Privacy News Highlights
10–17 April 2009
Contents:
US – Alaska Senate Bill Aims To Protect Biometric Information
CA – Supreme Court: Police Can Search Your Trash
CA – Plan to Test Students for Drugs and Alcohol Draws Flak
CA – Privacy Concerns Raised Over Airport Screening
CA – B.C. Teachers Threaten Boycott Of Student Data Collection
CA – Anonymity is Becoming A Thing of The Past, Study Says
US – New Report on Identity Theft Debates the Costs of Services
CA – Passport Canada Abruptly Cuts Online Service
US – NIST Publishes Draft eVoting Machines Guidelines
US – Proposed Legislation Would Prohibit SMS Spam
CA – BC Organization Promotes Opting Out of eHealth System
WW – Software Improves P2P Privacy by Hiding in the Crowd
EU – EU Approves Amendment to e-Privacy Directive
EU – EC Starts Legal Action on Phorm
UK – Advocates Back off Consulting Work
EU – UK’s Privacy Laws Illegally Inadequate, says Europe
UK – UK Gov Delays New Data Breach Powers for ICO
UK – ICO: Google Street View Does Not Breach Privacy Laws
EU – Citizens’ Privacy Must Become Priority In Digital Age: EU Commissioner Reding
WW – Facebook Reaches 200 Million User Mark
US – Internet Used By More than Half in U.S. Election
US – CDT Urges FCC to Avoid Filtering and Other Mandates
US – Model Privacy Form Comments Sought
US – FTC Issues Proposed Notification Rules for Breach of Health Records
US – Invisible ID May Help Ensure Access to Health Records
AU – Patients’ Privacy At Risk: Doctors
US – Hackers Grabbed More than 285M Records In 2008
US – Time Warner Cable Competitor Shelves Unpopular Internet Cap Plan
WW – Organized Crime Behind a Majority of Data Breaches
US – NC Hospital Patient Data on Computer Stolen in Georgia
US – Michigan Lawmaker Urges Governor to Rethink RFID in Licenses
CA – Manitoba Enhanced ID a Flop?
EU – ISP Sabotages File Sharing Law
US – U.S. Mulls Stiffer Sentences for Common Net Proxies
US – Online Proxy Users Won’t Get Stiffer Sentences After All
WW – Amazon Bars Controversial Phorm Technology from its Sites
WW – Wikipedia Opts Out of Phorm User Tracking
EU – Facebook Users to Vote on New Privacy Policy
AU – Australian Privacy Legislation Put in the “Too-Hard” Basket
WW – Symantec Issues Latest Internet Security Threat Report
WW – Microsoft Security Intelligence Report
US – With Budgets Tight, US Companies Still Plan to Spend on IT Security
US – Data Minimisation May Plug Breaches
US – Officials Say U.S. Wiretaps Exceeded Law
US – Senate Panel to Probe Wiretapping Violations
US – AT&T Launches Big-Brother-esque Family Tracking Service
US – Abortion Data Bid Supported by Oklahoma Senate
NZ – NZ Privacy Commissioner Expresses Concern About Job Applicant Data Retention
Biometrics
Senator Bill Wielechowski (D-Anchorage) has introduced a bill that would protect Alaskans from having their personal “biometric information” gathered or used without their consent. “In 2004, the Alaska Legislature unanimously passed legislation outlawing the collection, analysis, or storage of a law-abiding citizen’s genetic information without their express written consent,” said Senator Wielechowski. “Senate Bill 190 would update this legislation to protect not only Alaskans’ DNA, but all similar forms of biometric information. Examples of the potential misuse of biometric information include the collection of an individual’s DNA by potential employers or insurers to weed out applicants who may have a genetic predisposition towards certain illnesses; and the use of video surveillance enhanced by facial recognition technology to track citizens’ movements without their knowledge.” SB 190 has been referred to the Senate State Affairs and Judiciary Committees. No hearings have been scheduled yet. [Source]
Canada
Police are free to search through a person’s garbage without a warrant, even if it means crossing a residential property line, the Supreme Court of Canada has ruled. In a 7-0 ruling, the court said a former national swim star had no reasonable expectation of privacy in the contents of the trash set outside on his property. The decision is bound to be controversial. Police say combing through garbage is an important investigative technique that has helped uncover everything from murder weapons to DNA. But the Canadian Civil Liberties Association argues that allowing police to rummage through trash without restraints or supervision has grave privacy implications, since the material found in the average household’s garbage bags reveals a wealth of information about the people who live there. Beyond searching for evidence of a specific crime, law enforcement officials would be free to collect information for databases of personal biological information. In extreme cases, they might consider collecting trash in troubled neighbourhoods to construct profiles of people living in the community. In a dissenting opinion, Justice Carole Conrad rejected the “abandonment” theory. Conrad said it was reasonable for Russell to believe the items he placed outside in sealed garbage bags wouldn’t be searched without a warrant, adding that the only people with an “implied license” to take away trash were the city’s garbage collectors. But the court was not unanimous. Justice William Brennan wrote a harsh dissent, arguing that allowing police to scoop up someone’s trash wasn’t all that different from intercepting their phone calls or rifling through their dresser drawers. [Judgment] [Source] [Commentary] [Commentary]
