Privacy News Highlights
01–15 October 2008
Contents:
UK – ID card ‘Will Drown In A Billion Mismatches’ : Biometrics Expert
CA – Hutterites Challenge Post-9/11 Security Rules
CA – Consumers’ Reluctance Slows Retail Adoption
CA – Two Million Canadians Register for Do Not Call List
CA – Radical Change Needed In Privacy Protection, Ontario Watchdog Says
CA – Alberta Auditor: Health, Drivers’ Licence Records Not Well Protected
WW – Understanding Privacy in the Marketplace
WW – Consumer Reports Issues Online Security Guide
UK – Home Office Publishes Data-Sharing Guidance
US – Senate Passes E-Government Act Reauthorization
US – FTC Shuts Down World’s Largest Spam Network
US – HHS Exempts Systems from Privacy Act Provisions
CA – Ombudsman Says Privacy Comes First In Paperless Records System
UK – Appeals Court Rejects Encryption Key Disclosure Defense
WW – ‘Unbreakable’ Encryption Unveiled
EU – Freedom Not Fear: 15,000 in Berlin Demonstrate for More Privacy
EU – ‘Internet of Things’ Prompts EU Push for Privacy Rights
EU – Article 29 Working Party Agrees to Nine Country Mutual Data Protection
EU – Database Right Prevents More Than Just Cut ‘N’ Paste Copying, Rules ECJ
US – Reading Privacy Policies Takes 10 Minutes on Average
US – Reported Data Breaches on the Rise
WW – Surveillance of Skype Messages Found in China
US – Verizon Breach Study Identifies Industry Specific Threats
US – Credit-Card Security Standard Issued After Much Debate
CA – Alberta Businesses Top Privacy List
WW – Dawn of Low-Price Mapping Could Broaden DNA Uses
US – Schwarzenegger Signs Bills Creating Hospital Privacy Oversight Office
UK – Missing MOD Hard Disk Contains 1.5m Pieces of Personal Information
IN – Indonesia’s Blunder on Privacy
EU – Drivers’ Private Details Displayed on eFlow Site
US – 11,000 University Records Accessed
EU – Deutsche Telekom to Tighten Up on Data Privacy
WW – IBM, Secret Service, Others Study Identity / Cybercrime Issues
US – New Anti-Piracy Law Imposes Stronger Penalties
EU – German Court Says IP Addresses in Server Logs Are Not Personal Data
PH – Philippines’ Senate Must Pass IP, Data Privacy Laws
US – Court Says Woman May Sue County Clerk Over Identity Theft
US – Justice Department Issues New FBI Guidelines
US – Privacy Is A Thing of the Past, Says Private Investigator
AU – Get Privacy in Place before SEHRs
US – Privacy Group Asks States to Investigate Social Nets
EU – DPA Issues Guide for Kids, Parents
WW – New Firefox Add-On Tracks Your Location
AU – Canberra Plans Unified Privacy Principles
SA – South Africa Privacy Bill Promises Protection
EU – Privacy Filmmakers Awarded
EU – France Launches Public Online Consultation on ePrivacy
AU – Australian Commissioner Issues Guides
US – Supreme Court Hears Arguments in Police Database Errors Case
US – National Organization for Child Online Safety Calls on President to Sign Legislation
EU – Mifare Classic RFID Vulnerability Research Published
US – California Makes It a Crime to ‘Skim’ RFID Tags
WW – E-Passport Demo Shows Weaknesses in New Border Controls
EU – RFID Helps Hospital Monitor Patients, Accelerate Treatment
EU – T-Mobile Admits Losing Data for 17 Million Customers: Statement
EU – Security Pros Call for Data Breach Regulations
IS – Israel Step-on Scanner Lets Air Passengers Keep Shoes On
EU – EU to Introduce ‘Virtual Strip Searches’ at Airports by 2010
US – TIGTA Report Finds Lack of Management Control on Some Computer Systems
JP – NRI Secure Technologies Web Security Assessment Trend Analysis Report
US – Beware of Hotel Internet Connections: Study
US – Army Program Seeks Out Unauthorized Applications
WW – Wireless Hack Raises Data Protection Act Compliance Risk
US – NIST Issues Three IT Security Documents
US – NSA’s Warrantless Eavesdropping Targets Innocent Americans
SA – South Africa NIA Spies on the Public: Minister
NZ – Use of Spying Services in Question
EU – Swedish Government Waters Down Telecoms Monitoring Law
US – NYCLU Sues NYPD for Information on Massive Surveillance Plan
EU – Swedish Party Leader: Sweden Needs Privacy Ombudsman
EU – Sweden Condemns Surveillance in Schools
CA – Manitoba Police Union Says Don’t Buy Cameras, Hire Officers
AU – Info Deluge Raises Need for Legal Rebuild of Privacy Laws
EU – European Court Opinion Due On Phone Details
US – Counterterrorist Data Mining Needs Privacy Protection
US – Satellite-Surveillance Program to Begin Despite Privacy Concerns
US – Michigan Issues New Enhanced Driver’s License for U.S. Border Crossing
US – Nevada Issues New Secure Driver License
US – Privacy Groups Praise Bill Curbing Warrantless Laptop Searches
US – Deadline Nears for Red Flag Rules Compliance
US – Schwarzenegger Vetoes Data Protection Act (Again)
The government has underestimated the likely failure rate of the ID card scheme, according to a biometrics expert who reviewed the system. The ID card scheme will guard against one person having multiple identities by checking the two fingerprints and facial scan held on a chip on the ID card against biometrics in a central database, the National Identity Register. But John Daugman, a former member of the Biometrics Assurance Group (BAG) which reviewed the scheme, says its reliance on fingerprints and facial photos to verify a person’s identity will cause the system to collapse under the weight of mismatched identifications. Daugman, an expert on iris recognition, says fingerprints and facial photos are not distinctive enough to tell the UK’s 45-million-strong adult population apart. Daugman said that even if the error rate were as low as one in a million, the 10^15 comparisons needed to verify the IDs of 45 million people would result in one billion false matches. “The government was badly advised by its internal scientists in the Home Office when it took the decision to base the biometric system on fingerprints instead of iris patterns. Only iris patterns have enough randomness and distinctiveness to survive so many comparisons without making false matches.” The Home Office rejected the allegation that the scheme would be swamped with false matches, citing two already operational schemes larger than the ID card: the FBI’s fingerprint database with more than 50 million records and the US-VISIT database with more than 80 million records. [Source] See: [Govt. biometrics use still raises privacy concerns] and [NYT article Sum of the Parts? (facial Beautification Engine)]
Post-9/11 security measures will be thrust squarely in the sights of the Supreme Court of Canada by a small Hutterite community seeking an exemption from the use of mandatory photographs on driver’s licences. The 252 Hutterites claim that adhering to the post-9/11 security provision would force them to violate a biblical commandment forbidding idolatry. If none of their members can drive to nearby cities for jobs or in medical emergencies, their rural settlement and way of life will be destroyed, the Hutterites argue. However, they have run headlong into security-conscious provincial and federal officials, who express dire concerns about terrorists stealing the identities of the Hutterites and placing the entire country in danger. In their brief, federal lawyers cautioned the court against opening the floodgates to anyone who cares to claim a similar religious belief. By making freedom of religion “absolute,” the federal brief said, the court would jeopardize the security of other documents such as passports and citizenship certificates. The federal brief also criticized the Alberta Court of Appeal for a ruling in favour of the Hutterites, in which the court demanded proof that the Alberta Legislature had debated the photo requirement. Setting a constitutional precondition for open legislative debate “is unprecedented in the jurisprudence and inconsistent with our constitutional traditions,” the brief said. However, an intervenor in the case, the Canadian Civil Liberties Association, maintains that “tearing apart the fabric of a religious community and ending their communal way of life exacts too high a price for the benefit of including 252 Hutterites in Alberta’s data base.” “The reason the province says they want the photographs is that they have new facial recognition technology, and want to use it in order to prevent terrorism and identity theft,” said the CCLA. 
