Privacy News Highlights

16–31 October 2008

 

Contents:

UK – Police to Carry Handheld Fingerprint Scanners

WW – Protecting Biometrics Information With Dithering: Research Paper

CA – Ontario Privacy Commissioner: EDLs Bring Privacy Risks

CA – Guide for Educators Released

US – Government Computers Used to Find Information on Joe The Plumber

CA – Toronto Councillors to Spend Another $50,000 Seeking Database Access

US – Army Intelligence Paper Voices Concern Over Twitter as Potential Terrorist Tool

US – eVoting Machine Study Finds Problems

WW – E-mail Attachment Malware Soars 800 Per Cent in 3 Months

CA – Alberta First to Offer Medical Information Online

WW – Researchers Read Electromagnetic Emanations From Wired Keyboards

UK – ICO Calls Home Office Plans Threat to British Way of Life

UK – Companies Dominate Data-Failings Shame List

UK – Government Snooping Will Harm Web Content: Expert

UK – ICO Gets Cash Injection

CA – 1-in-10 Canadians hit by Web ID Theft

WW – Anti-Piracy Tool Angers Chinese Internet Users

AU – Australian Net Filter to Cause World Wide Wait

US – Banks Accept Credit Card Applications Torn Up, Taped Together

US – Red Flags Rule Enforcement Pushed Out

CA – New Brunswick Privacy, Information Changes Blasted

US – Administration to Bypass Reporting Law

US – Personal Genome Project Trial Launched

US – Genetic Privacy: An Outdated Concern?

US – Creating Unique Patient IDs Could Mean Safer, Cheaper, More Efficient Health Care

US – National Patient ID Would Violate Patient Privacy Rights: Citizens’ Council

US – Experts Predict Federal Law on Medical ID Theft

US – Health Sector’s Data Security Breaches Examined

US – Final Tally: More than 1,000 Health Records Breached

US – Two New California Health Privacy Laws Seek Stiffer Penalties, Added Enforcement

US – NY HS Student Charged with Felonies After Notifying Principal of Security Hole

CA – British Columbia Bars’ Plan to Scan IDs Might Violate Privacy Laws

US – Federal Agencies Reducing Use of SSNs

US – Public Records Pose Risk

WW – Price of Stolen Data Falling, But Cost to Victims is Still High

WW – Bloggers Get Insurance Against Lawsuits

WW – International Telecommunication Union Criticised for Role in Internet Snooping

WW – DPAs Endorse Resolution on Child Safety Online

EU – EU Cracks Down on Internet Child Porn

EU – Lawmakers Criticize Virtual Strip Search

AU – Do-Not-Export Register Wanted For Data Transfer

EU – German Privacy Watchdogs Agree Social Networking Ground Rules

WW – Big Tech Companies Back Global Plan to Shield Online Speech

WW – Browser Privacy Features: A Work In Progress - CDT

WW – Consumer Group Opposes Google, Yahoo Partnership

EU – Dutch Judge Orders Google to Reveal IP Addresses of Suspect Gmail Account

NZ – Commission: Mitigate Risks before Outsourcing

AU – Australian Privacy Watchdog Warns Against High-Tech Privacy Risks

SB – Serbia: Law on Personal Data Adopted

US – Supreme Court Affirms Identity Fraud Conviction

US – Can Data Mining Save America’s Schools?

US – Privacy Laws Needed to Curb Surveillance, Says Schneier

US – EPC RFID Tags in Identity Documents Offer Poor Security, Privacy: Report

US – RFID Use in Hospitals

CA – Audit Finds Fault With Physical Security at the Canada Revenue Agency

US – DHS Inspector General Report Says Portable Storage Device Security Lacking

WW – Survey: Human Error, Hardware Theft Are Big Causes

US – Data Breaches at State and Local Level Far Exceed Those at Federal Level

CA – Information-Security Spending Not Likely to Be Cut, Poll Finds

US – NIST Request for Information Seeks “Revolutionary Ideas” for Cyber Security

WW – Security Concerns Delay Cloud Computing

US – EFF Challenges Constitutionality of New FISA Law

CA – Consultation on Covert Video Surveillance Draft Guidance Document

CA – B.C. Government Gives CCTV the Green Light

US – Newest Source of Teen Ire: Webcams in Their Cars

UK – Passports Needed to Buy Mobile Phones

UK – Continuing Coverage of Rumored UK Mobile Phone Registry Database

US – Feds to Take Over Airline Watch Lists in 2009

US – New Health IT Bill on Horizon

 


 

UK – Police to Carry Handheld Fingerprint Scanners

British police will be issued handheld fingerprint scanning devices as early as 2010, a U.K. police agency said this week. The technology, which has already been tested by 20 forces in England and Wales using mobile-phone sized devices, will be rolled out to the rest of the country within the next 18 months, the National Policing Improvement Agency announced. The devices could be used to compare the prints obtained against the records of the seven and a half million people already on the police national fingerprint database. The mobile fingerprinting devices would allow officers to check identities within five minutes. Under current British law, authorities are not allowed to keep fingerprint data on file if no charges have been laid. Privacy advocates in the U.K. expressed concern with the plan, however, saying that allowing police to record fingerprint data so easily could pave the way for changes to those laws. A similar technology is already being used in the United States by the Los Angeles police force. [Source]

 

WW – Protecting Biometrics Information With Dithering: Research Paper

“Fuzzy extractors allow cryptographic keys to be generated from noisy, non-uniform biometric data. Fuzzy extractors can be used to authenticate a user to a server without storing her biometric data directly. However, in the Information Theoretic sense fuzzy extractors will leak information about the biometric data. We propose as alternative to use a fuzzy embedder which fuses an independently generated cryptographic key with biometric data. As fuzzy extractors, a fuzzy embedder can be used to authenticate a user without storing her biometric information or the cryptographic key on a server. A fuzzy embedder will leak in the Information Theoretic sense information about both the biometrics and the cryptographic key. While both types of leakage are important, information leakage of the biometric data is critical since the cryptographic key as opposed to biometric data can be renewed. We show that constructing fuzzy embedders which leak no information about the biometrics is theoretically possible. We present a construction which allows controlling the leakage of biometric information, but which requires a weak secret at the decoder called dither. If this secret is compromised the security of the construction will degrade gracefully.” [Source] [white paper]

 

