Privacy News Highlights
27 January – 02 February 2007
Contents:
UK – Information Commissioner Releases Guidance on Schools Fingerprinting
US – Georgia to Restrict Fingerprinting, Ban RFID Implants and Genetic Discrimination
RU – Russian Biometric Passports Failed
EU – Serbia Rejects Biometric ID Cards
CA – Federal & Alberta Privacy Commissioners to Investigate TJX Data Breach
CA – Ontario Government to Post Photos, Identities of “Deadbeat Parents”
EU – Pan European Medical Records System Proposed
EU – E.U. and U.S., Divided on Air Passenger Data, Seek Deal
EU – Dutch DPA Advises Negatively on Dutch Draft Data Retention
EU – Greece Vodafone Fined € 76 Million Over Security Breach And Wiretap Scandal
EU – France CNIL Warns ISP Free against Data Breaches
EU – Spain Adopts New Video Surveillance Legislation
UK – Royal Data Breach Lands Journalist Jail Time
US – Poll Exposes Generational Divide on Expectations of Privacy
EU – German High Court Rules that Disclosure of Consumer Credit Data Is Illegal
WW – Survey: Consumers Favor Stronger Authentication Methods For Online Banking
US – 50 State Guide to Open Records Laws Released
US – IBM Calls on Congress to Act on Genetic Non-Discrimination Legislation
UK – Info Commissioner Richard Thomas Issues Report on Patient Record System
US – GAO Issues Report on Health Information Technology and Privacy
US – Pennsylvania Blue Cross Health Records to be Accessible Via Cell Phone
WW – Data Security and Privacy Breach Roundup
UK – Information Commissioner Issues ID Theft Warning
US – Identity Theft Tops Complaints to Illinois Attorney General in 2006
US – Survey: ID Fraud in U.S. Falls by $6.4B
WW – Symantec Unveils ‘Universal ID System’
US – Sony BMG Settles FTC Charges Over Rootkit
US – Carnegie Mellon CyLab Publishes 2006 Privacy Policy Trends Report
WW – Net Pioneer Predicts Overwhelming Botnet Surge
CA – Canadian Tax Authorities Use Searchbot to Search for Cheats
US – Lawmakers Target Sex Offenders on The Net
WW – IBM Donates New Privacy Tool To Open-Source
WW – Phishing Overtakes Viruses and Trojans
WW – Study Finds IE7 + EV SSL Won’t Stop Phishing
EU – Norwegian Privacy Authorities Investigating Google
EU – French Big Brother Awards 2006
AU – Australian Big Brother Awards 2006
US – ACLU v. NSA Hearing on Warrantless Wiretaps
US – Digital Billboards Use RFID to Deliver Personalized Messages to Car Owners
EU – European Commission Announces RFID Forum in March 2007
US – Human RFID Tag Provider VeriChip Announces IPO
WW – RFID Deployed in Large US, UK Hospitals
US – TJX Hit with Class Action Lawsuit
US – Banks Step Up Efforts to Pressure Retailers On Data Security
US – US Government Does Not Score Well On Cybersecurity
US – Smart Card Alliance Issues Privacy, Security Guidelines
US – FBI Turns To Broad New Wiretap Method
CA – Toronto Police Push Surveillance Cams: No Privacy Threat
US – Justice Department Releases Documents on Spying Program
US – Bill Would Establish Committee to Study Privacy Amendment to N.H. State Constitution
US – Maine Lawmakers Reject Compliance With Real ID Act Of 2005
The UK Information Commissioner has declared that
schools should ask for the consent of children and parents before they take
pupils’ fingerprints, despite there being no legal obligation for them to do
so. The data protection supervisor issued the informal
advice this week, contrasting with previous public comments on the issue of
consent, some of them related to its official guidance on school
fingerprinting, which it is still drafting. Received wisdom, established by
the Gillick precedent, has it that a child can decide for itself on matters of data
protection when it is mature enough. This was the basis on which the ICO worked
until now. Only this week, the ICO issued an official
guidance note on the age at which children are deemed old enough to
ask under the Data Protection Act to see their school records. The note
accorded with its earlier view of fingerprinting: pupils are old enough when
they are mature enough. “As a general rule, students aged 12 and over should
be considered mature enough to make a request for their own personal
information,” said an assistant commissioner in a written statement. [Source]
[ICO Advice] [Technical Guidance Notes] [Parliament won’t debate school fingerprinting] [School fingerprinters say they don’t grab teaching cash]
A state legislative study panel says
The Russian Federal Migration Service (FMS) said this
week that the equipment for recording the personal data of a passport’s holder
has turned out to be unreliable and breaks down constantly, and that FMS employees
lack the skills to operate the new equipment. Due to these problems, the
beginning of mass issuing of new passports this year in
A grass-roots campaign in
The Privacy Commissioner of
The photographs of
European Union president
The Dutch Data Protection Authority (DPA) has made a
strong case against the Dutch draft law that seeks to implement the EU data
retention directive (the draft law would introduce a retention period of 18
months, both for telephone and Internet traffic data). In its advice of 22
January 2007 the DPA concludes that the draft disregards the requirements of
article 8 of the European Convention on Human Rights. By extending the
retention of mobile telephone location data to all the location data generated
during a communication, the draft goes beyond the demands of the directive. The
DPA notes that this extension implies surveillance of the movements of large
numbers of innocent citizens and points to the agreement in the European
Parliament and the German implementation draft, where it is explicitly stated
that the directive does not demand the retention of location data
generated during a mobile communication. Another point of criticism by the DPA
concerns the limitations on access to the retained data. The DPA concludes that
these provisions are too broad and need to be drafted more strictly and
precisely. The Dutch DPA finally criticizes the use of delegation provisions.
