Privacy News Highlights

29 April–15 May 2008


Contents:

EU – New Biometric Passports Introduced in France
US – IBM Joins Lockheed Martin for FBI’s Next Generation Identification Program
CA – Airport Employee Iris-Scan, Fingerprint System Updated
UK – Canadian Shoppers Foresee Fingerprint Scanning
CA – Ontario & B.C. Privacy Commissioners Issue Joint Message About PHI
CA – Random Searches Curbed by Supreme Court
CA – Manitoba to Overhaul Access and Privacy Acts, Hire Privacy Chief
CA – Office Equipment Stores Personal Data
US – FTC Hears Mobile Marketing Complaints
CA – Data Breach Notification Proposal is Carte Blanche for Business Data Spills
CA – Ottawa Should Follow Same Personal Privacy Rules as Business: Commissioner
IT – Italy Posts Income Details On Web
UK – HMRC Staff Sacked For Data Breaches
AU – ACS Supports Privacy Laws, Calls for E-Mail Safeguards
US – FTC Approves New Rules for CAN-SPAM
US – Myspace Reports It Has Won $234 Million Spam Judgment
CA – N.B. Ombudsman Says the Government Failed to Protect Health Information
US – Breaches Undermine Electronic Records Effort
HK – Hong Kong Sets Up Task Force on Patient Data Security
US – Privacy Enforcement Data on Web Site
WW – Xerox Showcases Erasable Paper, Smart Documents
UK – New Law Will Allow UK ICO to Impose Big Fines for Reckless Data Disclosure
EU – Irish Data Protection Commissioner Issues Annual Report
UK – Anger Over Council Use of Spy Laws
CA – 80% of Canadians Grant Statscan Access to Their Tax Records: Census
CA – Bell Canada Hit With Privacy Complaint Over Deep Packet Inspection Practices
UK – Revised British Banking Code Could Place Fraud Liability on Customers
EU – Payment Fraud Moves to Internet in Europe, says European Commission
CA – Tories Kill Access to Information Database
US – Genetic Data Bill Lacks Privacy Protections, Advocate Warns
US – SC: House Panel to Consider Requiring DNA Samples After Arrests
US – Privacy Advocates Seek to Protect Medical Prescription Information
US – Canadian Company Pushing Pill Dispensing Kiosk
WW – Six Million (40%) Chileans PII Exposed on the Net
US – Thieves Pilfer Backup Tapes Holding 2M Medical Records
US – UCSF Delays Notifying Patients of Data Exposure
US – Hundreds of Laptops Missing at U.S. Dept of State
US – Another Data Security Breach for Pfizer
HK – Sensitive Hong Kong Immigration Document Leaked Through Filesharing Network
UK – Data Fear Haunts ID Card Scheme: Report
CA – Manitoba Proposes Enhanced Driver’s Licence and Identification Cards
UK – Electronic Pet ‘Could Soon Replace Passwords and PINS’
EU – Outstanding Identity Management Projects Honoured
US – US Court Says Making Music Available is Not Copyright Infringement
UK – UK House of Lords Criminalizes Negligent Disclosure of Personal Data
US – Major US ISP Will Monitor Customers’ Web Surfing to Target Ads
UK – CCTV Boom Has Failed to Slash Crime, Say Police
UK – ‘Crime Server’ Found with Thousands of Bank Customer Records
EU – International Data Protection Group Issues Guidance on Privacy in Social Networks
UK – Ofcom Issues Report on Social Networking
WW – Google Begins Blurring Faces on Streetview
WW – Facebook Adding Safeguards Against Cyber-Bullying, Porn
WW – MySpace Announces Data Availability Project
CA – CIRA to Implement New Whois Policy for Dot-Ca
HK – Privacy Law Revision Urged
TU – Turkish Law Safeguards Privacy
EU – Finland May Amend Data Protection Act
AU – Law Reform Commission Readies Information Privacy Dossier
US – Domestic Spying Far Outpaces Terrorism Prosecutions
US – World Privacy Forum Files Comments on Proposed Changes to FERPA
US – Back to My Mac and PhotoBooth Used to Identify Thieves
US – Ari Schwartz Named to Government Information Security & Privacy Advisory Board
US – Court Ruling on Electronic Border Searches Worry Travel Execs
US – Florida Court: State DMV Data Not Protected
US – Coalition Launches I.D. Theft Prevention Center
US – U.S. Government Mandates Laptop Security
US – Supreme Court Justices Uphold Voter ID Law
US – FTC to Investigate Wireless Payment Systems
US – Newest Drug Pedigree Proposal Highlights RFID
PH – RFID Electronic Vehicle Registration Spreads
JP – Rail Payment Card Used to Track Students
US – VeriChip Markets Its Implantable RFID Tags and Services Direct to Consumers
US – Asset Tracking Underway at WakeMed Cary Hospital
UK – 2008 Information Security Breaches Survey
US – PCI Update Requires Both Network and Application Penetration Testing
US – Many Won’t Meet Deadline for PCI-DSS Web App Security Compliance
UK – UK Companies Leaking Personal Data Like a Sieve?
UK – ID Cards: As Projected Bill Rises, Lib Dems Call It ‘A Colossal Waste of Money’
US – Stepped Up Cyber Role for Spy Agencies
US – Federal Use of Wiretaps on Increase, Prosecutions Down
US – National Security Letter Challenged in Court, FBI Relents
US – D.C. Council Moves to Block Surveillance Camera Project
WW – NXP, Siemens to Develop Private Car Toll System
UK – New Book Chronicles, Questions Endemic Surveillance
UK – Surveillance ‘Breached Human Rights’
UK – Crossed Lines at Vodafone Cause Alarm
EG – Egypt Asks Mobile Firms to Bar Anonymous Users
US – California Bill to Ban Charges for Unlisted Numbers
US – Senators, States Beat Up On REAL ID Plans
US – Legislation Needed to Correct Widespread Errors in Use of National Security Letters
US – ACLU Sceptical About Latest DHS Watch List Band-Aid
US – Proposed Legislation Mandates Tougher Cybersecurity Standards at DHS
US – Breach Notification Bills Stalled in Congress
US – Kentucky Bill Dies Seeking to Limit Access to Vehicle Data Recorders
UK – Dishonest Employees to Be Exposed on National Dismissal Register
CA – B.C. Arbitrator Says What PII Is Necessary to Assess a Job Competition

EU – New Biometric Passports Introduced in France

New passports in France will be issued with RFID technology: embedded chips carrying digital images of the bearer’s face and eight fingerprints. Children below the age of 6 will not be photographed digitally. The first of the new biometric passports will be available in autumn 2008, but it will not be until June 2009 that this new identity document will be widely offered in 2,000 town halls, that is to say around 20 per French department or administrative district. The new RFID biometric French passports can be read from several feet away. They will be issued with a 10-year validity. Since 9/11, the US has been using RFID biometric technology in passports and has been urging other countries to do the same, threatening those who resist with difficulty entering the US. [Source]


US – IBM Joins Lockheed Martin for FBI’s Next Generation Identification Program

Lockheed Martin has announced that IBM will join its industry team to develop and maintain the Next Generation Identification (NGI) system for the FBI – the new multi-modal, state-of-the-art biometrics system to be used by state, local and federal authorities. As the prime contractor on the FBI’s NGI program, Lockheed Martin will provide program management and oversight as well as biometric and large systems development and integration expertise. Joining the NGI team as a subcontractor, IBM will provide some information technology services, as well as specific software and hardware to be used in the NGI system. [Press release]


CA – Airport Employee Iris-Scan, Fingerprint System Updated

A new system for biometrically identifying employees who access restricted areas of airports is being put in place across Canada - one year and three months after the old system was announced. Unisys Canada was granted the $4.5-million contract to supply the system that will use iris scans and fingerprints to ensure security in 29 of the country’s major airports. It will replace an existing system that was problematic and costly from the start. The Unisys system promises to be more accurate. It will be used by an estimated 100,000 workers at large Canadian airports. They will be given “smart cards” that contain templates of both their irises and fingerprints, which will then be matched by the readers. Most workers opt for the eyes because fingerprints are associated in many people’s minds with criminality. [Source]


UK – Canadian Shoppers Foresee Fingerprint Scanning

Most respondents to a recent survey expect they will be using biometrics to pay for products within seven years, and one analyst says this would be one way of fighting fraud. Taylor Nelson Sofres plc (TNS) of Britain announced results of a survey of shoppers. 60% of respondents said they “believe” they will be able to pay for purchases using fingerprint readers by 2015, though only a quarter said they are likely to use the technology. [Source] See also: [Fingerprinting program threatens privacy for CPAs, accountants]


CA – Ontario & B.C. Privacy Commissioners Issue Joint Message About PHI

Privacy commissioners in British Columbia and Ontario are developing support materials to help guide education officials when faced with decisions about student privacy and personal health and safety. The initiative comes after the suicide death of an 18-year-old Carleton University student in March. University officials had not released details of the student’s mental health to the woman’s family prior to her death, citing privacy law concerns. But “privacy laws do have provisions that enable disclosure to protect health and safety,” said David Loukidelis, B.C.’s privacy commissioner. The commissioners hope that the new support materials will help guide what can be a very difficult decision. [Source] [Coverage]