A Manitoba school board contemplating drug and alcohol testing for students in all grades is coming under fire for what critics say would be an infringement on privacy rights. The controversial idea comes from a Flin Flon principal who wants to find a way to deter students from coming to classes drunk or stoned. School trustees thought it was worth looking at saliva and breathalyzer tests for board employees and students who appear to be under the influence. The testing, which the board believes would be the first of its kind in Canada, could act as a deterrent or help principals confirm suspicions if students reeked of alcohol or displayed “erratic behaviour.” The proposal has attracted the attention of Manitoba’s ombudsman and has drawn the ire of some who have accused the board of “looking for trouble.” Valerie Price, executive director of Manitoba Association for Rights and Liberties, said school drug testing would be unlikely to survive a constitutional challenge. The Supreme Court has allowed principals to bring in sniffer dogs and search lockers, but drug testing is different, she said. [Source]
Privacy activists and unionists expressed concerns yesterday over a new RCMP-Transport Canada agreement that aims to root out organized crime at Canada’s airports by better screening employees. Transport Minister John Baird called the agreement a “big step forward” this week, pointing out that it would allow authorities to search 10 police databases for information about baggage handlers, fuellers, ramp workers and the like. The idea is that these searches – which would go far beyond criminal-record checks to involve the mining of “intelligence” databases that list even peripheral associates of figures in criminal networks – would allow airport officials to assess the risks of hiring or continuing to employ some people. Observers, however, say the flip side is the possibility of privacy complaints and even lawsuits, especially if people with no criminal record find themselves out of work because of uncorroborated suspicions they had no chance to answer. [Source] [Source] See also: [Biometrics brings greater confidence to airport security]
Teachers are considering another boycott in B.C. schools — this one aimed at a multimillion-dollar computer program that’s being introduced province-wide to gather information on all students attending public and private schools. The program, known as BCeSIS for B.C. electronic Student Information System, is despised by many teachers, who find it slow, archaic and frustrating. Their union is discussing a possible boycott this spring to stop further implementation until concerns are addressed. But Irene Lanzinger, president of the B.C. Teachers’ Federation, said there are other important issues that also need to be discussed, such as whether the province should be gathering such data, what it will do with the information, how long it will keep it and who will have access to it. “Should we have a central, provincewide database that has every child on it? That’s a debate we’ve never had,” she said in a recent interview. “Schools have lots of information about kids and their privacy rights have to be respected.” While BCeSIS is now mostly used to collate attendance and marks, it can also be used to track behaviour issues, discipline, medical conditions, court records, custody orders and special needs. There is also an opportunity for teachers to write comments about students that could follow them throughout their school career and beyond. Teachers are seeking assurances that information collected through BCeSIS will be limited, available to teachers only for instructional purposes and expunged — except for key data — after graduation. They also want a prohibition on “data-matching” among ministries or with other governments. [Source]
Anonymity is getting harder to come by. That’s according to the results of a study on privacy, anonymity and identity, released this week in Ottawa. Researchers in five countries undertook the survey, which found that laws in nations around the world are enabling technology to undermine citizens’ anonymity. “What we’re starting to see is a move toward making people more and more identifiable,” said University of Ottawa law professor and study co-lead Ian Kerr. This loss of anonymity is important, says Kerr, because it is one of the ways people can protect their privacy. The results will be released online in three installments next month. [CBC] [ID Trail + Book]
Consumer
Consumer Federation of America recently published a report analyzing the costs of for-profit identity theft services. The report found that descriptions of services were often confusing, unclear, and ambiguous. Also, the services may not always offer the protection that consumers were led to believe they would get. The new report, “To Catch a Thief: Are Identity Theft Services Worth the Cost?”, explores the types of services in the market, the fees charged, the descriptions, the claims of benefits, and whether the services can be carried out by consumers themselves. The CFA recommended ten steps to protect personal information and detect fraud. The CFA also found some practices it considered “troublesome”, including overbroad assertions on identity theft services’ websites. The organization expressed a strong preference for discouraging services from requesting consumers’ free annual credit reports on their behalf and believed that consumers should have stronger rights regarding their credit reports. [CFA Press Release] [To Catch a Thief: Are Identity Theft Services Worth the Cost?]
