Privacy News Highlights

07–13 November 2008

 

Contents:

UK – Home Secretary Defends High-Street Biometrics Plans

CA – Report: Don’t Let National Security Trump Privacy

CA – Privacy Controversy Mars Google Apps Rollout at Canadian University

CA – CIPPIC Issues Report on Online Privacy Threats

EU – Customers May Foot Bill for EU Data Law

CA – PIPEDA Complaint Spurred Ticketmaster Privacy Policy Change

US – Audit Reveals Vulnerable Citizen Data

CA – California Tightens Policy on Shielding Personal Information

US – Barack Obama Asks Internet Users to E-Mail Their Policy Ideas

WW – Study Shows How Spammers Cash In

CA – Making Medical Data Anonymous

EU – Data Retention Details Dissected

WW – Researchers Publish Paper on Breaking WPA TKIP

EU – Dutch DPA Calls for Notification Law

EU – Finland’s Holmlund Calls for Privacy Cut In Gun Law

EU – German Parliament Moves to Increase Police Powers

UK – Judge Has Created Privacy Law by Back Door, Says Mail Editor Paul Dacre

EU – CNIL Fines Two Companies for Storing, Transmitting Ethnic Data

UK – Border Controls Before Travellers Start For Britain

UK – Wada Says Player Privacy Will Still Be Protected Under Drugs Code

WW – Internet Foils Belgium Court’s Attempt at Censorship

JP – Fake ATM Cards Used To Steal 400 Million Yen

UK – Report on the Re-use of Public Sector Information 2008

UK – Lords Approve Removal of Some DNA Evidence From Database

CA – New Canadian Website Allows Physicians and Patients to Communicate

US – Prescription Management Company Receives Extortion Threat

US – Express Scripts Offers $1 Million Reward

AU – Medical Records on Show to Medicare Bureaucrats

US – Google Uses Searches to Track Flu’s Spread

EU – Dutch Patient Database Draws Privacy Concerns

US – 330,000 Dental Patients’ Data Exposed in Florida

US – Equifax Unveils Online Identity Card

US – NebuAd and ISP Partners Hit With Class Action Lawsuit

WW – Consumer Group Calls Attention to Google Chrome’s Security Flaws

WW – Placebook Knows Where You Were Last Summer

US – EPIC Supports Privacy of Washington D.C. Metro Passengers

EU – Privacy versus Internet Security

WW – Zuckerberg’s Law of Information Sharing

BA – Bermuda: Law in the Pipeline to Protect Data

KR – Korea: Data on 4,500 SNU Students Leaked Online

US – Survey: Conflicting Interests Pose Huge Challenge to Privacy Policies

US – Presidential Campaign Systems Attacked, Files Stolen

WW – Five Tips for Preventing (Personal) Data Leakage

UK – ID card costs rise - but is the security weakening?

US – Federal agencies miss smart card ID deadlines by wide margin

US – Bush Domestic Spying Revelations Expected After Obama Sworn In

CA – Lie-Detector Hiring Tests Slammed

UK – Home Secretary Defends High-Street Biometrics Plans

Jacqui Smith has said biometric enrolment for ID cards in high-street businesses would not pose a risk to security. Home secretary Jacqui Smith has insisted biometrics taken from people in high-street businesses will be secure. While anti-ID campaigners have said it will be almost impossible to lock fingerprints to biographical details in a secure manner if those biometrics are taken in a high-street business, Smith said on Thursday that the process would be secure. “It is clearly important, and part of the work we are doing and the plans we have in place, to ensure the secure, controlled transfer of any biometrics,” Smith told ZDNet UK at a press event. “I believe it is technically possible to do that. I don’t see the challenge is greater because more people are accredited to do it.” Smith added that accredited businesses would have a strong competitive reason to ensure that the biometric transfers they perform are secure, as failure to do so would have an impact on their reputation. However, so far the Home Office has given no precise information as to how fingerprints would be linked to biographical data, or any details about how the National Identity Scheme would be implemented. [Source]

 

