Privacy News Highlights
18–24 April 2009
Contents:
US – F.B.I. and States Vastly Expand DNA Databases
CA – Alberta Bars Could Collect Names, Photos Under Proposed Bill
AU – Australia Tax Office Has Culture of Privacy Violation: Report
US – NY Tax Worker Accused of Stealing Taxpayers' IDs
BC – NDP Candidate Quits After Embarrassing Facebook Pics Surface
US – Mayo Clinic Backs New Personal Health Record Site
UK – ICO Takes Enforcement Action for Serious Data Breach
UK – MPs to Probe ISP Snooping and Throttling
UK – Phorm Not Worried by Government ISP Investigation
US – Lost Laptops Cost Companies $50k Apiece: Ponemon Study
EU – Dutch Authorities Give Strict Ruling on Legal Hurdles for Viral Marketers
US – Device Identification in Online Banking is Privacy Threat, Expert Says
AU – CrimTrac: Expand DNA Collection
UK – “My Genome is My Property”
US – Bigger FTC Presence in Healthcare
CA – Court Overturns Alberta Privacy Commissioner Order on Surgeon's Patient List
US – US Court Backs Children’s Privacy
UK – Another NHS Breach: Stolen NHS Laptop Has Records of 1,400 Scots
UK – British Council Violated Data Protection Act, Says Info Commissioner's Office
UK – UK's Regulation of Investigatory Powers Act Under Review Due to Alleged Overuse
US – Dept of Health and Human Services Issues EHR Data Security Guidance
US – Students Lose, Fair Use Wins in Suit Targeting Anti-Plagiarism Tool
WW – Facebook Users' Vote Ending Way Short of Threshold
WW – Cloud Computing Security Group Releases Report Outlining Trouble Areas
UK – Google Street View Cleared of Breaking UK Data Protection Act
MY – Malaysian Personal Data Protection Act to Protect Personal Information
NZ – Bill on Cross-Border Data Transfers
US – Supreme Court Limits Warrantless Car Searches
US – Student Strip-Search Case Before Supreme Court
US – Congress Examines Cable, Web Privacy
US – Court Delivers Blockbuster Blow
UK – More than 1/3 of Employees Would Sell Employer's Secrets
US – Verizon: Organized Crime Behind Data Breaches
US – Two Charged With Invasion Of Privacy
US – Newly Released Documents Shed (a Bit) More Light on FBI's Spyware
US – NSA Wiretaps Have Exceeded Limits
UK – Council Use of RIPA Needs to be Reined in, Says Government
UK – Britain's 'Database State'
US – Obama, Congress to Revisit Real ID
US – House Members Plan to Draft New Online Privacy Bill
Biometrics
Starting
this month, the FBI will begin collecting DNA samples from innocent people in
order to help solve future violent crimes, reports the New York Times. The
bureau will take genetic samples from those who have been arrested or detained,
but not convicted. In past practice, the FBI only swabbed convicts. The move
has prompted privacy concerns and fears of a genetic surveillance society, the
report states. ACLU lawyer Michael Risher said the Constitution prohibits
"the indiscriminate taking of DNA for things like writing an insufficient
funds check, shoplifting, drug convictions..." [Source]
Canada
The
Alberta government is moving toward letting bars collect personal information
from patrons in a bid to identify troublemakers and prevent gang activity. An
amendment to the provincial Gaming and
Liquor Act, introduced in the legislature, proposes that bars and
nightclubs be given authority to collect, use, and share with each other
information about problem patrons. In 2008, Alberta's privacy commissioner
ordered Tantra, a Calgary nightclub owned by Penny Lane, to stop scanning
patrons' driver's licences, disputing the company's view that the practice
curbed violent behaviour. If Bill 42 is passed, venues could collect names,
ages and photos of patrons and share them with other businesses to prevent the
same troublemakers from moving between bars and clubs and creating the same
problems, the solicitor general's office said. However, clubs would have to
follow the privacy commissioner's guidelines. Kent Hehr, justice critic for the
Alberta Liberals, said there are still privacy concerns in the proposed
legislation. "There's no real filter for how they're going to dispose of
this information, what it's to be used for, and it can really open up a whole
can of worms as to what information we're going to be allowed to be collected
by private organizations," he said. [Source]
[Privacy
chief backs crackdown on problem bar patrons Official fears some guests will be
unfairly targeted]
E-Government
The
Australian Tax Office (ATO) is reportedly preparing to revamp tax information
sharing rules, after a report raised concerns about collusion between the ATO,
Australian Crime Commission and Australian Federal Police. The confidential
investigation follows allegations made as part of the Project Wickenby tax
