Biometrics

US – FBI Launches $1 Billion Project to Build World’s Largest Biometric Database

The FBI is poised to award a 10-year contract to build the world’s largest biometrics computer database. The Washington Post reported recently that the agency already has started collecting digital images of faces, fingerprints and palm patterns. The FBI also will store the fingerprints of employees at an employer’s request. [Source] See also: [DHS Fingerprint Scanning at Airports Treats Tourists Like Criminals] and [DHS puts cybersecurity toward top of 2008 to-do list]

Canada

CA – Canada, Greece and Romania Have Best Privacy Records, Global Report Says

Individual privacy is best protected in Canada but is under threat in the U.S. and the E.U. as governments introduce sweeping surveillance and information-gathering measures in the name of security and border control, an international rights group said in a report released last week. Canada, Greece and Romania had the best privacy records of 47 countries surveyed by London-based watchdog Privacy International. Malaysia, Russia and China were ranked worst. Both Britain and the U.S. fell into the lowest-performing group of “endemic surveillance societies.” The report said the trends “have been fuelled by the emergence of a profitable surveillance industry dominated by global IT companies and the creation of numerous international treaties that frequently operate outside judicial or democratic processes.” The survey considers a range of factors including legal protection of privacy, enforcement, data sharing, the use of biometrics and prevalence of CCTV cameras. [Source] [PI’s 2007 International Privacy Ranking]

CA – Alberta Privacy Commissioner Slams Ticketmaster Over Marketing

Canadians buying tickets through Ticketmaster will no longer have to divulge their e-mail address after the company was scolded for collecting the personal information by Alberta’s privacy commission. The commission found Ticketmaster was unreasonably collecting personal information from customers so entertainment and sports event organizers could use the data for marketing. [Source]

E-Government

US – Gov’t Info & Services Must be More Accessible, Transparent, Interactive: Lieberman

Homeland Security and Governmental Affairs Committee Chairman Senator Joe Lieberman has called on the federal government to learn from technological innovations used by the private sector to improve the delivery of government information and services. At a hearing titled “E-Government 2.0: Improving Innovation, Collaboration and Access,” leading public- and private-sector witnesses discussed the challenges of making federal government information more accessible, transparent, and interactive. At the heart of the discussion was the E-Government Authorization Act of 2007, S. 2321, which would extend for five years legislation Lieberman originally authored in 2002 to improve the federal government’s presence on the Internet. The Act of 2007, introduced by Lieberman, passed the Committee on November 14, 2007, and is awaiting a Senate vote. It would increase government accessibility and transparency by, among other things, requiring the OMB to work with federal agencies to make sure their information and services can be found by search engines. [Source] [E-Government 2.0: Improving Innovation, Collaboration, and Access] [Video webcast] See also [Wiki-Government: How open-source technology can make government decision-making more expert and more democratic]

US – Government Records Routinely Contain SSNs

The Washington Post reports that Social Security numbers are readily available in government databases, Web sites and in files, including public records in courthouses. There is little uniformity among states about the protection of sensitive personal data. Some states have passed laws to better protect SSNs. Since 2001, the federal courts have prohibited the display of SSNs on public records. However, millions of paper records filed before that time contain the information, and court clerks acknowledge that it would be difficult, if not impossible, to redact all the SSNs from those records. The reporter also easily found the SSNs of high-profile public figures. [Source].

US – Ohio Sec. of State Calls for Replacing eVoting Machines

In response to a report she commissioned, Ohio Secretary of State Jennifer Brunner has called for replacing all voting machines in the state. According to the report, all five systems used in Ohio contain critical flaws that could be exploited to alter election results. Brunner wants the state to replace the problematic machines with optical scan machines. People gathering information for the study were able to pick locks and gain access to memory cards, use portable storage devices to insert phony votes into machines and in some cases, install malicious software on the machines. Brunner wants the new machines to be ready for use in the November 2008 presidential election. [Source] [Source]