CA – Random Searches Curbed by Supreme Court

Police can’t go into a high school or most public spaces with drug-sniffing dogs and conduct searches without justification, Canada’s top court ruled last week. The Supreme Court of Canada ruled in a 6-3 decision that “completely random” drug searches breach privacy provisions under the Charter of Rights and Freedoms when not based on “reasonable suspicion.” “Teenagers may have little expectation of privacy from the searching eyes and fingers of their parents, but they expect the contents of their backpacks not to be open to the random and speculative scrutiny of the police. This expectation is a reasonable one that society should support,” the decision said. [Source] [Ian Kerr commentary] See also: [Warrantless searches not BC fire chief’s only tactic]


CA – Manitoba to Overhaul Access and Privacy Acts, Hire Privacy Chief

After four years, the province is about to overhaul its access to information legislation and appoint Manitoba’s first-ever privacy watchdog. The Doer government will propose amendments to the Freedom of Information and Protection of Privacy legislation that would mandate that polling paid for by taxpayers be made public. The Doer government is also likely to speed up the time it takes to unseal cabinet documents. The bill will also create a privacy commissioner who will have the power to hold quasi-judicial hearings and issue binding orders that can only be challenged by going to court. Right now, both privacy and access issues are handled by the Manitoba Ombudsman, who does more informal investigations of public complaints and issues recommendations. Manitoba will be the first province to follow Ottawa’s lead and create its own privacy commissioner. [Source]


CA – Office Equipment Stores Personal Data

Saskatchewan’s information and privacy commissioner Gary Dickson is reminding public bodies and health trustees to purge personally-identifiable information from office machines before selling or disposing of the machines. In March, Dickson’s office received a roll of thermal film from a fax machine that had been sold as surplus equipment by a health care outfit. When held up to light, the film showed health information of 100 people. “I think people do a good job of managing computer hard drives. They know that’s a problem,” Dickson said, adding “They may not be thinking in terms of the fax machine or the scanner or the printer.” [Source]


US – FTC Hears Mobile Marketing Complaints

Two groups have filed complaints with the FTC against mobile marketers. The Center for Digital Democracy (CDD) and the U.S. Public Interest Research Group announced their intent to protest mobile marketing early in the industry’s development in an attempt to influence policy before marketers abuse the medium as they believe online marketers did before. “We’re filing a complaint to force the FTC to take a proactive stance,” said the CDD, who worries that mobile marketers will “incorporate the same problematic business practices that we witnessed with PC-based broadband marketing, including behavioral targeting and profiling techniques – except that this time they know your location.” [Source]


CA – Data Breach Notification Proposal is Carte Blanche for Business Data Spills

The Public Interest Advocacy Centre (PIAC) appeared at the stakeholder consultation meeting held by Industry Canada on April 11, 2008 regarding a Proposed Model for Data Breach Notification. At the close of this meeting, it was indicated that parties could submit final comments on the proposed model. PIAC submitted its comments on the proposal, criticizing it for giving companies and other organizations that suffer a data breach the discretion to decide if the breach would cause “high risk of significant harm” to Canadians – a standard it said was so high as to be carte blanche. PIAC also noted that the proposal had no sanctions for companies that refuse to report to the Privacy Commissioner of Canada or to inform Canadians of data breaches. PIAC called into question the likelihood of public knowledge of breach notifications in light of the lack of reporting requirements. CIPPIC also filed comments echoing the same concerns. [PIAC Submission to Industry Canada Concerning Data Breach Notification Proposal] and [CIPPIC files comments on data breach notification proposal] [Draft Legislation on Data Breach Notification]


CA – Ottawa Should Follow Same Personal Privacy Rules as Business: Commissioner

The federal privacy commissioner is seeking a wider mandate to inform and educate Canadians about how their personal information is used or abused by government departments and agencies. But her proposals for greater oversight powers come as the Harper government goes to war with arm’s-length watchdogs and independent officers of Parliament. Commissioner Stoddart, in an interview with The Canadian Press, acknowledged that a minority Parliament may not be the best place to completely overhaul the 1982 Privacy Act. “This is why I’m coming forward with what I call quick fixes - things where there should not be a huge debate because they’re already done elsewhere or they’re done in practice,” she said. Stoddart’s proposed reforms would allow her to quickly and publicly blow the whistle on serious privacy abuses; give her the power to order fixes; and would legally compel Ottawa to follow existing privacy guidelines when sharing personal information with foreign governments. None of the reforms, she said, “step into wildly uncharted territory.” [Source]


IT – Italy Posts Income Details On Web

At the end of April, without warning or consultation with the data-protection authority, the Italian tax authorities put all 38.5m tax returns for 2005 up on the internet. The site was promptly jammed by the volume of hits. Before it was blacked out at the insistence of data protectors, vast amounts of data were downloaded, posted to other sites or, as eBay found, burned onto disks. [Source] [Source] [How Much Do You Make? The Nation Already Knows] [Gov’t website deliberately publishes 38m tax Returns] [Italy Halts Online Publication of Taxpayer Incomes] [Outrage over deliberate exposure of tax payer Info] [Italy - Every citizen’s personal tax details posted to Web]


UK – HMRC Staff Sacked For Data Breaches

More than 600 civil servants have been disciplined or sacked for accessing personal or sensitive tax data, the government has admitted. Treasury minister Jane Kennedy said that HM Revenue and Customs (HMRC) had a “strict” policy banning staff from accessing customer records without a legitimate reason. In a Commons written reply, she said the penalty in many cases was dismissal. Figures provided by the Treasury show 238 people were disciplined or dismissed between April 2005, when HMRC was formed, and December 2005. A further 180 cases occurred in 2006 and 192 in 2007. [Source] See also: [Man fired after privacy breach at Ontario driving centre]


AU – ACS Supports Privacy Laws, Calls for E-Mail Safeguards

The Australian Computer Society (ACS) has called on government to enforce rigid privacy laws on organizations which intercept employee e-mails. Under new legislation, businesses may be given powers to intercept e-mails sent and received by staff without notification. The changes remove the need for disclosure in employee contracts, required by existing law, under the guise of counter-terrorism and national security. ACS President Kumar Parakala said tough privacy laws are essential for interception provisions because staff often send personal e-mails from work. Bosses should be forced to log which e-mail addresses are monitored and when. Stringent policy should detail which individuals are allowed to monitor communications, while supplemented by an alert system to warn staff if an unauthorized person gains access. Random privacy audits would be conducted to enforce privacy requirements. “Australia should develop and implement contemporary email policies, which are in line with a work-life balance,” Parakala said. The ACS recommended businesses create a code of conduct to discipline staff in breach of policy. The policy would prevent staff from modifying captured e-mails or divulging content, and would give employees pause to reconsider e-mailing personal information which may be sequestered by law. [Source] See also: [UK: Office snooping software attacked by privacy groups]


US – FTC Approves New Rules for CAN-SPAM

The FTC approved 4 new rule provisions to clarify requirements of the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003). The new rule provisions address four topics, including modifying the definitions of the terms “sender” and “person,” and tightening restrictions on what companies can and cannot require of e-mail recipients who opt-out of future emails. The new rules are based on numerous comments and suggestions from a broad spectrum of online commerce industry professionals, trade associations, consumers, and consumer and privacy advocates. [Source]


US – Myspace Reports It Has Won $234 Million Spam Judgment

MySpace has won a $234 million judgment over junk messages sent to its members by two of the Internet’s most prominent spam defendants. MySpace says it believes this is the largest award ever under the 2003 U.S. anti-spamming law known as CAN-SPAM. [SiliconValley.com]


CA – N.B. Ombudsman Says the Government Failed to Protect Health Information

The governments of New Brunswick and British Columbia failed to protect the personal information of residents in both provinces when a courier lost tapes containing health information, two reports concluded last week. Billing and treatment information was lost in transit in early October. The tapes have never been found, and the information was not protected by encryption. In one of two reports released concurrently, the New Brunswick ombudsman said the provincial Health Department failed to ensure the information was protected. B.C. commissioner David Loukidelis also released his report into the incident. “B.C.’s Health Ministry should not have been couriering around unprotected tapes of personal health information like this,” he said. “It doesn’t matter that the tapes can only be read using technology that’s not commonly available. Proper encryption is the basic standard for portable data storage like this.” [Source]


US – Breaches Undermine Electronic Records Effort

Electronic health records offer the promise of convenience and security to patients everywhere, but an ongoing slew of privacy breaches in the healthcare sector may undermine efforts toward this. A Wall Street Journal report cites several recent breaches involving the PII of hundreds of thousands of Americans, such as those at UCLA, the National Institutes of Health, Johns Hopkins and others. “What patient is going to want their data to be transmitted electronically if they can’t trust the system to keep their data safe?” asks Jill Dennis of the American Health Information Management Association. [Source] [Patients “have no faith in NHS records database”] [Privacy, shmivacy: How many people can see your medical records?] [Wall Street Journal: Are Your Medical Records at Risk?] [Should You Trust Your Health Records to Google and Microsoft?] See also: [Opinion: Benefits of personal health records will eclipse privacy concerns]


HK – Hong Kong Sets Up Task Force on Patient Data Security

Hong Kong’s Hospital Authority announced it has set up a task force on patient data security, in a move that came after several cases of data loss were reported in recent months due to missing electronic devices. The task force will be charged with reviewing the clinical and operational requirements for exporting clinical data from the Hospital Authority, assessing the data security protection mechanisms in place and suggesting possible improvements. It will submit a report to the Hospital Authority in three months. [Source] [Nine Memory Sticks Stolen from Hong Kong Hospitals] [Source] [More UCLA Med Employees Linked to Snooping]