fraud crack down, regarding a culture of inappropriate disclosure of
information to law enforcement agencies. The ATO was accused of passing on
information to the AFP and other agencies in their attempts to prosecute
high-profile figures such as Paul Hogan and Glen Wheatley. The Boucher report
gave credibility to these claims, and also said there was evidence of pressure
on ATO staff seconded to the AFP to be facilitated and made faster, the AFR
said. "There may be a gap between current policy and practice. It also
appears ... there is legal risk which should be addressed by serious
non-compliance concerning these important arrangements," the paper quoted
the report as saying. The ATO is expected to propose major changes to its
culture, policies and procedures in a report to Parliamentary Joint Committee
of Public Accounts and Audit. [Source]
A
former New York state tax department worker was accused of stealing the
identities of thousands of taxpayers and running up more than $200,000 in
fraudulent charges. Walter Healey gathered credit card, brokerage account and
Social Security numbers that he used to open more than 90 credit card accounts
and lines of credit between 2006 and 2008. [Washington
Post]
The
NDP candidate for the new riding of Vancouver-False Creek has abruptly
withdrawn from the election race hours after inappropriate photos of him surfaced
on a social networking site. Ray Lam, a community organizer who sits on the
board of Vancouver Pride and other gay-rights groups, said the photos were taken
from his private Facebook page. "I regret this material and the associated
comments that have now become public," Mr. Lam said in a statement. [Source]
Electronic Records
The
Mayo Clinic has combined its medical expertise with Microsoft's technology in a
free Web site launching yesterday that will let people store personal health
and medical information. The Mayo Clinic Health Manager uses Microsoft's
HealthVault system to store medical histories, test results, immunization files
and other records from doctors' offices and hospital visits, along with data
from home devices like heart rate monitors. [Washington
Post]
EU Developments
The
Information Commissioner’s Office (ICO) has found the British Council in breach
of the Data Protection Act after the
loss of an unencrypted computer disc. Details lost include sensitive personal
information relating to trade union membership of over 2,000 members of staff.
The ICO required the British Council to sign a formal Undertaking outlining
that it will take reasonable measures to keep personal information secure in
future. By signing the Undertaking
the British Council agrees to implement a number of security measures to
protect personal information more effectively. For example, all portable and
mobile devices which are used to store and transmit personal information must
be encrypted, with immediate effect. Failure to meet the terms of the Undertaking
is likely to lead to further enforcement action by the ICO. [Source]
UK
MPs have launched an investigation into the use of snooping technology by ISPs
which allows them to profile customers for advertisers and throttle or block
specific types of traffic. An inquiry by the All-Party Parliamentary Group on
Communication will examine issues such as the emergence of Phorm's profiling
system, and the restriction of bandwidth available to specific applications
such as BitTorrent. Both activities are reliant on Deep Packet Inspection (DPI)
technology. The informal cross-party group of MPs and Lords will also consider
calls for ISPs to do more to block spam and botnets. The group, chaired by
Labour MPs John Robertson and Derek Wyatt, has called for submissions on five
questions around the subject (below). It will hold evidence sessions in June,
with a final report due in Autumn.
· Can we distinguish circumstances when ISPs should be forced to act to deal
  with some type of bad traffic? When should we insist that ISPs should not be
  forced into dealing with a problem, and that the solution must be found
  elsewhere?
· Should the Government be intervening over behavioural advertising services,
  either to encourage or discourage their deployment; or is this entirely a
  matter for individual users, ISPs and websites?
· Is there a need for new initiatives to deal with online privacy, and if so,
  what should be done?
· Is the current global approach to dealing with child sexual abuse images
  working effectively? If not, then how should it be improved?
· Who should be paying for the transmission of Internet traffic? Would it be
  appropriate to enshrine any of the various notions of Network Neutrality in
  statute?
