the names, addresses, dates of birth, ethnicity and phone numbers of an estimated 5,000 children. It also stored information about child protection and whether parents claimed state benefits. Despite strict council rules, none of the confidential details had been encrypted or protected by passwords. The authority has now launched an internal inquiry into the matter. [Source] SEE ALSO: [Cal Poly Pomona apologizes for Internet leak]

US – Florida Agency Accidentally Puts 250K Social Security Numbers on Web

A state agency accidentally put the Social Security numbers of about 250,000 job seekers on the Internet for 19 days in October before another agency noticed the security breach, officials said last week. Data on customers aided by the Agency for Workforce Innovation’s One-Stop Career Centers between January 2002 and November 2007 was placed on a test server, where people searching the Internet might have been able to find it. “We are thoroughly investigating this matter and are making every effort to enhance the security of our computer systems,” said agency director Monesia T. Brown. No one has been disciplined and investigators are trying to determine exactly what happened, said agency spokesman Robby Cunningham. [Source] [Data left exposed for 19 days in Florida’s job-service system] SEE ALSO: [P.E.I. defends putting mortgage information online]

US – MySpace to Gripe about Work

A Pennsylvanian OB/GYN could face penalties for an employee’s comments about patients on her MySpace profile, reports Ars Technica. One of the patients filed a complaint with the Department of Health and Human Services alleging Health Insurance Portability and Accountability Act (HIPAA) privacy violations. The patient claims that, although she was not named in the post, she recognized herself as the subject of certain comments. Under HIPAA’s privacy rules, physicians and other healthcare providers may not share medical information when “there is a reasonable basis to believe the information can be used to identify the individual,” the report states. [Source]

US – Cyberbullying Case May Pose Threat to Online Anonymity

Fabricating an online identity could hold higher stakes going forward if the verdict in a recent cyberbullying case stands, reports the New York Times. A federal jury in Los Angeles last week convicted a woman on three counts of computer fraud for misrepresenting herself on MySpace. Under a false identity, Lori Drew bullied a 13-year-old girl, who killed herself in 2006 after receiving a menacing message. Drew’s lawyers asserted that she had not read MySpace’s terms of service, which require users to be truthful and accurate when registering to use the site. [NY Times] See also: [NY Times: Is lying about one’s identity on the Internet now a crime?] and [MySpace suicide case could chill anonyms Internet speech]

US – Lori Drew Files New Bid for Dismissal on Grounds that MySpace Authorized Access

Lori Drew, the woman convicted of three misdemeanors in the MySpace suicide case, can't be guilty of computer fraud, because gaining access to a computer under false pretenses is still "authorized access" as a matter of law, Drew's attorneys argued in a new bid at clearing their client's name. In a written motion, defense attorneys H. Dean Steward and Orin Kerr cite cases in which courts have concluded that if someone gains permission or access to something through trickery or misrepresentation, it is still considered authorization and does not constitute nonconsent. If, for example, someone tricks another party into willingly handing over the keys to a car, the trickster could not be considered guilty of stealing the car. "Because the owner handed over the keys, giving the defendant permission to use the car, the use of the car was authorized rather than unauthorized for purposes of criminal law," the lawyers write. Drew's defense team previously argued that U.S. District Court Judge George Wu should dismiss the charges because prosecutors failed to prove that Drew "intentionally" violated MySpace's terms of service. Steward filed that request several weeks ago after prosecutors rested their case, and Wu has yet to rule on the motion. The new filing adds an additional reason to dismiss. [Source]

WW – MySpace Launches Connect Feature

Last week, Facebook released its ‘Connect’ feature for letting users network across the Web using their Facebook credentials. Now, MySpace is rolling out its own data portability effort--MySpaceID. PC World reports that, as part of the company’s Open Platform suite, MySpaceID brings the site’s features and functions across the Web, allowing users to find friends and publish their activities to and from other sites. “It’s all built on the idea of providing our users with a way to make their personal identity more portable around the social Web and doing it in a way that emphasizes privacy for the user, said Max Engel, MySpaceID product lead. “It’s about making a user-centric identity platform.” [Source] See also: [Children’s social networking site hit over security flaws] and [How to create a security policy for social networks]

JP – New Japanese Juki Card to Have Encrypted Facial Image

In an effort to stem the increasing number of forged Basic Residents’ Registration Network (Juki Net) cards, the government in April will introduce a new card that contains an encrypted image of the holder’s face. At least 70 Juki Net cards were forged in fiscal 2007, with many reportedly used to open accounts at financial institutions or for signing up for new cell phone contracts. According to the Internal Affairs and Communications Ministry, the integrated circuit chip in the new card will store data used to identify the holder, including their name, address and a picture of their face. [Source]

UK – Madonna Wins Tabloid Privacy Case Over Wedding Photos

Madonna won a judgment Monday against a British tabloid that she accused of breaching her privacy and copyright by publishing pictures of her 2000 wedding. Madonna, who says the pictures were stolen by an interior decorator from her home in Beverly Hills, Calif., is seeking damages in excess of five million pounds from the publishers of the Mail on Sunday newspaper. Judge David Eady entered a judgment in her favour but deferred a decision on compensation until the new year. [Source]