“In other words, this is an identity-card regime which has nothing to do with traffic safety, but which the province created through a traffic safety regulation, and without any public consultation,” he said. [Source] [SCC’s fall term jammed with novel civil cases]
Retailers’ use of biometrics promises to speed checkouts, cut costs and help reduce fraud. But shoppers’ reluctance may slow widespread adoption. A recent TNS Retail Forward study revealed that shoppers in Germany, Japan, the United States and Canada are hesitant to use the technology, likely due to privacy concerns. Consumers in China and Spain are more open to a biometric-based checkout experience. TNS attributes this to the fact consumers in those nations are already exposed to biometric technology applications in banking and the workplace. [Source]
Within 60 hours of its launch, two million citizens registered their telephone numbers on Canada’s national Do Not Call List, crashing the system temporarily. Telemarketers, with some exceptions, must refrain from calling the numbers of those registered within 31 days, or face a fine. [Source]
Ontario Privacy Commissioner Ann Cavoukian says that profound changes in information and communications technologies require a new, radical approach to how we protect our privacy. Privacy protection must be built into new technologies right from inception, Cavoukian said in a paper delivered at the University of Waterloo. In the paper, titled Privacy and Radical Pragmatism: Change the Paradigm, Cavoukian stressed that she does not believe enhancing surveillance and security in society needs to come at the expense of privacy. “Conversely,” she said, “I am deeply opposed to the viewpoint that privacy must be viewed as an obstacle to achieving other technical objectives. I do not believe it is advisable that privacy advocates reject all forms of technology possessing any surveillance capacity, overlooking their growing applications and potential benefits.” The problem can be solved by building privacy measures right into surveillance systems, she said. “I call this ‘privacy by design,’” Cavoukian said. “The effect is to minimize the unnecessary collection and use of personal data by the system while at the same time strengthening data security and empowering individuals to exercise greater control over their own information. This can result in a technology that achieves strong security and privacy.” [Source] [Paper and news Release] See also: [Cloud computing is a trap, warns GNU founder Richard Stallman] [Coming to grips with an Internet that never forgets]
Alberta’s auditor general says that the government needs to step up its computer security. Fred Dunn yesterday released the findings of an audit conducted in response to hackers recently gaining access to the system. Dunn halted the planned audit of 400 government computers after examining 69 of them, due to “frequent” and “severe” data security issues. “Confidential or sensitive information may be at risk of compromise without warning,” he wrote in his report. Alberta Information and Privacy Commissioner Frank Work said: “The government holds a lot of personal information about Albertans. If that information falls into the wrong hands, it could be used for criminal purposes, including identity theft.” [Source]
An article originally published in The Journal of Consumer Affairs sheds light on the absence of a privacy “marketplace.” Researchers Joseph Turow, Michael Hennessy and Amy Bleakley compiled the findings of several studies to deliver “Consumers’ Understanding of Privacy Rules in the Marketplace,” which examines in detail the concept of “limited knowledge” as a factor in consumers’ failure to protect their online privacy. The researchers discuss a two-pronged approach involving education and mandatory labeling to help Americans manage their privacy in the digital age. [Source]
This consumer education guide to making online experiences safe includes information about auction scams, spam, viruses, spyware, phishing, ID theft and a special section regarding keeping children safe online. There are also ratings for security suites and antiphishing toolbars, an interactive phishing quiz, and videos about cell phone spam, phishing and methods CR uses to test the security suites. [Source]
The Home Office has published a code of practice designed to help public authorities protect information. Data Sharing for the Prevention of Fraud is designed to guide public authorities on disclosing information to third-party anti-fraud organisations, the report states. Information Commissioner Richard Thomas wrote the foreword to the code, saying: “fraud prevention is a key priority for the public and private sectors alike.” At least one security expert says the code is too vague and criticized its absence of encryption requirements, but the Home Office said the code was written to be “overarching” and not too prescriptive. [Source] See also: [CIPPIC Comments on data-matching of geo-demographic data with White Pages data to compile and sell consumer lists requires consent, under PIPEDA]
For five years, the E-Government Act has promoted improvements in the federal government’s use of information technology, including increased transparency for government information. The Senate is expected to pass the E-Government Reauthorization Act of 2007 by unanimous consent. CDT believes that the reauthorization includes two key improvements to the E-Government Act in a call for the development of best practices for Privacy Impact Assessments, and to make online government information more accessible to search. [Source] [E-Government Reauthorization Act of 2007]
The FTC shut down what it said is the largest spam network in the world after receiving more than 3 million complaints about a bombardment of e-mails touting bogus drugs such as male-enhancement pills. According to the FTC, the network included spammers from the U.S., Canada, Australia, New Zealand, China, India and Russia. Computer security researchers told the FTC that the spamming was so pervasive that at one point nearly one-third of the world’s spam came from this network of compromised computers, also known as a botnet. The FTC said the defendants recruited spammers from around the world to send billions of spam messages that directed consumers to Web sites operated by an affiliate program called “Affking.” The FTC said the accused spammers also used false header information that hid the origin of messages, failed to provide an opt-out link and failed to list a physical postal address, all in violation of the CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act of 2003. [Source] See also: [New Mix of Spam Techniques Uses “Read Receipts” and “Unsubscribe” Links] and [Spear Phishing Scam Targets LinkedIn Users]
Four federal computer systems are now exempt from Privacy Act provisions. The Department of Health and Human Services (HHS) has published a final rule to exempt HITS, the system that tracks alleged violations of certain HIPAA provisions, and three other “systems of records,” including two complaint tracking systems and a fraud investigation database. [Source]
New Brunswick Ombudsman Bernard Richard said the Department of Health must implement proper legislation before the province migrates to electronic health records (EHR). At an Atlantic Privacy and Security Summit in Fredericton, Richard told healthcare and security professionals, lawyers and other stakeholders that New Brunswickers must insist upon the protection of their records before the paperless system goes into effect next year. “We’re heading down the road pretty fast,” Richard said. Assistant Privacy Commissioner of Canada Elizabeth Denham agreed that citizens’ trust in the system is key, and suggested the province look to Alberta’s privacy impact assessment model before launching. [Source]
Defendants can’t deny police an encryption key because of fears the data it unlocks will incriminate them, a British appeals court has ruled. The case marked an interesting challenge to the U.K.’s Regulation of Investigatory Powers Act (RIPA), which in part compels someone served under the act to divulge an encryption key used to scramble data on a PC’s hard drive. Failure to do so could mean a two-year prison sentence, or up to five years if the case involves national security. The appeals court heard a case in which two suspects refused to give up encryption keys, arguing that disclosure was incompatible with the privilege against self-incrimination. In its ruling, the appeals court said an encryption key is no different from a physical key and exists separately from a person’s will. [Source]
Scientists at the SECOQC conference in Vienna, Austria demonstrated the first computer network protected by quantum key distribution. The six nodes of the network are connected by fiber optic cables. The basic idea of quantum cryptography was worked out 25 years ago by Charles Bennett of IBM and Gilles Brassard of Montreal University. The essence of quantum key distribution relies on the Heisenberg Uncertainty Principle, which says that quantum information cannot be measured without disturbing it; therefore, if someone were to eavesdrop on communication protected by quantum encryption, the key would be altered, alerting the recipient that the communication had been intercepted. [Source] [NIST backgrounder] [Conference description] [2007 paper]