Electronic Records

AU – Nonprofit Company Expands Effort to Launch Digital Medical Records

The National E-Health Transition Authority, a non-profit company, has been exploring the launch of e-medical records for the past 2½ years. However, an independent review of the company’s efforts determined that the health and IT professionals did not consult broadly enough about its plans. The company is now engaged in a concerted effort to consult more closely with the medical profession and other potential users of electronic health records. The company has signed a contract with Medicare Australia to design and build “special identification markers for consumers and healthcare providers,” according to the article. [Source]

Encryption

CA – Ontario Health Ministry Implements Tumbleweed to Secure Transfer of Patient Data

Tumbleweed Communications, a managed file transfer and content security firm, has announced that the Ontario Ministry of Health and Long Term Care has selected Tumbleweed’s SecureTransport to ensure the secure transfer of electronic medical records and to eliminate the risk of accidental loss of personal health data. With SecureTransport in place, the Ontario Ministry of Health expects to have granular control over the security and management of data transfers while having mitigated the vulnerabilities associated with previous approaches like basic FTP or courier services. SecureTransport may also reduce service desk calls related to file transfer, freeing up staff previously charged with overseeing and analyzing data transfers and sending tapes to focus on much more strategic projects. Moreover, SecureTransport is expected to pay for itself in a year in courier savings alone. [Source]

EU Developments

EU – Germany Okays Sharing of Flight Passenger Data with US Secret Service

Germany’s upper chamber, the Bundesrat, has approved a measure under which German authorities could pass data of flight passengers to US intelligence agencies. As part of the controversial legislation, US officials are authorized to record personal data of air passengers for 15 years. Germany’s lower house, the Bundestag, gave green light to the bill last month. German privacy advocates have repeatedly criticized the recording and passing of personal information, saying it would violate the privacy rights of people. [Source]

EU – EU Wants Examination of Privacy in Google-DoubleClick Deal

In an unusual move, European lawmakers will press fiercely independent antitrust regulators next month to look at data privacy issues surrounding Google’s takeover of online ad tracker DoubleClick. The $3.1 billion deal has already spurred rivals and consumer advocates to complain about the control they say it would give Google, the world’s largest search engine, over Internet advertising and personal information.

[Source] [EU group says Google-DoubleClick deal will harm privacy] [EU Lawmakers to Hold Hearing Next Month on Google-DoubleClick Deal] See also: [Google-Doubleclick Merger Opponents Threaten Legal Action] See also: [Google replies to lawmaker’s concerns on privacy]

Facts & Stats

WW – Breach Disclosure Laws Shed Light on Inventory of Lost Records in 2007

Two organizations, Attrition.org and the Identity Theft Resource Center, have tracked the number of lost records in 2007. While it is unclear exactly how many records were compromised in security breaches, the tallies of both groups indicate that 2007 was a record year for the number of lost records. Attrition.org found that third parties reported more than 163 million records lost or stolen last year. The Identity Theft Resource Center estimated that security breaches were responsible for more than 127 million compromised records. [Source] [Security hall of shame lists winners for 2007]

Filtering

US – University Ban on Videotaping Without Permission is Unconstitutional: ACLU

In a letter sent to Central Michigan University (CMU), the ACLU urged its president to recognize the right of individuals to videotape public figures in public places on the campus. Since August, Dennis Lennox, a junior at CMU, has periodically videotaped Gary Peters, a Democratic congressional candidate and CMU professor while on campus. In October 2007 University officials gave Lennox a letter barring him from videotaping anyone on campus without expressed permission. The ACLU of Michigan is asking CMU to lift this restriction because it violates Lennox’s First Amendment right to engage in political advocacy. [Source] [Letter]

FOI

US – Open Government Act Sent to President

The Open Government Act, intended to strengthen the Freedom of Information Act (FOIA), has been passed by Congress and sent to the President. The Act should increase agency responsiveness to FOIA requests, impose deadlines on agencies, and ensure agencies keep FOIA requesters up to date on the status of their requests. The bill is intended to improve the accountability of executive branch agencies and improve government transparency. Source: [Ari Schwartz’s testimony on FOIA]