UK – Privacy Law Will Grow, Bar Chief Predicts

The law of privacy is likely to continue expanding, according to the bar’s leader, as the media face escalating claims for damages and tougher restrictions. Speaking after Madonna sought £5m in damages from the Mail on Sunday after it published private photos of her wedding, Desmond Browne QC, the chair of Bar Council, said there was a compelling case that newspapers would not be able to continue “riding roughshod over privacy rights”. “If newspapers are going to intrude on privacy without giving notice, they ought only to do so at peril of being milked for exemplary damages,” Browne said. [Source]

CA – Ontario Privacy Commissioner: First Privacy by Design Challenge

The rapid pace of technological development should be something that everyone concerned about privacy can embrace, rather than fear, says Dr. Ann Cavoukian, Ontario’s Information and Privacy Commissioner. “When you embed privacy-enhancing technologies (PETs) into the architecture of new systems, you protect privacy, without compromising performance or security,” said the Commissioner, “which is why we are organizing and sponsoring a special event - the first Privacy by Design Challenge - on January 28.” Privacy by Design is a term the Commissioner coined in the ‘90s when she began her campaign to enlist the support of technology companies to protect privacy, rather than encroach upon it. The Challenge - co-sponsored by the Toronto Board of Trade and being held on international Data Privacy Day - will feature presentations by nine companies on their latest innovations in privacy-enhancing technologies. Presenters, who will be divided into two panels, include: Intel, IBM, Sun Microsystems Inc., Microsoft Corporation, HP, Facebook, Privacy Analytics Inc., Ontario Lottery and Gaming Corporation and GS1. The event begins with registration and breakfast at 7:30 a.m., January 28, 2009 at the Board of Trade, with the program starting at 8 a.m. More information, including registration details, is available at http://www.privacybydesign.ca. [Press Release]

EU – Sweden Considering Law That Would Identify Illegal Downloaders

Proposed legislation in Sweden would allow music and movie companies to obtain court orders to discover the identities of individuals suspected of downloading digital content in violation of copyright laws. The government said that occasional downloaders of copyrighted material will not be identified to the companies. The proposed law requires parliamentary approval. Several other European countries, including Sweden's neighbors Denmark and Finland, already have similar laws in place. [Source]

WW – Social Networking Picked as Cybercrime Threat

Cybercrime is likely to move into the social networking world, taking advantage of sites such as Facebook and MySpace, says cyber-security guru Peter Gutmann. “I would assume internet crime will migrate to social networking sites in the future,” says Gutmann, who also develops encryption toolkits and researches the usability of security software. Social networking sites are incredibly powerful virus platforms in that they allow developers to write specific applications for them, which spread in a viral manner. If these applications were not on a site such as Facebook, they would be considered incredibly fast-spreading viruses, he says. To date, developers have written social networking applications only experimentally, but Gutmann thinks these platforms will be targeted more heavily in the future. “For some unfathomable reason the bad guys haven’t exploited [social networking sites] yet, and I don’t know why - it is so easy,” he says. [Source] See [Computer hackers selling stolen Facebook accounts to gangs for 89p] and also: [Social-networking sites can be an ID thief’s dream]

WW – Facebook Security Warning Leaves Users Confused

Facebook sent out a security warning to some of its users alerting them that their passwords have been changed due to alleged suspicious activities happening on their accounts. The email appears to be a reaction from the social network due to the newest appearance of Koobface, a worm that preys on the paranoia of users and leverages seemingly trusted redirects to infect its victims. In the email, Facebook tells its users that they need to reset their passwords but only after running their current antivirus protection to make sure they aren’t already infected. In the same breath, however, the Facebook Security Team tells its users never to click on suspicious links - even though its own email is suspect. [Source] and see also [Video: Graph Identification and Privacy in Social Networks (Google Tech Talk)] and also: [Australia okays Facebook for serving lien notice]

US – Maryland Court Weighs Internet Anonymity

In a First Amendment case with implications for everything from neighborhood e-mail lists to national newspapers, an Eastern Shore businessman argued to Maryland’s highest court that the host of an online forum should be forced to reveal the identities of people who posted allegedly defamatory comments. It is the first time the Maryland Court of Appeals has confronted the question of online anonymity, an issue that has surfaced in state and federal courts over the past few years as blogs and other online forums have increasingly become part of the national discourse. [Washington Post]

WW – Microsoft Offers to Reduce Search Data Retention Times

In a letter to the Article 29 Working Party, Microsoft said it will reduce the length of time it retains users’ search records if Yahoo and Google agree to do the same, reports the New York Times. The Working Party has recommended that Internet companies destroy their search engine logs after six months. Microsoft currently retains MSNLive Search data for 18 months, while Yahoo and Google retain search data for 13 and nine months, respectively. The three companies are expected to make presentations before the Working Party in February. In separate statements, Google and Yahoo said they would not change their retention policies at this time. [NY Times] [EMEA Press Release]