Some 15,000 demonstrators marched in Berlin to demand greater privacy, accusing the German government of creating a “surveillance state.” The Stop This Surveillance Madness rally ended at the Brandenburg Gate. Organizers said 100,000 people took part, but police on crowd duty said they had not seen more than about 15,000 present at any one time. The German privacy movement is upset at EU data-retention laws that require phone companies to keep for six months computerized lists of the numbers that their customers call. The rally was organized by 117 German groups. A spokesman said the big turnout proved Germans were sensitive about privacy “and never want to live in a surveillance state again.” [Source] [Freedom not Fear Day in Washington, D.C., United States] [Freedom not Fear Day, Worldwide Action Day] [German Working Group on Data Retention] [Freedom not Fear Day in Buenos Aires, Argentina] [Freedom not Fear Day in Paris, France] [Freedom not Fear Day in Guatemala City, Guatemala] [The Public Voice Facebook on Freedom Not Fear]
European ministers in charge of information technology gathered in Nice, France on 6 October to debate privacy and security challenges related to the transition to a ‘Web of Things’ whereby consumer goods were able to ‘talk’ to one another. The EU ministerial meeting was the first to be fully dedicated to the Internet of the future and will feed into the conclusions of the next EU Telecoms Council at the end of November. France, the current holder of the rotating EU Presidency, wants to introduce new privacy rights for consumers. Among these is the establishment of the right to deactivate RFID tags. [Source]
The EU Article 29 Data Protection Working Party agreed that France, Germany, Ireland, Italy, Latvia, Luxembourg, the Netherlands, Spain and the United Kingdom will give mutual recognition to Binding Corporate Rules (BCR) on data protection. The countries agreed to have BCRs sent through the BCR coordination procedure: once the lead data protection authority circulates the approved draft, the other data protection authorities recognize it as a policy commitment and either authorize the binding corporate rules directly or advise the body which in turn provides that authorization. [Privacy Laws & Business, October 8, 2008]
A judgment by Europe’s highest court has strengthened the rights of database creators to protect their work from being used by third parties without permission. The database right protects against more than just copying and pasting, it ruled. [Source]
It takes about 10 minutes to read the average privacy policy, according to researchers at Carnegie Mellon University, who examined the online privacy policies of 75 popular Web sites. The researchers concluded that costs in lost time for those who read the policies, and costs in risk to those who choose not to, means that “Web sites need to do a better job of conveying their practices in useable ways, which includes reducing the time it takes to read policies,” the researchers say. “If corporations cannot do so, regulation may be necessary to provide basic privacy protections.” [Source] [study] [Lost in the Fine Print: It Would Take a Week to Read All Your Privacy Policies]
According to statistics compiled by the Identity Theft Resource Center, there have been 516 reported consumer data breaches in the first nine months of 2008, exposing 30 million records; in 2007, the total number of reported breaches was 446. Extrapolated from the numbers so far this year, the total number of reported breaches in 2008 could top 680. 80% of the breaches involved digital media; the remaining 20% involved data recorded on paper. Of the incidents this year, 36% occurred at businesses, 21% at educational institutions, and 16% on military or federal government systems. 20% of the reported breaches were due to lost or stolen digital media storage devices, 17% were due to insider theft and 13% were exposed through hacking. [Source]
A group of Canadian human-rights activists and computer security researchers has discovered a huge surveillance system in China that monitors and archives certain Internet text conversations that include politically charged words. The system tracks text messages sent by customers of Tom-Skype, a joint venture between a Chinese wireless operator and eBay, the Web auctioneer that owns Skype, an online phone and text messaging service. The discovery draws more attention to the Chinese government’s Internet monitoring and filtering efforts. Researchers in China have estimated that 30,000 or more “Internet police” monitor online traffic, Web sites and blogs for political and other offending content in what is called the Golden Shield Project or the Great Firewall of China. The activists, who are based at Citizen Lab, a research group that focuses on politics and the Internet at the University of Toronto, discovered the surveillance operation last month. They said a cluster of eight message-logging computers in China contained more than a million censored messages. They examined the text messages and reconstructed a list of restricted words. The list includes words related to the religious group Falun Gong, Taiwan independence and the Chinese Communist Party, according to the researchers. It includes not only words like democracy, but also earthquake and milk powder. (Chinese officials are facing criticism over the handling of earthquake relief and chemicals tainting milk powder.) The list also serves as a filter to restrict text conversations. The encrypted list of words inside the Tom-Skype software blocks the transmission of those words and a copy of the message is sent to a server. The Chinese servers retained personal information about the customers who sent the messages. They also recorded chat conversations between Tom-Skype users and Skype users outside China. 
The system recorded text messages and Skype caller identification, but did not record the content of Skype voice calls. In just two months, the servers archived more than 166,000 censored messages from 44,000 users, according to a report that was published on the Information Warfare Monitor Web site at the university. The researchers were able to download and analyze copies of the surveillance data because the Chinese computers were improperly configured, leaving them accessible. The researchers said they did not know who was operating the surveillance system, but they said they suspected that it was the Chinese wireless firm, possibly with cooperation from Chinese police. [NYT Source] See also: [How a Canadian cracked the Great Firewall of China] UPDATE: [Skype Acknowledges Message Filtering and Retention in China] [Source] Supporting sites: www.greatfirewallofchina.org [Detailed Report]
In a supplement to its June data breach investigation report, Verizon Business has released information on industry-specific threats in the financial services, high-tech services, retail and food and beverage sectors. Specifics from the study, which looked at the handling of 500 data breaches between 2004 and 2007, show that for financial services firms, insider fraud accounts for most data breaches, while hacking and malware make high-tech firms most vulnerable. In the retail industry, open VPN connections and weak wireless security leave firms susceptible to hackers, as do point-of-sale system weaknesses in the food and beverage industry. [Source] [Original data breach report] [Supplemental report] [Source] [Outsourcing aids many data thefts, Verizon says]
The Payment Card Industry Security Standards Council has issued revised rules in an attempt to better protect cardholders’ data. The rules are the organization’s attempt to clear up confusion on existing guidelines, and include new requirements on WEP, code change reviews and cardholder data destruction, among others. The council said that its 2009 focus will include end-to-end encryption, payment machines and virtualization. [Source] See also: [Bugged Chip-and-Pin Machines Stealing Payment Card Data]
Alberta’s Privacy Commissioner Frank Work says it’s business people that top the list of those accessing information through the Freedom of Information and Protection of Privacy Act. “It’s actually surprising to find that out,” Work said at the launch of the Right to Know Week in Alberta. Alberta businesses have the lion’s share of requests at 52%, while the media is the smallest user at about 2% and private individuals account for 30%. The remaining requests came from researchers and organizations such as political parties. [Source]
The cost of determining a person’s complete genetic blueprint is about to plummet again — to $5,000. That is the price that a start-up company called Complete Genomics says it will start charging next year for determining the sequence of the genetic code that makes up the DNA in one set of human chromosomes. Such a price would represent another step toward the long-sought goal of the “$1,000 genome.” At that price point it might become commonplace for people to obtain their entire DNA sequences, giving them information on what diseases they might be predisposed to or what drugs would work best for them. “It’s a shockingly low price,” said George M. Church, a professor of genetics at Harvard who is an adviser to Complete Genomics and to several other sequencing companies. Then again, the cost of DNA sequencing has dropped by a factor of 10 every year for the last four years, a faster rate of decline than even for computers, Dr. Church said. [NYT Source]
