WW – EDRI Report on Biometrics Panel at Montreux Conference

EDRI and a coalition of civil liberty groups organized a pre-event at the international conference of data protection commissioners on 12 September in Montreux. The aim was to strengthen cooperation between NGOs and official data protection authorities (DPAs). The meeting was well-attended by NGOs, privacy officials and industry representatives and led to promising discussions on how to improve collaboration in the future. EDRI reports that the panel on biometrics started with the assumption by Gus Hosein from co-organizer Privacy International that these technologies are already here and can not be stopped anymore. Therefore, civil liberty groups have to come up with more realistic approaches. The Swiss Data Protection Commissioner Hanspeter Thür then presented his approach to biometrics. Different from the EU rush, Switzerland started a pilot project before deciding about the introduction of biometric passports. The DPA’s biggest concern at the moment is the plan for a central national database for biometric passports. A plan for such a database for immigration control has already been stopped by the Data Protection Authorities (DPA). Barry Steinhardt from co-organizer ACLU pointed out the governments’ “policy laundering” strategy, where they introduced biometric passports through the mostly unknown and in-transparent organization ICAO and then at the national level referred to “international obligations”. Stephanie Perrin from the Office of the Canadian Federal Data Protection Commissioner gave some examples of how to and how not to fight biometrics. The “it does not work” argument is tricky, because many of the technologies will work in a few years. More successful are early privacy impact assessments that are mandatory in Canada and a focus on standards organizations. The biggest problem and concern in biometrics is the creation of central databases, the participants agreed after also discussing security aspects in this field.

US – U.S. Postpones Imposition of Biometric Passports

The United States has extended the deadline for the switch over to biometric passports by one year until October 26, 2006. [Source]

CA – Testimony Heard Regarding Edmonton Police Attempt to Arrest Journalist

Edmonton police deliberately used a restricted database to gather information on a journalist who wrote anti-camera columns. With the information, cops tried to set up a sting to arrest him for drunk driving. Except some pesky journalists happened to have police scanners and blew the lid off of the operation. This is the third such scandal faced by the Edmonton Force in recent months. [Source] See also [Alberta Privacy Commissioner OK's inquiry into Cops]

WW – Survey: Bank Security Key Issue for Consumers

A third of consumers would close all accounts and move their business to another bank if their person financial information was compromised in a data security breach, according to a survey commissioned by EDS and conducted by Canadian market research firm Ipsos Reid. The survey of just under 1500 North American consumers also found that 10% would close some of their accounts and use another bank if their personal data was breached, while 55% would discontinue banking until they felt the crisis was resolved. Commenting on the study, Jean-Louis Bravard, EDS financial services global leader, says: “The act of protecting consumers’ personal information is not only imperative to meet compliance standards but is essential in a financial institution’s ability to attract and retain a solid customer base. Financial providers must rise to security challenges or they risk losing their customers.” While the vast majority of consumers - 93% - are confident in their financial institution’s ability to protect their personal information, over half (59%) still want to be provided with on-going information on measures taken to increase security. The study also shows that consumers are conscious of how their personal information is used, and over half (53%) do not agree that banks should be performing data analysis and mining their personal information to develop financial profiles. Just under half (23%) object to receiving unsolicited advice that is based on such profiles. But the majority (93%) believe financial institutions do not have the right to share any personal information with third parties. Around 83% of consumers said banks should obtain permission prior to releasing any personal information to third-party companies, while 76% said banks should refrain from providing third party offers, products and services, and 67% want to be told what information is being shared and with whom. [Source] [Source] [Source]

WW – Data Protection Commissioners Call for Universal Convention

Data-protection commissioners from 40 countries have called on the United Nations to prepare a binding legal instrument to enhance data protection. At an international conference, the commissioners committed themselves to collaborating with governments and international organizations with a view to developing a universal convention on data protection. [Source]

