Privacy News Highlights

15—20 September 2006

Contents:

US – NIST Releases Biometric Data Specification for Personal Identity Verification

CA – Nymity Study: Business Responding to Privacy Requirements

CA – BC Government Loses Tapes with Personal Data on BC Citizens

US – BBB & ANSI Spearhead Coalition to Combat ID Theft & Fraud

UK – Government: Public & Private Sectors Should Share Personal Information

US – Anti-Spam Group Ordered to Pay $11.7 Million

US – Spam Canned: FTC Busts Four Operations, Fines $400K

CA – Federal Government Has a Role to Play in Spam Reduction: Minister

UK – Report: Too Much Recklessness Blights Government IT Projects

EU – Terrorism No Excuse for Privacy Breaches, Says EU Regulator

EU – Irish Journalists Urge Defeat of Planned Privacy Law

US – Ponemon Study: Boardroom Privacy Tops Personal Privacy

UK – Corporate ID Theft Costs British Firms £50m a Year

US – Justice Dept Defends Mandatory Web Labeling

AU – Privacy Commissioner Comments on Anti-Money Laundering Bill 2006

CA – PIPEDA Case Summary: Law Firms Collected Credit Reports Without Consent

CA – September 25-29 is Right to Know Week

US – Study: Healthcare Firms Lack Security Plan

US – Pair Indicted for Filing Phony Medicare Claims with Stolen Patient Information

US – University of Texas San Antonio Server Breached

US – Nikon World Magazine Subscribers’ Data Exposed

US – Employee Files Found in Dumpster

US – Unisys Subcontractor Arrested in VA Computer Theft

US – Study: Data Breaches Not the Leading Cause for Identity Theft

US – ID Theft Task Force Issues 7 Recommendations

UK – No Idea Where Your ID is? Youngsters Haven’t a Clue Says Passport Service

CA – CIPPIC Files Objection to Sony Rootkit Settlement

US – AG: Congress Should Require ISPs to Save User Data

US – Social Security Numbers (SSNs) Remain On State Web Site

US – Organized Crime Gets More Sophisticated Online

US – Study: Americans Oppose Outsourcing Personal Financial, Health Data

US – EFF Publishes Search Privacy Tips

UK – Report: Children at Risk on Networking Web Sites

EU – ICC Hopes to Make Data Transfer Out of EU Simpler

EU – Digital Rights Ireland Files Suit Over Surveillance

US – HP Investigation Extended Beyond Digging Up Phone Records

US – House Committee to Hold Hearing on HP Pretexting

US – Privacy & American Business and Center for Social & Legal Research Bid Farewell

US – Opinion: Growing Need to Educate the Public About RFID Technologies

EU – Survey: Most Businesses Unaware of Data Leaks

WW – Rivals Skirmish With Microsoft over VISTA Security

WW – Gartner Report Forecasts Top IT Security Threats for 2006-2007

US – Senate Committee Votes to Authorize Warrantless Wiretapping

US – EFF Tackles US Government on Covert Surveillance

CA – Jasper Approves Public Video Surveillance

CA – Bombardier Launching Digital Surveillance System for Train Security

US – White House Selects Cyber Security Chief

US – DHS Releases Report on February Cyber Storm Exercise

US – E-Authentication Maps Out Its Future

US – DHS Federal Advisory Committees Set to Review Privacy Policy Issues

US – CDT "Internet Watch List" Identifies Dangerous Legislation

EU – Study: Surfing A Bigger Risk than Spam to Company Networks


 

US – NIST Releases Biometric Data Specification for Personal Identity Verification

NIST Special Publication 800-76-1, Biometric Data Specification for Personal Identity Verification, is now available for a three-week public comment period. This document is a revision of the version published in February. Changes include incorporation of the published errata document, clarification of performance testing and certification procedures, and a caution regarding fingerprint minutiae generation. [Source]

 

CA – Nymity Study: Business Responding to Privacy Requirements

A new study conducted by Nymity finds that corporate Canada has made strides in being open with consumers about how their personal information is handled, a requirement of privacy laws in Canada. In the past, companies relied on simple, short, motherhood statements placed on websites. Now, website privacy policies provide specific details about an organization’s privacy practices (privacy policies available online average 6½ pages in length); are structured to maximize readability; and provide many advanced provisions to assist consumers in making informed decisions. In other findings: 83% of all organizations have dedicated privacy policies for Canadians, leaving only 17% providing generic international policies; 82% of organizations’ privacy policies addressed all corporate operations, leaving only 18% restricted to website operations; and over 90% of all organizations address transferring information to third parties. The 2006 Nymity Trends in Transparency Report analyzed 23 openness criteria across over 200 companies in 8 industries. Study results were released in conjunction with the Canadian Marketing Association to raise industry awareness of the importance of privacy policy transparency, and to highlight best practices adopted by many leading organizations serving the Canadian marketplace. [Source] [Source]

 

CA – BC Government Loses Tapes with Personal Data on BC Citizens

Thirty-one computer tapes holding information about hundreds of thousands of B.C. citizens are missing from a government facility in Victoria. The data on the tapes could be used to commit identity fraud. A confidential government report about the incident obtained by the Vancouver Sun recommends not making the tapes’ disappearance public knowledge. Canadian law does not require that individuals be notified in the event of a possible data breach. The government became aware the tapes were missing in August 2005. Richard Rosenberg, a University of B.C. computer science professor, questioned the B.C. government’s handling of citizens’ personal data. “You sort of wonder, when are the lessons going to be learned that confidential information has to be protected, guarded and dealt with as if it’s important, because it is,” says Rosenberg. [Source] [Source] [Source]

 

US – BBB & ANSI Spearhead Coalition to Combat ID Theft & Fraud

The American National Standards Institute (ANSI) and the Better Business Bureau system (BBB) have announced a partnership with a cross-sector team of high profile companies to create a single resource of standards and guidelines that businesses and other organizations can use to prevent and respond to identity theft and fraud. The initiative, called the Identity Theft Prevention and Identity Management Standards Panel (IDSP), will have two main charges: First, it will identify and catalogue existing, broadly-applicable identity theft and fraud prevention standards and guidelines. Second, it will identify areas where updated or new standards are needed. The panel’s recommendations for revised or additional standards shall serve as a call to action for further work by the standards development community. Issues to be explored by the IDSP include managing access, storage and disposal of customer and employee data; personnel qualifications and training for the handling of sensitive data; criteria for selecting data contractors; and recapturing and restoring the integrity of stolen identities. An aggressive timetable of 12-18 months has been set to produce a comprehensive, cross-sector set of requirements and best practices that can help any organization protect the confidential personal data of its employees and customers. In addition to industry, participation is being sought from standards development organizations, trade and professional associations, government agencies, consumer groups, organized labor, academia and other interested groups. [Source]

 

UK – Government: Public & Private Sectors Should Share Personal Information

The Department of Constitutional Affairs has proposed in its Information Sharing Vision Statement that the public and private sectors share information on fraud. The UK Information Commissioner supports more public sector data sharing with proper privacy safeguards. Commissioner Richard Thomas said he does not “want data protection to be wrongly blamed for preventing sensible information sharing.” Civil liberties groups are concerned by the new plan. [Source] [Information sharing vision statement] [Vast database a ‘sinister’ expansion of the ‘Big Brother’ – Big Brother row as 400,000 civil servants win right to snoop] [Source] [Gov spins data sharing] [Conservatives alarmed by ‘Big Brother’ databases]

 

US – Anti-Spam Group Ordered to Pay $11.7 Million

The nonprofit group behind a popular blacklist used to block spam has been hit with a multimillion-dollar judgment, but the order may not be enforceable. The U.S. District Court for the Northern District of Illinois ordered that Spamhaus must pay $11,715,000 in damages to e360insight and its chief, David Linhardt, who sued the U.K.-based organization earlier this year over blacklisting. [Source]

 

US – Spam Canned: FTC Busts Four Operations, Fines $400K

The FTC has shut down four illegal e-mail spamming operations, including one that offered the opportunity to “date lonely wives,” the agency said Thursday. Two of the other operations sending unwanted commercial e-mail hijacked the computers of third parties and used them to send sexually explicit e-mail, the FTC said. The FTC charged the four operations with violating the CAN-SPAM Act. Federal courts in Illinois and Arizona approved the FTC’s request to shut down the operations. [Source] [$400 penalty levied]

 

CA – Federal Government Has a Role to Play in Spam Reduction: Minister

The federal government has a role to play in stopping spam from clogging Canadians’ email inboxes, Industry Minister Maxime Bernier said last weekend. Bernier said he just received a copy of a 2005 report assembled by the National Spam Task Force, which recommended the government institute an anti-spam statute. “The report that I received, it told me yes, we have a role,” Bernier said. “I just want to be sure that the thing that we’re going to do, it will be something that will solve the problem. The question is, what can we do? And I’m not sure right now. Maybe the market will decide in the end.” [Source]

 

UK – Report: Too Much Recklessness Blights Government IT Projects

A new report from The Work Foundation finds that too many government ICT projects have been insufficiently piloted before being rolled out, are over-complex in design, ignore the advice of the staff who must use the systems, and try to solve too many problems at once rather than build on systems that are already in place. The report says public managers need a ‘balanced’ approach to risk when delivering ICT projects – neither too cautious, nor too foolhardy. The report’s co-author said: “Too many government ICT projects fail to deliver the promised benefits because public sector managers have a reckless streak – they become dazzled by the potential of the technology and lose sight of what is practically deliverable. Government should not be about cutting edge innovation - it should be about serving citizens well and efficiently. If someone gets their benefit late due to computer failure, it matters in a way that it simply doesn’t when private sector ICT projects fail. The private sector can afford the luxuries of innovating; in the public sector, ICT needs to work.” [Source] [News Release] [Report]

 

EU – Terrorism No Excuse for Privacy Breaches, Says EU Regulator

Terrorism and organised crime should not be used as excuses for passing laws which undermine people’s privacy and data protection rights, according to the European Data Protection Supervisor (EDPS). Existing laws do not need to be changed, he said. In an update on data protection in Europe, EDPS Peter Hustinx said that security concerns were not an adequate reason to undermine data protection principles. “It is a misconception that protection of privacy and personal data holds back the fight against terrorism and organised crime,” said Hustinx. “Current legislation does allow, for instance, law enforcement to check suspicious phone numbers found in a computer.” [Source] [Source] [Source] [Source] [EDPS website]

 

EU – Irish Journalists Urge Defeat of Planned Privacy Law

Privacy legislation drawn up by Michael McDowell, the Irish justice minister, has been criticised by legal academics as rushed, ill-drafted, and uninformed by public consultation or debate. At a conference organised by the National Union of Journalists this week, lawyers urged McDowell to withdraw the privacy bill and allow the courts to balance the rights to privacy and to freedom of expression on a case-by-case basis. Andrea Martin, a solicitor and media law consultant, said the provisions were “premature, ill-thought-through and poorly drafted”. The bill was brought to cabinet and published by McDowell in July, but only after his efforts to introduce a reform of defamation law first were rebuffed by other ministers who wanted the two bills introduced together. [Source] [Source]

 

US – Ponemon Study: Boardroom Privacy Tops Personal Privacy

The Ponemon Institute released a study this week that found that 85% of the 226 directors who participated said that they placed a higher priority on corporate confidentiality than the protection of their privacy rights. The survey also found that more than half of the directors surveyed said they had served on corporate boards that had approved “aggressive” surveillance efforts to plug a boardroom leak. [Source]

 

UK – Corporate ID Theft Costs British Firms £50m a Year

Corporate identity theft cost British businesses £50m in 2005 - and the figure is set to increase 1,300% by 2020, new research shows. Corporate ID theft is one of the fastest growing risks firms face, and large businesses are the most likely to be affected, a study from commercial insurer Royal & SunAlliance (R&SA) found. It happens when fraudsters steal the identity of a legitimate company and then trade under its credit and name. [Source] [Source] [Background]

 

US – Justice Dept Defends Mandatory Web Labeling

The U.S. Department of Justice has stepped up its defense of a proposal to imprison Web site operators who don’t label pages containing sexually explicit material. The idea, outlined in an April speech by Attorney General Alberto Gonzales, is approaching a vote in Congress. [Source]

 

AU – Privacy Commissioner Comments on Anti-Money Laundering Bill 2006

The Australian Privacy Commissioner has released a second round of comments on the second exposure draft of the proposed anti-money laundering and counter-terrorism regime. This second round of comments follows the office’s previous recommendations made to the department and to the Legal and Constitutional Legislation Committee Inquiry in March 2006. [Source] [News Release] [Submission]

 

CA – PIPEDA Case Summary #340: Law Firms Collected Credit Reports Without Consent

The Office of the Privacy Commissioner of Canada received two complaints from individuals alleging that different law firms had collected their personal information, by conducting credit checks on them, without their knowledge or consent. The issue of jurisdiction was raised during the investigations, though in different ways. The Assistant Privacy Commissioner concluded that both cases were well-founded (and recommended that the law firms implement a policy that prohibits conducting credit checks without consent, with certain exceptions). [Source]

 

CA – September 25-29 is Right to Know Week

A special panel discussion in Toronto will help mark the first Right to Know Week in Canada, 25-29 September. Ontario Information and Privacy Commissioner Ann Cavoukian, her counterparts in other provinces and territories and the federal Information Commissioner are all holding special events during the week of September 25 to help focus attention on an individual’s right of access to government-held information and open, transparent government. September 28 is recognized around the world as International Right to Know Day. This recognition began at an international meeting of access to information advocates in Sofia, Bulgaria on September 28, 2002. Since that time countries around the world have promoted this date to raise awareness of citizens’ rights to government information in the interests of open, accountable and transparent government. [Ontario Information and Privacy Commissioner] [Newfoundland Office of the Information and Privacy Commissioner] [Coverage]

 

US – Study: Healthcare Firms Lack Security Plan

Most healthcare companies are investing in security because of legal requirements, not forward thinking, a new study says. For healthcare, pharmaceutical, biotech and biomedical companies, legal and regulatory requirements as well as potential liability continue to be key drivers behind security investments, and much of this spending is still reactionary, according to the Global State of Information Security study. The report was released by PwC and others. While improving physician effectiveness and quality of life is a top priority for provider organizations – prompting a rise in the use of laptops, personal digital assistants and remote access to patient records – incidents involving the loss or theft of executive laptops and their stored data continue to occur, the report said. Yet only 29% of pharmaceutical companies have security standards or procedures for handheld and portable devices, and 30% still do not classify data and information assets according to risk levels, according to the report. Other key findings from the survey:

o Only 34% of pharmaceutical companies keep an accurate inventory of all third parties using customer data, and 56% do not require third parties, including outsourcing vendors, to comply with privacy policies.

o Despite 54% of pharmaceutical respondents identifying employees as the likely source of attack this year, 73% of pharmaceutical companies do not yet have an identity-management solution.

o 8 in 10 U.S. healthcare organizations say business continuity and disaster recovery are the drivers of increased spending on information security and privacy.

o Only 46% of pharmaceutical companies have an overall security strategy, and 73% do not integrate information-security safeguards with privacy and compliance plans. [Source] [Report]

[See also: 6 September 2006 GAO Report: Health Care Privacy Breaches Widespread]

 

US – Pair Indicted for Filing Phony Medicare Claims with Stolen Patient Information

Two people were indicted on charges of conspiracy to commit computer fraud, conspiracy to commit identity theft and conspiracy to wrongfully disclose individually identifiable health information, as well as charges related to fraud in connection with computers and violations of HIPAA. The two allegedly conspired to steal personal medical information belonging to more than 1,100 Cleveland Clinic Florida patients and use it to make more than US$2.8 million in phony Medicare claims. The Cleveland Clinic has sent letters to patients whose data were stolen. If convicted of the charges against them, the two could each face up to 10 years in prison and fines of up to US$250,000. [Source]

 

US – University of Texas San Antonio Server Breached

A security breach of a server at the University of Texas at San Antonio (UTSA) is under investigation by a university technology team, local police and state and federal officials. The compromised server contains 4 years’ worth of data, including names, addresses and SSNs, that belong to 53,000 current and former students who have received financial aid and 11,000 current and former faculty and staff members. All 64,000 individuals received letters apprising them of the situation. The breach was discovered during a routine risk assessment in mid-August. A university spokesperson said the problem was detected before any information could be taken. [Source]

 

US – Nikon World Magazine Subscribers’ Data Exposed

The names, addresses and credit card numbers of 3,235 subscribers to Nikon World magazine were accessible on the Internet for approximately nine hours last week. The problem was discovered on September 13 when an Alabama camera store employee attempted to subscribe to the magazine on line. The sensitive subscriber data were accessible from a link in an email from Nikon World. Nikon says it has contacted everyone whose data were compromised. The breach affects people who subscribed to the magazine after January 1, 2006. [Source] [Source]

 

US – Employee Files Found in Dumpster

Following the buyout of a telemarketing company, employees found personnel files and files containing consumer data dumped in the trash. The employee files included photocopies of driver’s licenses and Social Security cards. The state attorney general’s office plans to examine the discarded files. Federal law requires businesses to take measures to destroy personal data beyond simply tossing it in the trash. [Source] [Source]

 

US – Unisys Subcontractor Arrested in VA Computer Theft

Authorities have charged a 21 year-old Unisys Corp. subcontractor with stealing a desktop computer holding billing information on as many as 38,000 U.S. Department of Veterans Affairs medical patients. The Washington, D.C.-area man was charged Wednesday with theft of government property. He is an employee of an unnamed company that “provides temporary labor to Unisys,” according to a statement released by the Veterans Affairs department’s Office of Inspector General. [Source] [Source]

 

US – Study: Data Breaches Not the Leading Cause for Identity Theft

A 12-month study conducted by Javelin Strategy and Research has concluded that data breaches are not the leading cause for identity theft. The leading causes are lost or stolen wallets, check books and credit cards. The focus on data breaches compared with other causes of ID theft has misled consumers “on how to set overall priorities for guarding against identity fraud,” said Javelin’s president. [Source] [Source] See also: [RCMP Investigator Urges Full Disclosure on IT Security Breaches]

 

US – ID Theft Task Force Issues 7 Recommendations

Victims of identity theft should be allowed to seek restitution from defendants for time spent undoing damage from the offense, according to interim recommendations issued this week by a federal task force on ID theft. The Task Force issued seven recommendations:

1) directing the Office of Management and Budget to issue guidance to federal agencies on how to handle data breaches;

2) strengthening data security in the government;

3) accelerating and broadening the review of where social security numbers are used by agencies;

4) establishing a new "routine use" by which agencies would be allowed to share information otherwise restricted by the Privacy Act, to facilitate responding to a data breach;

5) holding workshops for academics and businesses to develop better methods to authenticate identities;

6) amending criminal statutes to allow identity theft victims to seek restitution from defendants for time spent undoing damage from the offense; and

7) developing a universal police report to make it easier to report identity theft and enter it into existing systems. [Source] [Source] [Source] [Source]

 

UK – No Idea Where Your ID is? Youngsters Haven’t a Clue Says Passport Service

According to research carried out for the Identity and Passport Service (IPS), when put on the spot, only half of young people (49%) could say where their passport was without having to think or look for it. 60% could not say, without checking, which month their passport was due for renewal, and 62% do not have a record or copy of the passport or its number in case of emergencies. This is despite the fact that a third of young people (31%) rely on their passport as proof of age in bars and nightclubs. Even more concerning, 41% of young people admit they do not keep their passport locked away or in a secure place - they’d rather keep it in a drawer (12%) or on their person (6%). iPods and mobiles are treated with far more care – 72% of young people keep these valuables either locked away or in a safe place. [Source] [UK Identity & Passport website news release]

 

CA – CIPPIC Files Objection to Sony Rootkit Settlement

The Canadian Internet Policy and Public Interest Clinic (CIPPIC) has filed an objection to the proposed Sony rootkit class action settlement, pointing to the absence of future conduct provisions that were included in the U.S. settlement as well as the “explanation” Sony BMG offered for their absence. EFF submitted an affidavit in support of the objection. [Source] [Privacy And Copyright - An Increasingly Volatile Mixture] [DRM is anti-privacy, anti-security, anti-cryptography]

 

US – AG: Congress Should Require ISPs to Save User Data

During testimony this week before a Senate panel, Attorney General Alberto Gonzales said that Congress should require ISPs to save customer records to help the government in the online fight against child pornography. Justice Department officials have told the companies that they need the records saved for up to two years to help them get the information they need to build and prosecute cases. [Source]

 

US – Social Security Numbers (SSNs) Remain On State Web Site

A software program successfully removed 97% of the SSNs listed in documents accessible through the Ohio Secretary of State’s web site. Seven months after the personal information was discovered online, staffers are manually checking the database to remove what’s left on the site. A spokesman for the Secretary of State said the office is unaware of any ID theft that resulted from the exposure of the personal information. [Source]
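The item above does not say how the Ohio office's tool worked or why it stopped at 97%, but the pattern is familiar to anyone who has run an automated PII sweep: a detector tuned to the canonical dashed form misses the same numbers written with spaces, dots or no separators, while a looser pattern starts flagging phone numbers, ZIP+4 codes and order numbers unless it also checks that the value could actually be an SSN. The following Python is an added illustration of that trade-off, not the state's software; it assumes a regex-based approach, uses the value ranges the Social Security Administration has never issued (area 000, 666 and 900-999, group 00, serial 0000) as a plausibility filter, and runs over a constructed sample rather than any real filing.

```python
import re
from dataclasses import dataclass

# Constructed sample text (not taken from the Ohio site): lines of the kind found in
# scanned business filings, including non-SSN nine-digit values and never-issued SSN forms.
SAMPLE = """\
Registered agent: J. Doe, SSN 123-45-6789, Columbus OH
Officer ID number: 234 56 7890 (per 2004 filing)
Taxpayer ref 345.67.8901 attached
Account holder SSN: 456789012
Phone 614-555-0100, ZIP 43215-1234, order #987654321
Invalid test values: 000-12-3456, 666-12-3456, 912-34-5678, 123-00-4567, 123-45-0000
"""

# First-pass pattern: the canonical dashed form only (what a quick sweep tends to target).
DASHED = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

# Broader pattern: dash, space, dot or no separator at all. The backreference \2 forces
# both separators to agree, so "123-45 6789" is not glued together into one number.
LOOSE = re.compile(r"(?<!\d)(\d{3})([- .]?)(\d{2})\2(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA has never issued: area 000, 666 or 900-999, group 00,
    serial 0000. This is what keeps the loose pattern from flagging every 9-digit number."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


@dataclass(frozen=True)
class Hit:
    line: int    # 1-based line number in the input
    start: int   # column span of the match within that line
    end: int
    text: str    # the value exactly as written


def find_ssns(text: str, strict: bool = False) -> list[Hit]:
    """Return every plausible SSN in text; strict=True accepts only the dashed form."""
    hits: list[Hit] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if strict:
            for m in DASHED.finditer(line):
                area, group, serial = m.group().split("-")
                if is_plausible_ssn(area, group, serial):
                    hits.append(Hit(lineno, m.start(), m.end(), m.group()))
        else:
            for m in LOOSE.finditer(line):
                if is_plausible_ssn(m.group(1), m.group(3), m.group(4)):
                    hits.append(Hit(lineno, m.start(), m.end(), m.group()))
    return hits


def redact(text: str, strict: bool = False) -> tuple[str, int]:
    """Replace each detected SSN with a fixed marker; returns (redacted_text, count)."""
    lines = text.splitlines()
    hits = find_ssns(text, strict)
    # Apply replacements right-to-left within each line so earlier offsets stay valid.
    for h in sorted(hits, key=lambda h: (h.line, -h.start)):
        line = lines[h.line - 1]
        lines[h.line - 1] = line[:h.start] + "[SSN REDACTED]" + line[h.end:]
    trailing = "\n" if text.endswith("\n") else ""
    return "\n".join(lines) + trailing, len(hits)


def missed_by_strict(text: str) -> list[str]:
    """Values the dashed-only pass leaves behind: the residue a manual sweep must find."""
    strict_spans = {(h.line, h.start) for h in find_ssns(text, strict=True)}
    return [h.text for h in find_ssns(text) if (h.line, h.start) not in strict_spans]


if __name__ == "__main__":
    redacted, n = redact(SAMPLE)
    print(f"{n} SSNs redacted; the dashed-only pass would have caught "
          f"{len(find_ssns(SAMPLE, strict=True))}.")
    print(redacted)
    print("Missed by the dashed-only pass:", missed_by_strict(SAMPLE))
```

On the sample the dashed-only pass finds one of four real SSNs; the loose pattern finds all four while leaving the phone number, ZIP+4 and order number untouched, and the plausibility filter discards every never-issued value on the last line. The residual risk is the other direction: a genuine SSN split across a line break or embedded in a longer digit run still escapes both patterns, which is why a tool's reported hit count is not evidence that a site is clean.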

 

US – Organized Crime Gets More Sophisticated Online

According to a top U.S. Department of Justice official, cyber scams are increasingly being committed by organized crime syndicates out to profit from sophisticated ruses rather than hackers keen to make an online name for themselves. [Source]

 

US – Study: Americans Oppose Outsourcing Personal Financial, Health Data

New York-based law firm White & Case LLP and the Ponemon Institute have released the results of a study on outsourcing. The survey found that almost 90% of those surveyed oppose the outsourcing of their health records to companies outside the U.S. Another finding was that about 70% of the respondents are strongly opposed to their financial data being turned over to any foreign company. [Source]

 

US – EFF Publishes Search Privacy Tips

Recent data breaches and AOL’s search engine query disclosure scandal have made many users more concerned about search engine privacy. In an attempt to help educate Internet users, the EFF has published a concise guide entitled, “Six Tips to Protect Your Online Search Privacy.” An assortment of common-sense suggestions, the EFF’s tips are ranked by difficulty level, from easy to advanced. The advanced tips recommend changing one’s IP address, and using an anonymizing proxy like Tor. The EFF warns users not to log in or register for accounts with major search providers, and explains the risks of inputting search queries that contain personally identifiable information. The guide also contains detailed instructions that describe how to disable cookies. [Source]

 

UK – Report: Children at Risk on Networking Web Sites

Children using hugely popular social networking Web sites such as MySpace.com and Bebo.com face bullying, unsuitable advertising and pornography, a report by a UK consumer watchdog magazine said. [Source] [Which? Magazine report]

 

EU – ICC Hopes to Make Data Transfer Out of EU Simpler

The International Chamber of Commerce has produced a standardized application form that can be used to seek permission from all 25 EU countries to send personal information from within the EU to outside it. Stringent controls on the transfer of personal data are in place in the EU, and a company must apply to all 25 member states to formalize the rules controlling the movement of that data. Previously that involved a separate application for each country, but the ICC has produced a form which it hopes will become a standard across all member states. It awaits approval by the EU’s Article 29 Data Protection Working Party. [Source] [ICC standard application form] [UK ICO’s information on international transfers]

 

EU – Digital Rights Ireland Files Suit Over Surveillance

Irish civil rights group Digital Rights Ireland has started a High Court action against the Irish Government challenging new European and Irish laws requiring mass surveillance. The action challenges the law on data retention contained in the Irish Criminal Justice (Terrorist Offences) Act, 2005 and the European Data Retention Directive passed in 2006. [Source] [Source] See also [Ireland brings case against data retention to Europe]

 

US – HP Investigation Extended Beyond Digging Up Phone Records

According to published reports, HP investigators hunting for a boardroom leak extended beyond the techniques that identified people’s private phone records, by shadowing the company’s directors and trying to install snooping software on at least one reporter’s computer. Authorities and politicians remain primarily concerned about the deceptive measures that enabled HP’s investigators to obtain the personal phone logs of several directors, 9 reporters, 2 employees and a semiretired physicist. [Source] [Source] [Spokesman Among Targets in HP Leak Probe] [HP pretexting case raises concerns in Canada] [Coverage] [Coverage] [Coverage]

 

US – House Committee to Hold Hearing on HP Pretexting

The US House Energy and Commerce Committee plans to hold a two-day investigative hearing regarding the legality of telephone pretexting, or pretending to be someone else to obtain their phone records. The hearing was prompted by the recent scandal at HP in which it was revealed that a company hired by an HP contractor to discover the source of corporate information leaks used pretexting to conduct its investigation. One day of the hearing will focus on HP; company executives, board members and others are likely to be called as witnesses. HP was given until this Monday to submit numerous documents to the committee. [Source] [Source] [Security Firm Part of Probe of HP] [‘Pretexting’ Is Common in Business World] [Protect Yourself From Pretexting] [Coverage]

 

US – Privacy & American Business and Center for Social & Legal Research Bid Farewell

Alan Westin, a privacy pioneer, has announced that P&AB and The Center for Social and Legal Research are closing. Westin launched P&AB in 1993 when consumer privacy “was just emerging as a serious national issue in the U.S.,” according to a letter he wrote last week. Westin is a dean of American privacy as well as the author of a seminal tome on privacy, Privacy and Freedom, published in 1967. [Source]

 

US – Opinion: Growing Need to Educate the Public About RFID Technologies

Mark Roberti, founder and editor of RFID Journal, says it is time for the vendors of RFID technology to create a nonprofit group focused on education. The group would “promote and encourage companies using RFID” to use best practices to protect consumer privacy. The group also would educate the public, lawmakers, journalists and privacy advocates about privacy issues and ways to address them. Lastly, Roberti suggests that the group would be helpful in coordinating the work of various RFID industry groups to “ensure a unified approach to RFID labeling.” [Source]

 

EU – Survey: Most Businesses Unaware of Data Leaks

Portable devices, email attachments and email content are the top three ways that information leaks from an organization, according to the Workshare Information Risk survey. The survey, which was commissioned by Workshare, polled 200 security and risk professionals in organizations with more than 1,000 employees in the UK, Germany, Japan and Australia. Another issue identified by the survey is that most companies have no means of preventing the leaks: 57% of businesses do not have automatic enforcement of document security compliance. [Source] [Press Release] [Study]

 

WW – Rivals Skirmish With Microsoft over VISTA Security

Microsoft and its security rivals are feuding over a key piece of Windows Vista real estate. The fight is over the display of technology that helps Vista owners manage the security tools on their PC. Symantec, McAfee, Check Point Software Technologies and other companies want Microsoft to change Vista so their products can easily replace the operating system’s built-in Windows Security Center on the desktop. However, Microsoft is resisting the call. [Source] [Source]

 

WW – Gartner Report Forecasts Top IT Security Threats for 2006-2007

Gartner research analysts are predicting myriad IT security hazards over the next two years. Gartner released the list of IT Security threats this week during its IT Security Summit in London, part of the company's "hype cycle" reports that track technology trends. The threats, says Gartner, have a "potential to inflict significant damage" on businesses. The threats are: Cyberattacks with a financial motive; Identity theft; Spyware; Social engineering; Viruses; and Rootkits. [Source]

 

US – Senate Committee Votes to Authorize Warrantless Wiretapping

A bill radically redefining and expanding the government’s ability to eavesdrop on and search the houses of U.S. citizens without court approval passed a key Senate committee last week, and may be voted on by the full Senate this week. By a 10-8 vote, the Senate Judiciary Committee approved SB2453, the National Security Surveillance Act, which was co-written by the committee’s chairman, Sen. Arlen Specter, in concert with the White House. [Source] [CDT summary] [Source] [Panel in Senate Backs Bush Plan for Eavesdropping] [GOP Leaders Back Bush on Wiretapping, Tribunals] [ACLU Slams Senate Judiciary Committee’s Approval of NSA Spying Bills] [Senate Panel Sends a Mixed Message on Wiretapping]

 

US – EFF Tackles US Government on Covert Surveillance

The Electronic Frontier Foundation (EFF) has launched a campaign to shed light on the US government’s electronic surveillance programmes. The EFF is using the Freedom Of Information Act (FOIA) as a springboard to introduce information requests and litigation that it hopes will show the extent of government monitoring of web, email and other electronic communications. David Sobel, senior counsel on the FOIA Litigation for Accountable Government project, said that the investigations are at the early stages. “The first step is initialising our very early requests and in the first month we might be filing some lawsuits based on lack of response,” he told vnunet.com. The EFF aims to uncover surveillance, database and data mining activities by the US government in recent years. Sobel claims to have already contacted the FBI, the Department of Homeland Security, the Department of Justice, and the Department of Education. [Source] [EFF Site] [EFF FOIA Litigation for Accountable Government (FLAG) project website] See also: [ www.thefirstamendment.org ]

 

CA – Jasper Approves Public Video Surveillance

The Jasper Municipal council approved a policy last week that allows for the placement and use of video surveillance equipment in public outdoor spaces. In part, the policy states that the municipality recognizes its shared role with the RCMP and other agencies in providing “a safe and secure community for residents and visitors. Council also recognizes society’s obligation to ensure the rights of individuals to privacy are not unfairly infringed upon by efforts to achieve and maintain safety and security.” The policy goes on to set out a series of guidelines overseeing when and how a camera system would be installed and operated. Although the policy allows for cameras as an option to help address problems downtown, the policy states that placement of cameras “shall be undertaken only when all other avenues to resolve concerns...have been exhausted.” [Source]

 

CA – Bombardier Launching Digital Surveillance System for Train Security

Bombardier Inc. is launching a new-generation digital video surveillance and monitoring system for passenger trains at a trade show in Germany next week. Berlin-based Bombardier Transportation’s biggest transit equipment market is western Europe. But it could go into the new Toronto Transit Commission subway cars just ordered from Bombardier and in the new Montreal metro cars Bombardier expects to build. [Source]

 

US – White House Selects Cyber Security Chief

The Homeland Security Department picked a technology industry lobbyist this week as its cybersecurity chief, filling a job that has had no permanent director for a year. Greg Garcia, VP of information security policy and programs for the Information Technology Association of America, was appointed assistant secretary for cybersecurity and telecommunications, DHS Secretary Michael Chertoff said. The cybersecurity job was created in July 2005, but department officials have struggled to find candidates willing to take significant pay cuts from industry jobs to fill it. Garcia will oversee DHS’s implementation of the “National Strategy to Secure Cyberspace,” a far-reaching blueprint for securing the nation’s most critical information networks and for crafting a disaster-recovery and response plan in case of a major cyber-attack or other massive malfunction. [Source] [Source] [GAO Report: Critical Infrastructure Protection: DHS Leadership Needed to Enhance Cybersecurity. GAO-06-1087T, September 13] [Highlights]

 

US – DHS Releases Report on February Cyber Storm Exercise

The US Department of Homeland Security (DHS) has released a report detailing the findings of its Cyber Storm exercise, which took place in February 2006. The exercise was designed to simulate events requiring coordination between public and private entities in the face of a major cyber attack or natural disaster. It simulated the effects an attack could have on a variety of critical infrastructure elements, including cascading events. DHS said the exercise provided valuable information about the ability of numerous public and private organizations to work together in the face of disaster. According to the report, the public and private sectors need to improve the coordination of their communication when multiple events occur at once. [Source] [Source] [Source] [Lawmakers Fault DHS for Cybersecurity Efforts] [Port-Worker ID Program Stalled, Fails Privacy Safeguards]

 

US – E-Authentication Maps Out Its Future

The General Services Administration estimates that agencies have about 600 applications that would benefit from E-Authentication services. Right now, about 14 use them. So GSA and the government have a long way to go before they fully enjoy the benefits of a single-sign-on environment. Officials from GSA and the OMB are working with agencies to figure out how and in what order the other 586 applications will start using SAML or a digital certificate. Final plans, which some agencies already have handed in, are due Sept. 30. “We are looking for systems that will get the greatest return for agencies,” said Michel Kareis, E-Authentication program executive. “The goal is all 600, but the time frame of when is what the plans will provide.” The systems either face the public, meaning they are outside the agency’s firewall, or are internal systems that hundreds of federal employees use. For instance, Kareis said, Grants.gov recently became the first of the 25 original E-Government projects to adopt the E-Authentication model. [Source]

 

US – DHS Federal Advisory Committees Set to Review Privacy Policy Issues

The Data Privacy and Integrity Advisory Committee at the Homeland Security Department and the Information Security Privacy Advisory Board at the National Institute of Standards and Technology are planning to issue a report within the next year on the impact of information technology in the agencies. The goal, according to one participant, is not to redo legislation. Rather, the aim is to determine whether the use of new technologies may have advanced beyond the effectiveness of some laws. [Source] [Federal privacy law faces review from data advisers]

 

US – CDT "Internet Watch List" Identifies Dangerous Legislation

“As Congress mounts its final push before the midterm elections, a number of bills that threaten the bedrock of Internet privacy and civil liberties could either come up for votes or worm their way into larger legislative packages that end up being rushed into law. Today, the Center for Democracy & Technology (CDT) issued its "Internet Watch List," which contains nine legislative efforts that should not be allowed to succeed in the so-called "silly season" at the end of the 109th Congress. In the coming weeks, CDT will urge lawmakers, journalists and the online public to keep close watch on these legislative efforts to ensure that this collection of bad ideas doesn't become a collection of bad laws.” [Internet Watch List] [CDT Press Release, September 14, 2006]

 

EU – Study: Surfing A Bigger Risk than Spam to Company Networks

According to a new study by IDC Denmark, company networks are now more likely to pick up malicious software via employee Web surfing than from e-mail attachments. Nearly 40% of the 200 Danish companies surveyed said their systems had been infected by a virus or worm, despite the fact that 75% had implemented a security policy. [Source]

--------