US – Privacy Enforcement Data on Web Site

The Department of Health and Human Services (DHHS) Office for Civil Rights (OCR) has added new enforcement data to its Web site on HIPAA privacy compliance and enforcement. The OCR is the agency responsible for investigating and enforcing the HIPAA Privacy Rule. Over the last five years, the OCR has resolved more than 28,000 complaints. The number of complaints received each year has grown steadily since 2003, from about 3,400 in that year to roughly 8,100 in 2007. [Source]


WW – Xerox Showcases Erasable Paper, Smart Documents

Xerox’s research arm showcased its latest innovations, including erasable paper and tools that make documents “smart” by adding a deeper meaning to words and images. Scientists demonstrated paper that can be reused after printed text automatically deletes itself from the paper’s surface within 24 hours. Scientists also demonstrated technologies to make documents more intelligent by providing a deeper meaning to text and images. This is done by cross-referencing similar data and images mined off the Internet and incorporating other sources like e-mail messages and corporate networks. The technology could be used in search engines, but it is more relevant for areas like the legal discovery process during litigation. Xerox PARC is also developing algorithms to better secure data on a document through its intelligent redaction technology, which automates the process of blacking out certain parts of a document considered confidential. For example, when there is a legal subpoena of medical records, information like diseases, drug use, or mental health conditions can be automatically blacked out. The current data redaction rates show about 75% accuracy. Data redaction processes are currently inefficient as they require domain experts and hours of manual labor. The intelligent redaction technology computerizes the process and provides the expertise based on artificial intelligence software tools and algorithms. [Source]


UK – New Law Will Allow UK ICO to Impose Big Fines for Reckless Data Disclosure

The UK’s Information Commissioner’s Office (ICO) will have the authority to impose “substantial” fines on anyone who “intentionally or recklessly disclose[s] information [or] repeatedly and negligently” allows exposure of personal data. MPs approved an amendment to the Criminal Justice and Immigration Act creating the new civil offense. The bill received Royal Assent on May 9, but it is not known when the new law will take effect. [Source] [Source] [Source] [Information Commissioner welcomes new powers to fine organisations for data breaches] [ICO warns of ‘substantial’ fines for data breaches]


EU – Irish Data Protection Commissioner Issues Annual Report

According to the recently released Irish Data Protection Commissioner’s annual report, the number of new complaint investigations in 2007 was 1,037, up from 658 in 2006. The increase is due in large part to an escalating number of complaints about unsolicited text messages, according to Data Protection Commissioner Billy Hawkes; 38% of all complaints received were in regard to text messages. More than 350 cases initiated by the DPC’s Office are now in the courts. Interestingly, a blogger managed to access the report through the DPC Office’s website before it was released. [Source] [Source] [Ireland: State intruding into private lives, data watchdog warns]


UK – Anger Over Council Use of Spy Laws

Campaigners have called for a “root and branch review” of spy laws after it emerged local councils were using them to track dog-foulers and litter bugs. The Regulation of Investigatory Powers Act (RIPA) was originally designed to combat crime and terrorism, but some local authorities have used it more than 100 times in the past 12 months to conduct surveillance against rogue traders, benefit fraud, counterfeit goods and anti-social behaviour such as noise nuisance and criminal damage. New research found the law was also used to investigate people who let their dog foul, a breach of planning law, an animal welfare case and an instance of littering, as well as the alleged misuse of a disabled parking badge. The findings have fuelled the debate on the surveillance culture in Britain and whether councils are using RIPA, which has been dubbed “a snoopers’ charter”, proportionately. Privacy International director Simon Davies called for a “root and branch review” of RIPA and questioned the huge cost to the taxpayer of the council surveillance. [Source]


CA – 80% of Canadians Grant Statscan Access to Their Tax Records: Census

Statistics Canada’s request to view your confidential tax information proved overwhelmingly popular with respondents to the 2006 census, with 8 in 10 agreeing to hand over their tax records. Whether it was an issue of trust or a desire to not manually plug in their income, 82.4% of the population aged 15 and over agreed to the method. [Source]


CA – Bell Canada Hit With Privacy Complaint Over Deep Packet Inspection Practices

CIPPIC has filed a privacy complaint with the Privacy Commissioner of Canada over Bell’s deep packet inspection practices. CIPPIC highlights several privacy concerns with Bell’s network management practices including:

- Bell’s failure to obtain consent for the collection of personal information through DPI from customers of the independent ISPs
- Bell’s failure to obtain informed consent from its own customers, given the lack of information on network management practices
- Bell’s violation of the principle of limiting collection, since the evidence “suggests that Bell can manage its network adequately without inspecting the content of user communications.” CIPPIC notes that other providers do not engage in the same practice and that there are less privacy-invasive means to address network congestion concerns.
- Bell’s violation of the openness principle, given its failure to disclose “in a clear and conspicuous manner to the public its use of DPI for traffic management purposes.”

The case has implications that extend beyond just Bell. Indeed, CIPPIC urges the Privacy Commissioner to also investigate DPI usage by other Canadian ISPs. [Source] [CBC] [CIPPIC press release] [CIPPIC complaint] See also: [Charter Will Monitor Customers’ Web Surfing to Target Ads]


UK – Revised British Banking Code Could Place Fraud Liability on Customers

The recently revised British Banking Code permits banks to place liability for fraud on customers if they have not taken adequate security precautions to protect their information. The measure has been criticized for lacking fundamental, concrete information about how to secure systems because “many customers have not been educated to maintain a high enough level of vigilance when it comes to security.” Section 12.11 of the revised code says, “If you act without reasonable care and this causes losses, you may be responsible for them.” Reasonable care includes but is not limited to keeping PINs and other account details secret, using current anti-virus and anti-spyware software and a personal firewall, and accessing online banking sites by typing the address into browsers. [Source] [Source] See also: [Car dealers running unauthorized credit checks: CBC News investigation]


EU – Payment Fraud Moves to Internet in Europe, says European Commission

Despite recent efforts to clamp down on electronic payment fraud, the crime is still rife and is undermining citizens’ confidence in buying and selling over the internet, the European Commission says. A Commission report on fraud and countermeasures taken between 2004 and 2007 shows that even though the number of discovered cases is a small minority of the overall number of transactions using new payment services, they undermine the general level of confidence among EU citizens. In addition, electronic payment fraud is increasingly moving to non-face-to-face situations such as Internet payments. [Source]


CA – Tories Kill Access to Information Database

The federal Conservatives have quietly killed an access to information registry used by journalists, experts and the public that users say helped hold the government accountable. The Coordination of Access to Information Requests System, or CAIRS, is an electronic list of nearly every access to information request filed to federal departments and agencies. Originally created in 1989, it was used as an internal tool to keep track of requests and to co-ordinate between agencies the government’s response to requests for potentially sensitive information. Now, users mine the database to do statistical studies, fine-tune the phrasing of new requests and discover obscure documents - often using the information against the government. [Source] See also: www.onlinedemocracy.ca.


US – Genetic Data Bill Lacks Privacy Protections, Advocate Warns

Deborah Peel, founder of Patient Privacy Rights, said the Genetic Information Nondiscrimination Act, approved last week by the Senate Health, Education, Labor and Pensions Committee, would not fully protect people from losing their jobs or health coverage because it allows insurers and employers to hold patients’ electronic health information. The bill would prohibit health insurers from adjusting premiums based on genetic testing, restricting enrollment or requiring genetic testing to qualify for insurance. It also would prevent employers from using genetic information to discriminate in hiring, compensation and other personnel processes, and require employers to confidentially maintain any genetic data they possess. Peel said the bill “forbids employers or insurers from using our genetic information to discriminate against us, but there is literally no way to stop them from doing that when they hold and possess the sensitive information.” She added that the nondiscrimination legislation underscores the need for a comprehensive federal health privacy bill to give U.S. residents control over their electronic health records. According to Peel, the Technologies for Restoring Users’ Security and Trust Act (HR 5442), introduced in February by Rep. Edward Markey (D-Mass.), would restore patient control over EHRs that was lost in 2002 under HIPAA. [Source] [Senate Approves Genetic Privacy Bill]

 

US – SC: House Panel to Consider Requiring DNA Samples After Arrests

Anyone charged with a felony punishable by at least five years in prison would be required to provide DNA samples to the state under a bill sent to the South Carolina House floor. The House Judiciary Committee approved the bill on a voice vote Tuesday. The state already takes DNA samples from people convicted of felonies. But under the measure, DNA samples would be taken from people upon their arrest. The information would be removed from the state database if the individual is later cleared. [Source] See also: [Vermont DNA database constitutional, high court rules] and [DNA Tests heading underground: Insurance Fears Lead Many to Shun DNA Tests]

 

US – Privacy Advocates Seek to Protect Medical Prescription Information

The Coalition for Patient Privacy and 25 of its member organizations are asking Congress not to pass an e-prescribing mandate unless it includes provisions for protecting the privacy of prescription information. In a letter to lawmakers, the coalition said the sale of prescription information for data-mining purposes has been a reality for more than a decade. “Mandating e-prescribing without privacy provisions endorses and encourages the current practices,” the letter states. “It sets Americans up for even greater violations of their private health records in the future.” The letter requests that 11 protections be included in any e-prescribing legislation, including a provision that would allow doctors to continue writing paper prescriptions without penalty. Another would “require that any prescription data transmitted via e-prescribing be used only for the express purpose of prescription filling and submitting the necessary codes to the insurer for payment.” Other proposed provisions would require annual reports to patients listing everyone who accessed their data, notifications of security breaches and strong technical protections for data. Among the organizations co-signing the letter are EPIC, the ACLU, the American Psychoanalytic Association, the National Association of Social Workers and the Gun Owners of America. [Source] See also: [Missouri Senate OKs drug prescription database]