WW – Report on Data Protection Commissioners Conference in Montreux

EDRI reports on the 27^th international conference of data protection commissioners which took place in Montreux/Switzerland from 13 to 15 September 2005. The meeting saw several hundred data protection authorities (DPA) officials, industry, cyberrights groups and other stake-holders for three intense days of discussion. One big issue was the tenth anniversary of the EU’s data protection directive from 1995. The assessment was mixed, though. There are still many differences in national laws and enforcement is weak. While the EU directive had a big impact on the globalization of data protection legislation, this approach is hard to enforce on the border-less Internet. There is also a strategic rival emerging with the APEC privacy guidelines that incorporate a lower privacy standard than the EU directive or the OECD guidelines. Part of the discussion therefore focused on other means of privacy protection, ranging from industry self-regulation to incorporating privacy protection into the design of the technical infrastructures. Most presenters agreed that the ‘user empowerment’ approach failed, and that there needs to be some legal foundation for data protection. The commissioners in their closed session on 16 September adopted the Montreux Declaration. It calls for the spread of universal privacy principles around the world, including through the U.N.; cooperation with NGOs around the world; and for intergovernmental organizations (like ICAO, creator of the biometric/RFID passport standard) to comply with such principles and to appoint privacy officers. The conference also passed resolutions on biometric identity documents and on the use of personal data for political communications. Next year’s conference will take place in Buenos Aires, Argentina.

UK – UK Supermarket Tesco Sells Personal Data

The Guardian reports about a new daughter-company of the UK Supermarket chain Tesco, that is selling very detailed information about every household and every person in the UK to the highest bidder. The database called Crucible contains “A map of personality, travel habits, shopping preferences and even how charitable and eco-friendly you are.” And even if you don’t shop at Tesco’s, by combining data about for example magazine subscriptions from other sources such as Experian, Claritas and Equifax, the company has, in its own words collected a “massive pool” of consumer data. The company also uses government information, such as the electoral roll, which contains names, ages and housing information. The two reporters from the Guardian started with an information request, on data collected by the company through the Clubcard (the Tesco loyalty system). Only after a 4 months battle and a formal appeal to the Information Commissioner a reporter got her personal data. Though she provided as little information about herself as possible when applying for the Club Card, after 1 year Tesco had 2 pages of information on her and her specific shopping behaviour. Tesco said its Clubcard was completely compliant with the data protection act and Tesco itself did not sell data about individual shoppers to third parties, only on an aggregated level. [Source]

US – Shopping Cart Privacy: A High-Tech Scanning Device Is Headed For Grocery Stores

A Salt Lake-based venture intended to give consumers an electronic device to help make grocery shopping more efficient and convenient has some privacy hurdles. The U-Scan Shopper can deliver alerts to purchase certain items and on-the-spot meal ideas and recipes. But it can also track how long a consumer spends in a certain aisle. The company insists that users can take advantage of the technology without revealing their identity. [Source]

CA – E-Ontario Concept Kicks Off Showcase Ontario 2005

Public service colleagues from around the world look to “make the connection” for improved citizen service delivery and modernized government at Showcase Ontario 2005 in Toronto, Ont. according to Ontario’s corporate CIO. In his keynote welcome to this year’s Showcase attendees, Greg Georgeff, Ontario’s corporate CIO, said that public servants, working together, could deliver results, and results are the citizenry’s bottom line. “We are all looking for the best for our jurisdictions,” Georgeff said. “We are colleagues because we need each other, and we are willing to make that connection.” At Showcase you can acquire the skills, information, and the partnerships that help all people working for government, in the public’s best interest, deliver better citizen service, he said. “You understand that the work ahead of us, when we talk about modernizing government, is fundamental to everything that we do,” said Georgeff. Georgeff also noted that governments must progress from being process-oriented to product-oriented. “Dealing with your colleagues and joining up in partnerships is key to what we need to do (to achieve modernization),” he said. “But we also need to understand what modernization is all about.” [Source]

GK – Cell Phone Dealer Arrested for Selling Sex Videos Stored on Customer Phones

An Athens mobile phone dealer has been arrested for allegedly selling thousands of amateur sex videos downloaded from cellular phones brought to his shop for repairs. The arrest followed a sting operation in which the suspect allegedly transferred 183 pornographic videos to the cellular phones of undercover electronic crime squad officers for a total fee of €15 (US$18), police said in a statement. [Source]

WW – Data Encryption Aabout to Make Quantum Leap

Two companies – ID Quantique SA of Geneva and MagIQ Technologies Inc. of Somerville, Mass. – have pioneered commercial quantum cryptography gear. The technology is currently limited to sending data to distances of no more than 100km. The director of research at Accenture Technology Labs says government, the military and the financial industry are currently the primary markets for the shorter-range technology. He adds that securely backing up data is expected to be one of the fastest-growing commercial uses of quantum cryptography, since backup facilities are usually quite near the data centres they serve.

