Privacy News Highlights

02—09 February 2007

Contents:

CA – Biometric Screening Now In Place at Key Canadian Airports

UK – 3,500 Schools Now Use Finger Print Scanners in ‘Big Brother State By Stealth’

WW – Study: US, UK Consumers Favor Biometrics as They Fret About Identity Theft

CA – Canadian Court Orders Federal Privacy Commissioner to Investigate Complaint

CA – OPC Publishes Fact Sheet, Guidance on Privacy Impact Assessments (PIAs)

CA – Ont. Wants Retailers to Be Forced to Notify Customers When Their Data Stolen

CA – New Brunswick Throne Speech Highlights Review of EHR Privacy

CA – Ontario Implements New Adoption Information Laws – “Will Help Protect Privacy”

CA – Ontario Gov’t Unveils Website to Identify and Track Down Deadbeat Parents

CA – Government Mismanagement of SINs Costing Canadians as Much as $2.4 Billion

US – FTC launches National Consumer Protection Week

US – Retailers Amass Consumer Data, Incur Security and Privacy Risks

US – FTC: ID Theft Tops Consumer Complaints List for Seventh Straight Year

CA – Feds Fumbling Large IT Projects: Auditor-General

US – E-mail Spam at All-Time High: IBM Report

EU – Data Protection Supervisor Pressures European Central Bank to Control SWIFT

CA – CSIS Director: Too Much Secrecy Helps Terrorists

US – U.S. Set to Begin a Vast Expansion of DNA Sampling

US – GAO Report: HHS Needs Better Plan to Protect Patient Privacy

US – Experts Testify That Privacy, Security Not High Enough On HHS Agenda

UK – NHS Addresses Euro Data-Sharing EHR Concerns

EU – Germany’s National Ethics Council Publishes Opinion on Privacy & Health Info

CA – PEI Government Announces Drug Information System

CA – CHI Developing Health Surveillance and Information Management Portal

AU – Australia Health Fund Leaking Patient Medical Files

US – Johns Hopkins Loses 135,000 Worker, Patient Records

US – VA Loses Another 48,000 Records

US – U.S. Legislator Pushes for ‘Passport Lite’

US – Identity Thefts Decline, But Still Major Problem: Study

WW – Liberty Alliance and Oracle Team to Advance Identity Governance Framework

WW – Microsoft to Back Open ID Scheme

US – Study: New Technology Can’t Completely Protect Users from Online Scams

US – Privacy Group Sues Army Over Surveillance of Soldiers' Blogs, Web Sites

EU – German Police Barred From Secret Computer Searches Over Net

UK – UK to Jail Privacy Violators

WW – Facebook Defends Teen Security Tricks

CA – Study: Majority of Children Believe Their Online Information is Private

CA – Website Verifies Disease-Free Sex Partners; Raises Concerns About Privacy

JP – High Court Rules Nationwide Registry Is Constitutional

US – Rebellion Growing as States Challenge Law to Standardize Driver’s Licenses

US – Mass. AG leads Multistate Probe into TJX Breach

US – Huge Database Aims to Include Photo of Every Tucson House

US – RSA Conference Panel Says Privacy Legislation Too Premature for RFID

US – Study Notes Link Between IT Sabotage, Work Behavior

WW – Bill Gates Says Tech’s Biggest Challenge is Keeping Data Secure

AU – Australia Government Introduces Smartcard Legislation

UK – Warning Over E-Passport Microchips

UK – Tories Warn Industry That Their Government Will Scrap ID Card Project

CA – Report: “Chip & PIN Migration: A Canadian Retailer’s Perspective” Released

IS – Israel Court: E-mail Surveillance Is Akin To Wiretapping

US – U.S. Court of Appeals Okays Surreptitious GPS Tracking By Police

US – Professors: Tracking Sex Offenders Is Unconstitutional

US – DOJ Balks At Privacy Provision in Proposed Telephone Rules

AU – ACMA Issues Do Not Call Contract

US – TiVo Sees If You Skip Those Ads

US – CDT Faults U.S. Guidelines for Terror Information Sharing

US – US-VISIT Program Faces Strategic, Operational, and Technological Challenges

US – USPS Receives Consumer Nod For #1 Gov’t Agency For Privacy Protection

US – House Introduces Four Privacy Bills … With One Runt in the Litter

US – Republicans File Data Retention Bill

US – Congress Plans Privacy Bills to Hold Retailers More Accountable for Breaches

US – Proposed Senate Bill Would Create Database of Illegal Images

US – Politicians Call For E-Voting Paper Trails By ‘08 Election

US – Georgia: Criminal Background Checks for All University Jobs Proposed

US – Missouri Judge Blocks Employment Background Checks

CA – Ottawa School Board’s GPS to Watch for Truant Trucks

US – Court: Employers Must Communicate e-Monitoring Policies

 

 

CA – Biometric Screening Now In Place at Key Canadian Airports

Canada’s air security agency said its $25-million biometric screening program is a major step toward ensuring the wrong people don’t get access to an airport’s most sensitive areas. The sophisticated screening program, now up and running at Canada’s major airports, uses iris and fingerprint scans to verify an airport worker’s identity. Airport workers can now gain access to restricted areas only if they swipe a security card, which is embedded with their biometric information, in a reader and then use their iris or fingerprint to match it. The reader verifies three things: (1) that the person’s fingerprint or iris pattern matches the stored images of the worker to whom the card is issued; (2) that the person has a valid Transport Canada security clearance; and (3) that the cardholder is allowed access to a particular restricted area. The cards employ a hologram to prevent tampering. At the same time, a database in Ottawa also verifies whether workers’ cards are valid before they are allowed access. [Source]

 

UK – 3,500 Schools Now Use Finger Print Scanners in ‘Big Brother State By Stealth’

As many as 3,500 schools are taking fingerprints from pupils, often without their parents’ permission, a new poll revealed this week. Soaring numbers require pupils to undergo biometric identity checks before they can register in the mornings, buy canteen meals and use the library. But the trend has prompted furious complaints from parents who are concerned their children’s data will be stored on insecure databases. Under current laws, schools do not have to seek parental consent before taking pupils’ fingerprints, although they should notify them. In an attempt to ease parental worries, schools are soon to be issued with new guidance urging them to gain permission as it is “best practice”. But campaigners claim the move does not go far enough and are demanding a change in the law to abolish biometric scanners completely from school premises. The collection of children’s fingerprints has also raised fears that children could become accustomed to giving out data about themselves, losing even more of their privacy. [Source]

