Privacy News Highlights

14—20 October 2005

Contents:

US – Biometrics Payment Company to Buy Assets Of Credit Card Processor

US – Arizona Traffic Violators Face ID Theft Check

CA – Feds to Run Trial Collection of Biometric Data

CA – Federal Privacy Commissioner Denies PATRIOT ACT Complaints

UK – Study Finds UK Lax on ID Theft

US – NY Man Sentenced In Closed-Door Court Session For Sending 9 Million Spam Ads

US – Pentagon Database On Young Americans Violates Federal Privacy Laws

CA – Canadians and Identity Theft: Concern on the Rise

US – Bank Regulators Want Two-Factor Web Log-in System

AU – Australian Police Agree on National Database

AU – Terror Laws Spark Data Fears in Australia

WW – Sleuths Crack Tracking Code Discovered in Color Printers

EU – Big Brother Awards Austria: EU Parliament as “Defender of Freedom”

CA – How RBC Does Customer Segmentation

EU – Denmark: Citizen Access to Medical Records Online

CA – Nova Scotia Website to Track Waiting Times

US – DUI Cases Thrown Out Due to Closed-Source Breathalyzer

UK – Microsoft Warns ID Cards Pose Massive Security Risk

US – Watchdog Group Criticizes RFID Plans for Drivers’ Licenses

UK – Retention of Conviction Data Does Not Breach Data Protection Act

EU – Sweden Investigates Legal Aspects of Data Sharing

AU – Australia Introduces Spyware Bill

IN – India Right to Information Act Comes into Force

US – Privacy Groups Send Joint Letter on San Francisco Wireless Internet Access

WW – Google Discloses Few Details in New Privacy Policy

US – Federal Regulators Order Banks to Increase Online Security

WW – August Record High For Phishing, But Spam Email Campaigns Down

US – Consumer Privacy Group Calls For Wal-Mart Protest

EU – Sun Powers Belgian E-Government Electronic Identity Card Program

EU – Flemish Project Addresses Privacy Shortcomings of Belgian e-ID Card

AU – Australian Smart Card Framework Announced

WW – Electronic Frontier Foundation (EFF) Cracks Printer Codes

 

 


 

US – Biometrics Payment Company to Buy Assets Of Credit Card Processor

CardSystems Solutions, the company attacked by hackers who took advantage of improper data storage practices, will sell its assets to Pay By Touch, a biometric company that seeks to tap CardSystems’ merchant network to offer its biometric technology to stores. The biometric technology requires customers to swipe their fingers, not cards, to make purchases. More than 40 million customer accounts were accessed during the data theft earlier this year – a security breach that led to Congressional hearings. [Source]

 

US – Arizona Traffic Violators Face ID Theft Check

Arizona motorists cited for criminal traffic violations will have to give their thumbprint to Maricopa County Sheriff’s deputies or go to jail. “This will be mandatory. No exceptions,” Sheriff Joe Arpaio said Wednesday. “If they don’t want to give the print, they’re going directly to jail. Period.” Arpaio launched the new policy Wednesday across the Valley, expanding and toughening a pilot program in which motorists pulled over for routine traffic stops were asked to voluntarily provide a thumbprint. The goal was to catch people who took the wheel with stolen or phony driver’s licenses and ultimately to combat identity theft in Arizona, which ranks top in the nation for the crime. But Arpaio said about 67% of motorists declined to voluntarily give their thumbprints. Although Arpaio cannot require people to provide a fingerprint if they are cited for civil traffic violations, he said he can if the citation is criminal. Criminal traffic violations include reckless driving, excessive speed (more than 20 mph above the posted speed limit) and driving under the influence, while civil violations include speeding, failure to yield or unsafe lane changes. The prints are entered into the Automated Fingerprint Identification System to see if drivers are using fake identification. Civil libertarians have been vehemently opposed to the program since the pilot began. “We still have a major constitutional privacy issue here,” said the ACLU. “It’s one thing to take a fingerprint from a person suspected of driving drunk,” they said. “But it’s something entirely different to threaten people with jail for offenses they never dreamed would land them behind bars.” The ACLU also questioned Arpaio’s link between traffic tickets and identity theft. “The trouble I’m having is finding the nexus between people violating traffic laws and identity theft,” she said. “I just don’t see it.” [Source]

 