E-Government
Passport Canada has abruptly ended its online application service, just as other federal departments are expanding their Internet-based links with Canadians. The agency posted a cryptic notice on its website earlier this month, saying its online service is “stepping aside” and will not be available after April 30. The move follows complaints from Canada’s privacy commissioner about sloppy security at the agency, and an embarrassing online security breach more than a year ago. But a spokesman for Passport Canada says the online service is being wound up simply because it isn’t as “convenient” for Canadians as using downloadable forms that must be filled out and brought in person to a passport office. “Passport On-Line has been replaced by interactive forms because they are more convenient for applicants,” Jean-Sebastien Roy said in an email response to questions. “Interactive forms do not require a password or an online session.” [Source] [Source]
The National Institute of Standards and Technology (NIST) has released a draft of voluntary standards for electronic voting machines. The current evoting machines guidelines are known as VVSG (Voluntary Voting System Guideline) 2005; the new draft guidelines are known as VVSG Next Iteration (VVSG-NI). NIST is accepting public comment on the draft document through July 1, 2009. After the standards are finalized, it will be up to state and local governments to decide if they will require their machine manufacturers to comply with them. [Source] [Source]
US Senators Olympia Snowe (R-Maine) and Bill Nelson (D-Florida) have introduced legislation that would expand the Can Spam Act to include unsolicited SMS (Short Message Service) messages. The m-Spam Act would allow the Federal Communications Commission (FCC) and Federal Trade Commission (FTC) to pursue spammers who send messages to mobile phones. It would also prohibit sending unsolicited messages to cell phone numbers listed with the Do Not Call Registry. In the US, cell phone users must pay not only to send text messages, but to receive them as well. [Source] [Source]
Electronic Records
As the province gets set to launch its new eHealth system, organizations concerned about medical privacy are saying the public needs to educate and protect themselves. They’ve started a campaign, called ‘BC’s Big Opt-Out’, stressing the right of everyone in the province to decide whether they want to consent to what’s been dubbed an integrated healthcare record database. Micheal Vonn of the BC Civil Liberties Association says it will upload patient data into a centralized system. “The system will be widely accessible across all sectors of healthcare, as well as the Ministry of Health, and ultimately, many, many other government players.” Vonn says information which might be useless to an emergency room doctor could be of interest to employers, insurers, police or researchers if it gets into the wrong hands. She says the campaign’s website has downloadable letters that can be sent to your healthcare providers, so if you do not want to consent to the eHealth system, you can make it known. [BC’s Big Opt Out website] [Source]
Encryption
April 8, 2009: Researchers at the McCormick School of Engineering and Applied Science at Northwestern University have identified a new “guilt-by-association” threat to privacy in peer-to-peer (P2P) systems that would enable an eavesdropper to accurately classify groups of users with similar download behavior. To thwart this threat, they have released publicly available, open source software that restores privacy by masking a user’s real download activity in such a manner as to disrupt classification. [Source]
EU Developments
The European Parliament ratified amendments to the EU e-Privacy Directive (2002/58/EC) which requires websites to ensure the consent of the user before storing information on a computer or accessing user information already stored on a computer. The amendment requires operators to clearly inform users that the site uses a cookie. The amendment also empowers the Commission to adopt measures on the security of data processing. The amendment directs that when adopting such measures, the Commission should consult all relevant European authorities and organizations, such as ENISA, the European Data Protection Supervisor and the Article 29 Working Party in order to be informed of the best available technical and economic methods for improving the implementation of Directive 2002/58/EC. [Draft Recommendation for Second Reading] [Directive 2002/58/EC on data protection and privacy] [Article 29 Working Party]
The European Commission has started legal action against Britain over the online advertising technology Phorm. It follows complaints to the EC over how the behavioural advertising service was tested on BT’s broadband network without the consent of users. Last year Britain had said it was happy Phorm conformed to European data laws. [BBC]
