UK – Biometrics Roadshow Kicks Off ID Cards Charm Offensive

The public are being invited to try out the technology behind the national ID card scheme at the UK Passport Service’s (UKPS) “biometrics roadshow”. The Home Office-backed roadshow is part of the government’s latest attempt to convince an increasingly sceptical public that ID cards will safeguard their identities by raising awareness of biometric technology. The campaign kicks off at Manchester Airport, where members of the public will be able to have their irises and fingerprints recorded as well as see a demonstration of the new ePassports and biometric technology from the e-Borders immigration programme. The mobile facility will visit seven locations around the country. [Source]

CA – Study Finds People Uncomfortable with Government Surveillance

A Canadian study indicates people 4 years after the Sept. 11 terrorist attacks are becoming uncomfortable with increased government surveillance. Dr. Kevin Haggerty, director of the criminology program at the University of Alberta, notes immediately after the terrorist attacks, both U.S. and Canadian officials quickly increased surveillance of their citizens. But now, four years later, Haggerty says suspicion of government leaders` motives has heightened, with more people questioning the greater invasion of their privacy. “Right after (9/11) it was impossible for anyone to say no to anything that would purportedly increase security,” said Haggerty, who co-authored a paper on the subject published in the Canadian Journal of Sociology. The ability of lawmakers to monitor our Internet use, financial transactions, personal movements and cell phone use had previously been proposed and rejected as unwarranted privacy invasions. But now he said polling numbers indicate people are now looking more critically at the impact on their civil liberties – “the cornerstone of a liberal democracy.” “Without a sense of privacy, we tend to self-censor and don’t say what we really think,’ he said. “It’s hard to quantify, but it’s a huge loss.” [Source]

CA – Reid: PS Workers Evade Access Law by Failing to Keep Records:

22 years after access to information became the law in Canada, senior public servants in Ottawa are dodging it by not keeping simple records of their decisions, says Canada’s information commissioner. John Reid says that when people complain about not getting information after filing a request, and he looks at the file, the reason often is that there is just no information to retrieve. In particular, in the most senior ranks of the government, executives’ input often is not documented. Meetings are held with no minutes taken, views and debate are not put on the public record. “We go into an office and say, ‘why are you doing this?’ They say, ‘we don’t know’,” Mr. Reid said at a conference on freedom of information in Ottawa, sponsored by the Canadian Newspaper Association. [Source]

CA – Information Commissioner Opposes Proposed Merger with Privacy Commissioner

The federal information watchdog has come out against the idea of merging his duties with those of the privacy commissioner, saying it could undermine the two offices. Information commissioner John Reid said “the public interest would not be served” by moving to one ombudsman for both functions. “In the single-commissioner model, it is certainly possible that one value - openness or privacy - would get preferential treatment,” he told a conference on the Access to Information Act. [Source]

AB – Alberta Privacy Commissioner Report Concerning Use of Credit Checks

The Office of the Information and Privacy Commissioner of Alberta received a complaint alleging that SAS Institute (Canada) Inc. (“SAS”) collected personal information in contravention of the Personal Information Protection Act (“PIPA” or “the Act”). Specifically, the complainant was required to consent to a “credit check” when she applied for a position with SAS. The Investigator concluded that “SAS contravened section 11(1) of the Act by collecting the complainant’s personal information for a purpose that was not reasonable. As well, the organization contravened section 11(2) of the Act when it collected the complainant’s personal information over and above the extent reasonable to assess suitability to manage petty cash and validate employment history.” Recommendations:

Review the responsibilities of a position when hiring to ensure that credit information is reasonably required to determine a candidate’s suitability.
Where the organization determines that credit information is reasonably required, revise the consent forms to clearly state the purpose for collection.
Where SAS determines that credit information is reasonably required to establish an employment relationship with an individual, the organization should clearly state in all job postings/advertisements that a credit check may be required of the successful candidate. [Full report]

