Privacy News Highlights

28 October—10 November 2005

Contents:

EU – More Discussion Needed on Biometrics, Say EU Data Protection Commissioners

NB – New Brunswick Minister Resigns After Violating Province’s Privacy Laws

CA – Pagers Will Track Viewing, Listening Habits of Canadians

WW – A New Place for Spam’s Same Old Pitches

US – Survey: Preservation and Retention of E-Mail and Electronic Records

US – NASCIO Releases Findings from IT Project Management Assessment

EU – Electronic Identity Being Consciously Promoted in Europe

EU – Scotland Opts for National Electronic Health Records

WW – Technology Announced for Tracing Illegal TV Recordings

US – Study: Americans Bank Less Online Because of ID Theft Worries

US – Bank of America Gives Two-factor Authentication to Millions of Customers

NF – Information Commissioner Blasts Gov’t for ‘Clear Violation’ of Open-Records Laws

US – EPIC, Patient Privacy Rights Launch Effort to Protect Medical Records

US – U.S. Commission Recommends National Patient Authentication System

US – Operation Dumpster: Patient Privacy Is Thrown to the Curb

US – ChoicePoint Notifies Another 17,000 Consumers on Possible Breach

US – Data on 3,000 Consumers Stolen With Computer

US – ID Thieves Prey on Financial Aid

US – Pizza Chain Caught Without Fully Baked Security

CA – Survey: Majority of Canadians Confident They Will Not Fall Prey to Identity Thieves

UK – Government “in Denial” About True ID Card Costs

UK – ID Cards: A Trade Association Starts Up, Focussed on Personal Digital Identities

UK – British Man Gets 4 Years in Jail for eBay Phishing Scam

US – Consumers Readily Surrender Personal Details in Bogus Survey

US – FBI Launches New Consumer Education Web Site

JP – Privacy Concerns Spur Census Change

JP – Japan’s New Privacy Law Disappoints Consumers

CA – Canadian Teens Like to Hide Identity on Net, Study Finds

WW – Microsoft to Bundle Anti-Spyware App with Windows

CA – Investigation Sought Into Alleged Spyware Use by Canadian Company

WW – 2005 Privacy Survey is Underway at NCSU

AU – Telstra ‘Worst Privacy Invader’

US – Ontario Privacy Commissioner Wins HP/IAPP Privacy Award

US – ACLU Challenges USA PATRIOT ACT

US – Microsoft Calls on Congress to Enact New Federal Privacy Law

US – New Passports Still to Have RFID

WW – IBM Unveils New Scratch-Off RFID Tags to Give Consumers Privacy Controls

WW – Rebuttal to SPYCHIPS Book

US – Report: Government Has Major Role in RFID Development

CA – Bell Canada Announces RFID Pilot Program

US – Retailers Expect RFID Technology To Help Boost Holiday Sales

US – California Bill Would Place Moratorium On The Use Of RFID In Identification Cards

US – New York County Considers Mandating Secure WiFi Connections

US – US Homeland Security Issues Cyber Security Plan

EU – Germany Unveils New e-Passports

EU – Norway, Sweden Push Ahead with Biometric Passports

US – How Many Security Cameras are Trained on New Yorkers?

US – Privacy Critics Assail TSA’s Registered Traveler Program

US – EPIC Testifies on Registered Traveler

US – Lawmakers Split on Data Protection Bill

US – 47 Attorneys General Urge Congress to Protect Data Security

 


EU – More Discussion Needed on Biometrics, Say EU Data Protection Commissioners

According to the Article 29 Data Protection Working Party, the implementation of biometric features in passports, other travel documents and ID cards raises many ethical, legal and technical questions. In a recent Opinion, the Working Party warned against the potential risks of prematurely introducing biometric identifiers and stressed that an exhaustive discussion in society is needed before implementing biometric features in passports, other travel documents or ID cards. The Opinion calls for highly protective standards to be used as a safeguard against the privacy risks raised by the use of biometric technologies. Among other things, the EU data protection Commissioners stated that:

  • Effective safeguards have to be implemented at an early stage in order to limit the risks inherent to the nature of biometrics.