CA – Report: Don’t Let National Security Trump Privacy

The report from a June gathering of 40 privacy, security, and legal experts has just been released. The group convened to discuss the modernization of Canada’s Privacy Act, reports the Canadian Press. Among the findings, experts noted that privacy should not be sacrificed in the fight against terrorism, and that stakeholders must do a better job communicating how a reduction in privacy causes a reduction in security. The group also noted that technological developments have outpaced the 25-year-old Act. “While the landscape has shifted, Canada’s federal privacy framework has stood still,” the report states. The group agreed that interest in these matters among elected officials is necessary for change to take place. [Source]

 

CA – Privacy Controversy Mars Google Apps Rollout at Canadian University

Lakehead University staff are engaged in sensitive privacy arbitration with the administration over the rollout of Google Apps. Staff fear their e-mail accounts and data will be subject to scrutiny by U.S. intelligence agencies under the U.S. Patriot Act. Last March, Lakehead faculty entered into arbitration with the university. At the heart of the issue was a perceived threat to academic freedom, says Jim Turk, the executive director of the Canadian Association of University Teachers and lawyer representing the Lakehead faculty. “What if you’re a political scientist doing research on the rise of terrorism in the 20th century?” he says. “If all your data goes through a Google e-mail system, it may trigger an algorithm [that has] you labeled as a person of interest.” It wouldn’t take much for a professor to end up on a no-fly list and find their ability to travel hamstrung. “If you become a person of interest to U.S. intelligence agencies, it can have serious consequences for your life,” he says. “There have been cases of people who’ve got on no-fly lists wrongly and have to go to great lengths to get off them.” Privacy concerns aren’t limited to Lakehead. Google has run into problems pushing their service to faculties of many post-secondary institutions around the world as a result of worries over the Patriot Act. While there are more than 2,000 schools using the e-mail service for students in 100 countries, he could only name two using it for faculty e-mail – Abilene Christian University in Texas, and St. Louis University in Missouri. [Source]

 

CA – CIPPIC Issues Report on Online Privacy Threats

The Canadian Internet Policy and Public Interest Clinic (“CIPPIC”) has published a 72-page report analyzing: the nature and scope of online privacy threats; the range of responses to the threats; and PIPEDA’s capacity to address these threats. The report is entitled “Online Privacy Threats: A Review And Analysis of Current Threats” and contains an extensive assessment of the motivations, tools and behaviours of online privacy threats; global responses include privacy legislation, industry self-regulation and technology-specific laws and tools. [Paper]

 

EU – Customers May Foot Bill for EU Data Law

Customers are likely to foot the bill as the State looks to force telecoms operators to retain more data than was originally specified in European Union-mandated data retention legislation. The EU directive requires operators and internet service providers to retain data in case they are needed for criminal investigations. But operators and service providers say the huge costs of complying with the legislation will affect their industry and be passed on to customers. [Source]

 

CA – PIPEDA Complaint Spurred Ticketmaster Privacy Policy Change

In a recent decision, Canada’s assistant privacy commissioner expressed “grave concern” after finding a major online company operating nationwide was violating federal privacy laws, years after the Personal Information Protection and Electronic Documents Act (PIPEDA) took effect. A citizen’s complaint led the Privacy Commissioner to probe Ticketmaster Canada Ltd.’s privacy policy. The complaint alleged Ticketmaster’s practices contravened “principles of access, openness, accountability and consent” required by PIPEDA. In particular, the complainant believed:

The commissioner found Ticketmaster’s privacy policy was confusing and inconsistent, and customers weren’t adequately informed of the use and disclosure of their personal information. Most notably, customers were forced to consent to Ticketmaster’s collection and disclosure to third parties of personal information as a condition of service, in direct contravention of PIPEDA. Thus, the allegations that Ticketmaster’s practices violated the principles of openness and consent were well-founded. As a result of the findings, Ticketmaster revised its privacy policy to meet PIPEDA requirements. Customers are now given the up-front opportunity to opt in to receive marketing material from Ticketmaster, and to allow the firm to share their personal information with third parties for secondary marketing. This puts control back into the consumer’s hands. [Source]