 

US – Canadian Company Pushing Pill Dispensing Kiosk

An Ontario-based start-up is introducing what could well be the world’s first self-serve, video-conferencing prescription drug dispenser. PCA Services says it can help the healthcare industry cut down prescription errors and improve patient-pharmacist contact by installing automated pill dispensing kiosks at doctors’ offices, clinics, drug stores and hospitals. PharmaTrust, a sleek green and white box similar to an automated teller machine (ATM), can read doctors’ prescriptions, dispense 150 commonly prescribed drugs, collect and manage patient records and set up a remote live video conference with a pharmacist. The machine, developed by PCA Services, will soon be tested by the Sunnybrook Health Sciences Centre in its hospital pharmacy in Toronto. The kiosk is a complex system which incorporates RFID technology, data encryption, Web-based video communication and robotics, but it’s as easy to operate as any run-of-the-mill ATM, according to Don Waugh, co-founder and CEO. [Source]

 

 

WW – Six Million Chileans’ (40%) PII Exposed on the Net

A hacker allegedly trying to make a point about poor data security stole the personal information of about six million Chilean residents from government and military servers and posted it on a technology blog. Identification numbers, addresses, telephone numbers, email addresses and academic records were exposed for an unknown period of time before the information was removed. [Source] [BBC]

 

US – Thieves Pilfer Backup Tapes Holding 2M Medical Records

University of Miami officials have acknowledged that six backup tapes from its medical school containing more than 2 million medical records were stolen in March from a van that was transporting the data to an off-site facility. For reasons not explained, Archive America, the company transporting the tapes, waited 48 hours before notifying the university about the break-in and theft. The university posted an alert about the incident on April 17, a full month after the backup tapes were stolen. [Source]

 

US – UCSF Delays Notifying Patients of Data Exposure

The University of California San Francisco (UCSF) waited nearly six months to notify more than 6,000 patients that their personally identifiable information had been accessible on the Internet for more than three months. UCSF discovered the data security breach in early October 2007, but sent out notification letters in early April 2008. UCSF had been sharing patient information with Target America and paying that company US $12,000 a year to build a list of potential donors from the patient list. Target America performs data mining on the lists it is provided to determine who would be a good target for donation solicitations. Shortly after discovering the breach, UCSF terminated its relationship with Target America. As of January 2008, health care providers in California are required to inform patients if their information has been compromised. [Source]

 

US – Hundreds of Laptops Missing at U.S. Dept of State

An internal audit has discovered that hundreds of employee laptops are unaccounted for within the U.S. Department of State. Up to 400 of those laptops belong to the Anti-Terrorism Assistance Program, which provides assistance to foreign police and security forces in the form of counterterrorism training and equipment. [Source] See also: [Five IRS Employees Charged With Snooping on Tax Returns]

 

US – Another Data Security Breach for Pfizer

Pfizer has suffered another data security breach, the 6th since May 2007. A company laptop and flash drive stolen a month ago contain PII of approximately 13,000 employees. The data include names, addresses, employee ID numbers, job descriptions and salaries, but no SSNs. [Source]

 

HK – Sensitive Hong Kong Immigration Document Leaked Through Filesharing Network

A Hong Kong immigration department watch list was leaked to the Internet through a filesharing program. The breach occurred when a new immigration officer took home some classified files without authorization and used them on a home computer, which contained the filesharing software. The work files were inadvertently distributed. The compromised data include a list of names for officers to look out for as well as travel history records. [Source]

 

 

UK – Data Fear Haunts ID Card Scheme: Report

The UK government has been warned that it should deal with the risk of data loss from its Identity Card Scheme before it proceeds any further. The latest data warning follows repeated requests from the Information Commissioner’s Office (ICO), the UK data guardian, that the Identity and Passport Service (IPS) conduct a proper assessment of the risks of data loss from the ID Scheme. That advice was ignored and now, in the wake of the HMRC data fiasco, the IPS has been told that it must improve its data standards across the whole of government to avoid data leaks from the ID scheme. The 2007 report of the Independent Scheme Assurance Panel, which provides official oversight of the ID Scheme, said yesterday that the data risks were so serious that they needed ministerial direction and that its precautions ought to be transparent because public trust was vital to the scheme’s success. “The Government’s top priority is the trust people can have in the security and safety of their personal data and central to this is identity data; therefore that is where to start,” said the report. “There would be benefits to the programme in clearly setting out a rigorous analysis of these risks and the strategies and plans to address them,” it said. This should be done “across government...in advance of procurement” because the risks of ID data loss would be heightened by the scheme’s integration with people and systems across all government departments. The risks of ID data loss were therefore not merely a matter of improving the data security of the ID system, it required the government to address data security in all its guises across all levels of government to avoid mishaps like the HMRC’s loss of 25m child benefit records in the post. This meant considering data risks from the outset, in process design, staff training, governance, monitoring and assurance standards, regulatory constraints and customer advocacy. 
These were all matters that the ICO became exasperated about last year after its repeated requests for a proper privacy impact assessment of the ID scheme were ignored. The ICO believed data privacy can only be addressed if it is built into the very foundations of a project. The ISAP said it had been “encouraged” by some initiatives the IPS had started to address the data risk, but warned that the issue needed to be tackled more widely. “Data governance standards and their management for the NIR and its users across Government should be addressed in advance of procurement (and this goes beyond simple data security),” it said. “This will require change across Government which IPS can specify but which will only succeed with the active participation of each department and agency,” it added. (The NIR is the National Identity Register, the central database behind the scheme.) The IPS published the ISAP report yesterday, the same day it admitted the full rollout of the system would begin up to four years late. It did not say why the scheme had been delayed. The ISAP had other fundamental reservations about the ID scheme. The IPS needed to check it could manage the work, or verify that it had the means to handle the “complexity of integrating increasingly interdependent systems across Government”. It also needed to be clear that there was cross-governmental agreement on how identities would be managed, and that all parties were using the same technical and procedural standards. More fundamentally, the IPS still wasn’t clear what its priorities were for the ID system. This is not only recognised as necessary for the smooth implementation of large IT projects, but has been identified by the Information Commissioner as one of his concerns regarding the potential for data loss. The IPS also needed to do more to reassure people about what it was doing to protect their identity data, including being up front about its tolerance level for errors. [Source] [UK government admits ID cards have no business case] [Report]

 

CA – Manitoba Proposes Enhanced Driver’s Licence and Identification Cards

Proposed legislative amendments have been introduced which would allow Manitoba to develop a voluntary enhanced driver’s licence as well as an identification card that would meet border travel requirements in the U.S., Attorney General Dave Chomiak, minister responsible for Manitoba Public Insurance (MPI), announced last week. [Source]

 

UK – Electronic Pet ‘Could Soon Replace Passwords and PINS’

London (PTI): If scientists are to be believed, portable electronic pets able to recognise their owner’s voice and walking style could soon replace passwords and PINs as a way to keep personal details and accounts secure. A British team, led by Pamela Briggs of Northumbria University, is developing a gadget called a biometric daemon which is intended to match the security of biometric systems while avoiding the privacy fears those systems raise. According to Briggs, instead of a person’s biometric signature being stored on a distant database, it would reside only in the daemon carried around by its owner. Like a real pet, the daemon would learn to imprint itself on its owner. After that it would thrive on their unique biometric signals, such as voiceprint, fingerprints or walking style. The human-daemon bond would be further cemented by games and interaction between the two. “Think how people bond with babies. You would do the same things with your daemon -- cuddle it, stroke it, play verbal games,” Briggs said. In the presence of its owner, those nourishing signals make the daemon “happy” and able to verify the owner’s identity, just like a PIN or password. However, separated from its owner, a daemon would no longer receive nourishment in this way and would pine away and die. The researchers are reluctant to discuss exactly what form the daemons would take. “The key thing is not the daemon’s physical form, but the way one interacts with it,” Briggs was quoted by the media as saying. According to her, the daemon could be made in any form, depending on what people relate to best -- for example, a toy animal. “If a person lost their daemon, their access to their online life would be lost too, so a way to get a new one would be needed.” [Source] [YouTube video clip]

 

EU – Outstanding Identity Management Projects Honoured

The recent European Identity Conference 2008 featured the presentation of Kuppinger Cole’s European Identity Awards. Vendors, integrators, consultants and user companies were asked for nominations. For each category, 3 outstanding projects and innovations were nominated as finalists. Here are the results:

- Best Innovation: The award went to a group of companies that are driving forward the process of outsourcing authentication and authorisation, making it easier to control application security ‘from outside’. The winners in this category are Bitkoo, CA, iSM, Microsoft and Oracle.

- Best New/Improved Standard: The award went to the OpenID Foundation and to Microsoft for its InfoCard initiative. These standards form the base for Identity 2.0, the so-called user-centric Identity Management.

- Best Internal Identity Management Project: The award went to BASF for its AccessIT project, which realises ID Management within a complex corporate structure and excels in consistent approaches to centralised auditing.

- Best B2B Identity Management Project: The award went to Orange/France Telecom. Its project is notable for the consistent use of federation and the opening of systems to partners.

- Best B2C Identity Management Project: The award went to eBay and PayPal, which support strong authentication mechanisms, thus making a significant contribution to the protection of online transactions and creating more awareness of this issue among the wider public.

- Best eGovernment Identity Management Project: The Republic of Austria received the prize in this category for its eGovernment initiatives, which the organisers consider leading with regard to the implementation of Identity Management.

Special prizes were given to two initiatives considered groundbreaking.

