Biometrics

UK – Pharmacists Want to Offer Biometric ID

UK pharmacists are lobbying to take part in the government’s national identity card scheme by offering a biometric identity service. The National Pharmacy Association wants its members to be able to collect photographs and fingerprints for people applying for an ID card or biometric passport. The move came on the day Smith announced that Manchester would become the first city in the UK where people can sign up for ID cards from this autumn. [Source] See also: [UK Retailers reject ID security fear]

CA – Alberta Privacy May Be an Issue at Drop-In Centre

The province’s privacy commissioner is concerned about new security measures at the Calgary Drop-In Centre. Staff at the centre is in the process of installing a new biometric security system. The system will take a photo of each client as they arrive and take a digital image of their fingerprints. Any client that refuses the process will not be allowed into the centre. Officials at the centre say this is the best way to keep track of who is using the centre because many of their clients don’t have identification. But the privacy commissioner’s office has concerns about the security of the information the centre is gathering. Officials at the Drop-In Centre say clients don’t need to worry about their privacy being breeched. “[The information] will never be used for outside organizations. It is a closed system, internal to the Drop-In Centre,” says Louise Gallagher, a spokesperson for the centre. At this point the privacy commissioner’s office can’t do much about their concerns because the Information and Privacy Act does not apply to non-profit organizations. [Source]

Canada

CA – Ontario Commissioner Cavoukian Releases Annual Report & Recommendations

Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, is urging the provincial government to make specific legislative changes and take additional steps to protect privacy and ensure greater accountability. In her 2008 Annual Report, released this week, the Commissioner cites how her sweeping recommendations from her seminal investigation into a privacy complaint against the video surveillance program of Toronto’s mass transit system have been hailed in the U.S. as a model that cities around the world can build upon, and in Canada as “a road map for the most privacy-protective approach to CCTV.” Among the recommendations she is making in her 2008 Annual Report, are:

- Amend the law to make it clear that all Ontario universities fall under FIPPA

- The government needs to set specific fees for requests for patients’ health records under PHIPA

- Ontario’s enhanced driver’s licence (EDL) needs a higher level of protection

[News Release] [2008 Annual Report] [A More Detailed Look at Compliance Rates and Other 2008 Access and Privacy Statistics: An adjunct publication to the 2008 IPC Annual Report] [Coverage]

CA – New Brunswick Opposition Wants Tougher Privacy Legislation

The Liberal government will introduce privacy legislation and prescription drug monitoring legislation in this sitting of the legislature, said Health Minister Mike Murphy. But the official Opposition says the Liberals are dragging their feet on the privacy issue. “A year ago next month, the government introduced a bill entitled Access to Information and Protection of Privacy Act,” said health critic Margaret-Ann Blaney. “In September of last year, the government introduced a discussion paper entitled Personal Health Information Access and Privacy Legislation.” “It has been a year in one case and nine months in the other case and nothing has passed into law,” said Blaney. “In the meantime on six occasions, the private, confidential health information of the people of New Brunswick has been compromised,” said Blaney. [Source]

CA – Alberta Government Wants Shots, Stabbings Reported

The Alberta government wants to compel medical workers to alert police about patients who’ve been shot or stabbed, one of several legislative changes being sought to combat growing gang problems in some communities. The proposed bill, called the Gunshot and Stab Wound Mandatory Disclosure Act, would turn what has been a discretionary practice by health care workers into a legal requirement. Alberta’s Information and Privacy Commissioner Frank Work, has questioned whether mandatory reporting is necessary, cautioning that the province must ensure the legislation doesn’t interfere with medical aid. Work has recommended the Alberta government clearly state what information medical workers must report to police and how. [Source]

CA – Bill Addresses Do-Not-Call Debate

It was reported last week that recently tabled anti-spam legislation includes provisions to eliminate the national Do Not Call list. If passed, the [Electronic Commerce Protection Act] would repeal sections of the Telecommunications Act pertaining to the list, and would, instead, prohibit telemarketers from contacting Canadian consumers unless they have opted-in to such efforts. The Do Not Call list has come under scrutiny in recent months due to its enforcement mechanisms and the fact that a percentage of those registered on the list are receiving more, not fewer, telemarketing calls. [Source]

CA – Winnipeg Nightclubs Must Limit Personal Info Collection

A court case initiated by the federal privacy commissioner against the Canad Inns hotel group has been adjourned after successful mediation. The commissioner took action in January to stop the Manitoba hotel chain from scanning the IDs of patrons at seven of its nightclubs. Canad said obtaining and saving patron information was necessary to prevent criminal behavior in its clubs and to aid investigators should an incident occur. The agreement reached in court this week allows Canad to continue examining patrons’ IDs, but it must “limit the personal information collected to the name, picture and birth date of patrons,” court documents say. [Source]

CA – Alberta Bill Would Let Bars Collect Patron Data

A bill designed to keep gang members out of Albertan bars is popular with bar owners’ associations, but less so with patrons and privacy advocates. If passed, Bill 42 would let bars collect the name, age and photograph of customers as a condition of entry. Management could also share the information with other bars or police. The legislation received a skeptical nod from provincial privacy commissioner Frank Work, who said it’s a better solution than the licence-scanning practice employed by certain nightclubs. But some question bars’ need for such data. “They’re just creating this massive database of people coming and going,” one man said. [Source] [Bill 42]