Hospitals and other health facilities will face harsh new penalties if their employees snoop in the medical records of patients, under legislation signed by Gov. Arnold Schwarzenegger after privacy was breached on celebrities’ files – including his wife’s – at UCLA Medical Center. Schwarzenegger approved two bills creating a state office to police patient privacy and to allow the state to issue fines as high as $250,000 for multiple violations. The governor rejected most other major healthcare legislation aimed at protecting average Californians who face significant medical bills or inadequate insurance. “Repeated violations of patient confidentiality are potentially harmful to Californians, which is why financial penalties are needed to ensure employees and facilities do not breach confidential medical information,” Schwarzenegger said in a statement. Assemblyman Dave Jones (D-Sacramento), the author of one of the bills, AB 211, emphasized that they protect all patients, not just famous ones. “Your private medical information shouldn’t be flapping in the breeze like an open hospital gown,” he said. The other measure, SB 541, was written by Sen. Elaine Alquist (D-Santa Clara). In addition to the higher fines for privacy violations, the measures raise maximum penalties for serious medical mistakes to $125,000 when their occurrence indicates that other patients may also be in danger. [Source]
The UK’s Ministry of Defence has admitted to losing a portable hard drive containing up to 1.5 million pieces of personal information, including details of over 100,000 active service personnel and 600,000 recruits. The missing disk was not encrypted. Of particular concern, the missing data include details on personnel who served in Northern Ireland and may be terrorist targets. The lost information includes individuals’ passport numbers, addresses, dates of birth and in some cases banking details. Over the past four years more than 658 laptops have gone missing from the MOD, with 26 memory sticks containing sensitive information missing since January 2008. [Source] [Source] See also [Britain mulls a society in which privacy is banned]
Amid concern over privacy and security on the Internet, Indonesia’s Ministry of Education put a detailed database of students online as downloadable files. At least 36 million student records were listed on the website in Excel files containing names, dates and places of birth, and addresses. The database was put online only recently, but Google had already indexed it. [Source] See also: [Verizon exposes the wrong 1,200 e-mail addresses] and [Palin hacking charge flawed, lawyers say]
Private details of M50 motorists have been displayed on the eFlow website for anyone to see. The sensitive information was left open to abuse after an oversight by the National Road Authority (NRA). The error was discovered after a driver complained he could access details of other motorists. The unprotected information may have left drivers open to identity theft, as it included names, addresses, car registration plates and times when they used the road. However, the NRA says that the mistake was borne out of “good intention” and that it was merely trying to make life simple for customers. [Source] [248,000 in N.C. affected by lost personal data]
The personal information of 11,000 people affiliated with the University of Indianapolis has been exposed. Hackers accessed a server on September 8 that contained the names and Social Security numbers of students, faculty and staff. The FBI is investigating the incident, which is believed to have originated offshore. Gartner Group identity theft and privacy analyst Avivah Litan described universities as “low-hanging fruit” to hackers, due to their open networks and the amounts of personal and financial information they house. “It’s a lot easier to get into a university than a bank,” Litan said. [Source]
Deutsche Telekom officials are hurrying to implement improved data protection standards. The company failed to repair a known loophole that left the personal details, including bank account information, of 30 million landline customers vulnerable. The company said it has since closed the loophole. Deutsche Telekom will also set up a Data Privacy Board department that will focus on staff access to customer data, and will issue data privacy reports every six months going forward. “In the race against data theft, we want to be at least one step ahead at all times,” said chief executive Rene Obermann. [Source]
IBM, LexisNexis and the Secret Service are among a group of corporations, government agencies and academic institutions that has formed to study and help solve identity management challenges around cybercrime, terrorism and narcotics trafficking. The Center for Applied Identity Management Research (CAIMR) will study those issues and focus on developing real-world tools and best-practices recommendations to solve them. The nonprofit research organization, which will be headquartered at Indiana University, brings together experts in criminal justice, financial crime, biometrics, cybercrime and cyberdefense, data protection, homeland security and national defense. CAIMR will examine the challenges, knowledge gaps and research needed to solve identity issues in areas such as individual privacy, cybersecurity, and data breaches, and outline how those issues affect public safety, commerce, government programs and national security. The group has laid out four initial areas of study:
§ Public safety, which includes identity theft, cybercrime, computer crime, organized criminal groups, document fraud and sexual predator detection.
§ National security, including cybersecurity and cyberdefense, human trafficking and illegal immigration, terrorist tracking and financing.
§ Financial and corporate fraud, including mortgage fraud and other financial crimes, data breaches, e-commerce fraud, insider threats and healthcare fraud.
§ Individual protection, including identity theft and fraud.
CAIMR’s founding members include Indiana University, the Secret Service, LexisNexis, IBM, Cogent Systems, Visa and Intersections, Inc. Other members of CAIMR are Fair Isaac, University of Texas at Austin, Wells Fargo & Company, U.S. Marshals Service, Dragnet Solutions, ID Experts, Identity Theft Assistance Corporation, Information Technology Association of America, and National Center for Missing and Exploited Children. [Source]
US President George W. Bush has signed into law the Prioritizing Resources and Organization for Intellectual Property Act (PRO-IP), which imposes more stringent penalties on people convicted of music and movie piracy. The bill creates an executive-level position, Intellectual Property Enforcement Coordinator, who will advise the White House on protecting both domestic and international IP. The law has the backing of the RIAA and the Motion Picture Association of America (MPAA) as well as of the US Chamber of Commerce. The US Justice Department opposed the creation of the IP czar, saying such a position would undermine its authority. [Source] [Source] [Source]
A German court has ruled that website operators are allowed to store the IP addresses of their visitors without violating data protection legislation. Without additional information, IP addresses do not count as personal data, it said. The issue has never been tested in a UK court but the view of the German court is consistent with guidance published last year by the UK’s Information Commissioner. The ruling said that an internet service provider (ISP) could not tell a third party who was using a particular IP address at a particular time without a legal basis. ISPs generally do not give out such information except when ordered to do so by a court. The only other way for a person’s identity to be determined by the IP address would be for the information to be transferred to a third party illegally, the court said. In an automated translation from the German, the ruling said that IP addresses lack the necessary quality of ‘determinability’ to be personal data. Determinability means that the identity of the person behind the data can be determined without disproportionate burden and using normally available knowledge and tools. The court said that web publishers, therefore, could store IP addresses in server log files which keep track of activity on a web page. The Article 29 Working Party, the committee of Europe’s privacy watchdogs, has said that IP addresses should be treated as personal data by ISPs and search engines, even if they are not always personal data. [Source] See also: [Anonymizing Google’s Server Log Data - How’s It Going?] and [‘Overplayed’ privacy concerns rile Symantec boss: ‘IP addresses are so not private’] [Americans Extremely Concerned About Internet Privacy: Consumer Reports Research]
The Philippine Congressional Commission on Science Engineering and Technology (COMSTE) has recommended the Senate merge the proposed Data Protection Act with proposed amendments to the nation’s intellectual property code into one bill. A joined proposal would cover issues affecting data privacy such as cross-border data transfers and misuses of personal data, among other issues. COMSTE also recommended that the combined bill follow the APEC Privacy Principle rather than European Union standards. “The EU standards are restrictive,” said panel member Beng Coronel. “APEC standards are preventive and apply more to local companies.” [Source]