- The VRM project by Doc Searls is an innovative approach that applies user-centric Identity Management concepts to customer management.

- The second special prize went to the open source projects Higgins and Bandit, considered the most important open source initiatives in Identity Management.
[Source] [Source] [EU ID Conference website]

 

US – US Court Says Making Music Available is Not Copyright Infringement

A US District Court judge in Arizona has denied the Recording Industry Association of America’s (RIAA) request for a summary judgment against Pamela and Jeffrey Howell for making music files on their computer available to filesharers. The Howells copied music files from CDs they owned onto their computer and downloaded peer-to-peer file sharing software onto the same machine. The Judge said that merely making music files available is not tantamount to distribution or primary copyright infringement. Even if the Howells had placed the files in a shared folder, which they maintain they did not, they would be responsible only for contributing to copyright infringement if someone copied the file. The Electronic Frontier Foundation (EFF) has filed an amicus brief on behalf of the Howells. The suit will now go to trial. [Source] [Source] See also: [TorrentSpy Fined US $111 Million for Copyright infringement] and also [US Legislators Approve Intellectual Property Bill]

 

UK – UK House of Lords Criminalizes Negligent Disclosure of Personal Data

The House of Lords last week approved legislation to criminalize the negligent disclosure of personal data, says a Computing report. This proposed amendment to the Data Protection Act intends to help prevent data breaches. “Data controllers need to wake up to the importance of personal data, whether in the public or private sector,” said Lord Erroll. A second amendment increases the jail term to two years for “deliberately trading in personal data,” according to the report. The House of Commons is expected also to pass the amendments. [Source]

 

US – Major US ISP Will Monitor Customers’ Web Surfing to Target Ads

Charter Communications, the fourth-largest cable system in the United States, has started telling its high-speed Internet customers that it is going to keep track of every site they visit on the Web. The cable company will sell the data to a firm called NebuAd, which in turn will use it to show ads to Web-surfing Charter customers that are meant to be related to their interests. [Source] See also [Comcast mulling Internet usage cap to discourage ‘excessive’ use]

 

UK – CCTV Boom Has Failed to Slash Crime, Say Police

Massive investment in CCTV cameras to prevent crime in the UK has failed to have a significant impact, despite billions of pounds spent on the new technology, a senior police officer piloting a new database has warned. Only 3% of street robberies in London were solved using CCTV images, despite the fact that Britain has more security cameras than any other country in Europe. [Source] SEE ALSO: [Surveillance cameras don’t cut crime, says Canadian expert]

 

UK – ‘Crime Server’ Found with Thousands of Bank Customer Records

More than 5,000 customer records from 40 international financial institutions were discovered last month on a computer server in Malaysia. Dubbed a “crime server” by Finjan, the information security vendor that discovered it, this machine held more than 1.4 gigabytes of business and personal data stolen from Trojan-infected computers. The compromised data, all less than one month old, consist of 5,388 unique log files from around the world and contain information from individuals and businesses alike. The types of compromised data found on the crime server include user names, passwords, account numbers, social security numbers and credit card numbers. Finjan estimates that more than 60% of the information on the server was bank customer data. Other information includes compromised patient data, business-related email communications, as well as captured Outlook accounts containing emails. [Source] See also: [Microsoft highlights efforts to police the Net]

 

EU – International Data Protection Group Issues Guidance on Privacy in Social Networks

The International Working Group on Data Protection has issued a report and guidance on social networking. The report provides guidance to regulators, social networking providers, and individual users. Regulators should:

1. Introduce the option of a right to pseudonymous use – i.e. to act in a social network service under a pseudonym – where not already part of the regulatory framework.

2. Ensure that service providers are honest and clear about what information is required for the basic service so that users can make an informed choice whether to take up the service, and that users can refuse any secondary uses (at least through opt-out), specifically for (targeted) marketing. Note that specific problems exist with consent of minors (note the work of the data protection commissioners).

3. Introduce an obligation of data breach notification for social network services. Users will only be able to deal with the growing risks of identity theft if they are notified of any data breach. At the same time, such a measure would help to get a better picture of how well companies secure user data, and provide a further incentive to optimise their security measures.

4. Re-think the current regulatory framework with respect to controllership of (specifically third party) personal data published on social networking sites, with a view to possibly attributing more responsibility for personal data content on social networking sites to social network service providers (on this point, the Data Protection Directive is fairly clear about the obligations of data controllers).

5. Improve integration of privacy issues into the educational system. As giving away personal data online becomes part of the daily life especially of young people, privacy and tools for informational self-protection must become part of school curricula (note the work of the data protection commissioners).

[Report and Guidance on Privacy in Social Network Services “Rome Memorandum”] See also: [First Monday journal on Web 2.0] and [Digital Deception - Are you a human or a computer?] and [Social networking applications can pose security risks]

 

UK – Ofcom Issues Report on Social Networking

The UK Office of Communications (Ofcom) has published a recent study on social networking. Some of the results concern attitudes to social networking websites (no surprises about the likely user groups). Social networkers differ in their attitudes to social networking sites and in their behaviour while using them. Ofcom’s qualitative research indicates that site users tend to fall into five distinct groups based on their behaviours and attitudes. These are as follows:

Non-users also appear to fall into distinct groups; these groups are based on their reasons for not using social networking sites:

Although privacy was not given a high priority, some of the reasons that Ofcom has identified:

[Executive Summary: Engaging with social networking sites ] [Full report] [Full literature review]

 

WW – Google Begins Blurring Faces on Streetview

Google has begun testing face-blurring technology for its Street View service, responding to privacy concerns from the search giant’s all-seeing digital camera eye. The technology uses a computer algorithm to scour Google’s image database for faces, then blurs them. Google has begun testing the technology in Manhattan, the company announced on its LatLong blog. Ultimately, though, Google expects it to be used more broadly. [Source] [Coverage] [Coverage]

 

WW – Facebook Adding Safeguards Against Cyber-Bullying, Porn

Social networking giant Facebook, which has faced political pressure to increase online safety, is putting in place 40 safeguards to protect young people from sexual predators and cyberbullies. The procedures, part of an agreement with attorneys general from 49 states, include age and identification tools and automatic warning messages when a child is in danger of giving personal information to an unknown adult. Facebook followed in the steps of MySpace, which agreed in January to implement similar safeguards. [Source] [Source] SEE ALSO: [UK “Good practice guidance for the providers of social networking and other user interactive services 2008”]

 

WW – MySpace Announces Data Availability Project

News Corp.-owned social-networking site MySpace has announced a new initiative called Data Availability, a way for members to share profile data with other social and community sites across the Web. Inaugural partners in the project are Yahoo, eBay, Photobucket, and Twitter. The program, available to MySpace’s users worldwide, will be rolling out to a full version in the coming weeks. [Source] [Source]

 

CA – CIRA to Implement New Whois Policy for Dot-Ca

The Canadian Internet Registration Authority (CIRA) is implementing a new WHOIS policy for .ca domains. Michael Geist argues that the policy will better protect the privacy of hundreds of thousands of Canadians and serve as a model for domain name registries around the world. [Toronto Star]

 

HK – Privacy Law Revision Urged

Hong Kong’s Privacy Commissioner for Personal Data, Roderick Woo, is urging the government to revise the Personal Data (Privacy) Ordinance, says a report from Hong Kong’s Information Services Department. The commission submitted more than 50 recommended changes to the government after reviewing the ordinance in 2006, but to date none have been implemented. Recommendations include revising areas related to striking a balance between public interest and privacy, enhancing the ordinance’s efficiency and effectiveness, and introducing preventative measures against potential data leakage, among others. [Source] See also: [Hong Kong ex-privacy boss found guilty in dishonest expense claims]

                                            

TR – Turkish Law Safeguards Privacy

A bill to safeguard privacy rights went to the Turkish Parliament this week. The bill, along with another submitted in April regarding state secrets and transparency, is part of reforms aimed at easing Turkey’s bid to become part of the EU. The new privacy law introduces restrictions on the handling of a variety of personal data, terms for data collection, punishments for violations of privacy law and many other considerations. It would also mandate the establishment of an independent privacy watchdog. [Source]

 

EU – Finland May Amend Data Protection Act

Amendments to Finland’s Data Protection Act will enable companies to, in certain situations, examine emails sent by employees and the addresses to which they were sent. The proposal is designed to keep Finland’s corporate secrets in the hands of Finnish corporations. The proposal has government approval, but must be passed by Parliament to go into effect. [Source]

 

AU – Law Reform Commission Readies Information Privacy Dossier

After its largest public consultation exercise ever, the Australian Law Reform Commission (ALRC) expects that the single biggest reform to Australia’s information privacy laws will be the proposal for a set of uniform and simplified principles for businesses, organizations and individuals. The ALRC is due to present its final report and recommendations on amendments to Australia’s information privacy laws to the Attorney General at the end of this month; the recommendations will have a significant impact on IT practices and the way electronic data is collated, stored and maintained. [Source]

 

 

US – Domestic Spying Far Outpaces Terrorism Prosecutions

The number of Americans being secretly wiretapped or having their financial and other records reviewed by the government has continued to increase as officials aggressively use powers approved after the Sept. 11 attacks. But the number of terrorism prosecutions ending up in court – one measure of the effectiveness of such sleuthing – has continued to decline, in some cases precipitously. The trends, visible in new government data and a private analysis of Justice Department records, are worrisome to civil liberties groups and some legal scholars. They say it is further evidence that the government has compromised the privacy rights of ordinary citizens without much to show for it. The emphasis on spy programs also is starting to give pause to some members of Congress who fear the government is investing too much in anti-terrorism programs at the expense of traditional crime-fighting. Other lawmakers are raising questions about how well the FBI is performing its counter-terrorism mission. Lawmakers urged that the FBI set specific benchmarks to measure its progress and make more regular reports to Congress. These concerns come as the Bush administration has been seeking to expand its ability to gather intelligence without prior court approval. It has asked Congress for amendments to the 1978 Foreign Intelligence Surveillance Act to make it clear that eavesdropping on foreign telecommunications signals routed through the U.S. does not require a warrant. [Source]

