Privacy News Highlights

23–31 May 2009

 

Contents:

US – DHS Begins Test of Biometric Exit Procedures at Two U.S. Airports

CA – Ann Cavoukian Gets Third Term as Ontario Privacy Commissioner

CA – Private-Sector Privacy Law Debated in Manitoba

CA – ICBC to Be Audited by BC Commissioner

CA – Info on 28K Union Members Missing

CA – Finding on Faxed Records Released

CA – Ontario Prosecutors Told to Stop Secret Checks on Jurors

UK – Council Uses Terror Law to Spy on Shirker in Shower

US – Eighteen Percent of Computers at Interior Missing or Lost

UK – Information Commissioner Sends Harsh Letter to NHS Over Data Breaches

WW – Report: 90% of eMail is Spam

UK – Patients Gain Right to Scrub E-Records from NHS database

EU – European Commission Suing Sweden for Failing to Implement Data Retention Law

AU – Net Filtering May Not be Mandatory in Australia

UK – NHS ‘Loses’ Thousands of Files

CA – 1,380 Health Test Results Over 10 Years Weren’t Delivered to Doctors

UK – Laptop Stolen From Car Holds UK Soldiers’ Data

AU – Stolen Credit Data Published in Blog

AU – ASIO Bugs 3000 Calls a Year

US – Aetna Contacts 65,000 After Web Site Data Breach

US – Missing Laptop Holds Pension Data

US – Identity Thieves Getting More Clever: ITRC Study

JP – Proposed Foreigner Identification Card Protested

CA – Police Can Share Records Even if Charge Dropped: Court

UK – Police Retention of Photos of Innocent Man Breached Right to Privacy, Says Court

WW – Scrubbed Geo-Location Data Not So Anonymous After All

KR – Criminal DNA Database as Soon as 2010

UK – Privacy Code of Practice Coming

US – Proposed Makeover for Privacy Act

US – Federal Chief Privacy Officer Urged; Board: Government Must Update Privacy Laws

US – Judge: Fraud Alert Service is Illegal

WW – Cloud Security Alliance, Jericho Forum Sign Pact

US – National Truck-Driver Drug Test Database Sparks Privacy Concerns

US – Obama to Create Cyber Czar in Awareness Effort

US – GAO Report Says Federal Agencies Still Have Security Control Deficiencies

 


Biometrics

 

US – DHS Begins Test of Biometric Exit Procedures at Two U.S. Airports

The U.S. Department of Homeland Security (DHS) began collecting biometrics—digital fingerprints—from non-U.S. citizens departing the U.S. as part of a pilot program at Atlanta and Detroit International Airports. Non-U.S. citizens leaving the United States from Detroit and Atlanta airports should expect to have their biometrics collected before boarding their flights. U.S. Customs and Border Protection (CBP) officers will collect biometrics at the boarding gate from non-U.S. citizens departing from Detroit; U.S. Transportation Security Administration (TSA) officers will collect biometrics at security checkpoints from non-U.S. citizens departing from Atlanta. These pilots are expected to continue through early July. US VISIT plans to begin implementing new biometric exit procedures based on these pilots for non-U.S. citizens departing the United States by air within the next year. Since 2004, the U.S. Department of State (DOS) and U.S. Customs and Border Protection (CBP) have collected biometrics from most non-U.S. citizens between the ages of 14 and 79, with some exceptions, when they apply for visas or arrive at U.S. ports of entry. US VISIT has simultaneously worked to create a congressionally mandated automated biometric exit capability, which these pilots will test. US VISIT, in collaboration with CBP and TSA, leads testing and deployment efforts for biometric exit procedures, collects biometrics from international travelers applying for visas and entering the United States, and provides biometric identification services to federal, state and local agencies. [Source]

 

Canada

 

CA – Ann Cavoukian Gets Third Term as Ontario Privacy Commissioner

Ann Cavoukian has been appointed to a third term as Ontario’s privacy czar. Cavoukian was reappointed as the province’s information and privacy commissioner by the Ontario legislature this week. She will continue to serve in the position that she has held since 1997. The commissioner said she will use her third term to continue to find ways of using technology to protect personal privacy, rather than encroach upon it. [Source] [News Release]

 