CA – Feds to Run Trial Collection of Biometric Data

Digitized photos and fingerprints will soon be collected from thousands of newcomers to Canada as part of a high-tech pilot project aimed at bolstering border security. The six-month trial by the Citizenship and Immigration Department represents one of the first federal forays into the new and controversial realm of biometric technologies. The government has signalled strong interest in making greater use of biometrics - measurable physical characteristics such as facial appearance, iris scans or fingerprints - as a means of confirming identity. The rapidly evolving technology worries civil libertarians and privacy advocates who question the accuracy of the methods and wonder how the data will be shared and used by security agencies. [Source]

 

CA – Federal Privacy Commissioner Denies PATRIOT ACT Complaints

The Canadian Privacy Commissioner this week denied a series of complaints launched after a major bank (CIBC) disclosed that U.S. law enforcement could access credit card users’ personal information. The Commissioner concluded that Canadian privacy legislation “cannot prevent U.S. authorities from lawfully accessing the personal information of Canadians held by organizations in Canada or in the United States, nor can it force Canadian companies to stop outsourcing to foreign-based service providers.” [Finding]

 

UK – Study Finds UK Lax on ID Theft

A UK University study interviewed identity thieves to find out the most common schemes they use to obtain personal information. The study found that people fail to take enough precautions to protect their information. Rather than involvement in highly organized criminal gangs, most identity thieves take advantage of people through relatively simple methods such as retrieving discarded mail that reveals personal information or stealing unattended purses. The study also found that once the thieves had possession of the personal information, it was relatively easy to successfully apply for and obtain credit cards using someone else’s personal information. [Source]


US – NY Man Sentenced In Closed-Door Court Session For Sending 9 Million Spam Ads

An 18-year-old man was sentenced for sending more than 9 million spam ads in online instant messages to members of a popular networking Web site, MySpace.com. Anthony Greco allegedly asked the company to hire him and give him exclusive rights to send commercial email through the site – conditions to guard against more spam, according to federal court records. When the company did not respond to his demands, he allegedly threatened to tell others how he had spammed MySpace users with ads for adult and mortgage refinancing Web sites. Earlier this year, Greco agreed to plead guilty in a deal that would deliver a sentence of 18 months to two years in prison. [Source]


US – Pentagon Database On Young Americans Violates Federal Privacy Laws

In a letter to Defense Secretary Donald Rumsfeld, more than 100 groups are alleging that the database intended to help the Pentagon recruit potential military members is illegal. Opponents argue that the database on young Americans could be misused by the government and the private sector. The military has said the effort is legal and is critical to building and maintaining an all-volunteer armed forces. The Pentagon is spending $342.9 million on advertising and marketing. [Source]

 

CA – Canadians and Identity Theft: Concern on the Rise

According to a recent telephone poll conducted by Ipsos Reid, 8% of Canadian adults who own credit cards indicate that they have personally been a victim of identity theft. Credit card holders in British Columbia are more likely than any other province or region to report being a victim of identity theft (12%). The incidence of identity theft among credit card holders in other parts of the country ranged from 4% in Atlantic Canada to 9% in Ontario. Reported instances of identity theft were consistent across all age groups in the same proportion and were approximately the same among men and women. And it would appear that concern about identity theft is on the rise. Financial institutions have been trying to push the new “Smart Card,” which has a computer chip to store information. The same survey finds less than half of cardholders know about it, and the same number have actually used it. [Source]

 

US – Banks Regulators Want Two-Factor Web Log-in System

The US Federal Financial Institutions Examination Council will require banks, by the end of next year, to strengthen security for Internet customers using a “two-factor” method of authentication to help thwart identity theft. Customers will have to confirm their identities not only through a PIN or password, but also with something they physically have, like a hardware token with numeric access codes that change every minute. [Source]

 

AU – Australian Police Agree on National Database

Australia’s police ministers have agreed to a national rollout of a massive database of “persons of interest”, which will eventually include information on missing persons. The CrimTrac Minimum Nationwide Person Profile (MNPP) will give police access to data on persons of interest provided by any jurisdiction. The database will include images and text. [Source]

 

AU – Terror Laws Spark Data Fears in Australia

Civil libertarians in Australia say new anti-terror laws could ease police access to business customer records without adequate checks and balances. Under the draft laws, banks, airlines, phone and power companies could be forced to provide information about customers suspected of terrorist offences to federal police and ASIO agents. [Source]

 

WW – Sleuths Crack Tracking Code Discovered in Color Printers

It sounds like a conspiracy theory, but it isn’t. The pages coming out of your color printer may contain hidden information that could be used to track you down if you ever cross the U.S. government. [Source]