 

US – World Privacy Forum Files Comments on Proposed Changes to FERPA

WPF requests changes to protect student and parent privacy: The U.S. Department of Education has published proposed changes to its FERPA (Family Educational Rights and Privacy Act) regulations, which control how students’ school records and “directory” information may be shared. The proposed regulations contain one item the WPF supports, which is that SSNs are not considered part of directory information. However, other aspects of the proposed regulation still need work to adequately protect students’ and parents’ privacy interests. The WPF commented in particular that schools should not be allowed to request and then store a parent’s full tax return in order to prove a student’s eligibility. The Forum also requested that students’ electronic identifiers not be included in the definition of directory information. One area of substantial concern is that the Department of Education has not expressly provided that students who opt out of having their directory information shared should not be penalized for opting out. Currently, the proposed regulations may be read to suggest that schools may be able to deny benefits, services, or even required activities to students who have exercised the right to opt out of the publication of directory information. [Source]

 

US – Back to My Mac and PhotoBooth Used to Identify Thieves

Police were able to track down a pair of thieves after the owner of a stolen laptop computer used the “Back to My Mac” service to gain access to the computer while the thieves were using it to surf the Internet, and then took pictures of the suspects with Photo Booth, standard software on new Apple laptops. One of the owner’s roommates recognized one of the men in the photo as a guest at a recent party. The two men were arrested and police recovered two laptops, two flat screen televisions, two iPods, and other electronic and related items. [Source] [Source]

 

US – Ari Schwartz Named to Government Information Security & Privacy Advisory Board

The Center for Democracy & Technology is pleased to announce that Ari Schwartz, Vice President and Chief Operating Officer, has been appointed to the US Department of Commerce National Institute of Standards and Technology (NIST) Information Security and Privacy Advisory Board. The Board advises  the Secretary of Commerce, and the Director of the Office of Management and Budget on information security and privacy issues pertaining to information systems in the Federal Government. The Board was created by the Computer Security Act of 1987, and its name was changed and mission reaffirmed by the E-Government Act of 2002. [Source]

 

US – Court Ruling on Electronic Border Searches Worry Travel Execs

The Association of Corporate Travel Executives (ACTE) is warning members “and all business travelers to limit proprietary information on laptop computers when crossing US borders.” ACTE issued the warning after an April 21 federal appeals court ruling that “gives customs officials the unfettered authority to examine, copy, and seize traveler’s laptops - - without reasonable suspicion.” The decision covers a range of electronic devices; in addition to seizing data from laptops, US Customs and Border Protection officials can seize data from cell phones, handheld computers, digital cameras and USB drives. The EFF, the American Civil Liberties Union (ACLU), and the Business Travel Coalition have written a letter asking that the House Committee on Homeland Security “consider legislation to prevent abusive search practices by border agents and protect all Americans against suspicionless digital border inspections.” [Source] [Source] [Source] [Source]

 

US – Florida Court: State DMV Data Not Protected

After Colin Thomas of Miami Beach registered his Chevrolet Impala in 2002, his vehicle registration information – along with 284,000 others – was sold by the state to a Florida law firm researching litigation against car dealerships. Thomas sued the law firm, claiming the attorneys violated the federal Driver’s Privacy Protection Act. The law, which drastically limits the release of state motor vehicle data, was designed to eliminate easy access to private information after the slaying of an actress by a stalker. The law firm said it was just trying to build a case against unscrupulous car dealers. But the 11th U.S. Circuit Court of Appeals found no abuse of discretion April 24 when a U.S. District Judge in Miami granted summary judgment. He ruled Thomas was out of luck because the law firm’s work met one of 14 exceptions to the law as amended in 2000. The appeals court also refused to consider whether the law firm had waived attorney-client privilege under a work-product exception, because the discovery issue wasn’t raised before the district judge. [Source] [Decision]

 

US – Coalition Launches I.D. Theft Prevention Center

Utica College has created the Center for Identity Management and Information Protection, a project intended to become a clearinghouse for identity-related research projects. It has partnered with LexisNexis and IBM, as well as the U.S. FBI and Secret Service. Several other academic institutions have also committed their support. The group has stated that its goal is to do more than simply provide access to research. It says it wants to see the research acted upon, in the form of best practices, new policies, regulations and legislation. [Source]

 

US – U.S. Government Mandates Laptop Security

The U.S. president has mandated that the controls outlined in U.S. NIST Special Publication 800-53 (Recommended Security Controls for Federal Information Systems) be fully implemented within 45 days. It has also been mandated that all sensitive data held on mobile computers and devices be encrypted, that two-factor authentication be used for remote access with one factor not residing on the computer itself, that remote access sessions time out after 30 minutes of inactivity, and that database extracts be tracked and deleted within 90 days of last use. [Memo] [Source]

 

US – Supreme Court Justices Uphold Voter ID Law

The Supreme Court upheld Indiana’s voter identification law last week, concluding in a 6-3 decision that the challengers failed to prove that the law’s photo ID requirement placed an unconstitutional burden on the right to vote. The issue has been intensely partisan, with Republicans supporting increased identification requirements for voters and Democrats opposing them. [Source]

 

US – FTC to Investigate Wireless Payment Systems

The FTC has announced a town hall meeting for the purpose of looking into the security and privacy implications of contactless payment systems that utilize radio frequency identification, Network World reports. Contactless payment systems have grown increasingly popular recently within a number of applications, including toll road collections, gasoline payment, and retail settings and may come in the form of a dashboard transponder, key fob, or RFID-enabled smart card. The public town hall meeting will take place on July 24 at the University of Washington at Seattle. [Source] [FTC Notice] [RFID encryption flawed in smart cards, researchers claim]

 

US – Newest Drug Pedigree Proposal Highlights RFID

New legislation has been introduced to require individual identification and pedigrees for prescription drugs in the US, and RFID technology is again highlighted as a potential solution. Last week Rep. Jim Matheson (D-UT) and Rep. Steve Buyer (R-IN) introduced H.R. 5839, the Safeguarding America’s Pharmaceuticals Act of 2008, a bill that calls for the federal government to develop drug identification and tracking systems to prevent counterfeiting. It specifically requires drug pedigrees and directs the Secretary of Health and Human Services to submit a feasibility report on using RFID, bar code, and other technologies. The Safeguarding America’s Pharmaceuticals Act of 2008 is new legislation and should not be confused with the Food and Drug Administration Amendments Act of 2007 (FDAAA), a federal action that required the FDA to establish national standards for drug identification and pedigrees. “The Buyer-Matheson bill gives teeth to the FDAAA provision which called upon FDA to develop standards for an identifier and for a track and trace system,” Rep. Matheson said in a statement. “Under FDAAA, the FDA was given 30 months to develop the identifier standard; no such deadline was given for the track and trace standard. Our bill directs FDA to announce the standard by the end of March 2010 (which would be the 30 month deadline given in FDAAA), and within 18 months of the standard’s announcement, manufacturers of high-risk drugs (those at high risk for counterfeiting or diversion) must place identifiers (which meet the FDA standard) on their high-risk products.” [Press release] As overlapping federal efforts slowly work their way through the legislative process, states are creating their own drug pedigree and identification laws (for a summary, see this useful visual by the Healthcare Distribution Management Association).
The NACDS recently helped block implementation of pedigree requirements in California, where there were concerns about industry readiness and the ability to ensure an adequate drug supply if the new regulations took effect. [U.S. Congressmen Seek to Specify a Track-and-Trace Technology for Drugs]

 

PH – RFID Electronic Vehicle Registration Spreads

More evidence that electronic vehicle registration is growing as a niche RFID application came this week as the Philippines Land Transportation Office (LTO) announced its intention to deploy RFID stickers for vehicles across the country. The stickers will serve as documentation that a vehicle is registered, that appropriate taxes have been paid, and that it complies with government regulations pertaining to the environment and emissions. Additional information will be stored for non-standard vehicles like public utility trucks. The Philippine government cites two primary benefits for the program. The first is an improvement in compliance; the RFID stickers will allow officials to better enforce compliance by detecting non-compliant vehicles. The second, and perhaps more impactful, benefit is increased tax revenue. “A 20-25 % increase in collection is expected with the implementation of the RFID project,” said Transportation Secretary Leandro Mendoza. Electronic vehicle registration, or EVR, is gaining traction with governments around the world. Last year, Bermuda announced an RFID-based EVR initiative with goals similar to those of the Philippine one: recouped tax revenue and increased vehicle regulatory compliance. The Bermuda government also estimates that lost taxes are in the millions. [Source]

 

JP – Rail Payment Card Used to Track Students

An RFID-enabled smart card used in Japan to pay for train travel is being used to track the whereabouts of school children. The card, known as PASMO, is also being used to pay for meals in school cafeterias, and the card’s maker says plans are underway to provide parents and guardians a means of tracking the children based on their use of the card, whether in school or within the rail system. Other future uses of the card include tracking adults in a similar manner -- the possibility of which may lead to questions of personal privacy. [Source] see also: [ParentConnect: Tracking your kid’s school day]