WW –Yahoo! Sets New Privacy Standard with 90-Day Data Retention Policy

Yahoo! announced a new global data retention policy that sets an industry-leading approach to user data privacy. This new policy strengthens Yahoo!’s relationship of trust with its 500 million users world-wide and enhances its longtime leadership on privacy. Under the new policy, Yahoo! will anonymize user log data within 90 days with limited exceptions for fraud, security and legal obligations. Yahoo! will also expand the policy to apply not only to search log data but also page views, page clicks, ad views and ad clicks. “In our world of customized online services, responsible use of data is critical to establishing and maintaining user trust,” said Anne Toth, Yahoo!’s Vice President of Policy and Head of Privacy. “We know that our users expect relevant and compelling content and advertising when they visit Yahoo!, but they also want assurances that we are focused on protecting their privacy.” [Source]

US – Border Laptop Searches Raise Concern

The AP reports on privacy issues surrounding border laptop searches. Given all the personal details that people store on digital devices, border searches of laptops and other gadgets can give law enforcement officials far more revealing pictures of travelers than suitcase inspections might yield. That has set off alarms among civil liberties groups and travelers’ advocates — and now among some members of Congress who hope to impose restrictions on the practice next year. [SiliconValley.com]

EU – Swedish Sex Offender Website Under Investigation

Swedish authorities are investigating a website for possible violations of the country’s privacy laws after it published the names, personal identity numbers, addresses -- and in some cases pictures -- of several sex offenders. The site, sexoffender.nu, was launched several months ago and has since served as a sort of web-based sex offender registry. Anyone visiting the site can access personal information about those convicted of sex crimes in Sweden, as well as find copies of court rulings and maps showing where the sex offenders currently live. The Data Inspection Board (Datainspektionen), an agency charged with safeguarding Sweden’s privacy laws, has received ten complaints about the site, prompting it to launch an investigation, reports the Svenska Dagbladet (SvD) newspaper. “Those who have contacted us are mostly relatives of the people who’ve been exposed. There is now a supervisory order against the site; we’re going to analyze the publication and see if it violates the personal information law,” said the inspection board’s Jonas Agnvall to SvD. [Source]

NZ – Google ‘Proactive’ with Street View Privacy Fears

The New Zealand version of Google’s StreetView feature launched earlier this week, prompting a number of enquiries to the Privacy Commissioner’s office. StreetView gives viewers a 360 degree, street-level look at cities and towns. “Most people contacting us have raised concerns or expressed their unease about the Web site,” said Commissioner Marie Shroff. Google worked with the commissioner’s office prior to launch to discuss privacy considerations, and Ms Shroff said she has “been encouraged by Google’s proactive approach to protecting privacy, through face blurring and the image removal process.” [Source]

CA – Supreme Court of Canada Set to Consider Privacy Rights

When Ontario Provincial Police Constable Brian Bertoncello spotted a rented SUV being driven sedately along a Northern Ontario highway at precisely the speed limit on Oct. 24, 2004, it immediately set off his internal radar. Switching on his flashing lights, Constable Bertoncello brought the vehicle to a stop. “It’s very rare that you get somebody driving directly on the speed limit,” he explained later. The officer’s suspicions grew as he questioned the nervous-looking occupants of the vehicle. Constable Bertoncello proceeded to rip open two boxes in a storage compartment at the back of the SUV - uncovering 35 kilograms of cocaine, and launching a major Charter of Rights case that will reach the Supreme Court of Canada. Police and criminal lawyers are watching the case intently, as the court will decide whether the immensity of the drug seizure justified it being admitted as evidence at the trial - notwithstanding the damage to his privacy rights. “Rights are not free,” lawyers Frank Addario and Jonathan Dawe argue in a brief to the court on behalf of the Canadian Civil Liberties Association. “The police would catch more criminals if they did not have to obey the law and respect the Charter. “It is one of the inevitable consequences of entrenching rights in the Constitution and taking them seriously that some criminals will escape justice who might otherwise be caught and punished,” they said. All parties are agreed on one point: Constable Bertoncello’s impetuous conduct was irresponsible. But Judge Karam refused to exclude the evidence, concluding that the breach of Mr. Harrison’s rights “paled” in comparison to his criminal conduct. [Source]

HK – UN Urges Hong Kong Prisons to End Body-Cavity Searches

A United Nations human rights body has urged the Hong Kong government to end routine body cavity searches of prisoners, saying the practice is only permissible as a last resort. In its latest report, the UN Committee against Torture expresses concern at what has become a routine practice, saying Hong Kong prison rules only provide for such possibility. The call to allow prisoners some dignity came at the committee’s 41st session held from November 3 to 21 in Geneva to examine reports by China, Hong Kong, Macau and others on the implementation of the Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment. The committee urged the Hong Kong government to “seek alternative methods to body cavity searches for the routine screening of prisoners; if such a search has to be conducted, it must be only as a last resort and should be performed by trained health personnel with due regard for the individual’s privacy and dignity.” [Source]