CA – Ontario Privacy Commissioner: EDLs Bring Privacy Risks

Ontario’s Information and Privacy Commissioner yesterday cautioned that the proposed new enhanced driver’s licences (EDL) would bring privacy risks. Ann Cavoukian told the government committee reviewing the EDL bill that the radio frequency identification (RFID) technology embedded in the EDLs opens up Canadian citizens to the possibility of identity theft, unauthorized identification and surveillance. A University of Toronto professor told the committee the government could have chosen a more privacy-enhanced RFID technology, but instead “They’ve picked from the bottom of the heap.” [Source] [Submission from the Information & Privacy Commissioner/Ontario on Bill 85]

 

CA – Guide for Educators Released

The Information and Privacy Commissioners of Ontario and British Columbia have released a tool to assist education officials tasked with determining whether or not to release confidential student information in potential life-or-death situations. Ann Cavoukian and David Loukidelis today issued the Joint Practice Tool for Exercising Discretion - Emergency Disclosure of Personal Information by Universities, Colleges and other Educational Institutions. Privacy laws have been blamed by some in recent years as leading to school administrators’ failure to prevent students’ suicide deaths. But the commissioners say privacy laws permit the disclosure of students’ information in certain circumstances without their consent. The Practice Tool provides examples to help administrators make judgment calls in such situations. [Source] [Guide]

 

US – Government Computers Used to Find Information on Joe The Plumber

U.S. state and local officials are investigating if state and law-enforcement computer systems were illegally accessed when they were tapped for personal information about “Joe the Plumber.” Samuel Joseph Wurzelbacher became part of the national political lexicon Oct. 15 when Republican presidential candidate John McCain mentioned him frequently during his final debate with Democrat Barack Obama. The 34-year-old from the Toledo suburb of Holland is held out by McCain as an example of an American who would be harmed by Obama’s tax proposals. Public records requested disclose that information on Wurzelbacher’s driver’s license or his sport-utility vehicle was pulled from the Ohio Bureau of Motor Vehicles database three times shortly after the debate. Information on Wurzelbacher was accessed by accounts assigned to the office of Ohio Attorney General Nancy H. Rogers, the Cuyahoga County Child Support Enforcement Agency and the Toledo Police Department. It has not been determined who checked on Wurzelbacher, or why. Direct access to driver’s license and vehicle registration information from BMV computers is restricted to legitimate law enforcement and government business. [Source]

 

CA – Toronto Councillors to Spend Another $50,000 Seeking Database Access

Toronto councillors have voted to spend an estimated $50,000 in pursuit of a court decision on giving them access to a city database containing personal information about residents. The city has already spent more than $150,000 getting outside opinions from two lawyers on the controversial topic of read-only access to the Integrated Business Management System (IBMS). But both, along with Ontario privacy commissioner Ann Cavoukian, basically said automatic access by councillors would contravene provincial privacy law. The system contains a wealth of information, including details about city prosecutions of individuals for bylaw and zoning infractions, and licensing offences. There are also less-sensitive details, such as planning applications and city-issued building permits. Some councillors feel they need access to this database to better serve their constituents; others fear the information could be used to invade privacy or for political gain. [Source]

 

US – Army Intelligence Paper Voices Concern Over Twitter as Potential Terrorist Tool

According to a draft US Army intelligence paper, voice-altering software, Global Positioning System (GPS) maps and the micro-blogging service Twitter could be used to plan and carry out terrorist attacks. The report notes that Twitter was used to spread news of a recent Los Angeles (CA) earthquake more quickly than commercial news outlets and that “Twitter is already used by some members [of social activism, human rights and other groups] to post and/or support extremist ideologies and perspectives.” [Source] [Source] [Source] [Source]

 

US – eVoting Machine Study Finds Problems

A newly-released report says that the electronic voting machines used in New Jersey and other US states are unreliable and potentially vulnerable to hacking. A New Jersey judge ordered the report as part of a lengthy legal battle over the use of the devices, which are Sequoia AVC Advantage 9.00H direct recording electronic (DRE) touch-screen voting machines. The report says that the machines can be manipulated by installing a replacement chip containing malicious software on the main circuit board.

[Source] See also [news item] [Site that collects problems with voting machines]

 

WW – E-mail Attachment Malware Soars 800 Per Cent in 3 Months

The volume of malware attacks conducted via e-mail attachments increased about 800% over the past three months as this low-grade hacking method was brought back from the grave, according to a U.K.-based security vendor. This reverses an earlier trend. Previously, malware trends indicated hackers were moving away from sending infected attachments. Most attacks were carried out by embedding links to viruses or Trojans right into the e-mail. It was a strategy to get around anti-spam filters that have become effective at blocking malware attachments. But between July and September, the e-mail attachment method made a comeback. One in every 416 e-mail messages contained a dangerous attachment – an eightfold increase from one in every 3,333 messages for the previous quarter, according to Sophos PLC. [Source]

 

CA – Alberta First to Offer Medical Information Online

Alberta citizens will soon be able to access their medical information online, around-the-clock, reports the Globe and Mail. The province’s electronic health portal will be up and running within a few months, according to Alberta Health official Mark Brisson. The system is expected to improve care and reduce costs, but is not without privacy concerns. Brisson hopes the incremental approach toward moving patient information online will help build user confidence in the privacy and security of the system. At first, only vaccination records and other innocuous data will be available. [Source]

 

WW – Researchers Read Electromagnetic Emanations From Wired Keyboards

Swiss researchers have demonstrated that keystrokes from wired keyboards can be read remotely from distances of up to 20 meters. The keyboards emit electromagnetic waves. The researchers at the Security and Cryptography Laboratory at Ecole Polytechnique Federale de Lausanne have described four different methods of eavesdropping on keystrokes on wired keyboards. [Source] [Source]

 

UK – ICO Calls Home Office Plans Threat to British Way of Life

The Information Commissioner’s Office (ICO) said it will study the government’s plans for a communications database to house citizens’ phone and Internet usage records. The plans, previewed last week by Home Secretary Jacqui Smith, aim to help law enforcement authorities solve and prevent crimes. But some say the anticipated giant databank would be unjustified. “It is likely that such a scheme would be a step too far for the British way of life,” said the ICO in a statement. “Precise details of the plans are unclear at this stage; the ICO will be studying proposals once published and responding to government’s consultation in due course.” [Source] See also: [Government gives more detail on communications surveillance plan]

 

UK – Companies Dominate Data-Failings Shame List

Companies top a league of shame published today by the privacy watchdog as part of efforts to crack down on data security problems in both the private and public sectors. Richard Thomas, information commissioner, promised tough action against the failings after businesses in the private sector racked up more than a quarter of the 277 breaches of confidential information rules reported to his office during the past year. [Source] See also: [UK: Bosses ‘ignore toxic data risk’] [Speech] and [ICO: Prevention a CEO-Level Responsibility]

 