[Source]
[Details of how to
respond]:
Parliament
has formed a new group to investigate internet traffic issues - and Phorm wants
to make it clear that it welcomes the chance to convince more people about the
merits of its behavioural advertising system. Formally formed this week, the
All Party Parliamentary Group on
Communications will look into internet traffic issues including behavioural
advertising, privacy, child abuse and internet neutrality, in order to decide
how the government should regulate internet service providers (ISPs).
"Recent technical advances are beginning to make it practical to inspect
internet traffic - 'bad' traffic might then be blocked; 'bulk' traffic might
then be slowed; 'wicked' traffic detected and crimes investigated; or personal
profiles could be built to better target advertising," the group wrote on its site.
The comms group will be taking submissions on the issues until 22 May, with a
final report due in the autumn. [Source]
[All Party Parliamentary Group on
Communications]
Facts & Stats
A
single lost or stolen laptop costs a business an average of nearly $50,000,
according to an Intel-sponsored study by the Ponemon Institute. That figure is
based on Ponemon's recent voluntary survey of 28 US companies reporting 138
separate cases of missing laptops. Value of missing kit was mathmagically
calculated by factoring laptop replacement, data breach cost, loss of
productivity, investigation cost, and other variables. The value of a lost
laptop to a firm cost an average of $49,246. Minimum damage calculated in the
survey was about $1,200, and the maximum reported value was just short of a
cool $1m. Consulting firms, law firms, financial services, healthcare,
pharmaceutical, education, and technology are companies which would take the
biggest financial hit from a lost notebook, according to the study. Tech firms
top the list when just factoring the cost of IP loss and lost productivity. The
Ponemon peeps claim a lost laptop that has encryption will cost a company about
$40,000, while a machine without encryption runs up an average of $60,000.
That's a $20k difference - but still a peculiarly large amount of damage being
done by a supposedly secure laptop. Ponemon suspects the reason encrypted costs
aren't zero is that the encryption may not have been implemented properly. [Source]
Viral marketing which relies
on people to hand over friends' contact details can be legal but only if
certain conditions are met, Dutch authorities have ruled. Companies must be
careful not to break telecoms and data protection laws, regulators said. 'Tell
a friend' promotions are a staple of viral marketing and involve one user
providing email addresses to a company so that a friend of theirs can receive a
message from that company. [Source]
Finance
Banks'
use of device fingerprinting technology for preventing fraud poses a threat to
privacy, according to an Electronic Frontier Foundation (EFF) attorney. CNET
News reports that during an RSA conference panel yesterday, the EFF's Jennifer
Granick said the device identifiers used by the biggest online banks and
e-commerce companies in the U.S. let them monitor consumer transactional
patterns. "There is very little privacy protection in the U.S. for this
type of information," Granick said. "We don't want it shared with
[advertising affiliates]." A banking industry attendee said that the
privacy issue is encumbering banks' fiduciary obligation to prevent fraud,
while another said: "Data is being collected in the name of fraud
prevention, but is being sold." [Source]
Genetics
The
head of CrimTrac, the agency that maintains the national DNA database, thinks
that the collection of genetic information should be expanded. "I
personally believe that newcomers to crime need to be added to the national DNA
database through broader DNA testing," said Chief Executive Ben McDevitt.
McDevitt suggests that authorities begin taking DNA samples from those who are
charged but not convicted of crimes, and those who are charged for minor crimes
such as burglary and auto theft, the report states. "They are recidivist
offenders, and in my view recidivist offenders need to be added to the national
database as early as possible in their cycle of offending." [Source]
The
founder of genetic fingerprinting has spoken out against the collection of DNA
information from innocent citizens, The Guardian reports. Sir Alec Jeffreys
said that while convicted offenders should expect to have their DNA collected
and retained, the government should not be storing DNA data on those simply
arrested on suspicion of a crime. Britain's DNA database is Europe's largest.
"My genome is my property," said Jeffreys. "It is not the
state's." Jeffreys also condemned the government's planned response to an
EU court of human rights ruling against the practice. [Source]
Health / Medical
The
FTC last week issued proposed rules on federal breach notification requirements
for certain healthcare providers or affiliates. Under the American Recovery
and Reinvestment Act of 2009, the commission will have authority over an
estimated 900 entities that are not subject to the privacy and security
requirements of HIPAA, but that play in the Health 2.0 space in some way.
