Privacy News Highlights
13–20 February 2009
Contents:
MX – Mexico to Fingerprint Phone Users In Crime Fight
US – US State Department Employees Use Biometrics to Access Network
US – State Department Ready to Expand Use of Biometrics
EU – Researchers Doubt Biometric Scans’ Security
WW – Researchers Hack Faces In Biometric Facial Authentication Systems
WW – Personal Fingerprint Scanning: Inexpensive but Not Quite Easy
CA – Canadian Judge Rules Internet Users Have “No Reasonable Expectation of Privacy”
CA – Taxman must pay $1.3M for Breaching Privacy Right
CA – Privacy Watchdog Warns Tories Against Mass Snooping
CA – Ottawa Recalls Sensitive Database in Border Project
CA – Federal Court to Hear Insurer’s Case
CA – Former Privacy Commissioner Radwanski Acquitted
US – FTC Revises Online Behavioral Advertising Principles
US – Court Denies Cable Bid to Turn Back Privacy Rules
US – Verizon to Apply Spam Blocking Measures
UK – ICO Strengthens Criticism of Government Data Sharing
UK – Regulators Demand Clearer Privacy Policies
EU – Commission Disbands Privacy Group for Being too American
WW – Forrester Report Indicates IT Security Spending is Up Slightly
CH – US Demands Info On Additional 52,000 Swiss Accounts
NZ – Credit Agencies Seek More Personal Details
CA – Access-to-Information Laws Too Weak: Watchdog
CA – BC Privacy Commissioner: Government Must Stop Dragging Heels on FOI Requests
WW – DNA Left at Crime Scene Could Be Used to Create Picture of Criminal’s Face
CA – Infoway Launches New E-Health Certification
US – CVS Settles on $2.5 Million for Violations
US – Univ. of Alabama Data Breach
UK – Scottish Government Re-Iterates Opposition to ID Cards
CA – Canadian Content Available Online May Be Regulated
UK – UK Plans to Consolidate Communication Data Retention
WW – Everquest 2 Server Logs Offer Insight Into Offline Human Behaviour
CA – Police Chiefs Urge Ottawa to Change Laws to Help Battle Crime
WW – Recession Makes IAM More Important Than Ever: Forrester Research
WW – Facebook Withdraws Changes in Data Use
WW – Facebook’s Users Ask Who Owns Information
US – Judge Dismisses Boring Suit against Google
WW – Survey: Privacy A Major Concern Among Web Surfers
WW – International Panel: ‘War on Terror’ Has Diluted Principles
US – Mary Ellen Callahan Appointed Homeland’s Chief Privacy Officer
US – Mass. Extends Data Protection Compliance Deadline Again
WW – McAfee Mobile Security Report 2009
US – Body Scanners Replace Metal Detectors in Tryout
CA – Government’s Wireless Security Lax, Warns B. C. Auditor-General
CA – MLA Doesn’t Like Spy Drone Watching Us
UK – Fear Over Blanket CCTV at Pubs
CA – Surveillance Cams on Winnipeg Streets Raise Privacy Concerns
US – Bill Proposes ISPs, Wi-Fi Keep Logs for Police
US – Anonymous Caller? New Service Says, Not Any More
US – DHS Privacy Committee Offers Guidance
US – Missouri Bill Pushes Database for Prepaid Cell Phone Buyers
EU – Deutsche Bahn Workplace Spying Scandal Grows
Biometrics
Mexico will start a national register of mobile phone users that will include fingerprinting all customers in an effort to catch criminals who use the devices to extort money and negotiate kidnapping ransoms. Under a new law published on Monday and due to be in force in April, mobile phone companies will have a year to build up a database of their clients, complete with fingerprints. The idea would be to match calls and messages to the phones’ owners. Hundreds of people are kidnapped in Mexico every year and the number of victims is rising sharply as drug gangs, under pressure from an army crackdown, seek new income. Lawmakers who pushed the bill through Congress last year say there are around 700 criminal bands in Mexico, some of them operating from prison cells, that use cell phones to extract extortion and kidnap ransom payments. Most of Mexico’s 80 million mobile phones are prepaid handsets with a given number of minutes of use that can be bought in stores without any identification. The phones can be topped up with more minutes via vendors on street corners. The register, detailed in the government’s official gazette, means new subscribers will now be fingerprinted when they buy a handset or phone contract. The plan also requires operators to store all cell phone information such as call logs, text and voice messages, for one year. Information on users and calls will remain private and only available with court approval to track down criminals. Lawmakers say phone users must immediately report lost or loaned phones to avoid being held responsible for a handset used in a crime. [Source]
More than half of US State Department employees who use the department’s unclassified computer network now log on with smart cards that contain biometric data. The cards were issued through the department’s Biometrics for Logical Access Development and Execution (BLADE) public key infrastructure program. The program adds two controls at once: a user must present a fingerprint that matches the template held on the card, and the workstation locks as soon as the card is removed from it. [Source] See also: [Carnegie Mellon to join U.S. Intelligence biometrics center]
The State Department in late January began testing the use of digital certificates on Microsoft Word and Excel documents. State is using Group Policy Objects to lock down Microsoft Office so that employees cannot run any macros that State has not approved, says Jarrod Frahm, program manager of the Biometrics for Logical Access Development and Execution (BLADE) program. Documents carrying untrusted macros are a recurring risk to the network: an employee opens the file and the malicious code runs inside the perimeter, behind the firewall. The pilot is starting with the Information Resources Management office and then could expand to the public diplomacy and diplomatic security offices. State eventually would implement it agency-wide. State’s initial foray into securing Microsoft documents is part of a larger effort to use biometrics and a Public Key Infrastructure (PKI) to improve the security of the department’s computer networks and eventually its buildings. “Eventually we hope to get it to the point where all applications and Web sites are single sign-on capable so when you put your finger print in, you just have to reauthenticate to those sites,” said Frahm on Feb. 11 during a speech at a biometrics conference sponsored by the Institute for Defense and Government Advancement (IDGA) in Vienna, Va. [Source] [State Department uses biometrics for computer access]
Researchers at the University of Tilburg say that security checks based on an iris scan or a fingerprint are not secure enough. A recent investigation they conducted found that one in five such checks produced incorrect results. These occurred, for example, because of grease on a finger or a speck of dirt in an eye. Errors of that kind are false rejections, which hurt usability rather than let impostors through; the researchers’ broader concern is that a single biometric check, whatever its error rate, should not be the only factor. For this reason, they are calling for double controls, such as a combination of an iris scan with the entry of a numeric code. The Tilburg researchers have expressed their doubts about the security of such biometric measures, which are currently mainly in use at Schiphol airport. They worry that the stored biometric details may not be protected well enough and that unauthorised persons might be able to access them. Based on their findings, the researchers soon intend to make recommendations about security to the government. [Source]
A Vietnamese researcher will demonstrate at Black Hat DC next week how he and his colleagues were able to easily spoof and bypass biometric systems that authenticate users by scanning their faces. The researchers defeated the face-recognition logon built into Lenovo, Asus, and Toshiba laptops with inputs ranging from a photograph of the authorized user to brute-forcing with fabricated facial images. The result shows that these systems can be fooled by a phony picture of the legitimate user, giving an attacker access to the laptop. [Source]
Biometrics was a buzzword for a while, leading many to envision a secure future where your fingerprint (or retinal pattern or voice) would serve as a password replacement, negating the need for sticky notes and insecure passwords like “password”. The future has arrived in a way, and like many times when it actually comes, it’s simultaneously pretty cool… and a bit of a letdown. Upek’s Eikon Digital Privacy Managers bring fingerprint scanning to the masses, with Firefox and Mac support, simple and sturdy design, and an extremely low price (under $50). They also highlight reasons why the technology won’t soon be replacing passwords. We tested both the To Go version, which looks just like a USB memory stick, and the “not to go” version which offers a solid base and better indicators for where to place your finger. Both versions offer software support for Vista, XP, and Mac OSX Leopard, and are similar in most other respects. The “To Go” version is light and easy to use, immediately being recognized and also offering a nice protective slide over the scanning area. The “not to go” version has a slightly-too-short cable, but is quite attractive with blue LED lighting and a modern steel/grey look. Both models use a “slide” scanning technique, as opposed to some other scanners where you press your finger down and hold. This has benefits (no real need to clean the scanning surface) but also is harder to use. Which brings us to the crux of the issue: the extreme difficulty of getting the devices to work correctly. They are, simply put, finicky. They require precision, and our fingers and desks didn’t co-operate. Simply changing the angle of the scan makes a great difference, as does the starting position of your finger, and the speed of swiping. Consistency is important, and the indicator labels on the larger version help quite a bit.
It can take quite a bit of work to figure out the right process, and for those with sweaty or damp fingers it simply will not work well no matter what. There are some cute additions: the ability to start programs by swiping a particular finger, which works pretty well, and protection of a file vault, though not all features are available to Mac users. The price is definitely right for those who have always wanted to have their fingerprints work as their keys. [Source]
Canada
A judge in Canada has ruled that Internet users have “no reasonable expectation of privacy” regarding records kept by their Internet service providers (ISPs). The ruling was made in the course of a child pornography case in which law enforcement officers asked an ISP to provide subscriber information for an IP address that was allegedly used to access the content. Bell Canada provided the information without a warrant. Most Canadian ISPs require warrants before they will provide subscriber names, except in the case of child pornography. Privacy advocates are concerned the ruling could set a precedent that would put individuals’ entire surfing history at the disposal of law enforcement authorities without the need for warrants. They maintain the judge operated under the faulty assumption that the information obtained from the ISP is similar to what could be found in a telephone directory. [Source] [Source]
In a groundbreaking case, a B.C. Supreme Court jury has awarded a B.C. businessman $1.3 million in damages after finding a Canada Revenue Agency search violated his privacy. The jury also recommended the government agency apologize to Hal Neumann of Saanich for the September 2005 search of his home by five CRA agents and two armed and uniformed police officers for documents he had already given the government. The jury found Neumann’s right to privacy, which CRA employees infringed, was worth $1 million. The jury also found the CRA employees were negligent and damaged Neumann by breaching his rights to be free from unreasonable search and seizure under the Canadian Charter of Rights and Freedoms. They awarded him $150,000 for pain, injury, suffering and loss of enjoyment of life, $100,000 for aggravated damages and $50,000 for loss of income. The CRA is reviewing the B.C. Supreme Court decision and considering its next steps, media relations spokesman Noel Carisse said Wednesday from Ottawa. [Source]
Privacy Commissioner Jennifer Stoddart delivered a stern warning to the federal government yesterday, saying she is strongly opposed to any legislation that allows the “mass surveillance” of private e-mails and phone calls. She was reacting to the news that the government wants to update Canada’s wiretapping laws with new police powers to monitor criminal suspects in the digital era of cellphones and chat rooms. Public Safety Minister Peter Van Loan told a Commons committee Wednesday that his government would propose “changes to programming and legislation” that would modernize police powers to catch criminals using modern devices. Yesterday, the minister stressed that he supports Ms. Stoddart’s concerns and that legislation is not imminent. Opposition critics said they share the commissioner’s concerns and would want to see the details of any legislation before taking a position. [Source]
The federal government is repatriating a database of personal information about Canadian citizens after warnings the U.S. government might misuse it. The database with details about several hundred British Columbians was turned over to the U.S. Customs and Border Protection agency last year as part of a controversial project to issue “enhanced driver’s licences” instead of passports for land-border crossings. The pilot project is the first step in a Canada-wide program that could have seen the personal information of hundreds of thousands of Canadians handed over wholesale to American officials. But the Canada Border Services Agency has bowed to pressure from privacy advocates and is recalling the database, with the U.S. border agency promising to erase its records. Instead, as the project expands, the growing personal databanks will reside in Canada, accessible electronically, with strict limits, by American border officials. “The data will remain in Canada, and it will be accessed remotely,’’ said David Loukidelis, British Columbia’s privacy commissioner and a critic of the original plan. Each time personal data is accessed at the border, however, it is recorded permanently in the U.S. Treasury Enforcement Communications System or TECS, just as similar information is recorded in TECS whenever a passport holder is checked at the Canada-U.S. border. The second phase of the B.C. project, open to all Canadian citizens living in the province, is set to be launched this spring for those who don’t want to use a passport. About 48,000 of the enhanced driver’s licences are expected to be issued, said Alex Dabrowski, a spokesman for the B.C. government. The fee has not yet been established. Saskatchewan, Manitoba, Ontario, Quebec and Nova Scotia have also asked to sign on, some as early as this spring. In the meantime, privacy advocates remain concerned about the RFID technology, for fear the chips could be used to secretly track Canadian citizens. [Source]
Canada’s Federal Court must hear a case against Privacy Commissioner Jennifer Stoddart, reports Canadian Underwriter. The New Brunswick Appeal Court stayed proceedings in the case of State Farm Mutual Automobile Insurance Company v. Privacy Commissioner of Canada and Attorney General Canada, saying that only the Federal Court can determine the outcome of a direct challenge to the authority of the privacy commissioner. State Farm alleges that the privacy commissioner did not have the authority to compel the company to turn over information compiled on a person involved in a motor vehicle accident with a State Farm client. [Source]
Former privacy commissioner George Radwanski was cleared of fraud and breach of trust charges in an Ottawa courtroom last week. But his former chief of staff, Art Lamarche, was convicted on breach of trust charges for his part in securing more than $16,000 in unearned vacation pay for Radwanski, who served as federal privacy commissioner between 2000 and 2003. “Whatever (Lamarche’s) motivation may have been, it was effected for a dishonest purpose i.e. Mr. Radwanski’s unjustified enrichment,” Justice Paul Belanger wrote in his ruling. The findings conclude a lengthy Crown investigation into allegations that Radwanski used government funds to pay for lavish business lunches and inappropriate travel advances. [Source] See also: [Radwanski verdict highlights new risk for civil servants]
Consumer
The US Federal Trade Commission (FTC) last week issued a report critical of current Internet privacy policies. The report says that websites are for the most part not making clear to their users what information is being collected about them and how that information is used for advertising. Here’s what the FTC is asking marketers to do:
1. Provide transparency and consumer control.
2. Provide security and place limits on data retention.
3. Get “affirmative express consent” prior to using previously collected data differently than promised.
4. Get “affirmative express consent” before using “sensitive” data.
The report stops short of calling for federal regulation of online privacy rules, but its tone suggests that if websites and advertisers do not take steps quickly, that is exactly what will happen. The report is an update to voluntary guidelines for online behavioral advertising. Privacy groups say the report does not go far enough and that the time has come for legislation. [Source] [Source] [Source] [Mondaq] [FTC Report] [Privacy Mandates Could Be End of "Free" Internet: Szoka and Thierer Warn of FTC Interference in Online Advertising Market] [Consumer groups: FTC online ad policy falls short] [TRUSTe Praises FTC for Work on Behavioral Marketing; Agrees that Strong Industry Self-Regulation is Needed]
A U.S. appeals court on Friday denied a bid by the cable industry to overrule privacy rules that make it more difficult for them to share subscribers’ personal information with other parties. The U.S. Court of Appeals for the District of Columbia Circuit denied a petition by the National Cable and Telecommunications Association, which argued that federal rules on telecom carriers’ use of customer data violated free speech rights under the U.S. Constitution, federal law or both. [Washington Post]
Verizon.net is home to more than twice as many spam-spewing zombies as any other major ISP in the US, according to an analysis of the most recent data from anti-spam outfit Spamhaus.org. Verizon says it plans to put measures in place to prevent it from being used as a home to so many spammers. If spammers are attracted to the company’s network, it may be because Verizon still allows customers to connect outbound on TCP port 25, the SMTP port that mail servers use to relay messages to one another. An infected home PC that can reach port 25 on arbitrary hosts can deliver spam straight to the recipients’ mail servers; the common countermeasure is for the ISP to block outbound port 25 from consumer connections, except to its own relays, and have customers submit their mail through the ISP’s authenticated submission service on port 587. [Washington Post]
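As an added example (not code from the Washington Post article or from Verizon), the Python script below shows both halves of the problem over constructed flow records: a heuristic that flags customer hosts fanning SMTP connections out to many different remote mail servers, and the egress policy that drops customer traffic to port 25 unless it is bound for the ISP’s own relay, while authenticated submission on port 587 is left alone. All addresses, thresholds and log lines are made up for the example.

```python
"""Spam-zombie spotting and port-25 egress policy over constructed flow records."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Flow(NamedTuple):
    ts: str      # timestamp of the interval
    src: str     # customer (source) IP
    dst: str     # destination IP
    dport: int   # destination TCP port
    conns: int   # connections seen in the interval


# Constructed sample of outbound connection summaries from a residential
# access network (made up for this example, not real ISP data).
SAMPLE_FLOWS = """\
2009-02-16T10:00:01 198.18.0.10 192.0.2.10 587 3
2009-02-16T10:00:02 198.18.0.10 203.0.113.9 443 12
2009-02-16T10:00:05 198.18.0.11 192.0.2.10 25 2
2009-02-16T10:01:05 198.18.0.12 203.0.113.20 25 40
2009-02-16T10:01:06 198.18.0.12 203.0.113.21 25 35
2009-02-16T10:01:07 198.18.0.12 203.0.113.22 25 51
2009-02-16T10:01:08 198.18.0.12 203.0.113.23 25 48
2009-02-16T10:01:09 198.18.0.12 203.0.113.24 25 39
2009-02-16T10:01:10 198.18.0.12 203.0.113.25 25 44
2009-02-16T10:02:00 198.18.0.13 192.0.2.10 25 1
2009-02-16T10:02:01 198.18.0.13 203.0.113.30 25 1
"""

# Assumed address of the ISP's own mail relay / submission server.
ISP_MAIL_SERVERS: Set[str] = {"192.0.2.10"}


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow summaries, skipping blanks and comments."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, conns = line.split()
        flows.append(Flow(ts, src, dst, int(dport), int(conns)))
    return flows


def find_zombies(flows: List[Flow], min_distinct_mx: int = 5,
                 min_conns: int = 100) -> List[str]:
    """Flag sources that speak SMTP (port 25) to many distinct foreign hosts.

    A legitimate home client hands mail to its ISP's server and rarely, if
    ever, contacts remote mail exchangers directly; a spam bot fans out to
    many of them. Traffic to the ISP's own relay is not counted.
    """
    dests: Dict[str, Set[str]] = defaultdict(set)
    conns: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.dport != 25 or f.dst in ISP_MAIL_SERVERS:
            continue
        dests[f.src].add(f.dst)
        conns[f.src] += f.conns
    return sorted(src for src in dests
                  if len(dests[src]) >= min_distinct_mx
                  and conns[src] >= min_conns)


def port25_block_decision(flow: Flow) -> bool:
    """Egress policy: drop customer TCP/25 unless it goes to the ISP's relay.

    Submission on port 587 (and everything else) is always allowed, so a
    customer's own mail client keeps working while direct-to-MX spam stops.
    """
    return flow.dport == 25 and flow.dst not in ISP_MAIL_SERVERS


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("likely zombies:", find_zombies(flows))
    blocked = [f for f in flows if port25_block_decision(f)]
    print("flows the port-25 policy would drop:", len(blocked))
```

The fan-out heuristic is deliberately conservative (many distinct destinations and a high connection count); a single direct connection to a remote server, like the last record, is not enough on its own.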
EU Developments
The Government’s controversial plans to share personal data between departments and with the private sector are “too wide” and the safeguards “weak” according to privacy watchdog the Information Commissioner’s Office (ICO). The ICO has released its second opinion on the contents of the Coroners and Justice Bill, which proposes legalising greater sharing of information between Government departments and with outside contractors and private companies who request it. When the Bill’s proposals were first published, the ICO was less critical. The ICO now believes that the proposed new law poses some dangers to privacy and for Government’s accountability for the processing of personal data it has collected. “The Bill’s information-sharing provisions are too wide, and its safeguards relatively weak,” it said. “The provisions should only apply in precisely defined circumstances where there is a legal barrier to information sharing that would be in the public interest.” [Source] [ICO’s new opinion] [The Bill] See also: [Government data sharing plan could extend to private sector] and [Surveillance will cost more than £34 billion say Convention on Modern Liberty]
Two-thirds of people surveyed by the UK privacy watchdog want marketing opt-outs to be clearer, while 62% want a clearer explanation of how personal information will actually be used. The survey found that 71% did not read or understand privacy policies. The Information Commissioner’s Office (ICO) has begun a campaign to encourage companies to be more up-front about what their privacy policies mean. The ICO surveyed 2,141 people about their attitudes to the small print of privacy policies and found that 47% of people believed that companies deliberately made it hard to read or hard to understand, and 42% believed that the material only existed to justify the selling on of personal details. The ICO is running a consultation process on a proposed Code of Practice for companies to follow when publishing their privacy policies. It said that policies are written in deliberately obscure language which consumers find hard to understand, and that the policies are written to protect companies, not to inform citizens. [Source: ICO Consultation] See also: [A Creative Commons for privacy? ]
The European Commission has dismantled a group of five experts it assembled to review EU data protection legislation, following complaints that too many of its members represented American interests. The group was disbanded at the end of January, just a month after it first met. The group included Peter Fleischer, Google’s global privacy counsel; David Hoffman, director of security policy and global privacy for Intel; and Christopher Kuner, a privacy lawyer with U.S. law firm Hunton and Williams. The group is now expected to be reformed as a larger, more representative group. Henriette Tielemans, a privacy lawyer with U.S. law firm Covington and Burling, and Jacob Kohnstamm, chairman of the Dutch data protection authority, comprised the remainder of the group’s membership. [Source] [Source]
Facts & Stats
A survey from Forrester Research says that the percentage of IT operating budgets devoted to security is increasing, from 11.7% in 2008 to 12.6% in 2009. Fully half of the security budgets are earmarked for staffing and upgrades to existing technology. The report, “The State of Enterprise IT Security: 2008 to 2009”, surveyed nearly 950 IT and security managers in Europe and North America. [Source]
Finance
The United States has sued UBS AG in an effort to get the Swiss bank to turn over the names of as many as 52,000 wealthy Americans who allegedly tried to evade taxes on $14.8 billion in secret accounts. UBS failed to comply with a summons from the IRS issued last July to produce records related to the American accounts, the Department of Justice said in a petition to the Miami federal court. The Swiss government also has refused to cooperate, an IRS official said. UBS, the largest bank in Switzerland, said today it intends “to vigorously contest” court enforcement of the so-called IRS “John Doe” summons. The bank did turn over the names of 250 account holders today under the terms of a criminal settlement. It objected, however, to providing any more names. [Source] [UBS vows to fight demand for more names in tax case] [UBS tax deal is Swiss bank secrecy’s Waterloo] [Concerns about privacy rules hit Swiss banks] [UBS move shakes foundations of Swiss bank secrecy]
Privacy watchdogs are deciding whether to give credit companies more access to the financial details of millions of New Zealanders. Under a new system backed by credit reporting agencies, financiers would be able to obtain more information about prospective borrowers. A review is being done to see whether the companies should be allowed to see now-secret information, including how much credit someone has and who has loaned them the money. At present, the only information a lender can get about a borrower is how many times they have applied for credit (but not whether they were successful) and any negative details, such as whether they have defaulted on a loan or been bankrupted. The credit industry wants that extended to include whether the credit applications were approved, what type they were, who the loan was with, what the credit limit was, and whether the account is still open. Privacy Commissioner Marie Shroff said a reference group made up of government agencies, credit reporting agencies such as Dun and Bradstreet, credit providers and consumer advocates was reviewing the Credit Reporting Privacy Code. It was to report back in May, and the public would then be invited to comment. The proposed system is known as full file or positive credit reporting, and would replace New Zealand’s negative system. New Zealand and Australia are among a handful of countries that still use the negative system. [Source]
FOI
Canada’s information commissioner says existing access-to-information laws are too weak and lack measures that would force the federal government to hand over the records Canadians have a right to see. Commissioner Robert Marleau will table “a shopping list of legislative amendments” next month for MPs to consider. But he says it’s vital Treasury Board President Vic Toews take steps to force individual government departments to give their access-to-information offices the money and staff to fulfil their legal obligations under Canada’s Access to Information Act. Marleau said the decision by Canada’s Foreign Affairs Department to systematically prevent the release of hundreds of thousands of government records is a symptom of a much broader problem, where bureaucrats are trying to use every administrative trick in the book to avoid a mounting workload. “There is a systemic problem; it’s not just a departmental performance issue. The centre, like Treasury Board Secretariat, has to exercise some leadership to turn this ship around,” Marleau said. [Source] See also: [Foreign Affairs violating disclosure laws: experts]
The B.C. public faces unacceptable delays when asking for information from the provincial government under the Freedom of Information process, says the province's information and privacy commissioner. In his annual report released this week, David Loukidelis points to government-wide failure to respond to requests in a timely fashion. "In order to hold public bodies, the government, to account, we need to have timely access to information," said Loukidelis. "This is a chronic problem. It has been going on for well over 10 years." The delays appear to be caused, in part, by a complicated approval process in which some information requires as many as 12 people to sign off for release, he said. Poor records-management and complex cross-ministry consultations also slow things down. Government processed almost 6,000 FOI requests in 2008, with an average response time of 35 business days. Businesses and public bodies received on-time responses between 79 and 94% of the time. But Loukidelis said he found disturbing delays for media, political parties and special-interest groups. The government slowed to only 49% on-time requests for media and 53% for political parties. [Source]
Genetics
Forensic experts will soon be able to reconstruct facial features and skin just by reading DNA, U.S. scientists said. ‘Forensic molecular photofitting’ maps the genes that are linked to skin pigmentation and facial structure which means a person’s face could emerge from the analysis, Dr Mark Shriver from Pennsylvania State University said. The process has already been used to help identify and convict serial killer Derek Todd Lee who murdered seven women in Louisiana. [Source] See also: [Legislative push in Colorado to require DNA from anyone arrested on suspicion] and [Indiana Police want to add DNA from more people to database Critics say samples, via mouth swabs, violate rights]
Health / Medical
Canada Health Infoway, a government-funded non-profit that works to accelerate the adoption of electronic health records in Canada, is launching a new certification service for vendors who create consumer e-health applications such as Microsoft HealthVault and Google Health. The certification aims to make consumer health vendors build more security, privacy and interoperability features into their applications. The Toronto-based organization hopes its new e-Health Certification Service will encourage health IT vendors to take advantage of the considerable progress Canada has made in setting standards and deploying interoperable electronic health records. With interest in consumer health products continuing to grow, ensuring these solutions work well with technologies used to store Canadian health data is essential. In addition to better interoperability, organizations investing in certified e-health solutions can also expect a high degree of confidence that the products they buy meet stringent security standards. When applying for certification, a vendor will need to fill out a self-assessment form on how well their product meets Infoway’s standards. After passing this stage, vendors will have to “provide an overview of their privacy policy” and “demonstrate very specific test scripts through their applications,” according to Shelagh Maloney, Infoway’s executive director of external liaison. “Our ultimate goal is that buyers of these systems, especially the health organizations, will make it a mandatory requirement in their buying process to purchase consumer health platforms certified by Infoway,” she said. [Source]
America’s largest drugstore chain will pay $2.5 million for violations of the Health Insurance Portability and Accountability Act (HIPAA), reports Bloomberg. CVS Caremark Corp. settled federal charges for compromising customer privacy by failing to properly dispose of prescription records and drug bottles. The Federal Trade Commission (FTC) and Health and Human Services Department began investigating the company after media reports revealed the presence of sensitive customer information in open trash bins. The FTC also faulted the company for deceiving customers with ads asserting “that nothing is more central to our operations than maintaining the privacy of your health information.” [Source]
Horror Stories
A computer intrusion at the University of Alabama (UA) in November 2008 exposed information contained in 37,000 records of medical laboratory test results. The compromised information includes names, addresses, birthdates and Social Security numbers (SSNs) of people who have had lab work done on the UA campus since 1994. The intruder or intruders managed to access 17 UA servers. [Source]
Identity Issues
The Scottish Government’s Minister for Community Safety Fergus Ewing has reiterated its complete opposition to UK Government proposals for a National Identity Scheme. The Minister made his views clear in a response to a consultation by the Westminster Government on their ID cards secondary legislation. Commenting on the scheme, Fergus Ewing said: “The Scottish Government continues to be completely opposed to the National Identity Scheme, and the Scottish Parliament recently supported a call for the UK Government to cancel its plans for the National Identity Scheme.” The Scottish Government is restating its principled opposition to the scheme as well as seeking clarification on the following issues:
1. The lawfulness of the National Identity Register in light of the S and Marper decision by the European Court of Human Rights, which found that storing biometric data of persons investigated but not convicted of crimes breached their right to respect for private and family life (Article 8, Human Rights Act).
2. Whether the current wording of the draft secondary legislation amounts to unlawful sub-delegation to a designated authority of the duty to ensure that an ID card has been issued.
3. If Scottish registration information is used for the purpose of verifying the information on the National Identity Register, the secondary legislation should state that this is to be done using section 9 powers of the Identity Cards Act 2006.
[Source]
Intellectual Property
The CRTC begins hearings this week on “new media” with the prospect of new Canadian regulation on Internet broadcasting. A key issue will be whether a new tax on ISPs is established to fund the creation of Canadian content. [Source]
Internet / WWW
Rather than requiring every service provider in the UK to keep its own user communication information to comply with European data retention rules, the UK government plans to use BT and other “high tier providers” to retain the data. The move comes as a result of the government’s decision not to bear the burden of paying for each individual provider’s compliant data retention system. UK draft laws require retention of IP address and session data for 12 months. The data retention scheme is expected to cost taxpayers about £46 million. [Source] [Source]
A consortium of academics announced at the American Association for the Advancement of Science that they have accessed a phenomenal amount of data captured from Everquest 2 that they will use to inform new theories in human behaviour. The data was scraped from the Sony computer servers and includes 60 terabytes of information about what players do when they’re online. Researchers have been exploring the opportunities that the logs of online games offer social science since the early text-based MUD and MOO days, using chat and activity records to inform our understanding of online interactions. Now, however, the academy is interested in applying the knowledge they gain to offline life. [Source]
Law Enforcement
Canada’s police chiefs lined up to support B.C.’s fight against gang violence and urged Ottawa to make much-needed legal changes to help police battle crime. Steven Chabot, president of the Canadian Association of Chiefs of Police, said what’s really needed are new federal laws to help police wiretap digital devices and make evidence disclosure less of a burden on the legal system. “There is almost universal understanding this is a crucial area of law that needs updating,” Chabot said at a meeting of B.C. police chiefs in Victoria. “What is required now is for the Government of Canada to act.” B.C. Solicitor General John van Dongen said he’ll travel to Ottawa next week to lobby the federal government. [Source]
Offshore
Any economic downturn brings new risks to your organization. Nervous employees who fear downsizing may be tempted to gain unauthorized access to sensitive information stored across applications, temporary workers are less loyal, and identity verification processes for full-time employees may not be used, all of which make your organization more susceptible. For this reason, identity and access management (IAM) remains a top priority for security professionals. In Forrester's "The State of Enterprise IT Security: 2008 to 2009," 82% of security decision-makers reported that IAM would be an important or very important issue for their IT security organization in the coming year. Forrester predicts that the IAM market will grow from nearly $2.6 billion in 2006 to more than $12.3 billion in 2014. [Source]
Online Privacy
After a wave of protests from its users, the Facebook social networking site said on Wednesday that it would withdraw changes to its so-called terms of service concerning the data supplied by the tens of millions of people who use it. The about-face was made known to many users in a message posted on the Facebook home page saying: “Over the past few days, we have received a lot of feedback about the new terms we posted two weeks ago. Because of this response, we have decided to return to our previous Terms of Use while we resolve the issues that people have raised.” The posting invited users to click on a link to get more details. Terms of service generally outline appropriate conduct and grant a license to companies to store users’ data. Unknown to many users, the terms frequently give broad power to Web site operators. Earlier this month, Facebook deleted a provision from its terms of service that said users could remove their content at any time, at which time the license would expire. It added new language that said Facebook would retain users’ content and licenses after an account was terminated. Last Monday, the company’s chief executive, Mark Zuckerberg, said in a blog post that the philosophy “that people own their information and control who they share it with has remained constant.” But, at that time, he did not indicate the language would be revised. The changes in the terms of service had gone mostly unnoticed until Sunday, when the blog Consumerist cited them and interpreted them to mean that “anything you upload to Facebook can be used by Facebook in any way they deem fit, forever, no matter what you do later.” Given the widespread popularity of Facebook — by some measurements the most popular social network with 175 million active users worldwide — that claim attracted attention immediately. The blog post by Consumerist, part of the advocacy group Consumers Union, received more than 300,000 views. Users created Facebook groups to oppose the changes. To some of the thousands who commented online, the changes meant: “Facebook owns you.” [Source]
Reacting to an online swell of suspicion about changes to Facebook’s terms of service, the company’s chief executive moved to reassure users that the users, not the Web site, “own and control their information.” The online exchanges reflected the uneasy and evolving balance between sharing information and retaining control over that information on the Internet. The subject arose when a consumer advocate’s blog shined an unflattering light onto the pages of legal language that many users accept without reading when they use a Web site. The pages, called terms of service, generally outline appropriate conduct and grant a license to companies to store users’ data. Unknown to many users, the terms frequently give broad power to Web site operators. This month, when Facebook updated its terms, it deleted a provision that said users could remove their content at any time, at which time the license would expire. Further, it added new language that said Facebook would retain users’ content and licenses after an account was terminated. Mark Zuckerberg, the chief executive of Facebook, said in a blog post on Monday that the philosophy “that people own their information and control who they share it with has remained constant.” Despite the complaints, he did not indicate the language would be revised. The changes in the terms of service had gone mostly unnoticed until Sunday, when the blog Consumerist cited them and interpreted them to mean that “anything you upload to Facebook can be used by Facebook in any way they deem fit, forever, no matter what you do later.” Given the widespread popularity of Facebook, that claim attracted attention immediately. The blog post by Consumerist, part of the advocacy group Consumers Union, received more than 300,000 views. Users created Facebook groups to oppose the changes. To some of the thousands who commented online, the changes meant: “Facebook owns you.” Facebook moved swiftly to say it was not claiming to own the material that users upload. It said the terms had been updated to better reflect user behavior — for instance, to acknowledge that when a user deletes an account, any comments the user had posted on a page remain visible. For Facebook, the ability to store users’ data and use their names and images for commercial purposes is important as it seeks to make more money from the virtual interactions of friends. Amid the evolution, at least a few members are showing their uneasiness about the stance that Facebook is taking. Some members, including Sasha Frere-Jones, the pop critic and staff writer for The New Yorker, said they had deleted their accounts to show their opposition to the new terms. [Source]
A U.S. District Court judge dismissed an invasion of privacy suit against Google on Tuesday. The case was brought by a Pittsburgh couple who claimed photos of their home on Google Map’s Street View service caused them mental anguish and decreased the value of their home. The judge said that the couple “failed to state a claim under any count,” the report states. Street View has created controversy worldwide. Last month, a private Minnesota community successfully demanded that the company remove images of its streets and homes. At the request of authorities in many countries, Google has agreed to add face and license plate-blurring technology in order to lessen privacy impacts. [Source]
Following on the heels of Facebook’s decision to rescind a highly controversial move to store all content posted on the social network, new data has emerged to support consumers’ increasing alarm over online privacy. The vast majority—80.1%—of Web surfers are indeed concerned about the privacy of their personal information such as age, gender, income and Web-surfing habits, according to a survey of some 4,000 Web users administered and analyzed by Burst Media. More worrisome, perhaps, is the finding that privacy concerns are prevalent among all age segments, including younger demographics that are coming of age online. Still, privacy concerns do appear to increase with age, from 67.3% among respondents ages 18-24 to 85.7% of respondents 55 years and older. In addition, the Burst survey found that most Web users believe Web sites are tracking their behavior online. Three out of five—62.5%—respondents indicated it is likely that a Web site they visit collects information on how they navigate and interact with it. Based strictly on the description “advertisements more relevant to interest,” only one in five respondents—23.2%—said they would not mind if non-personally identifiable information was collected if ads were better targeted. [Source] [Burst Media News Release]
Other Jurisdictions
An international group of judges and lawyers has warned that systemic torture and other abuses in the global “war on terror” have “undermined cherished values” of civil rights in the United States, Britain and other countries. “We have been shocked by the damage done over the past seven years by excessive or abusive counterterrorism measures in a wide range of countries around the world,” Arthur Chaskalson, a member of the International Commission of Jurists, said in a statement announcing the results of a three-year study of counterterrorism measures since the Sept. 11, 2001, attacks in the United States. “Many governments, ignoring the lessons of history, have allowed themselves to be rushed into hasty responses to terrorism that have undermined cherished values and violated human rights,” said Chaskalson, a former chief justice of South Africa. The Geneva-based panel’s conclusions, released Monday, were echoed by a former British domestic intelligence chief, who said people in Britain felt as if they were living in a “police state” because of the government’s counterterrorism actions. “It would be better that the government recognized that there are risks – rather than frightening people in order to be able to pass laws which restrict civil liberties, precisely one of the objects of terrorism – that we live in fear and under a police state,” said Stella Rimington, former head of MI5, the domestic intelligence-gathering agency. [Source]
Privacy (US)
“Our Privacy Office is viewed as a leader in the federal government in public outreach and as [a] model for privacy impact assessments.” – DHS Secretary Janet Napolitano. U.S. Department of Homeland Security Secretary Janet Napolitano announced her appointment of Mary Ellen Callahan as the department’s chief privacy officer. For more than 10 years, Callahan has specialized in privacy, security, data protection, consumer protection and e-commerce law, currently as a partner at Hogan & Hartson, LLP. She is the co-chair of Online Privacy Alliance, a self-regulatory group of corporations and associations established to create an environment of trust and foster the protection of individuals’ privacy online. Callahan also serves as vice-chair of the American Bar Association’s Privacy and Information Security Committee of the Antitrust Division. She holds a Juris Doctor from the University of Chicago Law School and graduated magna cum laude from the University of Pittsburgh. [Source]
Massachusetts officials have once again extended the deadline for compliance with the state’s stringent data security regulations. Organizations now have until January 1, 2010 to ensure that any personal data they retain that belong to Massachusetts residents are protected in a number of ways, including encrypting data while they are being transmitted over public networks or stored on devices that can be carried from one location to another, and limiting the amount of information they retain. The decision to extend the deadline was based in part on the current economic climate as well as the need to allow companies ample time to make the necessary changes to their systems. State regulators have also pared back their demands that third parties with access to the data be required to demonstrate that they are compliant with the requirements as well. Originally, the compliance deadline was January 1, 2009; last November, the date was pushed back to May 1, 2009, and last week, it was once again extended. [Source] [Mixed reception to Mass. data regs changes]
Security
According to McAfee’s Mobile Security Report 2009, half of mobile phone manufacturers said they had experienced security incidents in the last year, including malware attacks and voice and text spam. Seventy percent of respondents believe security of mobile devices is a critical issue. Nearly half of those responding said that they had felt a significant financial impact from the cost of addressing security issues in their devices. Most of those responding believe that security improvement costs should be the responsibility of service providers or manufacturers instead of end users. Among the most serious security concerns are mobile payments, installing applications and Wi-Fi and Bluetooth connections. [Source] [Source] [Report] [Internet Storm Center Comment]
For the first time, some airline passengers will skip metal detectors and instead be screened by body scanning machines that look through clothing for hidden weapons, the Transportation Security Administration said. An experimental program that begins at Tulsa International Airport will test whether the $170,000 body scanners could replace $10,000 metal detectors that have screened airline passengers since 1973. Airports in San Francisco, Las Vegas, Miami, Albuquerque and Salt Lake City will join the test in the next two months. The scanners aim to close a loophole by finding non-metallic weapons such as plastic and liquid explosives, which the TSA considers a major threat. The machines raise privacy concerns because their images reveal outlines of private body parts. “We’re getting closer and closer to a required strip-search to board an airplane,” said the ACLU. Privacy advocates fear that passengers won’t understand that the scanners take vivid images that screeners view. Christopher Bidwell, security chief at the Airports Council International trade group, said the scanner “really does not reveal as much as some people might think.” The scanners aim to address problems exposed by government probes in which covert agents got liquid explosives and detonators through airport checkpoints. A 2005 Homeland Security report urged better checkpoint technology. Security analyst Bruce Schneier, a frequent critic of the TSA, said the scanners should improve security but warned that they take longer than metal detectors - 30 seconds vs. about 15 seconds per passenger. “There will be pressure to do the screening faster, which will be sloppier,” Schneier said. [Source]
B.C.’s Auditor-General has identified shortcomings in the security of wireless communications in B.C. government offices in Victoria. John Doyle released a report titled Wireless Networking Security in Victoria Government Offices, which came after he conducted a high-level security assessment of government wireless access points in the Victoria area. Two-thirds of scanned wireless access points near government buildings used only modest encryption, or none at all, to ensure secure transmission of information, he said. In one particular location, it was possible to access information transmitted over an unsecured link from several hundred metres around the building. “Given that wireless technologies are becoming increasingly popular, it is essential that government ensure appropriate levels of security for wireless communication,” he said. [Source] [Report]
Surveillance
The MLA of a southern Manitoba community said he’s worried about an unmanned American surveillance plane that will be able to spy on a strip of Canadian soil as it patrols near the border. Emerson MLA Clifford Graydon voiced his concerns after the high-profile launch of the Predator B in Grand Forks, North Dakota, on Monday by U.S. Customs and Border Protection (CBP). The U.S. $10.5 million remote-controlled plane is part of American efforts to crack down on potential terrorist threats and other illegal activity, said CBP Air and Marine Assistant Commissioner Michael Kostelnik. The Predator B is not allowed to come within 16 kilometres of the U.S.-Canada border, Kostelnik said, but the aircraft can use its sensors to collect information from the ground from as far as 25 kilometres. That’s about nine kilometres past where U.S. territory ends. Graydon said he’s not happy he wasn’t informed that the plane could potentially pick up information from his community. Emerson is about 300 metres north of the border, and is one of at least four southern Manitoba communities that will potentially fall within the Predator B’s surveillance range. “All the way to the Ontario borders there are communities. I don’t think they should be monitored,” said Graydon. [Source]
The Morning Advertiser reports that officials in some areas are basing pub license approvals on the owner’s willingness to install closed circuit television (CCTV) and release footage to police upon request. The UK Information Commissioner’s Office (ICO) has expressed concern over these reports, stating that: “Hardwiring surveillance into the UK’s pubs raises serious privacy concerns.” Islington police say they recommend pubs be outfitted with CCTV, but that official decisions on licensing are determined by another authority. The ICO says it will contact the police and others to discuss the matter. [Source]
Winnipeg has joined the growing list of cities using security cameras to monitor public places, although there are questions whether that’s more of an invasion of privacy than a way to fight crime. The municipal police force set up two cameras atop the city’s main library Thursday. Eight more cameras will be placed in other crime-ridden downtown areas in a one-year pilot project that could eventually expand to other sites. There’s consensus that cameras can help solve crimes after the fact by identifying suspects, but the verdict is still out on whether the cameras actually prevent it. Winnipeg police Supt. Gord Schumacher admitted Thursday that results in other cities have been mixed. Sometimes, crime simply moves to other areas. In Edmonton, security cameras set up following a 2001 Canada Day riot on Whyte Avenue, a popular strip of bars and boutiques, failed to do anything, according to the Alberta privacy commissioner’s office. The cameras were taken down after a few months. Security cameras in public areas also raise privacy concerns. Anyone walking along the street can have his or her image taken and kept by authorities. Winnipeg police say they followed advice from Manitoba’s ombudsman and have firm guidelines to prevent possible abuse. Images will be destroyed after 96 hours and are only available to the pilot project’s co-ordinator in the investigation of a police report, Schumacher said. [Source]
Telecom / TV
Republican politicians have called for a sweeping new federal law that would require all Internet providers and operators of millions of Wi-Fi access points, even hotels, local coffee shops, and home users, to keep records about users for two years to aid police investigations. The legislation, which echoes a measure proposed by one of their Democratic colleagues three years ago, would impose unprecedented data retention requirements on a broad swath of Internet access providers and is certain to draw fire from businesses and privacy advocates. Two bills have been introduced so far: S.436 in the Senate and H.R.1076 in the House. Each of the companion bills is titled “Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act,” or Internet Safety Act. [CNET] See also: [UK’s financial traders to record phone calls, emails from next month]
A new service set for launch Tuesday allows cellphone users to unmask the Caller ID on blocked incoming calls, obtaining the phone number, and in some cases the name and address, of the no-longer-anonymous caller. The service, called TrapCall, is offered by New Jersey’s TelTech systems, the company behind the controversial SpoofCard Caller ID spoofing service. The new service is likely to be even more controversial — and popular. “What’s really interesting is that they’ve totally taken the privacy out of Caller ID,” says former hacker Kevin Mitnick, who alpha-tested the service. TrapCall’s basic unmasking service is free, and includes the option of blacklisting unwanted callers by phone number. It also allows you to listen to your voicemail over the web. It’s currently available to AT&T and T-Mobile subscribers, with support for the other major carriers due within weeks. [Source]
US Government Programs
The Department of Homeland Security’s Data Privacy and Integrity Advisory Committee has offered DHS Secretary Janet Napolitano 16 recommendations on how to best address privacy issues currently facing the department. The panel stressed that “the need to update the government’s legal authority to protect and defend cyberspace in the U.S. classified intelligence systems raise specific and sometimes significant privacy issues, including the conflict between transparency and redress.” The committee has asked that each DHS component - such as the Federal Emergency Management Agency and Office of Intelligence and Analysis - have a designated privacy officer that would report to the head of the section. The committee also “encourages DHS to continue to work toward policy and functional interoperability in the development of new systems and when making major modifications to existing systems,” according to a letter from the committee hand delivered to Napolitano. Additionally, the panel said the 1974 Privacy Act has “not kept pace with the evolution of technology and developments in how data is collected, used, shared and stored. To the extent the Secretary is asked to submit recommendations to Congress for making the act more relevant and effective, the committee recommends that the secretary seek guidance from the Privacy Office staff, who are experts in applying the Act’s provisions throughout the department.” [Source]
US Legislation
A St. Joseph Democrat is trying to move organized crime's abuse of disposable cell phones off track. Rep. Ed Wildberger proposed legislation (HB 53) in a statehouse committee this week that would affect anyone trying to buy more than a handful of the phones. He suggested that their names and driver's license information be entered into a database, which the Missouri State Highway Patrol would be able to access, similar to the state's method of tracking Missourians who purchase certain medicines, such as pseudoephedrine. [Source]
Workplace Privacy
In the wake of the workplace surveillance scandal at Deutsche Bahn, some are calling for CEO Hartmut Mehdorn’s removal, reports DW-World. A company-commissioned report presented to the Bundestag last week revealed that the state-owned national rail operator hired investigators to compare employees’ bank data with supplier information in order to identify corruption. The CEO has apologised to employees, including 800 company executives, in a letter. But Mehdorn’s apology and his account of the matter have failed to put the issue to rest. “He raises more questions than he answers,” said German Transportation Minister Wolfgang Tiefensee. Left Party spokeswoman Dorothee Menzner said: “His resignation can no longer be put off.” [Source] [Deutsche Bahn shaken by spying scandal]
+++