The founder and CEO of MagIQ Technologies said that quantum cryptography could prove valuable for "any large to mid-size enterprise with data to protect," and predicts it will see broader use in business within 18 to 24 months. Eventually, he says, as costs come down and the equipment becomes more common, even small businesses and consumers might end up using a version of quantum encryption to protect their privacy on-line. [Source]

EU – EU Executive Unveils Plan to Store Electronic Data

The European Commission adopted proposals on Wednesday to log details of all telephone, Internet and e-mail traffic to combat terror and serious crime, throwing down the gauntlet to European Union member states who are negotiating a rival plan. Telephone and Internet firms are waiting for the outcome of the clash as the proposals differ over how much industry will end up paying to store data longer than it does now. [Source]

WW – EDRI Report on Data Retention Panel at Montreux Conference

EDRI and a coalition of civil liberty groups organized a pre-event at the international conference of data protection commissioners on 12 September in Montreux. EDRI reports on the panel discussions on data retention, which noticed the interesting development of an emerging “rainbow coalition” between civil liberties groups, DPAs, Internet and telecommunication providers, and the European Parliament. Hielke Hijmans from the Office of the European Data Protection Supervisor (EDPS) made it clear that “terrorism is not out of this world when you retain data”, and while protecting our societies, “we must not forget our basic values like privacy, as enshrined in article 8 of the European Convention on Human Rights”. Because data retention is already applied in some EU member states, the EDPS is currently working under the assumption that an EU directive can not be stopped completely. Therefore, they focus on safeguards and limiting types of data and retention periods. Cédric Laurant from co-organizer EPIC pointed out that data preservation regimes (only retaining data in specific investigations) “have not prevented law-enforcement agencies from doing their job”. Even the heavily criticized Council of Europe’s Cybercrime Convention only contains data preservation. Following the EU discussions on data retention, though, a number of countries including Nigeria, Estonia, and Argentina have adopted data retention laws. Peter Swire from Ohio State University, the former Clinton Administration’s Chief Counselor for Privacy, introduced a new way of framing the debate on data retention. It is not just a cost argument that helps to align with industry, but also a security risk. If all Internet traffic data are retained, Internet usage of police officers and security agencies will also be retained. Therefore, organized crime no longer has to bribe police officers in order to get inside information, but just needs to bribe ISP employees. This led to an interesting discussion on the security risks related to data retention. In the end, the most appealing argument was that not even the Bush administration agencies want data retention in their “war on terrorism”.

DK – Privacy Watchdog Finds Police Data Riddled With Errors

The Danish Data Protection Agency has criticized Denmark’s National Commissioner of Police for what it calls an “unacceptably high” number of errors in reporting individuals to the Schengen Information System, or SIS. The SIS database gives enforcement agencies throughout Europe access to reports on individuals and objects, such as cars, for border control purposes, internal police checks and in some cases for the purpose of issuing visas, residence permits and dealing with those whom the system defines as aliens. People are reported to the SIS on immigration, public order or national security grounds. Once on the SIS database, people are generally refused permission to enter or stay in the Schengen area – which covers most of Europe – although citizens from participating Member States are allowed to travel throughout the area without being subjected to checks at internal borders. Currently, 13 of the 15 original Member States of the EU are part of SIS, plus Norway and Iceland. The UK and Ireland are only partially involved, but that could change. [Source]

