Privacy News Highlights
07–14 October 2005
Contents:
WW – Lufthansa Systems Demos Airline Biometric ID System
EU – Biometric Passports Introduced in Sweden and Norway
CA – Federal Privacy Commissioner Tables Annual Reports
CA – Access Commissioner John Reid Produces His Own Access Bill
AB – Edmonton Police Did Not Leak Personal Data to Convict
CA – Martin Defends Wiretap Bill
WW – Survey: Online Retailers Still Sharing Users' Personal Data
US – Do-Not-Call Lists Criticized as Ineffective
WW – Poll: Public Perceives Net as Threat to Kids
US – Massachusetts Court Orders Spammer Sites Shut Down
EU – Danish Citizens Can Now Access Their Medical Records Online
EU – EU Deal On Data Retention Law Could Be Reached By Year’s End
US – Poll: Americans Have Overwhelming Disdain for Personal Data Collection
WW – Cyber-Catharsis: Bloggers Use Web Sites as Therapy
WW – Governments Increasingly Use Net Filters, Report Says
US – L.A. Archdiocese Releases Information from Clergy Personnel Files
US – IBM Promises Not To Use Genetic Information In Hiring, Benefits Decisions
US – Study: Consumers Support EHRs But Still Wary Of Privacy, Security Breaches
US – Privacy Advocates Seek Tighter Regulation of Drug Company Marketing Practices
US – Bank of America Users Warned of Laptop Theft
WW – Study: ID Thieves Often Known to the Victims
US – Banks Offer Identity Theft Services For A Fee
WW – Liberty Alliance Releases Legal, Privacy Guidelines on Identity
DE – E-Mail Eavesdropping Faces Criticism: Costs Are High, Utility is Low
US – Panel Says E-Voting Vulnerable
EU – Plans for Police Forces to Exchange Data
SA – South African Privacy Legislation Unveiled
US – The NetSmartz workshop launches “UYN”
WW – Experts Warn Spyware Threat Escalating
WW – AOL Revises Privacy Policy to Track Member Activity, Web Searches
US – States Seeking to Track Cell Phones for Traffic Conditions
WW – Trade Association AIM Global Issues RFID Position Statements
US – TSA to Push Ahead With Controversial Airport Screening Technology
NL – Dutch Smash 100,000-Strong Zombie Army
WW – Phishing Attack Targets One-time Passwords
AU – Personal Phone Data Still Misused
US – Business Groups Support Reform of PATRIOT Powers
US – GAO Issues Study/Report on Chief Information Officers:
WW – Software Company Changes Distribution Practices Flagged by CDT
US – Kansas Supreme Court Ousts Judge for Viewing Porn Online
Two German companies have developed a new biometric
system for identifying airline passengers during the boarding process. The
system, designed to conduct biometric checks on passengers prior to boarding an
aircraft, is intended to play a significant role in the introduction of “trusted
passenger” programs planned by the airline industry to increase aviation
security. According to company spokespeople, passengers with an electronically
readable identity card containing biometric data will also benefit from the technology
as they will be able to move through airport security points more quickly and
easily than travelers without cards. [Source]
Following
The Federal Privacy Commissioner’s 2004-2005 Annual
Reports on PIPEDA and the Privacy Act were tabled last Thursday. Last
year the OPC introduced several measures to help organizations comply with
PIPEDA, such as a follow-up procedure to monitor the progress of businesses in
implementing the Commissioner’s recommendations; a process for establishing “reasonable
grounds” to select subjects for audits; and a self-assessment tool to help organizations
ensure compliance with PIPEDA. The number of complaints in 2004 increased by
more than 100% from the previous year from 302 to 723, with 29% or 213 of
complaints related to the financial sector. In terms of complaint type, just
over a third or 286 of those pertained to use and disclosure of information
with collection and access following closely behind. Consent of the individual
remains at the heart of the Act, especially as newer technologies such as RFID
and biometrics make their way down to the consumer level. The Commissioner’s
office will be conducting a survey in the upcoming months on RFID to look at
how the technology is used and how businesses are thinking about using it. The
Commissioner is also calling for an overhaul of
Full press release is available at:
http://www.privcom.gc.ca/media/nr-c/2005/nr-c_051006_01_e.asp
Full text of report is available at:
http://www.privcom.gc.ca/information/ar/200405/200405_pa_e.asp
Full text of PIPEDA Report is available at:
http://www.privcom.gc.ca/information/ar/200405/2004_pipeda_e.asp
Justice Minister Irwin Cotler
has been promising a draft government access bill to the House Access to Information
Committee, but has so far not delivered. So Access Commissioner John Reid
produced his own. Reid and his staffers have been appearing before the Standing
House Committee on Access to Information, Privacy and Ethics and providing the
committee and its Library of Parliament staffers with their positions and
findings. This week, Reid beat the government to the punch by being the first
out to produce an access bill that goes beyond the Martin-Bryden
Bill. And the bill is much more consistent, but far from an overhaul effort. He
is also providing the bill to Justice John Gomery for
consideration. [Source]
Prime Minister Paul Martin moved this week to reassure
Canadians that new legislation aimed at giving law-enforcement authorities the
right to monitor e-mail and Internet traffic will not violate civil rights. Speaking
in
WW – Survey: Online Retailers Still Sharing Users' Personal Data
Online
retailers are doing a better job of responding to customers' inquiries, but
they continue to share users' personal data without permission, according to
the "Third Quarter 2005 Online Customer Respect Study of Retailers."