Although it is not the FTC's first foray in the health field, its presence may
take some by surprise, reports Modern Healthcare. "They bring a lot of
enforcement actions..." said Pam Dixon of the World Privacy Forum,
"healthcare may not be accustomed to this." [Source]
Alberta's
Court of Queen's Bench has overturned a decision by the province's privacy
commission that ordered cosmetic surgeon Dr. Barry Lycka to stop using patient
information to seek donations and sell services, such as those offered by a
medi-spa. In an April 17 decision, Justice Gerald Verville said the Office of
the Information and Privacy Commission made legal mistakes by not disclosing
the names of the two complainants and by stating that even with patient
consent, Lycka couldn't use personal health information to raise money.
Verville said if a patient does give consent, an office such as Lycka's can
market any commercial service or solicit money without contravening the Health Information Act. The spa,
foundation and Lycka's medical clinic all operate separately, but the
10,000-patient database is shared, as is a list of 5,000 other names collected
at the Edmonton Bridal Show and Women's Show. Verville said without knowing the
names of the two complainants who said they didn't give consent, Lycka's office
had no opportunity to confirm or deny the women's words. "The commissioner's
decision limited the ability of the applicants to defend themselves," the
judgment reads. [Source]
The
state Supreme Court affirmed children’s privacy rights with an April 17 ruling:
Parents do not have unconditional access to their children’s health records.
But both legal and mental-health experts say parents should not panic; the
court’s decision is not intended to wrestle control of children’s treatment
away from caregivers. The court decided it was not in three children’s best
interest for their mother, Susan Harder of North Liberty, to have specific
information from their counseling sessions. [Source]
The
UK Information Commissioner is demanding an explanation for a breach of
personal information at Scotland's Aberdeen Royal Infirmary, reports the
Aberdeen Press and Journal. NHS Grampian acknowledged that a laptop containing
details on nearly 1,400 Scots was stolen from a locked office in the
gastro-intestinal department last week. The patient information was password
protected, but not encrypted, despite the Scottish Government's 2008 health
directorates calling for such a measure. "Funds and a contract for the
necessary technology have been made available to help make this happen,"
said a government spokesperson. NHS Grampian said it will encrypt all files
within three months. [Source]
Horror Stories
The UK Information Commissioner's Office says that the British Council's loss
of an unencrypted disk containing personally identifiable information
constitutes a breach of the Data Protection Act. The disk holds sensitive data
belonging to more than 2,000 staff members. The breach was reported to the ICO
promptly; the ICO has required the British Council to officially agree to a
number of security measures to guard against future data loss. Among those
measures are ensuring that all portable and mobile data storage devices are
encrypted. [Source] [Source]
UK
Home Secretary Jacqui Smith has announced a review of the Regulation of
Investigatory Powers Act (RIPA) following complaints that the powers had been
invoked for trivial offenses, including littering and taxi overcharging. The review invites public feedback. The review seeks input on which public
authorities should have the authority to invoke RIPA. [Source]
[Source]
The
US Department of Health and Human Services has released a document
offering guidance on protecting electronic health record data. The document says that electronic medical
data must be rendered "unusable, unreadable or indecipherable" to those
who do not have the authority to view them, and recommends encryption and
destruction as acceptable methods of meeting those requirements. The document is tied to two sets of breach
notification regulations required by the Health Information Technology for
Economic and Clinical Health (HITECH) Act, part of the economic stimulus
bill. One set of notification
guidelines will be issued by HHS, and the second will be issued by the FTC for
entities not covered by HIPAA.