  • The strict distinction between biometric data collected and stored for public purposes (e.g. border control) on the basis of legal obligations on the one hand and those collected and stored for contractual purposes on the basis of consent on the other hand must be guaranteed.

  • The use of biometrics in passports and identity cards has to be technically restricted for verification purposes comparing the data in the document with the data provided by the holder when presenting the document.

  • Only competent authorities should be able to access the data stored in the chip. In order to guarantee this, Member States should set up a register of competent authorities.

Considering that the ethical risks raised by biometric technologies are particularly important, the data commissioners believe that it is important to wait for the results of project BITE (Biometric Identification Technology Ethics). [Source]

 

NB – New Brunswick Minister Resigns After Violating Province’s Privacy Laws

For the second time this year, a Lord cabinet minister has stepped down after revealing private, privileged information about an individual. Family and Community Services Minister Tony Huntjens resigned this week after published comments in Saturday’s Telegraph-Journal. The resignation involves a taped interview with the newspaper in which Huntjens revealed the identity of a man under his department’s care who had been sent to a mental health facility in Maine. In July, Environment and Local Government Minister Brenda Fowlie resigned after she revealed personal details about an official. [Source]

 

CA – Pagers Will Track Viewing, Listening Habits of Canadians

Pager-like devices likely will be used in four or five years to help radio and television stations determine the listening and viewing habits of Canadians. The goal is to capture accurate data to change the ratings system in Canada. In Quebec, more than 90% of Montrealers who were asked to carry the devices agreed. [Source]

 

WW – A New Place for Spam’s Same Old Pitches

Now that Web logs -- blogs, for short -- are a popular online pastime for millions of people, scammers are finding new ways to exploit them as vehicles for junk advertisements. The Internet has even coined a term – splog, a combination of spam and blog – for a phenomenon that follows in the footsteps of rogue advertising such as spam e-mail, junk mail, junk faxes and adware. The new forms of spam can show up on blogs as fake comments posted by readers that actually have nothing to do with the subject at hand. Instead they are advertising pitches or attempts to get you to click on an unrelated Web site. [Source]

 

US – Survey: Preservation and Retention of E-Mail and Electronic Records

Despite increased pressure from regulators and courts, nearly half of American organizations still haven’t adopted records retention policies for e-mail and other electronic documents, according to a new survey. In the survey of 2,100 records and information managers, 49% of companies and government agencies have not adopted a records retention policy for e-mail. Over half (53%) do not include electronic records in their legal hold orders associated with regulatory inquiries and litigation – leaving open the possibility that records critical to a legal matter could be destroyed. And, more than two-thirds (68%) don’t have a plan in place to preserve electronic records that need to be migrated, to ensure the accessibility of the information over time. The survey and associated white paper, “2005 Electronic Records Management Survey - A Renewed Call to Action”, was co-sponsored by the two leading professional associations serving the records and information management profession, AIIM - the Enterprise Content Management Association and ARMA International. “The majority of organizations surveyed are not prepared to meet many of their current or future compliance, legal, and governance responsibilities, because of the deficiencies in the way they currently manage their electronic records.” [Source]

 

US – NASCIO Releases Findings from IT Project Management Assessment

Findings from the National Association of State Chief Information Officers’ (NASCIO) 2005 survey of state information technology (IT) project management practices have been released. Several core themes emerge as recommendations for success of state IT initiatives:

  • There is value in adopting an enterprise approach toward IT investments.

  • Given the complexity of implementing IT projects both within and across agencies, clarifying the governance structure during the initiation phase of the project is essential.

  • Organizational change management must be viewed as an integral component of project management.

  • Enterprise portfolio management can facilitate the alignment of statewide IT investments with a state’s goals and objectives and enterprise architecture.

  • Actively supporting career advancement for project managers within the state through project management training and certification programs enhances continuous improvement.

