Privacy News Highlights
25 May–01 June 2007
Contents:
WW – NIST Tests Show Better Face Recognition Software
EU – Dutch Pot Shops to Fingerprint Customers
US – Liquor Stores May Ask For Customers’ Fingerprints
US – FBI Plans Big Tent for Biometrics
CA – Ontario Privacy Report Cites Record Number of Complaints, Lack of Transparency
CA – Privacy Commissioner Report Highlights PIPEDA Woes
CA – Information Czar Gives Failing Grade to Mounties
CA – Reasonable Expectation of Privacy Workshop Movies Available
UK – UK Information Commissioner Urges Caution on Data Sharing
WW – Email Users: Spam on the Rise in Wake of CAN-SPAM
EU – European Commission to Consider Identity Theft Legislation
UK – A Humiliating Retreat on Plan to Exempt MPs from FOI Laws
CA – Ontario Court: Historic Blow for Freedom of Information
US – California Jurists Not Swayed on Police Privacy Rights
CA – Secret Health Documents Sold at Saskatoon Auction
US – ChoicePoint Settles With 43 States, D.C. Over Data Breach
US – Woman Falsely Labeled a Sex Offender by MySpace
UK – Calls for Brown to Confirm ID Card Future
CA – Impact of Passport Plan Unknown, Professor Says
CA – Canadian Port Workers to Get Security ID Cards
WW – Privacy Concerns Arise Over Apple's DRM-Free Tracks
EU – EU Privacy Chief Defends Google’s Privacy Protections
UK – Data Misuse Threat to Trust in Police IT
US – U.S. Company Faces Fine for Unauthorized Overseas Data Transfer
EU – Data Protection Watchdogs Express Concerns about Google Practices
WW – Restrict Google Image Results to Faces, News
WW – Facebook Adds New Features to Compete With MySpace, YouTube
CA – Ontario’s Privacy Chief Warns Teens to Protect Their Privacy Online
US – Poll: Americans Distrust Real ID as Unacceptable Privacy Threat
US – FTC Investigating Google/DoubleClick Deal
US – California State Senate Passes RFID Legislation
WW – Wi-Fi-based RFID Expected to Grow 100 Percent Annually
US – NIST Readies Guidance on IT Security Assessments
US – Border-crossing PASS Card Won't Jeopardize Privacy: NIST
UK – 90% of CCTVs Violate Privacy Law: CameraWatch
US – DHS Still Faces Substantial Privacy Assessment Backlog: GAO
US – Congress to Hold Hearing on Employment Verification System
US – White House Publishes Breach Response Rules
US – Social Security Agency Revisions to Privacy and Disclosure Rules
US – CDT Offers Recommendations on Model Privacy Form
US – Tennessee Gov. Signs ID Theft Protection Measure
US – Ohio Lawmakers Approve Credit Freeze Legislation
US – Adoptee Rights Bill Revived in Connecticut Senate
WW – NIST Tests Show Better Face Recognition Software
For scientists and engineers involved with face-recognition technology, the
recently released results of the Face Recognition Grand Challenge—more fully,
the Face Recognition Vendor Test (FRVT) 2006 and the Iris Challenge Evaluation
(ICE) 2006—have been a quiet triumph. Sponsored by the National Institute of
Standards and Technology (NIST), the comparison of face-recognition algorithms
showed that machine recognition of human individuals has improved tenfold since
2002 and a hundredfold since 1995.
Indeed, the best face-recognition algorithms now perform more accurately than
most humans can manage. Overall, facial-recognition technology is advancing
rapidly. [Source] [NIST Report]
EU – Dutch Pot Shops to Fingerprint Customers
Coffee shops licensed to sell marijuana in the
southern Dutch city of Maastricht will begin fingerprinting customers and
scanning their IDs this summer to help prove they’re following rules governing
such sales. In particular, the measures are expected to help stores show they
are not selling to underage customers and that they haven’t sold more than the
maximum permitted to a customer on a given day. Shops in Rotterdam and several
Dutch border cities were considering following suit. “We’re very afraid we’re
going to lose customers over this, and to be honest we’re even a little ashamed
we’re doing it, but the city of Maastricht has such harsh punishments that we
don’t feel we have any choice,” said the chairman of the Union of Maastricht
Coffee Shops. [Source] See also: [Irish Schools lining up to fingerprint pupils]
US – Liquor Stores May Ask For Customers’ Fingerprints
Texas liquor stores may ask customers to hand over
their fingerprints to verify their age. Clerks at Centennial Fine Wine and
Spirits will ask for identification from any customer who doesn’t look at least
40. More than two dozen states allow stores to use fingerprints, scanning them
into an electronic verification system after a customer first shows proof of
age with a legal identification card. Now Texas lawmakers may allow retailers
to set up their own systems. “It would be like a check verification system that
we already implement now where their fingerprint is on file, and if they’re a
regular customer, then we can always go back to that fingerprint,” Phillips
said. But customers are divided. “That’s Big Brother watching. You know, if you
want to know my age, ask me, but having my fingerprint or my DNA or anything
out there -- that’s mine,” customer Kelley Nicosia said. [Source]
US – FBI Plans Big Tent for Biometrics
The FBI’s planned biometric repository upgrade will improve the system’s
existing capability to store not only fingerprints but also iris scans and more
futuristic identifiers. FBI
technologists are planning for upgrades that will buttress the law enforcement community’s
limited ability to use DNA as a forensic tool, according to a recent briefing
the bureau offered on plans for its Next Generation Identification system. NGI
is designed to incorporate improved technology into the bureau’s Integrated
Automated Fingerprint Identification System (IAFIS). The bureau plans within
the next few weeks to request proposals from vendors to build NGI. The agency
already has described a phased plan to roll out the upgrades to its existing
biometric repository during the next several years. [Source]
CA – Ontario Privacy Report Cites Record Number of Complaints, Lack of Transparency
The provincial government has reported record-breaking
numbers in privacy complaints against the health-care and public sectors last
year, but at least one Canadian analyst is not ready to cast the first stone
against these institutions. Privacy Commissioner Ann Cavoukian has reported in
her 2006 Annual Report that the number of privacy complaints filed under public
sector privacy laws has reached 170 in 2006, the highest in the last nine
years. Similarly, privacy-related complaints under the Personal Health
Information Protection Act reached 183 in 2006, also a record high.
[2006 Annual Report] [2006 Annual Report News Release] [Commissioner Speaking Notes]
[Source] [Source] [Privacy Commissioner: Ont Gov’t fails at openness commitment]
[Ont. Gov’t “knee jerk” reaction to withholding info] [Ontario should post bids
online: P.Commish]
CA – Privacy Commissioner Report Highlights PIPEDA Woes
31 per cent of Canadian businesses are either still
in the process of complying with the private sector privacy law or have yet to
begin, according to a survey released by Jennifer Stoddart's office this week. The
Privacy Commissioner of Canada published the results of the survey, conducted
by Ekos Research Associates, in conjunction with the tabling of her annual
report in Parliament, stating that “There has never been a greater need to take
data protection seriously as new data breaches reinforce concerns about both
security issues and trans-border data flows.” High-profile data breaches among
a few well-known banking and retail organizations during 2006 reinforce the
very serious nature of privacy breaches and the need to better protect personal
information held by private sector companies. Despite these cases, complaints
against some of the major sectors covered by PIPEDA since 2001 (financial
institutions, insurance companies and the transportation sector) have declined
slightly. This is in contrast, however, to those industries which have been
subject to PIPEDA only since 2004, such as the retail and accommodation
sectors. These sectors have been the subject of substantially more complaints
than in previous years. Overall, there were 424 complaints in 2006, compared
with 400 in 2005. [Source] [Press Release] [Coverage] [Annual Report]
[Backgrounder: Findings of a 2007 poll commissioned by the Office of the Privacy
Commissioner of Canada] [2007 EKOS Research Associates survey: Canadian
Businesses and Privacy-Related Issues]
CA – Information Czar Gives Failing Grade to Mounties
The RCMP has received a failing grade for “floundering
badly” at answering information requests from Canadians. In his first annual
report as information commissioner, Robert Marleau gave the Mounties an “F”
Tuesday on their efforts to comply with the Access to Information Act. Marleau
also flunked the Privy Council Office - the bureaucracy that serves the prime
minister and cabinet - as well as the Canada Border Services Agency, Health
Canada and Justice. For $5, Canadians can ask federal agencies for a range of
files, from expense reports to briefing notes. Agencies are supposed to respond
within 30 days, or at least provide good reasons why they need more time.
Institutions receive an “F” from the information commissioner if they answer
more than 20 per cent of requests late. “The RCMP is floundering badly. It does
not have a coherent plan in place with specific deliverables and target dates,”
the report says. “While it is true that the RCMP has a large workload of access
requests with which to cope, it can, and must, do better.” Yves Marineau, the
RCMP’s Access to Information co-ordinator, said the organization has invested
money and people to solve the problem. “We do have a plan in place,” he said.
“We’re definitely striving to do better in the future.” The information
commissioner, an ombudsman for users of the act, investigates complaints and
encourages departments to meet the requirements of the law. Marleau’s report
laments that responses to access requests are too often late, incomplete or
overly censored. It says the Privy Council Office, which has received a failing
mark three years in a row, cannot answer its modest workload of requests on
time due to a “burdensome and unusual approval process” that depends on signoff
from an array of senior officials. [Source] [2006-07 Annual Report]
CA – Reasonable Expectation of Privacy Workshop Movies Available
The University of Ottawa IDTrail Team produced two
short films exploring the "reasonable expectations of privacy". They
were used at the Computers, Freedom, and Privacy (CFP) 2007 conference in
Montreal, Canada. The short films were produced and directed by Max Binnie,
Katie Black and Jeremy Hessing-Lewis with contributions from Daniel Albahary,
Ian Kerr, and Jane Bailey. They are available for download under a Creative Commons
Attribution 2.5 license. The first film, "Tessling-Just
the Facts", is a brief dramatization of the facts that gave rise to R.
v. Tessling [2004], a criminal case which addressed the concept of the
"reasonable expectation of privacy" with respect to forward-looking
infrared (FLIR) technology. The second film, "CFP-Interviews",
is a documentary that provides the viewer with a taste of various public interest
perspectives on how to conceive of "reasonable expectations of
privacy". It features short interviews with the following experts in the
field of privacy, civil rights and law, in order of appearance: Clayton Ruby,
Ruby & Edwardh; Andrew Clement, U of Toronto; Peter Jordan, Engineer (ret.);
Chris Hoofnagle, Samuelson Clinic, UC Berkeley; Eugene Oscapella, Lawyer,
Foundation for Drug Policy; David Sobel, Electronic Frontier Foundation (EFF); Pippa
Lawson, CIPPIC; Jim Karygiannis, MP Scarborough-Agincourt; Marc Rotenberg, EPIC;
Cindy Cohn, Electronic Frontier Foundation (EFF); Marlene Jennings, MP NDG –
Lachine; and Deirdre Mulligan, Samuelson Clinic, UC Berkeley. [Source]
UK – UK Information Commissioner Urges Caution on Data Sharing
The Information Commissioner has published some advice
for government bodies that want to share information but think data protection
laws prevent them from doing so. The advice note gives a rough idea of the
mindfulness public bodies ought to have for human sensibilities when they start
shunting data between computer systems. The gist of it adheres to basic data
protection principles - have a sound reason for doing it in the first place,
consider how it might affect ordinary people, obtain people’s proper consent before
using and sharing information, and so on. Scratch the surface, however, and it
gets interesting. Last autumn, the government ordered a review of how data
protection law might prevent it from realising its grand vision for information
sharing. The rough idea was that an omniscient state might know enough about
people’s lives to justify its interference in their private affairs when they
had broken no law. This is a controversial idea to say the least (which perhaps
explains why the review is late and, ironically, secret). The review’s remit
was also brash in that it implied that data protections might have to be cut
back in order to give the grand vision room for manoeuvre. [Source]
WW – Email Users: Spam on the Rise in Wake of CAN-SPAM
A recent survey indicates that spam has increased
since CAN-SPAM took effect in February 2004. The Pew Internet and American Life
Project released a survey recently that shows that 37 percent of email users
reported an increase in spam compared to 24 percent when the law took effect.
However, users report a significant decrease in pornographic spam. [Source]
See also: [Feds: Notorious Seattle spammer indicted]
EU – European Commission to Consider Identity Theft Legislation
The European Commission says that it is planning to
consider identity theft legislation later in the year to help stop the
escalation of cybercrime. The European Commission said success in any efforts
to deter cybercrime would rely on increased cooperation and collaboration among
law enforcement agencies across Europe. [Source]
UK – A Humiliating Retreat on Plan to Exempt MPs from FOI Laws
The Tory behind plans to exempt MPs from freedom of
information laws made a humiliating climbdown yesterday. Backbencher David
Maclean has been widely condemned over his proposal, which he says is designed
to keep correspondence between MPs and constituents secret. Critics argue,
however, that this is already covered by the Data Protection Act and say he
just wants to keep MPs’ expenses beyond scrutiny. Mr Maclean has now agreed to
alter his Private Member’s Bill after peers from all parties threatened to
wreck it, branding it “scandalous”. The former chief whip has drafted an
amendment that would force MPs to reveal minute details about their expenses
and allowances. [Source] [No basis to FOI amendment, says campaign group]
CA – Ontario Court: Historic Blow for Freedom of Information
The Ontario Court of Appeal struck a historic blow for
freedom of information yesterday, ruling that government officials cannot
simply suppress information about a notorious murder case without first
considering the public interest in its release. Ignoring the virtues of open,
informed debate seriously damages the reputation of the justice system “and
places us back to an era where government secrecy was the norm, and disclosure
was at the whim of the minister,” a 2-1 majority said. [Source]
US – California Jurists Not Swayed on Police Privacy Rights
The California Supreme Court suggested this week that
state law gives the public the right to know the names and salaries of
government employees, including police officers. During two hours of oral
argument, the state high court reviewed cases brought by two newspapers, the Contra
Costa Times and the Los Angeles Times, seeking access to information about
public employees. In the Contra Costa Times case, the newspaper sought the
names and pay of Oakland employees earning $100,000 or more. Lower courts
upheld the media's right to the information, but unions for the police and
other workers took the case to the state high court. The court appeared ready
to rule in favor of the media but also to carve out exceptions for rare cases
in which revealing an officer's identity could threaten his or her safety. [Source]
[California Supreme Court considers if employees' salaries should be public]
CA – Secret Health Documents Sold at Saskatoon Auction
The Saskatoon Health Region apologized this week after
more than 2,000 “very confidential” patient information cards were accidentally
sold at an auction of surplus health region material. The plastic cards are
used to make imprints on documents for patient records. They contain names,
dates of birth, addresses, religious affiliations, health card numbers and the
names of patients’ doctors. The cards were discovered in a box that was bought
as part of a collection of material in a weekend auction. The buyer turned them
over to the opposition Saskatchewan Party, which returned them to the health
region. A Health region official said the cards don’t contain medical
information about patients, but they were supposed to be shredded. [Source]
[Saskatoon health region probes release of hospital cards]
US – ChoicePoint Settles With 43 States, D.C. Over Data Breach
ChoicePoint Inc. has agreed to implement more safeguards
as part of a settlement with 43 states and the District of Columbia over
allegations it failed to adequately secure consumers' personal information
related to a breach of its database it disclosed in 2005. The consumer data
provider has agreed to adopt significantly stronger security measures. Among
them are written certification for access to consumer reports and, in some
cases, onsite visits by ChoicePoint to ensure the legitimacy of companies
before they are allowed access to personally identifiable information. [Source]
US – Cable and Wireless Blames Sacked Executive for Missing Database: Telco
Cable and Wireless has blamed a sacked executive for the illegal use of a
database of 100,000 customer details. The company has now served an injunction
on the person. The database was stolen when an employee went on a business trip
to Pakistan two years ago. Details from the database have been used in call
centres in that country to dupe unsuspecting victims into divulging credit card
details, according to an investigation carried out by the BBC. [Source]
US – N.Y. Area University Mistakenly Publishes Personal Information Online
New York’s Stony Brook University has admitted it
mistakenly published the personal information of nearly 90,000 faculty members,
students and alumni online. University officials acknowledged the blunder to
those affected in a letter dated May 7. The letter said that during an overhaul
of the Health Sciences Center library Web site, a long-dormant file was made
public. It held names and SSNs of 89,853 current and former faculty, staff,
students, alumni and others. [Source] See also: [Sensitive information on Dutch
royal family found in rubbish dump]
US – Security Breach at the Colorado U. Exposes 45,000 Students’ Names, SSNs
A hacking incident has led to a security breach
affecting nearly 45,000 students who were enrolled at CU-Boulder from 2002 to
the present. University security officials discovered the security compromise
May 12. The university is sending letters to the affected individuals to notify
them that their information was exposed during the incident. [Source]
US – SBU Announces Nearly 90,000 Affected By Security Breach
Stony Brook University has notified those affected by the public
disclosure of a file that contained names and Social Security numbers (SSNs)
for nearly 90,000 current and former faculty, staff, students and others. The
security breach occurred during a Web site overhaul. The university has offered
those affected by the breach free credit monitoring for 90 days. [Source]
US – Energy Reports Losing 1,400 Laptops in Six Years
The Energy Department notified Congress this week that it has lost 1,427 laptop
PCs over the past six years. The department said none of the laptops contained
classified information. The figure represents approximately 2% of its current
inventory of approximately 71,874 laptop computers, used either by agency
personnel or contractors. The agency revealed the information in response to a
FOIA request. [Source] See also: [Identity Theft-Related Data Breaches
Increasingly Stemming From Laptop Theft: Symantec]
US – Woman Falsely Labeled a Sex Offender by MySpace
It took nearly a week for Jessica Davis to get an
explanation about why MySpace had labeled her a sex offender and pulled her
profile from the social networking Web site. And when her name was finally
cleared, it wasn’t because of anything MySpace did. “They have a corporate and
a moral responsibility to me as far as coming up and saying, ‘We messed up.
This is going on. We’re doing what we can to fix it,’“ said the 29-year-old,
newly engaged University of Colorado senior, a woman who confessed to losing
her driver’s license for careless driving a decade ago but insisted she’d never
committed a crime to earn the status of sex offender. [Source] See also:
[MySpace age verification... for parents?] [Police Monitoring MySpace, Case
No. 420] [MySpace Calls For Australian Sex-Offender Database] and [G8 Seeks
Private Sector Help to Combat Child Porn] and, for that matter: [EU Steps Up
Fight Against Cybercrime]
UK – Calls for Brown to Confirm ID Card Future
Gordon Brown has been called upon to confirm his
position on ID cards, amid increasing Westminster speculation he will abandon
the government’s controversial scheme once prime minister. With rumours
mounting Mr Brown will move away from a national ID card scheme - increasingly
criticised for its cost and implications for civil liberties - the shadow home
secretary David Davis has called on the soon-to-be prime minister to make his
position clear. Launching his leadership bid, Mr Brown said he intended to
strike a different note to Tony Blair on many key issues, including a greater
safeguard on civil liberties. At the time he said this would not mean scrapping
the controversial ID card scheme, but it has increasingly been questioned
whether Mr Brown is waiting until he is firmly in power to announce a change of
policy. [Source]
CA – Impact of Passport Plan Unknown, Professor Says
The American plan to require passports for all Canadian
travellers is a “leap of faith” with unknown economic consequences, a new
report says. The Network on North American Studies in Canada is warning
that no one on either side of the border has done a comprehensive study of the
economic impact of the move. “We really don’t know what impact it’s going to
have on transborder trade,” said Donald Abelson, a political science professor
from the University of Western Ontario and one of the authors of the report.
“Policy-makers on both sides have to wake up and understand that this issue can
have tremendous ramifications on both sides of the border. We’re taking a leap
of faith.” Since the start of this year, Canadian air travellers to the United
States have been required to show a passport under the so-called Western
Hemisphere Travel Initiative. It will be extended to land and sea border points
by 2009. [Source] [DNA in passports ‘inevitable’ report warns] [People, Security
and Borders: The Impact of the Western Hemisphere Travel Initiative on North
America, a publication of the Network on North American Studies in Canada
(NNASC)]
CA – Canadian Port Workers to Get Security ID Cards
Transport Canada announced it is creating mandatory
identity cards for workers at the country’s major ports in a bid to step up
maritime security and combat potential terrorist threats. The cards will be
implemented in Vancouver, Halifax and Montreal in December, with other ports
following next year. The Marine Transportation Security Clearance Plan also
includes background checks for port workers who have access to secure areas
like loading docks and fuelling stations, but some port managers fear the
ambitious program could sink them financially. The initiative is part of a
five-year, $115-million federal program to get Canada’s ports up to
international security standards. [Source] [Port managers wary of Transport
Canada plan to issue new ID cards to workers]
WW – Privacy Concerns Arise Over Apple's DRM-Free Tracks
The launch of music tracks free of digital locks on
iTunes has been overshadowed by the discovery that they contain data about who
bought them. Some fear this data could be used to identify the owner of the
tracks if they turn up on file-sharing sites. [Source]
EU – EU Privacy Chief Defends Google’s Privacy Protections
European Data Protection Supervisor Peter Hustinx said
last week at a conference in Amsterdam that Google is taking steps to safeguard
the privacy of European citizens. Hustinx, who said the company’s efforts are
“not just window dressing,” made the comments a week after data protection
officials who comprise the Article 29 Working Party wrote to Google to express
concerns about the company’s data retention policy related to users’ searches.
Google’s Global Privacy Counsel -- Europe, Peter Fleischer, CIPP, an IAPP board
member, also attended the conference last week in Amsterdam, where he made a
presentation on the workings of Google’s personal search function. [Source]
See also: [What Search engines know about us] [EU Decision On Google Data
Privacy Months Away] and [Google Street View Raises Privacy Fears] [UK ICO
Among European Privacy Leaders Seeking Info From Google]
UK – Data Misuse Threat to Trust in Police IT
Potential security breaches by police insiders risk
undermining public confidence in law-enforcement surveillance technologies,
such as the number plate recognition system and fingerprint database, the
former head of police IT has warned. Phillip Webb, who stepped down as chief
executive of the Police IT Organisation in March, said that the potential for
insiders or others to misuse information held on police databases could
undermine public support for the technology and the laws that allow its use. Speaking
on the growth of electronic surveillance at the Government IT Summit, Webb said
that technologies such as automatic number plate recognition systems and
electronic fingerprint records were “marvellous tools” that could protect
society from dangerous people. But he said it was essential that information is
“applied correctly, is used correctly and is not misused.” Webb said he was
concerned, in particular, that insiders and others could misuse the automatic
number plate recognition system, which is the largest Oracle database in
Europe. He said, for example, that it could be used to track the movements of
celebrities or politicians. The database is able to track a single vehicle’s
movement over several months, whether or not the driver is a criminal, he said.
Webb also said that the police “would not say no” if given a chance to
cross-check 1.2 million unidentified fingerprints taken by police, which are
stored electronically, with fingerprints that may be collected by the state as
part of the ID cards scheme. But he said a debate needed to be held over
“legally whether or not we should”. [Source]
US – U.S. Company Faces Fine for Unauthorized Overseas Data Transfer
The Commission Nationale de l’Informatique et des
Libertés (CNIL) has fined a subsidiary of Tyco Healthcare. The CNIL’s action is
believed to be the first time a U.S.-based multinational has been fined for
transferring personal data overseas in violation of European data protection
law. The violation stems from the company’s use of a human resources database
containing personal data. The CNIL fined the company after a 2006 inspection
found that it was using the personally identifiable information more than the
company had indicated previously to the CNIL. [Source]
EU – Data Protection Watchdogs Express Concerns about Google Practices
A letter from an influential group of privacy experts in Europe saying that
Google’s new privacy
policies appear to breach the requirements of the EU’s data protection regime
was published this week. Previously, Google operated a policy of retaining
search queries and identifying information, such as Internet Protocol (IP)
addresses, for as long as it thought useful. In March, Google’s global privacy
counsel, Peter Fleischer, announced a new policy. He said that the company will
keep its server log data but
will make that data “much more anonymous, so that it can no longer be
identified with individual users, after 18-24 months.” The letter of concern
was sent to the search giant on 16th May by the Article 29 Working Party.
Google has responded with a statement that it wants to have a “constructive
dialogue” with European authorities about its controversial policy. [Source]
[Article 29 Working Party letter] [Article 29 Working Party Resolution on
Privacy Protection and Search Engines, November 2006] [Google under Gov’t
scrutiny on both sides of Atlantic] [Google privacy counsel: Privacy policy 'is
vague'] [Google Grabs GreenBorder to Tighten Web Security] [Overview of Google
saga, with links]
WW – Restrict Google Image Results to Faces, News
Google Image Search has a new feature that lets you restrict the results to some
general categories. For the moment, the only categories that are available seem
to be faces and news-related images, but other categories should follow. Google
uses face detection technology to select only images that contain faces and
that may be the first visible result of the Neven Vision acquisition. [Source]
[Amateur Facial Recognition Creeps Closer] and also [Google’s “Street View” and
Privacy in Public] [Google Maps - street view] [NYT: Google Photos Stir a Debate
Over Privacy]
WW – Facebook Adds New Features to Compete With MySpace, YouTube
Facebook is inviting thousands of technology companies
and programmers to contribute features to its service. They can even make money
from the site’s users by doing so, and, at least for now, Facebook will not
take a cut. Some of the new features, demonstrated by software developers at a
Facebook event on Thursday, will allow members to recommend and listen to
music, insert Amazon book reviews onto their pages, play games and join charity
drives, all without leaving the site. [NYT Source] [Facebook API Unilaterally
Opts Users Into New Services] See also: [Phishers can use social Web sites as
bait to net victims: Study] [Facebook Allowing Profiles to be Crawled by Google]
CA – Ontario’s Privacy Chief Warns Teens to Protect Their Privacy Online
Privacy Commissioner Ann Cavoukian is warning teens
and college students that professors and potential employers will check their
online profiles and potentially use the posted personal information against
them. Cavoukian also cautioned that child predators will troll social
networking sites for potential victims. She suggested that young users restrict
who has access to their profiles by taking advantage of privacy settings
offered by sites such as Facebook. [Source] See also: [Age/Identity
verification and adult content flagging issues and information roundup]
US – Poll: Americans Distrust Real ID as Unacceptable Privacy Threat
A new poll released by the ACLU finds deep distrust
among American voters about new driver’s licenses that would store every
American’s personal information in a national database accessible to state and
local governments. The driver’s licenses described in the poll mirror the Real
ID Act, which has sparked rebellion nationwide. Twelve states have opted out of
the national ID program and more are on the way. “The public is very reluctant
to give the government carte blanche to regiment and track Americans, and this
poll proves it,” said Barry Steinhardt, director of the ACLU’s Technology and
Liberty Program. “Americans are worried about the costs of a national ID, and
not just the costs as taxpayers, but the costs to a free society.” [Source]
[Poll results, including exact questions asked and basic demographic cross-tabs]
More at [http://www.realnightmare.org] and see also: [N.H. Senate backs Real ID
ban] [SC Senate agrees to refuse Real ID] [Revolt against new U.S. ID card grows]
US – FTC Investigating Google/DoubleClick Deal
The Federal Trade Commission (FTC) is reportedly
launching a preliminary review of Google’s proposed acquisition of DoubleClick.
The FTC refused comment to The New York Times. Google representatives say the
company is confident the deal will survive antitrust scrutiny. News of the
proposed deal met with criticism from privacy advocates and competitors. [Source]
[Google deal to get antitrust review] [Google chairman says privacy concerns
won’t scuttle DoubleClick acquisition] [Filing Reveals Google Subject to “Second
Request”] [FTC Merger Reform Announcement] [EPIC’s Complaint to the FTC] [EPIC’s
FTC Google Complaint page] [Letter from the NY State Consumer Protection Board]
US – California State Senate Passes RFID Legislation
The California State Senate has passed the Identity Theft Information Protection Act
(SB 30), aimed at providing privacy and security safeguards for state
identification documents containing RFID technology. Among other things, the
bill would require identification documents that use radio waves to transmit
data or to allow data to be read remotely, and that are created, mandated,
purchased or issued by California public entities, to meet specified
requirements. It would also require those public entities and authorized third
parties to protect the operational system keys, and the data transmitted
remotely by the documents, from unauthorized access, and would restrict
disclosure of that information. A previous version of the bill passed last year
but was vetoed by Gov. Arnold Schwarzenegger. [Source]
[Identity
Theft Information Protection Act (SB 30)] See also: [Backlash
against RFID is growing: States lead the way as technology researchers express
concern about security, privacy issues] [More
on RFID and Pharma Legislation] [RFID
prompts privacy concerns at OPCC]
A new market study predicts an annual
growth rate of 100% for Wi-Fi-based RFID technology, through 2010. Conducted by
market research firm In-Stat, based in Scottsdale, Ariz., the study
estimates 135,000 Wi-Fi-based RFID tags were shipped in 2006. It also predicts
that figure to continue growing as more businesses increase their Wi-Fi
coverage. An In-Stat senior analyst says that while a growth rate of 100% may
seem high, growth rates can be misleading because the current market is very
small. Wi-Fi-based RFID is gaining traction in a variety of industries,
particularly in the health-care, manufacturing and transportation and logistics
markets, which are using it mainly for tracking assets. One inhibitor to the
technology's growth has been short battery life, though advancements in
technology are changing that. [Source] [Wi-fi
and RFID used for tracking students] [RFID Payment Platforms
Gaining Momentum]
The National Institute of Standards and Technology has
finished the third and possibly final draft of its revised guidelines for
assessing the adequacy of IT security. Special Publication 800-53A, Guide for
Assessing the Security Controls in Federal Information Systems, will be
released for comment June 4. NIST is charged under the Federal Information
Security Management Act with developing standards and guidance for implementing
IT security programs. SP 800-53 is part of a series of documents developed for
selecting the proper level and types of IT security controls. The core of the
series is Federal Information Processing Standard 200, which establishes
minimum security requirements under FISMA. Once those requirements have been
established, agencies select the appropriate set of controls from NIST SP
800-53, Recommended Security Controls for Federal Information Systems. SP
800-53A is an addendum that sets out the framework for conducting mandatory
assessments of security controls required under FISMA. Comments on previously
released drafts have resulted in significant changes in the third draft
version, according to NIST. Changes are expected to include a greater emphasis
on two-factor authentication, trust relationships to assure adequate security
controls at IT vendors and greater restrictions on remote access to sensitive
data. [Source]
See also: [Study Finds Information
Security Awareness Training for Government Workers Falls Short] and [Government Agencies
Falling Short on Information Security Training]
The government's planned border-crossing
identification card does not require strong privacy protections because the
only data it can transmit wirelessly is a reference number, according to the director
of NIST. The reference number will be etched on the Generation 2 Radio
Frequency Identification tag on the People Access Security Services (PASS)
card, to be issued by the State and Homeland Security departments. The
reference number can be communicated wirelessly to readers 20 feet away or
more. It will be read at border crossings to serve as a "pointer" to
a file in a Homeland Security database that will contain the personal identifying
information of the person to whom the card was issued. But the reference number
itself is not personal information, according to NIST Director William Jeffrey.
Thus, the PASS card architecture does not require compliance with international
standards for protecting personal information on an identification card, such
as encryption. [Source]
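The "pointer" design described above, as an added illustration that is not code from the source, NIST or DHS: the tag answers every reader with the same fixed reference number, the number carries none of the holder's attributes, and only a party with back-end access can resolve it to a person. The same sketch also shows the property privacy reviewers weigh against that argument: a fixed number is a linkable key, so any reader in range, authorised or not, can tell that the card seen at one location is the card seen at another without ever querying the database. The tag, back end, readers, holder record and locations are constructed stand-ins.

```python
"""Added illustration of the PASS card 'pointer' design described above.
Not code from the source, NIST or DHS: the tag, back end, readers, holder
record and locations are all constructed stand-ins."""
import secrets
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Tag:
    """A Gen 2 style tag that answers every reader with the same fixed number."""
    reference: str

    def respond(self) -> str:
        # The only thing that ever crosses the air interface.
        return self.reference


class BackEnd:
    """Stand-in for the database that maps a reference number to a person's file."""

    def __init__(self) -> None:
        self._records = {}

    def issue(self, holder: dict) -> Tag:
        ref = secrets.token_hex(8)  # random, so it encodes nothing about the holder
        self._records[ref] = holder
        return Tag(ref)

    def lookup(self, ref: str) -> dict:
        # Only a party with back-end access can turn the number into a person.
        return self._records.get(ref, {})


class Reader:
    """Any reader in range, with or without back-end access, gets the same answer."""

    def __init__(self, location: str, log: list) -> None:
        self.location = location
        self.log = log

    def scan(self, tag: Tag, t: int) -> None:
        self.log.append((t, self.location, tag.respond()))


def contains_personal_data(ref: str, holder: dict) -> bool:
    """NIST's premise, checked literally: no field of the record appears in the number."""
    return any(str(v).lower() in ref.lower() for v in holder.values())


def track(log: list) -> dict:
    """Group sightings by reference number. A fixed number is a linkable key:
    whoever logged these sightings knows it was the same card each time, with
    no database lookup needed."""
    seen = defaultdict(list)
    for t, loc, ref in log:
        seen[ref].append((t, loc))
    return {ref: sorted(s) for ref, s in seen.items()}


def demo() -> dict:
    backend = BackEnd()
    holder = {"name": "Jane Doe", "dob": "1970-01-01", "passport": "X1234567"}  # constructed
    tag = backend.issue(holder)

    official_log: list = []
    rogue_log: list = []
    Reader("border crossing A", official_log).scan(tag, t=100)
    Reader("border crossing B", official_log).scan(tag, t=400)
    Reader("shopping centre", rogue_log).scan(tag, t=250)  # no back-end access at all

    return {
        "ref": tag.reference,
        "pii_on_air": contains_personal_data(tag.reference, holder),
        "record": backend.lookup(tag.reference),
        "official_track": track(official_log),
        "rogue_track": track(rogue_log),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running `demo()` shows both halves of the argument: `pii_on_air` is false and `record` is only recoverable through the back end, while `rogue_track` shows the reader with no database access still holds a stable identifier for the card.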
A new
organisation set up to highlight concerns over the legality of CCTV cameras
across the UK has been launched in Edinburgh. CameraWatch said that up to 90%
of the UK’s 4.2 million cameras were in breach of the Data Protection Act. The
body said that such breaches could undermine CCTV evidence in court. However,
that claim was questioned by the Information Commissioner’s Office, which
stressed that a code of practice for CCTV use has been issued. Current law
states that CCTV should be appropriately sited with clear signage. Operators
must also ensure images are securely stored if they are to be used as evidence
in court. [Source]
[Nearly
all cameras illegal, says watchdog] [CCTV:
Guardian or threat?] [Coverage]
[Most
CCTV Evidence Could Be Useless in Court] [Info.Commish: No
Evidence of Mass CCTV Violations] Other news: [Surveillance
Camera Programs Expanding in Milwaukee] [Pittsburgh
Mayor Wants Crime-Watch Cameras On Street Corners] [Columbus
Looking At Surveillance Cam Program] [Info Commissar
questions flying eyes in skies]
The Homeland
Security Department’s Privacy Office produced more than double the number of
privacy impact assessments in 2006 as it did two years earlier, but it still
has a huge backlog of programs to assess, according to a new report from the Government
Accountability Office. The privacy office produced 25 such assessments in
2006, up from 11 in 2004 and 19 in 2005. Even so, those numbers fall far short of
the total number of DHS programs requiring such assessments, which was 46 in fiscal 2005,
143 in fiscal 2006 and 188 in fiscal 2007. However, the GAO is mostly
complimentary in its review of the privacy office, saying the office has made
great strides in carrying out its responsibilities. In fact, GAO said, the privacy
office’s success in setting up a framework for identifying DHS programs that
require privacy assessments has itself contributed substantially to the backlog. [Source]
[GAO Report] [Coverage] See
also: [GAO:
FBI Needs to Address Weaknesses in Critical Network]
On June 7, the
Subcommittee on Social Security of the Committee on Ways and Means will hold a
hearing on current and proposed employment eligibility verification systems and
the role of the Social Security Administration in authenticating employment
eligibility. EPIC’s current “Spotlight on Surveillance” scrutinizes the
national Employment Eligibility Verification System (EEVS) now under consideration in Congress.
The national database is proposed to prevent undocumented immigrants from
obtaining employment in the U.S., but it could instead prevent millions of
Americans from obtaining lawful employment. The federal program will also be
expensive. The GAO has estimated that a nationwide expansion of the Basic Pilot
program would cost $11.7 billion. Congress is considering two bills that would
create a nationwide, mandatory employment eligibility verification system. Both
H.R. 1645 and S.AMDT. 1150 expand data sharing and collection, consolidating
the power to access and control this information in the Department of Homeland
Security. New exemptions are created, requiring the Social Security
Administration, Internal Revenue Service, and Department of State to disclose
confidential and sensitive personal data to the Department of Homeland
Security. This data includes employee data, birth and death records, driver’s
license and state identification files, visa and passport records and taxpayer
information. EEVS also presumes that workers will use biometric Social Security
cards and REAL ID cards - neither of which exist. [EPIC Spotlight
on Surveillance on EEVS] [Committee
Press Release on June 7 Hearing] [Submit Public Comment for
the June 7 Hearing] [Office of Inspector
General, Social Security Administration: Congressional Response Report:
Accuracy of the Social Security Administration’s Numident File, A-08-06-26100
(Dec. 18, 2006)] [H.R.
1645] [S.AMDT.
1150]
The White House
has issued a memo
to the heads of all federal government executive departments that
establishes new ground rules for responding to potential data incidents and
demands that the agencies clean up their information-handling procedures. The
May 22 memo also requires all federal agencies to develop and implement a data
breach notification policy within the next 120 days, as part of the work of the
government’s Identity Theft Task Force. In formulating their policies, agencies
are directed to review their existing requirements for privacy and security,
incident reporting and handling, and external breach notification. The memo
further requires agencies to set stricter rules on which categories of workers
are given access to sensitive information. Among the most basic advice offered
in the memo is for agencies to:
As an example of the requirements the
document sets forth, in the area of safeguarding against breaches of personally
identifiable information, the White House orders that agencies:
[Source]
[White
House document] [U.S.
Agencies to Develop Breach Notification Plans]
The Social
Security Administration (SSA) has revised its privacy and disclosure rules for
the first time since 1980. The revisions, which came into effect on May 29,
2007, describe the existing responsibilities and functions of the Privacy
Officer, establish a new senior agency official for privacy as required by the OMB,
and explain the SSA’s new Privacy Impact Assessment process in accordance with
the E-Government Act of 2002.
Further, the revisions state that the SSA cannot process electronic requests
via the Internet if the requester’s identity cannot be confirmed. Another
revision gives individuals more direct access to their medical records. [Federal Register
- Social Security Administration Proposed Rules] http://www.access.gpo.gov/su_docs/fedreg/a060913c.html
[Feds:
Cease Collection of SSNs]
A model privacy
notice created by a group of government agencies to give consumers clearer
information about their financial institutions' privacy practices is a big step
in the right direction. In comments filed this week with the agencies
responsible for the "Interagency Proposal for Model Privacy Form under the
Gramm-Leach-Bliley Act," CDT praised the clarity of the model form and
offered minor suggestions to make the proposed notice even more useful for
consumers. The form is intended to make the ubiquitous financial privacy statements
issued by banks and other financial institutions more understandable for
consumers. [Source] [CDT Comments]
To the delight of the AARP and other consumer groups,
the “Credit Security Act of 2007” was signed into law by Tennessee Gov. Phil
Bredesen. Consumer groups are hailing the legislation as a major step toward
combating identity theft. The new law protects individuals’ SSNs by requiring
businesses and governmental entities in the state to make reasonable efforts to
prevent their disclosure. Another major component of the law gives Tennesseans
the option to block access to their credit information by placing a freeze on
their credit report. [Source]
Consumers in Ohio would be able to freeze their credit
under a bill House lawmakers approved last week. Consumers would have to pay
$10 to obtain the freeze and $5 to thaw it. ID theft victims would be able to
obtain the credit freeze for free. The Senate is considering a similar bill. [Source]
A bill that allows people who were adopted to obtain a
copy of their birth certificates upon reaching age 21 was resurrected in the
Connecticut state Senate this week but still faces a difficult path if it is to
become law. The bill, which appeared dead when it was rejected by the General
Assembly’s judiciary committee a month ago, was tacked on as an amendment to
another piece of legislation this week and adopted by the Senate in a 27-7
vote. This year’s bill would not apply retroactively. It would only apply to
children born after Oct. 1, 2008. Proponents believe that would give
prospective mothers significant advance notice that their identities might
someday be revealed. The first birth certificates would not become available
until 2029. [Source]
[Source]
In a recent survey carried out by Cyber Ark Software
in the UK, it was found that a third of IT workers admitted to using their
administrative passwords to access confidential data, such as personal emails,
wage details and human resources files. Cyber Ark Software carried out this
research as part of an annual survey entitled Trust, Security and Passwords,
which not only found a lack of trustworthiness among IT workers, but found that
organisations are not securing their systems sufficiently in the first place.
One third of IT workers said that they could still access their old company
network long after leaving the job, and over 25% of survey participants said
they were aware of this practice, despite the fact that sensitive data was at
stake and it was against company IT policy. Shockingly, the survey revealed
that over 50% of network users, including IT professionals, keep their
confidential passwords on Post-It notes, and that the same proportion admitted to
keeping the administrative password for the entire network on paper as well. [Source]
[IT
admins read private email, says report]
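The two behaviours the survey reports, reading confidential data with an administrative account and departed staff retaining network access, are both detectable from ordinary access logs once the log is joined against an HR leaver list. The following is an added example and is not code from Cyber-Ark or the source article; the log format, account names, roster, leave dates and share paths are all constructed for illustration.

```python
"""Added example (not from the Cyber-Ark report or the source article): two
checks over an access log that surface the behaviours the survey describes.
Log format, account names, roster and paths are constructed."""
import re
from datetime import date

# Constructed HR roster: account -> date the person left (None = still employed).
LEAVERS = {
    "jsmith": date(2007, 3, 1),
    "kpatel": date(2007, 5, 10),
    "admin_bob": None,
    "mlee": None,
}

# Constructed file-access / authentication log lines.
LOG = """\
2007-05-27 08:12:03 host=fs01 user=mlee action=open path=/shares/eng/design.doc
2007-05-27 09:40:11 host=vpn01 user=jsmith action=login result=success
2007-05-27 10:02:45 host=fs01 user=admin_bob action=open path=/shares/hr/salaries.xls
2007-05-27 11:15:09 host=mail01 user=admin_bob action=open path=/mailboxes/mlee/inbox
2007-05-27 12:30:00 host=fs01 user=kpatel action=open path=/shares/eng/plan.doc
2007-05-27 13:05:22 host=fs01 user=admin_bob action=open path=/shares/it/backup.log
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+)(?: (?P<rest>.*))?$"
)

# Data stores the survey singles out: HR files, wage details and other people's mail.
SENSITIVE_PREFIXES = ("/shares/hr/", "/shares/payroll/", "/mailboxes/")
ADMIN_ACCOUNTS = {"admin_bob"}


def parse(log: str) -> list:
    """Turn the constructed log into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["date"] = date.fromisoformat(ev["date"])
        # Remaining key=value pairs (path=..., result=...) become a small dict.
        ev["kv"] = dict(kv.split("=", 1) for kv in (ev.pop("rest") or "").split())
        events.append(ev)
    return events


def departed_still_active(events: list, leavers: dict) -> list:
    """Check 1: any activity by an account whose owner has already left."""
    return [
        (e["date"].isoformat(), e["user"], e["host"])
        for e in events
        if leavers.get(e["user"]) and e["date"] > leavers[e["user"]]
    ]


def admin_reads_of_sensitive_data(events: list, admins: set, prefixes) -> list:
    """Check 2: an administrative account opening HR, payroll or someone else's mailbox."""
    prefixes = tuple(prefixes)
    hits = []
    for e in events:
        path = e["kv"].get("path", "")
        if e["user"] not in admins or not path.startswith(prefixes):
            continue
        # An admin reading their own mailbox is not a finding.
        if path.startswith("/mailboxes/") and path.split("/")[2] == e["user"]:
            continue
        hits.append((e["user"], path))
    return hits


if __name__ == "__main__":
    evs = parse(LOG)
    print("departed accounts still active:", departed_still_active(evs, LEAVERS))
    print("admin reads of sensitive data:", admin_reads_of_sensitive_data(evs, ADMIN_ACCOUNTS, SENSITIVE_PREFIXES))
```

The first check depends entirely on the leaver list being fed to the people who run the logs; the survey's finding that a third of respondents could still reach their old employer's network is, in practice, that join never being made. The second check is deliberately coarse: a shared administrative account cannot tell you which person opened the salary file, which is why the follow-up is usually a named account per administrator and a change ticket for any read of those paths.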
More than a third of employees who keep personal blogs
are posting information about their employer, workplace or colleagues and risk
dismissal, according to new research. Human resources firm Croner commissioned
YouGov to ask employees if they kept a personal blog and, if so, what
information they post. Of those who keep a blog, 39% admitted that they had
posted details which could be potentially sensitive or damaging about their
place of work, employer or a colleague. Gillian Dowling, technical consultant
at Croner, said that the problem is similar to that of the early days of email
use. “In the 1990s, when emails were introduced as a new means of communication,
employees were lulled into a false sense of security by the informality that
this type of communication brings,” she said. [Source]
--------