 

WW – Study: US, UK Consumers Favor Biometrics as They Fret About Identity Theft

The Ponemon Institute, on behalf of Unisys, has released a survey that found 69% of U.S. respondents favour adoption of biometric technologies by banks, credit card companies, healthcare providers and government agencies. In the U.K., 92% of those surveyed indicated they support biometrics over other security technologies, such as smart card readers and passwords. The survey also found that 63% of U.S. consumers believe that financial institutions and government agencies are not doing enough to protect customers’ financial information. [Source]

 

CA – Canadian Court Orders Federal Privacy Commissioner to Investigate Complaint

The Federal Court of Canada yesterday issued an important decision addressing the jurisdictional reach of Canada’s privacy legislation. The court ordered the Privacy Commissioner to investigate a complaint involving a U.S. based company that collected and used the personal information of a Canadian complainant. [Decision] [Coverage] [Coverage]

 

CA – OPC Publishes Fact Sheet, Guidance on Privacy Impact Assessments (PIAs)

The Federal Privacy Commissioner this week published “Fact Sheet: Privacy Impact Assessments,” which discusses:

* What are Privacy Impact Assessments (PIAs)?
* When is a PIA required?
* Who conducts PIAs?
* What is the role of the Office of the Privacy Commissioner?
* What fundamental principles guide PIAs?
* What steps are involved in a PIA?
* How do PIAs protect my information?
* Who can look at PIA reports?

[Source]

 

CA – Ont. Wants Retailers to Be Forced to Notify Customers When Their Data Stolen

Ontario wants the federal government to force Canadian banks and retailers to notify customers when their credit or debit card information has been compromised, Government Services Minister Gerry Phillips said this week. Phillips said he would prefer to see one federal law instead of having every province and territory pass its own legislation to protect consumers against identity theft. [Source] [Press Release from the Office of the Information and Privacy Commissioner of Ontario]

 

CA – New Brunswick Throne Speech Highlights Review of EHR Privacy

New Brunswick’s Throne Speech promised that a review of access to information legislation will be initiated, including privacy legislation as it relates to health issues and the use of electronic health record technology. [Source]

 

CA – Ontario Implements New Adoption Information Laws – “Will Help Protect Privacy”

The Ontario government has begun implementing Bill 183, the Adoption Information Disclosure Act, 2005. Adult adoptees and birth parents whose adoptions were finalized in Ontario can now: (1) Register a “no contact” notice with the Ontario Registrar General (ORG) if they do not want to be contacted; (2) Register with the ORG a notice specifying a “contact preference” on how they prefer to be contacted; and (3) Apply to the Child and Family Services Review Board to prevent disclosure of identifying information if there are concerns regarding sexual harm or significant physical/emotional harm. [Source]

 

CA – Ontario Gov’t Unveils Website to Identify and Track Down Deadbeat Parents

The McGuinty government is unveiling www.goodparentspay.com, a new website that will post pictures and information to help find parents who are refusing to make court-ordered child support payments. The new website, run by the Family Responsibility Office (FRO), will be launched in late February 2007. The FRO has also started reporting defaulting support payors to professional and occupational organizations beginning with the Law Society of Upper Canada and the Ontario Motor Vehicle Industry Council. [Source] [Source] [www.goodparentspay.com]

 

CA – Government Mismanagement of SINs Costing Canadians as Much as $2.4 Billion

Mismanagement and fraud within Canada’s system of SINs is costing Canadians between $377 million and $2.4 billion annually, says a report from The Fraser Institute, an independent research organization. The new report, Mismanagement of Canadians’ Social Insurance Numbers: Should We Be Concerned about Losses and the Potential for Fraud? concludes that Canada’s system of managing SINs is open to fraud, misuse, and overpayment, and it urges the government to review the system with an eye to implementing reforms. The study contrasts the number of useable SINs with the actual number of Canadians to identify potential sources of problems with the use of SINs. The study also looks at a series of case studies completed by the Auditor General on programs that rely on SINs and then presents estimates of potential losses associated with SINs. [Source]

 

US – FTC launches National Consumer Protection Week

The FTC this week, in cooperation with federal, state and local agencies and national advocacy organizations for consumer protection and education, launched its ninth annual National Consumer Protection Week. This year’s theme, “Read Up and Reach Out. Be an Informed Consumer,” encourages consumers to arm themselves with knowledge about scams and share it with friends and families. According to the FTC, informed consumers are better able to see through frauds and deceptions, whether they take the form of questionable claims in an ad, “act now” offers that come in the mail or e-mail, or Web sites promoting schemes that sound like sure-fire successes. To promote the concept, the FTC and other groups participating in the program have launched the National Consumer Protection Week Web site at www.consumer.gov/ncpw, which contains practical information for consumers and businesses. For organizations that want to promote the week, there is also an “Outreach Toolkit” online with resources like a press release, PowerPoint presentation, newsletter article, radio PSA scripts, National Consumer Protection Week logos and Web banners. [Source]

 

US – Retailers Amass Consumer Data, Incur Security and Privacy Risks

The vast databases of consumer data compiled by retailers are attractive targets to criminals. A study by Retail Systems Alert Group estimates that about three-quarters of merchants collect details from customers every time they pass through the check-out. There are no comprehensive federal laws that regulate how companies should protect that data. The PCI Data Security Standard requires retailers to encrypt data. However, a recent Visa survey found that only 31% of large retailers were in compliance. [Source] See also: [Cybercrime Blame Game at RSA Conference]

 

US – FTC: ID Theft Tops Consumer Complaints List for Seventh Straight Year

The Federal Trade Commission released data for 2006 that showed that about 36% of its consumer complaints were related to identity theft. ID theft complaints accounted for 36% of the 674,000 complaints the agency fielded last year. In 2005, 37% of all the complaints were ID theft-related. Internet-related complaints accounted for 60% of all fraud complaints, compared to 46% in 2005. However, Internet auction complaints were down last year, from 12% in 2005 to 5% last year. [FTC Press Release] [Source] [Source] See also: [Utah Legislature Urges Congress to Crack Down on ID Theft] [FTC Chairman: Enforcement Actions Should Serve As A Warning To Companies]