The study was conducted by The Customer Respect
Group Inc. in
Regulators say the National Do-Not-Call Registry
system is working, but a recent survey found that 51% of registered consumers
say they’re still getting calls they think the list is supposed to block. Despite
1 million reports of violations, the FTC has filed only 14 lawsuits and levied
only four fines. In addition to questions about effectiveness, with 25 states
maintaining their own do-not-call lists, some with tougher restrictions, a fresh
debate is developing as to which calls are restricted and which ones are not. [Source]
Some
94% of consumers in a recent Harris Interactive survey believe the Internet poses a
threat to children. Among the biggest threats perceived by the respondents in
the poll -- which was commissioned by
A
A new e-service has been launched in
Ministers for justice and home affairs from the 25 EU
member states this week backed away from their threat to enact a law without
legislative approval that would require data retention for a two-year period.
European Parliament members had vowed to sue to block the law’s enactment.
Differences over the length of time for data retention have caused recent
discord. EU attempts to pass a data retention law after Sept. 11 were derailed,
largely because of privacy and cost concerns. The EU justice commissioner has
proposed a six-month retention limit for Internet communications and one year
for telephone records. The European Parliament’s Committee on Civil Liberties,
Justice and Home Affairs will consider the proposal in about a month before it
moves to the full legislature. [Source]
A CBS/New York Times poll found that 83% of Americans view
growing databases of personal information as a bad thing. High-profile security
breaches have fueled the distrust Americans feel toward data brokers and banks.
Congress has consistently sided with industry, but the time has come for
lawmakers to begin paying more attention to consumers. The poll found that
two-thirds of the respondents said the federal government isn’t doing enough to
protect them. Numerous data-protection and privacy bills have yet to see
action. [Source]
The Internet is now teeming with some 15 million blogs. Although the medium first drew mainstream attention
with commentary on high-profile events such as the presidential election, many
now use it to chronicle intensely personal experiences, venting confessions in
front of millions of strangers who can write back. [Source]
Study Says Software Makers Supply Tools to Censor Web:
A new report from the OpenNet Initiative, a human
rights project linking researchers from the University of Toronto, Harvard Law
School and Cambridge University in Britain, once again raises tough questions
about the use of filtering technologies – often developed by Western companies
– by autocratic governments bent on controlling what their citizens see on the
Web.
After nearly three years of legal wrangling, the Roman
Catholic Archdiocese of Los Angeles released information from the confidential
personnel files of 126 clergymen accused of sexual abuse. The records, which
summarize the files, show that for more than 75 years the nation’s largest archdiocese
shipped priests accused of abuse between therapy and new assignments, often
ignoring parishioners’ complaints. The confidential files were released to The
Associated Press this week as part of the settlement talks in a civil suit with
lawyers for 560 accusers. The documents offer details in a number of cases,
though much of the information has already been published in various forms. [Source]
Harriet Pearson, IBM’s chief privacy officer and an
IAPP board member, says the “time is right” to protect employee privacy because
advances in genetic technology make it possible for companies to use DNA
screening in hiring and benefits evaluations. Genetic tests are not prevalent
in the marketplace, but some companies have secretly performed the tests
without employees’ knowledge or consent. As a leading information technology
company with a growing market share in the medical industry, IBM’s announcement
is especially significant in terms of influencing policy of other major
corporations, experts say. Still, genetic specialists insist that a federal law
is the best way to protect employees’ secret information. [Source]
A Public Opinion Strategies survey conducted for the Markle Foundation has found that 72% of Americans favor
establishing a national network for healthcare information. But 79% of those surveyed
say they want the opportunity to grant permission to access their records.