CA – Public Archives Face ‘Monumental’ Problems

Provincial archives across Canada are finding it highly difficult to manage their historical records amid changing technology that is leaving some files at risk of being lost forever. Following a report by the Ontario Auditor-General highlighting serious concerns with the way the province manages its $400-million collection, archivists across the country are raising concerns about the state of historical documents – warning the 1990s and 2000s are poised to be the “lost information decades.” According to the past chairman of the Canadian Council of Archives, provincial collections are not adequately financed to deal with documents, artwork or recordings, let alone the millions of electronic files being generated each year by governments. Add to that ever-changing technology to access electronic files and it suggests problems ahead. [Source]

Health / Medical

US – “Best Practices” for Personal Health Records Released

The Health Privacy Project, the California Healthcare Foundation, the CDT and a number of prominent employers have put out “Best Practices” guidelines for employers considering adoption of Personal Health Records ( PHRs) for their employees. The best practices document addresses a void in policy and practice guidelines for employers and is intended to ensure that the privacy and confidentiality of employee health records. [Health Privacy Project “Best Practices” press release, December 18, 2007] OTHER: [Commentary: Health Care Privacy and the Surveillance State: The Struggle for Balance] [Australia: Nursing home staff resign over macabre party game]

Horror Stories

UK – Three Million Records Lost in Another UK Government Data Scandal

The UK government has revealed that a US-based IT contractor has “lost” the records of three million British learner drivers in the latest missing data scandal to hit Whitehall. Transport secretary Ruth Kelly was forced to confess to the second major security breach involving personal records from a government department in statement to MPs. She said a private contractor had informed the agency that a hard disk drive had gone missing from its secure facility in Iowa. And she revealed that the company had not even initially called in local police to investigate the breach. Kelly admitted that her department has kept the loss of the records secret since May. The data includes the driver’s name, postal address, phone number, the test fee paid, their test centre, a code indicating how the test was paid for and an email address. [Source] [UK Civil Servants Face Prison for Leaving the Public Open To Identity Theft] See also: [Missing Laptop Holds UK Parliament Security Details]

JP – Government Notifies More Than 8 Million People About Missing Pension Records

The Japanese government is seeking to recover from a security breach that has shaken the public’s confidence in the country’s ability to take care of its elderly. Earlier this year, the government acknowledged that it has lost track of pension records related to 64 million claims. The Social Insurance Agency is asking people who have filed claims to verify their pension data and personal information, and then make any necessary changes or corrections before sending the notice back with supporting documentation. The pension breach has led to widespread political ramifications. [Source]

WW – Tens of Thousands of Adult Website Accounts Compromised

A popular software program called NATS, which powers the backend of about 35% of all adult paysites online has reportedly been in a compromised status for several months while the company that owned and manages the software did little to nothing to correct the issue. NATS is made by New Jersey-based Too Much Media and is used to provide a management and reporting interface that adult paysite owners use to report affiliate sales and earned commissions to affiliates as well as track and manage sales of memberships. The violation so far appears to be limited to e-mail addresses, with an avalanche of spam e-mail hitting Web site customers’ inboxes. No credit-card information was affected by the October incident. [Source] [Porn Industry Frets Over Security Breach]

UK – UK Insurance Company Gets Record Fine for Poor Data Security

UK insurance company Norwich Union has been fined ₤1.26 million by the Financial Services Authority (FSA) for failing to provide adequate protection of customer data. Eleven people have been arrested in connection with a scheme in which thieves were able to impersonate Norwich Union customers by calling the company’s call center and attempting to cash in policies totalling ₤3.3 million. Some bank account data were exposed. The fine levied against Norwich is the highest ever by the FSA for data security issues. [Source] [Source] [Source] [Source]