 

CA – Feds Fumbling Large IT Projects: Auditor-General

The federal government is fumbling potential opportunities to improve business practices and services to Canadians, according to a critical report of IT project management by Auditor General Sheila Fraser. The report notes the Feds continue to experience problems managing large IT projects - despite a framework of best practices being in place since 1998. “We found several of the same problems we have reported in the past,” says Fraser. And the persistence of these long-standing problems is extremely troubling, she adds, because they involve large public investments. [Source] See also: [UK – Public Sector Lacks Data-Security Sense]

 

US – E-mail Spam at All-Time High: IBM Report

Spam has reached an all-time high of 77% of e-mail traffic in Canada and the U.S., says an Internet security expert. “It’s a remarkable thing,” Jordan Kalpin, Canadian regional director for IBM Internet Security Systems, said this week after IBM released a comprehensive security report. [Source]

 

EU – Data Protection Supervisor Pressures European Central Bank to Control SWIFT

Peter Hustinx, the EU’s data protection supervisor, is criticizing the European Central Bank’s (ECB) contention that it is not responsible for ensuring that SWIFT was complying with EU data protection rules. Hustinx said that the ECB “cannot escape some responsibilities in the SWIFT case.” He added that the financial community “should therefore provide payments systems which do not violate European data protection laws.” The European Data Protection Supervisor gave the central bank until April to come up with measures to make its payment operations fully compliant with data protection legislation, urging it to take appropriate measures as soon as possible. [Source] [Source] [Source]

 

CA – CSIS Director: Too Much Secrecy Helps Terrorists

CSIS: Overreacting to risk means we're 'giving in to fear'

Canada's spy master, of all people, is warning that excessive government secrecy and draconian counterterrorism measures will only play into the hands of terrorists. “The response to the terrorist threat, whether now or in the future, should follow the long-standing principle of 'in all things moderation,'” Jim Judd, director of the Canadian Security Intelligence Service, said in a recent Toronto speech. [Source]

 

US – U.S. Set to Begin a Vast Expansion of DNA Sampling

The Justice Department is completing rules to allow the collection of DNA from most people arrested or detained by federal authorities, a vast expansion of DNA gathering that will include hundreds of thousands of illegal immigrants, by far the largest group affected. The new forensic DNA sampling was authorized by Congress in a little-noticed amendment to a January 2006 renewal of the Violence Against Women Act, which provides protections and assistance for victims of sexual crimes. The amendment permits DNA collecting from anyone under criminal arrest by federal authorities, and also from illegal immigrants detained by federal agents. Over the last year, the Justice Department has been conducting an internal review and consulting with other agencies to prepare regulations to carry out the law. The goal, justice officials said, is to make the practice of DNA sampling as routine as fingerprinting for anyone detained by federal agents, including illegal immigrants. Until now, federal authorities have taken DNA samples only from convicted felons. The law has strong support from crime victims’ organizations and some women’s groups, who say it will help law enforcement identify sexual predators and also detect dangerous criminals among illegal immigrants. “Obviously, the bigger the DNA database, the better,” said Lynn Parrish, the spokeswoman for the Rape, Abuse and Incest National Network, based in Washington. “If this had been implemented years ago, it could have prevented many crimes. Rapists are generalists. They don’t just rape, they also murder.” [Source (NYT)] [ACLU Alarmed At Justice Department Move to Collect DNA, Violates Privacy Rights and Causes Further Delays in Overwhelmed System] See also: [Federal Genetic Privacy Bill is Back] and [NY State Law requires felons to submit DNA]

 

US – GAO Report: HHS Needs Better Plan to Protect Patient Privacy

The Government Accountability Office released a report last week that acknowledges the department’s efforts to consider privacy issues associated with the creation of a national database of e-medical records. However, the report concluded that the agency needs a better plan to protect patient privacy when it comes to the adoption of a national system of electronic health records. The report criticized HHS for failing to establish “milestones” to measure progress in development of privacy protections and for not having a person or organization in charge of coordinating federal privacy policy initiatives. HHS disagreed with the GAO’s findings in a written rebuttal. [Source] [GAO Report]

 

US – Experts Testify That Privacy, Security Not High Enough On HHS Agenda

The chairman of the Homeland Security and Governmental Affairs Subcommittee said during a hearing last week that the Health and Human Services Department (HHS) is not placing enough emphasis on privacy and security as it builds a Nationwide Health Information Network. The interim national health IT coordinator, Dr. Robert Kolodner, told the panel that the implementation of health technology is complex, requiring methodical steps to accomplish the mission. However, Carol Diamond, Managing Director of the Markle Foundation’s health programs, said that privacy and security should be finalized before the technology is developed to avoid “inappropriate uses of personal information.” [Source] [Source] [GAO report confirms IT’s threat to privacy] [Source] [Source] See also: [Joint DOD/VA EHR to Yield “Considerable Savings,” Official Says]

 

UK – NHS Addresses Euro Data-Sharing EHR Concerns

The NHS has not yet decided whether it will take part in a large-scale pilot involving the sharing of confidential patient details between European countries. However, following recent criticism of the proposed scheme by security experts, officials administering the National Programme for IT (NPfIT) – the massive health service computerisation project - have claimed the project would ensure privacy and security. The pilot would take place as part of the Competitiveness and Innovation Framework Programme (CIP), itself part of a massive EU funding drive for research and development, and would involve six countries allowing patients’ details to be shared if they were treated outside their home state. The scheme has not yet been approved, but is likely to be agreed upon later this year. [Source]

 

EU – Germany’s National Ethics Council Publishes Opinion on Privacy & Health Info