 

EU – Big Brother Awards Austria: EU Parliament as “Defender of Freedom”

Today the organizers of the Austrian Big Brother Awards have released their nominations for this year’s awards for “Data Leeches” and curtailers of people’s privacy. Who among those shortlisted will finally be crowned with the inverted laurels will be determined on October 25. A winner of one of the rarely bestowed positive prizes however has already been named: The European Parliament is to receive the “Defensor Libertatis” Award. The Parliament as a whole was being honored “for its commitment to important issues and the courage its parliamentarians have shown in risking conflict on their account with the Council of Ministers and the EU Commission,” the organizers declare. [Source]

 

CA – How RBC Does Customer Segmentation

If banks could choose their customers the way kids choose sides on the playground, customers in the 18-to-35 age bracket would be picked last. With their relatively small incomes, low account balances and large student loan debts, young customers aren’t exactly the sort over whom the average bank salivates. At RBC Royal Bank, however, executives recognized that some of those impecunious young customers might eventually turn into wealthy, profitable customers. So RBC analysts pored through the bank’s data on its young customers looking for subsegments with a strong potential for rapid income growth. Their analysis identified medical school and dental school students and interns as a group with a high potential to turn into profitable customers. So in 2004 the bank put together a program to address the financial needs of credit-strapped young medical professionals, including help with student loans, loans for medical equipment for new practices and initial mortgages for their first offices. Within a year, RBC’s market share among customers in this subsegment has shot up from 2% to 18%, and the revenue per client is now 3.7 times that of the average customer. Martin Lippert, vice chairman and CIO at RBC Financial Group, says the bank’s willingness to help these young professionals get started will likely be rewarded with a lower attrition rate down the road. [Source]

 

EU – Denmark: Citizen Access to Medical Records Online

A new e-service has been launched in Denmark, enabling citizens to get information about their treatments in hospital. Patients can now access their medical records online through the award-winning health portal sundhed.dk, and read about their diagnoses and hospital treatments from as far back as 1977. The e-service gives patients an overview of all their contacts with Danish hospitals. Information about diagnoses, operations, examinations and treatments in hospital since 1977 is available under the heading “My treatments in hospital” on each patient’s personal page on the sundhed.dk (‘health.dk’) portal. Treatments received outside the hospital and psychiatric treatments are registered online from 1995, and the site also contains information about births, accidents, registrations for waiting lists and other registrations. The new free-of-charge service is generating great interest among citizens. About 12,000 people ordered a digital signature from the National Board of Health during the first few days of availability, causing a temporary breakdown of the server. The digital signature ensures that only the individual patient can view the entries and, according to the National Board of Health, the system is fully secure. Until now, citizens had to apply in writing to the National Patient Register in order to gain access to the content of their medical records. [Source]

 

CA – Nova Scotia Website to Track Waiting Times

Nova Scotians will now have a better idea of how long they will have to wait for certain hospital procedures. The province launched a website on October 7 that will allow people to track wait times for tests, treatments and services. The site will allow patients and their doctors to make more informed decisions about treatment options. The website uses interactive maps and charts to provide information on the times people have to wait for appointments. The information is provided by the province’s nine district health authorities and the IWK Health Centre in Halifax. The website is part of the province’s long-term strategy to improve wait times for health services. [Source]

 

US – DUI Cases Thrown Out Due to Closed-Source Breathalyzer

Hundreds of cases involving breath-alcohol tests have been thrown out by Seminole County judges in the past five months because the test’s manufacturer will not disclose how the machines work. Bruce Schneier notes that “This is the right decision. Throughout history, the government has had to make the choice: prosecute, or keep your investigative methods secret. They couldn’t have both. If they wanted to keep their methods secret, they had to give up on prosecution. People have the right to confront their accuser. People have a right to examine the evidence against them, and to contest the validity of that evidence. As more and more evidence is collected by software, this means open-source equipment.” [Source] [Source]

 

UK – Microsoft Warns ID Cards Pose Massive Security Risk

Central identity database increases risk of “huge” data breach. Microsoft has warned the UK government’s national ID card plans pose a huge security risk that could actually increase the likelihood of confidential personal information falling into the hands of hackers and criminals. A top security and identity management expert at Microsoft said the current technology proposals are flawed and criticized other IT suppliers for failing to speak out publicly about their concerns for fear of damaging any future bids for a piece of the lucrative ID cards contract. He said: “I have concerns with the current architecture and the way it looks at aggregating so much personal information and biometrics in a single place. There are better ways of doing this. Even the biometrics industry says it is better to have biometrics stored locally.” [Source] [Source]

