Privacy News Highlights

09—16 February 2007

Contents:

US – U.S. Officials Seek to Share Biometric Information Internationally

CA – NDP to Filibuster Voter Photo ID Bill; Use of Voter Lists for Political Fundraising

CA – Feds Flunk SIN System, Says Auditor General

CA – New Brunswick Right to Information, Privacy Acts to be Reviewed

US – Lack of Info Feeds Public Outcries About Privacy, Experts Say

EU – Draft Laws Raise Privacy Concerns

EU – Bulgarian DP Fails to Protect Citizen’s Personal Data: Audit Report

US – Identity-Theft Risk Greatest In Major Cities

WW – Report: Mobility, Security Most Pressing IT Issues In 2007

EU – European Parliament Passes Resolution on SWIFT, PNR, & Transatlantic Dialogue

CA – Canadian Banks Reissue Credit Cards over Fraud Fear

AB – Manifests of Government Aircraft Flights to Be Made Available Online

WW – Novartis to Release Genetic Research Information

US – Electronic Medical Records Sound Good, Privacy an Issue, Says Survey

US – Missing VA Hard Drive Contains Personal Info for 535,000 Vets, 1.3 Million Doctors

US – Indiana State Government Site Security Breach

KR – Korean Web Sites Infect 92,000 PCs with Malware

US – Parents Puzzled by University Data Breach Notification

US – Indian Consulate Tosses Sensitive Data Into Recycling Center

WW – Credentica Releases Software Product for User-Centric Identity Management

WW – Identity Management Market Grows Rapidly, Driven by Regulation, Security Issues

CA – Vancouver Firm Major Force in OpenID Collaboration

US – RIAA to ISPs: Help Us Sue Your Customers Better

US – Illinois Bill Would Ban Social Networking Sites

US – Petition Would Require Audio-Visual Record of Contacts Between Police & Public

US – Job Seekers Take the Bait on Phishing Scam

US – Judge Dismisses Suit Against Myspace From Sex Assault

CH – China Provides Access to ID Database to Curb Fraud

AU – Police Lose Landmark Job Privacy Case

US – FTC Chairman: The Standard for Companies is ‘Reasonableness’

UK – U.K. Financial Company Fined for Laptop Theft

US – Report Supports Call For National Database of Academic Records

US – DHS Nixes Use of RFID in Border Security Program

US – Wal-Mart’s RFID Initiatives Run Into Problems

WW – Discover, Motorola Launch Cell-Phone RFID Payment Trial

US – Kodak Files Patent for Edible RFID Tag

US – Columbus Children’s Hospital to install RFID system

US – Patients, Doctors Staying Away From Implantable RFID Chips

US – Justice Dept. Says Lost FBI Laptops Still a Problem

UK – Used Computers Present ID Theft Risk

US – Raytheon Unveils ID Card, Fortifying RFID With Biometrics

EU – Belgian Gov’t to Set Up Electronic Card for Foreign Nationals in Belgium

EU – Gemalto Selected for the National Identity Project of Portugal

US – Federal Court Restricts NYC Police Surveillance

UK – Email Petition Opposes Vehicle Tracking, Road-Pricing

EU – European Commission Holds Privacy Workshop on Vehicle Tracking Systems

US – Case Against Sprint In NSA Suit Put On Hold

WW – Skype Reads BIOS and Motherboard Serial Numbers

CA – Wireless Network Needs Safety Net, Vancouver Police Say

US – TSA: Not Living Up to Its Middle Name

US – Congress Seeks ‘Bite’ For Privacy Watchdog

US – FOIA Processing Trends Show Importance of Improvement Plans: GAO

US – Proposed Legislation Would Require ISPs to Retain Customer Data Indefinitely

US – Bill Would Authorize FTC to Establish Data Privacy Requirements for Companies

US – Business Leaders Support Maryland Breach Notification Bill

US – Iowa Official Asks Lawmakers to Create Privacy Commission

US – State Opposition to Real ID Act Continues to Grow

US – Maine Senator Announces Legislation to Delay Implementation of Real ID

US – Death Certificates on Abortions Proposed in Tennessee

US – Kentucky Approves Measure to Add Online Identities to Sex Offender Registry

CA – EAP found in Contravention of Personal Information Protection Act

US – New Mass. Governor Looks to Limit Use of Criminal Background Checks

US – U.S. Officials Seek to Share Biometric Information Internationally

Homeland Security Department (DHS) official Robert Mocny says that governments and private companies should facilitate biometric data sharing to help fight the threat of terrorism. Officials working on a system that would allow an international exchange of biometric data permanently linked to individuals say that privacy controls should be built into new biometric data-sharing programs. However, privacy advocates question whether DHS has done a proper assessment of the biometric technologies and policies. “My question,” said Mr. Mocny, “is how is it ethical not to share?”  [Source]

 

CA – NDP to Filibuster Voter Photo ID Bill; Use of Voter Lists for Political Fundraising

The NDP vows to filibuster legislation that would require voter photo ID for the first time in Canadian federal electoral history and the handing over of vital personal information about voters to political parties and election candidates. Ottawa NDP MP Paul Dewar this week described the legislation as “a big brother bill” that risks widespread identity theft if voter lists with the birth dates of electors get into the wrong hands. Dewar and NDP House leader Libby Davies are mounting a last-ditch campaign against the bill as it heads to a final Commons vote. The legislation would require Elections Canada to assign a lifetime identifying number for each of the more than 22 million electors and put their birth dates on the permanent list of electors, which would be updated annually and made available to the political parties and candidates in each voting district. The bill specifically allows the parties to use the information for fundraising and soliciting electoral support. [Source] [Bill C-31]