The UK privacy consultancy 80/20 will discontinue its advisory work due to its founders’ involvement in the advocacy group Privacy International. “It is with great sadness that we must take the decision to cease working with...organisations in an advisory capacity,” the firm’s founders said in a statement. 80/20 has advised such firms as eBay, AOL, Phorm and Microsoft. Google has been a critic of 80/20’s connection to Privacy International, saying that founder Simon Davies’ criticisms of [Google] are “undermined by the fact that alongside his work for Privacy International, he acts as a consultant to a number of [rival technology companies],” said a Google spokesperson. [Source]
UK laws protecting the privacy of people’s communications are inadequate, the European Commission has said. The Commission has launched a legal case against the UK over its implementation of European Union Directives. [Source]
The March target for publishing legislation to give the Information Commissioner’s Office (ICO) more regulatory powers has passed, and the Ministry of Justice is mum on a new deadline. The secondary legislation is needed to follow through on last year’s amendments to the Data Protection Act, which give the ICO the ability to impose civil monetary penalties for certain breaches of information. “We are committed to bringing these provisions into force as soon as possible,” said a MoJ spokesperson. [Source]
The Information Commissioner’s Office (ICO) has again deemed that Google’s Street View application does not breach personal privacy. The ICO stated its opinion in response to a formal complaint about the service from the group Privacy International. The British version of the Street View service launched last month. It offers 360-degree views of cities and towns, including people, homes and automobiles. Google blurs the faces of people and licence plates before publishing. Privacy International expressed disappointment in the ICO’s response. The ICO published a similar finding at the close of an earlier investigation about Street View. [Source]
In a video posted on her website, Viviane Reding, the European Union’s Commissioner for Information Society and Media, said that Europeans must have the right to control how their personal information is used, and said that the Commission would take action wherever EU Member States failed to ensure that new technologies such as behavioural advertising, RFID ‘smart chips’ or online social networking respected this right. “I will not shy away from taking action where an EU country falls short of this duty,” Reding said. Commission Press Room: IP/09/571 [Source] [video]
Facts & Stats
Facebook has crossed the 200 million user mark, founder and CEO Mark Zuckerberg announced in a blog post last Wednesday. Facebook’s dramatic growth since its launch in 2004 has fueled hopes that it may open itself to investors with a Wall Street stock offering amid questions about whether its revenue can keep up with higher computing costs. [SiliconValley.com]
More than half of US adults used the Internet to participate in the 2008 election, the first time that threshold has been crossed, according to a study released yesterday. Some 55% searched for political news online, researched candidate positions, debated issues or otherwise participated in the election over the Internet, the Pew Internet and American Life Project found. [Washington Post]
Filtering
CDT has filed two sets of comments with the Federal Communications Commission in response to the Child Safe Viewing Act, in which Congress asked the FCC to assess tools to help parents guide their children’s television and content viewing. In joint comments filed on behalf of a coalition of industry and public interest groups, as well as in individual comments for CDT, we argued that the FCC must avoid technical and other mandates that harm innovation and violate constitutional free speech principles. The goal, CDT urged the FCC, is to allow parents to make decisions for their families, and not have the government or a network operator deciding what is “good” or “bad” content. [CDT Joint Comments to FCC] [CDT Individual Comments to FCC]
Finance
Consumers have tested a model privacy form developed to help them easily compare financial institutions’ privacy policies. Now the Securities and Exchange Commission (SEC) is reopening a public comment period on the form to get more feedback. The form was developed by the SEC and other federal regulators in response to the Financial Services Regulatory Relief Act of 2006. Financial institutions that choose to use the form, should it pass muster, would satisfy Gramm-Leach-Bliley Act disclosure requirements and could take advantage of a legal “safe harbor,” the report states. [Source]
Health / Medical
The FTC has posted its proposed rule implementing new breach notification requirements for health records, imposed by the American Recovery and Reinvestment Act of 2009 (ARRA). The FTC rule will apply to vendors of personal health records and related entities not covered by HIPAA (the Health Insurance Portability and Accountability Act). The Department of Health and Human Services is required to issue by August 17 proposed rules pertaining to similar breach notification provisions applicable to entities covered by HIPAA. The FTC is the first agency to publish details for implementation of the new privacy and security provisions in ARRA. CDT will be drafting comments to the FTC proposed rule. Public comments are due on June 1, 2009. [Text of FTC’s Proposed Rule, April 16, 2009] [HTML version] [CDT Analysis of ARRA Privacy Provisions, March 24, 2009] See also: [US: State privacy laws may undercut electronic medical records: MIT Study]