EU – Microsoft Offers to Reduce Search Data in Europe

Microsoft has offered to abide by a European privacy panel’s request that it reduce the length of time it kept records of Web searches if its rivals, Yahoo and Google, did the same. Google and Yahoo, in separate statements, said that for now they were unwilling to change their policies. Microsoft said it made the offer in a letter to the Article 29 Working Party, a European Commission advisory panel made up of data protection commissioners from each of its 27 member countries. In April, the panel recommended that search engines keep search records no longer than six months before making the data untraceable. Microsoft’s MSN Live Search currently retains search data for 18 months. Yahoo keeps data for 13 months and Google for 9 months. The advisory panel members are postponing a decision on whether to take any action against the companies until at least February, when the companies are to make presentations before the panel. John Vassallo, a lawyer for Microsoft, said Microsoft was not willing to act alone because doing so would create a commercial disadvantage. [Source] [Source]

US – U.S. Sues Sony Music over Children’s Online Privacy

Sony BMG, which is changing its name to Sony Music Entertainment, was sued on Wednesday by the U.S. government, which accused the music company of violating federal rules aimed at protecting the online privacy of children. The music company improperly accepted registrations on its music websites from users who were under 13, without obtaining consent from their parents, according to the lawsuit filed in U.S. District Court in Manhattan. The civil suit, which seeks unspecified monetary penalties, said Sony Music was in violation of the Children’s Online Privacy Protection Rule, which is enforced by the Federal Trade Commission. The case was brought by the U.S. Attorney’s Office in Manhattan. A Sony BMG executive told Reuters that the litigation is in the process of being resolved, with the company agreeing to pay a fine of $1 million, to put in place a screening process that complies with the FTC rules and hire a Web compliance officer to monitor the issue. [Reuters] [Sony Dinged $1 Million for Child-Privacy Breach]

CA – Young Canadians Care about Facebook Privacy

Young people worry more about their online privacy than their reputation suggests, new Canadian research reveals -- but Facebook’s peculiar social scene and the desire to be popular often lures them to share more than they would elsewhere. “There is this popular perception out there that young adults don’t care about their privacy on Facebook and are comfortable sharing all types of information, and what we found is that they were actually concerned and they did care about their privacy settings,” says Amy Muise, a PhD student in the University of Guelph’s psychology department. “But this wasn’t related to how much information they ended up disclosing.” Over three-quarters (76%) of the undergrads surveyed agreed that it’s important to control who sees their online info, but they’re also significantly more likely to reveal personal information on Facebook than in other contexts. The study will be published in an upcoming issue of the journal CyberPsychology and Behavior. [Source]

WW – Paper: The Relationship Between Social Presence & Online Privacy

ABSTRACT: Online privacy may critically impact social presence in an online learning environment. This study examined how online privacy affects social presence in online learning environments and whether e-mail, bulletin board, and real-time discussion affect online privacy. Mixed methods were used to examine the relationship between social presence and privacy. The participants rated computer-mediated communication (CMC) with a high degree of social presence, but the quantitative correlation between social presence and privacy failed to reach significance. Participants shared personal information on CMC knowing that it was risky because the medium lacked security despite the perceived high levels of social presence. This contradictional phenomenon can be explained as “risk-taking” behavior. Among three CMC systems, e-mail was ranked as the most private and followed by one-to-one real-time discussion, then many-to-many real-time discussion. Bulletin board was considered to afford the least privacy. The Internet and Higher Education , Vol. 5, No. 4. , pp. 293-318. [Source]

WW – Private Browsing Beta Released

Mozilla has released a privacy-enhanced version of its Firefox browser. Firefox 3.1 Beta 2 includes the recently added “Private Browsing” feature, which lets users surf without leaving traces of their online activities. Private Browsing also includes an embellished version of the “Clear Recent History” function. Users may now erase their browsing histories in various time increments. Microsoft and Google added browser features to enhance users’ online privacy earlier this year. [Source] [Review]

EU – Investment in Online Safety

The E.U. will spend 55 million euros on boosting children’s online safety over the next five years. “We need to make sure that whenever [children] use online or mobile services, they can recognize potential risks and deal with them,” said EU telecoms commissioner Viviane Reding. The money will fund projects designed to raise awareness about the risks of being online. Seventy-five percent of children in the EU have Internet access. [Source]

CR – Is Filming Someone in the Street a Breach of Privacy?

A 40-year-old woman is suing a Croatian TV station after it filmed her in public and then featured her in a documentary about obesity. Gordana Knezic was shopping in Zagreb and did not know that she was being filmed. “I was absolutely staggered when I turned on the TV to see myself in a film about fat people,” said Knezic, who is suing TV station HTV for £10,000. “I want to show that attacks on human dignity like this cannot be tolerated,” she said. [Source]