According to the DPA, the details on the specific data to be retained should be
included in the law itself. The law should also be more specific about the
obligation to provide statistical data on the actual use of the retained
data. The draft law is not at all clear about these essential ingredients of
the data retention regime and delegates power over these matters to the government.
The draft, now in the consultation phase, was made public on 21 December
2006. It also provoked a strong reaction from a large coalition of telecom
companies and ISPs. [Advice Dutch Data Protection Authority (in Dutch only, 22.01.2007)] [Draft law implementation data retention directive (in consultation), (in Dutch only, 21.12.2006)] [EU Data Retention - documentation, news and links] [Key documents on “the making of” data retention 1997 - 2006] See also: [Ireland DRI challenges EU’s Data Retention law]
The Hellenic Authority for the Information and
Communication Security and Privacy has fined Vodafone € 76 Million (approx. US
$100 Million) over a security breach and wiretapping scandal that saw the illegal
monitoring of the mobile calls of top government officials. Vodafone was ruled
at fault for not preventing unknown hackers from subverting a legitimate
surveillance system to spy on Greek officials around the time of the 2004
Athens Olympics. The Authority said that Vodafone had failed to take adequate
measures to protect its network and had not informed subscribers that their
phones were being tapped. It further criticized Vodafone for obstructing its
investigation by failing to admit the existence of the surveillance system
itself. [Source]
On January 4, 2007, the French Data Protection
Authority (CNIL) announced that leading ISP Free SAS erroneously transferred
personal data, including unlisted phone numbers, from more than 120,000 customers
to third-party operators of web-based and phone-based directory services. The
CNIL decided not to impose any fines as it was satisfied that Free SAS took
measures to correct its internal security controls. The CNIL however considered
that this was a particular threat to privacy which justified a public warning.
[CNIL Decision]
The first Spanish legislative instrument dealing with
video surveillance of private individuals entered into force on December 12,
2006. Instruction 1/2006, adopted by the Spanish Data Protection Agency on November
8, 2006 applies to images recorded by cameras when the purpose of processing is
the security of individuals. The Instruction is the consequence of the growing
increase in the use of these devices in
A journalist has been jailed for tapping the mobile
phone voicemail services of royal employees. Clive Goodman was royal editor of
the News of the World at the time. Goodman admitted hacking into the phones 487
times in a single eight-month spell ending in June of last year. He was
sentenced to four months in prison. Goodman breached the Regulation of
Investigatory Powers Act (RIPA), committing a criminal offence. The case
comes in the wake of calls from Information Commissioner Richard Thomas for tougher
penalties for journalists who invade people's privacy. Thomas wants people who
breach the Data Protection Act to face two years in jail. Currently
there can be no jail term because those activities are not criminal acts. [Source]
Nine out of 10 Americans believe the Internet has
changed our expectations of privacy, according to a new poll conducted on
behalf of the Congressional Internet Caucus
Advisory Committee in advance of its annual policy conference in
In its decision of December 14, 2006, the Düsseldorf
High Court (OLG Düsseldorf) ruled that the transfer of consumer data to the
Schufa Holding AG on the basis of the general acceptance of the terms and conditions
of a contract without further consideration of a data subject’s interests or
without obtaining their prior consent is illegal. The Schufa Holding AG is a
credit association set up by the credit services sector in
The fourth annual Financial
Institution Consumer Online Fraud Survey, conducted by IT security company RSA
Security, has found that 91% of the 1,678 adults surveyed from eight countries
say they would use a new authentication method if their banks decided to offer
stronger security. The survey also found that 6% said they believe that banks
should ditch usernames and passwords in favor of stronger authentication methods
for online banking. More than 90% of bank customers favor the use of two-factor
authentication for their online banking. The survey also found that 58% of
banking customers wanted their bank to adopt stronger authentication for
telephone banking. [Source] [Source]
Find out which government records are available to the public in each state in the
revised Open Government Guide, produced by The Reporters Committee for
Freedom of the Press. The access to public records for private investigators,
lawyers or journalists is more often than not the same as that accorded to the
unwashed masses. [Source] [Guide to Open Records]
IBM’s Chief Privacy Officer, Harriet Pearson,
testified before the House Education and Labor Subcommittee on Health,
Employment, Labor and Pensions about the subject of genetic non-discrimination.