A high-tech system that will give paramedics instant access to a patient’s health records at the scene of an accident or during an emergency has been launched. After several years of development, invisibleBracelet.org announced that it was ready to sign up clients. A metaphorical — not literal — bracelet, it’s really a sticker that goes on the back of a driver’s license. EMSA crews always search for a patient’s ID anyway — now they simply have to look on the back of the license for an eight-digit code to enter into the ambulance’s computer system. Invisible Bracelet will not only give the ambulance crew access to vital health records, it will send an e-mail or text message to the patient’s next of kin to let them know about the emergency. The company will charge $5 for signup and $3 a year to renew. With such a low price, Roberts says, profits will have to come from signing up huge numbers of people. For now, Invisible Bracelet is available only in Oklahoma, but the company hopes to go nationwide soon. [Source]
Australian doctors are concerned that proposed legislation could violate patient privacy and drive a wedge in the physician-patient relationship. The government has released an exposure draft on a new law aimed at preventing Medicare fraud. The law would require physicians to submit patient records to Medicare authorities in certain instances. Australian Medical Association president Rosanna Capolingua said the legislation forces doctors to break their oath of patient confidentiality. A senator said that Medicare is working with the Office of the Privacy Commissioner to ensure the privacy risks are mitigated. There will be a public hearing on the legislation May 6. [Source]
Horror Stories
Hackers made off with at least 285 million electronic records in 2008, more than in the four previous years combined, according to a new study that shows identity thieves are getting better at exploiting careless mistakes that leave companies vulnerable to attack. The number comes from a study of 90 data breaches investigated by Verizon Communications, which is hired to do a post-mortem on most big computer intrusions. [Washington Post] [Verizon report]
With Time Warner Cable facing the fury of consumers and threats of legislation, Frontier said this week that it would not sell Internet service with ‘tiers’ of usage, much like the minute allowance of a cell phone plan. [SiliconValley.com] [New York Times]
A string of data breaches orchestrated principally by a handful of organized cyber-crime gangs translated into the loss of hundreds of millions of consumer records last year, security experts say. The size and scope of the breaches, some of which have previously not been disclosed, illustrate the extent that organized cyber thieves are methodically targeting computer systems connected to the global financial network. [Washington Post]
Officials at Moses Cone Health System in Greensboro, NC have begun notifying more than 14,000 patients that their personal information was on a laptop computer stolen while in the possession of consulting firm VHA. The computer was stolen on March 9 from the vehicle of a VHA employee in Georgia. The hospital learned of the theft four days later, but waited until this week to make the theft public. VHA had the information on the computer because it was conducting analysis to help the hospital improve patient care and reduce costs. The data were not encrypted. The theft affects cardiology and orthopedic patients treated at Moses Cone Memorial Hospital or Wesley Long Community Hospital between February 2004 and February 2009. The data include confidential patient information and some Social Security numbers (SSNs). [Source] [Source] SEE ALSO: [Borrego Springs (CA) Bank Warns Customers of Account Data Compromise] [Gexa Informs Customers of Year-Old Data Breach] [Missing Laptop Holds Sensitive Ministry of Defence Information] [Stolen Laptop Contains Commercial Driver’s License Holder Data]
Identity Issues
Saskatchewan won’t have them. B.C. is rolling them out. And now the enhanced driver’s licence (EDL) debate has begun in Michigan. State Rep. Paul Opsommer wants the governor to rethink the state’s use of EDLs. At issue, says Opsommer, is the fact that EDLs contain RFID technology. “Michigan entering into a federal agreement to put unencrypted, long-range RFID computer chips into our driver’s licenses presents a huge privacy risk with very little benefit,” Opsommer said in a statement. The U.S. Department of Homeland Security says the cards do not pose a privacy risk. [Source]
