Privacy News Highlights
21–31 March 2009
Contents:
WW – Apple Files a Biometric Security System Patent for iPhone, More
CA – Saskatchewan Government Ditches ‘Enhanced’ Driver’s Licence Plan
CA – Coalition Calls for Moratorium on EDLs
CA – Enhanced Licence Comes to Quebec
CA – Air Canada Sued Over Passenger Info Case
CA – Ontario Judge Orders Website to Reveal Identity Data on Anonymous Posters
CA – AICPA/CICA Proposes Changes to Generally Accepted Privacy Principles
UK – Lawyer-Client Privilege Can’t Stop Surveillance, Says House of Lords
WW – Online Clicks Have Value, for Someone Who Has Something to Sell
UK – Facebook, Bebo and MySpace ‘to be Monitored by Security Services’
UK – FIPR Report Denounces “Database State”
US – Diebold Admits Voting Machine Audit Log Flaw
CA – Ontario Unveils Electronic Health Data Plan
UK – Data Errors Lead to New Concerns Over Health Records Database
WW – Online Age Quiz is a Window for Drug Makers
US – Supreme Court Won’t Revive Va. Anti-Spam Law
EU – E.U. Threatens Action to Defend Web Users’ Privacy
EU – Spanish DPA Meets with Facebook
EU – Few Irish Organizations Have Data Retention Policies
EU – German Court: Data Retention Violates Privacy
EU – German Privacy Scandal Results in Resignation
UK – Committee: ICO Should Assess Private Firms, Too
US – Jonas Brothers Site Cited for Violating Children’s Privacy
US – Groups Urge Obama to Defend California Financial Privacy Law
US – Stimulus Package Includes Changes to HIPAA Privacy Rules
AU – Patients’ Medical Records Leaked Online by Pathology Lab Sullivan Nicolaides
UK – ICO Issues Enforcement Order
WW – Cached Data Exposes Credit Card Info
CA – Alberta Court Upholds Privacy Ruling Against Nightclub Scanning IDs
EU – E.U. Telecom Law Set to Enshrine the Right to Information
NZ – New Zealand’s Stringent Copyright Law a No-Go
CA – University of Toronto Researchers Uncover Chinese Computer Spy Network
WW – Cloud Computing is “Here-and-Now”
WW – Researchers Can ID Anonymous Twitterers
UK – Formal Complaint Lodged on Street View
WW – Privacy Group Asks Web’s Biggest Names to Reject Phorm System
NZ – New Zealand ISPs Brace for Data Intercept Law
US – Cybersecurity Review is Putting Emphasis on Privacy
US – Strip-Search of Girl Tests Limit of School Policy
US – Schneier: It’s Time to Drop the ‘Expectation of Privacy’ Test
US – Study Shows Most Companies Have Experienced Loss from Cyber Attacks
UK – Security Gaps Found in Kids’ Database
WW – Public Breach Brings Better Security
WW – Report: Security, Not Environment, Drives e-Waste Disposal
CA – RCMP Seeks Backdoor Wiretap Access to Blackberry Messaging
US – NY Court Hears Arguments on Police Use of GPS
UK – Lawyer-Client Privilege Can’t Stop Surveillance, Says House of Lords
WW – Zoombak Tracking Device Raises Questions about Privacy and Safety
CA – A CCTV Project of Olympic Proportions
AU – Victorian Law Reform Commission Investigates Surveillance Cameras
US – House Votes to Create Privacy Officers at DHS
US – Draft Legislation Calls for White House-Level Cyber Security Position
US – Virginia May Ditch Real ID Program Over Privacy Concerns
US – FBI Director Urges Renewal of Patriot Act Portions of Law to Expire This Year
Biometrics
On March 26, 2009, the US Patent & Trademark Office published an Apple patent application relating to an advanced embedded biometric authentication security system that will be implemented on all of Apple’s future hardware, from the iPhone to the MacBook. Devices will be able to authenticate the user by comparing the detected identification information with identification information stored in a library on the device. For example, the device may include a sensor for detecting features of a user’s skin, or features underneath a user’s skin. Other methods include fingerprint technology, face recognition, ear canal sensing and, in the case of the iPhone, voice recognition, to name just a few of the security features being considered. [Source] See also: [Ontario has new method to keep problem gamblers out of gaming sites – your face!]
Canada
Saskatchewan motorists who plan to travel to the U.S. are being advised to use a passport at the border after the provincial government halted a plan to offer an “Enhanced Driver’s Licence” (EDL) this week. On Monday, the government issued a news release to say it was abandoning the so-called smart-cards. The release cited concerns “over cost, public interest and changing card requirements” as factors for not going ahead. Barely a month ago, the government had introduced legislation to support the cards. At that time, Gary Dickson, Saskatchewan’s privacy commissioner, said the plan needed closer study. Dickson praised the move to scrap the plan. [Source] [Saskatchewan cancels RFID licences while Ontario looks for off-switch] [Enhanced drivers’ licences bring privacy worries]
At a public forum in Ottawa on Monday, a coalition of civil liberties groups called for a moratorium on enhanced driver’s licences (EDLs) pending a House of Commons debate. All Canadians will need either a passport or EDL to cross into the United States beginning on June 1 when American Western Hemisphere Travel Initiative rules go into effect. EDLs have incited controversy across Canada due to privacy concerns surrounding their embedded RFID technology. While some provinces have introduced or plan to introduce EDLs this year, Saskatchewan on Monday announced that it will not deploy EDLs due to privacy concerns. [Source] See also: [EDLs are a solution in search of a problem] [P.E.I. Licences Not as Secure as Hoped - Editorial] and [Obama’s message: Glory days of open border are gone]
Premier Jean Charest introduced Quebec’s new enhanced driver’s licences (EDLs). Due to new American security regulations, beginning June 1 Canadians will need either a passport or EDL to cross into the United States by land or water. Charest introduced the licence, called “Plus,” in the border town of Saint-Bernard-de-Lacolle. The EDLs are embedded with an RFID chip that border agents will scan to determine travelers’ identity and citizenship. Although initially Quebec’s information and privacy commissioner expressed concerns about cardholders’ privacy due to the embedded RFID, in a separate report Jacques St. Laurent said he is now confident that the system is secure. [Source]
Canada’s privacy commissioner is taking Air Canada to court to compel the airline to release records involving a so-called “unruly” customer, arguing passengers should be able to know the information air carriers are collecting about them. In a newly filed affidavit, a senior official with the Office of the Privacy Commissioner of Canada sets out why the dispute has broad implications for air travellers. The document bolsters an application in Federal Court for an order requiring Air Canada to hand over the disputed documents about an incident on board a flight from Kamloops to Vancouver, and to confirm the commissioner’s right to ask for evidence in support of a claim of solicitor-client privilege. “The ability to obtain access to one’s personal information and to challenge its accuracy is a critically important means of holding an organization accountable for its personal information practices,” according to Carman Baggaley, senior policy and research analyst at the commissioner’s office. [Source]
An Ontario Superior Court judge has ordered a pair of website owners to turn over identifying information about eight people being accused of defamation after posting anonymous comments. “In my view, the defendants are under an obligation to disclose all documents in their power and control,” Justice Stanley Kershman said in a ruling delivered to defendants Connie Wilkins-Fournier and Mark Fournier of Kingston, Ont., who run the website Free Dominion. [CBC] Update: [FreeDominion.ca To Appeal Anonymity Decision]
The AICPA/CICA’s draft changes to Generally Accepted Privacy Principles (GAPP) add several new criteria to the principles and amend existing criteria. The new changes address personal information identification and classification; risk assessment; privacy incident and breach management; privacy awareness and training; collection of information developed about individuals; data disposal and destruction; communication of personal information to third parties; and ongoing monitoring. Comments on the changes are requested by April 15, 2009. [Source] [Exposure Draft]
Consumer
The state is allowed to bug communication between lawyers and their clients, the House of Lords has said. The UK’s highest court ruled that the surveillance law, the Regulation of Investigatory Powers Act (RIPA), allows lawyers’ conversations to be bugged. Lawyers are allowed to withhold the details of communication with their clients from the police, prosecutors or courts. Lord Carswell said that legal professional privilege cannot be absolute, that it has to have exceptions. “If it were not possible to exercise covert surveillance of legal consultations where it is suspected on sufficiently strong grounds that the privilege was being abused, the law would confer an unjustified immunity on dishonest lawyers,” he wrote. “There may be other situations where it would be lawful to monitor privileged consultations, for example, if it is necessary to obtain information of an impending terrorist attack or to prevent the threatened killing of a child,” said Lord Carswell. “The limits of such possible exceptions have not been defined and I shall not attempt to do so, but they could not exist if the rule against surveillance of privileged consultations were absolute.” [Source] [The ruling]
The New York Times reports on the emergence of virtual cookie stores--behavioral exchanges where advertisers can buy information on Web users’ behavior. While not unlike the data houses of the print advertising world, these virtual malls--the Times looks at BlueKai and eXelate Media--give Web sites a place to sell customers’ information, and advertisers and others a place to gobble it up. “People are realizing that it’s the data that drives the value,” said Omar Tawakol, CEO of BlueKai. To mitigate privacy concerns associated with the Internet model, both companies provide an opt-out and an area where consumers can see what information has been collected about them. [NYT]
E-Government
Home Office ministers have revealed that social networking data might be included in the government’s Intercept Modernisation Programme (IMP), reports the Times. The program already requires Internet service and telecommunications providers to retain telephone and e-mail data for a period of 12 months for the intelligence community’s use in counter-terrorism efforts. Plans to include social networking activities into that cache are meeting strong opposition so far. Among the opponents is Facebook Chief Privacy Officer and head of global public policy Chris Kelly, who said the full-monitoring plan was a bad-for-business “boil-the-ocean strategy” and technically impractical. [Source] [Home Office Defends Plan to Monitor Social Network Conversations] See also: [Cautionary tales from the social-networking universe]
A new report says that one quarter of Britain’s government databases are illegal and should be scrapped or redesigned. The Joseph Rowntree Reform Trust report says that the databases housing information on children, communications, citizens’ DNA and others are too broadly available, vulnerable to lax data security standards and risk stigmatising those whose information is included in the records. The Trust examined 46 public-sector systems for the report, finding that 11 were “almost certainly” illegal. “It’s the slack attitude to data security which is most worrying,” said report co-author Terri Dowty of Action on Rights for Children. Co-authors of the report include Ross Anderson, Ian Brown, Terri Dowty, Philip Inglesant, William Heath, Angela Sasse, and the Foundation for Information Policy Research. [Database State - full report] [Database State - Executive Summary] Update: [Database report condemned as ‘inconsistent and inaccurate’] and [Debate: Are Gov’t Databases Excessive? Yes vs No]
In a hearing in California last week, Premier Election Solutions, formerly known as Diebold, admitted that a flaw in its voting-machine software can lose votes and fail to log the loss. Logs are an essential component of election audits. The flaw exists in all versions of the company’s tabulation software. [Source] [Source]
Electronic Records
Ontario has unveiled a $2.1 billion strategy that promises to give every diabetic patient in the province an electronic health record by 2012. The “eHealth Ontario” initiative will also connect doctors, patients and pharmacists electronically to better manage the flow, safety and effectiveness of prescription drugs and cut wait times at Ontario hospitals, says Kramer, the head of the group developing the program. The 53-page strategy aims to have 65% of the province’s primary physicians and two-thirds of their patients hooked up to the electronic medical data by April 2012. The goal is to have enrolled 100% of physicians and all of their patients by 2015. It also would see 65% of medication orders filled electronically in three years, with 35% of physicians ordering drugs via secure, electronic prescriptions. Key to the program, Kramer says, is the enrolment of as many as 800,000 diabetes patients in the province into the electronic record system. [Source] [e-Health Office] [e-Health Strategy] [Report on consultations]
The chairwoman of an association for parents, midwives and other healthcare professionals says she is opting out of a national database of health records because it may prove impossible to correct data mistakes. Beverley Beech says she is particularly concerned about plans for more data sharing by government agencies and departments. She was speaking to Computer Weekly after the publication this week of Database State, a report commissioned by the Joseph Rowntree Reform Trust from the Foundation for Information Policy Research. The report lists 46 big government databases and gives each one a red, amber or green light according to concerns about privacy and the Human Rights Act. Beech said she knows of at least two instances where mothers have discovered mistakes in their social services records, which they have been unable to correct. She says that mothers are now too fearful to tell midwives they have post-natal depression in case this information ends up on a social services database, which is shared with the local council, with the result that action is taken to remove their babies and put them into care. [Source] See also: [ICO ‘increasingly concerned’ about NHS data safety]
RealAge, which promises to help shave years off your age, has become one of the most popular tests on the Internet. According to RealAge, more than 27 million people have taken the test, which asks 150 or so questions about lifestyle and family history to assign a “biological age,” how young or old your habits make you. Then, RealAge makes recommendations on how to get “younger,” like taking multivitamins, eating breakfast and flossing your teeth. Nine million of those people have signed up to become RealAge members. But while RealAge promotes better living through nonmedical solutions, the site makes its money by selling better living through drugs. Pharmaceutical companies pay RealAge to compile test results of RealAge members and send them marketing messages by e-mail. The drug companies can even use RealAge answers to find people who show symptoms of a disease - and begin sending them messages about it even before the people have received a diagnosis from their doctors. While few people would fill out a detailed questionnaire about their health and hand it over to a drug company looking for suggestions for new medications, that is essentially what RealAge is doing. [New York Times] See also: [Your Online Clicks Have Value, for Someone Who Has Something to Sell]
The US Supreme Court has declined to consider reinstating Virginia’s tough anti-spam law, leaving in place a lower court ruling that threw out the measure as unconstitutional. The high court’s decision ends the legal odyssey of the 2003 law, one of the nation’s first, which was intended to crack down on people who send masses of unwanted e-mail. [Washington Post] Virginia’s attorney general said that his office will rewrite the state’s antispam law now that the U.S. Supreme Court has refused to review a lower court’s decision striking down the measure. [WSJ]
EU Developments
A top European Union official plans to threaten EU intervention to set tougher rules on how Internet users’ personal data is collected, analyzed, and shared by search engines and service providers. Consumer Affairs Commissioner Meglena Kuneva warns that if the industry fails to offer adequate responses on data collection and profiling, the European Commission will not hesitate to intervene. [Washington Post] [New York Times]
The Spanish data protection agency (Agencia Española de Protección de Datos--AEPD) says it is encouraged by its meeting with social networking firm Facebook last week. The meeting was part of a series of roundtable discussions the agency is conducting with major social network and Internet service providers. AEPD Director Artemio Rallo has expressed concerns about the clarity of online companies’ privacy policies, the need for age verification and data retention and destruction policies on Internet sites. Among its recommendations for Facebook, the AEPD wants the company to explore the possibility of a default setting that provides users with the maximum amount of privacy. [Source]
Despite vast stores of personal data, only about half of Ireland’s organisations have formal data retention or destruction policies, reports ElectricNews.Net. An Irish Computer Society’s Privacy Forum survey revealed that 94.2% of organisations store personal data, and 57.7% transfer data to external organisations or individuals, yet only 50.7% have policies in place to protect it. Other responses revealed that about 31% of organisations have a formal data breach policy; 33% have an informal policy; and 20% have no data breach policy in place. [Source]
The Administrative Court of Wiesbaden has ruled that blanket retention of citizens’ data violates their privacy. “The court is of the opinion that data retention violates the fundamental right to privacy,” the ruling states. “It is not necessary in a democratic society. The individual does not provoke the interference but can be intimidated by the risks of abuse and the feeling of being under surveillance [...] The directive [on data retention] does not respect the principle of proportionality guaranteed in Article 8 ECHR, which is why it is invalid.” Data retention requirements and terms have been a source of debate throughout Europe in recent months. [Source] [Q&A]
Deutsche Bahn boss Hartmut Mehdorn has resigned. The head of the state-owned rail operator has been under pressure since a large spying regime within the company came to light earlier this year. “I have made an offer to terminate my contract with the supervisory board chairman,” Mehdorn said, noting that the company was suffering due to the “destructive debates” over his future. In an effort to root out fraud, Deutsche Bahn accessed confidential data on hundreds of thousands of employees in 2002, 2003 and 2005. The company also monitored staff e-mails. [Source]
In its review of proposed data protection changes within the Justice and Coroners Bill, the Joint Committee on Human Rights deemed that the Information Commissioner should have the power to spot check private businesses, reports ITPro. “We consider that these additional powers for the Information Commissioner would be a human rights enhancing measure,” the committee’s report states. Currently, the ICO may only spot check public organisations. The report also called for giving the ICO the ability to “seek sanctions” against public bodies that refuse to comply with its notices. [Source]
Filtering
The operator of a Web site for Jonas Brothers’ fans has promised to change its policies following a query by the Children’s Advertising Review Unit (CARU). The CARU found that the site violated the federal Children’s Online Privacy Protection Act (COPPA) by collecting the names and cell phone numbers of kids under the age of 13 without parents’ consent. Site operator Ultrastar Entertainment said it will no longer collect such information. The company said in a statement that it has “worked with CARU directly to ensure the site’s compliance, and is making all suggested modifications” to the Web site. [Source]
Finance
A coalition of advocacy groups is urging the Obama administration to defend California’s landmark financial privacy law. In American Bankers Association v. Brown, the banking industry is asking the U.S. Supreme Court to overturn last year’s 9th Circuit decision upholding the 2003 Financial Information Privacy Act, which prohibits financial institutions from sharing customers’ personal information within affiliated companies. The Supreme Court asked for the Obama administration’s opinion on the California law earlier this month. In a letter to the president and solicitor general, the groups say: “This represents a defining moment for privacy rights.” [Source]
Health / Medical
The federal stimulus package includes amended rules regarding the Health Insurance Portability and Accountability Act (HIPAA). The new provisions require doctors to keep records of when they disclose patient information. The previous regulations allowed doctors to share patient information for treatment, payment or healthcare reasons without noting when the information was shared. The new provisions do not take effect until January 2014. Medical practices are also required to post notices of data security breaches if 10 or more patients are affected. If the number of affected patients is 500 or more, the practice must notify all affected patients, a media outlet and the US Department of Health and Human Services (HHS). [Source] See also: [Ownership of electronic health information must be addressed] and [Minnesota Blood-screening newborns: research/privacy debate]
An alarming privacy breach by one of Queensland’s biggest pathology labs has released patient medical histories on the internet. The names, contact numbers and private details of at least 100 patients, and potentially hundreds more, were plastered on the website of Brisbane-based Sullivan Nicolaides. The breach has cast serious doubt on the safety of electronic patient record systems, and angry patients were last night demanding answers. [Source] See also: [More Kaiser Permanente Workers Fired for Breaching Health Records]
The Information Commissioner’s Office (ICO) has issued an enforcement order to an NHS organisation for violating the Data Protection Act. Camden Primary Care Trust has until the end of the month to improve its information security policies and to report its progress to the ICO. The order follows an investigation into the disposal of computers containing the unencrypted personal and health information of 2,500 patients. The machines were dumped beside a skip for disposal. They were stolen and have yet to be recovered. “This incident highlights organisational error and will no doubt damage public trust in the NHS locally,” said Assistant Information Commissioner Mick Gorrill. [Source] [ICO Order]
Horror Stories
Cached data from a server that is no longer in use has exposed 22,000 credit card numbers including CVVs, expiration dates, names and addresses; 19,000 of the cards could still be active. Most of the card numbers are for accounts in the US and the UK, though some Australian accounts are affected as well. The cached data appear to be from a now-defunct payment processing gateway that managed credit card transactions for a number of websites. [Source] [Source]
Identity Issues
A judge has upheld a ruling from Alberta’s privacy commissioner that ordered a Calgary nightclub to stop scanning driver’s licences before allowing people inside. The judicial review from Alberta Court of Queen’s Bench Justice Carolyn Phillips was issued earlier this month. In February 2008, Information and Privacy Commissioner Frank Work ordered Tantra nightclub and its parent company, Penny Lane Entertainment, to stop scanning driver’s licences and to destroy any information that it had collected through this practice. In her decision dated March 6, Justice Phillips upheld Work’s order. [Source]
Intellectual Property
A Europe-wide law forcing Internet service providers to cut subscribers off from the Internet if they illegally download copyright-protected music or movies isn’t going to happen as part of an ongoing review of telecom rules, telecom commissioner Viviane Reding said in an interview. Speaking after lengthy negotiations Tuesday evening with members of the European Parliament and representatives of the 27 national governments of the European Union, Reding said that the issue of online piracy has yet to be resolved in the so-called telecom package of laws being updated to better suit the age of high-speed Internet. [Network World] See also: [The Pirate Party Makes a Bid for the European Parliament]
New Zealand Prime Minister John Key said that a potentially divisive Internet piracy law has been withdrawn. The Copyright Amendment Act would have required Internet service providers (ISPs) to sever Internet connections of customers who were suspected of violating copyright laws, even if the allegations were not proven. The law was slated to take effect last month, but it was postponed when citizens protested. Prime Minister Key acknowledged that there needs to be some sort of Internet copyright law; a new law will be introduced at a future date. [Source] See also: [Extension of copyright term postponed in the European Parliament]
Internet / WWW
University of Toronto researchers announced that they have uncovered a cyberspying network based in China that has infected more than 1,295 computers in 103 countries, calling the discovery “a wake-up call.” More than 30% of the infected hosts of the malware-based network, now called GhostNet, are considered high-value targets and include computers located in various ministries of foreign affairs, embassies, international organizations, news media, non-government organizations and even the private office of the Dalai Lama, the head of Tibet’s government-in-exile, according to a report released by SecDev Group and the Munk Centre for International Studies at U of T. The report said GhostNet primarily uses a malicious software program called gh0st RAT (Remote Access Tool) to steal sensitive documents, control attached devices such as webcams and take control of infected computers. “GhostNet represents a network of compromised computer residents in high-value political, economic and media locations spread across numerous countries worldwide,” according to the report. The U of T investigation began when researchers were granted access to computers of Tibet’s government-in-exile; Tibetan NGOs and the office of the Dalai Lama were concerned about leaks of confidential information. The group discovered that the computers were infected with malicious software that allowed remote attackers to steal information. The researchers also found that the servers collecting the stolen data were not secured, and were able to gain access to the control panels of the four servers used by the network. Three of the servers were found to be based in China and a fourth was in the U.S. [Source]
Jeffrey Rayport and Andrew Heyward have released a report, “Envisioning the Cloud: The Next Computing Paradigm.” The pace of cloud adoption is rapid, but laws and regulations dating from the 1980s are stumbling blocks. Because of this, he says, “there is a real need for the government to get involved in cloud computing around the issues of data security and privacy.” “I predict that data privacy and security will prove to be the thorniest issue regarding cloud computing going forward...” [Source] [Source] [Report] See also: [IBM cloud initiative suffers setback as Google, Amazon and Microsoft 'refuse' to sign] [Open Cloud Manifesto] [Once-secret 'cloud Manifesto' Sees Light of Day] and [Security concerns for cloud computing] and [More Security Loopholes Found In Google Docs] and [Canadian firms lead in adopting cloud computing]
Online Privacy
In a paper set to be delivered at an upcoming security conference, University of Texas at Austin researchers showed how they were able to identify people who were on public social networks such as Twitter and Flickr by mapping out the connections surrounding their network of friends. From the ITworld article: “Web site operators often share data about users with partners and advertisers after stripping it of any personally identifiable information such as names, addresses or birth dates. Arvind Narayanan and fellow researcher Vitaly Shmatikov found that by analyzing these ‘anonymized’ data sets, they could identify Flickr users who were also on Twitter about two-thirds of the time, depending on how much information they have to work with.” [IT World article] [Source]
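The finding above rests on a simple observation: stripping names from a social graph leaves the friendship structure intact, and that structure can be matched against a second graph where the names are public. The Python below is an added toy illustration of a seed-and-propagate matcher written for this digest; it is not the researchers’ published algorithm or code. The two graphs, the node labels, the seed pairs and the ground-truth mapping are all constructed for the example. It is the kind of check a team reviewing an “anonymized” graph release would run to estimate how much of the release an auxiliary dataset could re-link.

```python
"""Toy structural re-identification of an 'anonymized' social graph.

Added example (not from the original page or the cited paper): a
simplified seed-and-propagate matcher. Every graph, label and seed
below is constructed for illustration.
"""
from collections import defaultdict


def build_adjacency(edges):
    """Undirected adjacency sets from an iterable of (u, v) pairs."""
    adj = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return adj


# Auxiliary graph with public handles (constructed), e.g. public 'follows'.
NAMED_EDGES = [
    ("alice", "bob"), ("alice", "carol"), ("bob", "carol"), ("bob", "dave"),
    ("carol", "dave"), ("dave", "erin"), ("erin", "frank"), ("carol", "frank"),
]

# 'Anonymized' release of a second site's friendship graph (constructed):
# names replaced by opaque ids, edge structure kept. The overlap is
# imperfect: edge n1-n5 exists only here, and n7 has no counterpart above.
ANON_EDGES = [
    ("n1", "n2"), ("n1", "n3"), ("n2", "n3"), ("n2", "n4"), ("n3", "n4"),
    ("n4", "n5"), ("n5", "n6"), ("n3", "n6"), ("n1", "n5"), ("n1", "n7"),
]

# Seeds: a handful of users already known to be the same person on both
# sites (constructed). Real attacks obtain these from profile overlap.
SEEDS = {"n1": "alice", "n2": "bob"}

# Ground truth, used only to score the matcher (constructed).
TRUTH = {"n1": "alice", "n2": "bob", "n3": "carol",
         "n4": "dave", "n5": "erin", "n6": "frank"}


def propagate(anon_adj, named_adj, seeds, min_score=1):
    """Extend the seed mapping: an anonymized node is linked to the named
    node that is adjacent to the most already-mapped neighbours, provided
    that candidate is a unique best. Low-scoring links are fragile, so the
    margin over the runner-up must be strictly positive."""
    mapping = dict(seeds)
    taken = set(mapping.values())
    while True:
        # Work on the node with the most mapped neighbours first.
        pending = [(sum(1 for x in anon_adj[a] if x in mapping), a)
                   for a in anon_adj if a not in mapping]
        pending = [p for p in pending if p[0] > 0]
        if not pending:
            break
        pending.sort(key=lambda p: (-p[0], p[1]))
        progressed = False
        for _, a in pending:
            scores = defaultdict(int)
            for nb in anon_adj[a]:
                if nb in mapping:
                    for cand in named_adj[mapping[nb]]:
                        if cand not in taken:
                            scores[cand] += 1
            if not scores:
                continue
            ranked = sorted(scores.items(), key=lambda kv: -kv[1])
            best, best_score = ranked[0]
            runner_up = ranked[1][1] if len(ranked) > 1 else 0
            if best_score >= min_score and best_score > runner_up:
                mapping[a] = best
                taken.add(best)
                progressed = True
                break  # priorities changed; recompute
        if not progressed:
            break
    return mapping


def reidentification_rate(mapping, truth, seeds):
    """Fraction of non-seed nodes with a counterpart that were correctly linked."""
    targets = [a for a in truth if a not in seeds]
    correct = sum(1 for a in targets if mapping.get(a) == truth[a])
    return correct / len(targets)


def run_demo():
    mapping = propagate(build_adjacency(ANON_EDGES),
                        build_adjacency(NAMED_EDGES), SEEDS)
    return mapping, reidentification_rate(mapping, TRUTH, SEEDS)


if __name__ == "__main__":
    mapping, rate = run_demo()
    for anon_id in sorted(mapping):
        print(f"{anon_id} -> {mapping[anon_id]}")
    print(f"re-identified {rate:.0%} of non-seed users; unmatched: "
          f"{sorted(set(TRUTH) | {'n7'}) and [a for a in ['n7'] if a not in mapping]}")
```

On this constructed input the matcher links every user who exists in both graphs from only two seeds, and leaves the site-only user n7 unmatched because none of its mapped neighbours has an unclaimed named neighbour. The practical lesson for a data-release review is that re-identification risk is a property of the graph structure, not of the columns removed, so the review should measure how much an available auxiliary graph can re-link rather than rely on the absence of names.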
Privacy International (PI) has filed a formal complaint with the Information Commissioner’s Office (ICO) about Google’s Street View mapping service, which launched in Great Britain last week. PI Director Simon Davies has requested the system be “switched off while an investigation is completed.” Google said: “The ICO has repeatedly made clear that it believes that in Street View the necessary safeguards are in place to protect people’s privacy.” But Davies insists the Street View product falls short of the assurances given to the ICO that enabled the system to launch, the report states. [Source] See also: [Street View Launched in the UK] [Smear Claims in Google Privacy Battle] and also: [Canadian MP Wants Google Boss to Explain Street Cameras] and [Opinion: Poilievre’s privacy posturing]
The Open Rights Group (ORG), a digital rights group, has written to the internet’s major companies asking them to opt out of Phorm, a controversial behavioural advertising system, in order to protect site users’ privacy. Companies can choose to have their sites excluded from the system. [Source] [ORG’s letter] Follow up: [Web Giants Mull Response to Behavioral Privacy Concerns]
Other Jurisdictions
New Zealand’s Telecommunications (Intercept Capability) Act, coming into full force on April 5, will let the Police, SIS and the GCSB (Government Communications Security Bureau) execute search warrants on internet service providers to grab users’ data. Depending on one’s point of view, it’s a milestone in law enforcement, or a major erosion of civil liberties. [Source]
Privacy (US)
As the US National Security Council works on its comprehensive review of federal cybersecurity programs for President Obama, it is going to great lengths to consider privacy and civil liberty issues. The House Cybersecurity Caucus met with Melissa Hathaway, the acting senior director for cyberspace for the National Security and Homeland Security Councils, who is conducting for the administration a 60-day cybersecurity review. [CNET]
Savana Redding, 19, was strip searched by school officials six years ago when teachers suspected she had brought prescription pills to school. An assistant principal, enforcing the school’s antidrug policies, suspected her of having brought prescription-strength ibuprofen pills to school. Ms. Redding, an honors student, had no pills. But she had a furious mother and a lawyer, and now her case has reached the Supreme Court, which will hear arguments on April 21. The case will require the justices to consider the thorny question of just how much leeway school officials should have in policing zero-tolerance policies for drugs and violence, and the court is likely to provide important guidance to schools around the nation.
In Ms. Redding’s case, the U.S. Court of Appeals for the Ninth Circuit ruled that school officials had violated the Fourth Amendment’s ban on unreasonable searches. Writing for the majority, Judge Kim McLane Wardlaw said, “It does not require a constitutional scholar to conclude that a nude search of a 13-year-old child is an invasion of constitutional rights.” “More than that,” Judge Wardlaw added, “it is a violation of any known principle of human dignity.” [Source] See also: [Rule Requiring Drug Testers to Know Athletes’ Whereabouts Draws Protest]
Bruce Schneier writes that: “In the United States, the concept of ‘expectation of privacy’ matters because it’s the constitutional test, based on the Fourth Amendment, that governs when and how the government can invade your privacy. Based on the 1967 Katz v. U.S. Supreme Court decision, this test actually has two parts. First, the government’s action can’t contravene an individual’s subjective expectation of privacy; and second, that expectation of privacy must be one that society in general recognizes as reasonable. That second part isn’t based on anything like polling data; it is more of a normative idea of what level of privacy people should be allowed to expect, given the competing importance of personal privacy on one hand and the government’s interest in public safety on the other. The problem is, in today’s information society, that definition test will rapidly leave us with no privacy at all.” [Source]
Security
Research from Symantec shows that 98% of the 1,000 IT managers from companies in the US and Europe said their companies experienced tangible loss from a cyber attack of some sort over the last two years. 46% of respondents said that cyber attacks resulted in downtime for their companies; 31% said customer and/or employee data were stolen; and 25% said corporate data were taken. Three-quarters of the European respondents said their companies are outsourcing some portion of their security operations. [Source] [Source]
The discovery of security gaps in a database housing the personal information of every child in England has delayed its implementation. The ContactPoint index contains sensitive details on 11 million children. It has been a source of controversy due to fears of potential privacy breaches and because so many people will have access to it: more than 300,000 workers, including teachers, police officers, social workers, healthcare professionals and others, will use ContactPoint. This is the third time the ContactPoint launch has been delayed over security-related concerns. Shadow Children’s Minister Tim Loughton said: “The Government has proved that it cannot be trusted to set up large databases or to keep our data secure.” [Source] See also: [UK Police identify 200 children as potential terrorists]
A survey of 50 companies reveals that firms that have experienced a public data breach spend more on the security aspect of application development than those that have not. The Open Web Application Security Project study also shows that Web application security spending will either stay flat or will increase for about two thirds of respondents’ companies. Other key findings include: 38% of respondents conduct third-party security reviews of outsourced code; 61% perform an independent, third-party security review before deploying Web applications; and just under half employ Web application firewalls. [Source] See also: [The Real Costs Of Data Breaches - Concerns That Go Beyond Money]
IT managers are concerned about where their electronic equipment is going after disposal because they are worried about sensitive data loss, not the environment, according to a new survey. The survey, conducted by Osterman Research for an e-waste disposal firm, polled approximately 110 IT managers and found two-thirds of respondents said their organizations do not have formal "green IT" plans. And when it comes to managing phased-out technology, IT managers are twice as concerned about data security as they are about being green, according to the report. According to the report, more than 41% of respondents said concerns about data security breaches from assets released from an organization is the primary motivator for adopting a formal IT asset disposal program. In comparison, just 25% said their disposal program is motivated by their business commitment to being "green." [Source]
Surveillance
The RCMP is seeking backdoor wiretap access to Blackberry devices. The law enforcement agency is concerned that email messaging with the Blackberry is secure and encrypted, which raises fears that it is widely used by criminal elements. Liberal MP Marlene Jennings touts her lawful access bill as the appropriate solution, while I respond with concerns about the impact on privacy and business. I also argue - as has long been the case in the lawful access discussion - that before jumping into legislative solutions, law enforcement must first demonstrate that the current laws have created a real impediment to their investigations. [Source]
New York’s top court weighed arguments over whether police can hide GPS trackers on suspects’ cars without first getting a court warrant showing probable cause the drivers are up to no good. At the center of discussion was the case of Scott Weaver, whose conviction in a Christmas Eve 2005 break-in was aided by a GPS device that state police secretly attached to his van for 65 days. Defense lawyer Matthew Hug said the GPS device intruded on his client’s right to privacy. “The potential for abuse is staggering,” Hug said, noting that the satellite technology tracks vehicles onto private property where police can’t routinely go. Albany County Assistant District Attorney Christopher Horn told the judges that GPS was essentially just another way of watching a vehicle, which police routinely do without first obtaining a warrant. He doesn’t believe GPS tracking is unconstitutional. Although Weaver was suspected of involvement in a string of burglaries, Horn said police would have had trouble establishing probable cause to get a court warrant to put the device on his van. Rulings in New York and federal courts so far say police can install the devices without getting approval from a judge. However, state courts in Oregon and Washington have said that police use of GPS without a warrant is prohibited under their constitutions. Another case out of Maryland is pending before a federal appeals court. The judges with New York’s Court of Appeals grilled both lawyers. They asked whether it would be lawful for people to attach GPS monitors on their neighbors’ vehicles, whether automakers could install them in all new cars so authorities could monitor movement and whether “no trespassing” stickers on bumpers would prevent a driver from being tracked by GPS. Their ruling is expected in April. New York state police spokesman Lt. Glenn Miner declined to say how many GPS trackers the agency owns or what they use them for. [Source]
The state is allowed to bug communication between lawyers and their clients, the House of Lords has said. The UK’s highest court ruled that the surveillance law, the Regulation of Investigatory Powers Act (RIPA), allows lawyers’ conversations to be bugged. Lawyers are allowed to withhold the details of communication with their clients from the police, prosecutors or courts. This long-established right is designed to allow a client to receive full and proper legal advice. Under legal professional privilege they can tell their lawyer the full facts of a situation without fear of the communications ending up as evidence against them. [Source]
After Stella escaped from the yard of her Los Altos home for the third time, her owner decided she needed a way to track the husky-mix dog. Her owner, Clare, found several options on the Internet but settled on a device called the Zoombak, which uses GPS technology and a cell signal to track the thing to which it is attached. Several experts on technology and ethics say that while the Zoombak and similar products have legitimate uses, they can be abused by stalkers, jealous partners and even overzealous law enforcement agents. Users who log onto a company Web site can see the exact location of the Zoombak, and whatever it’s attached to, on Microsoft Virtual Earth. Users also can ask to receive a text or e-mail message when the device enters or leaves a certain area. And that’s where privacy rights can be abused, some experts say. [Source]
Vancouver city officials want to install more closed-circuit television cameras (CCTVs) preceding the 2010 Winter Olympics. The city council will next week consider using $2.5 million in provincial and RCMP security unit funding to purchase and install them. The subject of CCTVs at the Games has been a source of debate between security officials and privacy advocates. Last month B.C. Information and Privacy Commissioner David Loukidelis said “Our hope is that Vancouver-area residents will not wind up surrounded by surveillance systems they neither want nor need. This would be an unfortunate legacy of the 2010 Games.” The city’s director of emergency management said “There is no intent to leave permanent cameras up that are installed for 2010.” [Source] See also: [Calgary Deploys Video Surveillance] and [Pittsburgh to go high-tech with security cameras]
Victoria’s top law reform body is investigating an explosion in CCTV numbers in Melbourne amid fears of unregulated spying. “The number of cameras and other surveillance items in public places has grown rapidly but the law had not coped with it,” the Victorian Law Reform Commission’s chairman, Professor Neil Rees, said. Prof Rees released a discussion paper and wants public submissions. The challenge was to find the right balance between potentially taking away people’s privacy and fundamental freedoms and stopping criminal behaviour. The commission’s report will not investigate police use of surveillance which, Prof Rees said, was a matter for another study because of the force’s special powers. Studies in the UK and New Zealand have recently also found widespread surveillance threatened freedom and privacy. [Source] [Victoria Law Reform Commission project pages on surveillance in public places] [Discussion Paper] [Executive Summary]
US Government Programs
The House of Representatives yesterday passed legislation to create more privacy posts in the Department of Homeland Security. H.R. 1617, sponsored by Rep. Christopher Carney, would install a privacy professional in each DHS division. The bill now moves to the Senate for consideration. If passed into law, the new staffers would be charged with ensuring DHS follows privacy laws and regulations. “Representative Carney’s bill would ensure that our privacy will not be neglected as laws and policies are implemented and carried out,” said the ACLU. [Source]
Senate Commerce Committee Chairman John D. (Jay) Rockefeller IV (D-W.Va.) and Senator Olympia Snowe (R-Maine) are drafting legislation aimed at improving the country’s cyber security. Most significantly, the bill would establish an Office of the National Cybersecurity Advisor which would be part of the Executive Office of the president. The office would have the authority to disconnect critical systems from the Internet if it has reason to believe they are under threat of imminent attack. The office would also be charged with overseeing a review of the national cyber security program every four years. [Source] [Source]
Virginia may be the latest state to opt out of the federal Real ID program to protect your privacy. A bill sitting on Governor Tim Kaine’s desk would prohibit Virginia from participating - unless some changes are made. Del. Bob Marshall says right now, the federal government could require financial information like a social security number or other information to be encrypted on the cards. “The problem is there is no restriction on it,” Marshall says. Marshall says he wants the public to email or call the governor and ask him to sign the bill. Kaine has until Monday to either sign, veto or amend the bill. A spokesman says the bill is one of many still under review. Ten other states have taken similar positions. [Source]
US Legislation
FBI Director Robert S. Mueller III urged lawmakers to renew intelligence-gathering measures in the USA Patriot Act that are set to expire in December, calling them “exceptional” tools to help protect national security. Mueller told members of the Senate Judiciary Committee he hopes that the reauthorization of two provisions would be far less controversial than in previous years. One of those provisions, which helps authorities secure access to business records, “has been exceptionally helpful in our national security investigations,” he said. Mueller said that his agents had used the provision about 220 times between 2004 and 2007. Data for last year were not yet available, he said. The measure allows investigators probing terrorism to seek a suspect’s records from third parties such as financial services and travel and telephone companies without notifying the suspect. The ACLU has criticized the provision, saying it violates the First Amendment rights of U.S. citizens. Another provision, permitting roving wiretaps of terrorism suspects, was used 147 times and has helped eliminate “an awful lot of paperwork,” Mueller said. In the past, authorities had to seek court approval for each electronic device carried by a suspect, from a cellphone and a BlackBerry to a home computer. But under the provision, one warrant can cover all of those machines. The ACLU issued a report this month describing “widespread abuse” of government authority under the Patriot Act. [Source] See also: [ACLU Report: RECLAIMING PATRIOTISM: A Call to Reconsider the Patriot Act]