US – Study Identifies Generation Y’s Rising Interest in Insurance Products

38% of technically savvy men ages 18–24 expressed an interest in identity theft insurance in 2004 as compared to 19% in 2003, a Vertis study released yesterday found. The result was gleaned from the Baltimore-based company’s Customer Focus 2005: Insurance study, which surveyed 2,000 adults in August and Sept 2004. The study found that 25% of women age 25–34 and 23% of women age 18–24 expressed an interest in identity theft insurance. It also found that 15% of total adults would consider purchasing identity theft insurance. Though ID theft insurance has found an interest within the 18-to-24-year-old age group, the study also found increases of 6–10 percentage points in other insurance products. [Source]

US – CIO Insight Interview with EPIC’s Marc Rotenburg

Lax Protections Hurt Consumers, Business. Extract: Q: How big is the privacy problem? Rotenberg: …We think that in the 21st century the protection of privacy is going to be as big a challenge for our information economy as the protection of the environment was for the industrial economy of the 20th century. Q: Do people own their personal information? Rotenberg: “from a common-sense viewpoint, most people would say that they should have the right to control the use of their personal information… If a bank is trying to decide whether or not to give you a home mortgage, they’re going to ask you for a bunch of financial information in order to make a good determination. But to imagine that means that somehow the bank, in taking that information, has the right to turn around and sell it to others is, I think, completely wrong. Even if it is public-record information. Q: What about the belief that the flow of personal information between businesses greases the economic wheels of America? Rotenberg: Well that grease is turning to gravel. And I say that because of the enormous problem we’re having today with identity theft. I think it’s very difficult for the private sector to say that the unregulated use of personal information isn’t causing economic harm to the U.S. economy. We lost $50 billion in 2004 as a result of identity theft. We now have people turning away from online commerce because of privacy concerns. So I think we need to look at that much more seriously than simply saying it’s okay to have all that data out there because it’s good for the economy. [Source]

EU – Netherlands Database to Track All Dutch from Birth

The Dutch government plans to open an electronic file on every child at birth. Beginning Jan. 1, 2007, all citizens will be tracked from cradle to grave in a single database--including health, education, family and police records –the Health Ministry said. As a privacy safeguard, no single person or agency will be able to access all contents of a file. But organizations can raise “red flags” in the dossier to caution other agencies about problems, A ministry spokesman said. [Source]

EU – Data Retention Bill Divides EU Countries

European Union nations made no progress last week in negotiating a bill that would force telecommunications companies to keep records of phone and e-mail traffic as part of the EU’s anti-terrorist campaign. Talks among EU justice and home affairs ministers stalled over cost and privacy concerns if law enforcement officials are given access to phone and Internet mailing records. Communications experts also said retaining vast amounts of telephone and e-mail traffic could cost the industry $124 million in additional software and other costs. [Source] [Source]

US – Insurance Companies see Surge in ID Theft Policies

U.S. insurance companies are reporting a surge in the sales of identity theft policies employers have begun offering employees as a low-cost benefit. For employers, the coverage can save costs by avoiding the productivity losses that come when victims spend many hours clearing their names, USA Today reported. One of the newest employers to adopt the plan is the Salt River Project, an electricity provider to the Phoenix area, who began offering identity theft insurance to its 4,500 employees in July. It pays $50 per employee per year for the program. A few dozen employees already have sought the resolution services, the newspaper said. Based on the type of plan selected, employees can get 24-hour phone assistance, a case manager to assist in recovery efforts and reimbursement of up to $25,000 for lost wages or expenses such as notary fees. [Source]

CA – Edmonton Cops “Swamped” with Public Record Requests

Police attribute increase to publicity on FOIPP: Edmonton cops have been inundated with requests from people wanting to know who’s been looking at their police files. The EPS has received 139 requests for information under the Freedom of Information and Protection of Privacy Act so far this year, up from 112 last year. “EPS will be advising the public that requests will be taking longer to process,” aid an EPS spokesperson. Lawyer Tom Engel said it’s difficult to say whether the large number of requests are tied to the well-publicized events of police looking up information on their computers about Sun columnist Kerry Diotte and then-police commission chair Martin Ignasiak. “I would think a fair number of those requests would have to be from people who’re worried their privacy has been breached, like Diotte and myself,” Engel said. The EPS spokesperson said officers aren’t sure why there have been more requests. “I think it could be more publicity to the Freedom of Information not just locally, internationally, people are more aware of what information is out there.” [Source]