US – Education Department Reworks Privacy Regulations

The U.S. Department of Education will publish new regulations that will clarify when universities may release confidential information about a student and reassure school officials that the government will not second-guess their decisions to share information about students who may be at risk of harming themselves or others. The move was prompted in large part by the April 2007 massacre at Virginia Tech. The new regulations represent the most comprehensive reworking of the Family Educational Rights and Privacy Act (FERPA), the federal law enacted in 1974 to protect students’ privacy, in two decades. “What we are attempting to do is to strike a balance on the privacy-safety issue and reassure schools that safety is paramount when it comes to educational institutions.” FERPA has long allowed colleges to share information about a student if there is a “health or safety” emergency, but had stipulated that the definition of such an emergency must be strictly construed. The new regulations strip away this condition that the definition of the emergency must be narrow and emphasize that schools may use this health-or-safety exception as long as there is an “articulable” and significant threat to the student or other individuals. The regulations also specifically state that parents are among the appropriate parties who may be called in case of a health-or-safety emergency. Under the new regulations, an articulated threat by a student against himself or others is covered by the health-or-safety emergency exception. The new regulations are being published about nine months after the Department of Education posted a notice of proposed rulemaking, outlining its intention to tweak the law and soliciting public comments. The department received more than 400 specific comments, from schools, individuals, and state and educational associations. Many, he says, expressed the need for more clarity of the health-or-safety exception. The new regulations will also tweak other parts of Ferpa, including areas dealing with electronic records, students’ Social Security numbers, and outside contractors hired by educational institutions who are given access to student records to perform services for the institution. In addition, they will address the circumstances under which schools may give researchers access to aggregated student records. The regulations will take effect in 30 days. [Source]

US – DHS Creates Privacy Principles for Scientific Research

DHS in a data mining report sent to Congress laid out a set of principles for implementing privacy protections in its science and technology research. The DHS privacy office worked with the department’s directorate of science and technology to develop principles that could be applied to research and development projects involving data mining, to ensure they further the department’s mission while protecting privacy. Some of the principles the department will now use include:

§ Properly assessing the privacy effect of new programs.

§ Clearly stating & documenting a project’s purpose through an internal/external project review process.

§ Trying to only use personally identifiable information that is reasonably considered accurate and appropriate for its documented purpose and attempting to use as little of that data as possible.

§ Developing and administering a redress program.

§ Providing training. [CNET] [FCW Coverage] AND SEE ALSO: [Data Mining For DoD Health: O’Harrow, Washington Post]

US – Homeland Security Privacy Enhancements

The Department of Homeland Security’s Science and Technology Directorate will employ new privacy protection principles when conducting research. The department announced the new standards in its 2008 report on data-mining activities. The department will now conduct privacy impact assessments on new programs and will use as little personally identifiable information as possible. The DHS will also implement a redress program, among other privacy-enhancing initiatives. According to the report, the principles attempt to “preclude the possibility that research projects could have a negative impact on privacy.” [Source]

US – Board: DHS Computer System Doesn’t Guarantee Privacy

The Homeland Security Department’s privacy policy for its Einstein intrusion-detection system that monitors government computer network gateways does not safeguard the privacy of information collected from visitors to federal Web sites, according to a federal advisory board. DHS’ Privacy Impact Assessment for Einstein suggests that visitors to federal Web sites have no expectation of privacy in the “to/from” address of their messages or in the Internet Protocol addresses of the sites they visit, Ari Schwartz, CDT VP, wrote the White House in a recent letter. Schwartz, wrote the undated letter on behalf of the federal Information Security and Privacy Advisory Board, which operates under the National Institute of Standards and Technology. “We urge OMB to recommend that DHS clarify the above language in the privacy impact assessment to explain that any privacy interest in IP address and other header information is being adequately addressed by DHS through fair information practices, considering the significant law enforcement and national security interest in use of this information by Einstein2,” Schwartz wrote. Schwartz also suggested that federal agency executives draft other documents that would be attached to the DHS privacy assessment, discussing how each agency works with DHS and how each agency handles personally identifiable information. Einstein and the Comprehensive National Cybersecurity Initiative ought to have greater clarity and transparency to allow better oversight of privacy and security law and policy, Schwartz wrote in the letter that became public Dec. 4. [FCW]

US – Building Privacy Policies in Large Organizations a Challenge: HP Study

Building a privacy policy in a large organization would be easy – if there weren’t so many people involved, according to a new study on developing privacy policies by Hewlett-Packard. The study documents the group dynamics involved in creating a corporate privacy policy and how tensions between the various stakeholders can make consensus difficult. “This diversity leads to many tensions” because different members of an organization have different ideas on how a privacy policy can serve the organization. The chief privacy officer (CPO) in most organizations is tasked with looking out for the welfare of customers and ordinary citizens. When it comes to collecting personal data, the CPO’s inclination is to collect as little data as possible. “On the other hand,” the paper says, “marketing organizations like to collect and store as much [customer and prospect data] as possible – and furthermore, [use the information for different purposes] when new marketing and sales campaigns are considered.” [Source]

US – Abrams Receives Privacy Vanguard Award

Martin Abrams received the 2008 Privacy Vanguard Award at a reception in Washington, DC. Abrams is executive director of the Centre for Information Policy Leadership. The award, granted annually by the International Association of Privacy Professionals (IAPP) recognizes excellence in privacy and data protection knowledge and initiatives. Abrams was selected for his major contributions to global privacy policy matters. [Source]

