Privacy News Highlights
28 September–31 October 2007
Contents:
US – U.S. Military Establishes Biometrics Defence Agency
UK – U.K. Researchers Unsmudge Fingerprints
US – Mind-Reading Computers Becoming ‘Increasingly Necessary’
CA – U.S. Demands Passenger Lists for Canadian Sun Flights
CA – Privacy Commissioner Releases Annual Report and Survey on Privacy Attitudes
CA – Privacy Complaints Against Insurers Trending Downwards
CA – Industry Canada Launches Public Consultation on PIPEDA Reforms
US – Insurer’s Data Breach Affecting Ohio Consumers
CA – Canada to Criminalize Identity Theft
CA – BC Govt Releases Requirements and Architecture for Public Sector ID Mgmt
US – CIO Council Turns Focus On Privacy
EU – Berlin Court Prohibits Retention of Personal Data
US – Report Finds That Nearly 50% of Users Maintain Three Email Addresses
WW – U.S. Tops List of Spam-Offending Countries
US – Microsoft Rolls Out Online Personal Health Records
WW – Google Unveils Plans for Online Personal Health Records
CA – New Web Health Portal to Help Canadians Care for Loved Ones
WW – Hard Drives Give Up Health Secrets
UK – Law Requiring Disclosure of Decryption Keys Now In Force
US – Nevada Law Mandates Encryption of Transmitted Personal Information
WW – Password-Cracking Chip Causes Security Concerns
EU – EU Considers Creating Biometric Register of Non-EU Visitors
UK – U.K. National Centre to be Created to Deal With ID Fraud
UK – Information Commissioner to Lead Review Into the Use of Personal Information
US – Brief Filed Challenging COPA on Free Speech Grounds
WW – TJX Violated 9 of 12 PCI Controls at Time of Breach: Court Filings
US – Equifax Follows Suit in Offering Credit Freezes to Consumers
CA – Even Politicians Turn to Access to Information Act to Get Information
UK – UK Government Backs Down on Controversial FOI Fees Change
CA – Privacy Concerns about Genetic Information May Increase Insurance Rates
CA – New Brunswick Committee Recommends Hiring Full-Time Privacy Commissioner
CA – Nova Scotia Province Initiates Review of Electronic Medical Records
WW – Mind the Gap: Personal Info of 800,000 Stolen
WW – TJX Breach Twice as Large as Expected
US – DHS E-Mail Snafu Reveals Info on Thousands of Security Pros
CA – Alberta Government Computer Breaches Exposed
UK – Britons Would Adopt Identity Card Measure: Survey
US – White House Issues Memorandum on HSPD-12 Implementation Status
US – Analysis of Federal Files Reveals 50% Chance of Imprisonment for ID Theft
US – Court Strikes Down Age Verification for Adult Sites
WW – New Two-Factor Authentication Scheme Launched
WW – Debate Looms Over Scrapping WHOIS
EU – German Privacy Commissioner Protests Proposed Google-DoubleClick Merger
CA – Government Lags Cyber Crime Fight, Says Report
EU – Austrian Police Want to Use Trojans as Surveillance Tools
IN – New Self-Regulatory Body Opens Office
WW – EU Experts Recommend More Education for Privacy Challenges of Web 2.0
EU – Italy to Require Bloggers to Register With Government
US – Key Privacy Groups Propose Do Not Track List
US – Prostitutes’ Photos, Case Details Put Online
WW – EPIC Releases Privacy and Human Rights Report
US – US House Committee Votes to Permanently Extend Do-Not-Call List
US – Judge: Educational Privacy Law Not Sufficient to Block RIAA’s Subpoenas
US – Stalling Cars via OnStar: A Hacker’s Dream Come True?
US – Paper – Privacy’s Other Path: Recovering the Law of Confidentiality
US – California RFID Bill SB362 Passed Into Law
US – IBM Tracks Conference Attendees Through RFID-Enabled Name Tags
UK – UK Attaches RFID Chips to Kids’ School Uniforms
WW – Phishing Scams Increase More than 150% in First Half of 2007
US – Privacy, Personal Information at Risk on Campuses: Study
CA – Users Guard Personal Info Over Business Data
WW – Microsoft: Without Better Internal Coordination, More Security Breaches Likely
US – NIST Publishes Guide to Managing Risk from Information Systems
EU – Belgium Launches Multipurpose ID Cards for Children
UK – ID Cards Trialled for UK Background Checks
CA – TTC Security-Camera Challenge Seen as Test Case
UK – Almost all CCTV Systems Are Illegal, Says Expert
WW – Surveillance Shot of Hollywood Filmmaker Sparks Movie about Spycams
US – U.S. Congress Seeks to Restrict Domestic Satellite Use
US – Verizon Intros New Opt-Out Policy for Dissemination of Calling Records
US – Senate Report Reveals Few Details About Warrantless Wiretap Program
US – More than 755,000 on US Terrorist Watch List
US – DHS to Issue Plan for US-VISIT Exit Program by January 2008
US – Real ID Standards Expected In 2–3 Months, Says DHS Official
US – US Law Would Let ID Theft Victims Seek Restitution
US – House Committee Approves Global Online Freedom Act
US – California Governor Vetoes Retail Security Breach Law
CA – Canadian University Fights for Right to Monitor Employees
The year-old Department of Defense Biometrics Task
Force (BTF) has outgrown its mission and organizational home. As a result,
officials have decided to create an ongoing entity, known as the Biometrics
Defense Agency (BDA), with an expanded area of responsibility covering use of
the technology in all aspects of military operations. In April, the Office of
the Secretary of Defense’s Defense Science Board delivered a final report
concluding that the use of biometrics is “vitally important to the success of
many missions within the DoD.” The Task Force on the Defense Biometrics Program
outlined 46 recommendations in its report and urged the OSD to develop planning
for the use of biometrics in the broader scope of identity management at the
earliest opportunity. “One of our missions is to provide the standards by which
the biometrics community operates. We will develop policy to help guide the
biometrics community and determine an acceptable timeframe for turning around
an answer,” said Dr. Myra Gray, director of the Biometrics Task Force. “We want
to strike a balance without degrading quality, using biometrics as an
identifier but not as an inhibiter. In the process of information sharing, we
have to be sensitive to privacy laws, cultural and security issues,” she
stressed. [Source] [final report]
U.K. researchers have developed a technique for
identifying fingerprints that have been smudged, clipped, distorted or
otherwise badly recorded. The researchers, from the University of Warwick, also
claim the identification only takes seconds to execute, no matter the size of
the database the prints are being compared against. “Our technology ...
provides high speed and more importantly, our system’s accuracy and speed doesn’t
degrade when the size of database increases,” said Li Wang, one of the
researchers on the project, in a statement. The technique involves building a
master coordinate map for all the fingerprints on record, called an image
space. When a smudged, uneven or distorted copy of a fingerprint needs to be
identified, it then can be overlaid onto this topological map, allowing the
system to make a match with the copy on record. [Source]
The U.S. National Science Foundation is funding
research that may enable computers to respond to a user’s levels of frustration
or boredom. In other words, we’re talking about “mind-reading” technology.
Tufts University researchers are exploiting near-infrared spectroscopy technology
that uses light to pick up on emotional cues by monitoring brain blood flow.
Mind-reading technologies aren’t as rare as you might think. Earlier this year,
a company announced a special helmet that enables video game players to
communicate via their brainwaves with games. [Source]
The U.S. government has angered Canada’s airlines with
a proposal to order them to hand over personal information about passengers who
take flights that go south over U.S. airspace en route to sunny destinations.
Although the planes wouldn’t take off from or land on American soil, the U.S.
Department of Homeland Security is proposing that Canadian carriers send passenger
manifests up to 72 hours in advance of departures to and from popular winter
escapes such as Mexico and the Caribbean. The Air Transport Association of
Canada is gearing up to voice its outrage on behalf of Canadian airlines. “We’re
already vetting our passengers against the Canadian no-fly list,” ATAC policy VP
Fred Gaspar said. “If you happen to go through some part of U.S. airspace, the
U.S. may end up intercepting your plane and forcing you to land. That’s a
scenario that we don’t want to go through. … There are also privacy concerns.
This is a data-fishing expedition by a third-party government.” Excluded from
the plan are flights between two points in Canada, such as Toronto-Vancouver,
in which the flight path temporarily crosses into U.S. airspace. [Source] [U.S.
Plan for Airline Security Meets Resistance in Canada]
The Privacy Commissioner of Canada has issued her
annual Privacy Act report, which chronicles the year in privacy from a public
sector privacy perspective. The report places the spotlight on the ongoing
frustration with a woefully outdated privacy law and the mounting concern with
identity theft, cross-border data transfers, and Internet harms such as spam. The
Commissioner also released the results of a nationwide EKOS study on Canadians’
attitudes toward privacy. The results make a convincing case that good privacy
is also good politics. Among the more notable results:
§ 80% of Canadians place great importance on having strong privacy laws, despite the fact that more than half of Canadians are not aware that Canada actually has privacy laws in place.
§ 77% believe in security breach disclosure laws where sensitive information is compromised, and 66% believe such laws are needed even for non-sensitive information.
§ Only 17% believe the government takes protecting personal privacy seriously. That number dips to 13% of Canadians who believe businesses do so.
[Source] [Annual Report] [EKOS Privacy Survey] [Canadians fear national security measures
threaten privacy]
Information privacy complaints against insurance
companies have dwindled from 50 in 2004 down to seven as of September 2007,
according to Elizabeth Denham, the director of the research analysis and
stakeholder relations branch of the Office of the Privacy Commissioner of
Canada. Overall, the industry has had only 119 privacy complaints made against
its members over the past four years. That includes 50 complaints in 2004, 32
in 2005, 30 in 2006, and thus far only seven in 2007. [Source]
The government’s response to the PIPEDA review
included a promise to consult on possible reforms to the law, including the
creation of a mandatory data breach notification requirement. Industry Canada published
the promised consultation in the Canada Gazette, asking Canadians for
comments on the data breach requirement along with a series of smaller changes
to Canada’s national privacy law. For
those that don’t have PIPEDA consultation fatigue - this is effectively the
third consultation on these issues in the past 18 months (the Privacy
Commissioner consultation, the Ethics Committee hearings, and now the Industry
Canada consultation) - the deadline for responses is January 15, 2008. [Report of the
Commons committee charged with reviewing PIPEDA] [Gazette
consultation]
Hartford Financial Services Group Inc. is offering
credit protection services for one year for all customers affected by the loss
of the three backup tapes that contained the personal information for 230,000
customers, including 9,200 people in Ohio. As a cautionary measure, the company
is offering one year of comprehensive credit protection from Equifax Inc.
(NYSE:EFX) for all affected consumers, who already have been notified.
Preliminary cost estimates for Hartford haven’t been determined. [Source]
The Canadian government plans to criminalize identity
theft to give police the ability to stop such activity before any fraud has
actually been carried out, Justice Minister Rob Nicholson said. He said he
would introduce legislation targeting the actual gathering and trafficking in
credit card, banking and other personal data for the purposes of using it
deceptively. Identity fraud is already a crime in Canada, but gathering and
trafficking in identity information generally is not. [Source] [Source] See also: [Privacy
Commissioner Welcomes Government Action on Identity Theft]
The B.C. Office of the Chief Information Officer
(OCIO), with the advice and counsel of an executive committee of Broader Public
Sector (BPS) Chief Information Officers and key industry leaders, has
collaborated to develop an architecture that would enable an identity
management service for the government and the BC BPS. The goal of this project
is to develop an identity management architecture to enable interoperation
across a diverse range of public sector organizations and their service
providers using multiple vendors’ technology solutions. The two major
deliverables identified as key to the success of the project goal were a
requirements and architecture document (see below for links). The next phase of
the project is to identify some implementation pilots and put some solutions in
place. [BC Identity Management Forum]
[Requirements]
[Architecture]
See also: [Carl Ellison
whitepaper on ceremony design and analysis]
The CIO Council is formally addressing privacy issues
— much the same way it looks at enterprise architecture, best practices and
workforce challenges. In May, the council created the Privacy Committee, headed
by Karen Evans, the Office of Management and Budget’s administrator for
e-government and information technology and director of the CIO Council, and
Ken Mortensen, the Justice Department’s acting chief privacy and civil
liberties officer. The committee’s purpose is to discuss privacy issues related
to governance, policy and security. “We wanted to have an agency help lead the
committee that has a privacy officer beyond” the chief information officer,
Evans said. There is often a conflict when the CIO is also the privacy officer.
The two jobs are different because CIOs try to manage and make information
flow, while privacy officers must make sure information is kept private. [Source]
In a ruling, dated March 27, 2007, which has only now
been published and is likely to have legal ramifications, a Berlin court has
barred the Federal Ministry of Justice from retaining personal data acquired via
its website beyond the periods associated with the specific instances of use of
the site. Thus IP addresses in particular may no longer be filed away. Given
these Web markers “it is even today possible in most cases, without any
elaborate effort being required, to identify Internet users by merging personal
data with the help of third parties,” the judges declared. The local court also
opposed the view espoused by operators and some data privacy watchdogs that
security reasons justify a recording regime that over short periods of time
maps the behavior of all Net users and allows individual users to be picked
out. [Source]
A study by reputation services firm Habeas and IPSOS
has found that while email is one of the most popular consumer communication
tools, consumers do not entirely trust it, partly because of privacy concerns. J.F. Sullivan,
Vice President of Marketing at Habeas, said consumers use multiple email
addresses as a solution to avoid spam and phishing, with one used for friends,
one for work and another for newsletters. [Source]
The U.S. remains the world’s biggest spammer,
according to security firm Sophos, which released its quarterly report on the
world’s top spam-offending countries – dubbed the “Dirty Dozen.” According to
the report, the U.S. came in well ahead of its rivals, being responsible for
28.4% of all spam. South Korea was second at 5.2%, followed by China at 4.9%,
Russia at 4.4%, and Brazil at 3.7%. [Source]
Microsoft is starting its long-anticipated drive into
the consumer health care market by offering free personal health records on the
Web. The move by Microsoft, which is called HealthVault, comes after two years
spent building its team, expertise and technology. In recent months, Microsoft
managers have met with many potential partners including hospitals,
disease-prevention organizations and health care companies. The company’s
consumer health offering includes a personal health record, as well as Internet
search tailored for health queries, under the name Microsoft HealthVault. The
personal information, Microsoft said, will be stored in a secure, encrypted
database. Its privacy controls, the company said, are set entirely by the
individual, including what information goes in and who gets to see it. The
HealthVault searches are conducted anonymously, and will not be linked to any
personal information in a HealthVault personal health record. Microsoft does
not expect most individuals to type in much of their own health information
into the Web-based record. Instead, the company hopes that individuals will
give doctors, clinics and hospitals permission to directly send into their
HealthVault record information like medicines prescribed or, say, test results
showing blood pressure and cholesterol levels. [Source] [www.healthvault.com] See also: [Microsoft Designs Ad Format On New Health
Site To Address Privacy Concerns] [Network Outage
Affected California VA Medical Facilities]
Less than two weeks after Microsoft Corp. announced
plans to support online personal health information records, Google unveiled
plans to follow suit and support the “storage and movement” of people’s health
records. [Source]
Canadian caregivers will soon have access to a new
bilingual web portal tool that will contain information on providing care,
respite supports, financial advice, discussion boards for connecting with one
another and a Caregiver Electronic Record (CER), which will serve to connect
caregivers to home and community care sectors. The CER will provide caregivers
with an electronic way to help them monitor their personal caregiving issues
and the details about the care they are providing. The initiative is supported
by a $1 million investment from Canada Health Infoway (Infoway) and designed to
support the 3 million Canadians who provide a staggering 2 billion hours of
care to loved ones. [Source]
A researcher has found 10% of the used disk drives he
bought contained private health information about someone other than the
computer’s former owner. “Some of the stuff we found was startling – mental
health information, records about child and elder abuse,” Khaled El Emam said,
citing the discarded hard drive of a nurse that contained information on
patients. “Some of it was very sensitive information and this was stuff we just
bought from a second-hand dealer.” El Emam, the Canada research chair in
electronic health information at the University of Ottawa, bought 65 used
drives in four provinces and retrieved data from two-thirds of them. 8% had
health information about the previous owner and 10% about someone else. That
puts people at risk of identity theft scams and also risks their health. [Source]
Users of encryption technology can no longer refuse to
reveal keys to UK authorities after amendments to the powers of the state to
intercept communications took effect this month. The Regulation of Investigatory Powers Act (RIPA) has had a clause
activated which allows a person to be compelled to reveal a decryption key.
Refusal can earn someone a five-year jail term. Part III of RIPA was in the
original Act but was not activated. The Home Office said last year that it had
not implemented the provision because encryption had not been as popular as
quickly as it had predicted. It launched a consultation which culminated in
Part III being made active on 1st October. The measure has been criticised by
civil liberties activists and security experts who say that the move erodes
privacy and could lead a person to be forced to incriminate themselves. It is
also controversial because a decryption key is often a long password –
something that might be forgotten. An accused person might pretend to have
forgotten the password; or he might genuinely have forgotten it but struggle to
convince a court to believe him. [Source]
[Privacy
fears over encryption clause]
Nevada has enacted a data security law that mandates
encryption for the transmission of personal information (see Nev. Rev. Stat. §
597.970 (2005)). Specifically, the Nevada encryption statute generally
prohibits a business in Nevada from transferring “any personal information of a
customer through an electronic transmission,” except via facsimile, “unless the
business uses encryption to ensure the security of electronic transmission.”
The Nevada encryption law goes into effect on October 1, 2008. [Source]
A technique for cracking computer passwords using
inexpensive off-the-shelf computer graphics hardware is causing a stir in the
computer security community. Elcomsoft, a Russian software company, has filed a
US patent for the technique. It takes advantage of the “massively parallel
processing” capabilities of a graphics processing unit (GPU) - the processor
normally used to produce realistic graphics for video games. The toughest
passwords, including those used to log in to a Windows Vista computer, would
normally take months of continuous computer processing time to crack using a
computer’s central processing unit (CPU). By harnessing a $150 GPU, Elcomsoft
says they can be cracked in just three to five days. Less complex passwords can be
retrieved in minutes, rather than hours or days. It is the way a GPU processes
data that provides the speed increase. One spokesman describes the process
using the analogy of searching for words in a book. “A [normal computer
processor] would read the book, starting at page 1 and finishing at page 500,”
he says. “A GPU would take the book, tear it into 100,000 pieces, and read
all of those pieces at the same time.” [Source]
The European Union’s top justice official wants a log
kept of all non-EU citizens entering and leaving the 27-nation union as part of
a raft of new anti-terror measures. EU Justice and Home Affairs Commissioner
Franco Frattini said he would include the register in proposals he presents
next month to member states. Non-EU nationals would be electronically
registered with biometric identifiers under the plan, Frattini said. The
register is “extremely necessary” in order to crack down on people who are
granted permission to stay for a restricted time but melt away when the period
expires, he said. The scheme would operate alongside an airline passenger data
recording system modeled on one developed by the United States, which Frattini
has said he also plans to unveil in November. [Source]
A national centre where consumers can report crimes
such as identity and card fraud is to be set up in the UK. Acting on the
recommendations of the 2005 Fraud Review, the UK Government announced in a
recent Comprehensive Spending Review that it will add an additional £11m by
2010-11 to establish a National Fraud Reporting Centre. Last year more than
170,000 cases of identity fraud were recorded by the Government but currently
there is no single point of contact for consumers who find themselves victims
of such crime. [Source] [UK MPs call for
ID theft czar]
Information Commissioner Richard Thomas will be looking at how personal information
is shared and protected by the public and private sectors, and will consider
possible changes in the Data Protection
Act and the powers and sanctions available to the Information Commissioner’s
Office (ICO) and the courts. He will also make recommendations on data sharing
policy with the aim of ensuring transparency, scrutiny and accountability. UK
Prime Minister Gordon Brown announced the review on 25 October as part of a
package of measures designed to make government more open and increase public
access to information. [Source]
See also: [UK ID card service mounts birth,
marriage, death landgrab] See also: [Whitehall
plans citizen web accounts] and [Privacy
Advocates Oppose Merger of Government Data]
The Center for Democracy & Technology has filed a “friend
of the court” brief in federal appeals court challenging the Child Online Protection Act (COPA) as a
violation of the First Amendment. The amicus brief, submitted to the Third
Circuit on behalf of CDT and 17 other groups, argued that COPA places
unconstitutional burdens on producers and distributors of Web content. Other
strategies are more effective than COPA at protecting children from
inappropriate online content, and also impose fewer restrictions on lawful
adult speech, in particular technological parental controls such as Internet
filtering software and non-technological tools such as youth education. Amici
included organizations that represent corporate leaders in the Internet
industry; publishers, distributors and retailers of books and other content;
libraries and librarians; newspapers, editors and journalists; and public
interest organizations that uphold civil liberties and advocate for a free and
open Internet. [CDT
Brief]
New documents filed in a federal court by banks suing
the TJX Companies over its data breach claim that the retailer had not complied
with nine of the 12 security controls mandated by the Payment Card Industry
(PCI) data security standards when the breach occurred. Among the deficiencies
that contributed to the breach were a failure to properly configure its
wireless network, a failure to segment networks carrying cardholder data from
the rest of TJX’s network and the storage of prohibited data. A forensics
expert hired by the company to probe the incident, which exposed data on some
94 million accounts, also identified other deficiencies such as improper
patching practices and a failure to maintain adequate logs. TJX knew before the breach that its wireless
networks were insufficiently protected, but took no steps to mitigate the
situation. The company also knew that storing sensitive card data was a
violation of PCI policies, but it continued to do so anyway. [Source] See also: [Visa rolls out new payment application
security mandates | PDF
] and [Retailers Want Credit
Card Companies to Retain Data]
Beginning Oct. 31, Equifax will begin offering
consumers nationwide the option of obtaining credit freezes, following similar
moves by fellow credit bureau companies TransUnion and Experian. TransUnion
began offering credit freezes Oct. 15, and Experian’s freeze option takes
effect Nov. 1. Equifax will increase the monthly fee by $2 to cover the credit
freeze option for consumers who pay between $4.95 and $12.95 for credit
monitoring services. [Source]
Government secrecy is so pervasive that even
government backbenchers are using access to information legislation to find out
what’s going on, says former federal information commissioner John Reid. When
the Liberals were still in power, Reid said, he learned that 5% of the requests
for information from the federal government were coming from members of
Parliament. [Source]
See also: [Alberta
Right to Know Week] [Riley Report:
Access to Information: The Next Challenges]
The UK Government has dropped controversial proposals
that critics said would have neutered the Freedom
of Information Act. Changes to the charging structure that would have
allowed bodies to refuse more requests will not now go ahead. The move comes
amid significant opposition from pressure groups and media companies, who say
that the changes would have hindered access to information about the activities
of public bodies. Of the 324 people or organisations who responded to the
Government’s consultation on the plan, 73% objected to it, the Ministry of
Justice said. “Many respondents considered the proposals contrary to democratic
process,” said the Ministry’s summary of survey responses. “Those respondents
generally argued that the Freedom of Information
Act 2000 has become a feature of British democracy by holding public
authorities to account and by creating greater transparency in decision-making
and the use of public resources. “The proposals would, it was thought, diminish
the effectiveness of the Freedom of
Information Act. Many respondents believed that the proposals unfairly
targeted bodies acting in the broad public interest such as media and pressure
groups,” it said. The Ministry said that it would not proceed with the proposed
changes. “Taking account of the range of responses received, the Government has
decided to make no changes to the existing fees regulations,” it said. “It does
intend, however, to deliver a package of measures to make better use of the
existing provisions to improve the way FOI works and to meet the concerns
particularly of local authorities.” [Source]
[The Ministry of
Justice analysis of the consultation process]
A new study published in The Journal of Risk &
Insurance explores the financial implications of banning insurance companies
from accessing genetic information. Drawing on data that includes economic,
demographic, and relevant family background information, the study simulates
the market for 10-year life insurance plans that include breast cancer testing
for women 35-39 years of age, examining the potential impact of keeping genetic
test results away from insurers. The study suggests that short- to medium-term
moratoria on the use of genetic test results by insurance companies may be a
more desirable policy framework than strict regulation through legislation that
may be difficult to change in the future. [Source]
See also: [French Protest DNA
Database Law]
As plans move ahead to create an e-medical records
system in the province, a government-appointed committee has recommended the
hiring of a full-time privacy commissioner to oversee personal health
information issues, according to this Canadian Press article. The e-medical
records system is expected to be operational in 2009. Health Minister Mike
Murphy said that legislation will be introduced in the spring to ensure the
confidentiality of patients’ health records. The committee also suggested that
patients be able to access their own health information and have the ability to
correct inaccurate health information. [Source]
[N.B.
to create new law to protect health records] [Personal
Health Information Task Force] [Task
Force Report]
The province will engage an independent consultant to
help review and enhance the electronic system that transfers patient diagnostic
imaging and laboratory test results to clinics using electronic medical
records, Health Minister Chris d’Entremont announced on Oct. 4. The review
comes after an announcement the previous week of an error in the eResults
system that caused a delay in the transfer of medical test results to patients’
electronic files. The error has since been corrected and all test results have
been sent to doctors for review. Said Mr. d’Entremont: “We’re not taking any
chances where patient safety is concerned. We are engaging a third party,
independent consultant to do a full electronic medical records review and make
sure the system is working properly.” [Source]
A vendor managing job applicant data for clothing
retailer Gap lost personal information, including SSNs for some 800,000 U.S.
and Canadian job seekers, the company admitted in a press release. The breach
affects people who applied for jobs at the retail chain either by phone or
online between July 2006 and June 2007, including Old Navy, Banana Republic,
Gap and Outlet stores in the United States, Puerto Rico and Canada. However,
the stolen laptop did not contain Social Security numbers belonging to Canadian
applicants. Gap said the vendor, which it did not identify, violated the terms
of the agreement between the two companies by failing to encrypt the data contained
on the stolen laptop. [Source]
A former security expert for MasterCard says his
analysis of a TJX-hired vendor’s report in the aftermath of its security breach
shows that the retailer was in compliance with just three of 12 Payment Card
Industry (PCI) requirements that credit card companies impose on merchants. The
expert said that TJX failed to properly secure its wireless network, which
allowed the culprit to access servers at its headquarters. The breach impacted
about 100 million account numbers. TJX responded in a statement that its
security was “comparable to many other major retailers.” It also suggested that
many smaller banks overreacted after the breach when they reissued all of their
bank cards. The company also said it stands by its estimate that 45.7 million
card accounts were stolen during the attack. A recent court filing in the case
the banks have brought against the retailer suggests that the number of
accounts is more than double the company’s estimate. [Source]
[Source] [TJX was warned about lax security before breach]
A Reply All to a daily news roundup that had been
e-mailed by the U.S. Department of Homeland Security to some 7,500 people,
including thousands of security professionals, flooded government and business
mail servers with over 2 million messages. The gaffe also revealed all
subscribers’ e-mail addresses, and in some cases other personal information, to
other recipients of the DHS bulletin. Some of that information, including
telephone numbers and titles of military personnel and government workers, may
have been classified. According to the New York Times, the unintended spam run
began when a recipient of the “DHS Daily Open Source Infrastructure Report” hit
the Reply All button to transmit an e-mail address change request. [Source] [Computerworld blog post and related comments]
Security holes at Alberta’s government offices and
educational institutions contributed to computer network breaches at Alberta
Health and Grant MacEwan College, according to the auditor general Dharap. They
were the most serious among dozens of security protocol issues at just about
every level of government and the education community. In many, the breaches
were as simple as not having proper password policies in place. But in the
cases of MacEwan College and the health department, the breaches potentially
exposed their networks. MacEwan left unfettered Internet access to private
financial documents, while Alberta Health logged unknown, unauthorized
connections during occasional security checks. The Auditor-General said public
bodies still don’t quite understand how important information technology
security is. “It is a recurring theme throughout the report in that most of
those we audited had concerns over the security of IT and access,” he said. “And
the common recommendation was the need to have a control framework in place. In
many cases they have informal systems and practices but without a proper
control framework they don’t have any guarantees.” [Source]
Most people in Britain would accept a government
proposal that would require citizens to apply for a personal identity card,
according to a poll by ICM Research for No2ID. 54% of respondents think this
measure is a good or very good idea, while 42% disagree. In 2006, the House of
Commons approved the Identity Cards Act,
effectively creating Britain’s National Identity Register (NIR). The NIR is due
to store up to 49 different items on everyone living in the country, including
fingerprints, DNA, home address and telephone numbers. The legislation
stipulates that, starting in 2009, everybody in Britain will hold a “smart”
biometric ID card linked to the national register. The card will be required
for access to public services such as doctors’ surgeries, unemployment offices,
libraries and others. [Source]
This memorandum serves as a reminder for agencies to
complete background investigations and issue credentials as required for the
implementation of Homeland Security Presidential Directive (HSPD) 12, “Policy
for a Common Identification Standard for Federal Employees and Contractors,”
which the President issued on August 27, 2004. In support of the implementation
of HSPD-12, the Office of Management and Budget (OMB) has issued Memorandum-05-24
(M-05-24), “Implementation of Homeland Security Presidential Directive (HSPD)
12 - Policy for a Common Identification Standard for Federal Employees and
Contractors,” as well as Memorandum-07-06 (M-07-06), “Validating and Monitoring
Agency Issuance of Personal Identity Verification Credentials.” Under HSPD-12
and the OMB memoranda, agencies are to complete the background investigations
on all current employees and contractors and issue Personal Identity
Verification credentials in accordance with the following schedule:
• October 27, 2007: Agencies must complete background checks and issue credentials to all employees with 15 years or less service, and contractors
• October 27, 2008: Agencies must complete background checks and issue credentials to all employees with more than 15 years of service. [Source]
SEE ALSO: [Federal
Agencies Miss Employee ID Card Deadline] [HSPD-12
card opens door for digital signatures] and [JPL staff members get partial victory in
privacy lawsuit] and [OPM
wants new evaluation of security clearance process] and [Court Blocks
Government Rule on Employment Eligibility Verification]
A new study
of 500 closed U.S. Secret Service case files shows that ID thieves go to jail
about half of the time after their convictions, according to data released by
Utica College’s Center for Identity Management and Information Protection. The
researchers also found that offenders were sentenced to prison terms for three
years or less. The case files also revealed that ID thieves used the Internet
just 10% of the time. The study also determined that the median loss from the
identity theft in the cases was just over $31,000. [Source]
[Study:
Identity Fraud Trends and Patterns] [Study Finds Id
Thieves, Methods More Diverse Than Believed] [Arizona
Continues To Top List Of Identity Theft Complaints]
A US court has struck down age verification
requirements for porn sites, as a First Amendment violation. Describing the
federal statute at issue, the majority opinion explains, “The plain text, the
purpose, and the legislative history of the statute make clear that Congress
was concerned with all child pornography and considered recordkeeping important
in battling all of it, without respect to the creator’s motivation.” The
majority proceeds to hold the statute facially overbroad and then strikes down
the law as unconstitutional. The requirements intruded on the privacy and
safety of performers and created headaches for sites like flickr and
photobucket that host images. It has long been thought that the requirements
wouldn’t hold up in court, but this is the first actual ruling. [Source] [Court ruling]
[Commentary]
A new system to provide an alternative to chip and PIN
and other two-factor authentication schemes has been launched. GrIDsure relies
on the human ability to recognise patterns to offer a viable alternative to token
or card reader-based schemes. GrIDsure, a UK company, says its system can be
used anywhere a PIN, password, passcode device or smart card is normally used,
without having to carry extra hardware. And it is touting it as a more secure,
yet simpler way for card users to prove they are the rightful card
holder, whether buying online, at a shop till or cash point. Users create a
simple pattern by choosing a set number of squares on a grid, in a shape of
their choice - such as an ‘L’, square or tick. A grid filled with random
numbers is presented to the payee at authentication time for them to provide a
unique, one-time passcode to authorise a transaction. GrIDsure claims its
approach is nearly 40 times more secure than Chip and PIN and, being
non-language dependent, it can be used by those with low literacy rates or
disabilities. [Source]
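The challenge/response the passage describes, as an added example that is not GrIDsure’s own code: the server issues a grid of random digits, the user reads off the digits at the cells of their enrolled pattern in order, and the server checks the result and discards that grid so the passcode is good for one attempt only. Grid size, minimum pattern length and the two sample grids are assumptions made for the example.

```python
"""Pattern-based one-time passcode, modelled on the GrIDsure description.

Added example, not GrIDsure product code.  The 5x5 grid, the minimum
pattern length and the sample grids below are assumptions.
"""
import hmac
import secrets
from typing import Dict, List, Sequence, Tuple

Cell = Tuple[int, int]          # (row, column), zero-based
Grid = List[List[int]]

GRID_SIZE = 5                   # assumption: a 5x5 grid of single digits
MIN_PATTERN_CELLS = 4           # assumption: shortest pattern accepted at enrolment


def validate_pattern(pattern: Sequence[Cell], size: int = GRID_SIZE) -> bool:
    """Enrolment check: enough cells, no repeated cell, every cell on the grid."""
    if len(pattern) < MIN_PATTERN_CELLS:
        return False
    if len(set(pattern)) != len(pattern):
        return False
    return all(0 <= r < size and 0 <= c < size for r, c in pattern)


def random_grid(size: int = GRID_SIZE) -> Grid:
    """Server side: a fresh grid of random digits for a single authentication."""
    return [[secrets.randbelow(10) for _ in range(size)] for _ in range(size)]


def derive_passcode(grid: Grid, pattern: Sequence[Cell]) -> str:
    """What the user does by eye: read the digit at each pattern cell, in order."""
    return "".join(str(grid[r][c]) for r, c in pattern)


class PatternAuthenticator:
    """Server: keeps enrolled patterns and hands out one-shot challenge grids."""

    def __init__(self) -> None:
        self._patterns: Dict[str, Tuple[Cell, ...]] = {}
        self._pending: Dict[str, Grid] = {}   # user -> outstanding challenge grid

    def enrol(self, user: str, pattern: Sequence[Cell]) -> None:
        if not validate_pattern(pattern):
            raise ValueError("pattern rejected at enrolment")
        self._patterns[user] = tuple(pattern)

    def challenge(self, user: str, grid: Grid = None) -> Grid:
        """Issue a grid; a caller-supplied grid is only for deterministic tests."""
        if user not in self._patterns:
            raise KeyError(user)
        grid = grid if grid is not None else random_grid()
        self._pending[user] = grid         # replaces any earlier unanswered grid
        return grid

    def verify(self, user: str, submitted: str) -> bool:
        """One attempt per grid: the grid is discarded whether or not it matches."""
        grid = self._pending.pop(user, None)
        if grid is None:
            return False
        expected = derive_passcode(grid, self._patterns[user])
        return hmac.compare_digest(expected, submitted)


# Constructed sample values for illustration (not real GrIDsure data).
SAMPLE_GRID: Grid = [
    [3, 1, 4, 1, 5],
    [9, 2, 6, 5, 3],
    [5, 8, 9, 7, 9],
    [3, 2, 3, 8, 4],
    [6, 2, 6, 4, 3],
]
SECOND_GRID: Grid = [
    [7, 0, 2, 9, 1],
    [1, 4, 4, 0, 8],
    [8, 5, 0, 3, 6],
    [2, 9, 1, 6, 7],
    [0, 3, 5, 8, 2],
]
# An "L" shape: down the first column, then along the fourth row.
SAMPLE_PATTERN: List[Cell] = [(0, 0), (1, 0), (2, 0), (3, 0), (3, 1), (3, 2)]


def demo() -> Tuple[bool, bool, bool]:
    """Fresh code accepted; replay rejected; old code useless against a new grid."""
    auth = PatternAuthenticator()
    auth.enrol("alice", SAMPLE_PATTERN)
    grid = auth.challenge("alice", grid=SAMPLE_GRID)
    code = derive_passcode(grid, SAMPLE_PATTERN)       # "395323"
    accepted = auth.verify("alice", code)              # True
    replayed = auth.verify("alice", code)              # False: that grid is spent
    auth.challenge("alice", grid=SECOND_GRID)          # new grid, same pattern
    stale = auth.verify("alice", code)                 # False: digits have moved
    return accepted, replayed, stale


if __name__ == "__main__":
    print(demo())
```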
Some privacy advocates are proposing scrapping the
WHOIS system entirely because they cannot agree with the people who use the
system on how to give domain name owners more options when they register, such
as designating third-party agents. Privacy advocates say individuals should not
have to reveal personal information simply to have a Web site. [Source]
The Data Protection Commissioner of the German federal
state of Schleswig-Holstein Thilo Weichert has expressed grave reservations
about Google’s acquisition of the advertising marketing company DoubleClick. “At
present we have to assume that in the event of a takeover of DoubleClick the
databases of that company will be integrated into those of Google, with the
result that fundamental provisions of the European Data Protection Directive
will be violated,” the head of the Independent State Center for Data Protection
of the federal state of Schleswig-Holstein (ULD) in Kiel writes in a letter
addressed to Neelie Kroes, the European Commissioner for Competition. The
merger of the two Internet companies “would thus lead to a massive violation of
data privacy rights” of consumers in the European Union. In its upcoming
competition-law decision on the deal the EU Commission would need to take a
gross violation of privacy of this kind into account, the data protection
advocate adds. [Source] See also: [Google now accounts
for over half of the world’s online searches – three-quarters in the UK]
Governments face a unique challenge when it comes to
battling cyber crime, according to a recent report entitled “Countering Cyber
Crime: It’s Everyone’s Responsibility”. The report, released by Toronto-based
market analysis firm International Perspectives, outlines the challenges
governments face and the actions they can take to counter cyber crime.
Essentially, a lack of understanding of what cyber crime really is remains one of the
biggest barriers for government to counter cyber crime, according to Alicia
Wanless, executive director of International Perspectives. Wanless said the
government has to start acting immediately on cyber crime. “There’s been a lack
of adequate movement towards countering cyber crime, just even on a public
awareness level - putting up Web sites isn’t enough,” she said. [Source]
CIPPIC has released a ten page response to Public Safety’s
lawful access consultation. [Source] [Consultation Document]
[Summary of past
lawful access submissions] See also: [PIAC
Comments on “Customer Name and Address Information Consultation”]
Police in Austria have indicated their intention to
use Trojan horse programs as remote surveillance tools in certain
investigations. The country’s Minister of Justice and the Interior Minister “have
drafted a proposal that will be amended by legal experts and the cabinet with
the intention of allowing police to carry out such surveillance legally with a
judge’s warrant.” Some in the security software industry are concerned that the
tools developed by law enforcement agencies will fall into the hands of
unscrupulous individuals and be used for harmful purposes. Another problem is
how the tools will escape detection by antivirus programs. Police in Germany
have faced legal challenges to the use of Trojans as surveillance tools. [Source]
The Data Security Council of India has opened an
office in New Delhi. The group, which was developed by the National Association
of Software and Service Companies (Nasscom), is an independent, self-regulatory
body that will oversee the Indian IT industry. The new chairman, Shyamal Ghosh,
will ensure that the group develops, monitors and enforces privacy and data
protection safeguards for the country’s business process outsourcing industry,
according to this IT News Online article. [Source]
See also: [New
Steering Committee to Research Data Security Standards]
The European Network and Information Security Agency
(ENISA) presented a number of recommendations on how to improve data privacy at
Social Networking Sites (SNS) at the eChallenges
conference in The Hague. These networks were like digital cocktail parties,
at which one met many people, partook of copious amounts of alcohol and after
which one was liable to wake up with a terrible hangover the next day, ENISA
writes in its first detailed
position paper. In many cases users were not aware of the actual size of
the audience to which they were revealing details of their private lives, ENISA
notes. In addition to the users’ responsibility for their own behavior and a
duty on the part of the site operators to ensure transparency and take steps to
prevent abuse ENISA also believes that the legislator has an obligation to
confront the issue. Their investigation of sites such as Facebook, Myspace and
Twitter led the experts of ENISA to conclude that there are 14 areas of
vulnerability in all. The experts found the option of simultaneously monitoring
users over long periods of time and collecting details they happen to give away
unawares especially alarming. [Source] [ENISA
Position Paper No.1: Security Issues and Recommendations for Online Social
Networks] See also: [Microsoft
To Pay $240 Million For Facebook Stake] and [Google buys ‘shameless commerce’ mobile social
networking service] and [Google to Work
With Nielsen on TV Data] and [Massive
data sharing may lead to mom-like services] and [Information R/evolution video
clip]
Italian lawmakers recently introduced a law that
would effectively require all bloggers, and even users of social networks, to
register with the state. If it is ratified, the Ministry of Communications
would decide who must register with the state. [Source]
A coalition of privacy advocates has recommended an
ambitious set of proposals intended to give consumers greater control over
their personal data and to offset the impact of pervasive behavioral tracking.
Included in the recommendations is a call to create a national “Do Not Track
List” that would provide consumers with a simple tool for opting out of
behavioral tracking. CDT joined with Consumer Action, the Consumer Federation
of America, the Electronic Frontier Foundation, Privacy Activism, Public
Information Research, Privacy Journal, Privacy Rights Clearinghouse, and the
World Privacy Forum in crafting the proposal, which is timed to coincide with
the start Thursday of a two-day Federal Trade Commission workshop on behavioral
targeting. [Source]
[Online
Marketers Considering Do-Not-Track List] [Illustration of Do Not
Track List] See also: [FTC Should Apply
Spyware Principles to Targeting] [Privacy Group FTC
Comments] [FTC
Town Hall Meeting on Behavioral Advertising]
Mug shots of convicted prostitutes are appearing on
the El Cajon Police Department’s Web site. Police hope to discourage them from
plying their trade in town using a 21st-century version of public flogging. Pictures
of 11 women, details of their crimes and areas where they are banned from loitering
were posted as of yesterday. Police said they plan to add pictures of convicted
“johns” – the clients – within weeks. They are urging viewers to report when
the offenders violate probation. [Source]
[Website]
The Electronic Privacy Information Center (EPIC) and
Privacy International released the 9th “Privacy and Human Rights” report, an
international survey of privacy laws and developments that provides an overview
of key privacy topics and reviews the state of privacy in over 75 countries around
the world. It singles out a number of global trends, such as expansion of
identification technologies, new data retention schemes, and intensified
international data transfers, among others. According to EPIC’s Executive
Director, “the report makes clear that what is needed today is the enforcement
of privacy rights as fundamental human rights and not ever-weaker policy
frameworks that allow governments and businesses to do whatever they wish with
the personal information of individuals.” [Privacy
and Human Rights]
The House Energy & Commerce Committee approved a
bill that would extend the FTC’s authority to maintain the national Do Not Call
registry indefinitely. Consumers who signed up for the registry early on were
scheduled to have their numbers removed from the list in 2008, a move to help
maintain the list’s accuracy. But the FTC has largely resolved this issue by
removing disconnected or reassigned numbers from the list on a monthly basis.
The agency has also pledged not to remove numbers from the list until Congress
makes its final decision about whether to extend the registry permanently. [Source] See also: [Telecom’s Takeover of Canada’s Do-Not-Call
List]
A University of Tennessee student had tried to prevent
the release of his name, address and phone number to the Recording Industry
Association of America, contending in part that he had not waived his right to
privacy under the Federal Educational
Rights and Privacy Act (FERPA). However, a judge denied the student’s motion
to quash a subpoena seeking the information because the law allows the release
of “directory information,” such as the student’s name, address, telephone
number and email address. According to the judge, a computer’s MAC address
doesn’t qualify as an “educational record” under FERPA, and is therefore not
protected. The case is related to the association’s efforts to investigate
on-campus file sharing. [Source]
See also: [Opinions vary among students
about privacy]
GM has announced that they’ll be equipping nearly two
million of their 2009 model vehicles (that have OnStar installed), with the
capability to be remotely shut down to idle via OnStar commands at the request
of law enforcement. The claim is that owners will have to give permission first
for this capability to be enabled. Critics say that, regardless of what OnStar’s
privacy policy says, if the technical capability for this function is present,
OnStar will have no practical choice but to comply when faced with a law
enforcement demand or court order, whether or not owner “permission” was ever
granted. This new capability will also create an irresistible challenge to the
hacker community -- and perhaps criminal organizations. [Source] See also: [Car Insurers’ Devices Track Teen Drivers]
Daniel Solove and Neil Richards have published a new
paper entitled “Privacy’s Other Path: Recovering the Law of Confidentiality.” Professors
Richards and Solove contend that Warren, Brandeis, and Prosser did not invent
privacy law, but took it down a new path. Well before 1890, a considerable body
of Anglo-American law protected confidentiality, which safeguards the
information people share with others. Warren, Brandeis, and later Prosser
turned away from the law of confidentiality to create a new conception of
privacy based on the individual’s inviolate personality. English law, however,
rejected Warren and Brandeis’s conception of privacy and developed a conception
of privacy as confidentiality from the same sources used by Warren and
Brandeis. Today, in contrast to the individualistic conception of privacy in
American law, the English law of confidence recognizes and enforces
expectations of trust within relationships. Richards and Solove explore how and
why privacy law developed so differently in America and England. Understanding
the origins and developments of privacy law’s divergent paths reveals that each
body of law’s conception of privacy has much to teach the other. [Source]
According to a press release on Senator Simitian’s
website, Gov. Arnold Schwarzenegger has signed Bill SB362 (California’s human
implantation bill) into law. The Bill will go into effect on January 1, 2008. [Source] [Senator
Simitian’s press release] [Text
of bill]
For the first time, IBM is using RFID technology in name
tags for attendees of its Information on Demand conference in Las Vegas. At the
registration desk, IBM provides notice of the technology’s use and offers
attendees the option of obtaining a name tag without the chip. IBM’s conference
manager said about 2 percent of the 6,500 people in attendance indicated that
they didn’t want an RFID-enabled name tag, according to this Computerworld
article. The chip contains the attendee’s name, title and company, and no other
personal information. [Source]
See also: [Privacy
Concerns Dog IT Efforts to Implement RFID in the Workplace]
Ten schoolchildren in the U.K. are being tracked by
RFID chips in their school uniforms as part of a pilot program intended to
hasten registration, simplify data entry for the school’s behavioral reporting
system, and ensure attendance. The founder of Leave Them Kids Alone, a children’s
advocacy group, condemned the plan. “With pupils being fingerprinted and now
this it seems we are treating children in a way that we have traditionally
treated criminals.” In a blog post about the report, security expert Bruce
Schneier quipped, “So now it’s easy to cut class; just ask someone to carry
your shirt around the building while you’re elsewhere.” [Source] See also: [Los Amigos high school students must wear ID
badges]
Microsoft’s Malicious Software Removal Tool detected
31.6 million phishing attempts during the first six months of 2007, which is an
increase of more than 150% over the incidents in the second half of last year. The
company’s Security Intelligence Report, presented during the RSA Conference
Europe in London this week, indicates a spike in the number of attacks designed
to steal personal information. Brendon Lynch, CIPP, Head of Microsoft’s Privacy
Strategist Group, said that the report’s findings confirm something security
professionals already know - that personal information is the currency of
computer crimes. [Source]
CDW Government released the results of its third
annual Higher
Education IT Security Report Card. The report is based on a national survey
of 151 higher education IT directors and managers. It gauges IT security and
support on campuses over a three-year period. It reveals that, despite
increased attention to better IT security in higher education, there has been
little progress. The report concludes that less than half of campus networks
are safe from attack, with 58% reporting at least one security breach in the
last year. Data loss or theft has increased 10% in the last year, up to 43%,
according to CDW-G. That includes loss or theft of staff and student
personal information. [Source]
[Higher
Education IT Security Report Card]
IT managers can set up all the security policies they
want, but nearly a quarter of Canadian executives admit they look after their
personal data more carefully than that of the enterprise they work for,
according to a survey report released this month. One in five of the businesses
surveyed said they did not use anti-virus software or a firewall, while one in
six said their firm has been the victim of a security breach. The survey,
conducted by Leger Marketing on behalf of Toronto-based Fusepoint Managed Services,
was based on interviews with 1,200 executives. [Source]
Lack of coordination among marketing, privacy and
security staff members will lead to more security breaches, according to
Brendon Lynch. Microsoft’s security report sheds some light on a major factor
that leads to security breaches: some departments are mismanaging data while
assuming that the IT department has the data locked down. The survey also found
that privacy and security professionals wrongly are assuming that marketing
colleagues are coordinating with them before the collection and use of
sensitive data. The Ponemon Institute, on behalf of Microsoft, surveyed more
than 3,600 security, privacy and marketing executives in various industries in
the U.S., UK and Germany. [Source]
NIST announced the release of the initial public draft
of Special Publication 800-39, Managing
Risk from Information Systems: An Organizational Perspective. This
publication provides guidelines for managing risk to organizational operations,
organizational assets, individuals, other organizations, and the Nation
resulting from the operation and use of information systems. Special Publication
800-39 is the flagship document in the series of FISMA-related publications
developed by NIST and provides a disciplined, structured, flexible, extensible,
and repeatable approach for managing that portion of risk resulting from the
incorporation of information systems into the mission and business processes of
the organization. [NIST
Special Publication 800-39] See also: [DRAFT
NIST IR 7328: Security Assessment Provider Requirements and Customer
Responsibilities: Building a Security Assessment Credentialing Program for
Federal Information Systems] and [DRAFT
Special Publication 800-55 Revision 1, Performance Measurement Guide for
Information Security] See also: [Experts:
Apply privacy and security best practices early to manage risk effectively]
The government of Belgium expects to be the first to
issue multipurpose national chip cards to all citizens and residents. Unlike
Britain, where residents will have to be 16 to qualify for the card, Belgians
are eligible from birth. The Belgian government has begun issuing stylishly
designed blue and green children’s cards both as an identity and a child
protection measure. The kids’ card has three functions. First, it acts as an ID
document. Second, it provides a way of contacting next of kin if the child gets
lost or has an accident. Each card carries a phone number that connects to a
cascade of numbers registered by the parents. If there is no answer, the call
is transferred to a national child-protection hotline. The card’s third
function is internet safety: from the age of six, children can receive a PIN
allowing them to sign on to children-only online groups. The children’s card is
part of a national programme to replace existing cards with multi-purpose
electronic tokens. Some 6m electronic ID cards have been issued to Belgians; a
similar card is being issued to 1.4 million foreigners. Local authorities issue
the card, valid for five years, at a cost ranging from nothing to 35 euros
(£24.30). The e-ID has an embedded digital signature allowing citizens to bank
online, as well as carry out e-government transactions such as filing tax
returns. And since January, citizens of Brussels have been able to report
crimes by plugging the ID in to a card reader. Van Eyck says that far from
oppressing citizens, the card puts them in control of their information. At the
European ministerial e-government conference, he demonstrated a service called
Myfile, which allows card-holders to check information held on them in the
national register. [Source] See also: [All
Bulgarians to Have Electronic Health Cards By 2009]
A trial of the ID card system for criminal records
checks has been dubbed a success by the Home Office but criticised by lobbyists
as pointless. The joint pilot between the Criminal Records Bureau (CRB) and the
Identity and Passport Service (IPS) tested the use of two online services
requiring passports or ID cards for background checks on people who want to
work with children. The trial was held earlier this year across cities in the
UK. Volunteers had their backgrounds checked and approved online using a
passport-based system and an ID card-based system, and were interviewed by
independent firm FDS about the experience. [Source]
An investigation into whether privacy laws would be
violated by installing thousands of security cameras throughout the country’s
largest public transit network will likely be a test case for other Canadian
jurisdictions contemplating similar surveillance systems to deter crime or
terror attacks, experts say. The Toronto Transit Commission (TTC) is in the
process of installing up to 10,000 security cameras in its buses, streetcars
and subway system, adding to its current network of about 1,500 cameras. That
prompted London-based Privacy International to lodge a complaint with Ontario
Privacy Commissioner Ann Cavoukian, denouncing the project as an unnecessary
waste of resources that violates Canadian privacy laws. The TTC chairman
defended the plan, saying it conforms to privacy guidelines because the
information will not be viewed live and will be accessed only by the police. [Source] [Privacy
International Complaint] See also: [Wi-Fi
growth fuels video surveillance adoption] and [Baltimore Proposal to Allow Police to View
Surveillance Camera Footage Live in Patrol Cars] and [Chicago Crime Cams Nab Beer Drinker As
Reminder of Big Brother System] and [Security Experts
Report on Hazards of New Surveillance Architecture]
As many as 95% of CCTV systems in the UK are operating
illegally, according to a CCTV expert. The revelation comes as new legislation
is about to take effect in Scotland which could render even more systems
illegal. Companies whose premises have CCTV systems in operation must alert the
Information Commissioner that they are gathering personal information about the
people they are recording. They must also put up signs to warn the public that
recording is taking place. According to the expert, if the system is
non-compliant it could invalidate the usefulness of the evidence in a court of
law. This assessment matches that of non-profit CCTV awareness raising body
Camerawatch. It said in June that its research showed that over 90% of the UK’s
4.2 million CCTV systems were not compliant with the Data Protection Act. “If you operate CCTV equipment monitoring
public or private space and you are monitoring members of the public then it is
likely you will need a SIA licence,” said SIA head of investigations Jennifer
Pattinson. “The reason for licensing is to remove the criminal element from the
private security industry but also to improve levels of training and
professionalism in the industry.” The news follows the revelation last week
that London’s dense network of CCTV cameras may not have an effect on the solving
of crimes. An analysis of London’s 10,000 cameras showed that boroughs with
many cameras had no better crime-solving statistics than those with few
cameras. [Source]
Writer-director Adam Rifkin
has made a new film, ‘Look,’ which focuses on people’s lives as captured
through the eyes of surveillance cameras and the things they do when they think
no one is watching them. The film won the Grand Jury prize at CineVegas Film
Festival earlier this year and will be out in theaters in December. Rifkin said
the experience with the traffic cam made him realize just how prevalent
surveillance cameras are – not only in the obvious places such as Target
stores, 7-Elevens and above ATMs, but also in changing rooms and bathrooms
(only a few states expressly prohibit the placement of cameras in bathrooms).
The film follows the story lines of several characters, which all intersect and
play out only through the lenses of surveillance cameras. Rifkin didn’t use
real surveillance cameras to shoot the footage, but placed his cameras only in
locations and angles where real cameras were or might be placed and then
degraded the film in post-production to make it look like real surveillance
footage. To make the film as authentic as possible, only unknown actors were
used, and Rifkin shot no closeups. The film’s web site also has a selection of real ‘caught-on-tape’
moments captured from genuine surveillance cams. [Source] [Film Web Site] See also: [Sneaky White Hats Pull Surveillance Cam
Switcheroo | Technical Details]
Democratic members of the House Homeland Security
Committee have asked congressional appropriators to hold off funding for the DHS’s
new office for domestic satellite surveillance, set to open Oct. 1. The
department’s new National Applications Office is set to begin offering
satellite information on request for homeland security, including preventing
and responding to severe weather systems, natural disasters and terrorist
attacks. But the Democrats contend there are not enough legal protections in
place to govern how, and for what purpose, the satellites will be deployed. The
committee’s Democratic leaders are calling for a moratorium on funding for the
new office and do not want the spy satellite program to begin operations until
there is assurance that legal safeguards are in place. [Source]
Verizon Wireless is requiring customers to opt out of
allowing the carrier to share their customer proprietary network information
(CPNI), a new policy that could spark protest from the carrier’s customers.
CPNI comprises users’ calling records and includes the numbers of incoming and
outgoing calls and time spent on each call, among other data. Verizon Wireless
last week began sending letters notifying customers that they have 30 days to
opt out of the program by calling an 800 number before their information would
be shared. [Source] See also: [FCC won’t probe disclosure of phone records]
and [AT&T Invents Programming Language
for Mass Surveillance and User Manual]
Telecommunications companies that assisted the
government’s warrantless surveillance program after the Sept. 11 terrorist
attacks relied on periodic letters bearing the legal endorsement of the
attorney general, and in one case the authorization of the White House legal
counsel, according to a Senate intelligence report. The report, which
accompanies and explains the reasons behind the Senate Intelligence Committee’s
approval of an update to the law that oversees government intelligence
surveillance activities, gives incremental new details of how the White House
deployed a now contentious program run by the National Security Agency without
seeking court warrants. The committee’s update to the Foreign Intelligence
Surveillance Act, or FISA, contains a clause granting legal immunity to telecom
providers that assisted the program, a measure that has met with strong
opposition from other members of Congress. [Source] [Source]
See also: [What’s at Stake in the
Surveillance Debate in Congress]
The US terrorist watch list includes more than 755,000
names and continues to grow, the US Government Accountability Office said. The
list exploded from fewer than 20 entries before the September 11, 2001 attacks
to more than 150,000 just a few months later, after the Terrorist Screening
Center (TSC) was created in December 2003 to keep tabs on terrorist suspects,
according to the GAO. Including known pseudonyms of suspects, the list’s
755,000 names as of May 2007 represents, in fact, around 300,000 people,
according to TSC estimates. Since 2003, the list has been used around 53,000
times to single out individuals for possible arrest or to prevent them from
entering the country, the GAO said. [Source] [ACLU response]
The Homeland Security Department is trying to squash
criticism of its slow development of an exit piece to the U.S. Visitor and
Immigrant Status Indicator Technology program. Robert Mocny, US-VISIT director,
said the agency has decided a piece of the exit program will require airlines
to collect biometric data of visitors leaving the country when they check in at
the airport. Mocny said DHS will issue a notice of proposed rulemaking in the
Federal Register by January 2008 detailing the program. [Source]
The Homeland Security Department’s delay in releasing
the standards for states to implement the Real ID Act seems to be coming to an
end. Stewart Baker, DHS’ assistant secretary for policy, today said it was a
matter of months before the agency will issue the standards for enhanced driver’s
licenses. Congress passed the Real ID Act in May 2005 calling for states to
develop tamper-proof driver’s licenses and keep digital images of verification
documents by 2008. DHS has since extended the deadline to Dec. 31, 2009. DHS
officials had hoped to release standards earlier this year, but Baker said they
ended up making significant changes and still are figuring out how much money
these changes will save states. [Source]
A bipartisan bill that would let victims of identity
theft seek restitution for money and time they spent repairing their credit
history was introduced in the Senate. The legislation would also give federal
prosecutors more tools to combat identity theft and cyber crime, according to
sponsors Democrat Patrick Leahy of Vermont and Republican Arlen Specter of
Pennsylvania. The bill would also eliminate a requirement that the loss
resulting from damage to a victim’s computer must exceed $5,000 for
prosecution; make it a felony to use spyware or keyloggers to damage 10 or more
computers; and expand the definition of cyber crime to include extortion
schemes that threaten to damage or access confidential information on a
computer. [Source]
The US House Foreign Affairs Committee has approved
the Global Online Freedom Act of
2007, which would impose criminal penalties on US Internet companies that
provide customers’ personal information “to governments that use the
information to suppress political dissent.” Companies found to be in violation
could also face civil penalties of up to US $2 million. In addition, the bill
would prohibit ISPs from blocking US government financed content. In two weeks,
a House Foreign Affairs Committee panel will question Yahoo! about its role in
the case of Chinese journalist Shi Tao, who was jailed after Yahoo! allegedly provided
China’s government with information that helped identify and locate him.
[Source] [Source] [Source] [Source]
In a highly anticipated decision, Gov. Arnold
Schwarzenegger vetoed a law that would have required retailers to protect data
by standards that exceed the Payment Card Industry Data Security Standard.
Schwarzenegger said the bill “attempts to legislate in an area where the
marketplace has already assigned responsibilities and liabilities that provide
for protection of consumers.” The bill, he added, also would have created the
potential “for California law to be in conflict with private sector data
security standards.” The bill’s author, Assemblyman Dave Jones of Sacramento,
said that he was “shocked and disappointed that the governor thinks our
personal information should be left out in the open for identity thieves and
hackers to pilfer.” [Source]
The University of B.C. wants the right to keep using “spyware” to monitor its
employees’ Internet use. The university - which used the software to fire a
worker who surfed non-work-related websites for hours a day - has gone to court
to challenge an anti-spyware order by B.C.’s privacy commission. [Source] See
also: [Ontario panel to study ways to boost campus security: Experts to see
whether confidential information on students can be turned over to police]
--------