AU – National Gene Database Proposed

Researchers in Western Australia are forging ahead with plans for a genetic database - a BioBank - containing the DNA of every consenting adult in the state. The WA Genome Project will build on the population records collected by the state over the past 30 years, and linked together through new database technology. It will include all births, deaths, hospitalizations and mental health service contacts, along with cancer and other disease registries. The implications are massive for individuals who might be identified and who could risk being discriminated against by organisations such as health insurers and employers. The Howard Government revealed last week it had agreed to establish new laws to protect genetic privacy. [Source]

US – Health IT Standards Body to be Formed Soon

Health and Human Services Secretary Michael Leavitt is expected soon to name the members of the public-private organization that will set standards to enable the exchange of health care data... AHIC also will choose the use cases for which standards will be implemented. Leavitt suggested electronic prescribing and bio-surveillance as early use cases... Katrina destroyed the paper medical records of thousands of New Orleans evacuees... “With most medical records gone, if there ever was a case for electronic health records, this is it,” Leavitt said. [Source]

DU – Hospitals Hacked: 1.2 Million Patient Records Retrieved

In a hack of two hospitals, computer security experts of ITSX, Fox-IT and Madison Gurkha retrieved over 1.2 million electronic patient records, i.e., the medical records of 8% of the entire Dutch population. The hospitals had agreed to the test on condition that their names would not be revealed. One of the hospitals involved has developed a regional electronic patient database in which a number of hospitals and general practitioners co-operate and exchange information over the internet; the other, an academic hospital, is a participant in the newly developing national electronic patient database which will be accessible for health care workers, also using the internet. The experts could retrieve all information regarding these 1.2 million people: insurance number, address, date of birth, length, weight, illnesses, history of treatment, past and current medication, etc. The experts were able to alter or delete this information (but of course refrained from doing so). The Dutch minister of Health was questioned on the matter a few days after the hack, and wrote it off to ‘poor internal procedures and administration’, not to his lack of investment in a solid infrastructure. Considering that all medical information is stored unencrypted, that hospitals use uncompartimentalised database systems (which allows all databases - and thus, all intruders – to freely exchange information), and often only rely on firewalls against outside invasion, developing a more robust system will only be possible if serious financial commitments will be made. [Source]

JP – Japan: Zurich Life Insurance Loses Customer Data

Zurich Life Insurance Co. said on Sept. 2, 2005, that its Japanese branch has lost some 1,200 pieces of customers’ personal data stored in dossiers and on a CD-ROM disk. The data include applications that policyholders submitted between 1997 and 2005 to claim insurance payouts and other benefits, Zurich Life said in a statement. The insurer, a unit of Zurich Financial Services Group of Switzerland, started alerting those concerned the same day of the loss through via mail and other means. In addition, it began responding to customers’ inquiries on the matter via a new toll-free phone number. Zurich Life said it first became aware of the loss in July, when its staff found that the application dossiers related to 30 pieces of personal data had been lost. [Source]

US – Mistaken Child-Porn Raid Leads to Lawsuit

A Kansas couple is suing their ISP, Cox Communications, after police showed up at their Wichita home accusing them of child pornography. The police apparently had the wrong house, based on mistaken information from the ISP. The suit is for invasion of privacy, breach of contract, defamation of character, and “outrageous conduct.” [Source]

UK – Digital Rights Group Sets Up

A UK-based digital-rights organisation, Open Rights Group (ORG), has been formed to tackle European and British legislation which could threaten digital and civil freedoms. ORG will serve as a hub for other cyber-rights groups campaigning on similar digital rights issues and follows in the footsteps of the US group Electronic Frontier Foundation (EFF). [Source] [Source]