CA – Private-Sector Privacy Law Debated in Manitoba

The Manitoba Legislature is currently debating Bill 219 – The Personal Information Protection and Identity Theft Protection Act. The Bill has been introduced as a private member’s Bill by Mavis Taillieu of the Opposition Progressive Conservative Party of Manitoba. It seeks to regulate the collection, use and disclosure of personal information by organizations in the private sector and is intended to be “substantially similar” to the federal PIPEDA. It would also establish a duty for organizations to notify individuals who may be affected when the personal information an organization has collected is lost, stolen or compromised. The Government of Manitoba has indicated that it has two primary concerns with the Bill. The first concern is that the Bill lacks an independent oversight body such as a Privacy Commissioner of Manitoba. The second concern raised by the government is that the Bill would introduce legislation in Manitoba that (according to the government) would regulate activities in the private sector already governed by PIPEDA. [Source]

 

CA – ICBC to Be Audited by BC Commissioner

B.C. Privacy Commissioner David Loukidelis will audit the Insurance Corp. of B.C. (ICBC) at the company’s request. The Crown corp last week admitted that ICBC defence attorneys obtained from an ICBC employee the claim histories of jurors appointed to at least three court cases. ICBC has since pulled back work with the attorneys involved and is continuing its internal investigation into the matter. The report states that ICBC will implement any post-audit recommendations from the privacy commissioner to prevent similar incidents in the future. [Source] [Two more ICBC jury breaches are found]

 

CA – Info on 28K Union Members Missing

Alberta’s Information and Privacy Commissioner is looking into the theft of a laptop computer containing sensitive information on tens of thousands of Albertan union members. The laptop belonged to a United Food and Commercial Workers (UFCW) union employee and was taken from a UFCW office in New York in March. It contained the social insurance numbers and e-mail addresses of 28,000 Albertan UFCW members. A union official said the information was encrypted and that “The chance of any information getting out is slim to none.” [Source]

 

CA – Finding on Faxed Records Released

The Information and Privacy Commissioner of Alberta this week released the closing report on an investigation into the improper release of confidential medical information. The commission investigated Caritas Health Group after Edmonton’s Misericordia Hospital faxed a patient’s medical records to the wrong recipient. The records included details on the adoptive parents and birth mother of a child who had received medical treatment at Misericordia. The commission found that Caritas “failed to meet the requirements of section 60(1)(c)(ii) of the Health Information Act” and failed to “take reasonable steps to protect health information” against unauthorized disclosure. The commission offered several recommendations. [Source]

 

CA – Ontario Prosecutors Told to Stop Secret Checks on Jurors

Prosecutors should not be doing secret background checks on potential jurors because the practice risks violating privacy rights and the impartiality of juries, Attorney General Chris Bentley says. “The only checks that should be conducted are those with respect to criminal records,” he told reporters after news reports prosecutors in Barrie are getting police to check up on jurors without their permission – including probes into their mental health histories. A directive went out from Bentley’s office to Crown offices emphasizing that no juror background checks should be requested beyond a criminal check. Bentley would not comment on what should happen in cases where inappropriate background checks are ordered: “We’ll take a look at that in individual instances.” But he did tell reporters he is consulting with the province’s information and privacy commissioner to “ensure the privacy rights of all Ontarians.” [Source]

 

E-Government

 

UK – Council Uses Terror Law to Spy on Shirker in Shower

A local UK council has used surveillance powers designed to catch terrorists and prevent serious crime to check how long a member of staff spent in the shower. Burnley borough council invoked laws set up to safeguard national security to mount a covert operation against one of its own officials because it suspected he was using a gym during office hours. Internal council papers, obtained under the Freedom of Information Act, revealed that the council decided to mount a “direct surveillance” operation against the official. Its purpose was “to see if [the] council employee is using gym/showers whilst clocked in”. The surveillance was authorised for three months, after which the council concluded the employee had carried out “personal activities” while at work and had defrauded the council. The operation required authorisation from senior council officials under the Regulation of Investigatory Powers Act (RIPA). The act, introduced in 2000, was said by government ministers to be necessary to combat terrorism. Critics warned that its wide powers could easily be abused. But the snooping operation was condemned by the Conservatives and critics as a ridiculous misuse of powers. The government is to review RIPA, including its use by local authorities. [Source]

 