The report is available from NASCIO’s new IT project management webpage. [Source]

 

EU – Electronic Identity Being Consciously Promoted in Europe

Almost 60 representatives from 14 European countries, India, Japan, the USA, the European Commission, and the United Nations met in Brussels, Belgium on 13-14 October 2005 to discuss interoperable European electronic identity and electronic services and development projects in the participating countries. Biometrics and their use in electronic identity cards were also highly visible. In addition, EU projects, standardisation, interoperability issues and development work on the European Citizen Card were discussed. [Source]

 

EU – Scotland Opts for National Electronic Health Records

The Scottish Executive has announced that it is to follow the recommendations of the Kerr Report and implement a national system of electronic health records, together with telecare throughout the country. The Executive’s plan for modernising NHS Scotland, entitled ‘Delivering for Health’, details the implementation of a national IT system, including electronic patient records, and is a response to May’s Kerr report, which was carried out by a team led by Professor David Kerr, Head of Review of NHS Scotland. [Source]

 

WW – Technology Announced for Tracing Illegal TV Recordings

Invisible marks that can be used to trace illegal copies of television shows and movies will be embedded in programs available on demand across the country using technology from Widevine Technologies. Widevine, based in Seattle, said its invisible digital markers would be embedded in programs distributed to cable companies. [Source]

 

US – Study: Americans Bank Less Online Because of ID Theft Worries

A study by Internet security company Entrust Inc. found that 18% of banking customers are banking less online or not at all because of identity theft. The survey indicated that 94% of the respondents said they would be willing to endure added security features. At a recent ID theft forum in New York, experts acknowledged the frustrating fact that consumers could still be victimized by identity thieves despite taking steps to prevent the theft of their personal information. [Source] [Source]

 

US – Bank of America Gives Two-factor Authentication to Millions of Customers

Bank of America is to provide two-factor authentication technology to 14.5 million customers in a bid to cut identity theft. The online software, made by PassMark Security, is currently an optional service to customers in 20 states but will become compulsory in the future, the bank said. To use the service, which is to be rolled out in all states in the country next year, customers must pick an image, write a phrase and select three challenge questions. [Source]

 

NF – Information Commissioner Blasts Gov’t for ‘Clear Violation’ of Open-Records Laws

The Williams administration has fought for eight months against the release of 50 pages of documents containing information it has already posted publicly on its website, according to a withering report by the province’s open-records czar. The province had classified the information as secret cabinet advice exempt from release under access-to-information laws. “I find it quite puzzling that information that had been released to the media and is currently available on the Internet is now being withheld as an exception to access,” information commissioner Phil Wall wrote in a stinging 36-page report. [Source]

 

US – EPIC, Patient Privacy Rights Launch Effort to Protect Medical Records

On October 26 EPIC joined with Patient Privacy Rights, a national consumer organization, in an effort to establish stronger protections in the United States for patients’ medical information. According to the groups, Congress is rushing to pass legislation to establish a national Health Information Network without patient privacy protections, yet recent surveys show that Americans consider the privacy of medical records to be a major concern. As part of the effort to protect patients’ privacy rights, the groups are circulating an online petition calling for strong medical privacy safeguards. The petition states simply:

  • I want to decide who can see and use my medical records
  • I do not want my medical records or those of my family’s to be seen or used by my employer
  • I should never be forced to give up my right to privacy in order to get medical treatment.

[“I Want My Medical Privacy!” petition] [Patient Privacy Rights site]

 

US – U.S. Commission Recommends National Patient Authentication System

The Commission on Systemic Interoperability has called for a Social Security-type of identification system to allow doctors to quickly access data on patients. The commission, which was established by the Medicare Modernization Act of 2003, believes the authentication system will lead to faster adoption of an electronic health records (EHR) system. The commission also proposed in its report to Congress that financial incentives be created as a way to persuade healthcare providers to adopt EHR. [Source]

 

US – Operation Dumpster: Patient Privacy Is Thrown to the Curb

A check of Dumpsters near Michigan doctors’ offices found an alarming number of discarded medical records containing personal information that is supposed to be private under HIPAA laws. Results of the investigation were disturbing to the Department of Community Health as well as the Attorney General’s Office, which warned that sloppy disposal can easily subject patients to identity theft. The physicians’ offices responsible for disposing of the records without shredding them promised to commit additional training and resources to protecting patient privacy. [Source]

 