UK – Government Snooping Will Harm Web Content: Expert

The government’s obsession with surveillance will damage the fragile online content economy, according to former Endemol creative director Peter Bazalgette. Bazalgette, who left the Big Brother producer earlier this year and is now on the board of digital video distributor myvideorights.com, claimed in a speech that the online content economy could be hit by government plans to curb cyber-terrorism. “Ambitious plans from the home office to capture online and mobile data may be intended to combat terrorism but will destroy consumers’ confidence in online transactions,” he said in a speech at the London School of Economics organised by thinktank Polis. Bazalgette argued that most entertainment and information will be delivered to homes and mobile phones for free in the future because that is the mode users prefer - but this could be put in jeopardy by government plans. “But broadband advertisers want to know a lot about us so they can target their message precisely and judge its effectiveness. So we’ll pay for the likes of Coronation Street and The X Factor in future with our own personal data,” Bazalgette added. “But we have to be confident it is secure and not passed on to every Tom, Dick and minister.” In his Polis Media Leadership Dialogue, Bazalgette also claimed there was a policy vacuum that could hinder the development of the online economy. [Source]

 

UK – ICO Gets Cash Injection

Information Commissioner Richard Thomas will get an extra £6-million and added powers by the end of the year, reports silicon.com. The funds will be used to broaden the ICO’s breadth of guidance by allowing for the hiring of additional personnel to conduct audits and carry out inspections. The commissioner will also gain the power to fine companies for violations of the Data Protection Act and to conduct data security spot checks. “I am pleased to see more resources and powers for my office but it is unfortunate that it has taken the losses of the last year to convince government that we need them,” Thomas said. [Source]

 

CA – 1-in-10 Canadians hit by Web ID Theft

About 10 percent of Canadians who shop online report being victims of identity theft, a recent survey said. The Canadian Anti-Fraud Call Center, which is operated by the RCMP, says Canadians this year have reported 8,048 cases of identity theft, with $7.3 million in losses. That surpasses all of 2007, when 9,971 cases of identity theft worth $6.4 million were reported. The survey by Ipsos Reid was commissioned by PayPal Canada and found the province of Ontario was hardest hit, with 12% of online shoppers reporting ID theft. Alberta was second with 9% of online shoppers reporting fraud. British Columbia and Quebec were third with 8% of shoppers reporting fraud, while the balance of the provinces reported less than 6% of identity theft, the report said. [Source]

 

WW – Anti-Piracy Tool Angers Chinese Internet Users

Chinese internet users have reacted with fury after Microsoft launched an anti-piracy tool to combat the widespread sale of fake software. People have flooded blogs and bulletin boards to complain it violates their right to privacy - with one lawyer even reporting the firm to security officials for “hacking”. The new version of its “Windows Genuine Advantage” program turns the background black every hour if the installed software fails a validation test. But the software giant’s attempt to protect its intellectual property sparked angry denunciations. The China Software Industry Association said it planned to take action against Microsoft. Critics said Microsoft was putting their information at risk by accessing their computers. But the software giant argues that counterfeit programs pose a far greater risk to information security. [Source]

 

AU – Australian Net Filter to Cause World Wide Wait

Internet speeds could slow by 30% under the Australian Government’s proposed web filtering scheme, even though it will do little to block illegal content. That’s the warning from technical experts, who also say the plan could expose users’ financial details during online banking sessions and see popular websites including Facebook and YouTube banned. The warnings came after Broadband, Communications and Digital Economy Minister Stephen Conroy confirmed the Federal Government planned to introduce a mandatory internet filter, shelving plans to allow Australians to opt out of the scheme. [Source] [Aussie Govt: Don’t Criticize Our (Terrible) ‘Net Filters]

 

US – Banks Accept Credit Card Applications Torn Up, Taped Together

Two banks refused the credit card applications fished from the trash, taped-together and filled out by consumer reporter Lisa Parker of NBC News Chicago. But three other banks issued cards and about $21,000 in credit, says the report. Some of the applications had been torn into as many as two dozen pieces and taped back together before being filled out. Illinois Senator Dick Durbin, a one-time identity theft victim, said he would relay the incident to the Federal Trade Commission. “The credit card companies have to assume some responsibility here...,” Durbin said. [Source]

 

US – Red Flags Rule Enforcement Pushed Out

The Federal Trade Commission (FTC) has extended the November 1 deadline for enforcement of its Red Flags Rule by six months. The rule requires that creditors and financial institutions implement identity theft prevention programs, but the commission found that many companies needed more time to come into compliance. The new enforcement deadline is May 1, 2009. In its statement, the FTC said that the extension does “not affect other federal agencies’ enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance.” [Source]

 

CA – New Brunswick Privacy, Information Changes Blasted

The provincial government’s proposed bill to modernize information and privacy laws is being criticized for weakening the public’s access to important government information. Speaking before a legislative committee examining the bill, ombudsman Bernard Richard said increased fees could deter the public from requesting government documents and information. “In my view, we’re taking a significant risk in terms of access,” he said. The existing fee is $5, plus photocopying fees. The new bill proposes the fee increase to $25, plus photocopying fees and a $30-an-hour search fee. The idea is to ensure frivolous requests aren’t costing government hundreds of dollars to prepare. But Richard said he doesn’t think that’s a problem and the higher fees will prevent New Brunswickers from requesting information. Increasing the fees is “tantamount to a MLA charging a constituent for a meeting with them,” he said. [Source]

 

US – Administration to Bypass Reporting Law

The Bush administration has informed Congress that it is bypassing a law intended to forbid political interference with reports to lawmakers by the Department of Homeland Security. The August 2007 law requires the agency’s chief privacy officer to report each year about Homeland Security activities that affect privacy, and requires that the reports be submitted directly to Congress “without any prior comment or amendment” by superiors at the department or the White House. But newly disclosed documents show that the Justice Department issued a legal opinion last January questioning the basis for that restriction, and that Michael Chertoff, the homeland security secretary, later advised Congress that the administration would not “apply this provision strictly” because it infringed on the president’s powers. Several members of Congress reacted with outrage to the administration’s claim, which was detailed in a memorandum posted this week on the Web site of the Office of Legal Counsel at the Justice Department. In an apparent coincidence, the Homeland Security Department’s privacy officer, Hugo Teufel III, issued his annual privacy report. It said there were 4,184 privacy complaints over a recent six-month period, but gave few details about them. [Source]

 

US – Personal Genome Project Trial Launched

A Harvard University Medical School study will make available to the public the sensitive medical information of 10 people, with their consent. Participants in the Personal Genome Project, reports the New York Times, have agreed to share their disease histories, allergies, medications, ethnic backgrounds and other personal information, including their decoded DNA and photographs. The “PGP 10” (the first 10 volunteers in the project, including a well-known technology venture capitalist, a prominent psychologist and a university professor) have forfeited their privacy to demonstrate the usefulness of knowing our genetic predispositions. The idea is that the availability of genetic information will speed medical research, but getting there requires a changed attitude towards privacy. [NYT Source]

 

US – Genetic Privacy: An Outdated Concern?