IBM filed its testimony on the Genetics
Information Non-Discrimination Act last week and called on Congress to
enact laws that prevent discrimination based on genetic information which is
increasingly prevalent in the diagnosis and treatment of many medical
conditions, as well as in research to discover the fundamental genetic mechanisms
of major diseases. In October 2005, IBM became the first major corporation in
the world to establish a genetics privacy policy that prohibits current or
prospective employees’ genetic information from being used in any employment
decisions. [Source]
In a recent report,
Information Commissioner Richard Thomas has assured patients that they will
have the chance to opt-out of the new NHS medical records system. In trial
areas where the records will first be uploaded to the system, NHS will contact
the patients first, and give them their options to limit the scope of
information or to opt-out entirely, according to the report. They also will be
given the opportunity to view their information before it is uploaded to the
system. [Source]
[Report]
The Government Accountability Office has released a
report entitled Health
Information Technology: Early Efforts Initiated but Comprehensive Privacy
Approach Needed for National Strategy. GAO-07-238. GAO has identified key
challenges associated with protecting electronic personal health information in
four areas: (1) Understanding and resolving legal and policy issues; (2) Ensuring
appropriate disclosure; (3) Ensuring individuals’ rights to request access and
amendments to health information; and (4) Implementing adequate security
measures for protecting health information. [Source] [Highlights]
Blue Cross of Northeastern Pennsylvania plans next
month to begin a project to allow its 600,000 members to access their health
records on cell phones or handheld devices. In March, the insurer will begin providing
members free access to mobile software that they can download to cell phones
and handheld devices. Members can then use their mobile devices to show doctors
their medication history, previous diagnoses, allergies and other data. In
addition to the health data obtained from claims records, the mobile
application will have a member's eligibility and insurance benefits. The
insurer is using MobiSecure Wallet and MobiSecure Vault software from Toronto-based
Diversinet Corp. to run the application. Users can download the Wallet
software to their PC or cell phone, which is used to retrieve the health data
from the Vault, a server-side repository that stores the health data. The
MobiSecure software generates a new unique password for each transaction. [Source]
People are risking identity theft by not protecting
their personal details, the
Consumers complained to Illinois Attorney General Lisa
Madigan’s office about identity theft more than they did about any other topic
in 2006. Of the 32,724 consumer complaints received last year, 5,327 – or 16% –
dealt with ID theft, capturing for the
first time the No. 1 spot on the yearly consumer complaint list that the attorney
general compiles. Other complaints in the top 10 dealt with such subjects as
credit, telecommunications and construction/home improvement fraud. In a news
release, Madigan also pointed to a disturbing new trend, saying her office
received more than 700 mortgage-related complaints last year. While
mortgage-related problems did not make the top 10 list of 2006 consumer
complaints, last year’s figure represents more than double the number of
mortgage-related complaints from 2005. [Source]
Americans lost about $US49.3 billion to criminals who
stole their identities in 2006, an 11.5% decline that may reflect increased
vigilance among consumers and businesses. Losses declined from a revised
$US55.7 billion in 2005, according to the third annual study
by Javelin Strategy & Research. They had increased in each of the prior
two years. The average identity theft fraud fell 9% from $US6278 to $US5720,
while the median - where half were larger and half were smaller - held steady
at $US750. "Businesses are doing a better job screening, and consumers are
doing better at locking up information and monitoring their accounts,"
Javelin's president said. The percentage of people affected by fraud has steadily
fallen from the first survey in 2003, when it was 4.7%, to 3.7% last year. [Source] [Source]
Symantec Corp. claims a new component of its Security
2.0 initiative will create a universally accepted identity system across all
Web sites, helping users manage their online identities in a secure way. The
Identity Initiative is a combination of services and software the company calls
the centerpiece of the Security 2.0 initiative it launched in October. “Our
goal is to create a universally accepted identity system across all Web sites –
from online financial institutions to retailers – for millions of consumers,”
said a Symantec spokesman. “We have a strong base to build from, with almost half
of our active Norton user base already enrolled in a basic Norton account.