Consumer

WW – Women are More Often Victims of ID Theft: Survey

Women become victims of identity theft more often than men and lose more money they never recover, according to a new report by the Affinion Security Center, an ID theft security company. 28% of women surveyed said they were victims of identity theft, compared with 21% of males, the poll found. The national survey also found that 17% of the female respondents lost $1,000 or more, which they never recovered, while just 10% of men reported losses that high. The Affinion Security Center survey, exploring the impact of identity theft on victims, mirrors a recent study conducted by Javelin Strategy and Research, which found that women are more likely to become victims of ID theft. But the survey’s results spotlight gender disparities in identity theft and differences in how women and men change their behaviors after being defrauded. Researchers said they believe women become victims more often because they tend to make more household purchasing decisions than men as traditional managers of the home. The majority of females surveyed (79%) said they were more concerned about becoming victims of ID theft than having their homes invaded or cars stolen; 71% of male respondents said they had concerns about becoming a victim. [Source]

CA – Comment Deadline Extended on Proposed GAPP Changes

The Canadian Institute of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants (AICPA) have extended to June 1 the deadline for public comment on the recently released exposure draft of proposed changes to their Generally Accepted Privacy Principles (GAPP). GAPP is a comprehensive global privacy framework that creates a basis for conducting a privacy self-assessment or audit. The changes include additional criteria on privacy risk assessments; privacy incident and breach management; privacy awareness and training; and personal information on portable media. The CICA and AICPA have also released a free privacy risk assessment tool to help organizations assess their privacy risk. [Source] [March 13 GAPP Exposure Draft]

US – IAB Publishes Social Media Metrics Definitions

The Interactive Advertising Bureau (IAB) has released definitions for social media advertising metrics.

The document helps create a road map for advertisers on how to make social media purposeful, measure a wide variety of user interactions and monitor online dialogue, and to put numbers around it that marketers can understand. Below are just a few of the thing the IAB document defines:

o Application and video installs.

o The number of relevant actions, including newsfeed items posted, comments posted, uploads, poll votes, and so forth.

o Conversation size, which measures the number of content relevant sites and content relevant links, and the monthly uniques spread across those conversations.

o Site relevance, which measures the density with which phrases specific to a client concern are brought up among relevant sites.

o Author credibility, such as how relevant the author’s content is and how often it is linked to.

o Content freshness and relevance, which defines how frequently an author posts.

o The average number of friends among users of a specific application.

o Number of people currently using an application. [IAB Defintiions]

E-Government

US – New Firm Mines Its Political Polling Expertise

A bipartisan group including some former senior White House staffers will take its polling know-how to the Web. Sara Taylor, who worked as the political director for President George W. Bush, has brought together some unlikely bedfellows to form Resonate Networks, an advertising firm that will use data on political leanings and attitudes to help companies and interest groups sell online ads. “This is the Web 2.0 of the micro-targeting world,” said Taylor. “For public affairs advertisers, the micro-targeting possibilities are limitless when it comes to identifying, persuading or motivating high-quality online audiences for an issue-based or branding campaign.” Taylor worked with Bush aide Karl Rove to use similar micro-targeting techniques in the 2004 presidential campaign. She said Resonate will take those techniques a step further by using information from surveys and the tracking of online behavior to directly target consumers. It’s part of a nascent field called attitudinal targeting that could allow a food or health-care company, for example, to sell ads that push an industry viewpoint to sites most frequented by mothers concerned about childhood obesity. Or the technology could help an environmental group sell banner ads on sites most frequented by moderate Republican voters who are concerned about global warming, the firm said. “The big challenge has always been segmenting audiences based not just on who they are, where they live and what they earn, but what they believe, how influential they are and the degree to which they are willing to engage on an issue,” Ickes said. [Source]

AU – Privacy Commissioner Issues Research, Guide on Securing Portable Data

Many Australian government agencies do not have appropriate controls covering the use of portable storage devices (PSDs) for the handling of personal information. According to new research by the Office of the Privacy Commissioner, this personal information is being lost at an alarming rate. While agencies have policies regarding the transfer of personal information, more care needs to me taken to protect data on USB keys, PDAs and optical disks. More than (58%) of agencies have experienced the loss or theft of an agency-issued PSD within the past 12 months. Conducted by Orima Research during March and April, the research involved a survey of 94 federal Government agencies. The research indicates 75% of agencies have policies covering the secure transfer of records to external parties, and 69% have policies for staff temporarily working away from the office. Some 81% of agencies have policies covering uses of agency-issued PSDs, but only 55% have policies covering uses of privately owned PSDs. While nearly all agencies – 97% - keep a PSD register only 56% are using minimum encryption standards. Agencies are more likely to use software controls (54%) than hardware controls (16%) to manage or restrict their use. Curtis said the research will help the privacy office assess risks associated with PSDs “given their growing use by government” and reports of data breaches around the world. The Office of the Privacy Commissioner has also developed a guide to help agencies better manage PSDs. The guide is online here, and the report can be downloaded from here. The report and recommendations come during Privacy Awareness Week 2009. [Source] [New Zealand Privacy watchdog pushes agencies on USB stick security]

US – CDT Recommends Standards for Use of Analytics Tools on Federal Web Sites

CDT and EFF have released a joint report examining the use of analytics tools on federal agency Web sites. Analytics typically track user behavior on a site; the data is used create a better user experience. The report analyzes existing policy and makes recommendations for how federal agency Web sites can use analytics tools while protecting citizen privacy. Agency Web sites will play a key role in the Administration’s plan to create an environment that fosters a more participatory government, but new uses of technology must be approached with special attention given to privacy. [Full text of report] [Press Release] SEE ALSO: [Future of Privacy Forum Letter to the White Office of Science and Technology Policy]

Electronic Records

CA – Telus Health Space, Powered by Microsoft HealthVault, Launched in Canada

TELUS has announced that it has signed an agreement with Microsoft Corp. in which TELUS is granted the exclusive license to host and operate the HealthVault platform for the development of a consumer-focused e-health service in Canada. The service will be called TELUS Health Space, powered by Microsoft HealthVault. The service will be the first of its kind in Canada, letting Canadians manage and store their personal health information and have access to applications like personal health record, chronic disease management, pediatric care and wellness products that will allow better management of their health and the health of their family. TELUS Health Space will make the service available to organizations such as governments, health regions, hospitals, insurers and employers, who would like to offer the service to their constituents. TELUS will operate Health Space’s infrastructure and securely host all stored health data in Canada to help ensure consumer privacy. [Source] See also: [Infoway: Patient Data Must Reside in Canada]