US – Federal Court Finds Patriot Act Gag On Connecticut Library Unconstitutional

A federal judge has ruled unconstitutional a Patriot Act gag order preventing an unnamed Connecticut librarian from speaking out on the receipt of a National Security Letter (NSL) demanding patron library records. In a further twist, however, the court immediately stayed its ruling until September 20 to give the government time to prepare an appeal. On August 31, government attorneys argued that the FBI, which served the NSL, needed the gag to preserve an ongoing investigation and that the recipient of the letter was still free to speak on the Patriot Act--just not to divulge its identity. U.S. District Court Judge Janet Hall, however, rejected that argument, and found that the provision, which gags those who receive an NSL, as overly broad. “The government may intend the non-disclosure provision to serve some purpose other than the suppression of speech,” Hall wrote. “Nevertheless, it has the practical effect of silencing individuals with a constitutionally protected interest in speech and whose voices are particularly important in an ongoing national debate about the intrusion of governmental authority into individual lives.” [Source]

WW – APEC Privacy Meeting Reports Progress on Regional Framework

A regional framework for the protection of personal information in cyberspace has moved a step closer as a result of discussions at the Asia-Pacific Economic Co-operation meeting in Korea. More than 50 delegates from government and private organizations attended the second seminar on the international part of the framework, hosted by APEC’s e-commerce steering group. Participants agreed businesses should be accountable for the security of any personal information they held, particularly when data was moved between countries. [Source]

WW – Internet Users Use More Risky Internet Behavior At Work

An online survey of 1,200 corporate computer users found that two in five, or 39%, believe their IT department will prevent them from spyware attacks or phishing scams at their desks. As a result, net security firm Trend Micro found that computer users are more apt to click through to suspicious links or visit questionable Web sites at work. [Source]

AU – Data Protection Laws on Ice

Australia will not follow the lead of the US by introducing stiffer data protection laws to safeguard sensitive information held by companies despite compelling recent evidence of a thriving black market trade in the personal data of Australians. Despite two high-profile cases that have seen thousands of Australians forced to replace personal items ranging from credit cards to passports, Attorney General Philip Ruddock is maintaining the existing Privacy Act, which carries no criminal sanctions, is strong enough to compel companies to keep their data safe from theft. No new laws will be considered in Australia to force companies to disclose all details of a breach of data security that could expose personal information to either the general or criminal populations. [Source]

US – Supreme Court Nominee Acknowledges Constitutional Right to Privacy

In tough questioning before the Senate Judiciary Committee, Judge John G. Roberts Jr. said during the confirmation hearing that there is a right to privacy in the liberty clause of the 14^th Amendment. Roberts added that all current Supreme Court justices would agree that there is a right to privacy “to some extent or another.” [Source]

US – The Role Of CPOs – How Important Is Privacy To Overall Corporate Strategy?

A report on privacy professionals finds that it is difficult to obtain information on how many companies employ CPOs. While it is easier to find information on corporate privacy policies, identifying the professionals is more elusive. The best snapshot of data comes from the “2005 Benchmark Study of Corporate Privacy Practices,” released in July by the Ponemon Institute and Vontu. According to the report, 69% of respondents employ a privacy professional compared to 67% in 2003. However, only 41% of these privacy professionals are dedicated fully to privacy issues. [Source]

US – Teenager Pleads Guilty to Hacking Paris Hilton’s Phone

A Massachusetts teenager has pleaded guilty to hacking into the cell-phone account of hotel heiress and Hollywood celebrity Paris Hilton, a high-profile stunt by the youngest member of the same hacking group federal investigators say was responsible for a series of electronic break-ins at data giant LexisNexis. The 17-year-old boy was sentenced to 11 months’ detention at a juvenile facility for a string of crimes that include the online posting of revealing photos and celebrity contact numbers from Hilton’s phone. [Source]