 

CA – Feds Flunk SIN System, Says Auditor General

Canada’s federal government just doesn’t seem to have the knack for numbers. Eight years of rappings on the knuckles by the Auditor General still haven’t fixed this country’s Social Insurance Number (SIN) management system, according to the latest audit. In particular, two pressing issues dating back to 1998 remain unresolved. In her Status 2007 report tabled this week, Auditor General Sheila Fraser emphasized this was the fourth time since 1998 she had reported these problems and that the government should have fixed them by now. Fraser described the SIN management system as severely lacking, and stung the responsible department - HRSDC - for failing to adequately address the 1998 shortcomings. Once again, Fraser had to reprimand HRSDC for the quality and authenticity of information retained in the Social Insurance Register and for the government’s policies on how other federal departments may use the SIN management system. [Source] [Source] [Source] [Source] [Source]

CA – New Brunswick Right to Information, Privacy Acts to be Reviewed

A committee headed by Université de Moncton professor Donald Savoie has been formed to examine the Province’s Right to Information and Protection of Personal Information acts and make recommendations to enhance public access to government information while improving protections for personal information. The committee will be tasked with undertaking a comparative assessment of access and privacy legislation in other jurisdictions, including privacy legislation as it relates to health issues. The committee will produce a discussion paper which will identify key issues and propose a series of recommendations. The discussion paper will form the basis for broad consultations to be held throughout the province. “A review of access-to-information legislation cannot be undertaken in isolation from privacy laws - indeed, the two go hand in hand,” Savoie said. “My committee is undertaking a significant task in reviewing this legislation, and we will conduct extensive consultations with New Brunswickers and concerned institutions and agencies as part of the review process.” [Source]

 

US – Lack of Info Feeds Public Outcries About Privacy, Experts Say

Federal agencies need to do a better job of informing the public about measures taken to protect their sensitive and private information, current and former government officials say. A lack of information can lead to trouble, said several experts, speaking at the CTO Forum held by the Government Electronics and Information Technology Association. In some cases, agencies have been forced to end programs – such as data mining or surveillance projects – because of public outcry that stemmed from misperceptions that might have been better addressed with better information. “When we don’t get the kind of meaningful public debate, decisions get based on inadequate knowledge and the public gets in an uproar on things based on incorrect information,” said the director of the National Security Program at the nonprofit Markle Foundation. [Source]

 

EU – Draft Laws Raise Privacy Concerns

As European governments draft legislation to comply with the Data Retention Directive, privacy experts are concerned that the measures erode European privacy rights. A proposal in Germany would prohibit the use of fake information to create an email account. In the Netherlands, a proposal would force phone companies to save records that show the whereabouts of the caller during the entire call - which goes beyond what the directive requires. Peter Fleischer, Google’s European Privacy Counsel, said that Germany’s proposal is “an incredibly bad thing in terms of privacy.” Fleischer added that the requirement would be “totally unenforceable and would never work.” EU countries must approve legislation to implement the Data Retention Directive by 2009. [Source]

 

EU – Bulgarian DP Fails to Protect Citizen’s Personal Data: Audit Report

A recent report made public by the Bulgarian National Audit Office about the activity of the Commission for Personal Data Protection (CPDP) in Bulgaria in the period 1 January 2003 - 31 December 2005 shows that the CPDP has failed to achieve its main purpose - to protect citizens’ personal data. According to the report, the CPDP has spent approx. 1.35 million Euro on its activities, but has completed only 17 investigations in response to citizens’ complaints. The Commission has failed to create the mandatory registry of personal data processors and hasn’t imposed any sanction so far. [Source] [Audit Report of the CPDP] [Access to Information Programme – Bulgaria]

 

US – Identity-Theft Risk Greatest In Major Cities

Residents of New York, Detroit and Los Angeles are the most at risk of having their identity stolen, according to new research. By contrast, people in Wyoming run the lowest risk of identity fraud, according to ID Analytics. Other states with low rates of identity related fraud are Vermont and Montana, ID Analytics said. Its new research report was slated to be published this week. “Moving is a very dramatic way to reduce your identity risk,” Stephen Coggeshall, ID Analytics chief technology officer, said in an interview. “It is more appropriate for people to understand the risk of their area and to take the appropriate precautions.” Instead of inspiring people to move, ID Analytics’ research is meant to help law enforcement, Coggeshall said. “What’s most meaningful about these findings is that they can help identify specific areas where criminals may be operating in an organized manner,” he said. However, ID Analytics’ study gave no indication why people in certain areas of the country are at greater risk of identity theft. [Source] [Source] [Source] See also: [Credit monitoring doesn’t stop ID Theft; Better to Stop Data Thieves Cold] See also: [ID theft stats: going up or down?]