Germany’s National Ethics Council has published an opinion setting out guidelines about privacy rights and health information, warning against private health insurance companies demanding ever more detailed diagnostics from new customers. The 55-page opinion (English language version probably soon available here) argues that private health insurance companies’ desire to know ever more about their customers’ current state of health before offering them protection has to be balanced against the individual’s privacy rights. While the Council acknowledges that insurance companies have a legitimate interest in knowing about the risks they are taking on, it argues that individuals also have rights that must be protected. It is especially (but not only) modern genetic diagnostics that make prediction of an individual’s future health trajectory possible. While this information can be used to engage in preventative measures, it can also be used to exclude individuals from health insurance. The Council thus argues that the amount of information requested must be proportional to the protection offered — for very high levels of insurance, higher information requirements are acceptable. Problems arise, however, if individuals seeking normal levels of protection are subjected to tests that may lead to information the individual would prefer not to have — such as knowledge about an incurable disease that will afflict them in the future. Individuals, the Council argues, also have a right to ignorance that must be taken into account. The Council links this to the “right to informational self-determination” established by the German Constitutional Court and consequently advocates restrictions on insurance companies’ information requirements. [Source]

 

CA – PEI Government Announces Drug Information System

Premier Pat Binns this week officially announced a Drug Information System for PEI that will record information on all prescription drugs dispensed to Island residents. The Drug Information System is a computerized pharmacy network that will connect pharmacists, physicians, and other authorized health care professionals with comprehensive electronic medication profiles for all patients. [Source]

 

CA – CHI Developing Health Surveillance and Information Management Portal

Canada Health Infoway is working with the country’s 13 provinces and territories to integrate six applications, or key modules, into one portal for public health surveillance and information management. Jeffrey Betts, a business development manager for systems integrator IBM Canada Ltd., offers a walkthrough of the various component modules, including: 1. Case management; 2. Outbreak system; 3. Health alerts; 4. Immunization; 5. Materials and vaccine management; and 6. Workload management. [Source]

 

AU – Australia Health Fund Leaking Patient Medical Files

The intimate medical history of hundreds of people has been provided by one of the country’s largest private health funds to a company that uses it to sell its services to vulnerable patients. HCF has handed over to McKesson Asia Pacific the contact details, gender, age, the broad type of mental illness, and the recent number of hospital admissions for 370 people without their consent. The Office of the Federal Privacy Commissioner is so concerned that it contacted HCF this week seeking an explanation. The acting NSW Privacy Commissioner, John Dickie, described HCF’s conduct as “very suspicious”. [Source]

 

US – Johns Hopkins Loses 135,000 Worker, Patient Records

Computer backup tapes containing payroll data on 52,000 Johns Hopkins workers and medical information on 83,000 patients were lost last month but are thought to have been destroyed, the university and hospital announced this week. Nine backup tapes that were shipped in late December by courier to a Baltimore-area contractor for conversion to microfiche were never returned and never reached the contractor, Johns Hopkins authorities said in letters and e-mails sent to former patients and current and former employees. Eight of the nine tapes contained payroll information on 20,000 former and 32,000 current employees of Johns Hopkins University. The data on the unencrypted tapes included employee names, Social Security numbers, birth dates and – in cases where employees were paid by direct deposit – bank account information. The ninth backup tape contained the names of 83,000 hospital patients, their parents' names, race, sex, date of birth and medical record numbers. [Source]

 

US – VA Loses Another 48,000 Records

The U.S. Department of Veterans Affairs has launched an investigation into a portable hard drive that went missing late last month from an Alabama medical facility and may contain personal data on as many as 48,000 veterans. The department said the external drive, which was used to back up an employee’s computer at the Birmingham VA Medical Center, was reported missing on January 22 and may have been stolen. The VA’s Office of Inspector General opened an investigation one day after hearing of the breach and notified the FBI. [Source] [Source]

 

US – U.S. Legislator Pushes for ‘Passport Lite’

A top American legislator is circulating a proposed bill forcing U.S. officials to consider allowing enhanced driver’s licences at land border crossings. The draft legislation would commit the U.S. to at least one pilot project on using driver’s licences instead of either passports or a high-technology ID card dubbed passport lite. It would also ensure the Homeland Security and State departments take advantage of the extra time Congress gave them, until June 1, 2009, to ensure there won’t be traffic tie-ups and damage to cross-border trade. Democrat Louise Slaughter, a New York congresswoman who chairs the powerful rules committee in the House of Representatives, has been building support for the measure. Canadian and U.S. citizens under 17 would be exempt from the rules and Americans without the proper ID would get a break for six months after the deadline goes into effect. [Source]

 

US – Identity Thefts Decline, But Still Major Problem: Study

According to the third annual survey by Javelin Strategy & Research, identity fraud occurring in the U.S. declined in 2006 by 12% over the previous year, from $55.7 billion to $49.3 billion. Researchers attributed the decline to better consumer education and awareness as well as increased use of online banking and financial sites that allow individuals to monitor their accounts more frequently. [Source]

 

WW – Liberty Alliance and Oracle Team to Advance Identity Governance Framework

Liberty Alliance and Oracle this week announced that Oracle has submitted the Identity Governance Framework (IGF) royalty-free to Liberty Alliance. The IGF is an open standards-based initiative developed by Oracle to help organizations better govern and protect sensitive identity-related employee, customer and partner information as it flows across heterogeneous applications. Liberty Alliance will leverage its expert groups, diverse global membership and leadership in addressing the technology, business and privacy aspects of digital identity management to further develop the IGF specifications. [Source]

 

WW – Microsoft to Back Open ID Scheme

A plan to make it easier for web users to manage their online identities has won the support of Microsoft. The Open ID scheme uses web addresses that people already own to help authenticate their identity. In this way it tries to reduce the number of names and passwords that people have to remember and manage. As part of the deal Microsoft is sharing some of its technology with Open ID developers and will include it in future identity-related products. [Source] [Source] [Source]

 

US – Study: New Technology Can’t Completely Protect Users from Online Scams

Researchers at Harvard University and the Massachusetts Institute of Technology have released a working draft of a study that shows users who access online banking tend to overlook clues that the sites’ security may have been compromised. For example, when the HTTPS indicator that shows whether an encrypted connection is working was absent, all of the study’s 67 users proceeded with their transactions. The study’s results are coming at a time when U.S. banks are improving their authentication technologies as required by federal regulators. [Source] [Working Draft] [Source] [Study: Users ignore bank security features]