Organizations that comply with the guidelines set forth in the document
will not be held to breach notification requirements. HHS will accept public comments on the document through May 21,
2009. [Source]
[Source]
[Source] [Source]
SEE ALSO: [SunTrust
Banks Announce Security Breach: Bank Sends Letters To Customers Warning
Accounts Compromised]
Intellectual Property
Students
have suffered another defeat in their legal fight against the company that runs
a plagiarism-detection tool popular among professors. A federal appeals court
last week affirmed a lower court’s decision that the Turnitin service does not
violate the copyright of students, even though it stores digital copies of
their essays in the database that the company uses to check works for academic
dishonesty. [Chronicle]
Internet / WWW
Facebook
invited the 200 million people who regularly use the site to vote on its
governing documents. The site gave its members until yesterday afternoon to
choose either the current terms of use, or a revised set of documents that
reflect input from users over the past 30 days. However, Facebook said the vote
would be binding only if 30% of the site's active users voted. That would be 60
million people. As of yesterday morning, a vote on the site revealed that only
about 609,000 people had cast ballots. [SiliconValley.com]
The
Cloud Security Alliance has released a document outlining more than a dozen
areas it says must be addressed to better secure cloud computing environments.
The 83-page report, "Security Guidance for
Critical Areas of Focus in Cloud Computing," outlines 15 areas or
domains that need to be addressed, spotlighting two in particular: governance
and operations within the cloud. The report outlines the framework that makes
up many cloud computing architectures and also addresses governance and risk
management issues encountered by companies and service providers. It recommends
that service providers conduct regular third-party risk assessments and make
the results available to customers. Other domains addressed in the report
include compliance and audit, recommending service providers adhere to SAS 70
Type II audits and ISO 27001 certifications, as well as a greater uniformity in
comprehensive certification scoping. Encryption and key management, storage
issues, application security concerns and virtualization security problems are
also addressed in detail. [Source]
[Report]
Google
Street View, the controversial website that shows 360-degree street views of
many of Britain's cities does not breach the Data Protection Act, the
information commissioner ruled today. Hundreds of people complained that their
privacy was breached by the service, which launched last month for 25 cities
and towns. [Guardian]
[Common sense on Street View
must prevail, says the ICO] [Google CFO
defends Street View despite privacy concerns]
Offshore
The
lack of a Personal Data Protection Act has hindered legal action against those
who misuse the personal information of individuals, said Malaysian Deputy
Minister of Science, Technology and Innovation, Fadillah Yusoff. He said that
many had previously suggested that such an act be introduced to guard the
personal information of individuals, but that until now a bill had not been
tabled in Parliament. [Source]
Online Privacy
As
the impact of digital advertising on consumer privacy comes under scrutiny,
AT&T is taking a stance in support of stricter standards. In its testimony
Thursday at a House subcommittee hearing on the issue, the telecommunications
heavyweight is expected to advocate more transparency and consumer control in
the fast-growing field of targeted ads. [WSJ]
Other Jurisdictions
A
bill to ensure that New Zealand's data protection standards apply to personal
data crossing into New Zealand had its first reading in Parliament earlier this
month. Minister of Justice Simon Power said that the Privacy (Cross-Border)
Amendment Act 2008 would "enable us to assure our international business
partners that their customers' personal information will be protected."
Power noted the lack of attention to cross-border privacy concerns in the
Privacy Act of 1993. Privacy Commissioner Marie Shroff said: "The changes
in this Bill should help secure a finding from the European Union that New
Zealand law offers an adequate standard of data protection, thus opening up trading
opportunities with Europe." [Source]
Privacy (US)
The
Supreme Court has sharply limited the power of police to search a suspect's car
after making an arrest, acknowledging that the decision changes a rule that law
enforcement has relied on for nearly 30 years. In a decision written by Justice
John Paul Stevens, an unusual five-member majority said police may search a
vehicle without a warrant only when the suspect could reach for a weapon or try
to destroy evidence, or when it is "reasonable to believe" there is
evidence in the car supporting the crime at hand. The justices noted that law
enforcement for years has interpreted the court's rulings on warrantless car
searches to mean that officers may search the passenger compartment of a
vehicle as part of a lawful arrest of a suspect. But Stevens said that was a
misreading of the court's decision in New York v. Belton in 1981. [Source]
The Supreme Court will soon issue a decision, the first to address the issue of
strip searches in schools, that will set legal limits, if any, on the authority
of school officials to search for drugs or weapons on campus. If limits on
searches are imposed, the school district warns, its ability to keep all drugs
out of its schools would be reduced. In California and six other states, strip
searches of students are not permitted. Only once in the past has the high
court ruled on a school-search case, and it sounds quaint now. It arose in 1980
when a New Jersey girl was caught smoking in the bathroom, and the principal
searched her purse for cigarettes. The justices upheld that search because the
principal had a specific reason for looking in her purse. But they did not say
how far officials could go - and how much of a student's privacy could be
sacrificed - to maintain safety at school. [Source]
U.S.