 

US – VeriChip Markets Its Implantable RFID Tags and Services Direct to Consumers

The company has launched a three-month advertising campaign for its newly rebranded Health Link system, and hopes to convince 1,000 South Floridians to get injected with rice-grain-sized transponders linked to health records. [Source]

 

US – Asset Tracking Underway at WakeMed Cary Hospital

The multi-facility operator is launching an RFID system at its Cary hospital, with plans to expand to Raleigh and other locations. [Source]

 

UK – 2008 Information Security Breaches Survey

The survey was conducted by PricewaterhouseCoopers in conjunction with Symantec for the Department for Business, Enterprise and Regulatory Reform. 79% of businesses believe they have a clear understanding of the security risks they face, but only 48% formally assess those risks. 88% are confident that they have caught all significant security breaches, but only 56% have procedures to log and respond to incidents. 81% believe security is a high priority for their board, but only 55% have a security policy. 77% say protecting customer information is very important, but only 11% prevent it walking out of the door on USB sticks. 71% have procedures to comply with the Data Protection Act, but only 8% encrypt laptop hard drives. [Source] [Full report]

 

US – PCI Update Requires Both Network and Application Penetration Testing

The Payment Card Industry Data Security Standards, which are being closely followed by tens of thousands of governments, commercial organizations and schools around the world, were updated to clarify what the required penetration testing must cover: “Penetration testing is different than the external and internal vulnerability assessments. A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing should include network *and* application layer testing as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (external testing) and from inside the network.” [Source] [Source] [Source]

 

US – Many Won’t Meet Deadline for PCI-DSS Web App Security Compliance

Most retailers will not meet the June 30 deadline for complying with new Payment Card Industry Data Security Standard (PCI-DSS) requirements for securing web applications. Companies can achieve compliance either with a specialized firewall or with a web application source code review, which entails finding vulnerabilities and fixing them. Many retailers appear to be opting for firewalls, which are “quick fixes,” according to Gartner analyst Avivah Litan. “Application firewalls are a reactive measure. You have a lot of vulnerable applications that still need to be fixed,” she added, noting that scanning for vulnerabilities and fixing them should take precedence over firewalls, and that firewalls should be used in addition to scanning, not instead of it. [Source] See also: [Google launches Web security for corporations]

 

UK – UK Companies Leaking Personal Data Like a Sieve?

Most UK companies are losing data every month, a survey has found. The majority of UK businesses, 79%, are losing data at least once per month, according to the survey of 250 senior IT staff at businesses with more than 1,000 staff. More than a quarter, 28%, suffered data loss on a weekly or more frequent basis, the report by IT management company CA found. Network downtime occurs in 24% of companies, application crashes in 30% and slowing of applications in 27%, the study also discovered. IT departments were suffering from underinvestment, with 68% of IT managers saying their budgets were insufficient and 45% saying IT costs were overlooked in new business ventures. [Source]

 

UK – ID Cards: As Projected Bill Rises, Lib Dems Call It ‘A Colossal Waste of Money’

Commenting on the latest revision in the estimated costs of the ID card scheme, Liberal Democrat Shadow Home Secretary Chris Huhne said: “Minor changes in cost estimates cannot disguise the fact that nearly £5bn of taxpayers’ money will be squandered on a scheme that will fail to combat identity fraud, illegal working, crime or terrorism. This colossal waste of money should go on putting 10,000 more police on our streets instead.” Set-up costs are up 30%, specific costs relating to ID cards have risen by 10% and the cost estimate for foreign nationals has risen by more than 70%. By delaying the rollout of the scheme to 2012, ministers have been able to omit a number of high-volume costs that will occur after 2017/18. [Source]

 

US – Stepped Up Cyber Role for Spy Agencies

America’s spy agencies for the first time would be tasked with gathering intelligence on threats to the nation’s computer networks under a policy that could be detailed by the White House as early as next week. In January, President Bush signed a directive authorizing the intelligence agencies, including the National Security Agency, to monitor all federal network traffic to prevent attackers from breaking in, stealing sensitive data or disrupting critical systems. A senior administration official said the intelligence community is uniquely suited to counteract today’s malicious actors -- ranging from lone hackers to organized cyber criminal groups and nation states -- who the official said are constantly developing new attacks and exploiting unknown security holes in software and hardware to compromise government networks. The official said the president’s new cyber-security directive will share the intelligence gleaned through monitoring threats across the government space with the private sector, which experts say is being hit with the same types of attacks that the federal dot-gov space is battling. Most of the 18 strategic goals laid out in the cyber initiative are currently classified, and few within the government have been fully briefed on the plan. But the official said the administration plans to release additional details on at least 12 of those goals next week, after the White House Office of Management and Budget issues rules for assigning classification levels to data collected and shared under the new program. An OMB spokesperson confirmed that the White House plans to release the classification memo as early as next week. [Source]

 

US – Federal Use of Wiretaps on Increase, Prosecutions Down

Although the federal government touts its growing use of wiretaps as an important weapon in the fight against terrorism, fewer suspected terror agents are being prosecuted – in spite of a spike in the use of surveillance. A Los Angeles Times article reports that warrants issued under the Foreign Intelligence Surveillance Act are up 50% since 9/11, and use of the secretive national security letters increased more than 35%, but anti-terror prosecutions have declined by nearly 50% during that same period. [Source] [Source] See also: [One Firm (Neustar) Routes All Phone Calls in North America]

 

US – National Security Letter Challenged in Court, FBI Relents

The FBI has backed off from an order seeking information about an Internet Archive patron after the Internet Archive filed a lawsuit to block the order. National security letters require no judicial approval and a gag order prevents recipients from discussing the letter with others. The Internet Archive challenged the order “based on a provision of the reauthorized USA Patriot Act, which protects libraries from such requests.” The case was settled; the FBI withdrew the NSL and dropped the gag order and the Internet Archive withdrew its complaint. There have been two other instances in which national security letters were challenged in court, and both times, the FBI has backed off from its demands. [Source] [Source] [Source] [Source] [Source]

 

US – D.C. Council Moves to Block Surveillance Camera Project

Privacy advocates are applauding the recent decision by a key committee of the District of Columbia Council to eliminate nearly $900,000 in proposed funding for consolidating the operations of 5,200 city surveillance cameras. Mayor Adrian Fenty unveiled the Video Interoperability for Public Safety program a month ago to connect the city’s surveillance cameras to a single network with an advanced monitoring system to assist in prevention of and response to crimes, terrorism and other emergencies. He requested the $900,000 in funding for fiscal 2009. But the D.C. Council’s Public Safety and Judiciary Committee recently withheld $886,000 for the project and is planning a public hearing later this month to examine the proposal. Privacy groups, including the American Civil Liberties Union and the Electronic Privacy Information Center (EPIC), support those decisions. The privacy groups have questioned whether the cameras are effective in preventing crime. They also have noted concerns about the possibility for privacy and civil rights infringement through the monitoring of political protests and rallies. EPIC and the other groups have called for guidelines and legislation to address the effectiveness, purpose and use of the video surveillance; sharing and retention of the images recorded; and oversight mechanisms. [Source] [D.C. Forging Surveillance Network] See also: [Vancouver Olympics security cameras raise privacy concerns]

 

WW – NXP, Siemens to Develop Private Car Toll System

NXP and Siemens Mobility said they are developing NXP’s Automotive Telematics On-Board Unit Platform (ATOP) for automatic toll collection from private cars based on GPS and cellular communication. ATOP will be based on a single chip that incorporates both GPS and GSM cores. Users will be able to install the device in their vehicles within a matter of minutes. The companies hope to have ATOP on the market by the first half of 2010. The ATOP-based on-board unit will receive GPS satellite signals and will use GSM-based radio technology for transmitting data to the central system for toll calculation. The system will also include a non-removable adhesive vignette fitted with an RFID tag and attached to the vehicle windscreen. It will communicate with the on-board unit in order to ensure that the on-board unit is actually present in the vehicle and is being operated in accordance with its intended use, the companies said. The RFID vignette can also be used for other applications such as parking space management, NXP and Siemens suggested. Secure toll charging would take place through monthly invoicing but, in order to ensure privacy, a prepaid card could be purchased instead, the companies said. In this case, no details of the driver or the routes they drive would be disclosed. The current fee for car journeys can be displayed by the on-board unit at all times. The police or authorized monitoring bodies could also carry out a check at any time to make sure the driver is using the system in the way for which it is intended, according to NXP and Siemens. In this case a portable device would communicate with the RFID vignette on a vehicle windscreen through NFC technology. The vignette would also serve as a security mechanism in conjunction with the on-board unit in order to ensure that only the unit specifically assigned to the vehicle could be used and not exchanged with another vehicle, the companies said.
Similar systems are already in use in Europe for commercial vehicles; Germany was among the first to consider such a system using GPS in concert with GSM, mandating its use for commercial trucks in 2002. Germany subsequently launched the system, which proved somewhat controversial prior to its implementation, in 2005. [Source]

 

UK – New Book Chronicles, Questions Endemic Surveillance

A new book by two University of Southampton computer science professors chronicles the rapid advance of an endemic surveillance society. The Spy in the Coffee Machine: The End of Privacy As We Know It, by Kieron O’Hara and Nigel Shadbolt, details the use of CCTV, RFID, electronic payment cards, and the accumulation of personal information available through online search. The authors assert that, while surveillance of public places is often touted as a security benefit, the opposite is true. “We’re far more worried about being beaten up by drunken thugs on the street on a Friday night. We’re also quite cynical, and most of us have a sense, for instance, that CCTV data is probably completely useless 90% of the time,” said O’Hara. [Source]