US – Results of Annual Most Trusted Companies for Privacy Survey Announced

Privacy and information security research company Ponemon Institute along with TRUSTe have announced the results of the Ponemon Institute’s 5^th annual survey of Most Trusted Companies for Privacy. The study asked 6,486 U.S. consumers which companies they thought were most trustworthy and which did the best job safeguarding personal information. A total of 706 companies were named by consumers; 211 made the final list of most trusted companies. American Express ranked as the Most Trusted Company for 2008 for Privacy, retaining its place from last year despite the current financial climate. eBay earned a ranking as the second most trusted company, while IBM, Amazon, and Johnson & Johnson rounded out the top five. While the financial services sector slipped amid industry-wide woes, the technology sector showed marked improvement as eBay, Apple, Yahoo!, Microsoft, and HP all bettered previous rankings. Also of note, Facebook moved into the top 20 for the first time, signifying an increased trust in social networking as a mainstream communications tool. [Source] [Coverage] [Coverage: Google off list of 20 most trusted companies]

US – No Campaign in History Compiled More Information on its Supporters

No campaign in history has ever compiled and stored more information on its supporters than the Obama campaign did. For years, Republicans have been able to compile far more information about their potential supporters than Democrats could. The GOP’s “Voter Vault” database was so panoptic that some people joked it knew what kind of pizza each voter preferred. This year, however, all that changed: Barack Obama deployed a campaign database that made the GOP’s data-gathering efforts look like the work of amateurs… [New Republic] See also: [Obama administration to inherit a real mess on Real ID] and [NY Times: Professor Strahilevitz & the case for Zero privacy: Less Privacy Means Less Discrimination]

CA – ID Theft Feared with New B.C. Driver’s Licences

Security experts say they have managed to “steal” personal data from passports embedded with RFID tags, the same technology embedded in some B.C. driver’s licences for the purpose of speeding up border crossings. And Canada’s privacy commissioner Jennifer Stoddart says she fears the cards may leave people vulnerable to similar breaches of privacy, which could allow your personal data to fall into the wrong hands. Stoddart said in a recent interview: “My office is involved in doing privacy impact assessments of [enhanced licences]. We remain concerned about the security around the distance-reading capacity. [Source]

UK – Dementia Patients Get RFID Buttons

Five facilities in Nottingham, England, are sewing RFID- enabled buttons to clothing of dementia patients as a discreet way of making sure garments don't get mixed up. [Source]

US – U.S. Losing Global Cyberwar, Says Commission

The U.S. faces a cybersecurity threat of such magnitude that the next President should move quickly to create a Center for Cybersecurity Operations and appoint a special White House advisor to oversee it. Those are among the recommendations in a 44-page report by the U.S. Commission on Cybersecurity. The bipartisan panel includes executives, high-ranking military officers and intelligence officials, leading specialists in computer security, and two members of Congress. To compile the report, which is entitled “Securing Cyberspace in the 44th Presidency,” commission members say they reviewed tens of thousands of pages of undisclosed documentation, visited forensics labs and the National Security Agency, and were briefed in closed-door sessions by top officials from Pentagon, CIA, and British spy agency MI5. From their research, they concluded that the U.S. badly needs a comprehensive cybersecurity policy to replace an outdated checklist of security requirements for government agencies under the existing Federal Information Security Management Act. The report calls for the creation of a Center for Cybersecurity Operations that would act as a new regulator of computer security in both the public and private sector. Active policing of government and corporate networks would include new rules and a “red team” to test computers for vulnerabilities now being exploited with increasing sophistication and frequency by identity and credit card thieves, bank fraudsters, crime rings, and electronic spies. [Source]

US – Report Urges Obama to Bolster Cybersecurity

A pioneering bipartisan report calls on the incoming Obama administration to set up a high-level office to coordinate the defense of the nation’s computer systems from cyber-attacks by rival nations, industrial spies and criminal syndicates. A yearlong investigation found many potential targets, including such sensitive Houston installations as the port, airports, petrochemical complexes, financial institutions and even NASA’s Johnson Space Center, said U.S. Rep. Michael McCaul, R-Austin, a co-chairman of the group that issued the report. The group began the investigation after the computers at the Pentagon, NASA and the departments of State, Commerce and Homeland Security were breached in 2007. “America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration,” said McCaul, whose district stretches from suburban Houston to Austin. “It is a battle that we are losing.” [Source]

WW – Report: Cybercrime is Winning the Battle Over Cyberlaw

Law enforcement agencies worldwide are losing the battle against cyber crime at a time when criminals are increasingly using the global economic downturn to make headway in recruiting more computers and computer users to further illegal online activities, a scathing new report from security vendor McAfee concludes. McAfee’s annual “Virtual Criminology Report“ notes that the number of compromised PCs used for blasting out spam and facilitating a host of online scams has quadrupled in the last quarter of 2008 alone, creating armies of spam “zombies” capable of flooding the Internet with more than 100 billion spam messages daily. [Source] See also: [NYT: Thieves Winning Online War, Maybe in Your PC]