Manitoba’s new enhanced ID cards are selling like air conditioners in January, and the province’s MPI critic says it might be time to scrap them altogether. Manitoba Public Insurance began offering the $50 cards, which are renewable every five years, on Feb. 2. Although the insurer figured up to 100,000 people might eventually apply for one, or for the enhanced driver’s licences that have yet to appear, the number applied so far is “just over 1,000,” according to an MPI spokesman. [Source]
Intellectual Property
As of April 1, Swedish courts can order Internet operators to submit the details of their clients if they are suspected of sharing files illegally. One broadband provider has begun destroying its clients’ IP address details as a result. “We’re following the law and choosing to destroy the details,” said Bahnhof CEO Jon Karlung, an opponent of the measures, which are based on the European Union’s Intellectual Property Rights Enforcement Directive. The law allows ISPs to retain or destroy the IP addresses of file sharers. If other ISPs follow suit, “that would make the new law completely ineffective,” Karlung said. [Source]
Internet / WWW
“Proxy” servers are an everyday part of Internet surfing. But using one in a crime could soon lead to more time in the clink. A key vote on new federal sentencing guidelines would classify the use of proxies as evidence of “sophistication,” increasing sentences by about 25%, which could mean longer time behind bars, depending on the crime. It’s akin to judges handing down stiffer sentences when a gun is used in a robbery. Yet digital-rights advocates are worried. Although they aren’t absolving criminals, they complain that the proposal is so broad it could lead to unnecessarily harsh sentences for tech neophytes who didn’t know they were using proxies in the first place, or who were simply engaging in a practice often encouraged as a safer way of using the Internet. “It sends a bad message about protecting your own privacy,” said John Morris, general counsel for the Center for Democracy and Technology. “This is the government saying, ‘If you take normal steps to protect your privacy, we’re going to view you as a more sophisticated criminal.’” [Source]
A controversial proposal that would have seen judges directed to consider the use of Internet proxies when handing down sentences for online crimes has been rejected by the U.S. Sentencing Commission. The initial proposal would have directed judges to consider the use of a proxy as an indication of the sophistication and intent of those who have been convicted, but civil liberties groups and technology advocates strongly opposed the matter, given that there are a variety of common and legitimate uses of proxy servers. The arguments put forth by these advocates apparently held the day. [Source]
Online Privacy
Amazon has barred web monitoring advertising system Webwise from accessing its web sites. The online retailer, which is the UK’s second biggest shopping site behind eBay, will not allow the system to monitor people’s use of its site. [Source]
Wikipedia has asked behavioral advertising technology company Phorm to remove its domain names from the company’s controversial Webwise service. Webwise tracks users’ online activities so that advertisers can serve tailored ads. In a statement, the Wikipedia Foundation requested that its Web sites and all related domains be excluded from Phorm’s system, asserting “...we consider the scanning and profiling of our visitors’ behavior by a third party to be an infringement on their privacy.” [Source]
Voting begins on Facebook’s new terms of service (TOS) agreement. The changes reflect users’ input sought out after February’s row over the company’s original TOS changes, which many users found to be privacy invasive. Voting will end on April 23 and one-third of active users must vote in order for it to stick. The new rules intend to limit the use of members’ personal information and also limit the company’s rights to use and distribute member content. [Source] See also: [OPC Settled Case Summary #30 - Impersonation, Privacy Settings, and Social Networking Sites]
Other Jurisdictions
Government officials are cool on the topic of a statutory cause of action for privacy. Victorian Attorney-General Rob Hulls said yesterday that he would likely not support a measure such as one proposed by the Victorian Law Reform Commission recently that calls for legislation to stave off surveillance. Mr Hulls said actions already exist under the common law for those who believe they have suffered a serious invasion of privacy. The federal government is reviewing the Australian Law Reform Commission’s report of last year, which also calls for a tort of privacy. But Special Minister of State John Faulkner said it is “not progressing that recommendation at this stage.” [Source]
Security
According to a report issued Monday by Symantec, hackers are finding new ways to attack unknowing computer users by taking advantage of weaknesses in Web applications and browser plug-ins, sometimes turning even legitimate Web sites into a source of malicious code. In another trend, security experts are noticing a significant proliferation of Internet worms and other malicious activity in nations with “emerging economies,” where increasing computer use has been accompanied by widespread adoption of pirated software that lacks updated security protection. [SiliconValley.com]
