Two German companies have developed a new biometric system for identifying airline passengers during the boarding process. The system, designed to conduct biometric checks on passengers prior to boarding an aircraft, is intended to play a significant role in the introduction of “trusted passenger” programs planned by the airline industry to increase aviation security. According to company spokespeople, passengers with an electronically readable identity card containing biometric data will also benefit from technology as they will be able to move through airport security points more quickly and easily than travelers without cards. [Source]

EU – Biometric Passports Introduced in Sweden and Norway

Following Belgium (in November 2004) and ahead of Germany (on 1 November 2005), Sweden and Norway have become the second and third European countries to start issuing biometric passports compliant with the standard recommended by ICAO. In addition, Sweden has also introduced biometric ID cards valid as travel documents across the Schengen area. The new Swedish passport introduced on 1 October 2005 has an RFID (Radio Frequency Identification) microchip embedded in its polycarbonate data page. The chip contains a digital photo and personal information of the holder. The digital photo in the chip can be measured against the facial features of the person travelling with the passport, which is intended to make it easier to authenticate passport holders and reduce risks of theft and fraud. The new Swedish passport thus complies with the ICAO recommendations for biometrics in machine-readable travel documents (use of facial recognition technology and of high-capacity, contactless integrated circuit chips). It also complies with the EU Council Regulation on standards for security features and biometrics in passports and travel documents issued by Member States. [Source]

CA – Federal Privacy Commissioner Tables Annual Reports

The Federal Privacy Commissioner’s 2004-2005 Annual Reports on PIPEDA and the Privacy Act were tabled last Thursday. Last year the OPC introduced several measures to help organizations comply with PIPEDA, such as a follow-up procedure to monitor the progress of businesses in implementing the Commissioner’s recommendations; a process for establishing “reasonable grounds” to select subjects for audits; and a self-assessment tool to help organizations ensure compliance with PIPEDA. The number of complaints in 2004 increased by more than 100% from the previous year from 302 to 723, with 29% or 213 of complaints related to the financial sector. In terms of complaint type, just over a third or 286 of those pertained to use and disclosure of information with collection and access following closely behind. Consent of the individual remains at the heart of the Act, especially as newer technologies such as RFID and biometrics make their way down to the consumer level. The Commissioner’s office will be conducting a survey in the upcoming months on RFID to look at how the technology is used and how businesses are thinking about using it. The Commissioner is also calling for an overhaul of Canada’s Privacy Act, which took effect in 1983, in the face of a “voracious appetite for personal information and surveillance”. [Source] [Source]

Full press release is available at:
http://www.privcom.gc.ca/media/nr-c/2005/nr-c_051006_01_e.asp
Full text of report is available at:
http://www.privcom.gc.ca/information/ar/200405/200405_pa_e.asp
Full text of PIPEDA Report is available at:
http://www.privcom.gc.ca/information/ar/200405/2004_pipeda_e.asp

CA – Access Commissioner John Reid Produces His Own Access Bill

Justice Minister Irwin Cotler has been promising a draft government access bill to the House Access to Information Committee, but has so far not delivered. So Access Commissioner John Reid produced his own. Reid and his staffers have been appearing before the Standing House Committee on Access to Information, Privacy and Ethics and providing the committee and its Library of Parliament staffers with their positions and findings. This week, Reid beat the government to the punch by being the first out to produce an access bill that goes beyond the Martin-Bryden Bill. And the bill is much more consistent, but far from an overhaul effort. He is also providing the bill to Justice John Gomery for consideration. [Source]

AB – Edmonton Police Did Not Leak Personal Data to Convict

Alberta’s Privacy Commissioner has exonerated the Edmonton Police Service after a high-profile defence lawyer’s personal information ended up in the jail cell of a former Alberta skinhead. Tom Engel theorized that information about his tax deductions, Social Insurance Number, income and RRSP contributions - and similar files on his law partner, their wives and four legal assistants - ended up in the U.S. jail cell of convicted skinhead Daniel Sims back in December because Edmonton cops were somehow targeting him as an enemy of the service. But a spokesman for Privacy Commissioner Frank Work said an investigation by the group showed EPS made no such disclosure to Sims. The federal Privacy Commissioner continues to investigate whether the RCMP may have given Engel’s private information to Sims. [Source]