FR – Filtrage Automatique des Contenus : l’ordre moral s’enhardit

L’association IRIS (Imaginons un réseau Internet solidaire) apprend que le gouvernement aurait l’intention d’instaurer, par une mesure législative, le filtrage automatique et par défaut de l’accès à l’information en ligne, au prétexte de la protection des mineurs. Une proposition d’amendement législatif aurait ainsi été adoptée au cours d’une réunion interministérielle. L’annonce de cette proposition serait prévue le 22 septembre prochain, au cours de la Conférence de la famille 2005. La mesure pourrait être introduite dans le prochain projet de loi sur la prévention de la délinquance. L’amendement consisterait à ajouter à la loi pour la confiance dans l’économie numérique, après le paragraphe sur les moyens techniques de filtrage (Article 6-I.1), la disposition suivante: « Ils [les fournisseurs d’accès à Internet] mettent en oeuvre auprès de tous leurs abonnés, de manière automatique, des dispositifs techniques performants et activés par défaut qui permettent de restreindre l’accès aux services de communication au public en ligne mettant en péril les mineurs. Un décret en Conseil d’Etat fixe les modalités du présent article.» [Source]

WW – Credit Cards Battle vs. Criminals Hits Stalemate

Security experts at Visa and MasterCard say the battle against Internet-based thieves has reached a stalemate and the industry would have to spend millions of dollars over the next decade just to keep up with the criminals. The picture they presented of an escalating struggle between commerce and criminality offered little hope of quick relief for consumers worried about identity theft or for investors in card-issuing banks concerned about security’s escalating costs. [Source]

CA – Report Slams CSIS for Lying, Destroying Notes

Canada's security and intelligence investigators routinely destroy screening interview notes and are not above lying, making it difficult for anyone to scrutinize their work, warns a damning government report. And when they don't destroy them, notes by CSIS officers can be inaccurate or incomplete, or both, says the Security Intelligence Review Committee. The watchdog's June 2005 report, dubbed Top Secret and obtained by The Canadian Press, offers rare and disturbing insight into a security agency it says is not above lying and manipulating information to achieve its ends -even if in the process it destroys the reputation and career of an innocent person. [Source] [Source]

US – Too Much Information: Online Gov’t Records Erode Privacy, Help Criminals

Consumers in Virginia take issue with the amount of personal information county government makes available to anyone with an Internet connection. All Virginia localities are required to post land records online by July 2006. Consumers are fighting to repeal the law that requires clerks to make the information available online. [Source]

AU – HealthConnect Slammed in New Report

Work to date on HealthConnect, the Australian federal government’s planned electronic health record system, has been slammed in a Productivity Commission report released this week. “After seven years of R&D and 30 independent evaluation reports - some unpublished - many unresolved issues remain, including database design, privacy, security and access control measures, and stakeholder liability,” it says. “The (patient) registration method chosen, opt-in or opt-out, is also a crucial factor. An opt-out system has now been legislated in Canada as the more efficient option, after it was found that only one per cent of people did not want to participate. “In contrast, an opt-in system is planned for HealthConnect (but) issues surrounding the consent model remain unresolved.” The Productivity Commission’s research into the impacts of advances in medical technology found the overall approach to assessing the expected costs and benefits to be disjointed. [Source]

US – Electronic Medical-Records Plan Raises Fears

A federal panel is being criticized for having no privacy advocates as commissioners. Instead, the critics say, the 16-member panel is comprised strictly of industry representatives and government officials – a sign, they believe indicates a potentially harmful inattention to patient privacy. The panel, formally known as the American Health Information Community, was appointed by Health and Human Services Secretary Mike Leavitt earlier this week and is “charged with advising the secretary on how to make health information digital and interoperable.” [Source]

US – Thousands of Health Records Stolen from Palo Alto Agency

US – Miami-Dade Police Officer Suspended Over Data Access

A Miami-Dade police officer has been relieved of duty and is under investigation for allegedly obtaining unauthorized access to Social Security numbers and other personal data on as many as 4,689 people maintained by ChoicePoint. According to ChoicePoint, the employee was not authorized to use the Miami-Dade Police Department’s account with the company and had accessed information illegally and acted outside the scope of his employment. [Source] [Source]

US – Students’ Social Security Numbers Posted Online

Personal information of 21,762 Miami University students, including names, Social Security numbers and grades, was posted on the Internet for the past three years, WLWT-TV in Cincinnati reported. [Source]

US – Thousands of Health Records Stolen from Palo Alto Agency

A backup tape containing the names, Social Security numbers and detailed health information of as many as 6,000 current and former clients of the Children’s Health Council was stolen from the nonprofit agency’s offices, officials have confirmed. Payroll information for about 700 current and former employees, as well as financial information for parents of clients, also was on the tape, which was reported missing shortly after Labor Day. The agency sent out letters last week alerting each person affected that they may be at risk of identity theft [Source]