An Ohio appeals court has reversed a lower court decision that dismissed an identity theft lawsuit brought against the Hamilton County clerk of courts, allowing Cynthia Lambert the right to proceed with her lawsuit. Lambert had sued the clerk, Greg Hartmann, after her identity was used fraudulently following the posting of an image of a 2003 speeding ticket that contained personally identifiable information, including her Social Security number (SSN), online. Someone using a phony driver’s license under Lambert’s assumed identity made purchases totaling more than US $20,000. The driver’s license number used by the data thief differed from Lambert’s actual license number by one digit, the same error made by the recording officer at the time the ticket was written. [Source]
The Justice Department has issued new guidelines for FBI investigations, weakening the standards that have long been in place to ensure proper targeting of law enforcement and national security investigations. The guidelines represent another step in the creation of a domestic intelligence system in the United States. They permit FBI agents to go undercover to collect information, send in informants and tail citizens, all without suspicion of wrongdoing or connections to a foreign power. [Attorney General Guidelines, October 03, 2008] [DOJ Fact Sheet, October 03, 2008] [FBI Dir. Mueller/ A.G. Mukasey Statement, October 03, 2008] [EPIC page on Attorney General Guidelines]
Steven Rambam has a 25-billion record database containing the personal information of “pretty much every American.” In an interview, the private investigator discusses the database, how he safeguards it, and how the widespread availability of personal information feeds “a new engine of capitalism.” “Where it gets a little creepy is when they aggregate all of this data together and have an extraordinary profile of you,” Rambam says. He also discusses “slippery, slimy” things Americans should be concerned about when it comes to their personal information. [Source] See also: [Numerati: Mathematical Modeling Used To Track and Label]
In a Mondaq report, Christina Crotty of Minter Ellison discusses the privacy implications of a national movement towards shared electronic health records (SEHR). The Australian Law Reform Commission (ALRC) has recommended that steps for addressing privacy risks should be in place before the adoption of SEHRs, including the creation of an organisation to oversee the system. The Privacy Commissioner’s Privacy Blueprint for the Individual Electronic Health Record includes similar recommendations, and calls for individual opt-out capabilities, sensitivity labels and audit logs. The National E-Health Transition Authority is considering these recommendations. [Source]
The Center for Digital Democracy (CDD) has sent letters to the New York and California Attorneys General, asking them to investigate “hypertargeting” advertising methods used by popular social networking sites, reports MediaPostPublications. “We cannot allow social media marketing to be a data-collection black box,” said CDD executive director Jeff Chester, referring to the hypertargeting systems used by sites for identifying users’ interests in order to serve relevant ads. MySpace says users can opt-out of hypertargeting via the company’s privacy policy. The CDD shared its concerns with the U.S. FTC, EU officials and U.S. Rep. Ed Markey (D-MA), as well. [Source]
A new handbook published by the Spanish Data Protection Agency (DPA) aims to help children protect their privacy in the digital age, reports Internet Law News. The guide, written for kids and parents, includes an overview of the Data Protection Act and its provisions specific to children. It also contains guidance on posting personal information and photos on the Internet, sharing information with third parties and using chat rooms, social networks and public forums, among other recommendations. “Parents must provide guidance to their children regarding the use of the Internet,” the DPA states. [Source]
A new Firefox add-on can pinpoint your location using WiFi signals. Geode has been developed by Mozilla and uses Skyhook’s Loki technology to identify a user’s location from local WiFi hotspots. Mozilla claims the technology can pinpoint the user’s location, correct to within 10-20 meters, in less than a second. The add-on has been designed to work with mapping and geo-tagging websites and is a trial version of a function that will appear in the forthcoming Firefox 3.1 web browser. A demo application called Food Finder works with Geode to identify restaurants and cafés in the immediate vicinity on a Google Map. The add-on has raised some privacy concerns but Mozilla claims users will be able to specify whether they want their location revealed. [Source]
Australian Special Minister of State John Faulkner has proposed a set of unified privacy principles and protections for credit reporting and health information, following a revamp of the Privacy Act. Senator Faulkner will also tackle abuses of data capture and usage made possible by small, cheap and versatile devices that record and transfer sound, images and data. [Source]
The Protection of Personal Information Bill is expected to compel social networking Web sites, such as Facebook, to allow their members to keep their personal information private. Members of social networking Web sites will also be given the right to stop those Web sites from selling their information. The SA Law Reform Commission is still drafting the Bill, also known as the Data Privacy Bill. Once law, the legislation will help protect people from criminals by holding companies and individuals, who fail to take adequate steps to protect people’s private information, legally liable. In terms of the proposed law, companies, for example, will be required to notify all customers affected by security breaches that could result in identity theft. Offenders could face up to 10 years in prison, as well as fines and punitive damages. However, the Bill’s progress has been slow – it still does not feature on this year’s parliamentary programme and is said to be on the agenda for early 2009. [Source]
Ireland’s Data Protection Commissioner Billy Hawkes announced the winners of the “Privacy in the 21st Century” video competition. A team of three National College of Art & Design students took the first prize of €5,000. At an event hosted by Google Ireland, the commissioner remarked on the high quality of entries received, and said: “The submissions explored a wide range of privacy issues such as surveillance, identity theft and the availability of information through social networking sites.” Second and third prizes were also awarded. The competition intended to promote awareness of privacy issues. View the winning entries here. [Source] See also: [PBS Series Highlights Surveillance State: The “Last Enemy”] [“The Last Enemy” on YouTube (with creepy Total Information Awareness opening)] [IMDb, “Eagle Eye” ] [IMDb, “Body of Lies” ]
The French Internet Rights Forum and the French National Commission for Informatics and Liberty (CNIL) have teamed up to hold online public debates on four privacy-related issues. The public debates will help officials understand French nationals’ views on a variety of topics in order to improve future privacy protections. The two groups will publish a report in mid-January with the findings of the consultation process. [Source]
Australian Privacy Commissioner Karen Curtis recently released three guides to help business leaders understand their obligations under the Privacy Act and navigate privacy issues within diverse organizations. Curtis released the guides--Interaction between the Privacy Act and the Spam Act; Internal investigations of privacy complaints; and Handling personal information security breaches –during Privacy Awareness Week. [Source]
If a false entry in a database leads to an unconstitutional police search that reveals illegal drugs, does the government get to hold it against you? That’s the question the Supreme Court will tackle in a case civil liberties groups such as the Electronic Privacy Information Center argue will have broad implications in a world where we are constantly being evaluated against databases and watch lists that are riddled with frustratingly persistent errors. “In these interlinked databases, one error can spread like a disease, infecting every system it touches and condemning the individual to whom this error refers to suffer substantial delay, harassment, and improper arrest,” EPIC director Marc Rotenberg argued in a friend of the court brief (pdf). Not surprisingly, the government disagrees... The case is Herring vs. US 07-513. [Source] [Transcript of Herring v. US argument] [US Supreme Court Docket page for Herring v. US] [EPIC page on Herring v. US] [EPIC’s page on the 2003 online petition urging the reestablishment of accuracy requirements for the FBI’s National Crime Information Center, the nation’s largest criminal justice database]
Web Wise Kids applauds Congress for passing legislation to promote youth online safety. Senate Commerce Committee Chairman Daniel Inouye and Vice Chairman Ted Stevens ensured that provisions were included in the Broadband Data Improvement Act (S. 1492) that will support efforts to increase public awareness and education of Internet safety, protect children from cybercrimes and help parents shield their children from inappropriate material. S. 1492 requires that the FTC carry out a nationwide program to increase public awareness and education regarding strategies to promote the safe use of the Internet by children. The legislation also establishes an “Online Safety and Technology Working Group” comprised of representatives from business, nonprofit and government sectors. Tasks of the working group include evaluating efforts to promote online safety through education, parental control technology, blocking and filtering software, age-appropriate labels for content and the development of technologies to help parents shield their children from inappropriate online content. Web Wise Kids encourages the President to sign this legislation and call on Congress and the next Administration to substantially increase funding to meet the growing need for Internet safety programs and resources. [Source] See also: [UK: Watchdog to protect children]