 

WW – Report: Mobility, Security Most Pressing IT Issues In 2007

The EQUS Group, a technology market research firm, has released a report based on interviews with 83 IT executives. The report, “Corporate Outlook for 2007: Security & Privacy,” indicates that mobility and security are the top concerns for IT execs in 2007. The interviews found that 77% ranked protection from attack as their most urgent concern, followed by proprietary data protection. [Source]

 

EU – European Parliament Passes Resolution on SWIFT, PNR, & Transatlantic Dialogue

The European Parliament adopted a resolution yesterday that calls on the Society for Worldwide Interbank Financial Telecommunication (SWIFT) to end its practice of “mirroring all data concerning EU citizens and enterprises in its US site or to move its alternative database site outside US jurisdiction.” The resolution also outlined difficulties related to drafting a data sharing agreement with the U.S. European authorities need the agreement to gain oversight of U.S. Treasury subpoenas on SWIFT. The U.S. requires SWIFT – which has a data center in the U.S. – to turn over data involving Europeans and other customers from around the world to U.S. authorities looking for evidence of terrorist financing. European privacy officials have called the data sharing illegal under European data protection laws, but they have been unable to prevent it. [Source] [Source] [Europe demands say on US data trawling]

 

CA – Canadian Banks Reissue Credit Cards over Fraud Fear

Three Canadian banks are issuing thousands of new credit cards to Canadians whose card numbers were stolen or exposed to potential fraud in a security breach at the company that owns the Winners and HomeSense retail chains. The banks say they are issuing the cards as a precaution. But one banking source said there are indications that some fraudulent purchases have been made on Canadian cards as a result of the breach. [Source] [Source] See also: [New Credit Cards May Leak Personal Information – many ‘contactless’ credit cards can leak their owner’s name and card number for reading at a distance]

 

AB – Manifests of Government Aircraft Flights to Be Made Available Online

Detailed information on who is flying on government aircraft, where they went and why they went is now available online on the Service Alberta website. “Premier Ed Stelmach made a commitment to Albertans that there would be more openness and transparency in the way the government conducts its business,” said Lloyd Snelgrove, Minister of Service Alberta, responsible for the government’s air transportation service. “This is one of the improvements we have in mind that will clearly demonstrate that the Premier and this government intend to make good on that promise.” Starting with flights originating in January 2007, the digital copy of the manifests will show when the flights took place; which government aircraft was used; where the flights began and ended; the purpose of the trip; and who was aboard. [Source]

 

WW – Novartis to Release Genetic Research Information

Some of the world’s biggest drug companies are finding that their genetic research is worth more to them if they give it away. Novartis has helped uncover which of the 20,000 genes identified by the Human Genome Project are likely to be associated with diabetes. But rather than hoard this information, as drug firms have traditionally done, it is making it available for free on the World Wide Web. [Source]

 

US – Electronic Medical Records Sound Good, Privacy an Issue, Says Survey

The potential benefits of electronic medical records (EMRs) sound appealing to most people, but when the issue of privacy is raised, many people become concerned about the potential for privacy abuses in EMR systems. However, most have read or heard nothing about EMRs, so public opinion is waiting to be formed. These are some of the findings of three different surveys, each of which contained some relevant questions on EMRs, which were conducted by Harris Interactive in 2006 and 2005. Two of these surveys were conducted with Dr. Alan F. Westin, Professor of Public Law & Government Emeritus at Columbia University. In reviewing these results, Dr. Westin commented, “Personal medical records have always been rated as highly sensitive by the American public. As programs to automate and interconnect patient medical records across the U.S. health care system proceed, it will be vital to track how patients see this affecting not only the quality and costs of health care, but also the confidentiality, privacy and security of their personal health information.” Many people know virtually nothing about the current campaign to adopt EMRs throughout the U.S. health care system. Only 29% claim to have read or heard anything about them. Therefore, it is important to point out that mass public opinion about EMR systems does not yet exist. How public opinion develops, as public knowledge and awareness of EMRs grow, will therefore depend on reports in the media on the advantages and disadvantages they offer. [Source] See also: [Baylor Health network starts linking patient data]

 

US – Missing VA Hard Drive Contains Personal Info for 535,000 Vets, 1.3 Million Doctors

The scope of a breach related to a missing hard drive is greater than originally thought, according to new information on the latest breach involving the Department of Veterans Affairs. The VA began notifying 1.8 million veterans and doctors this week that their information may be on a portable hard drive reported missing last month from an Alabama VA facility. The portable hard drive was used to back-up data on a VA employee’s office PC. Initial reports indicated that the drive contained information on 48,000 veterans and was not encrypted. [Source] [Source] [Source] [Source] [Source] [Source]

 

US – Indiana State Government Site Security Breach

An Indiana state government web site, www.IN.gov, experienced a security breach that exposed 5,600 credit card numbers of individuals and businesses. Normally, stored card information is encrypted or shortened to the last four digits, but in this case, the entire card numbers were stored in unencrypted form. State technology officials have sent notification letters to the individuals and businesses affected by the breach and have informed the US Secret Service of the attack. [Source] [Source] [Source]

 

KR – Korean Web Sites Infect 92,000 PCs with Malware

According to the Korea Information Security Agency (KISA), 1,000 Korean online game-related web sites were infected with malware, resulting in 92,000 infected PCs. KISA has informed the sites of the problem and urged them to cleanse their sites of the malware. The attackers’ aim was apparently to intercept gamers’ IDs and passwords. KISA says 620,000 PCs were attacked through a known flaw in Microsoft Windows, but most were protected as they had applied the latest Microsoft patches. The agency also urged computer users to obtain automatic security updates. [Source]

 

US – Parents Puzzled by University Data Breach Notification

A number of Radford, Virginia-area parents with young children have received letters from Radford University (RU) telling them their children’s SSNs and dates of birth may have been compromised in a security breach at the university’s Waldron School of Health and Human Services. A university spokesperson declined to comment on why the young children’s information was in their computer system, but an area television station discovered that the parents who had received the letters had all provided their children’s information when enrolling them in a health insurance program. RU at one time had an outreach grant to promote and help families enroll in the program. RU sent out 2,400 notification letters; about 100 RU students were also affected by the breach. [Source] [Source]