CA – Martin Defends Wiretap Bill

Prime Minister Paul Martin moved this week to reassure Canadians that new legislation aimed at giving law-enforcement authorities the right to monitor e-mail and Internet traffic will not violate civil rights. Speaking in Toronto, Mr. Martin told reporters that the government will ensure that the bill, which will be unveiled next month, will shield Canadians from unlawful eavesdropping. “In every instance, when the government brings forth this kind of legislation, obviously the question of civil rights is first and foremost in our minds, and they will be protected,” Mr. Martin said. [Source]

WW – Survey: Online Retailers Still Sharing Users' Personal Data
Online retailers are doing a better job of responding to customers' inquiries, but they continue to share users' personal data without permission, according to the "Third Quarter 2005 Online Customer Respect Study of Retailers." The study was conducted by The Customer Respect Group Inc. in Ipswich, Mass. [Source]

US – Do-Not-Call Lists Criticized as Ineffective

Regulators say the National Do-Not-Call Registry system is working, but a recent survey found that 51% of registered consumers say they’re still getting calls they think the list is supposed to block. Despite 1 million reports of violations, the FTC has filed only 14 lawsuits and levied only four fines. In addition to questions about effectiveness, with 25 states maintaining their own do-not-call lists, some with tougher restrictions, a fresh debate is developing as to which calls are restricted and which ones are not. [Source]

WW – Poll: Public Perceives Net as Threat to Kids

Some 94% of consumers in a recent Harris Interactive survey believe the Internet poses a threat to children. Among the biggest threats perceived by the respondents in the poll -- which was commissioned by San Francisco, California, network security firm Zone Labs, a Check Point company -- were predators in chat rooms (61%) and pornography (16%). [Source]

US – Massachusetts Court Orders Spammer Sites Shut Down

A Massachusetts judge has ordered Boston-area spammers to permanently shut down dozens of websites that sold such products as counterfeit prescription drugs, pirated software, and pornography. The judgment, which relied on the CAN-Spam Act, was a result of a lawsuit filed by Massachusetts Attorney General Thomas Reilly. [Source]

EU – Danish Citizens Can Now Access Their Medical Records Online

A new e-service has been launched in Denmark, enabling citizens to get information about their treatments in hospital. Patients can now access their medical records online through the award-winning health portal sundhed.dk and read about their diagnoses and treatments in hospital from as far back as 1977. The e-service gives patients an overview of all their contacts with Danish hospitals. Information about diagnoses, operations, examinations and treatments in hospital since 1977 is available under the heading "My treatments in hospital" on each patient's personal page on the sundhed.dk ('health.dk') portal. Treatments received outside the hospital and psychiatric treatments are registered online from 1995, and the site also contains information about births, accidents, registrations for waiting lists and other registrations. By clicking on different parts of the list, the patient can gather more detailed information about the visits. The record entries are the original ones, written by the doctor, using medical terminology. If patients have questions about the entries, they can print the page and bring it to their general practitioner. [Source]

EU – EU Deal On Data Retention Law Could Be Reached By Year’s End

Ministers for justice and home affairs from the 25 EU member states this week backed away from their threat to enact a law without legislative approval that would require data retention for a two-year period. European Parliament members had vowed to sue to block the law’s enactment. Differences over the length of time for data retention have caused recent discord. EU attempts to pass a data retention law after Sept. 11 were derailed, largely because of privacy and cost concerns. The EU justice commissioner has proposed a six-month retention limit for Internet communications and one year for telephone records. The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs will consider the proposal in about a month before it moves to the full legislature. [Source]

