Privacy News Highlights
14–20 March 2009
Contents:
EU – Biometric Visas: Kids Under 12 Won’t Need to Give Fingerprints, Says EU
US – Facial Recognition Helps Indiana Secure Drivers’ Licenses
EU – Dutch Payment by Fingerprint Initiative Stopped
EU – Air France Trials Biometric Boarding Cards
CA – National Public Forum on EDLs, Privacy & Surveillance at the Canada-U.S. Border
CA – Ontario’s Bill 150: Warrantless Search & Seizure In the Name of Green
CA – Toronto Judge Rules Private Facebook Content Discoverable
CA – Revenue Officials Appeal ‘Earth-Shattering’ $1.3-Million Lawsuit
US – EPIC Asks FTC to Investigate Google
CA – Alarm Raised Over B.C.ers’ Personal Info Going to U.S.
EU – Data Retention Directive Provokes Widespread Condemnation
US – Wal-Mart Plans to Market Digital Health Records System
AU – Doctors ‘Prepared to go to Jail’ to Protect Patient Privacy
US – New Mexico Electronic Medical Records Bill Goes to the Guv
WW – Researchers Find Ways to Sniff Keystrokes from Thin Air
UK – Straw Climbdown on the Big Brother Personal Datashare Plan
EU – Parliament Reaches Good Balance Between Data Protection & Transparency
UK – Hotline Allows Workers to Find Out if They Were Blacklisted on Secret Database
EU – Art 29 WP Announces Data Protection Conference on New Technologies
UK – UK to Monitor, Store All Social-Network Traffic?
AU – Internet Filter List Of Porn Exposed
US – PCI Security Standards Council Issues Prioritized Approach for Compliance
EU – Switzerland to Relax Banking Secrecy Laws
US – FBI Records Lowest Performance for FOIA Performance
US – Poll Finds Government Continues to be Perceived as Secretive
US – Patients Want E-Record Access: Deloitte
US – Rx Database Access in Question
CA – Bernier Applauds Saskatchewan Stall on EDLs
CA – Enhanced Licence Comes to Quebec
CA – Ontario Commissioner Expounds on EDLs
US – Anonymity and Privacy Should Not Add Up to Prison Time: EFF
UK – UK Government Outlines Digital Rights Agency Proposal
EU – Swedes Say No to Copyright Law: Poll
UK – Thief uses Google Earth to Identify Lead Roofs
WW – Browser Add-on Locks out Targeted Advertising
US – Many See Privacy on Web as Big Issue
JP – Japanese Court Orders ISP to Reveal File Sharer’s Identity
WW – Facebook Lets Members Make Profile Elements Wide Open
UK – Phorm Launches Newsletter, Tackles ‘Distorted Reception’ of BA Space
CA – Canada’s First Street View Map Service Unveiled Amid Privacy Concerns
UK – Privacy Campaigner Vows Legal Challenge to Google Street View
TW – Taiwan Human Rights Groups Slam KMT Legislator’s Privacy Proposal
US – Senator Olympia Snowe Honored With IAPP 2009 Privacy Leadership Award
US – Nevada Senators Question Need to Comply With Real ID Act
WW – Application Security Best Practices: A New Maturity Model for Building Security In
US – Government Accountability Office Issues Report
US – Reps Drafting Anti-Behavioral Advertising Bill Aimed at Google
US – Civil Liberties Groups Oppose Gov’t Mobile-Phone Tracking
US – California Law Would Force Motorists to Report Mileage
US – Illinois Rx Drug Database Raises Privacy Concerns
US – Lawmakers Reportedly Drafting Bill to Address Behavioral Advertising Issues
US – Privacy Law Would Require Opt-In
FI – Finnish President Ratifies Law Allowing Employees’ eMail Activity Monitoring
Biometrics
Children under twelve will be exempted from the requirement to provide fingerprints, as MEPs wished, following an agreement with the Council approved by the EP Civil Liberties Committee, which also approved the following.

SHARING OF EQUIPMENT FOR COLLECTING BIOMETRIC DATA: MEPs would like to see new methods of organisation to ease the registration of visa applicants and reduce costs to Member States. A special type of representation, purely to receive applications and collect biometric data, would be set up alongside diplomatic and consular representations. In this way Member States would not need to equip every one of their consulates with biometric collection equipment. These joint centres would also help strengthen consular co-operation locally. However, Member States would remain free to provide their diplomatic and consular offices with such equipment if they wished.

SUBCONTRACTING ONLY AS A LAST RESORT: In exceptional circumstances, a Member State may co-operate with an external service provider if, because of a very high number of visa applications, it is impossible to organise the collection of biometric identifiers in appropriate conditions or to ensure sufficient geographical cover in the country concerned in another way. [Source]
The Indiana Bureau of Motor Vehicles (BMV) has taken another step toward warding off identity theft by deploying facial-recognition technology in all its 140 branches. The BMV joins more than 20 states by adding facial-recognition features to new licenses. The BMV launched a pilot project in November 2008 in three branches to develop procedures, then went live statewide only a month later. When a citizen applies for a new license or renews an existing one, his or her photo is taken and “enrolled” in the system. Each evening, the BMV’s system runs the photo against existing images in a database of approximately 6.5 million license holders. Using algorithms, the system produces a score that indicates the probability of a match with any existing photos. Scores over a certain threshold are reviewed the next morning by personnel. Throughout Indiana’s 140 motor vehicle branches, there are usually about 500 reviews daily, or about 5% of the images processed. The BMV expects to add about 1.8 million licenses yearly to the system and predicts it will be searching through 14 million every day by the end of the contract. At the end of the four-year contract, the state will own the system or it can renew the contract. The state would then own the hardware and images. If Indiana renews the contract, L-1 would modify the system routinely with the latest technology. [Source]
Dutch supermarket chain Albert Heijn has decided not to follow up on a trial with payment via fingerprint. The trial was conducted at a branch near Amsterdam, where 580 participants were able to pay for their daily groceries using their fingerprint instead of cash or debit cards. The trial, which lasted 6 months, was the first of its kind in the Netherlands, where more than half of all supermarket transactions are completed using a debit card. During the first weeks of the trial, experts already pointed out a number of security issues arising from the use of the fingerprint payment method. A security expert managed to pay using someone else’s fingerprint. Albert Heijn has now decided not to follow up on the trial, citing ‘security issues and vulnerability to fraud’. [Source]
Air France has started trialling RFID-equipped smartcards which store passenger fingerprints to allow automated boarding. The card contains an encrypted version of forefinger and thumb prints. It can be used at a dedicated gate, which checks the card, compares it to the passenger’s finger or thumb print and, assuming the dabs match, opens the gate. The back of the card has flight information printed on it and can be re-used up to 500 times. This includes a barcode with all the same information as a traditional paper boarding pass. So a passenger can check in online, get to the airport and insert their card into a machine which will then print their flight information and seat number onto the card. The airline claims registering for a card takes only a few minutes, and that once information is transmitted to the card no files are kept elsewhere. The trial runs until the end of the year, but only for members of AF’s frequent flyer programme and only for flights between Paris Charles de Gaulle and Amsterdam Schiphol. Air France hopes to extend use of the card to other companies like Hertz so passengers could use the card to pick up a car key at their destination. [Press release] [Source]
Canada
A national forum on EDLs is being organized by the Canadian Civil Liberties Association, the Consumers Council of Canada, the Council of Canadians, the Information Policy Research Program of the Faculty of Information - University of Toronto and the International Civil Liberties Monitoring Group. This public forum is an opportunity for Parliamentarians, policy makers, the media and the public to learn more about EDLs that are being introduced across Canada. These new licences raise important civil liberties and privacy-related concerns, as they include radio-frequency identification (RFID) and biometric capabilities. They also have the potential to evolve into a de facto national I.D. card without any legislative debate. Two panels featuring Chantal Bernier, Assistant Privacy Commissioner of Canada, Michelle Chibba, Director of Policy at the Information and Privacy Commission of Ontario, as well as Canadian and U.S. civil society experts will focus on the impacts of these new identity documents. Speakers will also discuss Ontario’s Bill 85 and the Real ID program in the U.S. University of Toronto researchers and Prof. Andrew Clement will also demonstrate the capabilities of the RFID and biometric technology used in BC’s and other provinces’ EDLs. March 24, 2009 from 9:00 to 12:00 - Ottawa Library Auditorium, 120 Metcalfe. [Complete program]
Late last month, Ontario Energy Minister George Smitherman introduced Bill 150, the Green Energy and Green Economy Act. It makes an energy audit compulsory for the sale (and some leases) of every residential property in Ontario. The bill contains some “scare powers”:
an inspector may, without a search warrant, enter any place where he or she believes that there are documents relating to an offer to sell or to lease a residence. This would include a lawyer’s office, a real estate office, and - with a search warrant - even a private home. The inspector has the right to demand to see any documents that are relevant to the home energy audit and take them away for the purpose of making copies. ...require any person to assist with an inspection. ...failure to co-operate with a search is punishable by a penalty of up to $10,000. Corporations can be fined up to $25,000. [Source]
Chatting with “friends” on social networking sites could have legal implications and turn Facebook users into their own worst enemies. A Toronto judge has ordered a man suing over injuries from a car accident to answer questions about content on his Facebook page that is off-limits to the public. Lawyers for Janice Roman, the defendant in the lawsuit, believe information posted on John Leduc’s private Facebook site - normally accessible only to his approved “friends” - may be relevant to his claim that an accident in Lindsay, Ont., in 2004 lessened his enjoyment of life. [Source] [Source] [Facebook user must open up about private content] See also: [A study from New Jersey shows that Megan’s Law is ineffective in reducing sex crimes or deterring recidivists]
The Canada Revenue Agency is appealing a groundbreaking ruling that awarded a Vancouver Island businessman $1.3 million after searchers violated his privacy. Last month, Hal Neumann of Saanich won his case against the CRA and the attorney general, when a B.C. Supreme Court jury found that a September 2005 search of his home by five CRA agents and two armed and uniformed police officers for documents he had already given the government violated his rights. The CRA and the attorney general said in their appeal notice that the jury had no jurisdiction to hear the case. The notice of appeal also calls the $1-million award “wholly out of proportion” to damages made in similar cases. They also are appealing the decision to force the national revenue minister to apologize to Neumann because he is not a named party in the lawsuit. The jury found Neumann’s right to privacy, which CRA employees infringed, was worth $1 million. [Source]
Consumer
The Electronic Privacy Information Center (EPIC) yesterday asked the U.S. FTC to investigate the privacy and security safeguards of Google’s cloud computing services. The formal complaint requests that the commission look into Google Docs, Gmail and other cloud services offered by the company. The filing cites a breach earlier this month involving Google Docs. “We think the time is right for the FTC to look more closely at cloud computing services,” said EPIC executive director Marc Rotenberg. A Google spokesperson said: “We are highly aware of how important our users’ data is to them and take our responsibility very seriously.” [New York Times] [EPIC filing]
E-Government
The B.C. government plans to contract out its computer nerve-centre to a U.S. company. Officials are negotiating with EDS Advanced Solutions, a subsidiary of Hewlett-Packard, for the operation of its mainframe computer servers at Victoria. The plans concern some who say that government information, including documents, e-mails, citizens’ names and records, and cabinet documents, will be vulnerable to the Patriot Act provision that enables U.S. authorities to access U.S. companies’ information. New Democrat MLA Michael Sather asked: “How can they ensure that our personal information is being protected if government doesn’t have proper oversight of it?” [Source]
Electronic Records
UK internet service providers will all have to store communication information from customers for a full year starting on 15 March, as part of the controversial EU Data Retention Directive (PDF). Under the directive, details of every email, phone call and text message sent or received, including information such as IP address and time of use, will have to be recorded. Police and security experts will be able to request access to the information to help combat terrorism and cyber crime, but only with a court order. Nonetheless, the move has sparked serious concerns from privacy groups, IT security firms and legal experts. Susan Hall, an ICT and media partner at law firm Cobbetts LLP, maintained that such a database is “the antithesis of what the whole internet is about”. [Source] [All travel plans to be tracked by Government] [Big Brother to spy on your holidays as security database is set up to log all trips abroad]
Wal-Mart, the world’s biggest retailer, hopes to do for electronic health records what it has done for dog food, plastic lawn chairs, and some generic drugs: make them widely accessible for a reasonable price. Instead of suburban shoppers, Wal-Mart this spring will be targeting physicians’ practices with bundled hardware, software, installation, maintenance and training. Through its Sam’s Club division, Wal-Mart will become a systems integrator, bundling hardware from partner Dell with software, or rather software-as-a-service, from Massachusetts-based eClinicalWorks. Long a target of workers’ groups armed with wage and benefit complaints (among other charges), the company has been delving into the crossroads of health and IT lately.
· This week it took out a full-page ad in Roll Call, a publication for members of Congress, calling for “quality, affordable health insurance” for “every person in America.”
· In October, it rolled out e-health records to all 1.4 million of its employees and their dependents.
· Since 2006 Wal-Mart has offered a list of around 350 generic prescription drugs priced at $4 for a 30-day supply. In February the list became available to physicians subscribing to Epocrates’ Web-based and mobile clinical content.
· The retailer has begun building walk-in medical clinics in some stores and aims to open 2,000 nationwide within 5 - 7 years.
Wal-Mart’s foray into the healthcare industry, specifically into the e-records business is laudable on its face, representing fashionable twin attributes, Change and Progress. But serious questions about privacy and security cannot be ignored. [Source]
Government officials want access to more physicians’ records but doctors say they’d rather go to jail than give them up. Officials want to increase the number of Medicare audits to look for instances of Medicare over-servicing. They estimate it could save taxpayers about $147 million over four years. The Australian Medical Association is against the plan, citing privacy issues. Human Services Minister Joe Ludwig said his department worked with the Privacy Commissioner’s office “to get this right,” and that he looks forward to talking with the AMA president about the issue. Ludwig said Medicare officers would “work with the highest regard to privacy.” [Source]
A bill that would require security and privacy protections (pdf) related to the use of electronic medical records is on its way to Gov. Bill Richardson. The House passed the Electronic Medical Record Act last week. The Senate passed it earlier in the session. The bill, sponsored by state Sen. Peter Wirth, is part of the governor’s legislative health-reform agenda. About 15% of providers, or 600 physicians in New Mexico, use electronic medical records. The legislation does not require use of medical records, but puts in more privacy protection. According to the news release, the Electronic Medical Records Act:
The New Mexico Department of Health is now using electronic medical records in all public health offices around the state, the agency said in a news release. [Source] [Electronic Medical Record Act]
Encryption
Researchers say they’ve discovered new ways to read what you’re typing by aiming special wireless or laser equipment at the keyboard or by simply plugging into a nearby electrical socket. Two separate research teams, from the Ecole Polytechnique Federale de Lausanne and security consultancy Inverse Path, have taken a close look at the electromagnetic radiation that is generated every time a computer keyboard is tapped. It turns out that this keystroke radiation is actually pretty easy to capture and decode, if you’re a computer hacker-type, that is. Using an oscilloscope and an inexpensive wireless antenna, the team was able to pick up keystrokes from virtually any keyboard, including laptops. “We discovered four different ways to recover the keystroke of a keyboard.” With the keyboard’s cabling and nearby power wires acting as antennas for these electromagnetic signals, the researchers were able to read keystrokes with 95 percent accuracy over a distance of up to 20 meters (22 yards), in ideal conditions. Previously researchers had shown how the sound of keystrokes could be analyzed to figure out what is being typed, but using a laser microphone to pick up mechanical vibrations rather than sound makes this technique much more effective, Barisani said. “We extend the range because with the laser microphone, you can be hundreds of meters away,” he said. The Ecole Polytechnique team has submitted their research for peer review and hopes to publish it very soon. [Source]
EU Developments
Jack Straw this week bowed to public pressure by scrapping plans to share sensitive personal data across Whitehall departments. The controversial proposals would have allowed medical records and DNA to be shared with police, foreign governments and other bodies. But the Justice Secretary ditched the plans following a storm of protest from politicians, doctors, lawyers and civil liberties campaigners, who warned it was the latest step towards a Big Brother society. There were also major concerns about the Government’s ability to safeguard information about individuals following a series of major data blunders. In further U-turns, Mr Straw has also toned down plans to allow secret inquests to be held without juries in the interests of ‘national security’. He has also dropped controversial plans to give bailiffs the right to break into people’s homes by force to seize property for debts. In an embarrassing U-turn, justice minister Michael Wills told MPs yesterday that the controversial Clause 152 to fast track data-sharing had been dropped entirely from the Coroners and Justice Bill. A spokesman for Mr Straw said he had been persuaded to rethink the plans following a massive public backlash, and that Straw will now launch a fresh public consultation on how to share information where there is a clear benefit. [Source]
European Data Protection Supervisor Peter Hustinx is satisfied with the European Parliament’s handling of transparency and data protection considerations. In a vote last week, MEPs adopted amendments that clarify when information should or should not be disclosed for the sake of transparency. “They confirm that data protection does not stand in the way of public disclosure of personal information in cases where the person involved has no legitimate reason for keeping the data secret,” Hustinx said. Parliament determined that only when the privacy and integrity of persons are particularly at stake, can information be withheld. [Source]
The Information Commissioner’s Office (ICO) has established a hotline for workers who suspect they were blacklisted from employment as a result of data protection law violations. A consulting firm is being prosecuted by the ICO for its part in a widespread pre-employment screening scheme involving the sale of workers’ personal information to more than 40 major British construction companies. One electrician whose file describes him as a “leading activist” says he hasn’t had a call from an employment agency in nine years. Workers who want to know if their personal data was part of the scheme are encouraged to call the hotline. [Source]
The Commission is asking: how should personal data be protected in the wake of modern technologies and new policies? How well are current rules on international transfers of personal data working in a time of “cloud computing”? What are the expectations of individuals, businesses and society as a whole? These and other topical questions will be addressed by a conference on personal data protection in the EU, organised by the European Commission, which will take place in Brussels on 19 and 20 May 2009. Interested individuals, business leaders, consumer associations, academics, data protection supervisors and public authorities from both the EU and third countries are invited to take part. Among the speakers will be the Vice-president of the European Commission in charge of Justice, Freedom and Security, Jacques Barrot. [Source] [Programme] See also: [EU Commission Publishes 54-page FAQ on Personal Data Flows to Third Countries]
The UK government is considering the mass surveillance and retention of all user communications on social-networking sites, including Facebook, MySpace, and Bebo. Vernon Coaker, the UK Home Office security minister, said the EU Data Retention Directive, under which Internet service providers must store communications data for 12 months, does not go far enough. Communications such as those on social-networking sites and via instant-messaging services could also be monitored, he said. [CNET]
Filtering
The Australian Government’s plans for a nationwide Internet filter are in jeopardy after its top-secret blacklist of banned Web pages was leaked. The list, published on the Internet, reads like a White Pages of porn and its release has provided a handy guide for young people to access the very material the Government wishes to banish from their eyes. [Australian IT]
Finance
The PCI Security Standards Council LLC has issued a list of compliance guidelines it calls the Prioritized Approach to help companies struggling with where to go or even where to begin implementing the controls to protect payment card customer data. The guidelines map PCI DSS requirements to a set of six milestones, dealing with the most important security issues first. [Source] [Source] [Source] [Source] See also: [Visa Says RBS WorldPay and Heartland No Longer PCI DSS Compliant]
The Swiss government has agreed to adopt Organisation for Economic Co-operation and Development (OECD) standards and to co-operate with countries investigating tax evasion on a case-by-case basis. “Banking secrecy does not protect any form of tax offence,” officials said in a statement released before Saturday’s meeting of G20 finance ministers. “With the globalization of financial markets and in particular the current financial crisis, international co-operation on tax matters has become increasingly important.” Tax havens have been under increasing international pressure to cooperate with various nations’ investigations of tax evaders. Swiss officials said: “The privacy of customers will continue to be protected from unauthorised access to information concerning private assets.” [Source]
FOI
The annual Rosemary Award for the year 2009 has been awarded to the FBI. The award is given out by The National Security Archive at The George Washington University. It recognizes outstandingly bad responsiveness to the public that flouts the letter and spirit of the Freedom of Information Act. The Award is named after President Nixon’s secretary Rose Mary Woods and the backwards-leaning stretch with which she erased an eighteen-and-a-half minute section of a key Watergate conversation on the White House tapes. Out of a total of 61,272 requests, the Justice Department denied 15,886 based on “no records”. The agency backlog for the fiscal year was 4,364. The agency received 52,260 requests according to last year’s report and 59,615 according to the current annual report. The agency processed 53,889 requests according to last year’s report and 61,272 according to the current annual report. In a case filed before the District Court for the District of Columbia, the Section Chief for Records/Information Dissemination at FBI Headquarters explained that FBI files are indexed only by reference terms that have to be manually applied by individual agents. Further, the usual procedure was to look only in a central database, which does not turn up records stored at FBI offices around the country, records from before the 1970s, or paper records indexed manually. Additionally, even if a request were sent directly to a field office, the procedure adopted was to forward the request to the central office, where the data could not be located. Only after suit was filed would the FBI perform a broader search. The FBI itself has recognized that its recordkeeping and search capabilities are deficient and that it has some of the longest average response times in the federal government. The FBI has also been faulted for having a routine practice of refusing to process requests unless requesters obtain a privacy waiver from living individuals about whom they have requested information.
Another problem highlighted with the FBI was failing to properly maintain and preserve its historical records leading to destruction or inaccessibility of important records. [2009 Rosemary Award for Worst FOIA Performance Goes to FBI] [2009 Rosemary Award] [FBI wins Rosemary Award - Background Memorandum] [Declaration of FBI Section Chief for Records/Information Dissemination] [U.S. Department of Justice, Freedom of Information Act Annual Report (Fiscal Year 2008)] [EPIC’s Litigation Docket]
In a Sunshine Week poll conducted by the Scripps Howard News Service and Ohio University involving 1012 adults, the government was more often thought to be secretive than not. With respect to local government, about 40% stated that they viewed it as somewhat or very secretive. In contrast, 74% of the interviewed population considered the federal government as somewhat or very secretive. The study also found that 87% decided voting issues based on a presidential candidate’s position. [News Service Poll]
Health / Medical
American consumers want more control of their health information and the majority prefer providers that use Internet-based tools to augment care, according to the 2009 Survey of Health Care Consumers conducted by Deloitte consulting. Only 9% of those surveyed have a personal health record, up from 8% the prior year. But 57% want a secure Internet site to access medical records, schedule appointments, refill prescriptions and pay medical bills. And 42% said they want an online PHR connected to their physician’s office, while 55% want to be able to e-mail their physician. 60% said they want the government to set standards on health IT, while 38% said they are very concerned about privacy and the security of medical data. Another 24% said they are not at all concerned about health information privacy and security, according to the survey. [Source]
Despite built-in privacy provisions, a proposed amendment to the Illinois Prescription Monitoring Program has raised privacy concerns. House Bill 3695 would give coroners and law enforcement agencies instant access to the federally mandated program database, which houses the prescription information of Illinois residents, in order for them to more quickly determine the cause and manner of death. A Pekin police official said having access to the database would also help officers with the war on drugs. “There is a huge privacy issue here,” said Paul Stephens of the Privacy Rights Clearinghouse. State Rep. Mike Smith (D-Canton) has also expressed concern. [Source]
Identity Issues
Assistant federal privacy commissioner Chantal Bernier says Saskatchewan’s decision to forgo enhanced driver’s licences (EDLs) until the privacy considerations can be more thoroughly examined is “highly significant,” reports the Canadian Press. Bernier said: “The province seems to have come to the conclusion...the cost-benefit analysis is not convincing.” Last week, officials stalled the adoption of EDLs due to concerns about the RFID embedded in the licenses, which are designed to be a passport alternative. Bernier said that details on how personal information contained on EDLs is used and protected should be worked out prior to implementation. [Source]
Quebec Premier Jean Charest will introduce enhanced driver’s licences. Information and Privacy Commissioner Jacques Saint-Laurent is the latest provincial commissioner to express reservations about the licence due to the potential for privacy violations. Saint-Laurent has not given his approval on EDLs. Last week, Saskatchewan officials opted not to implement EDLs in that province after Information and Privacy Commissioner Gary Dickson expressed concerns. [Source]
A CBC “Search Engine” podcast explores the burgeoning use of RFID technology in Canadians’ driver’s licenses. Enhanced driver’s licenses have been developed as a passport alternative for use when crossing the U.S. border. They are already in use in Manitoba and are slated to launch in Ontario this June. In the podcast, Ontario Privacy Commissioner Ann Cavoukian shares her privacy concerns about EDLs with host Jesse Brown, and discusses ways citizens who choose to use EDLs could protect their personal information from RFID skimmers when the cards are not in use. She says that on-off switch technology for the IDs is in the works, and reminds citizens that use of EDLs is voluntary. [CBC podcast]
The Electronic Frontier Foundation (EFF) has urged the U.S. Sentencing Commission to reject modifications to federal sentencing guidelines that would require extra prison time for people who use technology that hides one’s identity or location. Under current rules, a criminal defendant can get additional time added to a prison sentence if he used “sophisticated means” to commit the offense. In its testimony before the commission, EFF will argue that sentencing courts should not assume that using proxies – technologies that can anonymize users or mask their location – is a mark of sophistication. In fact, proxies are widely employed by corporate IT departments and public libraries and, like many computer applications, can be used with little or no knowledge on the part of the user. “It would be a serious mistake for the United States Sentencing Commission to establish a presumption that using a common technology is worthy of additional punishment,” said the EFF. “Whether or not a convicted person’s use of a proxy is worthy of increased penalties is a case-by-case determination most appropriately made by a court.” [Source] [Full Testimony]
Intellectual Property
The UK government has fleshed out the digital rights agency proposed in Lord Carter’s Digital Britain report and called for comment from the industry and consumers. The agency would establish a co-regulatory approach for navigating online copyright issues for film and music content, including illegal file sharing. [Guardian]
Support is weak among Swedes for the new IPRED copyright law designed to make it easier to investigate suspected cases of illegal file sharing, a new poll shows. Almost half of Swedes, 48% of the 1,000 interviewed, consider the law to be wrong while only 32% are in favour, a new poll from Sifo shows. [The Local]
Internet / WWW
A thief used Google Earth to help locate buildings with lead roofs that he later stole. Tom Berge, a 27-year-old builder, used the application to identify schools, museums and churches across London with lead roofs. He would then strip the lead, abseil down the side of the building and sell the metal on to scrap dealers. Berge’s thefts netted him nearly £100,000 in six months. Berge, who pleaded guilty to theft, received an eight-month suspended sentence and 100 hours of community service. [Source]
Online Privacy
A Harvard fellow has developed a tool to help Internet users take a bite out of targeted advertising, reports PCWorld. Christopher Soghoian’s TACO (Targeted Advertising Cookie Opt-Out) lets Web surfers opt out of 27 advertising networks that use behavioral advertising systems. Those who eschew the temptation of uniquely relevant ads and the processes behind their delivery can download the plug-in from Soghoian’s Web site. TACO is unique in that it sets permanent opt-out cookies, meaning that if a user clears cookies from his or her browser, he or she won’t need to go back through each network’s opt-out process again afterwards. Soghoian describes TACO as a temporary fix for a long-term issue. [Source]
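The weakness TACO works around is that an opt-out is itself just a cookie: clearing cookies deletes it, and the network may then quietly re-issue a tracking identifier in the same cookie slot. The Node.js script below is an added illustration of that mechanism, not TACO’s own code (TACO is a Firefox add-on); the three ad-network domains and the cookie names and values are constructed for the example, and `demo()` walks through opt-out, cookie clearing, overwrite and repair.

```javascript
// Added example (not TACO's code): a minimal persistent opt-out-cookie manager.
// Domains, cookie names and values below are constructed for illustration only.

const OPT_OUT_COOKIES = [
  { domain: ".ads.example",   name: "id",     value: "OPT_OUT" },
  { domain: ".track.example", name: "optout", value: "1" },
  { domain: ".behav.example", name: "oo",     value: "true" },
];

// A cookie store entry mirrors what a browser keeps: domain, name, value, expiry (ms since epoch).
function cookieKey(c) {
  return `${c.domain}|${c.name}`;
}

// Opt-outs that are absent from the store, or whose slot has been overwritten with a tracking ID.
function missingOptOuts(store, required = OPT_OUT_COOKIES) {
  const present = new Map(store.map((c) => [cookieKey(c), c]));
  return required.filter((r) => {
    const c = present.get(cookieKey(r));
    return c === undefined || c.value !== r.value;
  });
}

// Re-apply every opt-out cookie with a far-future expiry, replacing whatever occupies that slot.
// Returns a new store; cookies unrelated to the opt-out list are left untouched.
function reinstateOptOuts(store, required = OPT_OUT_COOKIES, now = Date.now()) {
  const tenYears = 10 * 365 * 24 * 60 * 60 * 1000;
  const requiredKeys = new Set(required.map(cookieKey));
  const kept = store.filter((c) => !requiredKeys.has(cookieKey(c)));
  const reapplied = required.map((r) => ({ ...r, expires: now + tenYears }));
  return kept.concat(reapplied);
}

// Render a cookie as the Set-Cookie header an extension would hand to the browser's cookie service.
function toSetCookie(c) {
  return `${c.name}=${c.value}; Domain=${c.domain}; Path=/; Expires=${new Date(c.expires).toUTCString()}`;
}

// The sequence the article describes: opt out, user clears cookies, a network re-issues an ID, manager repairs.
function demo() {
  let store = reinstateOptOuts([], OPT_OUT_COOKIES, 0);
  const afterOptOut = missingOptOuts(store).length;            // all three opt-outs present
  store = [];                                                  // user clears all cookies
  const afterClear = missingOptOuts(store).length;             // every opt-out is gone
  store = reinstateOptOuts(store, OPT_OUT_COOKIES, 0);
  // Ad network silently overwrites the opt-out slot with a constructed tracking identifier.
  store = store.map((c) => (c.domain === ".ads.example" ? { ...c, value: "u7f3a9c" } : c));
  const afterOverwrite = missingOptOuts(store).map(cookieKey); // only the overwritten slot is flagged
  store = reinstateOptOuts(store, OPT_OUT_COOKIES, 0);
  const afterRepair = missingOptOuts(store).length;            // repaired
  return { afterOptOut, afterClear, afterOverwrite, afterRepair, headers: store.map(toSetCookie) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The value check in `missingOptOuts` is the part that matters in practice: a cookie with the right name but the wrong value is a tracking identifier, not an opt-out, so presence alone is not enough to decide the user is still opted out.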
As arguments swirl over online privacy, a new survey indicates the issue is a dominant concern for Americans. More than 90% of respondents called online privacy a “really” or “somewhat” important issue, according to the survey of more than 1,000 Americans conducted by TRUSTe. [NY Times]
Privacy will be enhanced on the Semantic Web, according to Internet pioneer Sir Tim Berners-Lee. ZDNet reports that World Wide Web Consortium (W3C) project teams are building privacy into the bones of the Semantic Web, which aims to make the Web more intuitive. Some researchers have warned that an increase of data mining and privacy compromises could result. But Berners-Lee says that the whole project was geared toward privacy enhancement. Developers are looking to build in ways to make the Web adhere to privacy preferences set by users, and to let users request via the Web, information held on them by third parties. [Source]
A Japanese court has ordered an Internet service provider (ISP) to disclose the identity and address of a customer who allegedly used file-sharing software to expose personal information of 110,000 high school students. The information was apparently unintentionally uploaded to the Internet through a computer infected with malware. [Source]
Facebook users now have the option to share more broadly. In response to users’ requests, the company yesterday launched a new “everyone” setting that allows them to lift privacy access controls from certain elements of their profiles. Those who choose the option can open up portions of their profiles--such as status updates, wall posts, photos and videos--to Facebook’s 175 million users. “This is an additional setting for those of you who wish to share with a broader audience,” wrote Facebook engineer Mark Slee in a blog posting. [Source] See also: [IBM develops Facebook privacy application]
The UK-based behavioral ad firm Phorm launched an e-newsletter, in part to address the negative press that attached itself to the company throughout 2008. Phorm works directly with ISPs to build profiles of user interest, based on their overall web surfing behavior, and serve relevant ads to them across participating websites. Early last year, privacy advocates attacked the firm on the grounds that it is invasive to user privacy. Months of ceaseless barrage from the press in both the U.S. and U.K. led to a tough year-end: participating ISPs left Phorm to the vultures, and by December it had lost UK CEO Hugo Drayton and CFO Lynne Millar. The new year yielded a change in sentiment for behavioral advertising. In January the AAAA, BBB, DMA, ANA and IAB united to prepare guidelines to position behavioral advertising in a way more favorable to consumers. This month, the IAB’s UK arm released a series of guidelines, with which all major search engines agreed to comply. The first issue of Phorm’s newsletter, dubbed inphorm, went out this morning. [Source]
The first Web-based, interactive, street-level map of Canada launched yesterday at Canpages.ca featuring panoramic photos of Vancouver, Whistler and Squamish, B.C has caught the attention of privacy watchdogs. Similar to Google’s Street View launched in 2007, Canpages’ Street View service allows users to take a virtual walk on city streets thanks to high-resolution images taken by a special 360-degree camera. [IT Business] [Source] See also: [Google Street View Launched in Britain] and [
A privacy campaigner will launch a legal challenge to Google’s Street View service, which was launched today. Simon Davies of Privacy International says that he will pursue “a test case” against Google. Privacy watchdog the Information Commissioner’s Office (ICO) has given the service the all-clear, saying that the blurring means that the service does not publish personal information and so does not break the law. Davies said that he will mount a legal challenge to the ICO’s opinion. Davies said that he is not sure what exactly the legal basis of a challenge to the system or to the ICO’s opinion would be, but said that it was an established legal principle that a person’s consent is required for a photograph that is used commercially. [Source] [Google pulls some street images] [OUT-LAW: Is Google’s Street View legal?]
Other Jurisdictions
Human rights groups have slammed a proposal by a ruling Kuomintang member to allow legislators special access to private data without informing the target. Under the Computerized Personal Data Protection Act, official bodies need to apply for permission from a citizen before looking into his private information, but KMT legislator Hsieh Kuo-liang wants that restriction to be cancelled for lawmakers. If legislators have to file an application to see the information, they will never be able to dig up scandals about officials, Hsieh said. The lawmaker said colleagues making wrong accusations would still be liable for prosecution. The human rights activists described the proposal as an unacceptable expansion of power by lawmakers and as a potential disaster for privacy. They want the opposition Democratic Progressive Party to file a different amendment including a ban on handling certain sensitive private information. [Source]
Privacy (US)
Sen. Olympia J. Snowe, Maine, received the International Association of Privacy Professionals’ 2009 Privacy Leadership Award for her ongoing efforts on the behalf of U.S. citizens in the area of privacy and data protection. Snowe is serving her third six-year term in the U.S. Senate. During her tenure, she has advanced privacy legislation to protect citizens’ rights, including:
o Writing the legislation to prohibit spyware and privacy-invasive practices such as keylogging and skimming
o Voting for the Consumer Phone Records Act to keep unwelcome hands out of citizens’ phone logs and to give the FTC and FCC greater enforcement authority in that area
o Co-introducing an amendment to protect information filed in bankruptcy proceedings, which is far more sensitive than details contained in other publicly available documents
o Co-authoring the privacy provisions in the Wired for Health Care Quality Act to give patients more control over their health records and to hold accountable those responsible for breaches.
o Introducing the recently passed Genetic Information Nondiscrimination Act, which lets people take advantage of the possibilities genetic testing can offer without fearing the negative repercussions that could result from the abuse of such information.
o Co-sponsoring a Defense Authorization Bill amendment to give free financial protections to the 26 and a half million veterans and active duty personnel whose personally identifiable information was stolen from the Veterans Administration. [Source]
State Senate Finance Committee members expressed concern about a bill that would require the state Department of Motor Vehicles, starting in 2010, to issue driver’s licenses that comply with the federal Real ID Act. Senate Majority Leader Steven Horsford, D-Las Vegas, said the bill would create an unfunded mandate that forces DMV to spend as much as $1.5 million of its own money to meet requirements of the federal law. Finance Chairwoman Bernice Mathews, D-Reno, said that before she takes a vote on Senate Bill 52, she wants to check if the state can receive an exemption from complying with the law. During a hearing, both liberal and conservative lobbyists condemned the proposal on the grounds it would violate citizens’ right to privacy. Several complained Real ID licenses are the first step toward the insertion of a radio frequency chip into licenses to allow government authorities to keep track of citizens’ whereabouts. The DMV denied that allegation. Former Arizona Gov. Janet Napolitano is now director of the Department of Homeland Security, which oversees the Real ID Act. As governor, she signed a bill declaring her state’s opposition to enforcing the Real ID Act. But as homeland security chief, she intends to “roll out something new” concerning the act, according to ACLU lobbyist Rebecca Gasca, who urged the committee to reject the bill. [Source] [Resistance to Real ID mounts from all sides] See also: [TWIC: Big Government Creeping Privacy Threat]
Security
The Building Security in Maturity Model (BSIMM) is “a set of best practices developed by Cigital and Fortify” that draws together data from nine real-world software security initiatives to help organizations build more secure software. The model breaks the practices down into 12 areas, including strategy and metrics, security features and design, and configuration and vulnerability management. [Source] [Source] [Source] [Source]
The Government Accountability Office (GAO) has released the following reports, testimony, and correspondence: Information Security: Securities and Exchange Commission Needs to Consistently Implement Effective Controls. [GAO-09-203, March 16] [Highlights]
Surveillance
Google’s controversial behavioral advertising has spurred US legislators into action. To protect people’s privacy rights, congressmen have begun drafting a bill that would require companies like Google to warn users beforehand of behavior-based ad tracking. The representatives drafting the bill, which would revive requirements of the defeated Consumer Privacy Protection Act (CPPA), first proposed in 2002, include Rep. Rick Boucher (D-Va.), Rep. Cliff Stearns (R-Fla.) and Rep. Joe Barton (R-Texas). “I think if we empower (Internet) users in this way, it would lead to greater consumer confidence, leading to more electronic commerce,” Boucher has said. The CPPA provided that “upon the first instance of collection from the consumer of personally identifiable information, that may be used for a purpose unrelated to the transaction, by a data-collection organization, the organization shall provide the notice at the time personally identifiable information is collected.” According to the representatives, the bill will also call for data-collection agencies to offer consumers the choice to opt out of the sale or disclosure of personal information, and will require the drafting and implementation of an “information security policy” to protect confidential information. [Source]
Telecom / TV
Three civil liberties groups have asked a U.S. appeals court to strike down a U.S. government request to obtain stored mobile-phone location tracking information without showing probable cause. The Electronic Frontier Foundation (EFF), the Center for Democracy and Technology (CDT) and the American Civil Liberties Union (ACLU) have filed a brief asking the U.S. 3rd Circuit Court of Appeals to reject the U.S. Department of Justice’s request that courts give permission for it to obtain historical mobile-phone tracking information without a court-ordered warrant showing probable cause. Several courts have ruled against the government obtaining real-time mobile-phone tracking information without a warrant, but this is the first case dealing with stored tracking information. The DOJ argued that mobile phone users voluntarily convey their location information to their carriers, therefore negating the need for a warrant, but the civil liberties groups disagreed. Mobile phone location tracking data “reveals information about the interior of spaces in which cell phone users possess a reasonable expectation of privacy,” the groups said. [Source]
US Government Programs
A proposal to chart global warming gases from California cars and trucks by requiring motorists to report odometer readings during annual vehicle registrations is meeting resistance from those worried about drivers’ privacy. Assemblywoman Nancy Skinner, D-Berkeley, has proposed the odometer reporting law, saying California needs to estimate miles traveled to succeed in its pioneering drive to control global warming gases - much which comes from vehicles. But even some who want to reduce carbon dioxide and other greenhouse gases said the state needs to ensure that the information will not be released publicly or used to compel individuals to drive less. [Source]
Tazewell County Coroner Dennis Conover said an amendment to the Illinois Prescription Monitoring Program would make investigations into questionable deaths much easier, but a national privacy advocacy group has some concerns. House Bill 3695 would amend the Illinois Prescription Monitoring Program - a database of prescriptions that doctors and pharmacists use to determine if patients are getting prescriptions for regulated drugs from multiple sources. The database is mandated by federal law through the U.S. Department of Justice, Drug Enforcement Administration. The intent of the federal mandate is to monitor the distribution for illicit sale and abuse of regulated drugs, according to the U.S. Department of Justice Web site. The amendment to the program was in the executive committee of the state House of Representatives earlier this week but has now been referred back to the rules committee. [Source]
US Legislation
US legislators are drafting a bill that would require Internet companies using targeted advertising technology to notify users that their habits are being tracked for that purpose. One of the legislators involved says that users should be entitled to know exactly what information is being collected, who is collecting the information and what is being done with it. Google has recently announced its intention to start using targeted advertising, joining companies such as AOL, Yahoo and Microsoft. Google’s system will assign users to interest categories based on their activity and target advertising to those interests; users will be able to change their interest categories or opt out of the program entirely. [Source]
The new chairman of the House Subcommittee on Communications, Technology and the Internet wants an Internet privacy bill passed. “Internet users should be able to know what information is collected about them and have the opportunity to opt out,” said Rep. Rick Boucher (D-VA). The bill would not only require Web sites to disclose how they collect and use data and give users the chance to opt-out of such activities, but also would require that Web sites get a user’s opt-in before sharing information with other companies. Boucher says such legislation will enhance user confidence in the online experience, which in turn will improve business. [New York Times]
Workplace Privacy
A newly ratified law in Finland allows employers to monitor employees’ email messages when they suspect misconduct. Employers would not be permitted to read the content of messages, but would be permitted to monitor the sizes of attachments and to whom they were being sent. The law also allows schools, libraries and telecommunications operators to snoop on users’ activity. The law has met with harsh criticism from legal experts and privacy rights groups. The bill passed Parliament earlier this month by a vote of 96-56; the president ratified it on March 13. [Source] [Source]