Privacy News Highlights
15–28 February 2008
Contents:
US – NIST Releases Draft Registry of Biometric
Standards
AU – Australia Needs More Biometrics Data: Report
CA – Alberta Privacy Commissioner Orders Nightclub
to Stop Using Licence-Scanners
CA – Alberta Privacy Commissioner Orders Pawnshop
Database Destroyed
CA – Supreme Court Reviews Privacy Commissioner
Investigation, Enforcement Powers
CA – Newfoundland Minister Unveils New Birth
Certificate
US – Staff Data Snooping on Customers Common, Hard
to Stop: Report
WW – Reed Elsevier to Acquire ChoicePoint
WW – Measuring Security and Trust in the Online
Environment: OECD Report
US – Group Seeks Coordinated Interstate EHR System
by 2009
US – Google to Store Patients’ Health Records
US – Washington State Considers Barring Data Mining
by Pharmas
WW – Encrypted Computer Memory Vulnerable to Hacking
Using Cold Air: Study
EU – Article 29 Working Party Changes Chair,
Publishes Work Programme
EU – Data Privacy Regulators Say Net Search Engines
Must Follow Rules
UK – Call to Scrap Children’s Database
UK – Data Breaches Cost £47 per Record: Ponemon
Study
UK – Tax Authorities Pay for Britons’ Bank Details
EU – Liechtenstein Toughens Financial Privacy Rules
US – Wikileaks.Org Site Taken Offline
US – Public “Deeply Dissatisfied” With Availability,
Delivery of Govt Financial Info
UK – U.K. Govt Rejects Mandatory DNA Database
WW – Analysis: Personal Health Records Threaten
Privacy
CA – Saskatooner fighting SCA over Health Records
Access
US – Tenet Healthcare Warns 37,000 Patients of Data
Compromise
UK – Government Discloses Hundreds of Devices Lost
EU – Stolen Laptop Had Data Of Over 171,000 Irish
Blood Donors
WW – Liberty Alliance Launches Health Identity
Management Group
CA – Canadian Government to Issue Electronic
Passports in 2011
EU – German ID Card to Allow Pseudonyms
US – RIAA Sends Wave of Pre-Litigation Letters to
Universities
WW – Few Pedophiles Posing As Youths Online: Study
AU – Judge Kirby on Privacy: Computer Code Trumps
the Law
WW – Google Says I.P. Addresses Aren’t Personal
WW – Facebook Says It Has Fixed Deletion Issue
HK – Privacy Commissioner Says Law Reforms Needed
SA – South African Data Protection Law Delayed
AU – Aussie Businesses Face Compulsory Breach
Disclosure
US – GAO Report: Identity Theft Efforts Lacking
US – Nixon Sues Web Site Operator for Offering
Sensitive Consumer Data
US – FTC Content to Observe Impact of IAB Guidelines
WW – RFID-embedded Credit Cards Cracked
EU – European Commission Publishes Preliminary RFID
Guidelines
WW – OECD RFID Paper: A Focus on Information
Security and Privacy
US – Losses From Cyber Intrusions at US Banks Rise
Significantly
EU – Secret Printer ID Codes Breach EU Privacy Laws
US – Wisconsin Man Accused of Using GPS to Track
Wife
CA – B.C. Court Limits Police Wiretaps
EU – German Court Rules Cyber-Spying Violates
Privacy
WW – Growth of GPS Phones Raises Privacy and
Regulatory Issues
WW – Cell Phone Snooping Now a Simple Feat
US – Firm Gets U.S. Contract For Quick Passenger
Data Checks
US – White House Wary of Proposed Changes to FISMA
US – Connecticut Bill Safeguards Personal Identity,
Creates Privacy Protection Law
US – Alaska Consider Prescription Database Law
US – Washington State Outlaws RFID Skimming
The National Institute of Standards and Technology (NIST) has released a draft
registry of biometric standards that could improve sharing of data between
agencies. The Registry of USG Recommended Biometric Standards was developed by
the interagency Subcommittee on Biometrics and Identity Management of the White
House National Science and Technology Council (NSTC). The subcommittee did not
formulate new standards but developed the list through a consensus of 15
agencies participating in the process. They evaluated what the subcommittee
called the “numerous, often contradictory standards currently available.” The
goal is for data gathered and saved by one agency to be accessible by other
agencies through the use of common formats and processes. [Source]
Australia should consider fingerprinting passport holders in addition to using facial
recognition technology to minimise identity fraud, a report has recommended.
The Australian National Audit Office report, released this week, raised
concerns that Australian immigration officers lacked access to foreign
biometric matching systems that included fingerprints. It said the Department
of Immigration and Citizenship (DIAC) should consider the need to extend the
use of biometric technology in identifying foreign arrivals. “The current
relatively limited fingerprint matching capability leaves the department in a
position where it is unable to benefit fully from the international
developments tending towards a broader use of fingerprints,” the report said. [Source]
An order by Alberta’s information and privacy commissioner for a Calgary nightclub
to stop scanning patrons’ driver’s licences at the door will take away a key
security measure, the owner said last week. Paul Vickers, who owns Tantra
Nightclub and several other bars and restaurants across Alberta, said the
ruling offered no alternative solutions for safety and he vowed to appeal it.
He said many other bars and clubs throughout Alberta and other provinces use
similar systems that scan driver’s licences to keep track of who comes through
the door and if they’re a regular customer. BC’s privacy commissioner is also
reviewing the use of similar technology and expects to make a ruling later this
year. (CBC)
Alberta’s privacy commissioner Frank Work has ordered the city of Edmonton and police to
stop collecting personal information from pawn shops and second-hand stores.
Work also ordered that a database established to store the information be
destroyed. The city has long required pawn shops to keep detailed records of
the people who sell and buy merchandise, and to make the data available to
police on request. In 2005, the city required pawnshops and second-hand stores
to upload information collected from clients to a database maintained by a
private company under contract with the City of Edmonton. Work said in a
published report that Edmonton did not have authority to require
second-hand stores and pawnshops to upload the information to the database. He
also found that the city had not taken reasonable steps to safeguard the
complainant’s personal information, or that of other clients, from unauthorized
access, collection, use, disclosure or destruction. [Source] [Decision]
The Supreme Court of Canada will hear a case that will ultimately determine how the
Privacy Commissioner’s investigative authority is affected by claims of
solicitor-client privilege. An employee of the Blood Tribe Department of
Health, after being dismissed, filed a complaint with the Privacy Commissioner
after her request for access to her personal employment file was denied. The
Commissioner requested a copy of the complainant’s file to investigate the
matter. Correspondence in the file between the Blood Tribe Department of Health
and its solicitors was withheld from the Commissioner on the basis that it was
subject to solicitor-client privilege. To verify the existence of the
privilege, which could justify a denial of access, the Privacy Commissioner
ordered production of the withheld documents pursuant to the Personal
Information Protection and Electronic Documents Act (PIPEDA). The Blood
Tribe Department of Health challenged the legality of the Commissioner’s order
and the case was heard by the Federal Court in 2006. The Federal Court ruled
that, in order to effectively conduct an investigation, the Privacy
Commissioner had the authority to compel production of documents over which
solicitor-client privilege was claimed. [Source
and at news.gc.ca]
Newfoundland and Labrador is unveiling a new, more secure and durable birth certificate,
which has many features to help combat identity theft and fraud. Newfoundland
joins the provinces of Nova Scotia, British Columbia, Manitoba and Alberta in
issuing this new format of birth certificate. As well, several other Canadian
jurisdictions are planning to implement the new certificate during 2008. [Source]
Employees with access to customer data regularly peruse the information, according to a
recent report. A review of data obtained from a Milwaukee-area public utility
showed that employees at the utility used their access to look up information
about tenants, former boyfriends and local celebrities, among others.
The customer data available to employees included credit and banking info,
payment histories, Social Security numbers and other personally identifiable
information. [Source][Source][Source]
Financial news service Bloomberg is reporting that London-based Reed Elsevier will buy
Alpharetta, Georgia-based ChoicePoint for $3.5 billion. The purchase will
combine ChoicePoint’s data brokerage service with Reed Elsevier’s LexisNexis
database to create what Bloomberg describes as a “risk-management business with
$1.5 billion in sales.” In addition to data brokering, ChoicePoint offers risk
mitigation services for commercial insurance, automated claims tracking
software and document search services. [Source]
A new OECD paper reviews available official statistics on trust and security in
the online environment. It discusses whether security concerns are an obstacle
to Internet use and examines how people and companies protect their equipment
and networks. The paper, prepared by the OECD Directorate for Science,
Technology and Industry, was discussed by the Working Party on Indicators for
the Information Society in 2007 and transmitted to the Committee for
Information, Computer and Communication Policy. [Source] See also: [Survey
paints bleak picture of public trust in U.S. government]
The Harmonizing State Privacy Law Collaborative is pushing for a standardized
interstate system for sharing electronic health records (EHR) by 2009. The
Collaborative wants to establish, by the end of this year, a framework for the
development of a network for sharing EHRs between healthcare organizations,
including across state lines. Medical privacy and data security would be priorities for the
group, whose member states currently include Florida, Michigan, Idaho, Kansas,
Kentucky, Missouri, New Mexico and Texas. [Source] [Draft
Document: Privacy
and Security Solutions for Interoperable Health Information Exchange] See
also: [HIE’s top
state e-health agendas] [States Report
Progress on Health IT Privacy] and [Strengthen privacy
protections for e-health data, top panel recommends] [NCVHS HHS Report] and [Wisconsin Seeks
Changes to Health Data Privacy Laws] and [NYC Unveils State-of-the-Art Electronic Health
Record Technology] and [Medical
identity theft is often an “inside job” ]
Google will begin storing the medical records of a few thousand people as it tests a
long-awaited health service that’s likely to raise more concerns about the
volume of sensitive information entrusted to the Internet search leader. The
pilot project announced last week will involve 1,500 to 10,000 patients at the
Cleveland Clinic who volunteered to an electronic transfer of their personal
health records so they can be retrieved through Google’s new service, which
won’t be open to the general public. Each health profile, including information
about prescriptions, allergies and medical histories, will be protected by a
password that’s also required to use other Google services such as e-mail and
personalized search tools. Google views its expansion into health records
management as a logical extension because its search engine already processes
millions of requests from people trying to find more information about an
injury, illness or recommended treatment. [Source]
[Source]
See also: [Google
not covered by the US Health Insurance Portability and Accountability Act
(HIPAA) ] [Googling
Medical Records Gets Mixed Reactions] and [World
Privacy Forum released a report of health privacy]
The Washington State legislature is considering a ban on medical data mining by
pharmaceutical sales organizations. The bill would prevent drug companies from
obtaining prescription data for the purpose of marketing their products to
medical offices. Similar laws have already passed in Vermont, New Hampshire and
Maine, but the laws in Maine and New Hampshire were overturned following
legal challenges by the pharmaceutical industry. [Source]
Want to break into a computer’s encrypted hard drive? Just blast the machine’s
memory chip with a burst of cold air. That’s the conclusion of new research out
of Princeton University demonstrating a novel, low-tech way hackers can access
even the most well-protected computers, provided they have physical access to
the machines. The Princeton report shows how encryption, long considered a
vital shield against hacker attacks, can be defeated by manipulating the way
memory chips work. The researchers say the ease of their attack raises fears
about the security of laptop computers increasingly used to store sensitive
information. Freezing a dynamic random access memory, or DRAM, chip, the most
common type of memory chip in personal computers, causes it to retain data for
minutes or even hours after the machine loses power, the report found. That
data includes the keys to unlock encryption. [Source] [Source] [Paper][PGP Responds
to Cold Boot Attack Paper] [Encryption may
not be enough] See also: [Enclosed but
not Encrypted] and [GSM
for Cellphones Being Cracked]
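The key-recovery step behind the attack, as an added example that is not the Princeton team’s tooling and not code from this page: an in-use AES-128 key normally sits in RAM beside its expanded round keys, so a scanner can treat every 16-byte window of a dump as a candidate key, expand it, and check whether the 160 bytes that follow match, tolerating a few flipped bits from decay. The 4 KiB memory image is constructed inline (seeded pseudo-random filler with the FIPS-197 test key’s schedule embedded twice, once intact and once with three decayed bits); the offsets, the error budget and the assumption that decay hits only the round keys and not the key bytes themselves are choices made for this example.

```python
"""Scan a memory image for AES-128 keys by recognising their key schedule."""
import random


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _gf_inv(a):
    """a^254 == a^-1 in GF(2^8), by square-and-multiply."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = _gf_mul(r, a)
        a = _gf_mul(a, a)
        e >>= 1
    return r


def _build_sbox():
    """FIPS-197 S-box: multiplicative inverse followed by the affine map."""
    sbox = []
    for x in range(256):
        b = _gf_inv(x) if x else 0
        s = b
        for i in range(1, 5):
            s ^= ((b << i) | (b >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key(key):
    """AES-128 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]            # RotWord
            t = [SBOX[b] for b in t]     # SubWord
            t[0] ^= RCON[i // 4 - 1]     # Rcon
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)


def _hamming(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(image, max_bit_errors=0):
    """Return (offset, key, bit_errors) for each 16-byte window whose expansion
    matches the following 160 bytes within max_bit_errors flipped bits.
    Simplification: decay is assumed to hit only the round keys, so a window
    whose key bytes themselves decayed is not recovered."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = image[off:off + 16]
        errs = _hamming(expand_key(cand)[16:], image[off + 16:off + 176])
        if errs <= max_bit_errors:
            hits.append((off, cand, errs))
    return hits


def build_sample_image(seed=1, size=4096):
    """Constructed 4 KiB 'dump' (not a real capture): pseudo-random filler with
    the FIPS-197 test key's schedule at 0x400 and a copy whose round keys have
    three decayed bits at 0x800."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    sched = expand_key(key)
    buf[0x400:0x400 + 176] = sched
    decayed = bytearray(sched)
    for pos in (20, 77, 150):      # all beyond byte 16, i.e. in the round keys
        decayed[pos] ^= 0x10
    buf[0x800:0x800 + 176] = decayed
    return bytes(buf), key


if __name__ == "__main__":
    image, key = build_sample_image()
    for budget in (0, 8):
        hits = find_aes128_keys(image, budget)
        print(f"<= {budget} bit errors:",
              [(hex(o), k.hex(), e) for o, k, e in hits])
```

With an error budget of zero only the intact copy at 0x400 is reported; with a budget of eight both copies are, each yielding the same key. Real DRAM decay is biased towards a ground state rather than uniformly random, and the full attack also repairs errors in the key bytes themselves; the practical countermeasure is to keep keys out of DRAM where possible and to scrub them on suspend and shutdown rather than rely on the machine being powered off.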
The Art. 29 WP elected its new chairman and vice chairman, decided upon its work
programme for the next two years, adopted an opinion on children’s privacy,
resolved to continue its joint enforcement measures, and prepared for the next
Safe Harbor Conference to take place in Brussels later this year. The Art. 29
WP elected Alex Türk, the head of the French Data Protection Authority as its
next chairman. Jacob Kohnstamm, the president of the Dutch Data Protection
Authority, became the new vice chairman. [Source]
[Source].
European data privacy regulators said that Internet search engines based outside Europe
must also comply with EU rules on how a person’s Internet address or search
history is stored. EU rules requiring that someone consent to their data being
collected, and giving individuals the right to object or to verify their information,
apply to search engines, the regulators’ group said in a short statement as
they prepare a full report due by April. [SiliconValley.com]
The UK government faces calls to scrap a database containing the details of every
child in England after a report said it could never be secure. The report, by
accountants Deloitte & Touche, was ordered after last year’s missing data
discs crisis. ContactPoint will begin operation in September or October this
year, five months later than planned. It will list the name, address and date
of birth of every child in England and contact details for their parents,
doctors and schools. Every child will be given a “unique identifying number”. [Source]
New research lays out the cost of a data breach in the UK, and finds most such
incidents are caused by lost laptops or other devices. The average cost of a
data breach is £47 per record, and the bulk of that cost is from lost business.
The study, by the Ponemon Institute, contacted every UK company known to have
suffered a data breach in the past year. Some 21 organisations across eight
sectors replied. The average total cost for the companies which took part in the
survey was £1.4 million, although some topped out at £3.8 million. Lost business
accounts for 46% of the total cost of a data breach, as a loss of trust leads to
higher churn and higher customer acquisition costs. Churn climbs by some
2.5% on average, but some firms saw rates as high as 4%. The rest of the cost
is made up of notification (£1 per record), detection (£15) and ex-post
activities (£15), the costs incurred after the event to help victims monitor
their credit or to reissue account cards, for example. “Notification is
not the biggest part of the cost. The largest point is loss of customers.” [Source] [Lost
Mobile Devices Behind Most UK Breaches]
The British tax authorities have paid an informant for the bank details of scores
of wealthy Britons. The records were stolen from one of the world’s most
secretive tax havens. HM Revenue & Customs paid £100,000 for data that it
is using to launch investigations of up to 100 British citizens who have
accounts at Liechtenstein’s biggest bank. British authorities regard it as a
coup to have penetrated accounts that have been beyond their reach for decades.
“There will be many frightened people who thought Liechtenstein was secure,”
said a City accountant. The bank informant has already provoked a storm in
Germany by selling data on 750 wealthy Germans’ accounts to the country’s
intelligence service for £3.2m in January last year. The suspected
whistleblower, accused of stealing data from the bank, was sacked and convicted
of fraud. He also offered data to tax authorities in America, Canada, Australia
and France. [Source]
The government of Liechtenstein is rewriting the rules governing its financial
foundations, used as tax havens by many wealthy Europeans, to protect the
identities of account holders. The move was made following a tax evasion
scandal in Germany involving the foundations. While Liechtenstein said it would
cooperate and share information with governments in cases where there was
evidence of criminal activity, it refuses to budge on requests to provide the
names of account owners simply because they may be using foundations to avoid
paying taxes. Liechtenstein’s justice minister said, “If someone puts their
money in a mattress to avoid paying taxes, I can’t say, ‘You have to stop
making mattresses.’” [Source]
A controversial website that allows whistle-blowers to anonymously post government
and corporate documents has been taken offline in the US. Wikileaks.org, as it
is known, was cut off from the internet following a California court ruling,
the site says. The case was brought by a Swiss bank after “several hundred”
documents were posted about its offshore activities. [BBC] Update: [Whistleblowing
website vows to defy court gag] [Public
Support Grows for Wikileaks]
The Association of Government Accountants (AGA) released a survey of public
attitudes about government transparency and accountability. The survey,
conducted by Harris Interactive, revealed a “deep dissatisfaction among the
American public with both the availability of government financial information
and the way it is delivered to the people. Much of this dissatisfaction has to
do with issues of trust and a gap between what the public expects and what is
actually delivered. The survey also captured information relating to how the
public would use fiscal information, were it provided to them in a usable
form.” The survey was commissioned as part of AGA’s flagship Advancing
Government Accountability campaign. [Source] [Survey]
[Powerpoint]
The UK Home Office has admitted that a mandatory DNA database “would raise
significant practical and ethical issues”. The DNA database, which covers
England and Wales, currently contains around 4.5m profiles - routinely taken
from criminal suspects after most arrests. It is already the largest of its
kind in the world but is controversial. Since 2004, the data of everyone
arrested for a recordable offence - all but the most minor offences - has
remained on the system regardless of their age, the seriousness of their
alleged offence, and whether or not they were prosecuted. The Association of
Chief Police Officers (ACPO) is also calling for a debate on the issue. Said
the Home Office minister: “How to maintain the security of a database with 4.5m
people on it is one thing. Doing that for 60m people is another.” [Source] See also: [Scientists say they can track people’s
movements using hair] See also: [Washington Senate
votes to expand criminal DNA database] [Tennessee
DNA law creates police confusion]
The World Privacy Forum has published a new legal and policy analysis examining
Personal Health Records – or PHRs – and the privacy issues associated with
them. This analysis, Personal Health Records: Why Many PHRs Threaten Privacy,
was prepared by Robert Gellman for the World Privacy Forum. The analysis finds
that significant, serious threats to privacy exist in some PHRs. [Report] See also: [Georgetown Law
Journal: Public
Health Surveillance in the Twenty-First Century: Achieving Population Health
Goals While Protecting Individuals’ Privacy] and also: [New
California Law Strengthens Health Data Privacy]
A Saskatoon man who has been battling the Saskatchewan Cancer Agency for a
complete copy of his health records is taking his plight to court. Since
November 2005, Peter Hnatuk, who has prostate cancer, has been asking the
agency to give him his entire medical record so he can seek a second opinion
from a Calgary doctor. With the help of an advocate, Hnatuk was able to wrest
most of his record from the agency. It is withholding 12 pages it says could
put staff in jeopardy if released to him. Hnatuk appealed to the province’s
privacy commissioner. In November, the commissioner released a report saying
the agency made a mistake when it withheld part of Hnatuk’s record. However,
the commissioner’s decisions are not binding, and the agency still refuses to
hand over the records. Now, according to court documents, Hnatuk is asking a
Queen’s Bench judge to order the agency to release the whole document. “I seek
disclosure of my entire file with (the agency) because I am entitled to access my
personal health information and because it may be relevant to my health and my
treatment options,” Hnatuk says in an affidavit to the court. The problem with
releasing the information, according to the cancer agency, is that Hnatuk was
abusive and threatening to cancer agency staff and releasing the records might
put workers at risk. In his ruling, the privacy commissioner said dealing with
angry or unpleasant people is part of the business of health care and does not
deny a patient the right to his personal health records. [Source]
Dallas-based Tenet Healthcare Corp. last week sent out notices to about 37,000 patients
informing them about the potential compromise of their personal and financial
data. The warning came after a former data processor at a Tenet bill-processing
center in Texas was arrested last month and subsequently pleaded guilty to
five counts of fraudulent possession and use of identification information
stolen from Tenet. [Source]
British government officials disclosed that government agencies have lost hundreds of
laptop computers, PDAs and mobile phones either through theft or negligence
since 2001, according to Silicon.com. Among the offending agencies are the Ministry
of Justice (341 devices), Department for International Development (61
devices), Northern Ireland Office (33 devices) and Department for Communities
and Local Government (33 devices). [Source]
SEE ALSO: [Disc
Of Suspects’ DNA ‘Mislaid’ For A Year] [ICO:
Financial Services Firm Violated Data Protection Act] [Source]
and: [Lawyers Fined £815 by the
Information Commissioner for Data Security Failures] and [Marks & Spencer
ordered by ICO to encrypt data after laptop theft]
More than 171,000 Irish blood donors whose personal details were on a computer
stolen in New York earlier this month will be contacted by the Irish Blood
Transfusion Service (IBTS) this week. The blood service said yesterday it was
very concerned at the theft of the laptop on February 7th and while records
were securely encrypted on the computer, there was a “remote” chance the data
might be accessed by a third party. [Source]
Liberty Alliance, a global identity consortium, has announced the launch of a global
public forum formed to develop an interoperable, secure and privacy-respecting
information exchange system for the healthcare sector. The Liberty Alliance
Health Identity Management Special Interest Group (HIM SIG) is leveraging the
Liberty Alliance model of addressing the technology, business and privacy
aspects of digital identity management to meet the unique identity management
and regulatory challenges facing the international healthcare industry. Members
are working to address how the healthcare industry will deliver secure identity
management solutions that meet global regulatory mandates and ensure patient
privacy. The public group is working closely with the Liberty Identity
Assurance Expert Group to ensure requirements for standardized and certified
identity assurance levels in the healthcare sector meet criteria established in
the policy-based Liberty Identity Assurance Framework. [Source]
[Background]
[Background]
See also: [Firewalls
a useless relic, says expert: need to focus on identity access management]
[New
Zealand Privacy review finds technology outpacing the law]
Canadian travellers will be issued a higher-security electronic passport starting in
2011 that will be valid for 10 years instead of the current five, the federal
budget announced yesterday. Details of the new passport were contained in a
two-year, $165-million spending package aimed at enhancing border security
while still keeping people and goods moving. The introduction of the new
passport is the most novel of the new security measures outlined in the budget.
The government announced its intention four years ago to move to upgraded
passports, but key details emerged in this week’s budget. [Source]
See also: [Demand for
Hybrid Driver’s Licenses High in Washington]
The German Home Office has confirmed that a new electronic identity card for German
citizens will incorporate the use of pseudonyms for secure web access.
According to the plans of the German Home Office, a credit card sized
electronic identity card will be introduced in 2009. It will replace the
larger, non-electronic identity cards currently in use. “Apart from the usual
personal information, the electronic identity card will contain biometric
information, in particular digital fingerprints of both index fingers, and
additional information for facial recognition”, said secretary of state August
Hanning, who confirmed that the new identity card will contain a pseudonym
function. In a leaked letter, Hanning stated that the card could be used as a
“passport for the internet” in the future. “The new identity card offers the
possibility of an electronic identity proof for E-Government- and
E-Business-applications.” [Source]
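What a per-service pseudonym function buys the holder, as an added Python illustration that is not the German card’s actual protocol (which the page does not describe) and not code from this page: the card keeps a secret that never leaves it and derives one stable identifier per service, so each service recognises a returning holder while two services cannot join their user tables on the identifier. The keyed-hash derivation, the service names and the card secret are assumptions made for the example.

```python
"""Toy model of a card-held secret that yields unlinkable per-service pseudonyms."""
import hashlib
import hmac


class IdCard:
    """The secret stays inside the card object; only pseudonyms are exported."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def pseudonym(self, service_id: str) -> str:
        # Assumption for the example: HMAC-SHA256 of the service identifier
        # under the card secret. Same card + same service -> same value;
        # without the secret, values for two services cannot be related.
        return hmac.new(self._secret, service_id.encode(), hashlib.sha256).hexdigest()


class Service:
    """A relying party that stores only the pseudonym it was given."""

    def __init__(self, service_id: str):
        self.service_id = service_id
        self.accounts = {}            # pseudonym -> profile

    def login(self, card: IdCard):
        """Return (pseudonym, is_new_account) and bump the visit counter."""
        p = card.pseudonym(self.service_id)
        is_new = p not in self.accounts
        profile = self.accounts.setdefault(p, {"visits": 0})
        profile["visits"] += 1
        return p, is_new


def linkable(a: Service, b: Service) -> bool:
    """Could two services join their tables on the pseudonym column?"""
    return bool(set(a.accounts) & set(b.accounts))


if __name__ == "__main__":
    card = IdCard(b"constructed-card-secret-for-demo")
    shop, tax = Service("shop.example"), Service("tax.example")
    print(shop.login(card))          # new account at the shop
    print(shop.login(card))          # recognised on return, same pseudonym
    print(tax.login(card))           # different pseudonym at the tax office
    print("linkable:", linkable(shop, tax))
```

Because the derivation is keyed by the card secret, an observer holding both services’ databases gains nothing from the identifiers themselves; linking would require either the secret or a side channel such as the same e-mail address being registered at both sites.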
The RIAA has sent another wave of pre-litigation settlement letters to universities
this week for its member labels. Another 401 letters went to administrators of
12 universities, who were asked to forward them to the individuals associated
with certain specified IP addresses. [Billboard]
The stereotype of a pedophile masquerading as a teen on the Internet to stalk naive
young victims is not only false, it’s also distracting parents, educators and
policy makers from addressing the sex crimes that are being initiated via the
Internet, according to a new paper. Almost all online-initiated sex crimes
involve adults openly seducing teenaged victims into sexual relationships,
according to data culled from two surveys of 3,000 Internet users aged between
10 and 17 and one involving more than 2,000 U.S. federal, state and local
law-enforcement agencies, most specializing in sex crimes against minors.
Internet offenders pretended to be teenagers in only 5% of the crimes
studied by researchers at the University of New Hampshire’s Crimes Against
Children Research Center. They also found that nearly 75% of victims who met
offenders face to face did so more than once. Very few cases involved violence,
stalking or abduction. As well, none of the victims were under 12 years of age,
a finding that contrasts sharply with conventional, “offline” child
molestation, which includes a large proportion of victims younger than 12. The
authors say it’s premature to talk about the Internet as an established
facilitator of sex crimes outside of the possession and distribution of child
pornography. “It’s not clear that the Internet is spawning a new wave of
crime.” The authors offer a number of prevention and public policy
recommendations aimed at reaching teens identified as high risk. [Source]
[Study news
release] [Fact
Sheet] See also: [Online
Photos Not as Private As District Mother Assumed]
Australian High Court Judge Justice Kirby says computer code is more potent than the law
and that legislators are powerless to do anything about it. Technology has
outpaced the legal system’s ability to regulate its use in matters of privacy
and fair use rights, said Kirby. Kirby said the judicial system has faced
difficulties in coping with changes the Internet and computing have brought.
While the soon-to-be-reviewed Privacy Act has incorporated key privacy
principles such as “usage limitation”--which states that data collected about
an individual cannot be used for other purposes, except by the approval of the
law or the person’s consent--Google and Yahoo have rendered that principle
defunct, Kirby said. [Source]
SEE also: [Experts Say
UK Filesharing Law ‘Unworkable’ ]
Google has responded to European regulators who have suggested that Internet Protocol
addresses of users be considered personally identifiable information. Not
surprisingly, it disagrees. In a post on the Google Public Policy Blog, Alma
Whitten, a software engineer, points out that the IP address assigned
to any one computer is often changed on a regular basis by the Internet provider that
serves that computer. She argues that even fixed IP addresses, those
permanently assigned to a given computer, are not personal information,
because a website does not know who is using that computer. [Source] [Google’s Posting] [Coverage]
Enduring backlash from subscribers and critics over an account deletion process that was
both difficult to navigate and which some alleged did not completely erase a
former subscriber’s data, Facebook says it has fixed the problem. The New
York Times reports that those who attempted to delete accounts using Facebook’s
new form experienced some glitches, but that the company fixed the problem
within 24 hours. Facebook CPO Chris Kelly, CIPP, confirmed this week that,
following the fix, the new process “removes all personal information from the
account.” [NYT]
Roderick Woo Bun, the Hong Kong privacy commissioner for personal data, is calling for
reforms to existing privacy law that would make transmitting personal
information about an individual without their consent a punishable offense. The
issue, which was already being considered, has taken on new urgency following
the distribution of compromising images, including nude photos, of a celebrity
with other Hong Kong performers. [Full
Story]
Pending South African data protection law has been held up in process and is not
expected to be enacted before 2009. The South African Law Reform Commission is
working on the Protection of Personal Information Bill, which is
intended to help protect people from abuse of their personally identifiable
information by holding individuals and organizations criminally responsible for
failing to adequately protect information, and requiring notice if a breach
occurs. The bill is awaiting action by the justice department. [Source]
Proposed changes to Australia’s Privacy Act would require organizations to notify
individuals in the event of a data breach involving their personal information,
and would give the privacy commissioner enforcement powers under
individuals, and would give the privacy commissioner enforcement powers under
the Act and the ability to make amendments based on technology-based changes.
Under the proposed changes, notice requirements would be used as an incentive
to provide protections, but would not impose undue burden on companies.
Speaking at a security conference, Andrew Hayne, deputy acting director for the
Office of the Privacy Commissioner, said, “Notification should only be needed in
cases where breaches could cause serious harm [to customers] such as financial
damages or risk of discrimination or embarrassment.” [Source]
[New Zealand Privacy Commissioner Wants Mandatory Breach Notice]
Nearly two years after an embarrassing flap in which veterans’ personal information
was put at risk of identity theft, federal agencies are still not doing all
they can to prevent further lapses, investigators have found. Most of the two
dozen federal agencies examined by the Government Accountability Office had not
implemented five federal recommendations aimed at protecting personal
information. Only two agencies met each of those recommendations. Two others
had met none of them, the GAO found. The other 18 agencies met the
recommendations to varying degrees. [Source]
[Source]
Missouri Attorney General Jay Nixon is suing a Texas Web site operator in Jackson County
Circuit Court for running a site that aggregates consumer data, in some cases
including sensitive information such as SSNs and physical descriptions. Nixon
claimed that paying users of www.publicdata.com can access wide-ranging
personal information, which can turn into a treasure trove for criminals.
[Kansas City Business Journal]
According to ClickZ, the Federal Trade Commission has opted to take a “wait and see”
approach to new privacy guidelines put forth by the Interactive Advertising
Bureau (IAB). The IAB’s guidelines touch broadly on five areas of concern to
the FTC, including notice, collection, use, security and accountability. By
design the guidelines are vague, the IAB says, but the FTC has decided to give
the industry time to debate the matter and adjust practices before it decides
if further action is warranted. The FTC is also waiting for the April 11
deadline for public comment on its own guidelines to pass before deciding its
next step. [Source]
[IAB Privacy Guidelines] [FTC Principles]
Adam Laurie, an RFID security expert, used the Black Hat DC 2008 conference to demonstrate a new Python script he’s working on to
read the contents of smart-chip-enabled credit cards. As part of his presentation Wednesday, Laurie asked for someone
from the audience to volunteer a smart card. Without taking the card out of the
volunteer’s wallet, Laurie both read and displayed its contents on the
presentation screen--the person’s name, account number, and expiration clearly
visible. Demonstrations like that show the potential misuse of RFID technology
in the near future. Without touching someone, a thief could sniff the contents
of an RFID-enabled credit card just in passing. The same is true for embedded
RFID chips in the human body, work access badges, some public transit cards,
and even the new passports in use in more than 45 countries. Laurie, who has an
injected RFID tag, showed how easy it was not only to read the tag, but also to
re-write the tag. During his demo, he used the coding sequence reserved for
animal tagging to have his RFID chip declare him an animal. On his RFIDiot Web site, Laurie offers the Python
scripts free of charge and also sells the hardware necessary to read and write
to RFID tags and cards. [Source]
The European Commission has published a preliminary guideline on RFID usage, with
an emphasis on protecting consumers from unwarranted access and use of personal
information. The guideline is seen as the starting point for industry dialog
that will result in establishing security and privacy standards in keeping with
European privacy law. The preliminary draft offers a number of recommendations,
including privacy risk assessments, codes of conduct and provisions for
government oversight. Other proposals are for use of a symbol indicating which
products may be fitted with RFID tags, and automatic disablement of RFID tags
at the time of purchase. Speaking for the Commission, Martin Selmayr said the
guidelines are intended to help promote RFID. “The new technology will only
take off in a sound environment where data protection is safeguarded,” Selmayr
said. [Source]
[Source]
[EU website] [Industry coverage and response]
The deployment of RFID in a large number of application areas is promising. This
paper introduces the main characteristics of RFID technologies and focuses on
the information security and privacy aspects of RFID in the short term. It will
be complemented by an overview of RFID applications and an analysis of economic
aspects of RFID carried out by the OECD Working Party on the Information
Economy (WPIE). Later on, and based on both sets of work, a common set of
policy principles related to RFID will be developed. This report represents
the first step of OECD work related to sensor-based environments. Follow-up
work will address security and privacy issues raised by a number of possible
longer-term trends such as the generalisation of object tagging (pervasive
RFID), of open loop RFID and of other sensors and sensor networks that can
monitor the environment. (Source: www.olis.oecd.org) See also: [GS1, ETSI, CEN Establish Global RFID Standards Forum]
According to an anonymously obtained copy of a non-public Federal Deposit Insurance
Corporation (FDIC) quarterly Technology Incident Report, financial
institutions in the US experienced a considerable increase in the number of
intrusions leading to account hijackings and stolen money over the last year.
The report indicates that the cost of these breaches is increasing for all
involved - banks, businesses, and consumers. The report looks into suspicious
activity reports, or SARs. Banks are required to report fraudulent and
suspicious transactions of US $5,000 or more. The report says that the average
cost per SAR in the second quarter of 2007 was US $29,630; the average cost per
SAR in the same period a year earlier was US $10,536. The majority of SARs were
classified as “unknown unauthorized access - online banking.” The report
suggests that Trojan horse programs and keystroke loggers are used in many
instances of unauthorized access. [Source]
[Source]
Utah House Committee United In Rejecting REAL ID Program: A Utah House committee has unanimously passed a bill
that would prohibit implementation in Utah of the federal Real ID program. [Source] --- West Virginia
Senator wins round one in war over Real ID card: After two airings of his
bill to block West Virginia’s participation in the controversial ID card, the
Senate Transportation and Infrastructure committee agreed Wednesday to endorse
it. [Source]
--- New Hampshire’s Governor drafting letter to delay Real ID enforcement:
N.H.-Gov. John Lynch is drafting a letter to ask federal authorities to delay
enforcing the Real ID law on New Hampshire residents so they don’t encounter
problems boarding airplanes and entering federal buildings starting in May. [Source]
--- Pennsylvania Political opposites join in REAL ID fight: One of the
Pennsylvania General Assembly’s most conservative members and one of its most
liberal have teamed up in a bid to block a federal program they say would put
the personal privacy of millions of Americans at risk by creating a national
identity card. State Rep. Samuel Rohrer, R-Berks, and Rep. Babette Josephs,
D-Philadelphia, are co-sponsoring legislation that would bar the implementation
of the federal REAL ID program in Pennsylvania. [Source]
--- Alaska Lawmakers oppose national ID by opposing funds for it ---
A little-noticed system that allows printed documents to be tracked by government
agents has gotten the attention of the EU Commissioner for Justice Freedom and
Security, who says the technology may violate EU human rights guarantees. The
technology is baked into many popular color laser printers and photocopiers,
including those made by Brother, Canon, Xerox and HP, according to a list
compiled by the Electronic Frontier Foundation. It embeds almost invisible
tracking dots onto documents that uniquely identify the machine that printed
them. This enables the tracking of currency counterfeiters, but the EFF has been
warning for years there’s nothing that prevents government spooks from using
them for broader types of surveillance. Those concerns have at last found a
home with Commissioner Franco Frattini. “To the extent that individuals may be
identified through material printed or copied using certain equipment, such
processing may give rise to the violation of fundamental human rights, namely
the right to privacy and private life,” he wrote last month in response to a
question about the legality of the system. “It also might violate the right to
protection of personal data.” [Source]
[Source] [Printer Listing from EFF]
A Madison man allegedly stalked his wife, a Madison police officer, by placing
GPS devices in her vehicles, using sophisticated computer software to track her
movements through her cell phone and hacking his way into the Madison Police
Department’s human resources computer program to learn her work schedule.
Dustin Farberg faces charges on felony counts of stalking, identity theft and
vehicle theft and a misdemeanor computer crime for the alleged three-month-long
stalking of both his wife and another police officer with whom she was having an
affair. [Source]
In a ruling that has national ramifications, a B.C. Supreme Court judge has struck
down a section of the Criminal Code that allowed police to intercept private
conversations without a judge’s authorization. The section applied to emergency
situations when a person’s life is in danger. Justice Barry Davies ruled last
Friday that Section 184.4 of the code is unconstitutional because it violates
the “Section 8” rights of six people accused of kidnapping. Section 8 of the
Charter of Rights and Freedoms covers the right to be free from unreasonable
search and seizure. Since the ruling was made by a justice of a superior court,
it applies across Canada. But it will not take effect immediately. While Davies
declared the law was constitutionally invalid, he decided his ruling will not
take effect for either 18 months, or 30 days after the charges in the case in
question have been resolved, whichever is longer. That will give Parliament
time to fix the deficiencies in the law. In an excerpt of his ruling made
public Monday, Davies said he was particularly concerned about the lack of a
requirement for notice to be given to persons whose communications have been
intercepted, and the lack of any requirement for police to report to the
government justice officials when they have used the section. Notice would at
least provide a constitutional safeguard, he said. [Source] [Ruling] SEE ALSO: [Canadian Constitutional challenge launched over search warrant] and also: [U.S. Supreme Court rejects domestic wiretap appeal] and [Supreme Court dismisses challenge to Bush’s wiretapping policy]
Germany’s highest court ruled Wednesday that spying on individuals’ personal computers
violates their right to privacy, restricting security officials’ ability to use
virus-like software to monitor suspected terrorists’ online activity. The Constitutional
Court in Karlsruhe said security services could carry out such activity only in
exceptional cases and with a judge’s permission beforehand. [Source]
Annual shipments of GPS-enabled phones will grow rapidly over the period 2008-2012
according to Research and Markets. GPS phones will account for 37 percent of
all shipments (535 million), according to a new report. The number of users of
mobile location services accessed via GPS phones is also expected to grow
strongly. The report predicts that by 2012 the worldwide user base of the most
popular location-enabled services, navigation and mobile social networking,
will reach 150 and 127 million respectively. This growth in the availability of
handset location information (LI) raises many questions about the degree to
which users can be protected from potential abuses of their LI. The report’s
analysis of the emerging LBS market reveals that there is a potential for
serious abuses of location privacy in cases where the use of location
information has not been adequately regulated. [Source] [Details]
At the Black Hat conference this week, two tech whiz kids demonstrated a technique
for capturing and decrypting cellular telephone conversations broadcast using
the GSM standard, used by such carriers as AT&T, Cingular and T-Mobile.
According to Forbes, the pair said they soon plan to make their breakthrough, a
process which takes about 30 minutes, available to the public. In the meantime,
anyone wishing to purchase a system that can accomplish the feat in 30 seconds
may do so by paying between $200,000 and $500,000. [Source]
See also: [Cell Phone Service Providers Start Global NFC Initiative]
A company owned by international airlines said it has won approval from the U.S.
for a system providing passenger details to U.S. border authorities almost
instantaneously. The Geneva-based SITA information technology firm said the
system allows airline check-in desks to get the go-ahead within 2 seconds from
the U.S. Customs and Border Protection service to issue a boarding card. [Source]
The White House is questioning the need for many changes to the Federal
Information Security Management Act (FISMA) described in the Federal
Agency Data Protection Act. One section would require US government
agencies to inform Congress about the methods they are using to protect their
systems from the risks of peer-to-peer file sharing programs. The objection to
this element stems largely from a reluctance to focus on a specific technology
in outlining security requirements. The proposed legislation “would [also]
require agencies to develop policies and plans to identify and protect personal
information and to develop requirements for reporting data breaches.” Office of
Management and Budget (OMB) administrator for e-government and information
technology Karen Evans is resistant to some of the proposals because they could
“seriously impact established security and privacy practices while not
necessarily achieving the outcomes of improved privacy and security.” The
bill’s sponsor, Representative William Clay (D-Mo.) maintains that it “would
move us toward more rigid security requirements while staying within the FISMA
framework.” [Source]
[Source] [Bill]
As part of a comprehensive effort to prevent identity theft, Connecticut Governor
M. Jodi Rell has submitted a legislative proposal to create a new privacy
protection statute while strengthening criminal provisions and enforcement
associated with identity theft. The Governor’s bill:
• Upgrades the crime of criminal impersonation from a class B misdemeanor to a class A misdemeanor (term of imprisonment up to one year, fine up to $2,000);
• Creates a new criminal statute making it a crime to possess access devices, document-making equipment and authentication implements for the purpose of obtaining, tampering with, or using the personal identifying information of another person;
• Requires the court to issue an order of restitution against the guilty party to allow full compensation for the victims;
• Extends the statute of limitations for filing a lawsuit pursuant to this section from two years to three;
• Creates a new privacy protection statute that will prevent the stealing and misuse of personal identifying information, including social security numbers, by businesses; and
• Amends the asset forfeiture statute to provide for forfeiture of any money, proceeds, property or goods obtained directly or indirectly from a violation of identity theft statutes. [Source]
Alaska State Senate President Lyda Green, along with a bipartisan coalition of
lawmakers, has introduced a bill that would create a statewide database of
Alaska residents receiving certain prescription drugs. Senate Bill 196 is
designed to provide a system that would alert pharmacists of potential abuse,
but some fear that the creation of such a database would pose a threat to the
privacy of individuals should the information fall into the wrong hands, or be
used for purposes other than its original intent. As written, the bill would
require a record of the patient’s name, prescribing doctor, prescription dates,
pharmacy and method of payment. [Source]
The Washington State House of Representatives has approved a privacy bill
addressing concerns related to the use of personally identifiable information
in conjunction with RFID technology. HB1031,
sponsored by Rep. Jeff Morris, would make it a felony to “skim” RFID tagged
items in order to capture an individual’s personal data and would prohibit
vendors from capturing and retaining PII contained on an RFID tag without the
user’s consent. The bill provides exemptions for organizations and educational
institutions using RFID-enabled devices to provide emergency services or while
conducting research. [Source] [HB1031]
--------