 

US – Privacy Group Sues Army Over Surveillance of Soldiers' Blogs, Web Sites

A U.S. Army unit that monitors thousands of Web sites and soldiers' blogs looking for sensitive military information has been hit with a Freedom of Information Act (FoIA) lawsuit by a San Francisco-based privacy group that wants to know more about the monitoring program. In a lawsuit (download PDF) filed in U.S. District Court in Washington last week, the Electronic Frontier Foundation (EFF) said that despite several requests for information from the Army unit, known as the Army Web Risk Assessment Cell (AWRAC), no answers have been provided. Marcia Hofmann, a Washington-based staff attorney for the EFF, said the FoIA lawsuit is aimed at protecting free speech and privacy and helping soldiers and other Americans understand how and why Web sites and soldiers' blogs are being monitored. "The idea is to get more information on what the Army is doing," Hofmann said. "Some soldier bloggers choose not to blog because of concerns about what they can and can't say" online. [Source] Related: [EFF to Open European Branch Office]

 

EU – German Police Barred From Secret Computer Searches Over Net

A German court has ruled that police cannot secretly search suspects’ computer hard drives over the Internet. The ruling bars police from using software to search through remote hard drives unless parliament passes a law explicitly allowing the technique. However, police still will be allowed to seize evidence from PCs when conducting searches in person. [Source] [Source] [Source] [Source]

 

UK – UK to Jail Privacy Violators

In a move to crack down on the illegal trade in personal information, UK courts will soon start jailing people who trade in, or deliberately misuse, the personal data of others, according to the Department for Constitutional Affairs. Today’s decision follows a public consultation on increasing penalties for deliberate and wilful misuse of personal data and is part of the Government’s strategy on data sharing to deliver better public services to individuals. The British Government has been increasingly concerned about an apparent growth in the trade in personal data, especially to companies that engage in spam email and cold calling marketing tactics, and under the new regulation, offenders could face up to two years in prison. The current penalty of a small fine in the Data Protection Act has not provided a sufficiently strong deterrent. [Source]

 

WW – Facebook Defends Teen Security Tricks

Facebook has defended its privacy protection despite the possibility that this has been circumvented for the first time by an alleged sexual predator. The teen-tastic site’s chief privacy officer Chris Kelly told security experts Facebook offers a robust system to protect identities of its 16 million participants and to exclude pedophiles. Facebook uses a combination of algorithms to spot dodgy traffic with “real-world” social techniques. He rejected employing technology such as Zephyr at MySpace, which enables parents to track their children’s name, age and sites visited in MySpace, and objected to emailing Facebook participants about potential dangers online and safety steps as tantamount to spam. Kelly, speaking during an RSA Conference panel on youth and the internet, offered his re-assurances despite an Illinois man having been arrested the day before for allegedly using Facebook to lure a 15-year-old boy while posing as a teenage girl. He told the Chicago Tribune this was the first time Facebook has been used to contact a minor for predatory reasons. [Source]

 

CA – Study: Majority of Children Believe Their Online Information is Private

Microsoft Canada and Ipsos released a study that found that 96% of Canadian parents have discussed the dangers of sharing private information online. However, the survey found that of the more than 1,000 children who participated, 70% between the ages of 10 and 14 believed that everything they post online is private. One child expert said children today have redefined privacy online, but they are unaware of the privacy dangers inherent in sharing photos, birth dates, addresses and phone numbers on the Web. [Source] See also: [Net Safety Day (Feb 6) Marked Worldwide] [More Children Seeing Porn Online, Researchers Say]

 

CA – Website Verifies Disease-Free Sex Partners; Raises Concerns About Privacy

In what may be the new frontier of online social networking, a Web site is being launched that purports to help online daters verify the sexual health of prospective partners. Checktonight.com will issue a digital stamp of approval to site subscribers who have tested free of any of five sexually transmitted diseases, a level of disclosure that is seen by some as a predictable innovation in Internet use and by others as a move that is potentially troubling from the perspective of personal privacy, sexual behaviour and possibly the privacy of health records. “We’re talking about this because it’s kind of like a new frontier – it’s saying look at how sexual health is coalescing with a Web service that allows people to verify their sexual test records,” says Jesse Hirsh, a Toronto-based Internet analyst. [Source] [ www.Checktonight.com ]

 

JP – High Court Rules Nationwide Registry Is Constitutional

The Juki Net, the nationwide Japan residency registration, is constitutional even though it contains personal information on residents who did not consent to the inclusion of their data, the Nagoya Court has ruled. Plaintiffs had sought to have their information removed from the registry. They also were seeking monetary compensation. The registry, which was established in August 2002, includes names, addresses and birth dates. The plaintiffs had argued that the state network violated their right to privacy in Article 13 of the Constitution. [Source]

 

US – Rebellion Growing as States Challenge Law to Standardize Driver’s Licenses

Opposition among state officials is turning into an open revolt against a federal law calling for the creation of standardized driver’s licenses nationwide that are meant to be less vulnerable to fraud. Maine legislators started off the rebellion late last month by passing a nonbinding resolution that rejected the law, called the Real ID Act, which Congress passed in 2005. They said that it would cost the state $185 million to put into place and that instead of making Maine’s residents more secure, it would leave them more vulnerable to identity theft. Since then, legislatures in five states - Georgia, Montana, New Mexico, Washington and Wyoming - have voted in committee or on the floor of one chamber to move similar legislation ahead. The bill adopted in a 99-to-1 vote by the Montana House of Representatives would go furthest, ordering state officials there to ignore the federal law. What state officials are hoping is that Congress will repeal or modify the law, or at least provide some of the billions of dollars the states claim it will cost to establish the new licensing system nationwide. [Source] [Arizona Senate Committee Gives Thumbs Down to Real ID Act] [Coverage][Real debate about Real ID]

 

US – Mass. AG leads Multistate Probe into TJX Breach

Massachusetts Attorney General Martha Coakley will lead a civil investigation by dozens of states into the security breach disclosed last month by The TJX Companies Inc., the owner of T.J. Maxx and Marshalls retailers. The state's consumer protection division is looking into the data breach, “particularly what security measures the company took to protect consumer information,” Coakley's office said in a statement this week. A Coakley spokeswoman, Emily LaGrassa, added that more than 30 states have asked for details on the TJX investigation or expressed interest in joining the probe. [Source]