Encryption

US – End-to-End Encryption Coming in Q3

Heartland Payment Systems will begin trialing an end-to-end encryption system late this summer. The company is developing the system along with soon-to-be-announced technology partners. Merchants and processors in Spain already use end-to-end encryption, but the Heartland system is expected to be the first of its kind in the U.S. The company is also pushing for an end-to-end encryption standard. [Source] See also: [Heartland earns back spot on PCI-approved list] and [Heartland Data Breach: Is End-to-End Encryption the Answer? Experts Say New Measure is a Start, but Industry Standards are Needed]

EU Developments

UK – ICO Hopes Report Sparks Debate

UK Information Commissioner Richard Thomas says he hopes the results of a Rand Europe study on the EU Data Protection Directive will stimulate debate. Rand made nine recommendations for improving the 15-year-old directive, such as implementing better methods for exporting data outside of Europe. “This is an approach that will have appeal across Europe,” said Hunton & Williams partner Bridget Treacy, “as many of the European data protection authorities would be very resistant to any suggestion that there needs to be wholesale change.” Thomas said he hopes the report encourages “people to think about what twenty-first century data protection law should look like.” [Source] [Coverage] [ICO Press Release] [Rand Europe study: Review of the European Data Protection Directive] [Report Summary]

EU – EU Breach Notification Law Passed

The European Parliament this week passed legislation requiring European telecoms and ISPs to notify their customers in the event of a personal data breach. The measure was part of a telecom law package that the Council of Telecom Ministers will now consider for ratification. “This will increase the incentives for better protection of personal data by providers of communications networks and services,” said the Commission. Earlier this week, European telecommunications commissioner Viviane Reding said the EC will pursue breach notification mandates across government and other business sectors by 2012. [Source] [NYT] See also: [UK - Survey: Data security awareness up in the Public Sector] UPDATE: European Parliament drops insistence that breach notifications be extended to online banking, email or other service providers]

EU – CNIL Report Opens Dialogue on Targeted Advertising

The French data protection authority (CNIL) hopes its report on targeted advertising will feed a debate on the topic. The 30-page report is CNIL’s first step in bringing the targeted advertising sector in line with European data protection principles. The report explores privacy challenges, jurisdictional issues and “personal” data. The authority calls for debate, better education and, perhaps, a code of conduct. Today, the CNIL issued its annual report for 2008, outlining last year’s key topics and priorities for 2009. [Source] [CNIL Report: La publicité ciblée en ligne]

Filtering

WW – New Web Censor Evasion Toolkit Launches: Psiphon

Mentioned in a NYT article by John Markoff about tools such as Tor used in places like China and Iran to route around internet censorship, this word of a new browser-based toolkit. Political scientists at the University of Toronto have built yet another system, called Psiphon, that allows anyone to evade national Internet firewalls using only a Web browser. Sensing a business opportunity, they have created a company to profit by making it possible for media companies to deliver digital content to Web users behind national firewalls. From their press release: At the heart of the new venture is Psiphon’s Managed Delivery Platform (MDP), in which large-scale producers of content push their media through Psiphon’s proprietary cloud-based system to consumers in denied environments. On the user end, the free service is encrypted, requires no software to download, is multimedia capable, and can even work through mobile smart phone platforms, such as the iPhone. Users can sign on to Psiphon in a variety of ways: through email invites from trusted friends and colleagues, for example, or through Psiphon’s innovative “right2know” technology, which allows media producers to show consumers in censored environments content which is not available to them. www.psiphon.ca See ALSO: [NYT: With new software, Iranians and others outwit net censors]

Finance

US – Court OKs Class-Action Settlement

A U.S. District Court judge has approved the settlement agreement for a class-action suit against TD Ameritrade Holding Corp. The settlement provides for more than six million accountholders affected by a 2007 data breach. Ameritrade will pay nearly $2 million in legal fees and will provide victims with anti-spam services. The agreement also allows for victims to pursue future identity theft claims. In his order, U.S. District Judge Vaughn Walker said: “The court is particularly concerned that TD Ameritrade has agreed to pay the class counsel $1.87 million and yet the class itself will receive no monetary award.” [Source]

FOI

CA – CBA Supports Amendments to Access to Information Act

The CBA expressed its support for proposed changes to the Access to Information Act (ATIA) as the most important vehicle for citizens’ access to government records. The CBA urged the government’s Standing Committee on Access to Information, Privacy and Ethics to consider reinstating or even expanding a central tracking system for access requests. “There is a compelling public interest in knowing that the ATIA is as effective and efficient as possible in meeting the needs of the public,” says the CBA’s submission. David Fraser and Priscilla Platt of the National Privacy and Access to Information Law Section presented the submission to the federal government on May 6. [News release] [Submission].