We’ll enable our millions of customers to extend the functionality of their
Norton account to manage all their information, all in one place.” [Source]
The FTC has announced that Sony BMG Music
Entertainment agreed to reimburse consumers up to $150 for damage to their
computers from CDs with hidden DRM software. According to the FTC, which announced
the settlement, Sony BMG’s software limited the devices on which music could be
played to those made by Sony, Microsoft, or other Windows-compatible devices.
The software also exposed consumers to significant security risks and was
unreasonably difficult to uninstall. [Source]
The Carnegie Mellon CyLab Privacy Interest Group
(CPIG) has released its Privacy Policy Trends Report. The report examines the state
of online privacy at the end of 2006 through the lens of website privacy
policies, looking at three main areas: (1) privacy practices of the most
popular websites as compared with a random sample of websites that post privacy
policies, (2) privacy policies of websites in the U.S. financial industry, and
(3) trends in the adoption of the Platform for Privacy Preferences (P3P). [Report]
Internet pioneer Vint Cerf warned high-powered
attendees at the World Economic Forum in
IBM is giving its work on its “Identity Mixer”
software to the Higgins project, an open-source effort devoted to empowering users
by granting them more online control of their personal information. When making
an online purchase, users would provide an encrypted credential provided by
their credit card company in lieu of credit card account information. The
encrypted credentials could be used only once, requiring users to obtain a new
set when they make another purchase or transaction. The technology is intended
to build consumers’ trust about the security of online transactions. [Source]
Phishing attacks have outnumbered e-mails infected
with viruses and Trojan horse programs for the first time. Security mail
services vendor MessageLabs reports that in January 2007, one in 93.3 e-mails
(1.1%) comprised some form of phishing attack. There were fewer e-mails
infected with viruses. [Source]
The Norwegian press is reporting that the Norwegian
Data Inspectorate is investigating Google and the large amount of data stored
by search engines. Google has responded that it does not know the persons behind
IP numbers, and that the company is not willing to give such information to
others. [Source]
The French Big Brother Awards event took place on 20
January 2007. The winner of the State award was Jacques Lebrot, a “security”
sub-prefect, for having deprived several thousand people of jobs on the basis of police
records created purely on suspicion and discrimination, violating
their right to the presumption of innocence. The Sony-BMG company took the
enterprise award for its “rootkit”, spyware installed on the CDs it sold to
control the usage of the CD, ironically, by those who had become the rightful
owners by buying the CD in question. The Locality Orwell prize was given to the
Mayor of Ploërmel for having installed more than 50 video-surveillance cameras
in a locality with 9000 inhabitants and no delinquency at all, and for the
creation of a toll-free number encouraging denunciations. The Orwell Novlang prize
was awarded to the director of the Judiciary Police, who supports the genetic
filing of the entire population, arguing that innocent persons could thus be
cleared of any suspicion. Winning the lifetime achievement award was the Minister
of Justice, who had previously been nominated and awarded in 2004 for being a
strong supporter of the electronic bracelet for delinquents and for having
imposed it retroactively on sexual offenders after their release. He
won the 2006 award for his disrespect of institutions and human rights and for
his determination to imprison and control. The Voltaire prize for vigilance was
shared jointly by the school directors who have refused to fill in the
children database and by the webmaster of Ordinateurs-de-vote.org for his
ongoing work in showing why electronic voting is a false good idea and a
threat to democracy. [Source]
Outgoing Human Services Minister Joe Hockey has won
the People's Choice Orwell for the "access card - a national ID card in
disguise", in the 2006 Australian Big Brother Awards, hosted by the
Australian Privacy Foundation. Mr. Hockey was chosen for "his refusal to
release the privacy impact assessment" and for "his rejection of key
recommendations of his own Consumer and Privacy Taskforce." "This
was a well-deserved win for the relentless campaign of disinformation and
doublespeak surrounding the access card project." The Worst Public
Official award went to federal Justice Minister Chris Ellison, "for the
'Abolition of Financial Privacy' legislation masquerading as the
Anti-Money-Laundering and Counter-Terrorism Financing Bill". "People
might think, who could possibly object to that?" the judges said.