 

US – Indian Consulate Tosses Sensitive Data Into Recycling Center

Thousands of visa applications containing confidential information belonging to individuals in 14 states sat exposed for more than a month in the yard of a California recycling center after being dumped there by the Indian consulate in San Francisco. The documents contained the names, dates of birth, addresses and other passport details of people who had applied for an Indian visa between 2002 and 2005.  An official at the Indian consulate said the San Francisco facility had run out of storage space and hired a company to take boxes containing the visa paperwork and other documents to a local recycling yard – where it was assumed they would be destroyed. Instead, the boxes marked “visa applications” were simply dumped in a publicly accessible yard at the recycling center where they remained for more than a month. The gaffe was exposed by the San Francisco Chronicle earlier this month. The newspaper story quoted Consul General B.S. Prakash as saying he didn’t consider the documents to be confidential because they didn’t include Social Security or credit card numbers. [Source]

 

WW – Credentica Releases Software Product for User-Centric Identity Management

Credentica, a Montreal-based provider of innovative security software for identity and access management, has announced the immediate availability of its U-Prove product for user-centric identity management. The U-Prove product enables organizations to protect identity-related information with unprecedented security throughout its lifecycle, wherever it may travel. It is tailor-made for online user authentication that must withstand phishing attacks, for sharing identity information across disparate domains, and for creating the digital equivalent of the cards in one’s wallet. At the same time, the U-Prove product enables critical privacy functions. For example, it enables online users to seamlessly authenticate to any number of sites without giving rise to unwanted profiling or surveillance capabilities, to transfer data between unlinked accounts, and to store digitally signed audit trails that prove the transactions they engaged in. These functions have been specifically designed to meet data protection requirements in Government Online, Electronic Health Record management, cross-domain enterprise identity and access management, and Trusted Computing. [Source]

 

WW – Identity Management Market Grows Rapidly, Driven by Regulation, Security Issues

The Radicati Group’s latest study, “Identity Management Market, 2007-2011” provides market size, four-year forecasts, technology trends, and competitive information for the Identity Management market. Identity Management solutions are becoming widely used corporate products, helping companies to protect and manage their IT resources, as well as roles and access privileges of internal and external users. The demand for Identity Management suites continues to be dominated by security and cost-cutting benefits; however, regulatory compliance is becoming equally important, especially for companies in North America. Various regulations, including the Sarbanes-Oxley Act, HIPAA, and others, may require companies to provide audit trails of all user actions to government auditors, and oblige top executives to be certain that no users have violated their access rights or used digital resources inappropriately. [Source]

 

CA – Vancouver Firm Major Force in OpenID Collaboration

The problem of having multiple Internet identities – being forced to employ user names and passwords for every website that requires a sign-in – may become a lot easier to handle. And that’s thanks, in part, to Vancouver-based Sxip Identity, headed by entrepreneur Dick Hardt. Sxip – a major force in the open-source OpenID 2.0 project aimed at giving users a universally recognized user-centric online identity – is one of three companies that will be working with industry giant Microsoft on what’s being called Identity 2.0. Sxip, along with Verisign and JanRain, will collaborate on interoperability between OpenID and Microsoft’s new identity product Windows CardSpace. “These are two leading user-centred mechanisms,” said Hardt last week in an interview from the RSA Conference in San Francisco where Bill Gates made the announcement of the collaboration. “By starting to work together, we’re starting to converge Microsoft’s CardSpace and OpenID.” [Source]

 

US – RIAA to ISPs: Help Us Sue Your Customers Better

As if suing thousands of music fans isn’t bad enough, now the RIAA wants to conscript ISPs into helping them streamline the shakedowns. The major record labels sent a letter to ISPs across the country asking them to trade away customers’ rights and make the overzealous file sharing lawsuits more profitable – and the RIAA even has the audacity to suggest that this is all for your own good. ISPs currently have no obligation to maintain IP log files, and that’s a good thing when it comes to protecting your privacy. Those log files can serve as Internet breadcrumbs – your ISP and any third party that has access to them can retrace your online activities. But the RIAA wants ISPs to maintain (and disclose) a customer’s IP logs for six months whenever the RIAA says the user may have infringed copyright. In exchange, the record companies will reduce their initial lawsuit settlement demands. Of course, the actual customer would have no say in the matter. The RIAA letter says it wants the information kept because it could “exculpate” the customer, but of course those same records can also implicate the user. Funny, the labels don’t mention that. EFF and others have long warned that copyright claims could become an altar on which personal privacy is sacrificed. [Source] [RIAA Admits ISPs Have Misidentified “John Does”]

 

US – Illinois Bill Would Ban Social Networking Sites

Library blogger Michael Stephens is reporting that an Illinois state senator, Matt Murphy (R-27, Palatine), has filed a bill that “Creates the Social Networking Web site Prohibition Act. Provides that each public library must prohibit access to social networking Web sites on all computers made available to the public in the library. Provides that each public school must prohibit access to social networking Web sites on all computers made available to students in the school.” Here is the bill’s full text. This local effort harks back to an attempt last May to get federal legislation banning school and library use of social networking sites (Wikipedia summary here). The DOPA bill passed the House but died in the Senate.