One participant in the Personal Genome Project, the Harvard University Medical School study that will share the sensitive medical and health information, including genetic predispositions, of 10 volunteers, told the MIT Technology Review that she wanted to share her genomic information in order to “bring genomic information into the realm of the mundane.” Entrepreneur and technology venture capitalist Esther Dyson said: “I want to show people this information is not inherently dangerous. Information, when misused, is always dangerous, but it’s more dangerous when people attribute something mystical to it.” Dyson and nine others agreed to make their genomic information available to the world at large as part of the study. [Source] [Source]

 

US – Creating Unique Patient IDs Could Mean Safer, Cheaper, More Efficient Health Care

A new study by the nonprofit RAND Corp. illustrates that medical care could be delivered not only more easily, safely and efficiently, but more cheaply. The study examined the costs and benefits of creating a unique patient identifier (UPI) for every person in the United States. It showed that such an identifier would reduce medical errors, simplify electronic transactions, increase efficiency, improve patient confidence and protect patient privacy. The one-time cost of $1.5 billion to $11.1 billion for a UPI that would remove systemic errors in retrieving health records is small, the study concluded, compared with the potential savings of $77 billion per year when adoption of the UPI reached 90%. Those benefits could double when additional safety and health values are tallied. It’s not a new idea: Legislation was passed in 1996 - the Health Insurance Portability and Accountability Act (HIPAA) - that mandated a UPI, but privacy and security concerns about sharing patient information electronically have so far stalled its development. Those concerns are legitimate, especially in a post-9/11 climate where worries over security issues, identity fraud and the vulnerabilities of computer data have intensified. But researchers are confident that this system, in which the UPI resembles a product bar code, poses far fewer risks than the current system known as statistical matching, which retrieves records by searching for identifiers such as name, address, birth date and SSNs, and which incurs privacy risks by revealing large amounts of personal information during a search. [Source]

 

US – National Patient ID Would Violate Patient Privacy Rights: Citizens’ Council

Responding to a major study released yesterday by the Rand Corporation, Citizens’ Council on Health Care says Congress should maintain its long-standing prohibition on development of a national patient identification number, otherwise known as the Unique Patient Identifier (UPI). “Congress must dismiss the data industry’s apparent call to centralize, nationalize and socialize private medical information. American privacy rights must be protected from those who wish to impose corporate agendas including unconsented data sharing, patient and doctor profiling, health surveillance, research, and industry profiteering,” says Twila Brase, president of CCHC. “A government-established patient identifier and the implementation of a government-imposed health data system will violate patient rights, privacy rights and constitutional rights,” she adds. Brase further says, “The breaches of a national health data system enabled by a national patient ID will be spectacular. Medical ID theft will be enabled. And patients will lose their ability to control and limit outside access to the most private details of their medical and personal lives.” “The Rand study was funded by some of the largest corporations in the health information technology industry, including Microsoft, IBM, Oracle and Siemens. Certainly the conclusion of the study would economically benefit those who funded it through the sale of equipment and software. Thus the funders would appear to be motivated by profit, not principle,” notes Brase. [Source]

 

US – Experts Predict Federal Law on Medical ID Theft

A strengthened federal law to combat medical ID theft may be on the horizon, reports Government Health IT. “We are going to see legislation, probably in 2009, that addresses this in some way,” said Hogan and Hartson partner Marcy Wilder at a Medical Identity Theft Town Hall meeting this week. Medical ID theft is one of the fastest-growing crimes in the nation. Currently, victims rely on the legal protections afforded by the Health Insurance Portability and Accountability Act (HIPAA) or states’ breach notification laws, but Wilder says there are gaps in these rules that must be filled. [Source]

 

US – Health Sector’s Data Security Breaches Examined

In SC Magazine, Kevin Prince reveals the results of a study to determine the impact of data security breaches in the U.S. healthcare industry. The findings are intended to help the industry take measures to reduce its exposure to such incidents. “Healthcare organizations have done better than many other industries regarding the number of data security breach incidents and total number of records lost,” writes Prince. “However, enhanced disclosure laws for health care organizations and modern [hacker] tactics are forcing these businesses to take a new and deeper look at IT security.” [Source] [Statistics]

 

US – Final Tally: More than 1,000 Health Records Breached

California’s Department of Public Health issued its final report on UCLA Medical Center data breaches yesterday, revealing that the total number of patients whose medical data was improperly accessed is 1,041. That’s about a hundred more than earlier tallies, reports the Los Angeles Times. One hundred sixty-five UCLA employees have been fired or disciplined for breaching the records of celebrity patients since the investigation began earlier this year. [Source]

 

US – Two New California Health Privacy Laws Seek Stiffer Penalties, Added Enforcement

Two new California laws aimed at protecting citizens’ healthcare information are expected to shake things up in the sector, reports AIS’s Health Business Daily. Assembly Bill 211 and Senate Bill 541, signed into law late last month, create stiffer penalties for healthcare organizations that fail to protect patient information and create a state Office of Health Information Integrity to enforce medical privacy laws. “If this law is vigorously enforced, and we start seeing some of these fines imposed, I think it will bring some added rigor to the privacy and security compliance programs of a lot of health care providers in California.” [Source]

 

US – NY HS Student Charged with Felonies After Notifying Principal of Security Hole

A 15-year-old Shenendehowa Central School student has been arrested and charged with computer trespass, unlawful possession of personal identification information and identity theft, all of which are felonies. The student allegedly gained access to a school system database while in a computer class at the school. He then allegedly emailed the principal, telling him what he had been able to do. The file was accessible to anyone with a district password, students included. The district superintendent said that while the file may have been accessible, it required some know-how to find and access it. The student has been suspended from school and will face the charges against him in family court in Saratoga County, NY. [Source] [Source] [Source]

 

CA – British Columbia Bars’ Plan to Scan IDs Might Violate Privacy Laws

B.C.’s privacy commissioner is investigating whether the practice of having bar patrons run their driver’s licences through scanners at the door violates privacy laws. If David Loukidelis rules that the Bar Watch program breaks the law, a program proposed for Victoria could be shut down before it gets going. Loukidelis could also shut down existing Bar Watch programs in Vancouver and Nanaimo, and bar owners in those cities would likely be ordered to destroy databases full of their patrons’ personal information. A ruling is expected in a few weeks. [Source]