CA – FOI Deadlines Regularly Missed by BC Govt: Study

The B.C. government routinely breaks the law when dealing with freedom-of-information requests from the media, political parties and other interest groups, a new report says. The study by the B.C. Freedom of Information and Privacy Association says the Liberal government fails more than half the time to meet legal deadlines for releasing information to news outlets. In the case of responding to political parties, government exceeds time limits nearly two-thirds of the time. “Political interference is the rule of the day,” Darrell Evans, the association’s executive director, said in an interview yesterday. He said the study -- Failing FOI -- was timed for release during the B.C. election campaign in an attempt to get the system fixed. Campbell promised improvements when he was in opposition, and then made it worse once in power, Evans said. “What pains us most is the hypocrisy,” he said. [Source] [FIPA News Release] [FAILING FOI: How the BC Government flouts the Freedom of Information Act and stonewalls FOI requests - An analysis of the BC Government’s response to freedom of information requests, 2006 – 2008] [BC OIPC 2008 Annual Report: TIMELINESS OF GOVERNMENT’S ACCESS TO INFORMATION RESPONSES]

Genetics

UK – Britain to Remove Some DNA Profiles from Database

Britain bowed to a court ruling and promised this week to remove the DNA records of hundreds of thousands of innocent people from its vast national database of genetic information – but many will have to wait up to 12 years for their details to be deleted. People arrested on suspicion of a vast range of minor offenses, from shoplifting to public drunkenness, will have their DNA profiles held for six years even if they are not charged. Critics accused the government of flouting the spirit of a European Court of Human Rights ruling and undermining the legal presumption of innocence in British law. The court in December rejected Britain’s “blanket and indiscriminate” storage of genetic information. “People in Britain should be innocent until proven guilty,” said Chris Grayling, law and order spokesman for the opposition Conservatives. “Ministers are just trying to get away with as little as they possibly can instead of taking real action to remove innocent people from the DNA database.” [NYT Source] [Government will keep DNA for up to 12 years despite European court ruling] and [DNA pioneer condemns plans to retain data on innocent]

Health / Medical

CA – New Brunswick Health Minister: Privacy Bill Coming

New Brunswick Health Minister Mike Murphy says that privacy legislation will be introduced in this sitting of the legislature. Critics have condemned Liberals for taking too long to pass healthcare privacy legislation. Nearly a year has passed since the government introduced the not-passed Access to Information and Protection of Privacy bill, and “in the meantime on six occasions, the private, confidential health information of the people of New Brunswick has been compromised,” says health-critic Margaret-Ann Blaney. “The fact is that we have indicated we have privacy legislation coming forward in this sitting,” Murphy said. [Source]

US – Cyber Intruders Claim to Hold Virginians Personal Health Data Hostage

A posting on Wikileaks.org claims that cyber attackers stole data of about eight million patients from the Virginia Department of Health Professionals’ Virginia Prescription Monitoring Program website; they are demanding US $10 million in ransom for their return. The intruders claim to have encrypted the database and protected it with a password. That particular site is presently unavailable as are several others related to the Virginia Department of Health Professionals. The ransom note says that if the money is not paid within seven days, the data will be offered for sale. Federal and state authorities are investigating. [Source] [Source] [Source]

HK – Hong Kong Privacy Commissioner Launches Hospital Privacy Campaign

The privacy commission and Hospital Authority have launched a HK$200,000 campaign to protect patients’ details following leaks at public hospitals. The Care for Patients - Protect Their Personal Data campaign is the largest the commission has organized for a specific profession. The Office of the Privacy Commissioner for Personal Data commission will, in the 12-month campaign, run seminars, display panels, quizzes and an online self-training module for staff at hospitals and clinics. [Source] [Source] [Source]

UK – Privacy Watchdog Concerned Over Electronic Health Records

The Information Commissioner has expressed concern that electronic patient records are not secure enough following the revelation that Lanarkshire NHS patient data was found on a hard drive purchased on eBay. Speaking to Channel 4 News, Information Commissioner Richard Thomas said that the recent spate of data losses had prompted talks with the NHS on how to ensure adequate privacy practices are in place. “As we move towards electronic health records across England we do have anxieties. We talk very closely with the NHS to ensure that they are taking security seriously but they’ve got to be very vigilant indeed to get security right,” he said. The two disks from Lanarkshire NHS trust contained patient data relating to radiology and x-rays, including thumbnails of x-rays and sensitive correspondence. [Source] See also: [Baby records theft sparks inquiry by NHS]

US – California Imposes $250K Sanction

California regulators yesterday imposed the first monetary sanction since a new law to help protect patient privacy went into effect on January 1. The Department of Public Health imposed a $250,000 fine, the maximum allowed under the new law, on Kaiser Permanente’s Bellflower hospital for failing to prevent unauthorized employees from accessing the medical records of a high-profile patient. “It is the hospital’s job to prevent these breaches from occurring, not just crack down after the fact,” said California’s HHS Secretary Kim Beishe. In a written statement, Gov. Schwarzenegger said: “The fine issued today should be a reminder that there are consequences for violations of medical privacy.” [Source]

Horror Stories

US – Hard Drive Sold on eBay ‘Had Details of Top Secret U.S. Missile Defence System’

The latest results in a five-years-running study might prompt some to review data destruction policies. University researchers purchased 300 drives from eBay and other retailers, finding that 34% of disk drives still contained confidential data. Banking details, blueprints, patient records, employee data, embassy logs and details on a ground-to-air missile defence system were among the data left behind. Study leads at the University of Glamorgan in Wales say that over the past 5 years the volume of drives containing sensitive data has fallen, but the volume of data exposed has increased.. [Source]

US – Hackers Breach UC Berkeley Computer Database

University of California, Berkeley, officials said Friday that hackers infiltrated restricted computer databases, putting at risk health and other personal information on 160,000 students, alumni and others. The university said data include Social Security numbers, birth dates, health insurance information and some medical records dating back to 1999. Personal medical records - such as patient diagnoses, treatments and therapies - were not compromised. [Washington Post]

US – Lexis Nexis and Investigative Professionals Breach Affects 40,000 People

The United States Postal Inspection Service is investigating a data breach that affected customers of Lexis Nexis and Investigative Professionals. As many as 40,000 individuals are believed to be affected by the breach; of those approximately 300 had their personal information used to make fraudulent credit card purchase. Affected customers have been notified by a letter that says the unauthorized access occurred between June 14, 2004 and October 10, 2007 and that compromised information included names, dates, and in some cases, SSNs. The letter also says that the perpetrators “were operating businesses that at one time were both ChoicePoint and Lexis Nexis customers.” [Source] [Source] [Source]