CA – B.C. Thieves Ransack ID Office

Victoria Police are investigating a break-in and theft at a B.C. government office that has all the hallmarks of the work of an organized identity theft ring, Health Minister George Abbott said last week. Thieves recently broke into the government's Vital Statistics Office in downtown Victoria and fled with stock paper used to make birth and marriage certificates, he said. [Source]

US – Former Counterterrorism Chief Calls for Use of Best Technology for New ID Cards

Richard Clarke, a former Bush Administration official, said a system of open-source and transparent standards should be used for a federated identity card to authenticate an individual’s identity across various computer systems and organizations. Clarke also recommends that government regulators require two-factor authentication to protect private information. Clarke said an independent civil liberties oversight board is needed to serve as a watchdog for the use of personal information by government agencies and the private sector. [Source]

US – TIVO Users Fear Recording Restrictions

Many fans of digital video recorders made by TiVo are beginning to fear that Hollywood studios will one day reach into their set-top boxes to restrict the way they record and store movies and programs. Among the functions included in TiVo’s latest software upgrade is the ability to allow broadcasters to erase material recorded by TiVo’s 3.6 million users after a certain date. [Source]

WW – Huge Surge in ID Theft Using Spyware

Spyware with a criminal intent, the most severe threat, was found to be doubling every month, according to the latest Aladdin eSafe CSRT study. The report noted that 15% of spyware threats are now designed to log keystrokes, as well as steal user passwords, logged-on user names, administrator passwords, instant messaging content and email addresses. [Source] [Source] [Source]

UK – Demon Internet Service Founder Pleads Guilty to Email Snooping; Appeals Verdict

Cliff Stanford, the founder of Demon Internet and Redbus, pleaded guilty last week to unlawful email interception and along with a co-defendant George Liddell, was sentenced to six months imprisonment, suspended for two years. Stanford was also fined £20,000 and ordered to pay £7,000 towards prosecution costs. The trial had been expected to run for up to two weeks. Stanford and Liddell were charged under the Regulation of Investigatory Powers Act (RIPA) 2000 with intercepting emails belonging to John Porter, son of Dame Shirley Porter and former chairman of Redbus. This is the first time that anyone has been prosecuted under RIPA, according to the defence council. “This is ...the first time anyone has been prosecuted for this offence under RIPA.” Despite pleading guilty, Stanford decided to appeal in light of the fact that “seven top lawyers... thought that what I did was not illegal” [Source] [Source]

US – NSA Awarded Net Location-Tracking Patent

The National Security Agency has obtained a patent on a method of figuring out an Internet user’s geographic location. The patent describes a way to discover someone’s physical location by comparing it to a “map” of Internet addresses with known locations. [Source]

WW – Computer Hackers Unleash Viruses for Financial Gain

Symantec.’s Internet Security Threat Report found that during the first half of 2005, new viruses targeting Microsoft Windows increased 48% compared to the previous six months. Hackers are exploiting the Internet for cash, not notoriety or for thrills, according to the report. The report by the security software maker also found that malicious code that exposes confidential information made up three-quarters of the top viruses, worms and Trojans, up from 54% compared to the last six months of 2004. [Source]

US – Teen Privacy Concerns Spur Suit over Psych Test

Called TeenScreen, this computerized Q&A is designed to diagnose mental illness and identify depression and suicidal tendencies in adolescents. That ambitious agenda, plus a history of giving the test to some students without parental permission, has put TeenScreen in the hot seat. Last week, a lawsuit outlining these complaints was filed in federal court in the Northern District of Indiana in South Bend by a Northern Indiana couple and their 16-year-old daughter. They charge that the Columbia University test violates parental and child rights at federal and Indiana levels and invades privacy. [Source]

US – ChoicePoint Sends Notices Stemming From 3 Incidents of Unauthorized Access

ChoicePoint announced three cases of unauthorized access to its database of personal information. The company detected the breaches in February when a crime ring accessed 145,000 records from its database. One of the breaches allegedly involves a Florida police officer who faces a suspension from the Miami-Dade Police Department, but no criminal charges to date. ChoicePoint also announces that it will send out 4,667 more notices to people whose records also were compromised in the February breach. The firm is offering all affected consumers one year of free credit monitoring. [Source]