 

US – Federal Agencies Reducing Use of SSNs

More details from the president’s Identity Theft Task Force report, released earlier this week, reveal that federal agencies have been effective in reducing their reliance on Social Security numbers as personnel identifiers. Specifically, the Social Security Administration, the Internal Revenue Service and the Defense Department have removed SSNs from personnel forms, military ID cards and tax documents. Local and regional governments, however, still have work to do in this area, the report states. A Government Accountability Office (GAO) report released earlier this week shows that 85% of the nation’s most populous counties post SSN-laden records online. The number of federal convictions for identity theft increased 26% between 2006 and 2007, and currently the Federal Trade Commission (FTC) has 1.6 million identity theft complaints on file. [Source] [U.S. Identity Theft Convictions Increase 26 Percent, Feds Say]

 

US – Public Records Pose Risk

Public records containing Social Security numbers make millions of Americans vulnerable to identity theft, said the Government Accountability Office (GAO) in a report released this week. The GAO surveyed 247 of the nation’s most populous counties, finding that 85 percent make available online public records containing SSNs, and some offer up the information for bulk sale to private companies. SSNs are critical tools for identity thieves and there are no federal laws restricting this type of bulk disclosure, although some states have enacted statutory restrictions on displaying SSNs in public records. Several bills to better protect SSNs have been introduced. [Source]

 

WW – Price of Stolen Data Falling, But Cost to Victims is Still High

The value of stolen payment card information is estimated to be one-tenth what it was a decade ago. Part of the reason may be the large scale of data security breaches that have flooded the black market with stolen personal financial information. Some data thieves age their quarry, waiting months to sell it so that the specter of fraud may have eased for the victims. [Source]

 

WW – Bloggers Get Insurance Against Lawsuits

The not-for-profit Media Bloggers Association has launched a comprehensive program to provide bloggers with access to legal and financial resources long available to traditional media organizations, including BlogInsure, a new liability insurance program for bloggers that provides coverage for all forms of defamation, invasion of privacy and copyright infringement or similar allegations arising out of blogging activities. The cornerstone of the new program is an online course in media law developed by the Media Bloggers Association in partnership with The Poynter Institute’s News University. The course is free of charge and bloggers are not required to join the MBA to take the course. However, taking the course and passing its exam is a prerequisite for individuals interested in joining the Media Bloggers Association; it is also the basis for the significant discount on liability insurance exclusively available to bloggers through the BlogInsure program. [Source]

 

WW – International Telecommunication Union Criticised for Role in Internet Snooping

At EuroDIG, the first European Dialogue on Internet Governance, the scientists and experts of the Council of Europe have sharply criticised the International Telecommunication Union (ITU) for acting behind closed doors in its initiatives towards cybersecurity standardization. Just recently, the ITU’s work on standards for back-tracing IP addresses caused something of a furore. Yet, said Bill Drake, a scientist at the Center for International Governance at the Graduate School in Geneva, this work was only a tiny part of the work being done in the sensitive area of IT security. If you had access to the documents, Drake said, you could see everything that was going on, but the ITU was not an open organisation. Drake’s criticism was echoed by other representatives of non-governmental organisations, complaining that draft standards in domains that were of great significance for all users, such as identity management, were not being made available to the public or to interested circles. Drake warned that ITU member countries and its member firms might thus be setting the agenda for the ways and means in which the internet could be used in future. [Source]

 

WW – DPAs Endorse Resolution on Child Safety Online

Data protection authorities (DPAs) from across the world last week endorsed a resolution to protect children’s privacy. Proposed by the Office of the Privacy Commissioner of Canada, the resolution creates an international effort to protect the privacy of children online. “We must ensure that [children] understand the impact that these technologies can have on their privacy, and provide them with the tools and information they need to make smart decisions,” said Canadian Privacy Commissioner Jennifer Stoddart at the 30th International Conference of Data Protection and Privacy Commissioners in Strasbourg, France. DPAs from New Zealand, France, Ireland, Berlin and the United Kingdom cosponsored the resolution. [Source] [Resolution]

 

EU – EU Cracks Down on Internet Child Porn

In a bid to crack down on Internet child porn, the European Commission Friday pledged €300,000 to create a pan-European alert platform where people can report illegal material on Web sites. Under a plan originally devised by the French government, the alert platform will be set up and run by Europol – the E.U. law enforcement agency. The aim is for the platform to help investigators of online crime in E.U. countries share information about all cybercrime, but child porn in particular. Child pornography accounts for over half of all offenses committed online, the Commission said in a statement. In addition to paying for the creation of the platform, the Commission said it will also make available funding for those countries in the E.U. that will have to adapt their national reporting systems so they interoperate with the Europol platform, and for countries that don’t have any such systems. Barrot said the alert platform would only be useful if authorities in the 27 member states use it. “In order for the platform to be fully effective, the member states have to use it during their investigations,” he said. [Source]

 

EU – Lawmakers Criticize Virtual Strip Search

European Union (EU) lawmakers debated the use of revealing airport security scanners in a parliamentary meeting yesterday. The scanners “see” through passengers’ clothes, essentially producing naked images that help security officials see any concealed objects. They have been tested and are in use at airports across the globe. The EU intends to authorize the use of such scanners at airports within the 27-nation bloc, but some MEPs are calling for limited use. “Many travelers will consider these scanners an enormous intrusion” on personal privacy, said Britain’s Philip Bradbourn, who added that, although they may offer some benefit, “they should be a last resort ... not a random sample of innocent holiday-makers.” [Source] See also: [Dutch Say OK; Germans Say No Way to Body Scanners]

 

AU – Do-Not-Export Register Wanted For Data Transfer

At an event this week, experts shared differing perspectives on the issue of accountability-based data protection law. Malcolm Crompton, director of Information Integrity Solutions, said the accountability approach would place a “stronger incentive on agencies to ensure data handling practices are safe,” while Graham Greenleaf, director of the Cyberspace Law and Policy Centre, said a do-not-export-my-data registry would be necessary under such an approach. The proposed registry would let Australians prevent the exportation of their data outside the country by placing themselves on a list akin to telecommunications do-not-call lists. [Source]

 