Identity Issues

UK – ID Scheme Will Cost £400m Annually

The UK government could save around £400m each year if it cancelled identity cards and stuck with the current generation of passports, according to Home Office figures. If start up costs of £300m are included, the National Identity Scheme looks set to cost government and citizens around £4.3bn more than the cost of current passports over a decade. This is more than triple the £1.31bn specific cost of identity cards over a decade released by the Home Office earlier this week. This is because the £400m annually also includes the cost of adding fingerprints to passports - the current ones include only digitised photos - the costs to the rest of government of the National Identity Scheme and the charges made to individuals for having their biometrics taken. The figures were released in an impact assessment signed by home secretary Jacqui Smith and placed in the House of Commons library on 6 May 2009. “It is crazy to fritter away billions of pounds on an unnecessary and intrusive ID card scheme during the biggest crisis in public finances for a generation,” said Liberal Democrat shadow home secretary Chris Huhne. “Only the most profligate of governments would stick with this ridiculous plan when costs are spiralling out of control. It shows just how out of touch ministers are that they think charging people through the nose to invade their privacy is acceptable.” [‘Lunatic’ Smith doubles ID card costs for Mancunians] [Pilots plot air raid on Jacqui over ID cards] [Anonymity proves grey area for IDScan] [Source]

UK – Pilots Refuse to Take Part in National Identity Card Trials

Airline pilots are to become the first group to refuse to take part in the national identity scheme when compulsory trials start at Manchester and London City airports this autumn. The British Airline Pilots’ Association (BALPA), which represents more than 80% of commercial airline pilots, is to mount a legal challenge to Home Office plans to use “critical” airside workers as the first compulsory “guinea pigs” for the scheme. MPs are shortly to be asked to approve the powers to compel the pilots and other airside workers at the two airports to register for the national ID card scheme as part of their “pre-employment” checks. The £30 fee is to be waived as an incentive for them to sign up. The pilots’ union has protested to ministers that the £18m scheme cannot be regarded as voluntary when they are being told they will not qualify for an “airside pass” without them: “ID cards will have absolutely no value as far as security is concerned. This is nothing other than coercion and promises that ID cards would be voluntary have been broken,” Jim McAuslan, BALPA general secretary, has told ministers. “We will resist.” [Source]

CH – Shaky Security of Swiss Biometric Passports

A test report by the Swiss supervisory authority for communications (Bundesamt für Kommunikation (Bakom) says the Swiss E-Pass reader system is not proof against interception. Bakom experts evidently managed to intercept data transmitted by an E-Pass chip to two readers under test. The Swiss Tages-Anzeiger reports that Bakom, in an as yet unpublished test report, lists “several security flaws”. The system is now to be modified at Bakom’s recommendation. According to the report, Bakom’s testers were able to snoop remotely on the reading process using a simple receiver. The conclusion of Bakom is reported to be that, under “ideal conditions”, this could be done from a distance of up to 25 metres. The data stream thus obtained could be stored and further processed offline. Worse than that, it is said that such reader systems can also route data over the mains supply system “unintentionally”, allowing them to be picked up from much greater distances – more than 500 metres away. The Swiss Federal Office of Police (Fedpol), which commissioned the investigation, emphasised that the intercepted data were still encrypted, reports the Tages-Anzeiger, but wanted to draw the consequences all the same and, on Bakom’s recommendation, want the readers to be retrofitted with filters that would make it more difficult to eavesdrop on the data by means of radio or via the mains system. Since 2006, under a pilot project, passports fitted with a chip storing biometric characteristics of the holder have been issued in Switzerland on a voluntary basis. Following Switzerland’s accession to the Schengen Agreement at the turn of the year, the plan is for all Swiss citizens to be issued with a new E-Pass in future. But the citizens will have the last word on this; In a referendum on 17 May, Swiss voters will decide whether the obligatory introduction of this personal document goes ahead. [Source]

US – Center for Applied Identity Management Research Releases 1^st Annual Report

The Center for Applied Identity Management Research (CAIMR), a trusted public-private partnership of cross-disciplinary experts focused on conducting applied research that addresses current and future identity management challenges, has announced the release of its first annual workshop report, “An Applied Research Agenda for Confronting Global Identity Management Challenges,” that outlines several key areas of focus for the organization in 2009. The consensus of the workshop participants was that a bold, comprehensive, and innovative applied research agenda is required to solve the identity management challenges faced by society today and in the future. CAIMR has identified four of the most prevalent identity management challenges that the organization will examine as it builds its applied research agenda this year:

The Cyber Challenge
The Information Protection Challenge
The Information Sharing Challenge
The Policy and Privacy Challenge, including:

o Assessing the effectiveness of implemented policies (legislation or regulation) to address identity management issues such as credit freezes to protect future harm from identity theft or Red Flag Regulations; and

o Assess the impact of proposed identity management policies.