US – Eighteen Percent of Computers at Interior Missing or Lost

According to a report from the US Department of the Interior’s inspector general (IG), the Department cannot account for the whereabouts of 18% of its computers. The vast majority of the missing computers, 450 out of a sample of 2,500, belonged to the Fish and Wildlife Service. Just two of the department’s eight bureaus have kept good records of their computer inventories, according to the report, and disposal procedures for machines vary from bureau to bureau. In addition, the majority of the department’s PCs are not encrypted. [Source]

 

UK – Information Commissioner Sends Harsh Letter to NHS Over Data Breaches

The UK Information Commissioner (ICO) has sent a letter to the National Health Service directing the organization to tighten patient information security controls in the wake of numerous data security breaches. In the last four months alone, 140 data security breaches were reported at NHS. The ICO plans to monitor NHS’s security practices with checks at various hospitals. There have also been reports circulating that NHS will allow patients to request that their medical records be deleted from the Summary Care Records (SCR) system, a national medical database. The rumors appear to be accurate, with the exception of records that have already been accessed for patient treatment; for legal reasons, those records will be archived rather than deleted. [Source] [Source] [Source] [Source] [Source]

 

E-Mail

 

WW – Report: 90% of eMail is Spam

According to a report from Symantec, nine out of every 10 emails sent over the Internet last month were spam messages. The findings mark a 5.1% increase over last month’s figures. Most of the spam comes from social networking site profiles that were likely created with automated CAPTCHA (completely automated public Turing test to tell computers and humans apart) readers. Because the headers were not spoofed, filters were unable to detect them as spam. The report also indicates that spammers are most active during US business hours, suggesting that either most are based in the US or that spammers have found those hours to prove most fruitful. [Source] [Source]

 

Electronic Records

 

UK – Patients Gain Right to Scrub E-Records from NHS database

NHS patients will be given the ability to scrub electronic records of their treatments and medical conditions from a proposed national medical database. The concession to patient privacy and data protection follows negotiations between health service officials and data protection watchdogs at the Information Commissioner’s Office (ICO). Patients - who already had the right to opt out of the scheme - now have the right to have their medical records deleted instead of simply masked once they are put onto the system. [Source] [Source]

 

EU Developments

 

EU – European Commission Suing Sweden for Failing to Implement Data Retention Law

The European Commission is suing Sweden for failing to implement data retention legislation. The European Union’s (EU’s) Data Retention Directive passed in March 2006; it requires member states to implement data retention laws by March 2009. The Swedish government plans to introduce the legislation in the next few months. Sweden has had to comply with the Intellectual Property Rights Enforcement Directive (IPRED), which requires telecommunications providers to surrender data in certain legal cases, since April of this year. Some Internet service providers (ISPs) have made an end-run around the requirement by deleting user data regularly; data retention legislation would make it illegal to delete the data too soon. There are some who say that the provisions of the legislation would be at odds with the European Convention on Human Rights. [Source] [Source] [Source]

 

Filtering

 

AU – Net Filtering May Not be Mandatory in Australia

The Australian Government has indicated that it may back away from its mandatory Internet filtering plan. Communications Minister Stephen Conroy today told a Senate estimates committee that the filtering scheme could be implemented by a voluntary industry code. That statement is a departure from the Internet filtering policy Labor took into the October 2007 election to make it mandatory for ISPs to block offensive and illegal content. [Australian IT]

 

Health / Medical

 

UK – NHS ‘Loses’ Thousands of Files

The personal medical records of tens of thousands of people have been lost by the NHS in a series of grave data security leaks. Between January and April this year 140 security breaches were reported within the NHS – more than the total number from inside central Government and all local authorities combined. The sacred principle of doctor-patient confidentiality is being compromised, Richard Thomas, the Information Commissioner, has warned. Britain’s information watchdog has ordered an urgent overhaul of data security in the health service. Some computers containing medical records have been left by skips and stolen. Others were left on encrypted discs – but the passwords allowing access were taped to the side. [Source]

 

CA – 1,380 Health Test Results Over 10 Years Weren’t Delivered to Doctors

Saskatoon Health Region administrators are scrambling to determine if patients have been put at risk because of a computer error that has persisted for 10 years. On May 6, a physician called the health region’s medical imaging department wondering why a patient’s test results had not been faxed to his office. That triggered an internal review of all the X-rays, CT and MRI scans, ultrasounds as well as other medical imaging tests performed in Royal University, Saskatoon City, and St. Paul’s hospitals. Of the 2.2 million medical imaging tests that have been performed since the department’s reporting system was computerized ten years ago, 1,380 medical reports faxed to doctors’ offices never arrived. The health region will telephone each of the 1,380 patients and their doctors. [Source]