 

US – Petition Would Require Audio-Visual Record of Contacts Between Police & Public

A notice posted on California Secretary of State Debra Bowen’s Web site outlines a petition that would “require peace officers to create an audio-visual recording of all contacts with or searches of citizens.” The petition “Requires that a copy of the recording be provided to affected citizens who are arrested and charged with a crime.” The costs are unknown, said the notice, but could potentially cost “hundreds of millions of dollars on a one-time basis, with ongoing costs in the tens of millions of dollars.” [Source]

 

US – Job Seekers Take the Bait on Phishing Scam

A Washington Post article discusses a sophisticated phishing scam, which in recent months has targeted thousands of job seekers on such popular Web sites as Monster.com and CareerBuilder.com. Phishers send out seemingly legitimate e-mail in an attempt to get people to reply with personal information then used in a variety of scams. [Source]

 

US – Judge Dismisses Suit Against Myspace From Sex Assault

A judge has dismissed a lawsuit against the social networking Web site MySpace filed by the family of a 13-year-old girl who says she was sexually assaulted by a 19-year-old man she met online. The $30 million lawsuit accused the site of having no measures to protect children who use it. [Source] [Commentary]

 

CH – China Provides Access to ID Database to Curb Fraud

Con artists and swindlers in China who try to use fake ID will have a tougher time trying to pass themselves off as someone else now that the public has access to the Ministry of Public Security’s population database. Anyone can now send a text message or visit the website of the country’s population information center to check if the name and the ID number of a person’s identity card match. If they do match, the ID cardholder’s picture also appears, said the Ministry, adding that no other information is available, to ensure a citizen’s privacy is protected. Completed at the end of 2006, China’s population information database, the world’s largest, contains personal information on 1.3 billion citizens. Giving the public access to the database is also designed to correct mistakes if an individual discovers that their name, number and picture don’t match. Millions of dollars are lost each year to people who use false identities. According to the Ministry of Public Security, about 90% of people who commit crimes hold fake ID cards. [Source] See also: [China to renew 200 mln ID cards in 2006] [Overlapped ID numbers affect one mln people]

 

AU – Police Lose Landmark Job Privacy Case

Police who vet the job applications of nearly half a million New Zealanders each year have lost a landmark privacy case after revealing suppressed details of a failed court case to an employer. The job applicant won a $12,500 damages payout after taking his case to the Human Rights Review Tribunal. The case reveals details of a little-known informal police file of “notings” – as opposed to criminal convictions - recorded at the Police National Intelligence database. [Source]

 

US – FTC Chairman: The Standard for Companies is ‘Reasonableness’

FTC Chairman Deborah Platt Majoras outlined for RSA Conference attendees what companies need to do when it comes to protecting consumers’ personal information. Companies should deliver on consumer promises they make about data security. They also must be aware of the common threats to security and take action to protect against them. Majoras added that companies should not store information they don’t need. Since 2001, the FTC has taken 14 enforcement actions against companies related to their data security efforts. Majoras said that the FTC’s standard is “not perfection, but reasonableness.” [Source]

 

UK – U.K. Financial Company Fined for Laptop Theft

Nationwide Building Society, a U.K. financial services provider, has been fined $1.9 million after a laptop containing sensitive customer data was stolen from an employee. The Financial Services Authority hit Nationwide with the fine last week, following an investigation into the theft, which occurred in November 2006 at the employee’s house. [Source] [Source]

 

US – Report Supports Call For National Database of Academic Records

The Lumina Foundation for Education, a private, independent foundation, recently released a report regarding the use of student unit record (SUR) databases, or state records that contain information from college and university registrars on student enrollment. While plans to create a national SUR database have generated concerns over student privacy issues, the study highlights the possible benefits of doing so. According to the report, 40 states have operating SUR databases. These 40 SUR databases cover 81% of the nation’s higher education enrollment. The 10 states that do not have SUR databases are considered to be “fairly small,” with the exception of Michigan and Pennsylvania. Each of the 40 states with databases keeps SURs for public institutions. Four states also include information on all independent and non-profit colleges. The Commonwealth and two other states are about to join these four with full participation, according to the report. [Source]

 

US – DHS Nixes Use of RFID in Border Security Program

The Department of Homeland Security is abandoning plans to use radio frequency identification (RFID) technology in a key part of its border security system after it failed to work as expected in a 15-month test. A spokeswoman for the DHS border security program said the agency is now “exploring alternatives,” such as biometric technologies, for tracking foreign visitors as they pass through checkpoints entering and exiting the U.S. The agency tested the technology in an effort to improve its U.S. Visitor and Immigration Status Indicator Technology (US-VISIT) program, created by Congress in Jan. 2004 to track foreign nationals within the United States. The US-VISIT spokeswoman said the agency hoped to use RFID technology to automate and speed up the process of getting an accurate record of who left the country. A testing period from Aug. 2005 to last November found the technology wanting for multiple reasons, DHS officials said. DHS Secretary Michael Chertoff disclosed the failure of the technology on Feb. 9 in testimony to the Homeland Security Committee of the U.S. House of Representatives. In his testimony, Chertoff cited a Government Accountability Office (GAO) report, released on Jan. 31, that also found the RFID test to be a failure due to performance and reliability problems. [Source]

 

US – Wal-Mart’s RFID Initiatives Run Into Problems

Wal-Mart has pushed its suppliers to use exotic radio-activated tags to chop labor and inventory costs anew. But tests using the tags aren’t showing any savings, and suppliers forced to invest in the relatively expensive technology are grumbling. Wal-Mart once hoped to have up to 12 of its roughly 120 distribution centers using the Radio Frequency Identification, or RFID, technology by January 2006. But so far it has installed the technology at just five, plus 1,000 stores. [Source]

 