A research paper detailing a security vulnerability in the Mifare Classic RFID chip has been published. The research, which was conducted by Professor Bart Jacobs and his colleagues at Radboud University in Holland, was set to be published earlier this year, but NXP, the company that manufactures the Mifare Classic chip, sought an injunction to delay the paper’s dissemination to allow customers time to make changes to their security systems. The chip is used in prepaid transportation system cards in London, Boston and Holland and is also used to restrict access to some buildings. [Source] [Source] See also: [A paper recently published by the Stanford Law Review detailed some alarming examples of security researchers hacking into RFID systems]
California became the second state to pass a law making it illegal to steal data from RFID cards. The law sets a penalty that includes a maximum fine of US$1,500 and up to a year in prison for someone convicted of surreptitiously reading information from an RFID card. The California bill makes exceptions for certain emergency situations, such as permitting a health care worker to scan someone’s RFID-enabled health card in order to help the person. Also, police officers would be allowed to view information on an RFID card with a warrant. The bill was first introduced by California State Senator Joe Simitian in 2006, and the final version was signed into law this month. Earlier this year, Washington became the first state to pass a law against theft of RFID data. Washington makes it a class C felony to steal data from an RFID card specifically for the purpose of fraud, identity theft or other illegal purposes. That means that if convicted, a criminal could receive a penalty of as much as a $10,000 fine and five years in prison. While there are security mechanisms that issuers of RFID cards can employ to make it more difficult for someone to steal data stored on them, many don’t or do so poorly, so these laws could help serve as a deterrent against would-be hackers. California’s governor this week vetoed another related bill also introduced by Simitian that would have required schools to obtain written consent from parents before issuing RFID cards to students that could be used for recording attendance or tracking the students’ whereabouts. The bill, drafted after controversy erupted at one California school that issued RFID cards to students, would also have required schools to take certain steps to protect students’ privacy. [Source]
The data on the radio chips in so-called e-passports can be cloned and modified without detection, representing a gaping security hole in next-generation border control systems, according to security researchers. Upwards of 50 countries are rolling out passports with embedded RFID chips containing biometric and personal data. The move is intended to cut down on fraudulent passports and strengthen border screenings, but security experts say the systems have several weaknesses. Dutch researcher Jeroen van Beek has released a software toolkit that can be used to encode RFID chips with false information. In a demonstration video, van Beek shows how a scanner at Amsterdam’s airport reads a passport chip he encoded with Elvis Presley’s information and photograph. It means that a fraudster could potentially create a fake passport with an RFID chip that would appear legitimate. The reason the data looks legitimate is due to a fundamental problem in how governments are setting up systems to handle e-passports. Passport data on RFID chips is signed under a digital certificate belonging to the country that issued the passport. E-passport systems are supposed to verify that certificate when scanning a passport, Laurie said. All countries issuing e-passports are supposed to upload their digital certificate to the Public Key Directory (PKD), a database that should be queried to ensure the certificate is correct. But only 10 of the 50 or so countries have agreed to upload those certificates to the PKD. Only 5 countries are contributing to the database, he said. “Basically, the whole thing falls down.” The e-passport system’s security is rooted in the back-end database checks of those certificates, he said. In van Beek’s demonstration, the passport chip containing fraudulent data presents its own certificate that appears to be from a legitimate authority but isn’t. Since the Netherlands doesn’t use PKD to verify passport certificates, the certificate is accepted. [Source] [Source] [Software Lets Users Manipulate Passport Data]
The Spanish facility is using EPC tags and readers to not only track a patient’s movements and location, but also access clinical information. [Source] See also: [GPS Spoofing 1] [GPS Spoofing 2] [Anaheim Fire Department Deploys Multipronged RFID System to monitor the location and status of not only firefighters, equipment and supplies, but also disaster victims]
Europe’s leading telecommunications company, Deutsche Telekom, admitted that it has lost confidential data belonging to 17 million T-mobile clients. The theft, in 2006, which is now subject to a judicial inquiry, involved telephone numbers, dates of birth, addresses and email addresses, subsidiary T-Mobile said in a statement. A DT Spokesman said that bank details were not attached, and that “according to our information, even though these details have been put up for sale on the black market, there has not been a buyer.” According to news weekly Der Spiegel, copies of the information continue to circulate. German detectives have been working for weeks in tandem with the company, seeking to protect people whose lives could be endangered through the lost information. [Source]
A recent report calling for stringent data security and breach notification laws has been welcomed by information security professionals. Delegates of the independent Information Security Solutions Europe (ISSE) conference being held in Madrid broadly welcomed the recommendation to introduce a breach notification law presented in the report compiled by respected IT security academics. Commissioned by EU agency, The European Network and Information Security Agency (ENISA), the report made a series of recommendations, focused on shifting the liability of IT security gaps onto IT users and vendors alike. The requirement to notify EU authorities and affected customers of any potentially damaging data breach came out top. [Source] [Irish Justice Minister Wants Mandatory Data Loss Reporting]
Israel has introduced a step-on scanner that spares airline travelers the nuisance of having to remove their shoes so they can be X-rayed for hidden weapons, though the new device cannot yet sniff out explosives. Only the shoes of passengers deemed suspicious by Ben-Gurion Airport staff are removed, X-rayed and swabbed for bomb residues. Most people can now keep their shoes on. Installed next to the walk-through scanners at Ben-Gurion, “MagShoe” announces within two seconds whether the footwear of the passenger standing on it contains unusual metal that might be a knife for a hijacking or a bomb detonator part. The U.S. Transportation Security Administration is assessing MagShoe’s feasibility for American airports and several other countries have expressed an interest, the Israeli source said. [Source]
The new imaging technology creates an image of an unclothed body which privacy critics argue ‘amounts to a virtual strip search’. According to a draft European Commission regulation, the new millimetre wave imaging scanners are to be used “individually or in combination, as a primary or secondary means and under defined conditions” to provide a “virtual strip search” of travellers. The new EU regulation, which will be binding on Britain, is intended to enter into force across the continent by the end of April 2010. The technology has been tested on a voluntary basis at Heathrow’s Terminal Four. [Source] [Commission Regulation of supplementing the common basic standards on civil aviation security laid down in the Annex to Regulation (EC) No 300/2008] [ACLU Backgrounder on Body Scanners and “Virtual Strip Searches” (6.06.2008)] [Paolo Costa’s letter to the European Commission (26.09.2008)] [Body scanner trial for Adelaide airport] See also: [TSA employees are bypassing airport screening]
According to a report from the Treasury Inspector General for Tax Administration (TIGTA), three computer systems at the US Internal Revenue Service (IRS) Office of Research, Analysis and Statistics lack adequate access management controls. The IRS’s security policies were found to be adequate, but enforcement needs improvement. The report found there to be insufficient guidance and compliance oversight of IRS security policies; in addition, no vulnerability scanning software had been deployed. 11% of employees on the systems reviewed were permitted access without required authorization from managers; systems were not configured to disable inactive accounts. [Source] [Report] See also [Feds Tighten Security on .gov]