US – ChoicePoint Notifies Another 17,000 Consumers on Possible Breach

ChoicePoint said this week in a regulatory filing that it has sent out another 17,000 notices to people telling them they may be victims of fraud. The Alpharetta-based company had said in February, after announcing the breach, that it had notified roughly 145,000 consumers that they may have had their personal information improperly accessed. That number has now increased to 162,000, ChoicePoint said in its quarterly report to the Securities and Exchange Commission. The filing did not detail reasons for the increase, though the company had previously said the number could ultimately be higher. ChoicePoint said Tuesday its review of the data breach is ongoing and there could be further notices sent out. [Source]

 

US – Data on 3,000 Consumers Stolen With Computer

Social Security numbers and other information about more than 3,000 consumers were stolen recently from TransUnion LLC, one of three U.S. companies that maintain credit histories on individuals, in the latest of many security breaches that have focused congressional attention on identity theft and fraud. The data were housed in a desktop computer that was stolen last month from a regional sales office in California, TransUnion said. On Oct. 21, the company sent 3,623 notices to consumers alerting them to the breach and offering free monitoring of their credit reports for a year. [Source]

 

US – ID Thieves Prey on Financial Aid

According to the Wall Street Journal, identity thieves have found a new target for fraud: the government. Identity thieves are posing as students in order to collect federal student financial aid. One thief profiled by the Journal assumed 43 identities and stole $316,000 in federal aid. The thief committed the crime by purchasing a list of names of prison inmates, and using their personal information for fraud. [Source]

 

US – Pizza Chain Caught Without Fully Baked Security

Papa John’s has beefed up security for its Web-based e-mail system after the pizza chain learned that internal e-mail and customer data had been exposed. The leak at the Louisville, Ky.-based pizza chain made internal corporate e-mail and thousands of customer comments available to anyone with a Web browser. The customer comments were submitted between Sept. 29 and Nov. 7 and included names, addresses, phone numbers and e-mail addresses of customers. “It looks like there is no password protection on Papa John’s internal Web e-mail system,” said Richard Smith, an Internet privacy expert, “This sort of Web site privacy leak happens more than it should.” [Source]

 

CA – Survey: Majority of Canadians Confident They Will Not Fall Prey to Identity Thieves

Identity theft has risen markedly in recent years, yet Canadians seem unfazed by the threat. Consumers, banks, credit card firms and other businesses lose more than $2.5 billion in Canadian funds every year because of identity theft. TransUnion released a survey this week that indicates that 70% of the respondents believe it is “somewhat” or “very” unlikely that they will be victimized. A Canadian anti-fraud hotline shows that identity theft complaints increased 63% between 2002 and 2003. [Source]

 

UK – Government “in Denial” About True ID Card Costs

The UK government’s ID card plans have again come under fire after the London School of Economics (LSE) revealed the cost of the scheme could now rise to almost £30bn. The LSE had initially claimed the ID card scheme would cost taxpayers up to £19bn – despite the Home Office maintaining the cost will be just £5.8bn over 10 years. But in an as-yet-unpublished report the LSE is now claiming that could rocket by another £5bn to £10bn because of the cost of updating all government department IT systems in order to make them work with ID cards. [Source] [UK Gov’t Reply] [KPMG Report: 10-year Lifespan of ID Cards “Unrealistic”]

 

UK – ID Cards: A Trade Association Starts Up, Focussed on Personal Digital Identities

Growing consumer concerns over the management and control of personal data and identity have galvanised a group of identity, customer management and privacy experts to establish an independent industry association, called the Personal Digital Identity Association (PDIDA). The PDIDA provides an open forum to foster common agreement, promote best practice guidelines, share experiences and develop the nascent market of personal digital identity management technologies and services. Originating in the UK, but not limited by geography, the PDIDA is focused on the responsible management of personal digital identities, primarily covering the perspectives of the consumer, as well as the implications and opportunities for businesses, service providers, technology vendors and government. “Left unmanaged, our personal digital identity is on a collision course with corporate CRM systems, privacy concerns, compliance requirements, as well as UK and European legislation,” said a spokesperson. “A new era is emerging where individuals will take a much more active role in the management of their personal information, empowering individuals to dictate how and when their details may be accessed and used by third parties. This environment offers potential mutual benefit to consumers, as well as businesses, government agencies and service providers alike.” [Source]