EU – German Privacy Watchdogs Agree Social Networking Ground Rules

Social networking sites are not permitted to store information about people’s use of the sites beyond the duration of a particular session in Germany, according to a panel of all that country’s data protection officials. Companies behind social networks such as MySpace and Facebook must also tell users what happens to any data that is collected and tell them how they can influence the use of that data. The principles were laid down by the German Düsseldorfer Kreis (GDK), a panel of all the German data protection authorities. They laid down eight principles of operation for social networking sites to keep them in line with data protection law, according to the Data Protection Review operated by the data protection agency of Madrid. The principles covered what data can be collected under what circumstances, and what it can then be used for. [Source] See also: [Japan’s Sense of Privacy Squashes Social Networking]

 

WW – Big Tech Companies Back Global Plan to Shield Online Speech

Google, Microsoft and Yahoo and a group of human rights and public interest organizations plan to introduce a global code of conduct that they say will better protect online free speech and privacy against government intrusion. The principles are the starting point for a new effort, called the Global Network Initiative, which commits the companies to “avoid or minimize the impact of government restrictions on freedom of expression,” according to a final draft of documents obtained by The New York Times. Stating that privacy is “a human right and guarantor of human dignity,” the initiative commits the companies to try to resist overly broad demands for restrictions on freedom of speech and overly broad demands that could compromise the privacy of their users. The principles have the backing of prominent human rights organizations, including the Committee to Protect Journalists, Human Rights Watch and Human Rights in China. Business for Social Responsibility and the Center for Democracy and Technology helped lead the two-year talks, and organizations like Harvard University’s Berkman Center for Internet and Society and the Calvert Group, a socially responsible money manager, also participated. But the effort is already being criticized by some human rights activists. “After two years of effort, they have ended up with so little,” said Morton Sklar, executive director of the World Organization for Human Rights USA. “It is really very little more than a broad statement of support for a general principle without any concrete backup mechanism to ensure that the guidelines will be followed.” [Source]

                                                                   

WW – Browser Privacy Features: A Work In Progress - CDT

Several of the largest Internet companies have recently released new Web browsers or browser features aimed at giving Internet users greater control over their privacy as they surf the Web. That browser makers are competing to provide the best privacy protections is great news for Internet users, who will hopefully see continuing improvements in the simplicity and accessibility of browser controls that allow them to manage the information they generate and transmit over the Internet. This report compares the privacy features available in four Web browsers - Firefox 3, Internet Explorer 8 Beta 2, Google Chrome, and Safari 3. Three types of features are analyzed: privacy modes, cookie controls, and object controls. CDT also evaluates the most popular add-ons for each browser and feature type: Stealther for a Firefox privacy mode, CookieSafe for cookie controls in Firefox, AdBlock Plus for object controls in Firefox and PithHelmet for object controls in Safari. The report does not address other browser features such as Web search boxes or malware or phishing detection. Apple, Google, Microsoft and Mozilla verified the accuracy of the claims made in the report about their browser software. The browser is the gateway to the Internet for many consumers. Ensuring that browser privacy controls are easy to find and simple to use is one crucial component of empowering consumers to maintain their privacy online. Improvements in this area cannot replace the need for a robust national privacy law, but they go a long way towards putting consumers in control of their own data. [Full Report]

 

WW – Consumer Group Opposes Google, Yahoo Partnership

U.S. Public Interest Group, a consumer organization, is opposing Google’s plan to share advertising with rival Yahoo, saying it could harm consumer privacy, according to a letter sent to the U.S. attorney general. U.S. PIRG argued that advertisers who try to compete with Google and Yahoo, which together have more than 80% of the search advertising market, will be forced to collect more information on Internet users because they would not be able to compete with the market leaders on price. [Source]

 

EU – Dutch Judge Orders Google to Reveal IP Addresses of Suspect Gmail Account

A judge in the Netherlands has ordered Google to turn over IP addresses associated with a Gmail account that was used in a case of alleged industrial espionage. Google had refused to comply with the initial request from the company, iMerge, because “disclosing the user’s identity violated rulings on the balance between freedom of expression and a person’s right to his reputation.” The suspect had been chief technology officer at iMerge. He allegedly installed a backdoor server in the hosting center configured to forward messages from a corporate director’s mailbox to the Gmail account in question. [Source] [Source]

 

NZ – Commission: Mitigate Risks before Outsourcing

The State Services Commission has warned government agencies to examine the risks before offshoring IT systems, reports stuff.co.nz. Although offshoring can benefit organizations by reducing costs and improving delivery, the associated risks--espionage, intelligence gathering and challenges for enforcing privacy rights in foreign jurisdictions, among others--must be weighed thoroughly by organizations before proceeding down that road, the commission warned. “Agencies should consider the likely public reaction to a data breach of that information if they have any doubts about its suitability for outsourcing or sending offshore.” [Source]

 

AU – Australian Privacy Watchdog Warns Against High-Tech Privacy Risks

Victoria’s privacy watchdog says new technology and the fear of terrorism are making it harder to protect people’s personal details. Privacy Commissioner Helen Versey is trying to persuade governments and private companies to resist the temptation to create massive databases of people’s private information. In her report to State Parliament, Ms Versey warns that wireless personal devices such as mobile phones, automated number-plate recognition, and closed-circuit television in public spaces mean it is becoming easier for people to be tracked. She says some “horror stories” prompted her to draw up guidelines for the state’s public sector on the use of portable devices such as iPods and memory sticks whose databases could be lost or stolen. Ms Versey is concerned about “false positives” in the nationwide automated number-plate recognition system being developed by CrimTrac, the Federal Government’s criminal information and intelligence agency. [Source] [Annual Report]

 

SB – Serbia: Law on Personal Data Adopted

Parliament adopted by majority vote the Law on Personal Data Protection, which is one of the preconditions for putting Serbia on the white Schengen list. The Law on Personal Data Protection, which was supported by 137 deputies from the ranks of the ruling majority and the Liberal Democratic Party, regulates the protection, processing and use of citizens’ data, as well as citizens’ right to have insight into their personal data. According to the law, there are certain limitations to personal data protection, proceedings at the responsible body, as well as data safety. [Source]

 

US – Supreme Court Affirms Identity Fraud Conviction

Yesterday’s Supreme Court decision on a man convicted of identity theft is expected to have a big impact on what has been a divisive issue for lower courts. The New York Times reports that the Supreme Court affirmed the conviction of a Mexican citizen who used a counterfeit Social Security number to gain employment, saying that he knew he was using false information. Federal prosecutors are more frequently using the 2004 aggravated identity theft law as a means for trying illegal aliens. “It’s given the federal government a huge lever,” said Professor Kevin Johnson, dean of the University of California, Davis law school. [Source]

 

US – Can Data Mining Save America’s Schools?