Another study done by Public Opinion Strategies showed that 69% of those
surveyed said they would go online to check for errors in their medical
records. [Source]
EPIC has argued that US Food and Drug Administration
regulators need to scrutinize how pharmaceutical companies collect and use
consumer information. The advocacy group pointed out that the drug companies
have engaged in alleged deceptive practices to collect personal information,
including the mailing of free drug samples to current and former users of
medications. [Source]
Users of the Bank of America Corp.’s Visa Buxx prepaid debit cards are being warned that they may have
had sensitive information compromised following the theft of an unencrypted
laptop computer. In letters sent to Buxx users and
dated Sept. 23, the
A recent study found that in 26% of all identity theft
cases the victims knew the person who had misused their personal information.
As much as 50% of debit-card fraud occurs when a relative or friend who knows
the PIN takes the card to steal funds. [Source]
Bank customers in
The Liberty Alliance Project, an industry consortium
working on standards for federated identity systems, has released a 15-page
guideline document that aims to help organizations deal with some of the
legal and privacy issues that arise from such federated identity projects. The
technologies that underlie the Liberty Alliance Project are mature enough for
companies to build federated identity systems, according to a Liberty Alliance
Communications spokesperson. But companies must also agree on what types of
information will be shared and the security and privacy measures they need to
have in place to achieve what the Liberty Alliance calls a “circle of trust”
among the organizations involved. “The biggest barriers are how organizations
actually work together to federate.” [Source]
According to statements made by a variety
of German Internet providers the number of official requests for e-mail taps in
At a conference held by the National Institute of
Standards and Technology, a panel of election officials, computer scientists,
and academics said that overlooked bugs and malicious code pose a plausible
threat to software on electronic voting machines. The panel weighed in on steps
that should be taken before, during, and after elections to protect electronic
voting systems against software-related problems. [Source]
The European Commission wants to make it easier for
national police forces in the European Union to exchange data. Information such
as DNA profiles of suspects and fingerprints could be made more readily
available under proposals. The aim is to cut red tape and ensure data held by
one national law enforcement agency is handed over on request to police in
another EU state or the bloc’s police agency Europol. Under the plans, national
police should also share information about guns, car registration data,
telephone numbers and other telecommunications data, and hand over names listed
in civil registers. The data should be used to prevent, detect or investigate
crimes, the Commission said. The EU already shares some information through the
Schengen Information System, which was set up
together with the EU’s borderless Schengen
area. The Commission said that system had been “greatly utilised”
by law enforcement across
The
SA Law Reform Commission has released a privacy bill for public comment. Currently,
there is no law that specifically protects privacy. The draft bill is modeled
after the EU directive and the Organization for Economic Co-operation and
Development guidelines, which are aimed at achieving market efficiencies.