WW – Discover, Motorola Launch Cell-Phone RFID Payment Trial

Discover Financial Services, the fourth-largest credit-card organization in the U.S., has launched a technology trial to test a new mobile banking and RFID-enabled payment platform in collaboration with cellphone handset maker Motorola. The ability to make payments, however, is just part of the scope of the trial, which is also an initial trial of Motorola’s M-Wallet technology. M-Wallet is a service Motorola has been developing for a number of years to enable such mobile banking applications as making payments via NFC technology. Other applications include using a mobile phone to check account balances, redeem electronic discount coupons and make person-to-person money transfers. These applications happen through data communications via the cellular phone network, whereas the payments occur through RF transmissions with RFID-enabled payment terminals at stores and restaurants. All 1,000 participants in the Discover-Motorola trial are Discover employees with Discover credit-card accounts, located in and around Chicago and Salt Lake City. [Source]

 

US – Kodak Files Patent for Edible RFID Tag

NewScientist.com has uncovered a recently filed patent application from camera and imaging technology giant Kodak that outlines a compelling new application of RFID: ingestible tags that act as monitors for health characteristics within the human body. The idea is that the RFID tag antenna – the critical component which allows data to broadcast – be composed of organic material that would dissolve as a result of certain chemical reactions within the human body. Once dissolved, the tag antenna, and therefore the tag itself, would stop transmitting a signal, indicating that the targeted chemical reaction had occurred. Kodak calls them “fragile tags”. [Kodak patent application]

 

US – Columbus Children’s Hospital to install RFID system

Healthcare technology provider Mobile Aspects will be implementing an RFID-enabled inventory management system at Columbus Children’s Hospital to manage and track congenital heart care supplies. According to the announcement, the iRISupply system will automate key processes in patient care including charge capture, inventory management, and device expiration management. [Source]

 

US – Documenting the Drug Chain with RFID: Two e-Pedigree Programs Begin

In an effort to maintain the quality and security of pharmaceuticals, and to reduce counterfeiting, many drugmakers are turning to electronic pedigree (e-pedigree) software to document the movement of their drugs through the supply chain. Pfizer is readying its first e-pedigree trial for a 2007 launch. The drugmaker will use RFID to document the movement of bottled Viagra leaving its facilities, bound for distributors, wholesalers and other partners. Software will create the e-pedigrees – secure files that store unique ID numbers culled from the bottles’ RFID tags, along with shipping and transaction data, lot numbers and other pertinent information. The firm already utilizes an RxAuthentication Service to verify the authenticity of RFID tags on drugs it receives; more than 300,000 authentications have been performed on RFID-tagged Viagra bottles to date. Purdue Pharma, meanwhile, plans to begin RFID-tagging every bottle and case of OxyContin it produces. After the bottles are labeled, interrogators will collect tag data at multiple points and pass it on to software, supplied by automated packaging systems provider Systech International, that will act as a repository for all tag data. This data will then be available for incorporation into an RFID-based e-pedigree platform. Although Purdue is not currently using such an e-pedigree system, it hopes to do so as it implements the Gen 2 technology.

 

US – Patients, Doctors Staying Away From Implantable RFID Chips

An RFID chip company got a ho-hum response to its initial public offering, partly because only 222 people have gotten chipped. Putting RFID chips into people’s arms is, it turns out, not a booming business. VeriChip, which has created a system for putting RFID chips into humans for medical-record tracking, held an initial public offering on Friday, and the company’s stock has been struggling ever since. The stock is currently trading at around $6.15. The company released 3.1 million shares in the IPO for $6.50 a share. Part of the problem is likely the lackluster sales for the company’s most famous product. [Source] [Implantable RFID May Be Easy, But That Doesn’t Mean It’s Ethical]

 

US – Justice Dept. Says Lost FBI Laptops Still a Problem

The U.S. Justice Department’s inspector general said yesterday that the FBI reported 160 laptop computers as lost or stolen in less than four years, including at least 10 that contained highly sensitive classified information, and one that held “personal identifying information on FBI personnel.” The IG said the FBI is reducing the number of thefts and disappearances of weapons and laptop computers, but the bureau acknowledged in a statement that “more needs to be done.” [Source]

 

UK – Used Computers Present ID Theft Risk

A survey of 329 British companies has found that less than half use expert firms to properly dispose of their used computers. ID thieves are able to retrieve sensitive data from used hard drives. The problem is especially acute in West Africa, where ID theft and other scams are prevalent. Another concern is that many companies sell their used computers to second-hand dealers who are ill-equipped to properly clean the sensitive data from the PCs. [Source]

 

US – Raytheon Unveils ID Card, Fortifying RFID With Biometrics

The Intelligence and Information Systems business division of government defense, aviation and technology company Raytheon has unveiled a new RFID-based identification card. Dubbed the PAD—which stands for personal authentication device—this card incorporates a fingerprint biometric authentication function. The company is pitching the PAD for use in border security programs run by both the Department of Homeland Security (DHS) and the Department of State. [Source]

 

EU – Belgian Gov’t to Set Up Electronic Card for Foreign Nationals in Belgium

Steria, which provided the IT infrastructure and services used to roll out the original Belgian electronic identity card, is currently adapting these solutions to produce an electronic card for foreign nationals living in the country. Foreigner@Card was designed and will be launched as part of the existing BELPIC (Belgian Personal Identity Card) project. Steria will undertake the adaptations required to create this new electronic card, at central level (National Register) and for the 3 municipalities selected to pilot the new project. It was in June 2006 that the Belgian Council of Ministers decided to set up Foreigner@Card, an electronic card for foreign nationals with valid residence permits. A pilot version of the project was launched at the end of December. The Belgian government plans to equip the entire country by autumn 2007. The Ministry of the Interior and all Belgian municipalities currently issue paper versions of the card for foreign nationals. The long-term objective is to replace these paper versions with electronic cards that can store certificates and will be issued in a controlled, secure environment, in line with the Belgian identity card. This new card will enable foreign nationals residing in Belgium to benefit from the online services provided by the country. [Source]