A growing number of U.S. school districts are carrying out sophisticated data mining and data analysis. Combining standardized test scores, attendance, grades, and other data sources, districts are trying to spot weaknesses and strengths of not just schools, but groups of kids and even individual students. For example, the Plano, Texas, district scanned data across eight schools and zeroed in on 60 kids who looked at risk of failing a standardized test, and created plans to help them. This is just the start. While there’s much criticism of the federal No Child Left Behind legislation (mainly, that it’s left teachers teaching to test requirements, not student needs), it has undeniably created a mountain of data, all of which can be analyzed. In New York City, the effort centers on an $80 million Web-based data mining and business intelligence project called Achievement Reporting and Innovation System. Beginning this year, all 80,000 of the city’s public school teachers will have access to the ARIS system and get training in the analysis tools. Parents also will have Web access to data about their children this year. The effort involves up to 100 TB in a data warehouse, with enrollment, assessment, and biographical data for all 1.1 million New York City students, plus profile data for every staff member. Today, teachers are tapping mostly preset reports, which they access through a browser using the same login as the e-mail system, but by midwinter, the school system expects to have added business intelligence tools to allow more complicated queries. [Source] See also: [Candidates’ Use of Email Addresses in Question]

 

US – Privacy Laws Needed to Curb Surveillance, Says Schneier

The “sloppy” handling of personal data by businesses, government departments and public bodies is putting lives at risk, warns Bruce Schneier, security technologist and CTO of BT Counterpane. Future generations will judge us on how we addressed fundamental issues of privacy. One of the biggest problems is data pollution. Nearly everything we do creates a computer record. According to Schneier, now is the time to take action before technology enables all evidence of data collection to disappear and it becomes the norm without sufficient controls in place. “The answer would be a comprehensive set of privacy laws,” he said. The death of privacy is a natural result of technological advancement, he said, but it is up to the current generation to ensure that it does not become inevitable. [Source]

 

US – EPC RFID Tags in Identity Documents Offer Poor Security, Privacy: Report

In this paper, security researchers explore the systemic risks and challenges created by increasingly common use of EPC for security applications. As a central case study, they examine the recently issued U.S. Passport Card and Washington State “enhanced” drivers license, both of which incorporate Gen-2 EPC tags. They demonstrate the tag’s susceptibility to skimming and eavesdropping, clandestine tracking, cloning, denial of service and covert channel attacks. They consider the implications of these vulnerabilities to overall system security, and offer suggestions for improvement. They also demonstrate anti-cloning techniques for off-the-shelf EPC tags, overcoming practical challenges in a previous proposal to co-opt the EPC “kill” command to achieve tag authentication. Their aim in this paper is to fill a vacuum of experimentally grounded guidance on security applications for EPC tags not just in identity documents, but more broadly in the authentication of objects and people. [Research Paper] [Source]

 

US – RFID Use in Hospitals

At Mayo Clinic, RFID Slashes Error Rate: A study showed that after the organization’s endoscopy unit began using passive 13.56 MHz tags to identify specimen bottles, the rate of labeling errors dropped by 94%. [Source]

UCSD Medical Center Expands Its RFID Deployment: The teaching hospital estimates the technology has saved it $70,000 annually by merely enabling it to locate its IV pumps more quickly. [Source]

AIM to Clarify RFID Interference with Medical Devices: Whether RFID creates interference and dangers in healthcare environments remains an unresolved argument, with published reports available to support both sides. Technology industry association AIM Global wants to resolve the issue and announced a new initiative to develop test protocols that will produce repeatable results.

 

CA – Audit Finds Fault With Physical Security at the Canada Revenue Agency

The tax information of Canadian citizens is at risk of exposure due to lax physical security. According to the June audit of the Canada Revenue Agency, “certain exterior doors and interior perimeter doors were not adequately secured.” In three instances, electronic alarm systems were defective, unarmed or missing. Other security vulnerabilities noted in past audits have not been addressed. Many employees were not aware of security standards at the workplace. The Canada Revenue Agency also reported numerous pieces of equipment lost or stolen last year, including 25 laptops, 17 cell phones, six BlackBerries, five printers, a router and two video surveillance cameras. The audit did not examine the agency’s electronic data systems. [Source]

 

US – DHS Inspector General Report Says Portable Storage Device Security Lacking

According to a report from the US Department of Homeland Security (DHS) Inspector General Richard Skinner, DHS has not taken adequate security precautions with portable electronic devices that connect to its unclassified computer systems. The report, “Review of DHS Security Controls for Portable Storage Devices,” says that while DHS has developed policies regarding “acceptable use of portable storage devices, ... the policies have not been implemented by the components. [There is no] centralized process to procure and distribute portable storage devices to ensure that only authorized devices that meet the technical requirements can connect to its systems.” The report recommended that DHS “establish an inventory of authorized devices; implement controls to ensure that only authorized devices can connect to DHS systems; and perform discovery scans, at least annually, to identify unauthorized devices.” [Source] [Source] [Report]

 

WW – Survey: Human Error, Hardware Theft Are Big Causes

A survey of 156 Australian IT managers and executives revealed that human error and hardware thefts are among the greatest causes of data breaches. 45% of respondents reported that a lost or stolen laptop led to a breach, while human error accounted for 42% of breaches. “Today’s organisations have no walls and information can be anywhere, so securing the perimeter is no longer adequate,” said Craig Scroggie of Symantec, the firm conducting the Data Loss Prevention survey. Seventy-nine percent of the 156 respondents have experienced a data breach. [Source]

 

US – Data Breaches at State and Local Level Far Exceed Those at Federal Level

According to statistics from the Privacy Rights Clearinghouse, breaches of systems at the local and state level of US government exposed the personally identifiable information of more than 3.8 million American citizens in the first nine months of 2008. The majority of the records compromised arose from a July 2008 breach at the Colorado Department of Motor Vehicles that affected 3.4 million people. During those same nine months, the number of records breached at federal agencies is reported to be 23,024. The discrepancy calls attention to the need for standardized data security at the state and local levels of government. [Source]

 

CA – Information-Security Spending Not Likely to Be Cut, Poll Finds

Companies around the world will be looking for areas to cut spending in the uncertain economic times ahead, but information-security is not likely to be a target, according to new survey results. In a global poll conducted by business-advisory firm Ernst & Young, half of the respondents said they planned to increase spending on measures that, among other things, protect clients’ sensitive information from getting into the wrong hands. Only 5% planned to cut their information-security budgets. Ernst & Young surveyed about 1,400 security executives in 50 countries. While companies were once primarily motivated by regulatory compliance in issues of information security, they are now most concerned about protecting their reputations. Among the areas where a security breach would have a serious impact on business operations, 85% of survey respondents cited damage to their brands and reputations, 72% brought up a loss of revenue, and 68% were concerned about regulatory sanctions. [Source]