Identity Issues

UK – BBC Presenter Stung After Bank Prank

TV presenter Jeremy Clarkson has lost money after publishing his bank details in his newspaper column. Clarkson revealed his account numbers after rubbishing the furore over the loss of 25 million people's personal details on two computer discs. He wanted to prove the story was a fuss about nothing. But Clarkson admitted he was "wrong" after he discovered a reader had used the details to create a £500 direct debit to the charity Diabetes UK. [Source]

Internet / WWW

CA – Facebook Suing Ontario Porn Firm

A Canadian company specializing in Internet porn is being sued by Facebook amid allegations it hacked the popular social networking website’s computers and tried to access the personal information of users, court documents show. A numbered Ontario company, which does business online under the name SlickCash, along with several people in the Toronto area, are named in an amended complaint filed by Facebook in San Jose, Calif. The hugely popular information sharing website alleges that, for two weeks last June, the defendants attempted to access Facebook’s servers at least 200,000 times. “Each of these requests sought to direct Facebook’s computers to send information on other Facebook users back to (the company’s Internet Protocol) address,” the court documents say. [Source]

Law Enforcement

CA – Constable Disciplined for Misuse of RCMP Databases

An RCMP officer has been docked five days’ pay after he used police computers to run the name and licence plate of his ex-girlfriend’s new boyfriend. In a recent decision, an RCMP disciplinary board found Const. Pablo Maciuk guilty of “disgraceful” conduct for using police databases to check up on the boyfriend and then confronting his ex with the information he found.” Confidential police information is entrusted to us under strict rules and only for the purposes of carrying out our legitimate duties,” the board wrote in its decision. “Obtaining and sharing it for clearly non-duty purposes with the potential for its misuse in a variety of ways is disgraceful,” added the board. [Source]

Online Privacy

US – FTC Issues Online Ad Privacy Guidelines

US federal regulators said industry needs to be more transparent about how consumers’ Web-surfing habits are tracked. The FTC proposed guidelines by which advertisers would voluntarily fess up to Web surfers about whether their online behaviors are monitored and used to personalize ads. Privacy experts said the guidelines could be helpful, but only if industry enforces them. Consumers are largely in the dark about companies tracking them through these ads, the agency said, adding that companies should give people a realistic choice in whether they want to be tracked or not. The FTC is seeking public input about the guidelines by Feb. 22. [Source]

WW – Pew Study: People Sharing More Personal Information Online

A Pew Internet & American Life Project survey released last week indicates that nearly half of the online adult population has researched themselves or someone they know online. The survey indicated that 36% said they have searched for someone from their past, and 9% have found information online about a dating partner. While privacy advocates have expressed concerns about how much personal information is online, the survey found that 60% of Internet users are not worried about how much digital information is available about them. [Source] [Digital Footprints Online identity management and search in the age of transparency ] [Study Finds More Americans Run Net Searches on Themselves] [Source]

WW – Researcher Says Sears Downloads Spyware

Sears and Kmart customers who sign up for a new marketing program may be giving up more private information than they’d bargained for, a prominent anti-spyware researcher claims. According to Harvard Business School Assistant Professor Ben Edelman, Sears Holdings’ My SHC Community program falls short of U.S. FTC standards by failing to notify users exactly what happens when they download the company’s marketing software. And given the invasive nature of the product, Sears has an obligation to make its behavior clearer to users. “The software is not something you’d want on your computer or the computer of anyone you care about,” Edelman said in an interview. “It tracks every site you go to, every search you make, every product you buy, and every product you look at but don’t buy. It’s just spooky.” Edelman has written up an analysis of Sears’s software. [Source]

Privacy (US)

US – Tech Workers to Government: Keep Out of Internet Regulation, Including Privacy

A recent poll of 600 IT workers conducted for the Computing Technology Industry Association has found that its members are generally hands-off when it comes to government regulation of the Internet. The poll found that, when it comes to online privacy, just 12% of the tech workers said that the government should be involved in protecting consumer privacy online. 60% said that users should be responsible for protecting their privacy online. The survey also found that 19% said “businesses that provide Internet services” should take the primary responsibility for protecting users’ privacy. [Source] [Report]