 

EU – Gemalto Selected for the National Identity Project of Portugal

Gemalto has announced that it has been selected by Portugal to provide the solution for the national e-ID card including the secure operating system, the personalization system and applications, the middleware and associated helpdesk services. A first pilot phase is starting this week; eventually all Portuguese citizens will be able to use the high-end cards including a built-in biometrics feature (fingerprint) as their national ID document. The new card, called the “Citizen Card,” will include several ID numbers such as civil identification, taxpayer, social security and health and will also replace, in the future, the elector card. A variety of e-government services will be available through the electronic ID provided by the new Citizen Card. [Source]

 

US – Federal Court Restricts NYC Police Surveillance

In a rebuke of a surveillance practice greatly expanded by the New York Police Department after the Sept. 11 attacks, a federal judge ruled this week that the police must stop the routine videotaping of people at public gatherings unless there was an indication that unlawful activity may occur. Four years ago, at the request of the city, the same judge, Charles S. Haight Jr., gave the police greater authority to investigate political, social and religious groups. [Judge Restricts New York Police Surveillance, New York Times, February 16, 2007] [Source]

 

UK – Email Petition Opposes Vehicle Tracking, Road-Pricing

An Internet petition opposed to the UK government’s plans for nationwide congestion charging and vehicle tracking reached 100 million signatures less than three months after it was posted on a Web site. However, the government said it would continue with its plans to commission road-pricing trials. A government official said that the petition was misguided in stating that the drivers’ movements would be monitored. The official said that “any system, to secure support, would need to address the issue of personal privacy.” [Source]

 

EU – European Commission Holds Privacy Workshop on Vehicle Tracking Systems

The European Commission organized a 13 February workshop on privacy and data protection issues with regard to in-vehicle telematics and cooperative systems. The workshop’s objective is to discuss how to deal with privacy issues in the design of telematics services and applications. The agenda will discuss experiences of EC-funded projects in this area and present various case studies. Experts from the industry (vehicle manufacturers, equipment suppliers, telecommunications), security in electronic communications, as well as representatives from data protection authorities will be invited in order to elaborate guidelines for tackling these issues. [Agenda for 13 February EU In-vehicle Telematics and Co-operative systems – Workshop on privacy and data protection issues]

 

US – Case Against Sprint In NSA Suit Put On Hold

A U.S. judge issued an order on Wednesday putting on hold court proceedings against Sprint Nextel, which faces a lawsuit claiming it helped the U.S. National Security Agency track international calls. The stay order by U.S. District Court Judge Vaughn Walker will put the lawsuit on hold pending an appellate review of the Hepting v. AT&T lawsuit in the U.S. Ninth Circuit Court of Appeals. [Source]

 

WW – Skype Reads BIOS and Motherboard Serial Numbers

Skype is reading and storing the BIOS and motherboard serial numbers of its Windows users. The situation was uncovered because of an error message generated when Skype is executed on 64-bit versions of Windows. [Source] [Source] [Skype responds]

 

CA – Wireless Network Needs Safety Net, Vancouver Police Say

Vancouver’s goal of becoming a free Wi-Fi city is still in its planning stages but security concerns have already been raised about allowing any user to access the Internet anywhere in the city. Police are concerned that unrestricted wireless access would give criminals an advantage by making it more difficult to track them. In a report earlier this month to city council, staff said a private partner is necessary to make the project work. The staff report outlined four options: a private-public partnership, building the wireless network as a public utility for the city, handing the project over completely to the private sector, or doing nothing at all. None of the options mitigate the security risks completely, said Shari Wallace, acting director of information technology for the city. [Source]

 

US – TSA: Not Living Up to Its Middle Name

The Transportation Security Administration is extending an olive branch to airline travelers who have been delayed or prevented from boarding a plane on account of their name matching an identical one on the agency’s “no-fly” list. The TSA recently created a Web site designed to help disgruntled detainees clear their name. However, the would-be passenger must supply some personal data, including date and place of birth, as well as identifying numbers for a driver’s license, birth certificate or passport. This could be a useful service. But TSA is not living up to its middle name - Security. TSA and the contractor that built the site have overlooked a key piece of cyber protection. The site requests a lot of personal information. When a person clicks on “submit form,” it transmits an individual’s data to TSA without the benefit of the secure data transfer offered by secure sockets layer. [Source]

 

US – Congress Seeks ‘Bite’ For Privacy Watchdog

Key U.S. lawmakers want to replace the five-member Privacy and Civil Liberties Oversight Board, a White House privacy and civil liberties board created by Congress in 2004, with one that is more independent of the president. The idea is to make the board more like the one envisioned by the bipartisan 9/11 Commission. [Source]

 

US – FOIA Processing Trends Show Importance of Improvement Plans: GAO

GAO testified on the results of its study on FOIA processing and agencies’ improvement plans. The draft report on the study is currently out for comment at the agencies involved (and is thus subject to change). For the study, GAO reviewed status and trends of FOIA processing at 25 major agencies as reflected in annual reports, as well as the extent to which improvement plans contain the elements emphasized by the Executive Order. To do so, GAO analyzed the 25 agencies’ annual reports and improvement plans. [Source] [Freedom of Information Act: Processing Trends Show Importance of Improvement Plans. GAO-07-491T, February 14] [Highlights]