 

Horror Stories

 

UK – Laptop Stolen From Car Holds UK Soldiers’ Data

A laptop computer stolen from a parked car near Edinburgh holds personally identifiable information of thousands of soldiers. The computer was left in the vehicle overnight late last month by a Ministry of Defence employee. The computer had been missing until a woman who found it discovered the confidential data on it and turned it in to authorities. Military police and detectives from the police force’s Crime Investigation Department (CID) are investigating the incident. [Source]

 

AU – Stolen Credit Data Published in Blog

Victorian police are investigating a massive identity fraud involving the personal details of thousands of Australians that have been available on a blog site for more than a month. The data includes thousands of Visa, Mastercard, and American Express numbers, including expiry dates, together with home addresses, phone numbers, and email addresses. [Australian IT]

 

AU – ASIO Bugs 3000 Calls a Year

Australian authorities, including the spy agency ASIO, are bugging the telephones of Australian citizens at a rate of more than 20 times their US counterparts. Figures cited in a federal parliamentary estimates hearing this week revealed that about 3000 Australians had their phone calls intercepted every year. [Australian IT]

 

US – Aetna Contacts 65,000 After Web Site Data Breach

Insurance company Aetna has contacted 65,000 current and former employees whose Social Security numbers (SSNs) may have been compromised in a Web site data breach. The job application Web site also held names, phone numbers, e-mail and mailing addresses for up to 450,000 applicants, Aetna spokeswoman Cynthia Michener said. SSNs for those people were not stored on the site, which was maintained by an external vendor. The company found out about the breach earlier this month when people began receiving spam messages that appeared to come from Aetna and complained to the company, Michener said. The spam purported to be a response to a job inquiry and requested more personal information. [Source]

 

US – Missing Laptop Holds Pension Data

A laptop computer stolen from an office of NorthgateArinso, the company that provides the Pension Trust’s computerized administration system, contains personally identifiable information of 109,000 Pension Trust members. The compromised data include names, salary information and bank account details; the data are not encrypted. [Source] [Source]

 

Identity Issues

 

US – Identity Thieves Getting More Clever: ITRC Study

The Identity Theft Resource Center (ITRC) has released its annual study, revealing that, in 2008, identity thieves and consumers were smarter about identity theft. In Identity Theft: The Aftermath 2008, the ITRC found that the public is more aware of the potential for identity theft, which has led to more people discovering fraud through the monitoring of credit card and bank statements. The report also found that identity thieves have become more clever and effective in their efforts. “If a thief wants to get [our information], he will find a way to get it,” said ITRC co-founder Linda Foley. [Source] [ITRC Press Release] [Report]

 

JP – Proposed Foreigner Identification Card Protested

More than 200 people rallied in Tokyo’s Shinbashi district to protest government-sponsored immigration bills they claim would violate the privacy of foreign residents and strengthen government control over them. The protesters say the proposed system would allow the government to punish non-Japanese who fail to properly report their personal information, and could even make it possible for immigration authorities to arbitrarily revoke their visas. Under the bills as they are currently written, a new “zairyu” (residence) card would replace the current alien registration card. Foreigners would be obliged to carry the new card at all times, just as with the current card. Failure to do so could result in a maximum fine of ¥200,000, the same as the current regulation. Non-Japanese would also be required to report to the government in 14 days if they change employer or address. Otherwise they could lose their visas if they don’t report in 90 days. [Source]

 

Law Enforcement

 