Microsoft’s Security Intelligence Report, which covers events in the second half of 2008, says that scareware, programs that lead users to believe their machines are infected with malware and urge them to buy phony anti-virus software, has emerged as a significant threat. The report examined file format attacks as well, which rely on users opening maliciously crafted files. Most of the file format attacks in 2008 exploit a known flaw in Windows that was patched in 2006. [Source] [Source] [Source]
The results of a survey from Robert Half Technology indicate that a majority of companies plan to invest in IT security projects despite the tough economy. 70% of chief information officers responding to the survey said their organizations plan to spend funds on IT security initiatives. The survey includes responses from 1,400 CIOs at US companies with 100 or more employees. Other IT areas in which the CIOs expected to invest include virtualization, data center efficiency, VoIP and social networking. [Source]
Data minimization could become a key security tool for companies. That’s according to two Wharton professors who say that companies should reduce the amount of personal data they hold in order to reduce their liability. Marketing professors Eric Bradlow and Peter Fader say that companies should assess what customer information they actually need to retain, rather than hoarding all available data, which leaves them more vulnerable to expensive data breaches and adds to security costs. Bradlow and Fader say that although the ability to minimize will vary by industry, there is real potential for it to become a company norm. [Source]
Surveillance
The National Security Agency intercepted private e-mail messages and phone calls of Americans in recent months on a scale that went beyond the broad legal limits established by Congress last year, government officials said in recent interviews. Several intelligence officials, as well as lawyers briefed about the matter, said the N.S.A. had been engaged in “overcollection” of domestic communications of Americans. They described the practice as significant and systemic, although one official said it was believed to have been unintentional. [New York Times]
The head of the US Senate Intelligence Committee said that the panel would hold a hearing to get to the bottom of reports that the National Security Agency improperly tapped into the domestic communications of American citizens. The House and Senate Intelligence and Judiciary committees learned of the problem in late February from the Justice Department. [Washington Post]
Telecom / TV
AT&T has launched FamilyMaps, a service that tracks any AT&T cellphone from another phone or PC. The trackee (your child, girlfriend, elderly parent, whoever’s on your family plan) gets a text message that he or she is being watched — and in real time on a map, or by text or emails with the location, you can see where they are. A scheduled service will send you location information at a certain time each day, so you can get an email when your kid makes it to band practice. The service only works on phones within a family plan. So, there’s no way your boss can track you when you call in “sick” from the baseball stadium. GPS tracking isn’t new; Verizon, Sprint and Alltel have their own versions. There’s also a service from Loopt that is free for iPhones and some Verizon and Sprint Nextel phones that will find your friends, and Google’s Latitude also tracks your friends through their cellphones. The difference with the AT&T service is that it doesn’t require the person being tracked to run the same application, and the others have privacy settings. With FamilyMaps, the account holder controls these settings, so you could be always trackable by your family. [Source]
US Legislation
A bill to require women seeking abortions to fill out a detailed questionnaire passed the Senate after lengthy debate. House Bill 1595 asks women to answer questions about their reason for seeking an abortion, including marital status and job or income considerations. The bill also would ban the practice of terminating a pregnancy based on the sex of the fetus. The bill passed the Senate 34-10. The bill is headed to a conference committee, barring any additional changes in the Senate. [Source]
Workplace Privacy
New Zealand’s Privacy Commissioner has warned that employers and companies that conduct background checks on potential employees may be violating the country’s Privacy Act. For example, applicants for 24 new jobs advertised by the country’s Tertiary Education Commission (TEC) were requested to sign a consent form allowing a third party to conduct background, resume and reference checks, and to allow “any relevant third party” to supply additional information. They were also asked to agree to allow the third party company to hold their application information indefinitely, even if they are not hired. [Source]