In addition, CAIMR’s workshop participants identified over 100 scenarios including threat scenarios which described how an identity can be compromised and threat mitigation scenarios which described how an identity can be protected. These threat scenarios span every industry, government agency and personal use for the Internet. Examples include:

Account take-over fraud against bank/retailer/healthcare providers
Attack on an identity database
Cyber threats to enterprise attribute-based controls
Insider misuse of corporate assets/information
Gain access to credit/financial data by fraud
Using botnet networks to extort or hijack identity
Identity fraud in thin file situations
Relating real-world identities to 2^nd life identities [Source] [First annual workshop report: An Applied Research Agenda for Confronting Global Identity Management Challenges]

Internet / WWW

US – McAfee Introduces First Online Center to Assist Victims of Cybercrime

Consumers in the United States have lost close to $8.5 billion over the last two years to cybercrime, according to Consumer Reports. In response, McAfee has launched the Cybercrime Response Unit, the first online center to aid the diagnosis of cybercrime and help an individual recover from the crime. The Cybercrime Response Unit helps consumers and small business owners identify if they have been the victim of a cybercrime and recommends next steps. The free online service directs victims to appropriate law enforcement, credit agencies and other resources to address their situation. The site also provides a forensic scanning tool based on McAfee’s Global Threat Intelligence. It assesses whether an individual has malware running on his or her computer or has visited malicious Web sites that may have stolen personal information. A squad of specially trained Cybercrime Response Unit Agents is available to assist victims by telephone in the most serious cases. The Cybercrime Response Unit Web site directs those cases to the toll free phone lines as appropriate. “We want to help the victim to understand the types of risky online behaviors that can lead to cybercrime so they can better avoid it in the future, and be empowered to use the Internet safely,” said DeWalt. “Ultimately, educated users help us fight against cybercriminals.” [Source]

Law Enforcement

WW – Officers Wrongly Accessed Personal Info

Police officers in two nations have been cited for violations of data protection regulations. Edinburgh officer Anna Wong was suspended and charged with 54 breaches of the Data Protection Act for using Scotland’s Intelligence Database and other systems to find personal details on people she knew. The Ottawa Citizen reports that a constable will have to forfeit $6,000 in salary for using the Canadian Police Information Centre (CPIC) database and another information system to find information on potential tenants for his landlord friend. “CPIC and RMS abuse is considered a serious offence,” said the prosecutor. [Source]

Location

US – Wisconsin Court Upholds GPS Tracking by Police

Wisconsin police can attach GPS to cars to secretly track people’s movements, an appeals court ruled. Mounting a GPS on a car without the driver’s knowledge is legal as long as it’s done in public, the Madison-based District 4 Court of Appeals ruled. So is using the device to track the movements, whether the drivers are suspects or not, the three-judge panel concluded. “So far as we can tell, existing law does not limit the government’s use of tracking devices to investigations of legitimate criminal suspects,” Judge Paul Lundsten wrote. “If there is no Fourth Amendment search or seizure, police are seemingly free to secretly track anyone’s public movements with a GPS device.” But the judges said they “are more than a little troubled” by their own conclusion and asked Wisconsin lawmakers to consider regulating the use of GPS by police, businesses and individuals. Lawmakers also may want to regulate how businesses and individuals use GPS and similar tracking devices, the court said. Some uses, such as a trucking company tracking its vehicles, are legitimate, it said, but others are not. Using GPS to monitor a person, on its own, would not be enough for a stalking charge, the court said. Larry Dupuis, legal director of the ACLU of Wisconsin, said using GPS to track someone’s car goes well beyond observing them in public. “That’s an involuntary intrusion on somebody’s property,” he said. “My initial reaction is, there’s got to be something wrong with this.” [Source]

US – Victory for Location Privacy in New York GPS Tracking Case

The highest court for New York state has ruled in People v. Weaver that police may not use a GPS device to track the movements of your vehicle without first getting a warrant. (Opinion) In Weaver, state police placed a GPS tracking device on the defendant’s car and tracked it for 65 days for no apparent reason. GPS devices are sophisticated tracking devices that give officers extremely detailed, round-the-clock information about the movements of a vehicle or tagged suspect. As the Court recognized, the GPS unit will disclose trips of an indisputably private nature from which the government can infer not simply where we go, but our political, religious and amorous associations,” GPS poses a categorically different kind of privacy threat than simple tracking beepers previously allowed without a warrant in U.S. Supreme Court cases from the early 1980s. For these reasons, suspicionless, warrantless GPS tracking violates the state guarantees against unreasonable searches and seizures. EFF and the ACLU for the National Capital Area have filed a similar brief in United States v. Jones, a pending federal case in the District of Columbia Court of Appeals where FBI agents planted a GPS device on a car while it was on private property and then used it to track the position of the automobile every ten seconds for a full month, all without securing a warrant. We look forward to that court’s decision in light of the solid reasoning in Weaver. [Source]

Offshore

TR – 70,000 Phones Tapped by the Turkish State in the Last 3 Years

In Turkey the revelation last month by the ministry of justice that 70,000 telephones have been monitored by the state in the last three years, has provoked a major controversy. Many of the telephone taps are related to an ongoing investigation and trial into an alleged conspiracy to overthrow the Islamic rooted government. But there is an increasing feeling that the investigation could turn Turkey into a big brother state. The widespread use of tapping has led to a boom in the sale of devices to block telephone monitoring. The scope of the investigation continues to widen and there are new revelations practically every week. Concerns are also being raised internationally. The European Union and the United States initially welcomed the investigation into the alleged conspiracy against the government, seeing it as part of Turkey’s democracy drive. It would put an end, they hoped, to the era of military interventions and coups. But, as police rounded up journalists, human rights activists, artists and academics in an ever-expanding case, some question whether the ruling party has seized the judiciary, once a bastion of the secularist elite, to punish its political opponents. [Source]

Online Privacy

WW – Fbcontroller Allows for Hijacking of Facebook Accounts

A computer security enthusiast in India has released a tool designed to allow people to take complete control of strangers’ Facebook accounts if they can get hold of the targets’ session cookies. It also could be used to manage large quantities of hijacked accounts. [CNET] [Blog] SEE ALSO: [Your social networking info can sting you in court] and [Don’t Twitter your porn name: privacy commissioner]