 

US – Huge Database Aims to Include Photo of Every Tucson House

Photographers from a Canadian company are going house to house, shooting pictures of the roughly 300,000 houses in metropolitan Tucson. It’s part of an effort to photograph and appraise every house in the country, creating a database that can be sold to banks and insurance companies. While the city attorney says the activity is perfectly legal, it has officials and some residents concerned about privacy rights. [Source]

 

US – RSA Conference Panel Says Privacy Legislation Too Premature for RFID

Adoption of RFID technology could stall if lawmakers overreact to security and privacy concerns by legislating the technology, according to a group of experts who discussed the issue Tuesday at RSA Conference 2007. While legislation could eventually protect consumers from overambitious enterprises using the technology to glean insight on consumer habits, the speakers said, it could also make RFID too costly, hindering adoption by retailers and manufacturers. In addition, researchers are still unclear how to address security issues while keeping down the price of the tags used to label pallets and items. [Source]

 

US – Study Notes Link Between IT Sabotage, Work Behavior

Workers who sabotage corporate systems are almost always IT workers who exhibit specific negative office behavior, according to recent research. That is the conclusion of the U.S. military in conjunction with Carnegie Mellon University’s Software Engineering Institute Computer Emergency Response Team (CERT) program, which together analyzed insider cybercrimes across a variety of critical industry sectors. The research suggests that potential troublemakers should be easy to spot. Nearly all the cases of cybercrime investigated were carried out by people who were “disgruntled, paranoid, generally show up late, argue with colleagues, and generally perform poorly.” According to the research, 86% of those who committed cybercrimes held technical positions and 90% had system administrator or privileged system access. Almost half – 41% – of those who sabotaged IT systems were employed at the time they did it but most crimes were committed by insiders following termination. Most incursions – 64% – involved VPNs and old passwords that had never been terminated, highlighting a lack of security controls and gaps in their organizations’ access controls. As a result, Carnegie Mellon has developed a methodology that it said can help detect insider threats as early as possible, involving management, IT, human resources, security officers, and others who “must understand the psychological, organizational, and technical aspects of the problem, as well as how they coordinate their actions over time”. [Source] [CMU Study: Management and Education of the Risk of Insider Threat (MERIT): System Dynamics Modeling of Computer System Sabotage]

 

WW – Bill Gates Says Tech’s Biggest Challenge is Keeping Data Secure

Speaking to an annual gathering of 15,000 computer security experts in San Francisco, Microsoft Chairman Bill Gates said that keeping information secure in this age of laptop-lugging workers is the tech industry’s most formidable challenge. [Source] [Source] Microsoft Chairman Bill Gates Touts Importance of Smart Cards: Bill Gates criticized the use of passwords, saying that smart cards and digital certificates are “the way to go.” Microsoft’s Chief Research and Strategy Officer, said security will be more of a challenge as users expect to access information from multiple locations with more devices. Gates told delegates that Windows Vista users will be able to create a digital identity card for online transactions, eliminating the need for passwords while bolstering security against phishing attacks. [Source] [Source] [Source]

 

AU – Australia Government Introduces Smartcard Legislation

Draft laws introducing the Australian Government’s proposed health and welfare smartcard have been introduced to parliament amid concerns by government backbenchers that it may be used as a national identity card. The controversial card will carry personal information, replacing the Medicare card and providing access to up to 16 other government health and welfare services. The Federal Government, fighting claims its access card will turn into a national identity scheme, has refused to guarantee Australians access to personal information gathered under the $1.1 billion scheme. In a bid to counter “Big Brother” fears, the Government has promised to vest ownership of the card with individuals. But the Human Services Minister, Ian Campbell, would not say yesterday whether cardholders would be able to easily identify who had accessed personal data held by agencies, including Medicare and Centrelink. A Government source said it was “technically feasible” for cardholders to track transactions involving their personal files under the access card technology. [Source] [Source] [Public locked out of their own national cards] [Source] [Source] [‘Rushed’ Access Card Bill raises suspicions] [Source] [Smartcard could be abused, govt admits] [Coalition MPs attack proposed ID card]

 

UK – Warning Over E-Passport Microchips

Microchips in Britain’s new ePassports only have two-year warranties, a National Audit Office report says. They are so new, no-one knows how long they will last, or how the scanners reading them will work, the NAO said. Public Accounts Committee chairman Edward Leigh said the fact they had a two-year warranty, when passports were kept for 10 years, was “most worrying”. The Home Office said the ePassport had been rigorously tested, but it would work to improve the warranty. [Source][Source] See also: [New Raytheon ID Technology Answers Concerns About New Passport Regulations for Americas]

 

UK – Tories Warn Industry That Their Government Will Scrap ID Card Project

The British Conservative Party has issued a warning to companies intending to tender for work in the multibillion Pound ID card scheme that a future Tory government would “immediately” cancel the project. As the Financial Times reports, shadow home secretary David Davis also wrote to the government asking for that position to be taken into account when entering into contracts. (See here for the official announcement on the party’s website.) The Tories are presently launching a web- and print-based campaign against ID cards. The main arguments put forward are that ID cards “won’t work”, “are a waste of money”, and “an invasion of privacy”. The campaign also includes an online petition to the Prime Minister “to scrap the proposed introduction of ID cards”. (As of 6 February 2007, 16,143 signatures have been added). [Source]

 

CA – Report: “Chip & PIN Migration: A Canadian Retailer’s Perspective” Released

Over the next three years Canada’s major credit card issuers plan to move from familiar magnetic stripe cards using customers’ signatures for authentication to cards with a built-in microprocessor that checks a personal identification number (PIN) that the cardholder enters on a point-of-sale device when making a purchase. “Chip & PIN Migration: A Canadian Retailer’s Perspective,” a new study commissioned by Visa Canada claims the move is necessary because of rising credit-card fraud and the benefits will justify the costs to retailers. A national retailers’ organization, however, says the study doesn’t change its concerns about costs. The chip cards – often called smart cards – should go a long way toward combating several common types of credit-card fraud, said a MasterCard Canada VP. They will be harder to duplicate than magnetic-stripe cards, and the use of PINs will reduce fraudulent transactions with lost or stolen cards and new cards intercepted on their way to the cardholder, he said. [Source] [Source]