lawmakers took aim at privacy practices of cable and Internet providers at a
House hearing, laying the groundwork for a bill that could restrict targeted Web
ads. The focus of the hearing was on new efforts by Internet providers to
collect and share data on consumers' behavior to target online advertising and
by cable companies to target ads at subscribers via their set-top boxes. [WSJ]
A
U.S. District Court judge has paved the way for a potential class-action
lawsuit against Blockbuster for alleged violations of the federal Videotape
Privacy Protection Act. The case stems from Blockbuster's participation in
Facebook's Beacon program, which notified users about friends' online
purchases. Judge Barbara Lynn ruled that a Dallas County resident's claims
should be heard in court despite Blockbuster's argument that she waived her
rights to a class action suit when agreeing to the company's terms of service
contract. Judge Lynn said that the contract was "illusory" because it
included a statement that the company could change the terms at any time. [Source]
RFID
A
bill signed by Washington Governor Christine Gregoire last week puts limits on
who can scan an RFID tag. With some exceptions, House
Bill 1011 prohibits the scanning of an RFID tag by anyone except the
business or agency that issued the tag, the report states. The goal is to help
prevent the surreptitious reading of RFID tags by those not entitled to the
stored information. The law, which goes into effect on July 26, is the result
of "a six-year engagement with the stakeholders," says bill sponsor,
House Speaker Pro Tempore Jeff Morris (D-Mount Vernon). "I think this is a
big step for privacy," Morris says. [Source]
Security
More
than one in three workers have said that they would be willing to sell their
employer's secrets to a stranger. Some of the London commuters taking part in
the survey said that they could be bribed with the cost of a good meal. The
question was put to 600 commuters at London railway stations last week. 37% of
those questioned were willing to part with company secrets for the right price.
Of those who could be corrupted, 63% said they would disclose sensitive data
for £1 million; 10% would do it if their mortgage was paid off; 5% would do it
for a holiday; 5% would do it for a new job; 4% for getting rid of their credit
card debt; and 2% would do it "for a free slap-up meal." The survey
was conducted by researchers from Infosecurity Europe. The types of information
that the workers had access to included customer databases (83%); business
plans (72%); accounting systems (53%); human resources databases (51%); and IT
admin passwords (37%). Two thirds (68%) of employees think it is easy to sneak
information out of their organisation and 88% of employees thought that the
information that they had access to was valuable. [Infosecurity Europe] [Source]
Of
the 285 million records compromised in the 90 confirmed network breaches
Networx vendor Verizon examined last year, 91% were linked to organized crime.
And only a third were publicly disclosed. With increasing supply and falling
prices, criminals have had to overhaul their processes and differentiate their
products to maintain profitability, the report states. Their method: Target
points of data concentration or aggregation to get the most valuable
information. "The big money is now in stealing personal identification
number information, together with associated credit and debit accounts,"
the report states. In the 2009 Data Breach Investigations Report released April
15, the Verizon Business Risk Team based its results on evidence the company
collected during data breach investigations from 2004 to 2008, with 2008 events
forming the primary analytical focus. Although financial organizations were the
biggest targets, 13% of the team's caseload were companies that had recently
been merged or acquired. "Mergers and acquisitions bring together not only
the people and products of once separate organizations, but their technology
environments as well," the report states. "Integration rarely happens
overnight or without a hitch. Technology standards are sometimes set aside for
the sake of business expediency." The report also quashed the widely held
belief that insiders perform most hacks: 74% of the breaches were from external
sources, such as organized crime and government entities. However, hackers were greatly aided in their
activities by the victims, with 67% of breaches resulting from someone taking
advantage of a vulnerability to hack into a network and install malware to
collect data. More than 80% of attacks occurred in Eastern Europe, East Asia and
North America, the report states. "Though it's tempting to pander to hype
surrounding state-sponsored attacks from Asia, we find no evidence to support
the position that governments are a significant source of cyber crime,"
Risk Team members wrote. However, evidence is strong that malicious activity in
Eastern Europe is the work of organized crime, they added. [Source]
Two