 

UK – Surveillance ‘Breached Human Rights’

The High Court has heard that the Metropolitan Police’s policy of routinely photographing anti-arms fair activists was a breach of human rights, in a case brought by an Oxford man. Campaign Against Arms Trade member Andrew Wood was photographed while attending the annual meeting of publisher and arms fair organiser Reed Elsevier, at the Millennium Hotel, in Grosvenor Square, London, in April 2005, after buying a share in the company. Before the hearing, Mr Wood said: “I hope this legal action will safeguard our rights to privacy, freedom of assembly and other rights enshrined in the European Convention on Human Rights and in English law.” Martin Westgate, appearing for Mr Wood, told the court: “He asked one question. His behaviour was completely unexceptional, although there was a small disturbance and two other people were ejected.” But he was openly followed by police who took his photograph. The police said the decision to take his picture was made after Mr Wood was seen speaking to one of the people who had been ejected. Mr Westgate said: “It may well be that a group of police officers may consider this was behaving in an entirely amicable, non-intimidatory way, but that is not the way it appears on the receiving end. It would be unrealistic to assume that someone in Mr Wood’s position would not regard this conduct as being unsettling.” [Source]

 

UK – Crossed Lines at Vodafone Cause Alarm

Vodafone, Britain’s largest mobile phone company, has admitted some users of its service have recently been able to listen to the calls of other subscribers because of a technical problem with its network. The revelation has alarmed privacy campaigners who want to know how many Vodafone users have been affected and what steps the company is taking to ensure that the glitch does not happen again. [Source] See also: [EarthLink to pull the plug on Wi-Fi in Philadelphia] and [NSW Abandons Free Wifi Plan]

 

EG - Egypt Asks Mobile Firms to Bar Anonymous Users

Egypt has asked mobile phone companies to block service to anonymous subscribers as a public security measure, and at least two firms have begun efforts to comply. [Source] See also: [Police push ID links to prepaid phones]

 

US – California Bill to Ban Charges for Unlisted Numbers

California Senator Sheila Kuehl, working with consumer and privacy advocates, is pushing legislation that would prohibit phone companies from charging an extra fee for an unlisted number. Consumer advocates argue that the costs of data processing for an unlisted number are minuscule. Privacy groups suggest it is unfair to impose a surcharge on customers who don’t want their phone number or addresses exposed to telemarketers and other strangers. The phone companies are arguing that it’s inappropriate for state legislators to regulate “specific features on a phone,” as a Verizon spokesman put it, adding that there are costs associated with maintaining separate databases for listed and unlisted customers. Kuehl said the bill (SB1423) has received “enormous pushback” from the industry because of the phone companies’ interest in selling information about listed customers. “It’s a cash cow for them,” Kuehl said. “They make money off you either way.” Verizon, for one, insists its listed numbers are proprietary and not sold or shared with third parties - with the exception of phone directories. Kuehl makes a compelling case that a charge for unlisted numbers is qualitatively different than fees for other types of services. “This is a privacy issue,” she said. It’s also an example of gouging. But the California Public Utilities Commission stopped regulating such fees in 2006. It’s up to legislators to act. SB1423 has overcome an intense lobbying campaign to reach the Senate floor. [Source]

 

US – Senators, States Beat Up On REAL ID Plans

Democratic and Republican senators alike once again piled criticism upon forthcoming Real ID requirements, with some renewing calls to repeal the law for which many of them voted years ago. Senators Daniel Akaka (D-Hawaii) and George Voinovich (R-Ohio), who presided over a recent subcommittee hearing revisiting the topic, said they remain particularly troubled by Real ID’s multibillion-dollar price tag for state governments. Akaka and others also voiced worries about the mandate’s privacy and civil liberties implications. “The massive amounts of personal information that would be stored in state databases that are to be shared electronically with all other states, as well as the unencrypted data on the Real ID card itself, could provide one-stop shopping for identity thieves,” Akaka said at the hearing. Meanwhile, the Department of Homeland Security has pushed ahead in its defense of Real ID, as necessary to prevent terrorists, criminals, and illegal immigrants from successfully obtaining and using fraudulent driver’s licenses. [Source] See also: [Minnesota Senate passes bill rejecting federal ID program] and [Real ID deadline comes and goes with zero states on board] and [Penn State House committee gets earful on Real ID] and [Maine - People’s Veto Petitions Take Aim At REAL ID Law] and [Arizona Bill barring state from new U.S. ID plan gets initial OK] and [State Real ID rebellion: Here to stay?]

 

US – Legislation Needed to Correct Widespread Errors in Use of National Security Letters

The Center for Democracy and Technology (CDT) has issued a briefing on public policy issues affecting civil liberties online. The briefing covers:

1) Legislation Needed to Correct Widespread Errors in Use of National Security Letters

2) Self-Policing Does Not Work to Address the Core Problems with NSLs

3) Intelligence Surveillance Tools Require More Oversight

4) Legislation Would Increase Judicial Oversight and Tighten NSL Standards [Source]

 

US – ACLU Sceptical About Latest DHS Watch List Band-Aid

The American Civil Liberties Union has expressed skepticism about the announcement last week by the Department of Homeland Security (DHS) of a new program intended to remedy the nation’s disastrous watch list system. “Creating a gigantic new database with Americans’ personal information should not be the solution to the government’s own incompetence with the terrorist watch list system,” said ACLU Technology and Liberty Program Director Barry Steinhardt. “One privacy failure should not beget another. The government needs to fix the root problem of a mismanaged, out-of-control watch list, rather than just collecting more data and creating a new database to patch over the real problem.” On Monday, DHS Secretary Michael Chertoff announced that his department was creating a new database of people who have proven that they are not terrorists, despite being confused with a name on the watch list. [Source] See also: www.aclu.org/watchlist

 

US – Proposed Legislation Mandates Tougher Cybersecurity Standards at DHS

US Congressman Jim Langevin (D-RI) has introduced the Homeland Security Network Defense and Accountability Act of 2008 (HR 5983). The bill would require DHS to establish more stringent qualifications for cybersecurity positions, including that of CIO. The bill would also address a “fundamental flaw” in the Federal Information Security Management Act (FISMA), which requires agencies to certify and accredit their systems as complying with certain requirements but does not mandate effective and current vulnerability testing. DHS would be required to test its networks and those of its contractors rigorously against vulnerabilities used in known cyberattacks. DHS would receive information on the attacks to look for from the National Security Agency (NSA), other government agencies, and private sector organizations. If the bill passes, it would take effect immediately. Congressman Langevin chairs the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology. [Source] [Source] See also: [DHS Workshop: Privacy Compliance Fundamentals: PTAs, PIAs, and SORNs – May 23, 2008]

 

US – Breach Notification Bills Stalled in Congress

Hope is quickly fading for federal adoption of a data breach notification bill that would pre-empt state law and create a single, simpler standard for data breach response. Nine bills are hung up in Congressional committee, six of which would have the effect of setting a unified standard for businesses. Currently, 42 states and the District of Columbia have adopted such laws, creating some confusion for situations when breaches cross state boundaries. “There hasn’t been any action on most of these for a very long time,” said Tanya Forsheit, a partner at law firm Proskauer Rose LLP. “Most of the bills have been languishing for almost a year, or in some cases, a year now.” [Source] See also: [Mississippi Gov. OKs measures on ethics, ID theft: Most new laws will take effect on July 1] and [Georgia law may help you avoid identity theft] and [Missouri Identity theft protection near passage] and [NCSL list of State Security Breach Notification Laws as of May 1, 2008]

 

US – Kentucky Bill Dies Seeking to Limit Access to Vehicle Data Recorders

A failed effort in the Kentucky Senate sought to make it harder for information collected from black boxes to be used against drivers of passenger vehicles. Sen. Julian Carroll introduced legislation that called for requiring the disclosure of the presence of “event data recorders,” or “black boxes” in the owner’s manual for vehicles. However, the bill has died. Kentucky law now doesn’t require vehicle owners to be notified that vehicles are sold with EDRs. The boxes can include a variety of information such as the vehicle’s speed, direction of travel, location, steering performance, braking performance, seat-belt status and accident information. Insurance companies, vehicle manufacturers and other interested third parties can access data after an accident. In many newer vehicles, the information is automatically uploaded to a communication center immediately following an accident. [Source]

 

UK – Dishonest Employees to Be Exposed on National Dismissal Register

A government-backed database of ‘workplace offenders’ will be launched later this month to combat the annual loss of half a billion pounds through staff theft and fraud. The National Staff Dismissal Register will allow employers to share and access details of staff who have been dismissed or have left employment while under investigation for dishonest actions. Such actions include theft, fraud, forgery, falsification of documents and causing damage to company property. An employee need not have a criminal conviction for their details to be added to the database. The register is an initiative by Action Against Business Crime, a partnership between the Home Office and the British Retail Consortium, and is allowable under the Data Protection Act 1998. Big names to have thrown their weight behind the register include retailers Harrods, HMV, Mothercare and Selfridges and outsourcing agency Reed Managed Services. [Source] [Outrage in UK Over Staff Blacklisting Database]

 

CA – B.C. Arbitrator Says What PII Is Necessary to Assess a Job Competition

British Columbia arbitrator James Dorsey recently considered what personal information needs to be disclosed to fulfil the purpose of a collective agreement clause that gives a union access to information to assess the propriety of a job competition. [Source] [Arbitration Report] [Judgement]

 

--------