WW – Survey Finds Database Security Lacking

A survey claims IT decision makers are fooling themselves that their organisation’s sensitive data is secure. Nearly 84% of 179 IT decision makers in large (1,000 employees or more), global enterprises believe that all or most of their confidential data is protected. But the database security controls research report produced by database security vendor Application Security, in conjunction with analyst firm Enterprise Strategy Group, said this perception around data security was disconnected from reality. This is because the same respondents noted they failed major enterprise-wide and industry specific security audits more than 33% of the time, including those to become compliant with the likes of Sarbanes Oxley (SOX), Basel II and Payment Card Industry Data Security Standards (PCI DSS). The research found that over 60% of those surveyed admitted they had suffered at least one data breach in the past 12 months already. “The survey proves that it’s not just about technology, but about taking pre-emptive action and making sure companies have the right people, policies and processes in place too.” [Source] [Source] See also: [Web who's who botches secure sockets layer]

WW – IBM Introduces Cybercrime Security Services

Describing rising cybercrime activity, corporate budget cutting, and lingering legacy security systems as a “perfect storm of security threats,” IBM has waded into the identity and access management market to broaden its managed security offering for businesses. In addition to promising new identity and access management services, IBM said it is launching a formal program that will allow partners to resell managed security services. It’s also offering a free savings assessment that compares an organization’s existing security infrastructure management costs to projected costs under IBM’s managed security service. Jason Hilling, management and services strategy executive for IBM Internet security systems, said the company has been considering moving into the identity and access management space for a while, but was prompted to accelerate its plans by a surge in security incidents among its 3,700 corporate clients [Source] [IBM Bolsters Security Services] [Report on Canadian Airports Reveals ‘Shameful’ Security]

US – Banks Need to Take Risk-Based Approach to Data Management

Banks need to approach their data privacy and security from a risk point of view, according to experts with New York-based Deloitte. The firm held a webcast that discussed how financial institutions can transform themselves from being compliance-driven organizations to risk-driven organizations, two models that are distinct, Edward Powers, a principal with the firm’s security and privacy practice, said. Powers suggested they become “risk-intelligent enterprises.” What this means is that rather than allowing factors like budgets, laws and regulations, and stakeholders to push the organization to simply meet the minimum requirements by law, a risk-intelligent enterprise takes a more proactive approach to managing security needs. Data becomes the focal point of this model. “A compliance-based approach to data management creates gaps, redundancies and inefficiencies,” Powers explained to attendees. “This may reflect the current regulatory environment but not your organization’s current posture. You end up reinventing the wheel and building redundancies.” He said that for a bank to become a risk-intelligent enterprise, it must incorporate three attributes: 1. Asset inventories and the need to understand the data, along with the data flows. 2. Creating a risk catalogue with a common risk language that takes into account legal requirements, and internal and external standards and policies. 3. Becoming serious about third-party oversight so that the bank’s service providers are held to the same standards of data security as the bank. “A risk-intelligent enterprise is communications-centric. The organization has a common reporting language,” Powers remarked. “It is intended to align the business requirements, compliance requirements and vulnerability management to eliminate overlap and create an efficient risk management environment.” “Data is an asset,” added Richard Baich, also a principal with Deloitte. “It’s the most central asset, besides people, that the financial services industry values. You have to understand data is not just owned by IT or the data warehouse.” [Source] Se also: Nymity Interview with Sandra Smith-Frampton: Privacy Metrics for Measuring Compliance]

UK – ID Cards: ‘Expensive and Intrusive’ and Should be Ditched, says SNP

SNP Westminster Home Affairs Spokesman, Pete Wishart MP, has expressed concern over reports that immigration and citizenship proposals in the Queen’s Speech contain clauses which will give state officials the power, previously reserved for times of war, to demand proof of identity at any time. Currently, state officials can only ask for proof of identity if there is reasonable suspicion that an individual has committed a crime but according to analysis by Liberty , only those who have never been abroad for business or on holiday would be exempt under the new legislation. Mr Wishart said: “This looks like another slippery attempt by the UK Government to introduce ID cards by the back door. “Labour’s abysmal record on data protection is reason enough to abandon ID cards but it is even more absurd pushing ahead with this costly project given the dire state of the UK Government’s finances. [Source]

US – Judge Hears Case Challenging Constitutionality of FISA Amendments Act

A District Court Judge in California has heard arguments in a case regarding the constitutionality of the FISA (Foreign Intelligence Surveillance Act) Amendments Act (FAA), which was passed last July. The Electronic Frontier Foundation (EFF) argued that the recently amended FISA violates Americans' First and Fourth Amendment rights as well as the constitutionally established separation of powers of the federal government. The point of focus is that the FAA gives telecommunications companies that cooperated with US government requests for wiretaps after the 2001 terrorist attacks retroactive immunity from prosecution. Lawyers for the US Department of Justice argued that the information that such prosecutions would expose needs to remain secret to ensure national security. Judge Vaughn Walker did not say when he expects to rule on the case. [Source]