 

US – Watchdog Group Criticizes RFID Plans for Drivers’ Licenses

A watchdog group said the Department of Homeland Security is considering requiring radio frequency identification chips in drivers’ licenses, an option that it warned carries huge costs and poses privacy risks to Americans. In a new report, “Real ID: Big Brother Could Cost Big Money,” Citizens Against Government Waste said integrating RFID chips that carry detailed personal information would cost $17.4 billion and could push the cost of a drivers’ license from between $10 and $25 to at least $90. [Source]

 

UK – Retention of Conviction Data Does Not Breach Data Protection Act

An Information Tribunal in London ruled last week that police forces do not break the Data Protection Act by processing conviction data on the Police National Computer which relates to offences more than 20 years old. However, the Tribunal determined that access to such data must be restricted. The Tribunal was issuing a judgment on three case appeals representing all the police authorities in England and Wales. It ruled that in the three cases before it, the data in question should within six months of its judgment be restricted to police users only. The appeals concern offences which, though of some age, involved in each case either a sentence of imprisonment or a serious offence, e.g. one involving violence and which under the present so-called Weeding Rules remain on the Police National Computer for 100 years or the death of the data subject, whichever occurs earlier. The present Weeding Rules are the result of agreed arrangements reached in 1995 under the previous Data Protection Act 1984 between the Association of Chief Police Officers, ACPO, and the Information Commissioner. [Source]

 

EU – Sweden Investigates Legal Aspects of Data Sharing

The Swedish government has started an official inquiry into the legal possibility of increasing electronic data sharing and exchange between government authorities. The inquiry aims to clarify how this could be done without violating the privacy rights of citizens. The inquiry will investigate if and how the laws governing electronic information exchange have to be amended. The report is to be published before the end of October 2006. [Source]

 

AU – Australia Introduces Spyware Bill

[Bill]

 

IN – India Right to Information Act Comes into Force

The Right to Information Act is a new law that the Indian government has enacted that gives every citizen the fundamental right to seek information from any government department. The Act aims to promote openness, transparency and accountability in governance. Information, as per the Act, includes records, documents, file notings, memos, e-mails, opinions, advices, press releases, circulars, orders, logbooks, contracts, reports, papers, samples, models, data and material held in any electronic or printed form. In the last decade, activists, rights groups and politicians have been campaigning for such a law. [Source]

 

US – Privacy Groups Send Joint Letter on San Francisco Wireless Internet Access

The ACLU, EFF, and EPIC have submitted comments and recommendations on protecting privacy in municipal wireless Internet access in response to an RFI by the San Francisco City. [Source]

 

WW – Google Discloses Few Details in New Privacy Policy

Google is offering more detailed information about how it collects and uses personal data of internet users. Since 14 October Google has expanded its privacy policy, outlining more details but with little change in substance. Some key issues, such as how long personal data are kept, are not answered by the new privacy policy. The new privacy policy is ‘layered’ and consists of an easily readable short version and a more comprehensive full version. Google has joined the US safe harbour program in order to bring its data collection practices more in line with EU data protection principles. [Source]

 

US – Federal Regulators Order Banks to Increase Online Security 

Federal regulators have ordered banks to tighten their Internet security procedures by the end of 2006 to help thwart identity theft, one of the fastest-growing types of consumer fraud. In a letter sent to banks, the Federal Financial Institutions Examination Council said it is not sufficient that banks permit online access with a single form of authentication, such as a password or personal identification number, when the risks of a breach are too high. [Source] [Source]

 

WW – August Record High For Phishing, But Spam Email Campaigns Down

Spam emails declined for the second consecutive month, from 14,135 to 13,776, according to the Anti-Phishing Working Group. Efforts to combat phishing attacks have led cyber criminals to devote more resources to launch and sustain a campaign, according to the group. [Source]

 

US – Consumer Privacy Group Calls For Wal-Mart Protest

Consumers Against Supermarket Privacy Invasion and Numbering called on consumers late last week to march on a Dallas Wal-Mart to protest the retailer’s use of radio frequency identification technology. A store spokesman says consumers have been told to simply remove the tags after they purchase a product. The retailer is using the technology to reduce the number of out-of-stock items. [Source]