Other Jurisdictions

EU – Greece Puts Brakes on Google Street View

Greece’s data protection agency has banned Google from expanding its Street View service in the country, pending “additional information” from the firm. Street View gives users a 360-degree view of a road via Google Maps. Authorities want to know how long the images would be kept on Google’s database and what measures it will take to make people aware of privacy rights. [BBC]

WW – Google Reshoots Japan Street Views after Privacy Complaints

In a statement, Google said it would reshoot photos for the Japanese version of its Street View service. The company will lower its car cameras 16 inches to allay privacy concerns. The concession follows complaints that the tall cameras captured images over fences and into private homes. “It is certainly a fact that there have been concerns,” said a Google Tokyo spokesperson. Earlier this week the Hellenic data protection authority banned Google from photographing Greek cities pending further guidance, and Hungary’s privacy ombudsman said he would monitor Street View’s rollout in that country. [Source]

Privacy (US)

US – Audit Reveals “Shocking Findings”

Inside the data leakage audit of a Boston-based pharmaceutical firm: during the 15-day review, auditors examined outbound e-mail, FTP and Web communications, revealing 11,000 potential leaks, more than 700 critical information leaks and violations of Payment Card Industry and other security standards. Among the “worst leaks:” confidential zip files and attachments sent by e-mail to an outside vendor; unencrypted e-mailing of a clinical study to an outside vendor; the mailing of employee compensation data to an outside company. “We thought we were in good shape...” said the company’s CIO. “This just goes to show you can do all that and it’s just not enough.” [Source]

Privacy-Enhancing technologies (PETs)

EU – EC Wants Software Makers Held Liable For Code

Software companies could be held responsible for the security and efficacy of their products, if a new European Commission consumer protection proposal becomes law. Commissioners Viviane Reding and Meglena Kuneva have proposed that EU consumer protections for physical products be extended to software. The suggested change in the law is part of an EU action agenda put forward by the commissioners after identifying gaps in EU consumer protection rules. [CNET]

RFID

EU – EC Sets out Privacy Requirements for Smart RFID Tags

The European Commission has set a code of conduct for companies using RFID tags that it hopes will safeguard citizens’ privacy and allow the quick rollout of the new technology. The Commission’s code of conduct, which took the form of a formal recommendation to national governments, was welcomed by the industry. The Commission’s recommendation comes after a lengthy consultation with privacy groups, consumer groups, retailers and makers of the smart chips, and is designed to allay fears that the new tags could be used to track citizens’ movements or compromise their data protection. It lays out 4 basic principles to protect privacy that all companies using or making RFID chips must respect:

o The chip inside an RFID-enabled product must automatically deactivate at the point of sale once the product is bought by a consumer, unless the consumer expressly asks for it to remain active.

o Companies or public authorities using smart chips should give consumers clear and simple information so that they understand if their personal data will be used, the type of data collected (such as name, address or date of birth) and for what purpose. They should also provide clear labeling to identify readers, which are the devices that “read” the information stored in smart chips.

o Retail associations and organizations should promote consumer awareness on products containing smart chips through a common sign to indicate when products use the technology.

o Companies and public authorities should conduct privacy and data protection impact assessments before using smart chips. These assessments, reviewed by national data protection authorities, should ensure that personal data is secure and well protected. [Source] [website] [EU Press Release (12 May)] [FAQ] [The Guidelines] [2-page ‘Citizen’s Summary] [Summary of Impact Assessment] [EU RFID Consultation Website] [Coverage]

Security

CA – CATSA Eyeing More Body Scanners at Airports

Digital body scanners may be coming to some Canadian airports. The Canadian Air Transportation Security Authority (CATSA) completed a six-month trial of the imaging technology at B.C.’s Kelowna International Airport in January, and hopes to install scanners in seven more airports, pending approval from Transport Canada and the Office of the Privacy Commissioner (OPC). While generally considered a boon to security, the scanners have been controversial due to the revealing images they produce. The OPC has cautioned the authority on the need for immediate destruction of the data produced, among other good practices. [Source] See also: [IPC Paper: Whole Body Imaging in Airport Scanners: Activate Privacy Filters to Achieve Security and Privacy]

WW – Study: 34% of Discarded Hard Disk Drives Contain Confidential Data

A third (34%) of discarded hard disk drives still contain confidential data, according to a new study which unearthed copies of hospital records and sensitive military information on eBayed kit. The study, sponsored by BT and Sims Lifecycle Services and run by the computer science labs at University of Glamorgan in Wales, Edith Cowan University in Australia and Longwood University in the US, also found network data and security logs from the German Embassy in Paris on one purchased drive. Researchers bought 300 drives from eBay, other auction sites, second-hand stalls and car boot sales. A disk bought on eBay contained details of test launch routines for the THAAD (Terminal High Altitude Area Defence) ground to air missile defence system. The same disk also held information belonging to the system’s manufacturer, Lockheed Martin, including blueprints of facilities and personal data on workers, including social security numbers. [Source]

IN – Survey: 83% of Threats Due to Internal Security Breach

Despite the huge losses incurred by the Indian firms due to security threats, the IT security spending remains low in the country compared to the other fast growing economies. Companies in India log 83% of threats due to internal security breach, as per a study. “The procurement of IT security products in these companies was purely demand based and adherence to standards is abysmally low,” said Girish Trivedi, Deputy Director, ICT Practice, Frost & Sullivan, South Asia and Middle East. The findings based on a survey conducted by Frost & Sullivan at the South Asia Enterprise Security Summit 2009, also pinpoints that internal security breaches by employees constituted 43%. The former employees constituted 28% of breaches and partner/supplier (12%). Of the companies, 42% suffered financial losses, while 35% suffered intellectual property losses. In the survey, which was conducted on CIOs across industries, 85% of the respondents believed that Viruses, Worms and Trojan Horses were the major disquiet in today’s IT environment. [Source]