 

UK – British Man Gets 4 Years in Jail for eBay Phishing Scam

A British man was jailed for four years for masterminding an eBay Internet auction swindle which stole computer account details from users and assumed their identities. David Levi led six others in a gang which scooped almost $355,000 through a “phishing” fraud – the practice of stealing goods after tricking computer users into revealing their bank details. [Source]

 

US – Consumers Readily Surrender Personal Details in Bogus Survey

RSA Security found in a startling study that the vast majority of people they interviewed under the guise of a tourism survey with the potential for prizes too easily gave up personal details. The study’s conclusions suggest that Americans have yet to fathom that identity theft poses a significant risk. Visitors surveyed were asked a number of questions that included queries on their mother’s maiden name, date of birth and address. Giving out personal information is especially problematic because a person’s mother’s maiden name is often used to verify identity or reset passwords. Another concern is that cyber criminals can easily guess passwords once they have a bevy of personal details. [Source]

 

US – FBI Launches New Consumer Education Web Site

The FBI recently launched a Web site that aims to educate consumers about online scams. The Web site, known as “Looks Too Good to Be True,” includes real-life stories of Internet scams, warnings regarding new online threats, and quizzes designed to help consumers recognize fraud. The FBI’s Web site is similar to a site that was recently launched by the Federal Trade Commission. [Source]

 

JP – Privacy Concerns Spur Census Change

The Japanese government has decided to change the way it conducts the census after participation dropped in the latest survey due in part to rising concerns about privacy. By the end of 2005 the Internal Affairs and Communications Ministry will form a panel that will examine the possibility of conducting the survey on the Internet or collecting census forms through the mail, officials said. About 100 cases were reported in which people pretending to be authorized census personnel were found to be collecting census forms. [Source]

 

JP – Japan’s New Privacy Law Disappoints Consumers

The Japan Consumer Information Center and other consumer groups have logged hundreds of complaints in the past six months about the failure of the Personal Information Protection Law, which took effect in April, to stop the onslaught of telemarketing calls and direct mail. Companies that hold information on fewer than 5,000 people are not subject to the law. Companies that comply with the law cannot be required to stop using customer lists if they obtained them legally and use them “within the range of announced purposes.” A government panel issued a report last month that recommended that companies be banned from accessing the residents’ register for business purposes. Under the law, companies could be required to make changes in their practices, but no business improvement orders have been issued so far over privacy violations. [Source]

 

CA – Canadian Teens Like to Hide Identity on Net, Study Finds

Almost six in 10 teenagers are disguising their identities on the Internet according to a new study, released by the Media Awareness Network, that looks at a generation of Web-savvy young Canadians. Whether it’s pretending to be older or a different gender, those in Grades 7 through 11 said they have experimented with social roles either to see what it was like to be someone else, talk to older kids or even flirt. About 17% said they did it so they can act mean to others and not get in trouble. This year’s survey of 5,200 students in Grades 4 through 11 shows that young Canadians are more connected than ever, with nine in 10 having access to the Internet at home. And by their late teens, more than half have their own Internet-connected computer, separate and apart from the family computer. [Source]

 

WW – Microsoft to Bundle Anti-Spyware App with Windows

Microsoft said Friday that it plans to bundle its “Windows Anti-Spyware” tool with Windows Vista, the chronically delayed next version of the company’s operating system. Microsoft also decided to rename the program “Windows Defender,” in part to give it “a more positive name.” [Source]

 

CA – Investigation Sought Into Alleged Spyware Use by Canadian Company

The Canadian Competition Bureau has been asked to investigate a Canadian company, Integrated Search Technologies, in what is believed to be the first complaint of its kind filed with the bureau. The complaint alleges that the installation of the company’s software involves “a blatant misrepresentation as to the purpose of the installation” and also deceives or confuses consumers into accepting the installation. Canada has no law that specifically makes spyware illegal, but spyware that collects personal information without the user’s consent could be pursued under privacy laws. [Source]