US – California RFID Bill Is Resurrected

A California State Senator has resurrected legislation that was shelved after an intense anti-privacy lobbying effort. The bill SB 682, was held by the Assembly Appropriations Committee, effectively ending its chances of passage this year. But Sen. Joe Simitian (San Mateo) worked with the Assembly leadership to “gut and amend” another bill and revive the effort to place limits on government use of Radio Frequency Identification (RFID technology) to identify and track Californians. The legislation, now designated SB 768, the Identity Information Protection Act of 2005, would establish security standards for RFID or other “contactless” identity cards, and criminalize the remote, unauthorized reading of personal information. [California’s SB 768]

US – Fort Carson Soldiers' Personal Records Stolen in Break-in

The Army said Monday that thieves stole computer equipment containing Social Security numbers and other personal records of a number of soldiers, some of whom are serving in Iraq. [Source]

WW – Personal Data Exposed Via eBay Storage

Disklabs bought... most contained some kind of confidential or personal data” [Source]

WW – Sounds from Keyboards Expose Password Weaknesses

A new security vulnerability has been discovered: the clickety clack of the keyboard. An audio recording of an individual's typing can be transposed into a transcript of what was typed, according to University of California at Berkeley researchers. [Source]

US – EPIC Calls for Government Watch List Accuracy

In comments to the FBI, EPIC has urged the agency not to expand the Terrorist Screening Center’s watch list records system until the Bureau resolves significant privacy, transparency, and due process issues. EPIC’s recommendations were made in response to a notice, published by the FBI on July 28, outlining plans for the creation of a records system that will encompass the government’s consolidated watch list information, operational support records, and records related to complaints or inquiries from individuals about erroneous watch list matches. A second notice published the same day exempted the database, the Terrorist Screening Records System, from numerous Privacy Act requirements that ensure that agencies maintain accurate data and give people rights in their information. In its comments, EPIC criticized the lack of transparency in the government’s development of the system. EPIC noted that the FBI has disclosed little information in response to a Freedom of Information Act request about the watch lists’ use within the Secure Flight passenger prescreening program. The comments also addressed the FBI’s decision to exempt the system from legal requirements that agencies maintain only accurate, timely, complete, relevant and necessary information about people. Not only will the Terrorist Screening Center use data that does not meet these requirements to screen individuals, but the agency has also failed to provide meaningful avenues for individuals to access personal information and correct inaccuracies. EPIC also said that the system’s broadly drawn “routine uses” of watch list data would only heighten the system’s privacy problems. EPIC urged that development of the system should be suspended until the FBI is willing to disclose more information about the system to the public and address its substantial privacy issues.

[EPIC’s Comments to the FBI] [Background Info]

US – EPIC Spotlight: Database Tracks Every Move of Foreign Students, Visitors

EPIC’s September “Spotlight on Surveillance” scrutinizes the Student and Exchange Visitor Information System (SEVIS), a Homeland Security program. SEVIS is also a part of the US-VISIT program, which has been criticized as flawed. Through SEVIS, the federal government is accumulating a massive amount of data on foreign students and exchange visitors, such as biographical information of the student or exchange visitor and their dependents (name, place and date of birth, spouse and children’s data); academic information (status, date of study commencement, degree program, field of study, institutional disciplinary action); and employment information (employer name and address, employment beginning and end dates). The stated goals of SEVIS are related to immigration and education; however, the database is also available to other federal, local, state, tribal and foreign agencies, as well as immigration and education agencies. SEVIS represents a massive surveillance system that monitors and tracks students and exchange visitors at all times. [September Spotlight on Surveillance]

US – U.S. Airlines Install Surveillance Cameras

JetBlue and Sun Country airlines have installed surveillance cameras that allow pilots to monitor passengers in an effort to avert a hijacking. The combination of bulletproof doors and the ability to see an attack from the cockpit will give pilots a better chance to make an emergency landing, airline spokesmen said. The technology was installed with little fanfare after JetBlue tested the systems using a post-September 11 Federal Aviation Administration grant distributed in 2002. Sun Country announced its camera system in August. Nearly one dozen airlines received federal grants to test the systems for future use and it is not mandated by the FAA. Privacy advocates generally oppose the use of surveillance cameras, which they contend is not an effective tool against terrorist attacks. Guidelines, they said, are needed to ensure surveillance cameras aboard aircraft do not violate a passenger’s privacy. [Source]