US – National Academies/CSTB Report on Electronic Voting

Election officials across the United States are increasingly looking to electronic voting systems as a way to administer elections more efficiently, but skeptics have raised concerns about the security and reliability of these systems. Asking the Right Questions About Electronic Voting, new from the National Academies’ National Research Council, offers a set of questions that policy-makers and the public should ask to help ensure that the technologies implemented are secure, reliable, efficient, and easy to use. Advance copies are now available to reporters. The report, which was chaired by Dick Thornburgh, former governor of Pennsylvania, and Richard Celeste, former governor of Ohio, was released on September 13, 2005, and is available free at the web site below. [Press Release] [Full Report]

WW – New Technology Knocks Out Digital Cameras

Researchers at the Georgia Institute of Technology have come up with an inexpensive way to prevent digital cameras and digital video cameras from capturing that secret shot. [Source]

WW – Security Experts See Surge of Phishing Attacks Targeting European Banks

Phishing attacks against European banks – primarily in Spain and Italy – are on the rise. Cyber criminals have focused most efforts on scamming computer users in North America. The fake emails mimic bank language, which shows a level of “sophistication to the attacks.” [Source]

US – Medical Records, PI Stolen From Non-Profit Provider in California

California police are investigating the theft of birth dates, Social Security numbers, psychiatric, health and financial information for about 5,000 clients of the Children’s Health Council in Palo Alto, Calif. Also stolen was payroll information for about 700 current and former employees. The theft is just another in a string of escalating cases of security breaches and identity theft cases. Last year, the Federal Trade Commission said there were 635,000 reports of identity theft with losses of $547 million. [Souce]

UK – School Decides on Toilet Cameras

More than 80 parents have complained to a school in Lancashire after cameras were installed in the toilets there. [Source]

US – Firm to Stop Selling Data on Cell Phone Calls

Source Resources Inc. of Tennessee will stop selling personal cell phone records of individuals over the Internet and will provide information on how it acquired such data under an agreement reached last week with Verizon Wireless. The firm was among dozens of companies advertising that for fees starting under $100, they would provide records of calls placed to and from any phone user. [Source]

US – Passenger Screening Plan Shelved

The U.S. government is shelving plans to identify potential terrorists on passenger lists through commercial databases, the Wall Street Journal reported Thursday. The newspaper said the decision comes as a group of privacy experts is preparing a report highly critical of the Secure Flight program, the Transportation Security Administration's effort to take over passenger screening from the airlines. The TSA has considered using commercial data for Secure Flight but came under criticism from privacy advocates, the Government Accountability Office and others. In response, the agency has decided to launch the program without commercial data, the Journal quoted TSA chief Kip Hawley as saying. "There's no question it would be helpful, but it brings with it a lot of privacy concerns," Hawley told the newspaper. Secure Flight is now expected to launch by early next year. [Source]

US – Missouri Passes Law to Prevent PII Being Posted with Harmful Intent.

A bill that prohibits posting certain personal information on the Internet with the intent or threat to cause harm or death to a person is officially law. The Missouri governor signed it shortly after Senate approval Thursday. The law applies to all persons, not just public officials. The bill’s emergency clause was also approved, which enabled the law to go into immediate effect after the Governor’s signature. [Source]

CA – Police Commission Could Face Fingerprinting, Probes of Family, Friends

Edmonton city council is considering a proposal to fingerprint Police Commission members as well as probe their family and friends in order to tighten security clearance. Under the scheme, commissioners would have to fill out a detailed questionnaire with a police inspector every time they’re appointed or reappointed, according to a report released Thursday. The form includes questions about whether they or family, friends and associates have faced criminal charges, are involved with gangs or are doing anything that would embarrass the commission. As well, commissioners’ fingerprints would be compared to information in the RCMP’s Ottawa databanks, which could take up to four months. While police fear staff safety and the integrity of investigations could be at risk without such enhanced checks, commission chair Brian Gibson described the idea as “overkill.” [Source]

--------