"But this legislation turns thousands of bank tellers and other employees
into amateur spies, with a legal obligation to report anyone who may be 'acting
suspiciously'." The Orwell for Greatest Corporate Invader was shared by
all Australian banks, for continuing to send personal information to the global
transaction hub, Swift, even after it was confirmed that the information was
being provided to US security agencies. Most Invasive Technology went to the
NSW Health Department, for overturning the opt-in requirement in the state's
health privacy law to allow the start of its electronic patient record system, Healthelink.
The Best Privacy Guardian award, or Smith, went to barrister Lex Lasry and
other defence lawyers who refused to submit to stringent ASIO security
clearances when representing suspects accused of terrorism. The Australian
Communications and Media Authority won an honourable mention for having
successfully prosecuted the company, Clarity 1, under the Spam Act, resulting
in fines of $5.5 million.
[Source] [APF Big Brother Award Winners]
This week, the ACLU urged
the Sixth Circuit Court of Appeals to uphold a lower court ruling
that the NSA’s warrantless wiretapping is illegal and unconstitutional. Audio from the
hearing is available at the Sixth Circuit’s website as a 670 MB WAV file.
This case deals with the so-called “Terrorist Surveillance Program”
that the President has publicly confirmed. EFF has sued AT&T for its
role in the NSA’s illegal spying, which we allege goes beyond what the
President has directly admitted and intercepts the phone and Internet
communications of millions of ordinary Americans. Last summer, Judge Walker rejected the government’s
motion to dismiss EFF’s case, along with AT&T’s motion to dismiss, and
allowed the case to go forward. That ruling is also on appeal. [Source] [Source]
Mini Cooper owners will be the recipients of
personalized marketing messages on billboards in four
DG Information Society and Media will be hosting a
conference on RFIDs in
Applied Digital Solutions announced this week that it
will take VeriChip public on Feb 8. Applied Digital manufactures security and
identification products based on a number of technologies, including RFID. A
subsidiary of Applied Digital, VeriChip manufactures the controversial
human-implantable RFID tag of the same name. VeriChip targets non-traditional
areas in which most RFID companies do not compete, like patient identification,
infant protection, and wander prevention. [Announcement]
RFID solutions
provider Parco Wireless has announced
its UWB RFID implementation at
A class action lawsuit, filed in US District Court in
The Massachusetts Bankers Association is increasing
its efforts to force retailers to improve data security safeguards or face
financial consequences. The group is backing legislation that would require the
party responsible for a security breach to reimburse banks for the costs of
reissuing cards when fraud results. Major credit card issuers may issue fines
of up to $10,000 per month for stores that fail to make efforts to comply with
the Payment Card Industry Data Security Standard (PCI). In December, Visa
The Cyber Security Industry Alliance (CSIA) has
renewed its call for the U.S. Congress to pass a comprehensive data protection
law in 2007. The CSIA, a trade group representing cybersecurity vendors, gave
the
A group that represents companies and government agencies
with a stake in the successful deployment of RFID technology has issued a set
of best practice guidelines. The Alliance Identity Council has released
the best practices to address privacy concerns related to the use of RFID in
identification documents. [Source]
CNET reports that the FBI appears to have adopted an
invasive Internet surveillance technique that collects far more data on
innocent Americans than previously has been disclosed. Instead of recording
only what a particular suspect is doing, agents conducting investigations
appear to be assembling the activities of thousands of Internet users at a time
into massive databases, according to current and former officials. That
database can subsequently be queried for names, e-mail addresses, or keywords.
[Source]
U.S. Attorney General Alberto Gonzales said this week
he would turn over secret documents detailing the government’s domestic spying
program, ending a two-week standoff with the Senate Judiciary Committee over
surveillance targeting terror suspects. The records will be given to Senate
Judiciary Chairman Patrick Leahy and the panel’s top Republican, Sen. Arlen
Specter, who two weeks ago lambasted Gonzales for refusing to turn over
documents that even the FISA Court’s presiding judge had no objection to releasing.
[Source]
New Hampshire State Rep. Jim Ryan is sponsoring
legislation that would create a committee to study whether the state should
advance a constitutional amendment that would guarantee the right to personal
privacy. Ryan’s bill is among a number of privacy-related measures the
Legislature is advancing this year. A Republican lawmaker is, for the second
year running, pushing efforts to shun participation in the federal
government’s Real ID Act, which would require states to meet federal standards
for issuing driver’s licenses by May 2008. [Source]