 

EU – Sun Powers Belgian E-Government Electronic Identity Card Program

Sun Microsystems announced it has successfully demonstrated to the Belgian Federal Government ICT (FEDICT) the integration/interoperability of the Belgian Electronic Identity (eID) cards with multiple Sun products. Based on Java Card technology, the eID cards provide Belgian citizens with identification, strong authentication and signature capabilities. Belgium’s eID initiative is helping to improve government efficiency, reduce paperwork and make interactions with Belgian citizens quicker and more secure. Currently, more than 1 million Belgians have eID cards and additional cards are being issued at a rate of 150,000 cards per month. The Belgian government estimates that by the end of 2009, 8,2 million citizens age 12 years and older will have eID cards, based on Java Card technology, allowing them to access enhanced government and enterprise services. Belgian citizens can already use the new eID card for identification, authentication and authorization for many public facing services, including: secure online tax form declaration, official document requests (marital status, birth certificate, etc.), electronic submission of court case conclusions, as well as access to the public library, swimming pool and other community services. The eID card infrastructure can also be used by enterprises to secure their electronic applications and services. Technology vendors are teaming with Belgian companies to develop applications using the eID infrastructure to provide additional services like more secure online ticket purchases, online opening of e-commerce accounts and as a qualified signature for contract signing. [Source]

 

EU – Flemish Project Addresses Privacy Shortcomings of Belgian e-ID Card

The ADAPID project aims to make the next generations of Belgian e-ID cards more compatible with the privacy rights of citizens. ADAPID (ADvanced APplications for electronic IDentity cards in Flanders) is an initiative launched in 2003 by a consortium of researchers and industry representatives in Flanders. In February 2004 the consortium submitted an extensive report to the Flemish government, describing the privacy and security problems of the current e-ID card. The report, which is not publicly available, proposed a four-year industry-academia research project aimed at redesigning the card in order to address the problems. In early 2005 ADAPID won the financial support of the Institute for the promotion of Innovation by Science and Technology in Flanders (IWT-Flanders) and the project officially started on 1 July 2005. The Belgian e-ID card currently being distributed is only the first card generation. Second generation cards will be issued until the end of 2007 and a third generation of cards will be issued after that date. In line with this three-phase evolution, the ADAPID project will investigate the security and privacy issues of the first and second generation e-ID cards and propose a more suitable design for the third generation, as well as advanced applications for e-government and e-health. Running until 30 June 2009, the project will address a number of privacy requirements, including the following: Cardholders should only provide the minimal amount of information needed when interacting with an organization. Each citizen should be known to each organization by a different pseudonym, and pseudonyms should not be linkable to each other. Different organizations should not be able to combine their databases in order to infer more information about citizens, i.e. the sets of data provided by citizens to the different organizations should be unlinkable. Cardholders should be anonymous towards those applications that do not truly require their identification. [Source]

 

AU – Australian Smart Card Framework Announced

Special Minister of State Eric Abetz, today announced that the Australian Government Information Management Office (AGIMO) was developing a smart card framework for the Australian Government. “Our focus is on efficient and secure implementation of smart cards by Australian Government agencies. The framework will also ensure interoperability, through the development of agreed standards”, said Abetz. “The framework will serve as a reference document, providing government agencies with guidance for interoperable smart card programs. All Australian Government agencies will be expected to meet the requirements laid out in the framework.” [Source]

 

WW – Electronic Frontier Foundation (EFF) Cracks Printer Codes

The digital rights organization EFF has started extensive research into the hidden codes some colour laser printers and photocopiers add to every page they print or copy. In 2004 printer manufacturer Canon was awarded a Big Brother Award in Germany for secretly adding a unique code to every print-out. Soon after, it turned out the practice is very widespread. The unique number on every print-out is invisible to the naked eye, measuring only 0,1 millimetre. After the Big Brother Award for Canon, the Dutch police immediately admitted they use the codes to detect the sources of print-outs, tracing individual printers through the vendor chain. EFF suspects the US government of having persuaded most manufacturers to include the secret codes, “in a purported effort to identify counterfeiters.” In addition to a call to the public to send in print-outs, to create an even more extensive list of printers, EFF has filed a Freedom of Information Act (FOIA) request to find out all about “the Secret Service’s efforts to promote the development and implementation of machine identification code (MIC) technology in colour laser printers and colour photocopiers.” [Source] [Source] [Source] [Source]

 

--------