US – Poll: Americans Have Overwhelming Disdain for Personal Data Collection

A CBS/New York Times poll found that 83% of Americans view growing databases of personal information as a bad thing. High-profile security breaches have fueled the distrust Americans feel toward data brokers and banks. Congress has consistently sided with industry, but the time has come for lawmakers to begin paying more attention to consumers. The poll found that two-thirds of the respondents said the federal government isn’t doing enough to protect them. Numerous data-protection and privacy bills have yet to see action. [Source]

WW – Cyber-Catharsis: Bloggers Use Web Sites as Therapy

The Internet is now teeming with some 15 million blogs. Although the medium first drew mainstream attention with commentary on high-profile events such as the presidential election, many now use it to chronicle intensely personal experiences, venting confessions in front of millions of strangers who can write back. [Source]

WW – Governments Increasingly Use Net Filters, Report Says

Study Says Software Makers Supply Tools to Censor Web: A new report from the OpenNet Initiative, a human rights project linking researchers from the University of Toronto, Harvard Law School and Cambridge University in Britain, once again raises tough questions about the use of filtering technologies – often developed by Western companies – by autocratic governments bent on controlling what their citizens see on the Web. Myanmar now joins several nations, including China, Iran and Singapore, in relying on Western software and hardware to accomplish their goals, said Ronald J. Deibert, a principal investigator for the OpenNet Initiative and the director of the Citizen Lab at the Munk Center for International Studies at the University of Toronto. [Source]

US – L.A. Archdiocese Releases Information from Clergy Personnel Files

After nearly three years of legal wrangling, the Roman Catholic Archdiocese of Los Angeles released information from the confidential personnel files of 126 clergymen accused of sexual abuse. The records, which summarize the files, show that for more than 75 years the nation’s largest archdiocese shipped priests accused of abuse between therapy and new assignments, often ignoring parishioners’ complaints. The confidential files were released to The Associated Press this week as part of the settlement talks in a civil suit with lawyers for 560 accusers. The documents offer details in a number of cases, though much of the information has already been published in various forms. [Source]

US – IBM Promises Not To Use Genetic Information In Hiring, Benefits Decisions

Harriet Pearson, IBM’s chief privacy officer and an IAPP board member, says the “time is right” to protect employee privacy because advances in genetic technology make it possible or companies to use DNA screening in hiring and benefits evaluations. Genetic tests are not prevalent in the marketplace, but some companies have secretly performed the tests without employees’ knowledge or consent. As a leading information technology company with a growing market share in the medical industry, IBM’s announcement is especially significant in terms of influencing policy of other major corporations, experts say. Still, genetic specialists insist that a federal law is the best way to protect employees’ secret information. [Source]

US – Study: Consumers Support EHRs But Still Wary Of Privacy, Security Breaches

A Public Opinion Strategies survey conducted for the Markle Foundation has found that 72% of Americans favor establishing a national network for healthcare information. But 79% of those surveyed say they want the opportunity to grant permission to access their records. Another study done by Public Opinion Strategies showed that 69% of those surveyed said they would go online to check for errors in their medical records. [Source] [Source]

US – Privacy Advocates Seek Tighter Regulation of Drug Company Marketing Practices

EPIC has argued that US Food and Drug Administration regulators need to scrutinize how pharmaceutical companies collect and use consumer information. The advocacy group pointed out that the drug companies have engaged in alleged deceptive practices to collect personal information, including the mailing of free drug samples to current and former users of medications. [Source]

US – Bank of America Users Warned of Laptop Theft

Users of the Bank of America Corp.’s Visa Buxx prepaid debit cards are being warned that they may have had sensitive information compromised following the theft of an unencrypted laptop computer. In a letters sent to Buxx users and dated Sept. 23, the Charlotte, North Carolina, bank warned that customers may have had their bank account numbers, routing transit numbers, names and credit card numbers compromised by the theft. [Source]