 

WW – 2005 Privacy Survey is Underway at NCSU

Researchers at ThePrivacyPlace.Org are conducting an online survey about privacy policies and user values. The survey is supported by an NSF ITR grant (National Science Foundation Information Technology Research) and will help us with our investigations of privacy policy expression and user comprehension thereof. [Take the Survey]

 

AU – Telstra ‘Worst Privacy Invader’

TELSTRA, the NSW Government and two senators have been named as Australia’s worst privacy invaders in national shame awards. The Australian Privacy Foundation (APF), a national lobby group dedicated to protecting the privacy rights of Australians, announced the winners of the annual Big Brother Awards, or Orwells, in Melbourne. [Source]

 

US – Ontario Privacy Commissioner Wins HP/IAPP Privacy Award

Sprint Nextel, the Information and Privacy Commission of Ontario and Watchfire are recipients of the prestigious HP/IAPP Privacy Innovation Awards. One winner was selected from more than 30 total entrants in three categories: large organization, small organization and technology. [Source]

 

US – ACLU Challenges USA PATRIOT ACT

The ACLU urged the 2nd Circuit Court of Appeals last week to uphold two separate lower court rulings that whittle away at provisions of the US Patriot Act, which allow the FBI to secretly demand public information from public libraries and ISPs. At issue in last week’s hearing are two challenges brought by the ACLU in New York and Connecticut regarding a surveillance provision that was dramatically expanded by Section 505 of the Patriot Act. [Source]

 

US – Microsoft Calls on Congress to Enact New Federal Privacy Law

Microsoft announced last week a series of steps the company would like to see Congress take to supersede state laws that deliver a patchwork of regulation on the collection, use, storage and disclosure of personal information. Consumers want a consistent standard, according to Peter Cullen, Microsoft’s chief privacy strategist. Among the significant aspects of the company’s position is the view that consumers should have some control over how their personal information is used and disclosed. The company also said a federal privacy law should require companies to notify consumers if a data breach jeopardizes the security of their personal information. [Source] [Source]

 

US – New Passports Still to Have RFID

The State Department announced it will move forward with plans to require new passports to be equipped with RFID chips. The recently issued final rule also attempts to address deficiencies in a previous proposal, which would have made personal data contained in the hi-tech passports vulnerable to unauthorized access. The previous design would have stored information in the remotely readable passports in unencrypted form. Tests had shown that the passports’ RFID chips could be read from two feet or more, posing a significant risk of unauthorized access. The program was widely criticized as unnecessary and insecure by EPIC and other civil liberties groups. The previous design was also criticized by privacy and security experts and the travel industry. The State Department now plans to cover the passport booklet with metallic shielding that effectively blocks transmission of information when the booklet is not open. The Department also called for the implementation of Basic Access Control, a practice in which the data contained in the RFID chip is stored in encrypted form, and is only decrypted by RFID readers that optically read and decode a key printed on the inside of the passport’s cover. This key is also used to encrypt all communications between the passport and the reader. The State Department, in conjunction with the National Institute of Standards and Technology, will also add shielding to the RFID readers in an attempt to prevent the interception of signals between authorized readers and passports. The State Department did not, however, provide any details concerning this effort. While these proposed changes should mitigate the most significant risks of skimming and eavesdropping, they invalidate the main justification that the State Department used to promote the use of RFID technology - to save time at Customs by distance scanning with no physical contact required.
Computer security expert Bruce Schneier has also said that “collision avoidance ID” in the chip still creates serious privacy risks and should be fixed. He writes in a recent column for Wired, “the real issue is how many other problems like this are lurking in the details of its design? We don’t know, and I doubt the State Department knows either. The only way to vet its design, and to convince us that RFID is necessary, would be to open it up to public scrutiny.” [Final Rule] [EPIC, EFF et al, Comments on RFID Passports]

           