RFID

US – Passport Card Technology Criticized by Privacy Groups

Passport cards for Americans who travel to Canada, Mexico, Bermuda and the Caribbean will be equipped with technology that allows information on the card to be read from a distance. The technology was approved last week by the State Department and privacy advocates were quick to criticize the department for not doing more to protect information on the card. The technology would allow the cards to be read from up to 20 feet away. This process takes one or two seconds. The card would not have to be physically swiped through a reader, as is the current process with passports. The technology is “inherently insecure and poses threats to personal privacy, including identity theft,” said Ari Schwartz. The State Department said privacy protections will be built into the card. The card’s chip will not contain biographical info. And the card vendor - which has yet to be decided - will also provide sleeves for the cards that will prevent them from being read from afar. [Source] [Federal Register Draft Rule Text]

Security

US – New Study Recommends Reforms for Security Breach Notification Laws

A Samuelson Law, Technology & Public Policy Clinic study of chief security officers finds that security breach notification laws have had profound effects on practices within companies. The study found that breach notification laws drive information exchange among organizations, and within organizations themselves. The laws also have empowered chief security officers to implement new technologies, including encryption and auditing measures. The chief security officers interviewed also reported that security hasn’t permeated the consumer marketplace, and accordingly, consumers don’t consider security in comparing products and services. Several recommendations are made, including the creation of a centralized, publicly available database where security breaches are disclosed. [Study]

WW – Deloitte & Touche, Ponemon Institute Release Breach Survey Results

The Enterprise at Risk: 2007 Privacy and Data Protection Survey reveals that 66% of 827 security and privacy professionals in North America say they know of six to 20 privacy incidents in their organizations in 2007 that involved the exposure or mishandling of sensitive personally identifiable information. The survey also found that in the past 12 months, 85% of the respondents said there was at least one significant breach that required notification. The survey also found that privacy professionals earn an average salary of $125,427, while security professionals earn an average of $100,694. [Source] [Report]

WW – Study: Data Security Policies Not Enforced IT Practitioners Say

Companies are not following simple data security procedures in seven high-risk scenarios, according to a study released in December by the Ponemon Institute. According to the study’s report, “Data Security Policies are not Enforced,” 39% of employees surveyed said they have lost a PDA, cellular phone, USB memory stick, zip drive, or laptop computer that contained sensitive or confidential business information. 56% believe their employer would never be able to determine the type of data contained on a lost device. The study identifies problems with the current rules in effect at the workplace, as well as the problems with enforcement of those rules. Most importantly, it shows employee naivete towards this problem, with most staff members unaware of the rules in place, or uncaring due to lack of obvious consequences. [Source] See also: [US – Federal Security: Six U.S. Programs to Watch]

UK – Data Security Procedures Not Shared with Junior HMRC Staff

In an ironic twist in the HM Revenue & Customs data loss case, information about how to share information safely was kept from junior staff because it was believed that the manual contained too much sensitive information to be widely distributed. Following the presentation of an interim report on the HMRC data loss, Chancellor of the Exchequer Alistair Darling said that the department needs to establish “clearer lines of responsibility for data.” [Source]

UK – Primary School Data ‘At Risk’

Personal details of some two million primary schoolchildren in England is being put at risk by staff taking home unprotected data, it has been claimed. A survey of almost 1,000 primary schools found that almost half, 49%, were backing up pupil data onto discs, memory sticks or tapes which were taken off the school premises, exposing the material to loss or theft. IT experts. Just 1% or respondents encrypted the data. The ‘at-risk’ material, carried by school managers commuting to and from work, was said to include names, addresses and dates of birth pupils, contact numbers for parents, details of pupils’ attendance and behaviour, and academic records. A further 4% of schools were leaving sensitive and unprotected data at unsecured locations on the school premises. [Source]