CA – Police Can Share Records Even if Charge Dropped: Court

An individual falsely accused of a crime does not have the right to stop police from keeping permanent records of the information and sharing it with other agencies, the Ontario Court of Appeal has ruled. An individual’s “right to liberty does not include the right to censor accurate information lawfully held,” the appeal court concluded in a 3-0 ruling. More than 30% of cases in the country are dropped without any criminal conviction, according to Statistics Canada. In Ontario, it’s closer to 40% that are stayed or withdrawn. The Court of Appeal ruling means records of these charges and allegations can remain on police databases, and may end up being disclosed in situations where individuals are required to undergo background checks for employment or volunteer work. Employers and agencies are entitled to “all potentially relevant information,” said the appeal court, in ruling against a 57-year-old Toronto-area social worker who used to operate a group home. “In a case where withdrawn charges which were false are disclosed, the potential employee has the ability to explain the circumstances to the proposed employer,” the three-judge panel suggested. While the ruling appears correct in its interpretation of the law, the result may be unfair for some people wrongfully accused of a crime, suggested David Fraser, a Halifax lawyer who specializes in privacy matters. “In the minds of most people, if you are charged, you are presumed guilty. While the information on the databases is factually correct, there is no context. In many cases, people may not be given a chance to explain,” said Fraser. The decision overturned a Superior Court ruling in 2007 that found Peel Regional Police violated the rights of the man when it turned over records to Toronto police. The appeal court noted that the man “set in motion” the disclosure of information when he agreed to the background check. 
The appeal court rejected arguments that the process violated his right to liberty and security under the Charter of Rights. “Disclosure by one police service to another of information obtained by the public prosecution of an individual does not fall within this concept of liberty,” it said. [Source]

 

UK – Police Retention of Photos of Innocent Man Breached Right to Privacy, Says Court

Police should not have kept photos taken of an arms trade protester, the Court of Appeal has ruled. The retention of the photos long after the peaceful protest was a breach of the man’s right to privacy, the Court ruled. The Court said that London’s Metropolitan Police were justified in taking photographs of Andrew Wood as he left the annual general meeting (AGM) of Reed-Elsevier plc, owner of Spearhead Exhibitions, which puts on arms trade fairs. But two of the three Court of Appeal judges said that though the taking of the photos was legitimate, they should have been deleted as soon as it became apparent that no crime had taken place at the meeting. [Source]

 

Location

 

WW – Scrubbed Geo-Location Data Not So Anonymous After All

Researchers at the Palo Alto Research Center (PARC) have found that anonymized data from GPS-enabled devices could, in fact, identify individuals. Researchers Philippe Golle and Kurt Partridge said that knowing someone’s general home and work locations can render the anonymization process null. “Obfuscation techniques which prevent re-identification based on (approximate) home location alone may not be adequate if the subject’s (approximate) work location is also known,” the researchers write. “In fact, we show that home and work locations, even at a coarse resolution, are often sufficient to uniquely identify a person.” [Source]

 

Offshore

 

KR – Criminal DNA Database as Soon as 2010

Korean police could collect the DNA samples of convicted felons from as early as next year. The Ministry of Justice said that it will push through a bill on the collection and management of the genetic information of convicted criminals and suspects in 11 crime categories. It will soon send the bill to the National Assembly for approval. Among the crime categories subject to the monitoring of DNA are murder, robbery, rape, arson, drug use and sexual crimes against minors. [Source]

 

Other Jurisdictions

 

UK – Privacy Code of Practice Coming

The Information Commissioner’s Office (ICO) will next year publish a data protection code of practice for Web companies. The aim is to get companies building privacy into their products and practices from the start, rather than tacking it on after the fact. “Systems have lagged behind in data protection,” said Assistant Information Commissioner Jonathon Bamford at a conference last week. “It’s better to build in rather than bolt on protection.” The ICO expects the code will drive up compliance by giving companies good practices to adopt. The office will launch a public consultation late this year. [Source]

 

Privacy (US)

 

US – Proposed Makeover for Privacy Act

The National Institute of Standards and Technology’s Information Security and Privacy Advisory Board (ISPAB) sent recommendations for better protecting citizens’ private data to the Office of Management and Budget. Among other suggestions, the ISPAB called for a Privacy Act overhaul. The Privacy Act is “really out of touch with the way modern computers work,” said panelist and privacy expert Peter Swire, CIPP. A U.S. Senate staffer said lawmakers want to rewrite the Act soon. The ISPAB also proposed installing chief privacy officers at major U.S. agencies and creating a federal Web site--privacy.gov--for privacy notices. The Center for Democracy and Technology yesterday posted a draft Privacy Act revision for consideration and comment. [Source] [Source] [CDT Privacy Act Wiki]

 

US – Federal Chief Privacy Officer Urged; Board: Government Must Update Privacy Laws

A government advisory panel recommends the creation of a federal chief privacy officer within the White House Office of Management and Budget as well as changes to the 35-year-old Privacy Act to reflect the impact of new technology on privacy. The report from the Information Security and Privacy Advisory Board, entitled Toward A 21st Century Framework for Federal Government Privacy Policy, also calls on the government to hire chief privacy officers for most major agencies and to create a government-wide federal Chief Privacy Officers’ Council. Among the advisory board’s recommendations:

· Amend the Privacy and E-Government Acts to improve government privacy notices; revise the definition of systems of records based on how the government uses, not holds, records; and cover commercial data sources.