A security assessment survey of 169 websites conducted by Japan’s leading cyber security consulting organization, NRI Secure Technologies, Ltd., during the 2007 fiscal year found that 41% of the sites had critical security flaws that could allow access to sensitive information. An additional 30% of the sites were found to have vulnerabilities that could lead to information leaks. The majority of vulnerabilities in websites were found to be due to “incomplete measures,” in which security measures have been applied to some extent, but not broadly enough to prevent access to sensitive data. [Source]
A study from the Cornell University School of Hotel Administration found that most hotels do not take adequate security precautions on the Internet connections they provide for their customers. The study, titled “Hotel Network Security: A Study of Computer Networks in U.S. Hotels,” compiles data from 147 written survey responses and from visits to 46 hotels. 20% of the hotel networks use simple hub topologies, making them unsecured networks. Most of the other hotel networks channel guest traffic through switches or routers, which are more secure than hubs, but still make users susceptible to man-in-the-middle attacks. The researchers recommend that the hotels set up Virtual Local Area Networks (VLANs) to best protect guests from Internet threats. [Source] [Source] [Source]
The US Army Information Management Support Center has put software on 11,000 desktop computers that will detect unauthorized applications. Any ones discovered are reported to the Configuration Control Board, which also lets the user know what has occurred. In some cases, users have the opportunity to explain why the application is on the computer. If the application is deemed unnecessary, it can be removed remotely. [Source]
Companies’ wireless networks are less secure than previously believed because of software made in Russia that reportedly speeds up network hacking by 10,000%. Companies may no longer be able to rely on standard security, experts have said. [Source]
The US National Institute of Standards and Technology (NIST) has released three documents that offer guidance on issues of information security. SP 800-121, Guide to Bluetooth Security, provides recommendations for securing implementations of Bluetooth technology. SP 800-115, Technical Guide to Information Security Testing and Assessment, offers guidance for designing and conducting security tests, analyzing the data generated by those tests, and implementing solutions to detected problems. Both documents are in final form. SP 800-82, Guide to Industrial Control Systems (ICS) Security, is a draft document providing recommendations for securing Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS) and other system configurations. Public comment on this document will be accepted through November 30, 2008. [Source]
Other related news items: [Apple Brushoff Leads Researcher to Detail iPhone Security Flaws] [Hackers compromise thousands of Web sites] [UK: Data breach at Virgin prompts encryption order] [Study: One in five employees alter IT security settings] [World Bank Servers Have Been Attacked a Half-Dozen Times in the Last Year] [Stolen Deloitte Laptop Holds Pension Data of 150,000] [City Pays $775,000 in damages and attorneys’ fees for the improper disclosure of students’ personal information in 2005]
Three former workers at the National Security Agency (NSA)’s wiretapping facility at Fort Gordon, Georgia between 2001 and 2007 have alleged that US spies listened to personal conversations of Americans living abroad and on occasion, shared the conversations they heard with each other. The employees say there was scant supervision and conflicting instructions regarding expectations. Senate intelligence committee Senator John D. Rockefeller IV (D-W.Va.) says his staff is gathering more information about the allegations and may hold hearings. [Source] [Source] [Source] [Source] [Source] [Source] [Source] [NSA Eavesdropping ‘Outrageous’ and ‘Disturbing,’ Critics Say]
The newly appointed Minister of Intelligence, Dr Siyabonga Cwele, has admitted that unauthorised and unlawful spying on civilians is taking place. In an interview Cwele said he was unhappy with the manner in which the National Intelligence Agency had been conducting business over the past few years. In an interview with the press, he said he had told the heads of the NIA just after his appointment, that he would not tolerate the abuse of resources where people were being spied on to achieve personal agendas. “NIA members have invaded people’s privacy by conducting unnecessary and illegal surveillance, including unauthorised tapping of phones.” He said strict measures to prevent unnecessary snooping were important because the issue of human rights and upholding of the law had to be taken into account... Cwele said his appointment to his new position came as a surprise. “I was not expecting it but I have accepted the position and I understand how important this position is. “The fact that I was a member of the intelligence committee puts me in a better position to deal with the challenges in the department,” he said. [Source]
Spyware services make it easier than ever to listen in on phone calls and monitor text messages, but some are questioning the legality of these activities. The head of the New Zealand Institute of Professional Investigators (NZIPI) says the use of such services violates phone-tapping laws and certain provisions of the Privacy Act. “When people speak on the telephone, or exchange text messages, they usually do so in an absolute expectation of privacy,” said Trevor Morley of the NZIPI. [Source]
Sweden’s ruling four-party coalition added a series of amendments to a law for monitoring cross-border internet and telephone traffic, bowing to pressure from privacy advocates and worried legislators. Under the revised bill, the military National Defence Radio Establishment will be allowed to monitor Swedes’ internet usage as well as content from e-mails, phone calls and mobile text messages, but only after getting court approval. The bill was originally passed in June in the face of strong public opposition but only after the ruling alliance promised several reluctant MPs within their various parties that it would introduce safeguards to protect individual privacy. The data monitoring bill has drawn criticism from across the political spectrum and interest groups, who argue it infringes civil rights. Norway and Russia have also expressed concerns over the proposed surveillance as a large amount of their electronic communications pass through Sweden. In total, 15 changes were made to the bill, but some critics voiced renewed opposition to the proposed legislation. ‘A precondition for any serious parliamentary process is that the ... law is torn up and that we start from the beginning,’ Peter Eriksson, leader of the opposition Green party, said in a statement. [Source]
The New York Civil Liberties Union has filed a lawsuit in State Supreme Court challenging the NYPD’s refusal to disclose information about its plan to create a massive surveillance network in downtown Manhattan. The plan, called the Lower Manhattan Security Initiative, would establish a network of 3,000 public and private surveillance cameras to monitor and track vehicles and pedestrians south of Canal Street. The system would allow the Department to maintain a database on the movement and whereabouts of millions of law-abiding New Yorkers. Modeled after London’s often criticized Ring of Steel surveillance network, the system is expected to cost about $100 million. The NYPD developed the surveillance plan without seeking any public input. “The NYPD is planning blanket surveillance of millions of law-abiding New Yorkers, but it refuses to disclose even the simplest details of this costly proposal,” said the NYCLU executive director. “A plan of this scope, expense and intrusiveness demands robust public debate and legislative oversight. The public has a right to this information.” [Source] See also: [$20M camera system at New York’s Freedom Tower is pretty sophisticated]
Sweden’s Social Democratic party leader has called for the establishment of a national privacy ombudsman. Mona Sahlin wants to see the position created to help protect citizens’ privacy in an environment where many threats exist. “...There is a need to really take privacy threats seriously and establish an ombudsman who can monitor and sound the alarm when privacy isn’t respected,” Sahlin said during a radio interview. Sahlin added that, as technology becomes increasingly prevalent, “politicians today must make sure that individuals’ privacy is balanced all the time against society’s responsibility to watch out for and prosecute crimes.” [Source]
Swedish officials have ordered changes to seven schools’ use of surveillance cameras following an investigation. The Data Inspection Board ordered six of the schools to discontinue use of surveillance cameras during times when school is in session, and ordered one school to shut down all but one of its 60 video surveillance cameras. In its report, the board said surveillance occurs regularly and is often an invasion of privacy. Board head Göran Gräslund said the use of surveillance cameras in schools makes students and staff “numb to the practice” and could create a generation of young people who “accept being watched.” [Source]