Supporters say the bill is needed to do business with other countries. [Source]
The NetSmartz Workshop, an interactive, educational safety
resource that enhances the ability of children to recognize dangers on the
Internet, announced the launch of a new initiative designed to provide children
with a fun, easy way to remember rules for online safety automatically. The
initiative features the central theme “Use Your NetSmartz,”
or “UYN” in chat lingo. UYN provides children as well as parents, educators,
and law enforcement with a simple, easy-to-remember abbreviation that embraces
all the basic elements of Internet safety. [Source]
Security experts are warning that computer users are
still failing to take basic steps to protect themselves against spyware
threats. A senior researcher at Symantec told attendees at the Virus Bulletin
conference in
AOL to Offer Personalized Content and Targeted Advertisements:
AOL’s changes in its privacy policy are drawing mixed reviews. AOL changed its
privacy policy to reflect that it will not sell members’ home addresses – a
past practice. But privacy advocates object to the customized searches. The
changes are the first major revisions to the company’s privacy policy since
1998. The changes – which take effect Nov. 10 – will affect
In
what would be the largest project of its kind, the Missouri Department of
Transportation is negotiating with private contractors to monitor thousands of
cell phones, using their movements to produce real-time traffic conditions on
5,500 miles of roads statewide. Cell phone users won't even know anyone's
watching them. But transportation and technology leaders assure there is no
need to worry - the data will remain anonymous, leaving no possibility of
tracking specific people from their driveway to their destination. "There
is absolutely no privacy threat whatsoever," said Pete Rahn,
director of the Missouri Department of Transportation. But privacy advocates
are uneasy. "Even though it's anonymous, it's
still ominous," said Daniel Solove, a privacy law professor at
AIM
Global has published the first series of Global Position Statements related to
issues stemming from RFID. The consumer privacy and security position
statements indicate that AIM Global “is dedicated to ensuring full compliance
with all relevant personal privacy and security regulations and laws.” [Source]
Will New Airport X-Rays Invade Privacy? The
Transportation Security Administration may be ready to unveil plans to
introduce the backscatter body scanner, which some privacy and civil rights
advocates have objected to for producing X-ray images that show too much
detail of a person’s body. New cloaking software may allay some privacy concerns,
but it is unclear how the American public will react to the new security
machines. The ACLU maintains that the cloaked images are still objectionable. [Source]
Dutch police have arrested three people for building a
worldwide zombie network of more than 100,000 PCs used to launch internet
attacks on companies and to hack into bank and PayPal
accounts. [Source]
A Swedish internet bank was forced to shut down its
website for a short time last week after its one-time password security system
was targeted by a new type of phishing scam, according to reports. Recipients
were directed to several fake websites, thought to be based in
Major business groups, including the National
Association of Manufacturers and the U.S. Chamber of Commerce, are urging
Congress to add additional judicial controls to provisions of the PATRIOT Act
expanding government access to personal records held by businesses. In an October
4 letter to Senate Judiciary Committee chairman Arlen Specter (R-Pa.), the
traditionally conservative groups praised Senate language requiring a factual
basis and particularized suspicion for court orders under the controversial
Section 215 of the PATRIOT Act and ‘National Security Letters.’ The House bill
reauthorizing the PATRIOT Act does not contain similar protections.
Representatives of the two Houses of Congress have begun discussions to
reconcile the two versions. [Additional Info]
A new GAO report examines the responsibilities of CIOs at 20 leading private-sector organizations. The questions
GAO addressed were (1) What are the responsibilities
of these CIOs, and how do they compare with those of
federal CIOs? (2) What are the key challenges of
these private-sector CIOs? (3) How do these
organizations govern their information and IT assets enterprisewide?
The CIOs of most of the 20 leading private-sector
organizations GAO met with had either sole or shared responsibility for 9 of
the 12 information and technology management functional areas. Almost all of
the private-sector CIOs had responsibility for five
areas: (1) systems acquisition, (2) IT capital planning, (3) information
security, (4) IT human capital, and (5) e-commerce. In only three
areas--information dissemination and disclosure, information collection, and
statistical policy--did half or fewer of the CIOs
have responsibility. Eleven of the private-sector CIOs
reported that aligning IT with business goals was their greatest challenge.
Other major challenges that the CIOs frequently cited
include controlling IT costs and increasing efficiencies, ensuring data
security and integrity, and implementing new enterprise technologies. The
private-sector CIOs described several approaches to
governing their companies’ IT assets, including utilizing an executive-level
committee with the appropriate decision authority and establishing cross-organizational
teams to drive broad collaborative efforts such as enterprisewide
business processes. Several CIOs also described their
ongoing efforts to balance between centralization and decentralization of
decision authority as their companies’ competitive environments evolve. [Source]
Bellevue, Wash.-based 180solutions has ended its
relationship with a company called Integrated Search Technologies (IST) that
the Center for Democracy and Technology (CDT) identified as a particularly malicious
“spyware” distributor. 180solutions has also voluntarily agreed to end the
practice of allowing third party “affiliates” like IST to decide how its
software is downloaded onto users’ computers. 180solutions’ move highlights the
importance of CDT’s ongoing efforts to investigate major sources of spyware
distribution online, untangle their complicated webs of affiliate
relationships, and apply pressure to the major companies that profit from those
enterprises. [Press Release]
The Kansas Supreme
Court ousted a county judge for viewing Internet pornography on his office computer.
Saline County District Judge George R. Robertson, 56, had been on the bench for
10 years and on administrative leave since June, when a judicial panel
recommended his removal for violating the canons of judicial conduct. [Source]
--------