WW – Study: ID Thieves Often Known to the Victims

A recent study found that in 26% of all identity theft cases the victims knew the person who had misused their personal information. As much as 50% of debit-card fraud occurs when a relative or friend who knows the PIN takes the card to steal funds. [Source]

US – Banks Offer Identity Theft Services For A Fee

Bank customers in Oregon are offered various types of ID theft coverage for between $9.99 and $15 monthly. Advocates say the fee-based services, which offer consumers ID theft prevention, detection and restoration services, should be provided to customers as a free service. Banks say the fees are needed to cover costs associated with time-intensive remedies. Privacy advocates say they object to banks making money from other people’s troubles. [Source]

WW – Liberty Alliance Releases Legal, Privacy Guidelines on Identity

The Liberty Alliance Project, an industry consortium working on standards for federated identity systems, has released a 15-page guideline document that aims to help organizations deal with some of the legal and privacy issues that arise from such federated identity projects. The technologies that underlie the Liberty Alliance Project are mature enough for companies to build federated identity systems, according to a Liberty Alliance Communications spokesperson. But companies must also agree on what types of information will be shared and the security and privacy measures they need to have in place to achieve what the Liberty Alliance calls a “circle of trust” among the organizations involved. “The biggest barriers are how organizations actually work together to federate.” [Source]

DE – E-Mail Eavesdropping Faces Criticism: Costs Are High, Utility is Low

According to statements made by a variety of German Internet providers the number of official requests for e-mail taps in Germany is low. Since the transitional period set out by the German Telecommunication Interception Ordinance (Telekommunikationsüberwachungsverordnung; TKÜV) had ended on January 1 2005 some companies had received only a single official request, with most companies receiving less than three, one of the suppliers of the various commercial solutions declared when asked by heise online. Despite the low demand e-mail providers are obliged since January 1 of this year to make the standard interface for routing copies of e-mails to criminal prosecution authorities – specified by the Technical Guidelines to the German Telecommunication Interception Ordinance – available. The companies are thus again raising the question of the relationship of costs to benefits. [Source]

US – Panel Says E-Voting Vulnerable

At a conference held by the National Institute of Standards and Technology, a panel of election officials, computer scientists, and academics said that overlooked bugs and malicious code pose a plausible threat to software on electronic voting machines. The panel weighed in on steps that should be taken before, during, and after elections to protect electronic voting systems against software-related problems. [Source]

EU – Plans for Police Forces to Exchange Data

The European Commission wants to make it easier for national police forces in the European Union to exchange data. Information such as DNA profiles of suspects and fingerprints could be made more readily available under proposals. The aim is to cut red tape and ensure data held by one national law enforcement agency is handed over on request to police in another EU state or the bloc’s police agency Europol. Under the plans, national police should also share information about guns, car registration data, telephone numbers and other telecommunications data, and hand over names listed in civil registers. The data should be used to prevent, detect or investigate crimes, the Commission said. The EU already shares some information through the Schengen Information System, which was set up together with the EU’s borderless Schengen area. The Commission said that system had been “greatly utilised” by law enforcement across Europe to an extent which highlighted the need for more advanced rules, allowing for a direct exchange of information between national police forces. The latter is rare in the EU, where the exchange of data mainly has to go through national justice ministries and under rules set out in bilateral agreements. The Commission acknowledged its proposals would have an impact on data privacy rights, but said safeguards against violations would be provided for by proposals to strengthen protection of personal data presented earlier this month. [Source]

SA – South African Privacy Legislation Unveiled

The SA Law Reform Commission has released a privacy bill for public comment. Currently, there is no law that specifically protects privacy. The draft bill is modeled after the EU directive and the Organization for Economic Co-operation and Development guidelines, which are aimed at achieving market efficiencies. Supporters say the bill is needed to do business with other countries. [Source]

US – The NetSmartz workshop launches “UYN”