 

IS – Israel Court: E-mail Surveillance Is Akin To Wiretapping

Is it permissible for the police or any other body to trace your e-mails? Tel Aviv District Court Judge Khaled Kabub ruled yesterday that copying of electronic mail for purposes of surveillance constitutes illegal wiretapping. This means that any time the police force wishes to conduct surveillance of e-mail, it will be required to obtain special authorization from a District Court president. Granting of such authorization will be measured, for limited periods, and only for suspected crimes punishable by imprisonment of at least seven years. [Source]

 

US – U.S. Court of Appeals Okays Surreptitious GPS Tracking By Police

On February 2, the 7th Circuit of the U.S. Court of Appeals ruled against a defendant who claimed that the surreptitious placement of a GPS tracking device amounted to an unconstitutional search. From the court’s decision: “The police had not obtained a warrant authorizing them to place the GPS tracker on the defendant’s car. The district judge, however, found that they had had a reasonable suspicion that the defendant was engaged in criminal activity, and she ruled that reasonable suspicion was all they needed for a lawful search, although she added that they had had probable cause as well. The defendant argues that they needed not only probable cause to believe that the search would turn up contraband or evidence of crime, but also a warrant. The government argues that they needed nothing because there was no search or seizure within the meaning of the Fourth Amendment.” So the gist of it comes down to this. The Fourth Amendment protects against unreasonable search and seizure, but the judges ruled that the placement of a GPS tracking device without the suspect’s knowledge does not qualify as a search of his car. This is the first time the Seventh Circuit has weighed in on this issue, which other circuits have split on. The court equated GPS tracking to police physically following a car, or monitoring safety cameras to follow a car, neither of which amounts to illegal search and seizure. The court did note that wholesale surveillance of the entire population is another matter entirely. [Source] [Source]

 

US – Professors: Tracking Sex Offenders Is Unconstitutional

A new state law forcing sexual predators to wear tracking devices for the rest of their lives is unconstitutional, according to three University of Wisconsin-Madison law professors. The measure violates privacy rights and amounts to punishment and warrantless surveillance when applied to offenders who aren’t on parole or government supervision, the professors said in a letter sent to Corrections Secretary Matthew Frank on Feb. 3. “A clearer example of governmental intrusion into personal privacy is difficult to imagine,” wrote law professors Walter Dickey, Byron Lichstein and Meredith Ross. [Source] [Source]

 

US – DOJ Balks At Privacy Provision in Proposed Telephone Rules

U.S. federal regulators working on rules to secure the calling records and other private information of telephone customers are running into resistance from phone companies and law enforcement agencies. The rules, an effort by the FCC to combat “pretexting,” are circulating among the commissioners for comment and may be voted on this month. The departments of Justice and Homeland Security have taken issue with two possible provisions in the emerging rules, both of which have privacy advocates concerned. [Source]

 

AU – ACMA Issues Do Not Call Contract

The Australia Communications and Media Authority has selected the company to provide its $33 million national Do Not Call Register service scheduled to come into operation by the end of May. Once the register begins operation it will be unlawful, in the absence of consent, for any non-exempt telemarketer in Australia or overseas to contact a number listed on the register. [Source]

 

US – TiVo Sees If You Skip Those Ads

TiVo revealed the other day that it’s offering TV networks and ad agencies a chance to receive second-by-second data about which programs the company’s 4.5 million subscribers are watching and, more importantly, which commercials people are skipping. This raises a pair of troubling questions: Is TiVo, which revolutionized TV viewing with its digital video recording technology, now watching what people watch? And is it selling that sensitive info to advertisers and others? The answers, apparently, are no and no. “I promise with my hand on a Bible that your data is not being archived and sold,” said Todd Juenger, TiVo’s vice president and general manager of audience research and measurement. “We don’t know what any particular person is watching,” he said. “We only know what a random, anonymous sampling of our user base is watching.” Still, privacy advocates say TiVo’s new data service – dubbed StopWatch – reflects the growing ease with which companies could, if they so choose, collect and exploit vast amounts of information about consumers’ everyday habits. [Source]

 

US – CDT Faults U.S. Guidelines for Terror Information Sharing

A CDT analysis finds that privacy guidelines issued by the Bush Administration for the Information Sharing Environment are inadequate. The ISE is a potentially revolutionary system for exchanging personally identifiable information that was mandated by the intelligence reform act of 2004. Adoption of detailed guidelines to protect privacy was supposed to be a pre-condition for its development. Moving forward with the ISE without adequate guidelines jeopardizes privacy, due process and First Amendment rights. [Source] [CDT Analysis – ISE Guidelines]

 

US – US-VISIT Program Faces Strategic, Operational, and Technological Challenges

This testimony summarizes a December 2006 GAO report on the Department of Homeland Security’s (DHS) efforts to implement the U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) program at land ports of entry (POE). US-VISIT is designed to collect, maintain, and share data on selected foreign nationals entering and exiting the United States at air, sea, and land POEs. These data, including biometric identifiers like digital fingerprints, are to be used to screen persons against watch lists, verify identities, and record arrival and departure. This testimony addresses DHS’s efforts to (1) implement US-VISIT entry capability, (2) implement US-VISIT exit capability, and (3) define how US-VISIT fits with other emerging border security initiatives. GAO analyzed DHS and US-VISIT documents, interviewed program officials, and visited 21 land POEs with varied traffic levels on both borders. [Source]

 

US – USPS Receives Consumer Nod For #1 Gov’t Agency For Privacy Protection

The Ponemon Institute has released its “2007 Privacy Trust Study of the United States Government” in conjunction with the Federal Trade Commission’s launch of National Consumer Protection Week. Americans have given top privacy billing to the USPS for three consecutive years. The survey of more than 7,000 adults also found that Americans are still concerned about a “loss of civil liberties and privacy rights,” “surveillance into personal life” and “monitoring email and Web activities.” [Source]

 

US – House Introduces Four Privacy Bills … With One Runt in the Litter

27B Stroke 6 outlines four important pieces of privacy-protecting legislation that have either been recently introduced or received new life in the Democratically-controlled House of Representatives:

· The Prevention of Fraudulent Access to Phone Records Act, introduced by Dingell and Ranking Member Joe Barton (R-TX), and 24 original cosponsors, to prohibit pretexting of phone records and to enhance security requirements for customer proprietary network information.