· Government leadership on privacy must be improved by OMB hiring a chief privacy officer who is provided with proper resources; regularly updating OMB’s Privacy Act guidelines; hiring chief privacy officers at all agencies with chief financial officers; and creating a CPO Council.

· OMB should update its cookie policy. The current policies depend on bureaucratic speed bumps to protect user privacy. Instead of banning the use of cookies, the government should be requiring a clear opt-in consent process for the use of cookies.

· Hold agencies accountable on minimizing the use of Social Security numbers.

· OMB should work with US-CERT to create interagency information on data loss. Security and privacy personnel need more information from US-CERT about the incidents that other agencies report. Agencies are contributing information and could learn a great deal about the types of incidents to look out for; the quality of their own reporting; and other best practices. [Source]

 

US – Judge: Fraud Alert Service is Illegal

A federal judge last week decided that LifeLock’s fraud monitoring practices violate California law. The identity-theft protection company was sued last year by one of the nation’s three credit reporting bureaus for violating California’s Unfair Competition Law. For a fee, LifeLock places fraud alerts on consumers’ credit reports on their behalf. U.S. District Judge Andrew Guilford determined that the lawmakers writing the 2003 Fair and Accurate Credit Transactions Act (FACTA), which gave consumers the right to place free fraud alerts on their credit reports, did not intend for “companies and entities such as credit repair clinics,” to be able to place the alerts. [Source]

 

Security

 

WW – Cloud Security Alliance, Jericho Forum Sign Pact

The Jericho Forum and the Cloud Security Alliance have made a formal commitment to jointly develop and promote best security practices in cloud computing. Their first step together will be working on version two of CSA’s major document “Security Guidance for Critical Areas of Focus in Cloud Computing.” The paper sets down 15 areas of concern that should be addressed by best practices in order to secure data in the cloud. CSA and Jericho Forum say they hope version two will be ready at the end of October. Participation in the work is not limited to group members. One goal of the version two work will be to incorporate Jericho Forum’s “cloud cube” model of security and risk assessment in the CSA document, says Jim Reavis, the executive director of CSA. Jericho Forum and CSA have signed a memo of understanding with the broad goal of working together, but it otherwise has few specifics, he says. Jericho Forum is made up mostly of European IT executives, while CSA has a larger membership and includes more vendors. [Source]

 

Surveillance

 

US – National Truck-Driver Drug Test Database Sparks Privacy Concerns

Two of the nation’s largest trucking organizations are at odds over legislation establishing a national database for commercial driver drug and alcohol test results. The Safe Roads Act, introduced in the U.S. Senate May 20, would authorize $5 million annually to establish and run a database requiring medical review officers and employers to report positive results from drug or alcohol tests to the Federal Motor Carrier Safety Administration. The legislation would require that employers check the database prior to hiring drivers. The American Trucking Associations, which has pushed for a national clearinghouse for drug and alcohol testing for 10 years, said the legislation closes a loophole exploited by substance abusers in federal drug and alcohol testing requirements. Despite language in the bill providing for privacy protections, the Owner-Operator Independent Driver Association, which represents individual drivers, says the legislation doesn’t go far enough to protect driver privacy rights. [Source]

 

US Government Programs

 

US – Obama to Create Cyber Czar in Awareness Effort

The Obama administration is creating a “cyber czar” within the White House to coordinate the nation’s computer security. Critics already say the post will not have enough authority to haul the government into the digital age. Government and private industry need to better protect the nation’s computer networks, the White House warns in a plan to be rolled out today as the administration sets broad goals for dealing with cyber threats. [Washington Post] [NYT] [White House blog] [Obama Speech]

 

US – GAO Report Says Federal Agencies Still Have Security Control Deficiencies

According to a report from the US Government Accountability Office (GAO), all but one of the 24 major government agencies have weak data access control in their information security programs. The report examines how the agencies are adopting regulations specified in the Federal Information Security Management Act (FISMA). [Source] [GAO Report]

 

 