The NetSmartz Workshop, an interactive, educational safety resource that enhances the ability of children to recognize dangers on the Internet, announced the launch of a new initiative designed to provide children with a fun, easy way to remember rules for online safety automatically. The initiative features the central theme “Use Your NetSmartz,” or “UYN” in chat lingo. UYN provides children as well as parents, educators, and law enforcement with a simple, easy-to-remember abbreviation that embraces all the basic elements of Internet safety. [Source]

WW – Experts Warn Spyware Threat Escalating

Security experts are warning that computer users are still failing to take basic steps to protect themselves against spyware threats. A senior researcher at Symantec told attendees at the Virus Bulletin conference in Dublin, Ireland that techniques such as screen capture, key logging, behavioural analysis and common word recognition are all methods employed by spyware applications to build a profile of a user. [Source]

WW – AOL Revises Privacy Policy to Track Member Activity, Web Searches

AOL to Offer Personalized Content and Targeted Advertisements: AOL’s changes in its privacy policy are drawing mixed reviews. AOL changed its privacy policy to reflect that it will not sell members’ home addresses – a past practice. But privacy advocates object to the customized searches. The changes are the first major revisions to the company’s privacy policy since 1998. The changes – which take effect Nov. 10 – will affect U.S. users only. [Source] [Source]

US – States Seeking to Track Cell Phones for Traffic Conditions

In what would be the largest project of its kind, the Missouri Department of Transportation is negotiating with private contractors to monitor thousands of cell phones, using their movements to produce real-time traffic conditions on 5,500 miles of roads statewide. Cell phone users won't even know anyone's watching them. But transportation and technology leaders assure there is no need to worry - the data will remain anonymous, leaving no possibility of tracking specific people from their driveway to their destination. "There is absolutely no privacy threat whatsoever," said Pete Rahn, director of the Missouri Department of Transportation. But privacy advocates are uneasy. "Even though its anonymous, it's still ominous," said Daniel Solove, a privacy law professor at George Washington University and author of the book, "The Digital Person." "It troubles me, because it does show this movement toward using a technology to track people." Cell phone monitoring already is being used by transportation officials in Baltimore, though not yet to relay traffic conditions to the public. Similar projects are getting under way in Norfolk, Va., and a stretch of Interstate 75 between Atlanta and Macon, Ga. [Source]

WW – Trade Association AIM Global Issues RFID Position Statements

Aim Global has published the first series of Global Position Statements related to issues stemming from RFID. The consumer privacy and security position statements indicate that AIM Global “is dedicated to ensuring full compliance with all relevant personal privacy and security regulations and laws.” [Source]

[RFID Position Statement]

US – TSA to Push Ahead With Controversial Airport Screening Technology

Will New Airport X-Rays Invade Privacy? The Transportation Security Administration may be ready to unveil plans to introduce the backscatter body scanner, which some privacy and civil rights advocates have objected to for producing X-ray images that produce too much detail of a person’s body. New cloaking software may allay some privacy concerns, but it is unclear how the American public will react to the new security machines. The ACLU maintains that the cloaked images are still objectionable. [Source]

NL - Dutch Smash 100,000-Strong Zombie Army

Dutch police have arrested three people for building a worldwide zombie network of more than 100,000 PCs used to launch internet attacks on companies and to hack into bank and Paypal accounts. [Source]

WW – Phishing Attack Targets One-time Passwords

A Swedish internet bank was forced to shut down its website for a short time last week after its one-time password security system was targeted by a new type of phishing scam, according to reports. Recipients were directed to several fake websites, thought to be based in South Korea, and asked not only for their account details, but also for the next password on their list of one-time passwords. F-Secure explains that Nordea’s online banking customers are given a scratch sheet, which contains a certain number of hidden passwords. As customers use the service they uncover the next password in the list, which gives them access to their account. According to F-Secure: “Regardless of what you entered, the site would complain about the scratch code and asked you to try the next one. In reality the bad boys were trying to collect several scratch codes for their own use.” The bank discovered the attack last Monday night, and shut the site for around 12 hours. This is said to be the first time that a phishing scam has targeted such a password system, which is intended to be more secure than a normal fixed-password scheme. [Source]