Surveillance

US – Miles Tax a Bad Idea that Would Invade Privacy of Everyone

Transportation Secretary Ray LaHood has proposed taxing drivers based on mileage, rather than gas consumption, to finance road maintenance. But White House Press Secretary Robert Gibbs has said such a tax “is not and will not be the policy of the Obama administration.” Even Sen. Barbara Boxer, D-Calif., worries about a “Big Brother system tracking your every move,” though she also has called the mileage tax a “brilliant idea.” The National Surface Transportation Financing Commission proposes raising gas taxes while transitioning to a mileage tax. It says the GPS devices “can and should be designed to fully protect ... privacy.” [Source]

Telecom / TV

CA – Canadian Do Not Call List Backfires

Six million Canadians are registered with the National Do Not Call List to avoid telemarketers -- but that list may now be in the hands of telemarketing agencies. Since the list was established last September, the CRTC has been receiving a monthly average of 20,000 registered complaints, says University of Ottawa law professor Michael Geist, based on information he collected through Access to Information. Even more surprising, the Canadian Radio-television Telecommunications Commission, the body that oversees the Do Not Call List, and Bell Canada, the company tasked with investigating public complaints, have yet to levy a single fine against a telemarketer for a violation. The list is severely flawed, says Geist. After poring over thousands of pages of documents, Geist said, to date, the CRTC’s disciplinary strategy has consisted of roughly 70 letters being issued to rogue telemarketers, suggesting they take ‘corrective action’ or face the possibility of a $15,000 fine if the violator is a corporation, or $1,500 if it is an individual telemarketer. [Source]

US – FTC Files Suit against Robocallers

The FTC filed lawsuits against three companies on allegations they made hundreds of millions of unsolicited calls to consumers, businesses and government agencies. Two Florida companies and the Chicago-based Network Foundations L.L.C. are accused of violating telemarketing laws and consumers’ privacy. The companies used robotic callers and a method called “spoofing,” which masks the true number of the outbound caller. They made “extraordinary efforts to hide their identities,” said FTC Chairman Jon Leibowitz during a news conference yesterday. In court papers, the FTC described the scheme as “an enterprise utterly permeated with fraud.” [Source]

US Government Programs

US – Justice Dept. Finds Many Flaws in F.B.I. Terror Watch List

The FBI has improperly kept nearly 24,000 people on a terrorist watch list based on outdated or sometimes irrelevant information, while it missed others with legitimate terror ties who should have been on the list, according to a Justice Department report released Wednesday. The report said the mistakes posed a risk to national security, because of the failure to flag actual suspected terrorists, as well as an unnecessary nuisance for non-suspects who may be questioned at a traffic stops or stopped from boarding an airplane. By the beginning of 2009, the report said, the government’s terrorist watch lists included about 400,000 people, listed as 1.1 million names and aliases, an exponential growth from the days before the attacks of Sept. 11, 2001, when it included fewer than two dozen people. [Source] [Report]

US Legislation

US – FTC Supports H.R. 2221 - Data Accountability bill

Testifying before members of the House Energy and Commerce Committee earlier this week, the FTC Acting Director of the Bureau of Consumer Protection expressed support for the Data Accountability and Trust Act. Eileen Harrington said: “A critical element of privacy is data security. If companies do not protect the sensitive consumer information that they collect and store, that information could fall into the wrong hands.” The bill includes requirements for data security policies and breach notification, and would let the commission collect civil penalties from violators. Harrington also shared details on the commission’s recent settlement with mortgage lender James B. Nutter & Company. [Source]

US – House Internet Privacy, Data Breach Bills Could Merge

Lawmakers will hold a joint hearing this summer to discuss possibly merging two privacy-related bills. House Energy and Commerce Communications Subcommittee Chairman Rick Boucher (D-VA) is working on a measure to address Internet providers’ collection, storage and use of customers’ data for targeted advertising purposes. Lawmakers heard from stakeholders on the topic at a hearing last month. Joe Barton (R-TX) and Cliff Stearns (R-FL) will co-sponsor the bill. House Energy and Commerce Consumer Protection Subcommittee Chairman Bobby Rush (D-IL) last week introduced the Data Accountability and Trust Act (H.R. 2221) to, in part, implement across-the-board data breach notification requirements that would pre-empt states’ differing mandates. [Source]

US – Bill to Bolster Prosecutions Raises Concern

An Illinois state Senator has proposed a bill to give prosecutors more access to medical records, reports mywebtimes.com. House Bill 1110 would allow prosecutors to subpoena medical records to confirm an HIV diagnosis, the report states. The bill aims to help prosecute cases of Criminal HIV Transmission, where an individual knowingly transmits the virus to another person without disclosing to that person that they have the virus. In Illinois, the AIDS Confidentiality Act prohibits the disclosure of HIV or AIDS records. Bill sponsor Sen. Mike Jacobs, (D-East Moline) says those who knowingly transmit HIV lose their right to privacy. [Source]

Workplace Privacy

WW – Survey: Companies Worried About Remote Access Data Breaches

Companies that provide remote access to their networks for workers represent the bulk of organizations - about 92%, according to a survey published recently by a British IT security firm. Although 82% of companies allow workers to carry company data on their laptops and mobile devices to work remotely, 44% of companies in the survey believe their networks are only “quite” secure, amid growing cybersecurity threats. The AEP Networks survey also found that firms are increasingly worried about the impacts of a data breach on their business: 29% believe this would cause major, long term damage. Asked about the likely impact of data loss on their organization, only 3% believed that jobs would be lost and the same number would expect no real impact at all. 61% of companies said they rely on virtual private network (VPN) security to provide adequate protection for their remote access needs, Donnellan said. About 69% of the 160 organizations surveyed said they plan to increase their investment in remote security over the next 12 months. [Source]

+++