The union representing Winnipeg’s rank-and-file police officers is questioning a proposal by city hall and the Winnipeg Police Service to spend nearly half a million dollars on surveillance cameras. Winnipeg Police Association president Mike Sutherland said the $460,000 cost of a proposed year-long camera project might be better spent on improving police response times and increasing the number of officers downtown. City council will vote on funding the project Oct. 22. The cameras could go up as soon as January. [Source]
At a symposium held to solicit feedback on recent privacy law revision recommendations, stakeholders told the Australian Law Reform Commission that its suggestions won’t do enough to protect citizens’ privacy. What is needed, according to one, is a “fundamental rebuild” of the nation’s privacy laws. Others called for mandatory data breach notification requirements, consumer opt-in for direct marketing and greater powers for the privacy commissioner. One participant said: “Preventing us from sleepwalking into a surveillance society, as Britain’s Information Commissioner has warned, requires taking on some powerful vested interests, not just business as usual.” [Source]
The Advocate General of the European Court of Justice is due to give his opinion in a case taken by Ireland that centres on the retention of details of customers’ calls by telecoms providers. If Ireland loses the case, telecoms providers will only be required to retain details of customers’ calls for two years, compared to three years at present. Ireland is opposing the legal basis for the adoption of the Data Retention Directive. The Irish Minister for Communications, Eamon Ryan, wants the data retention period to be two years or less. Others opposed to the extensive retention of data include Data Protection Commissioner Billy Hawkes. In his 2007 annual report, Hawkes said initiatives such as the three-year retention regime would “further erode our civil liberties if they are introduced without appropriate safeguards for the privacy of law-abiding citizens”. [Source] See also: [NSA – and others – snooping on cell phone calls with off-the-shelf technology] and [Remote Tracking Software Used to Find Alleged Laptop Thief]
In a sweeping new report that examines the balance between security and privacy, the National Research Council (NRC) recommends that the U.S. government rethink its approach to counterterrorism in light of the privacy risks posed by unchecked data mining and behavioral surveillance. The NRC report, “Protecting Individual Privacy in the Struggle Against Terrorists,” is the culmination of three years of discussions and research aimed at providing the government with a framework for thinking about existing and future information-based counterterrorism programs. The proposed framework represents an attempt to address privacy concerns that have dogged past counterterrorist data mining programs like Total Information Awareness. The report acknowledges the utility of a variety of technologies in the context of security, but cautions that counterterrorism programs need to be operated lawfully, with oversight, and with some recognition of the limits of technology. Automated terrorist identification, the report says, “is neither feasible as an objective nor desirable as a goal of technology development efforts.” Privacy is a fundamental right, and the report finds that current government policy doesn’t respect that right sufficiently. Data mining techniques may have proven value in a commercial context, but the report warns that identifying terrorists this way is less reliable and prone to error: the base rate of terrorists in the population is tiny, so even a highly accurate classifier produces far more false positives than true hits. The report recommends that the government be particularly careful when using behavioral surveillance to predict dangerous intent. There is no scientific consensus about whether such technology (brain scanning, for example) actually works, says the report. The report presents two major recommendations. It argues that the U.S. government should follow a framework, such as the one proposed in the report, to evaluate the effectiveness, lawfulness, and consistency with U.S. values of every information-based program for counterterrorism. And it calls for a periodic review of laws and policies related to privacy in light of changing technologies and circumstances. [Source] [Source] [Report] [“Protecting Individual Privacy in the Struggle Against Terrorism: A Framework for Program Assessment” (Overview)] [“Protecting Individual Privacy in the Struggle Against Terrorism: A Framework for Program Assessment” (Report)] [NRC Press Release, Oct. 8, 2008] [EPIC on Problems with Data mining]
The Department of Homeland Security will proceed with the first phase of a controversial satellite-surveillance program, even though an independent review found the department hasn’t yet ensured the program will comply with privacy laws. Congress provided partial funding for the program in a little-debated $634 billion spending measure that will fund the government until early March. For the past year, the Bush administration had been fighting Democratic lawmakers over the spy program, known as the National Applications Office (NAO). The program is designed to provide federal, state and local officials with extensive access to spy-satellite imagery to assist with emergency response and other domestic-security needs, such as identifying where ports or border areas are vulnerable to terrorism. Since the department proposed the program a year ago, several Democratic lawmakers have said that turning the spy lens on America could violate Americans’ privacy and civil liberties unless adequate safeguards were required. A new 60-page GAO report said the department “lacks assurance that NAO operations will comply with applicable laws and privacy and civil liberties standards.” The report cites gaps in privacy safeguards. The department, it found, lacks controls to prevent improper use of domestic-intelligence data by other agencies and provided insufficient assurance that requests for classified information will be fully reviewed to ensure it can be legally provided. [Source] [Source]
Michigan motorists can seek an enhanced driver’s license next year to comply with tougher security measures at U.S. border crossings, state and federal officials said. The Homeland Security Department and Michigan Secretary of State Terri Lynn Land said they reached an agreement on offering the new and more secure driver’s license that provides identity and citizenship information. Michigan’s agreement is similar to those reached with Washington state, Vermont, Arizona and New York. [Source]
As of Friday, Oct. 10, the new Nevada license and its state-of-the-art security features will be available statewide to help protect drivers and identification card holders against ID theft and fraud. The Carson City office will pilot the department’s new Central Issuance system, whereby applicants will not receive their license at the DMV office. Rather, their old license will be hole-punched and handed back, along with a paper interim document valid for up to 30 days. The permanent license or identification card will then be produced at a secure, central facility and mailed to the customer within 10 working days. [Source]
The Travelers’ Privacy Protection Act of 2008 is being hailed by privacy and civil rights groups. Introduced last week, the bill aims to curb new DHS powers to seize and search laptops and other electronic devices from travelers crossing into the U.S. at land borders. The bill would require that U.S. Customs and Border Protection agents have “reasonable suspicion” before conducting a search, and would require a probable-cause warrant for the seizure of travelers’ equipment. Timothy Sparapani of the ACLU said that current DHS regulations treat U.S. borders as a “sort of lawless Wild West zone...Nothing can be further from the truth,” Sparapani said. [Source]
A bill signed into law last week will ease prosecutors’ burden in bringing charges against cybercrooks, reports the Washington Post. The new law will also make it easier for identity theft victims to seek compensation for the troubles associated with restoring their identities. In the Post’s “Security Fix” blog, Brian Krebs outlines The Identity Theft Enforcement and Restitution Act of 2008. [Source]
The compliance deadline for a set of provisions geared toward helping prevent identity theft is just around the corner. On November 1, organizations must be in compliance with the federal government’s “Identity Theft Red Flags and Address Discrepancies” provisions of the Fair and Accurate Credit Reporting Act, which went into effect earlier this year. The provisions include a requirement to establish an identity theft prevention program. [Details]
California Governor Arnold Schwarzenegger has vetoed the Consumer Data Protection Act. The bill, which was overwhelmingly approved by both the state Assembly and the state Senate, would have required companies doing business in the state to put in place specific security measures to protect customer data. It would also have required the companies to provide more details about data breaches involving credit and debit cards to affected individuals. Schwarzenegger said he vetoed the legislation because “the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers.” He also opposed the notion of requiring specific security measures, because companies would then be locked into those measures by the law, and implementing new protections as new threats arise could prove problematic. Governor Schwarzenegger vetoed a similar bill last year. [Source] [Source]
+++