WW – IBM Unveils New Scratch-Off RFID Tags to Give Consumers Privacy Controls

IBM researchers have developed a method to ensure consumer privacy while using RFID tags that emulate scratch-off lottery tickets or perforated clothing labels. While the RFID device would remain on the shirt, can, or package itself, IBM’s idea is to attach a partially-destructible RFID antenna so that the consumer can remove it after purchase. IBM researchers introduced the concept in a paper presented this week. Destroying part of the antenna would degrade the antenna range from a few meters down to a few inches, helping to alleviate concerns that hidden RFID scanners could “read” the contents of a consumer’s shopping cart, identifying what they purchased. [Source] [Source] [Source]

 

WW – Rebuttal to SPYCHIPS Book

Although RFID technology could be used by a variety of applications, the technology has been assailed by pro-privacy groups worried that the technology could be used to spy on their belongings. This week, Nicholas Chavez, chief executive of RFID Inc., published a 25-page rebuttal of a recent book, SpyChips, which examined the RFID industry from a privacy perspective.

 

US – Report: Government Has Major Role in RFID Development

Public-sector usage of RFID technology is growing as officials continue to weigh implementation and maintenance costs against time, labor and cost savings. But the federal government also has a major role in establishing international standards, broadening research into the technology and helping to create a new RFID market, according to a new report published by the IBM Center for the Business of Government. [Source]

 

CA – Bell Canada Announces RFID Pilot Program

The Supply Chain Network Project, a group of suppliers and retailers including Staples Business Depot and UPS Supply Chain Solutions, has selected Bell Canada to deploy the electronic product code pilot project. The founder and developer of the Supply Chain Network Project, Jeff Ashcroft, advocates RFID as a way to reduce labor, distribution and inventory losses. Bell Canada is currently running its own RFID pilot within the company’s fleet management. [Source]

 

US – Retailers Expect RFID Technology To Help Boost Holiday Sales

American retailers are using RFID technology to ensure that popular items are in stock this holiday season as the industry relies on customer-service basics. In the past year, there has been a dramatic increase in RFID in the U.S. and Canada. Frost & Sullivan has predicted that the retail market for RFID will increase from $400 million in 2004 to nearly $4.2 billion in 2011. [Source]

 

US – California Bill Would Place Moratorium On The Use Of RFID In Identification Cards

The industry lobby is working hard to convince California lawmakers of the merits of wireless identification technology as the Identity Information Protection Act of 2005 makes its way toward the House floor in January. If the first-of-its-kind bill in the nation passes, it would stall companies that make chip technology for driver’s licenses, school identification, library and health cards. The industry also is opposed to requirements in the bill that would mandate costly security features in all cards – a layer of protection critics argue is unnecessary. The bill’s sponsors contend that the RFID industry needs to demonstrate a commitment to privacy by embarking on pilot programs to improve their designs. [Source]

 

US – New York County Considers Mandating Secure WiFi Connections

According to a new proposal being considered by a suburb of New York City, any business or home office with an open wireless connection but no separate server to fend off Internet attacks would be violating the law. Politicians in Westchester County are urging adoption of the law – which appears to be the first such legislation in the U.S. – because without it, “somebody parked in the street or sitting in a neighboring building could hack into the network and steal your most confidential data.” [Source]

 

US – US Homeland Security Issues Cyber Security Plan

A preliminary report released by the Department of Homeland Security seems to scatter cybersecurity responsibilities across the government and the private sector while sticking to generalities about future plans. In its 175-page draft of the National Infrastructure Protection Plan, the department outlines a broad framework for protecting the nation’s “critical infrastructure” and “key assets”. The plan asserts that cybersecurity responsibilities should ultimately lie with the Department of Homeland Security, but also calls on state and local governments to develop information security measures and to be aware of vulnerabilities in their systems. [Source] [Federal Register Notice]

 

EU – Germany Unveils New e-Passports

Germany has become the first European Union country to introduce biometric passports. The new biometric passports contain a tiny computer chip that stores a scan of the holder’s face. After 2007, the chip also will include fingerprint scans, and iris scans may follow. At the airport, a device will scan a traveler’s face while an immigration officer swipes the passport to cross-check the information. The country’s data protection commissioner said officials have not provided enough information about the security testing done on the new e-passports, making a proper security assessment impossible. The commissioner, Peter Schaar, would like to see more safeguards to prevent access to confidential biometric data. [Source]