AU – Personal Phone Data Still Misused

Australia’s telco and media watchdog is being criticized for failing to halt what it has described as the misuse of a massive database of Australians’ personal information, two years after raising concerns over abuse of the database. The Integrated Public Number Database (IPND) contains the personal contact information for every Australian who has any type of telephone connection - listed or unlisted, business or personal, fixed line or mobile. According to telecommunications regulations, the information, updated every 24 hours, is collected to provide directory services, emergency services and law enforcement bodies with contact information. But the data is highly prized by direct marketers and companies who want to ensure they have correct information for people on their own databases. Companies licensed as Directory Providers are using the IPND information to clean data for third parties, provide them with previously unknown phone numbers or addresses, and update demographic profile data. [Source]

US – Business Groups Support Reform of PATRIOT Powers

Major business groups, including the National Association of Manufacturers and the U.S. Chamber of Commerce, are urging Congress to add additional judicial controls to provisions of the PATRIOT Act expanding government access to personal records held by businesses. In an October 4 letter to Senate Judiciary Committee chairman Arlen Specter (R-Pa.), the traditionally conservative groups praised Senate language requiring a factual basis and particularized suspicion for court orders under the controversial Section 215 of the PATRIOT Act and ‘National Security Letters.’ The House bill reauthorizing the PATRIOT Act does not contain similar protections. Representatives of the two Houses of Congress have begun discussions to reconcile the two versions. [Additional Info]

US – GAO Issues Study/Report on Chief Information Officers:

A new GAO report examines the responsibilities of CIOs at 20 leading private-sector organizations. The questions GAO addressed were (1) What are the responsibilities of these CIOs, and how do they compare with those of federal CIOs? (2) What are the key challenges of these private-sector CIOs? (3) How do these organizations govern their information and IT assets enterprisewide? The CIOs of most of the 20 leading private-sector organizations GAO met with had either sole or shared responsibility for 9 of the 12 information and technology management functional areas. Almost all of the private-sector CIOs had responsibility for five areas: (1) systems acquisition, (2) IT capital planning, (3) information security, (4) IT human capital, and (5) e-commerce. In only three areas--information dissemination and disclosure, information collection, and statistical policy--did half or fewer of the CIOs have responsibility. Eleven of the private-sector CIOs reported that aligning IT with business goals was their greatest challenge. Other major challenges that the CIOs frequently cited include controlling IT costs and increasing efficiencies, ensuring data security and integrity, and implementing new enterprise technologies. The private-sector CIOs described several approaches to governing their companies’ IT assets, including utilizing an executive-level committee with the appropriate decision authority and establishing cross-organizational teams to drive broad collaborative efforts such as enterprisewide business processes. Several CIOs also described their ongoing efforts to balance between centralization and decentralization of decision authority as their companies’ competitive environments evolve. [Source]

WW – Software Company Changes Distribution Practices Flagged by CDT

Bellevue, Wash.-based 180solutions has ended its relationship with a company called Integrated Search Technologies (IST) that the Center for Democracy and Technology (CDT) identified as a particularly malicious “spyware” distributor. 180solutions has also voluntarily agreed to end the practice of allowing third party “affiliates” like IST to decide how the its software is downloaded onto users’ computers. 180solutions’ move highlights the importance of CDT’s ongoing efforts to investigate major sources of spyware distribution online, untangle their complicated webs of affiliate relationships, and apply pressure to the major companies that profit from those enterprises. [Press Release]

US – Kansas Supreme Court Ousts Judge for Viewing Porn Online

The Kansas Supreme Court ousted a county judge for viewing Internet pornography on his office computer. Saline County District Judge George R. Robertson, 56, had been on the bench for 10 years and on administrative leave since June, when a judicial panel recommended his removal for violating the canons of judicial conduct. [Source]

--------