CA – Canada’s Do-Not-Hesitate-to-Call List

Michael Geist’s Lawbytes column reviews efforts to establish a do-not-call list in Canada. He argues that the current bill has been amended beyond recognition, transforming the do-not-call list into the do-not-hesitate-to-call list. The revised bill, established without consulting consumer groups, creates a wide range of exceptions for politicians, charities, polling companies, and businesses. [Source] [Source]

US – Panel: New Rules, Tech Needed for Data Privacy

The feds need new privacy rules and technological methods to police their use of personal data from contractors like ChoicePoint and Acxiom, representatives from within and outside the government suggested Friday... The best protection against privacy intrusions is “for the government not to have the data for any long amount of time,” O’Connor Kelly said. “Let’s use basic holding and processing constraints to limit the government’s access to data, whatever the source.” [Source]

US – Federal Board Discusses Privacy Act Makeover

Government and industry privacy experts met on September 13 to discuss a policy and legal framework for updating the 1974 Privacy Act. A few noted that 30 years have produced new technologies and threats that were not foreseen when the law was enacted. Members of the Information Security and Privacy Advisory Board (ISPAB) proposed coordinating their efforts with the Homeland Security Department’s Data Privacy and Integrity Advisory Committee. Both committees advise federal agencies that are responsible for privacy policies and regulations. Franklin Reeder, ISPAB’s chairman, said he doesn’t know of any lawmakers who are eager right now to undertake a sweeping review of federal information privacy laws. “What we see on the legislative front are a lot of shotgun solutions,” largely in response to a series of security breaches involving commercial databases, he said. But Reeder said advisory committees, such as ISPAB and DHS’ privacy committee, could play a useful role by creating a framework of new policy ideas about data privacy. “When the political system decides it wants to do something, it will at least have something to go to,” he said. ISPAB members gathered in Rockville, Md., for the opening session of a two-and-a-half day meeting on current information security and privacy issues. [Source]

US – Federal Bill Introduced to Protect Privacy of Personal Data Overseas

With customer service and backroom data operations moving offshore, often to countries that have a poor record for privacy protection, US Representative Edward M. Markey (D-Mass) filed legislation this week that would give consumers more control over their personal financial and medical information, saying that “Consumers deserve not only to know where their personal information is going, but also to have confidence that their sensitive information is collected, used, and stored safely, wherever in the world that may be.” Markey’s staff evaluated the privacy protections in 20 countries or regions, and gave nine a grade of ‘‘F.” The failing countries included Mexico, Brazil, Bangladesh, China, India, Malaysia, the Philippines, Pakistan, and Russia. Grades of ‘‘D” were assigned to Singapore, Hong Kong, Thailand, and Taiwan. The United States and Korea received ‘‘C” grades, while Japan, the Czech Republic, Australia, Hungary, the European Union, and Canada were given grades of ‘‘A” or ‘‘B.” Under Markey’s bill, any business seeking to transfer a customer’s personal information to a foreign country would first have to notify the consumer. Financial services, medical data firms, and even tax preparers often transfer customer data abroad. The bill would require the US Federal Trade Commission to determine whether a country has privacy protections that are ‘‘adequate and enforceable.” Consumers would be given the opportunity to opt out of transfers of personal data to countries that meet the privacy standards and would be required to opt in for transfers to countries that fail to meet the standards. [Source]

US – Identity Theft Protection: The New Employee Benefit

Employers are unveiling a new benefit: identity theft protection. Employers are buying insurance policies that help employees prevent identity theft or recover from it. The plans offer 24-hour telephone assistance, a case manager and reimbursement of a maximum $25,000 for lost wages or other expenses. [Source]

-------------------------------------------------------------------