 

EU – Norway, Sweden Push Ahead with Biometric Passports

Sweden and Norway began deploying biometric passports in October but privacy and security issues may limit the potential of the new systems. Both Norway and Sweden will store digital facial images on smart cards embedded into the passports. The digital image will be used as an additional safeguard against fraudulent passports. To allay the fears of Swedish people concerned about the security of the system and their privacy rights, the digital image on the chips won’t be stored in any database, said a spokesperson from the Swedish National Police Board. “There is no kind of national register for this kind of information,” he said. In addition, when readers are installed at passport control centers, the data won’t be stored there either. [Source]

 

US – How Many Security Cameras are Trained on New Yorkers?

A dozen college interns working for the New York Civil Liberties Union are conducting a study of the number of cameras throughout Manhattan. The project is intended to shed light on the debate over the surrender of privacy to combat crime and terrorism. In 1998, the group found 2,397 private-sector and government cameras used in Manhattan. So far, the count exceeds 4,000. The group intends to use the findings to bolster its argument that the cameras should be regulated to preserve privacy and prevent abuses. [Source]

 

US – Privacy Critics Assail TSA’s Registered Traveler Program

Under a plan outlined recently to Congress, private companies would be responsible for screening travelers and issuing them identification cards to avoid random body searches and prolonged airport security screening. Participants in the frequent-flier program would have to pay a fee, provide their fingerprints and other biological identifiers and undergo a background check. The plan outlined to the House Homeland Security subcommittee has drawn the ire of privacy advocates and civil libertarians. The information used to screen the participants will come partly from government watch lists, which have proven to be inaccurate by flagging people - who pose no danger - as potential terrorist threats. [Source]

 

US – EPIC Testifies on Registered Traveler

On November 3, the House of Representatives held hearings on the TSA Registered Traveler program. EPIC Executive Director Marc Rotenberg testified on the problems with the proposed program. He noted that the security watchlists that form the basis for the passenger pre-screening are riddled with inaccuracies that are often extremely difficult to correct. Rotenberg also said that the program lacked the necessary privacy protections of the Privacy Act of 1974. This is because Registered Traveler databases are either owned by private companies that are not regulated by the Act, or the government databases are exempted from federal laws at the request of the TSA. Finally, Rotenberg cited the risk of “mission creep” within the Registered Traveler program. Using Registered Traveler IDs in situations other than aviation security, as some vendors have suggested, would lead to travelers being allowed or denied access to any number of venues based not upon their risk to that venue, but on their supposed risk to aviation. EPIC recommended that the plan not go forward until these flaws were fixed. Despite these concerns, representatives on the subcommittee were eager to implement the system and questioned Director Hawley on the program’s slow development. [Testimony of Witnesses] [TSA’s Registered Traveler site] [EPIC’s Spotlight on Registered Traveler] [EPIC FOIA Note #8]

 

US – Lawmakers Split on Data Protection Bill

House Democrats and Republicans split sharply last week over how to best protect consumers’ personal data, as legislation to curb the persistent scourge of identity theft and fraud began to move on a fast track on Capitol Hill. In a 13 to 8 vote along party lines, a subcommittee of the House Energy and Commerce Committee approved a bill that would require information brokers to submit plans for safeguarding private data to the FTC for monitoring and review. [Source] [See also NY Times article: Many Bills, But No Consensus]

 

US – 47 Attorneys General Urge Congress to Protect Data Security

47 Attorneys General urged party leaders in the House and Senate to pass a strong security breach notification law. The letter is in response to a series of bills that have been introduced to address security breaches and identity theft at the federal level, many of which are substantially weaker than existing state law. The Attorneys General argued that quick notification is necessary because FTC statistics show that the cost and severity of identity theft are reduced when victims are informed shortly after their information is misused. The Attorneys General also called for the ability of consumers to freeze their credit report, which makes it very difficult for identity thieves to open new accounts in another’s name. The Attorneys General specified that a credit freeze should be low cost for consumers, free for identity thieves [Huh?], and easy to “thaw” so that consumers can take advantage of credit offers. [Attorneys General letter]

 

------------------------------------