 

US – Proposed Legislation Would Require ISPs to Retain Customer Data Indefinitely

US Congressman Lamar Smith (R-Tex.) has introduced the Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act of 2007 (SAFETY Act), which would require ISPs to retain, at a minimum, subscriber names, addresses, telephone numbers and Internet protocol addresses to “permit compliance with court orders that may require production of such information” indefinitely. ISPs failing to comply would face fines and a one-year prison term. [Source] [ACLU Condemns Bill Eliminating Online Privacy] [SAFETY Act Spurs Blog Protests, Misinterpretations] [Privacy Groups Hit ISP Data Storage Bill]

 

US – Bill Would Authorize FTC to Establish Data Privacy Requirements for Companies

US Congressional representatives Bobby Rush (D-Ill.) and Cliff Stearns (R-Fla.) last week introduced the Data Accountability and Trust Act, which would authorize the FTC to establish data privacy requirements for businesses. Companies would be required to conduct vulnerability assessments and develop and implement policies for eliminating data they no longer need. US legislators will be looking at a number of other technology-related bills as well. [Source]

 

US – Business Leaders Support Maryland Breach Notification Bill

Industry representatives are supporting a bill that would require Maryland businesses to notify consumers within five days after personal information has been lost or is at risk of misuse. The bill’s momentum comes in the aftermath of security breaches at Johns Hopkins University and another incident involving the Department of Veterans Affairs. A corporate lobbyist said companies would prefer a federal security breach notification law, but “that doesn’t seem to be on the horizon.” [Source]

 

US – Iowa Official Asks Lawmakers to Create Privacy Commission

Iowa Ombudsman Bill Angrick wants to create a privacy commission to review government practices related to posting public records online that contain sensitive information, such as SSNs. The ombudsman’s office also is proposing a bill that would require the redaction of all SSNs from public records before they are released. The bill also would require the state to notify the public of any security breaches. [Source]

 

US – State Opposition to Real ID Act Continues to Grow

The Illinois Legislature is expected to address the state’s compliance with the Real ID Act, which is scheduled to take effect in May 2008. The law requires the states to issue a national driver’s license to help prevent terrorists and illegal immigrants from obtaining fake identification. While Illinois awaits the federal government’s issuance of regulations for the licenses, some states are balking at the cost of the mandate. Other objections center around privacy concerns. [Source] See also [Utah House panel says national ID cards violate rights] and [Nevada Legislators protest Real ID requirements] and [Real ID sparks controversy in Idaho] [Chertoff defends Real ID mandate] [Pennsylvania Resolution Would Seek Changes In Real Id Act] [Illinois Lawmakers Look at Cost, Privacy Issues Related To New Driver’s Licenses]

 

US – Maine Senator Announces Legislation to Delay Implementation of Real ID

U.S. Senator Susan Collins of Maine, ranking member of the Senate Homeland Security Committee, has announced that she is introducing legislation to delay the implementation of the Real ID Act of 2005, providing states a more reasonable time frame to comply with the new federal security standards for drivers’ licenses. The legislation would also require the Department of Homeland Security to take into account the concerns and challenges associated with states’ compliance. [Source] [Source] [Source] [Source]

 

US – Death Certificates on Abortions Proposed in Tennessee

Legislation introduced in Tennessee would require death certificates for aborted fetuses, which likely would create public records identifying women who have abortions. Rep. Stacey Campfield, a Republican, said his bill would provide a way to track how many abortions are performed. The number of abortions reported to the state Office of Vital Records is already publicly available. The office collects records - but not death certificates - on abortions and the deaths of fetuses after 22 weeks gestation or weighing about 1 pound. The identities of the women who have abortions are not included in those records, but death certificates include identifying information such as Social Security numbers. House Judiciary Chairman Rob Briley, a Democrat, called Campfield’s proposal “the most preposterous bill I’ve seen” in an eight-year legislative career. “It is totally inconsistent with everything the law contemplates as it relates to anything close to that subject,” he said. [Source]

 

US – Kentucky Approves Measure to Add Online Identities to Sex Offender Registry

In the Kentucky Senate, a bill that would require registered sex offenders to list their online identities on the state registry that already contains their names and addresses was approved by the Senate Judiciary Committee this week. Senate Bill 65 covers e-mail addresses, instant message screen names, and any online identities used by registered sex offenders. If approved, SB 65 could be the first law of its kind in the nation. [Source]

 

CA – EAP found in Contravention of Personal Information Protection Act

The Alberta Information and Privacy Commissioner has found that Wilson Banwell Human Solutions contravened the Personal Information Protection Act (PIPA) by disclosing more personal information than was necessary to a complainant’s employer. The investigation also determined Banwell contravened PIPA by disclosing the complainant’s personal information to a union for purposes that were not reasonable, and to an extent that was not reasonable. Investigation report at: P2007-IR-001.

 

US – New Mass. Governor Looks to Limit Use of Criminal Background Checks

Gov. Deval Patrick is exploring a plan to limit employers’ access to the criminal records of job applicants. Under consideration is a legislative change in the Criminal Offender Record Information law, which currently allows employers approved by the state’s Criminal History Records Board to review an applicant’s record. Past efforts to amend the law have not prevailed in the Legislature. The effort is likely to run into resistance from state prosecutors, who say that employers need access to the information to ensure public safety. 10,000 organizations have access to the criminal records. [Source]

 

--------