· The Social Security Number Protection Act of 2007, introduced by Reps. Ed Markey (D-MA), Chairman of the Subcommittee on Telecommunications and the Internet, and Barton, and 22 original cosponsors, to strengthen the authority of the Federal Government to protect individuals from abusive acts and practices in the sale and purchase of Social Security numbers.

· The Securely Protect Yourself Against Cyber Trespass Act (or SPY ACT), introduced by Reps. Edolphus Towns (D-NY) and Mary Bono (R-CA), and 28 original cosponsors, to protect users of the Internet from unknowing transmission of their personally identifiable information through spyware programs.

· The Data Accountability and Trust Act (or DATA), introduced by Reps. Bobby Rush (D-IL), Chairman of the Subcommittee on Commerce, Trade and Consumer Protection, and Subcommittee Ranking Member Cliff Stearns (R-FL), and 22 original cosponsors, to protect consumers by requiring entities engaged in interstate commerce to have reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.

Crashing the party, however, is the Republican-supported Safety Act, which would compel all Internet service providers to track their customers’ online activities. [Source]

 

US – Republicans File Data Retention Bill

GOP lawmakers are pursuing legislation that would require Internet Service Providers (ISPs) to store information on users to help law enforcement in cybercrime efforts. The details of the retention requirements would be left to U.S. Attorney General Alberto R. Gonzales, who first urged Congress nearly a year ago to approve such regulations. The bill would require ISPs to store names, addresses, user identifications and telephone numbers. Employees of any Internet provider who fail to store that information will face fines and prison terms of up to one year, the bill says. However, Gonzales would have broad authority to write regulations that could require indefinite storage of other information. Privacy advocates are opposed to the legislation, which, as written, would also allow private litigants in civil cases to obtain the records. [Source] [Source]

 

US – Congress Plans Privacy Bills to Hold Retailers More Accountable for Breaches

Senators Patrick Leahy (D-Vt.) and Arlen Specter (R-Pa.) this week introduced legislation to protect consumers when their personal privacy is compromised by data breaches. First introduced in 2005, the Personal Data Privacy and Security Act is one of the stronger data-breach proposals put forward in Congress. U.S. Rep. Barney Frank, D-Mass., chairman of the House Financial Services Committee, favors a bill that would exempt companies from disclosing a breach if the compromised data was encrypted. More than 30 states have security breach laws, but most allow the company to delay notifying the banks while law enforcement investigates. However, Frank said retailers should be required to notify banks about security breaches to give financial institutions the opportunity to send customers new cards to thwart fraud. [Source] [Source] [Source] [Source]

 

US – Proposed Senate Bill Would Create Database of Illegal Images

A forthcoming bill in the U.S. Senate lays the groundwork for a national database of illegal images that Internet service providers would use to automatically flag and report suspicious content to police. The proposal, which Sen. John McCain is planning to introduce this week, also would require ISPs and perhaps some Web sites to alert the government of any illegal images of real or “cartoon” minors. Failure to do so would be punished by criminal penalties including fines of up to $300,000. [Source]

 

US – Politicians Call For E-Voting Paper Trails By ‘08 Election

A push is under way by congressional Democrats to enact legislation that would require paper trails to accompany all electronic voting machines in time for the 2008 presidential election. Sen. Dianne Feinstein said yesterday that she expects to introduce a bill within the next week that would revive earlier calls for such a mandate. [Source] [Feds Defend Oversight Of E-Voting Testing]

 

US – Georgia: Criminal Background Checks for All University Jobs Proposed

The University System of Georgia is planning to require all newly hired faculty and staff members to undergo criminal background checks, a policy that has drawn fire from an organization that represents professors in the state. The new policy would require a state and federal criminal history check covering a minimum of seven years, a Social Security check and, for those in professional, faculty and academic positions, an academic credentials check. The policy, which has not yet been adopted, has not gone over well on some university campuses. [Source]

 

US – Missouri Judge Blocks Employment Background Checks

Kansas City cannot enforce a new ordinance that called for background checks on municipal judge nominees, a federal judge ordered last week. U.S. District Judge Dean Whipple said he was concerned that the ordinance would pose a serious risk of invasion of privacy because it did not ensure that information such as SSNs would be protected and kept confidential. Whipple’s order came in response to a lawsuit filed by Melissa Howard, one of three finalists for a Kansas City municipal judge vacancy. The lawsuit argued that the background checks would be a license to examine personal information, with no guidance on who would have access to it or penalties for misuse. [Source]

 

CA – Ottawa School Board’s GPS to Watch for Truant Trucks

The Ottawa-Carleton School Board has put out a tender for a global positioning system to keep an eye on the 85 vehicles used by tradespeople who fix and maintain the city’s public schools. The installation will allow managers to keep a detailed record of vehicle use and improve the board’s response to emergencies. “It does gather information around speed, distances, helps us monitor and capture information around efficiency, et cetera,” said the board’s superintendent of facilities, adding that the plan was not prompted by any problems or incidents. But this week, the head of the union said he hadn’t heard about the system and doesn’t like the implications. “It’s sending a loud message to the employee: ‘We don’t trust you,’” said Andrew Horwood, president of the support staff unit of the Ontario Secondary School Teachers’ Federation. He added that the union will likely consider filing a grievance if the units are installed. [Source] [Public board plan to put GPS in vehicles riles union] [GPS use limited by PIPEDA]

 

US – Court: Employers Must Communicate e-Monitoring Policies

The Ninth Circuit Court of Appeals has confirmed that while employees may have a reasonable expectation of privacy in their workplace computers, an employer who has a policy of monitoring those computers may lawfully access that data and provide it to the government. [Source]

 

--------