 

US – NIST Request for Information Seeks “Revolutionary Ideas” for Cyber Security

The National Institute of Standards and Technology (NIST) has issued a Request for Information (RFI) on behalf of the National Coordination Office (NCO) for Networking and Information Technology Research and Development (NITRD) seeking “just a few revolutionary ideas with the potential to reshape the [cyber security] landscape.” The RFI marks the kickoff for the National Cyber Leap Year, which aims to develop “game-changing ideas” to make cyberspace safe for the American way of life. The first phase of the project will gather ideas; the second phase involves development of the best of those ideas. Ideas must be submitted by December 15, 2008. The project is part of the Comprehensive National Cybersecurity Initiative (CNCI). [Source]

 

WW – Security Concerns Delay Cloud Computing

Full-scale adoption of cloud computing will be delayed by concerns about data security, said CSC executive Lem Lasher in an Australian IT story. Lasher said the need for “functionally rich PCs” will continue until security and control issues associated with the cloud concept are resolved. Until then, “We’ll see a more hybrid world,” Lasher said, “in which cloud computing will be used for certain types of applications, but it will be very application-specific.” [Source]

 

US – EFF Challenges Constitutionality of New FISA Law

The Electronic Frontier Foundation (EFF) has filed court documents challenging the legality of the FISA Amendments Act. The law grants retroactive immunity to telecommunications companies that have helped the National Security Agency (NSA) with wiretapping US citizens’ phone calls and email. The EFF maintains that, because most of the eavesdropping under the new FISA law takes place without a warrant or a subpoena and the authorization for the eavesdropping comes from the president rather than the courts, the new FISA law violates citizens’ rights to due process of law as well as the federal government’s separation of powers. [Source] [Source] [Source]

 

CA – Consultation on Covert Video Surveillance Draft Guidance Document

The Office of the Privacy Commissioner of Canada (OPC) has prepared a draft guidance document that sets out good practice rules for private sector organizations that are either contemplating or using covert video surveillance. Although the use of covert video surveillance may be appropriate in some circumstances, the OPC notes that it views the technology as being inherently intrusive. The OPC is welcoming feedback on the draft guidance and, in particular, seeks the comments of those directly affected by covert video surveillance, including unions representing employees of federally regulated organizations as well as consumer associations. The OPC will issue final recommendations for good practices in this area after the close of the comment period (November 14, 2008). [Guidelines]

 

CA – B.C. Government Gives CCTV the Green Light

British Columbian officials will fund a $1-million pilot program that will place closed-circuit television cameras (CCTVs) in suburban areas in an effort to reduce and solve crimes, reports the Toronto Star. The plans were announced at a press conference yesterday. “We believe that closed-circuit television can rightly be used against those who, through their criminal activities, have forfeited their right to privacy,” said Minister for Public Safety and Solicitor General John van Dongen. B.C. Privacy Commissioner David Loukidelis, who learned of the plans just before the news conference, said he looks “forward to learning how it is we can add value to what’s proposed.” [Source]

 

US – Newest Source of Teen Ire: Webcams in Their Cars

More than 100 Southern Maryland families have installed cameras into their teen drivers’ cars as part of a state-sponsored study to cut down on risky driving behaviors, reports the Washington Post. But some teenagers resent the intrusion posed by the windshield-mounted cameras. “I feel like I’m being babysat, like I’m being watched constantly,” said one teen whose father enrolled her in the study. The cameras record and transmit questionable driving maneuvers to the camera maker, which then forwards the footage to parents, along with tips for safer driving, so they can discuss the behavior with their young drivers. [Source]

 

UK – Passports Needed to Buy Mobile Phones

Under a government plan, British citizens who purchase a mobile phone would be required to submit personal information to be stored on the planned national communications database. Purchasers would have to show their passport or another official identifying document at the time of sale. The requirement is expected to help officials monitor the 40 million users of prepaid mobile phones, which give users more anonymity than typical phones because they can be purchased with cash and without users providing their names, addresses or credit card details. 72% of Vodafone’s 18.5 million UK customers use the prepaid, pay-as-you-go phones. [Source]

 

UK – Continuing Coverage of Rumored UK Mobile Phone Registry Database

There are reports that GBP 1 billion has been earmarked to establish a program wherein people purchasing mobile phones in the UK will be required to provide positive identification in the form of a passport or other government-issued ID. That information will reportedly be entered into a national database in an effort to identify the estimated 40 million people who purchase pay-as-you-go plans, which previously required no identification. The government has neither confirmed nor denied the rumors. A spokesperson for the Information Commissioner’s office said that “With regards to the database that could contain details of all mobile users, ... we would expect that this information would be included in the database proposed in the draft Communications Data bill.” Vodafone has denied that buyers would be required to provide identification. [Source] [Source]

 

US – Feds to Take Over Airline Watch Lists in 2009

U.S. airline passengers will soon have to give their date of birth and gender when buying a plane ticket, as the government prepares to take over terrorist watch list screening starting in early 2009, Department of Homeland Security officials announced last week. Under the so-called “Secure Flight” proposal – which has been six years and numerous privacy scandals in the making – airlines will submit travelers’ personal information to DHS, which will compare the information against terrorist watch lists and then send the results to the airlines. Previously, airlines have performed the screening autonomously. The government hopes that a centralized checking system will reduce the number of false matches on the list, which have notoriously included senators, nuns and anyone named David Nelson. Privacy groups gave the program a lukewarm welcome, acknowledging they largely won a five-year battle to scale back the program’s ambitions. “What remains to be seen is whether the revisions to Secure Flight will really work,” said ACLU legislative counsel. “We suspect that although the government will do the vetting now, instead of the airlines, the failure to scrub the watch lists of hundreds of thousands of records of innocent, law-abiding passengers will result in still far too many mistakes and burdens for those travelers whose only crime is that their name is similar to somebody whom the government thinks is suspicious.” [Source] [Source] See also: [Homeland Security Clears Secure Flight but Watchlist Questions Remain]

 

US – New Health IT Bill on Horizon

A new health IT bill is expected for early 2009, reports Government Health IT. Congressional Democrats are working on a measure that includes added incentives for healthcare providers to adopt e-health records, the report states. The legislation is also expected to include a provision that doctors who receive Medicare fees be required to use health IT. Speaking at a public policy forum in Washington, Wendell Primus, a top aide to House Speaker Nancy Pelosi, said the new legislation is designed to replace currently stalled health IT bills, and admitted that privacy issues associated with electronic records have not been resolved. [Source]