Smart Cards

WW – Smart Card Forecast Indicates ‘User Anxiety’ Hurdle

The market for smart cards in North America is expected to grow by 35% each year until 2012, but users are reluctant to use the technology for a variety of reasons, including cost of installation and a misunderstanding of the technology’s security advantages, according to an industry analyst. Frost & Sullivan, a Texas-based market research firm, recently published its predictions for the smart card market in a report, titled World Corporate Security (Physical and Logical Access), which forecasts the total market will reach US$235 million in 2012. The report includes information on the use of smart cards for physical access (such as opening doors) and for logical access, to networks and systems. However, there is “still some element of user anxiety” over smart cards because most cards used to control physical access are contactless – meaning they transfer information wirelessly to the readers. This raises a concern that thieves could get information by stealing the cards or by skimming information from an unauthorized reader. She added the smart card hardware itself is not the only security consideration. “The possibility of fraud and security breaches are also dependant on the processes, backend systems, networks and databases linked to the smart card platform.” [Source]

Surveillance

US – Satellite-Surveillance Plan Aims to Mollify Critics

After delaying a domestic satellite-surveillance program for more than two months, DHS Secretary Michael Chertoff expects to finalize a new charter for it soon, a move that attempts to quell civil-liberties concerns and get the program back on track. Mr. Chertoff also plans soon to unveil a cyber-security strategy, part of an estimated $15 billion, multiyear program designed to protect the nation’s Internet infrastructure. The program has been shrouded in secrecy for months and has also prompted privacy concerns on Capitol Hill because it involves government protection of domestic computer networks. The charter will clarify that the satellite program will follow all current U.S. legal restrictions on technical surveillance. Where a warrant is required, one will be obtained before that activity is approved. Under the charter, the program won’t use technology to intercept verbal communications. [Source]

WW – Kluft Touts Computer Chip Implants

Swedish athletes Carolina Klüft and Stefan Holm have caused a stir on the home front by proposing radical measures to ensure that top level competitors refrain from taking performance-enhancing drugs. Klüft and Holm, reigning Olympic champions in the heptathlon and high-jump events, both agreed that competitors at the highest level should either have computer chips implanted into their skin or GPS transmitters attached to their training bags to help keep track of their movements at all times. According to Klüft, today’s system - whereby athletes provide quarterly advance reports of their probable whereabouts - is not sufficient to tackle the sport’s problems with doping. [Source] See also: [Drug testing ahead for California high school athletes?]

Telecom / TV

CA – CRTC Selects National Do Not Call List Operator

The CRTC announced that it has awarded a five-year contract to Bell Canada to operate the National Do Not Call List (DNCL). The company was the only bidder that was compliant with the requirements of the Request for Proposal. Bell Canada will be responsible for registering numbers, providing telemarketers with up-to-date versions of the list, and receiving consumer complaints about telemarketing calls. In addition, Bell Canada will operate the National DNCL using the fees that telemarketers will pay to subscribe to the list. The contract stipulates that the list should be launched by September 30, 2008. [Reference documents: News release, “CRTC issues Request for Proposal for National Do Not Call List”, July 30, 2007] [News release, “CRTC moves a step closer to establishing a National Do Not Call List”, July 3, 2007] [Telecom Decision CRTC 2007-48]

US Legislation

US – Surveillance Law (FISA) Showdown Postponed Until 2008

Congress won’t decide until next year whether to pass a complex law that would grant immunity to telephone and Internet companies from lawsuits alleging illicit cooperation with federal government spies. After a day of back-and-forth on the Senate floor, U.S. Senate Majority Leader Harry Reid emerged this week and announced he would postpone debate on the so-called FISA Amendments Act. [Source] [Senate Set To Consider Immunity For Telecoms][CDT Letter to Senate re: FISA legislation [PDF], December 17, 2007] [Insider’s Guide to FISA Legislation [PDF], December 04, 2007] [Policy Post on Surveillance Bills [PDF], October 26, 2007]

--------