FBI police officers have been charged and one was arraigned in Marion County
magistrate court after videotaping high school girls who were trying on prom
dresses at the Middletown Mall. According to an FBI press release, the two
employees were charged with criminal invasion of privacy and conspiracy to commit
video voyeurism by the Marion County prosecuting attorney's office. [Source]
Surveillance
Documents
obtained under the Freedom of Information Act (FOIA) indicate that the FBI has
used technology known as a computer and Internet protocol address verifier, or
CIPAV, in a number of cases over the last seven years. CIPAV is spyware that is placed on target
computers to gather specific information and send it back to an FBI
server. The public became aware of
CIPAV in 2007 when it was used to track down the source of a bomb threat
against a high school in Washington State. The documents do not detail CIPAV's
capabilities, but an affidavit in the Washington case indicates that the
information it collects includes the machine's IP and MAC addresses; open
ports; programs running on the machine; current logged-in user name and
last-visited URL. CIPAV is of
particular use to the FBI because it is able to trace even suspects who use
proxy servers and other anonymization techniques. [Source]
US
government officials said that the National Security Agency's (NSA) domestic
wiretaps have gone beyond established legal limits. The problems were detected during a periodic Justice Department
review of NSA activities; officials at DoJ "took comprehensive steps to
correct the situation and bring the program into compliance." Last July, legislators passed and
then-president Bush signed into law the Foreign Intelligence Surveillance Act
(FISA), which gave NSA the authority to conduct wiretaps without warrants
against foreign terror and espionage suspects. [Source]
[Source]
The Government has admitted that local authorities
have abused surveillance powers and has ordered a review of the snooping law,
the Regulation of Investigatory Powers Act (RIPA). "There have been some cases
where RIPA has been clearly misused," said a Home Office statement
announcing a public consultation on planned changes. "There have been a
number of occasions recently when public authorities have used techniques under
RIPA when most people would have regarded it as inappropriate to do so,"
said the consultation itself. [Source]
See: The consultation (124-page / 1.34MB PDF)
According
to a report published this week, Britain has become a 'database state'. The
report, by the Joseph Rowntree Reform Trust, found that many of the largest
database projects concerning the public sector clearly breach human rights laws
and European data protection. Britain is the worst at protecting privacy and
the most intrusive in terms of surveillance when compared to other western
democracies. As part of the report, researchers looked at the National DNA
database, which holds the profiles of four million people, over half of whom
are innocent. It includes 39,000 children and nearly 40% of all black men in
England under the age of 35. It has been ruled unlawful by the European court
of human rights. The researchers point out that these databases penalise the
most vulnerable people in society. They cite the examples of a 13-year-old girl
who now has a criminal record for life after an incident in a playground, and
of a single mother who needed to talk to a GP about post-natal depression, but
feared that social services would take her child away if she did. [Source]
US Government Programs
Congress
and the Obama administration are considering ceding key ground in a
long-running battle between the federal government and the states over Real ID.
Proposed legislation being circulated on Capitol Hill would give states more
time, flexibility and money to meet federal Real ID requirements. For the
nation's more than 245 million drivers, the legislation would allow them to
keep using their current driver's licenses to board commercial flights or enter
federal buildings for the foreseeable future. The congressional proposal may
have the backing of the Obama administration. In a recent appearance in
Washington, D.C., Homeland Security Secretary Janet Napolitano gave the
clearest indication to date that the administration plans to push for changes
that are favorable to the states. [Source]
US Legislation
Members
of the House Subcommittee on Communications, Technology and the Internet say
they will this year introduce legislation related to online advertising,
particularly behavioral advertising. The committee held a hearing on the topic
yesterday. Committee Chair Rick Boucher (D-VA) said the not-passed 2002
Consumer Privacy Protection Act will serve as the foundation for the new
legislation. That bill would have required consumer notification on data
collection. "The thought that a network operator could track a user's
every move on the Internet, record the details of every search and read every
e-mail or attached document is alarming," Boucher said. [Source]
+++