UK – Ex-MI5 Chief ‘Astonished’ at How Many Organisations Use Anti-Terror Law

The Regulation of Investigatory Powers Act (RIPA) was passed in 2000 to regulate the way that public bodies such as the police and the security services carry out surveillance. Originally only a handful of authorities were able to use RIPA but its scope has been expanded enormously and now there are at least 792 organisations using it, including hundreds of local councils. This has generated dozens of complaints about anti-terrorism legislation being used to spy on, for example, a nursery suspected of selling pot plants unlawfully, a family suspected of lying about living in a school catchment area, and paperboys suspected of not having the right paperwork. Now those campaigning against the abuse of RIPA have got a new ally – Lady Manningham-Buller, the former head of MI5. In a speech in the House of Lords yesterday, she said she was “astonished” when she found out how many organisations were getting access to RIPA powers. “When RIPA was introduced … I assumed wrongly that the activities authorised by that legislation would be confined to the intelligence and security agencies, the police, and Customs and Excise. The legislation was drafted at the urgent request of the intelligence and security community so that its techniques would be compatible with the Human Rights Act when it came into force in 2000. I can remember being astonished to read that organisations such as the Milk Marketing Board, and whatever the equivalent is for eggs, would have access to some of the techniques. On the principle governing the use of intrusive techniques which invade people’s privacy, there should be clarity in the law as to what is permitted and they should be used only in cases where the threat justified them and their use was proportionate.” Apparently she also raised a laugh when she told peers how to pronounce the acronym for the act. “Those of us in the intelligence community call it ‘Ripper’, as in ‘Jack the’, and not ‘Reaper’, as in ‘the Grim’,” she said. [Source]

US – Massachusetts Brookline Residents Resist Public Surveillance Cams

Even as eight other cities and towns across Greater Boston prepare to more than double, to 183, the number of security cameras monitoring their streets, Brookline is threatening to reject the cameras, as town officials confront a brewing rebellion of residents decrying the rise of a “surveillance society.” [Source] [N.Carolina: Durham’s surveillance camera system barely functions] and also Commentary: [Law Enforcement Looks to Video Surveillance Networks]

EU – EU Parliament Body Scanners Offer ‘Virtual Strip Search’

The European Parliament has eight scanners “on stock” that can expose body parts if put in use, a parliament spokeswoman has confirmed. MEPs recently opposed an attempt by the European Commission to allow airports to use this type of scanner, already in place in British, Dutch, Swiss, US and Australian airports. The decision to acquire eight full-body scanners was taken by the European Parliament’s administrative body in 2002, following the al-Qaeda attacks of 11 September 2001, as a measure to protect MEPs and visitors. A resolution passed in the parliament at the end of October opposed the daily use of such machines in EU airports. [Source]

US – T-Mobile and AT&T Will No Longer Advertise Their Voice Mail Systems as Secure

T-Mobile and AT&T have agreed to permanent injunctions in a Los Angeles court that prohibit them from claiming that their voice-mail systems are protected from sabotage. The Los Angeles District Attorney's Office says the two mobile service providers advertised that their systems were secure when they were not. An investigation revealed that their voice mail could be easily broken into changed or deleted. [Source]

AU – Businesses say Unions Will Exploit Access to Employee Records

Australian business groups have warned that unions will exploit new access to employee records to pressure non-unionists to join unions and force up the pay rates of workers. The Australian Industry Group said the provisions of Labor’s Fair Work bill allowing union officials to inspect the payroll records of employees – including non-unionists – where there was a suspected contravention amounted to an “unwarranted extension of union rights”. In workplaces where unions have members, unions will be able to inspect records when they suspect there has been a breach of wages and conditions, national employment standards or an industrial agreement. Copying or use of employee records for another purpose will be prohibited by the Privacy Act. [Source]

CA – Ontario Brings In Child Pornography Reporting Requirement

It’s all too common for employers to find child pornography on their computer systems. In Ontario, until now, deciding whether or not to report it to the authorities was difficult. It was important to pay heed to the potential for obstruction of justice charges in some circumstances, but for the most part the decision to report was an employer’s to make based on practical and ethical considerations. This has changed with the December 4th passage of Bill 27, the Child Pornography Reporting Act, 2008. Bill 27 will amend the Child and Family Services Act on a date to be named. The CFSA has long-featured a duty to report a child in need of protection to a children’s aid society. The amendment will mean that any child who is exploited by child pornography will, in most circumstances, be deemed to be in need of protection. The amendment also creates a new duty to report what a person reasonably believes “is” or “might be” child pornography to an entity that will be designated later by regulation. The duty applies to all persons, not just those owning or operating computer systems (such as employers) and those providing risk-related services (such as ISPs and photograph developers). A failure to report will be punishable by fine of not more than $50,000 and/or imprisonment of up to two years. [Source]

WW – Taking GPS Tracking From Big Brother to Guardian Angel

According to a recent study of business managers commissioned by TeleNav,Inc., 48% of businesses with mobile workers have no way of knowing where those employees are located at any given moment. In addition to raising accountability issues, this also makes responding to distressed workers virtually impossible. GPS-based tracking services, such as TeleNav Track™, allow managers to keep tabs on the current locations of employees. Some solutions even have distress alert functions for mobile workers to warn dispatchers if they are in trouble and need help. In fact, TeleNav found that 56% of workers would feel safer working at a remote location if they knew there was an alert system in place. For employees and managers with ‘Big Brother’ privacy concerns about GPStracking, communication is key. While 57% of respondents disliked the idea of their company tracking them or their vehicle’s whereabouts, more than half indicated they would feel more comfortable with a tracking system if they knew it was implemented because of safety concerns. [Source]

+++