 

US – Audit Reveals Vulnerable Citizen Data

A routine audit by officials in Pinellas County, Florida found that state and county agencies have left vulnerable the sensitive data of citizens. In searching the trash bins at 13 government campuses, auditors found records containing medical information, attorney-client communications and juvenile court records, among other unshredded private data. “When private citizens are obliged to turn over personal information to the state, they should have every reason to believe that such sensitive material will be properly handled,” says a St. Petersburg Times editorial. “More needs to be done in Pinellas government to safeguard the public’s privacy...” [Source]

 

CA – California Tightens Policy on Shielding Personal Information

The California State and Consumer Services Agency has implemented a new policy for better protecting the confidential information of citizens. In a memo sent statewide last week, undersecretary Michael Saragoza said: “Safeguarding against and preventing security breaches involving personal information is essential to maintaining the public’s trust in government.” The policy encourages agencies to reduce the amount of personal information they collect and store, and recommends finding alternatives to using Social Security numbers as identifiers. In addition, going forward, state agencies that experience a security breach will be required to consult with the Office of Information Security and Privacy Protection before issuing notifications. [Source]

 

US – Barack Obama Asks Internet Users to E-Mail Their Policy Ideas

Barack Obama launched the official website for his transition to the White House, inviting users to send in their ideas for the future of the country. Users can also blog, and apply for jobs in an Obama administration via the website. The website continues a tactic Mr Obama employed to such brilliant effect during his campaign: make people feel they have a stake in his strategy, while simultaneously galvanising an army of supporters and new donors, who were kept in almost daily contact with the campaign through e-mails and text messages. [Source] See also: [The Obama Background Check Questionnaire]

 

WW – Study Shows How Spammers Cash In

Spammers are turning a profit despite only getting one response for every 12.5 million e-mails they send, finds a study. By hijacking a working spam network, US researchers have uncovered some of the economics of being a junk mailer. [BBC] [Study]

 

CA – Making Medical Data Anonymous

As hospitals, municipalities and other data-rich organizations deal with the need to protect private information in an online environment, tools are emerging to do just that. Children’s Hospital of Eastern Toronto (CHEO) is trialing a tool for anonymizing medical records. The privacy tool strips away identifiable portions of patients’ medical records, leaving behind only the medical data. For CHEO, the anonymization method is expected to help make data available to medical researchers, while protecting patients’ privacy and complying with provincial legislation guarding such data. [Source]

 

EU – Data Retention Details Dissected

Privacy advocates and others are expressing concern about a draft statutory instrument proposed by the Irish government regarding the retention of citizens’ phone and Internet activity data. The draft proposes that telecom operators retain data for the maximum period slated under the EU data-retention directive--two years--and also calls for the retention of data for calls’ full duration, rather than just the beginning and end points. The Data Protection Commissioner’s Office is said to object to that proposal and a provision that would reduce law enforcement authorities’ burden in obtaining call and Internet data. [Source]

 

WW – Researchers Publish Paper on Breaking WPA TKIP

Two German university researchers have discovered a combination of techniques that could allow an attacker to compromise Wi-Fi Protected Access (WPA) encryption in less than 15 minutes. The attack does not result in the encryption key being discovered. Rather, the technique allows attackers “to decrypt packets and inject packets with custom content.” Martin Beck and Eric Tews present their findings at the PacSec 2008 conference in Tokyo this week. The attack targets the WPA’s Temporal Key Integrity Protocol (TKIP). [Source] [Source] [Source]

 

EU – Dutch DPA Calls for Notification Law

There should be a law requiring banks and credit card companies to report data theft. That’s according to the Dutch Public Prosecutor’s Office and the Data Protection Authority. Radio Netherlands Worldwide reports that public prosecutor Fred Speijers and Data Protection Authority Jacob Kohnstamm told the television news program, Zembla, that these financial institutions should be obligated to notify clients whose information is compromised in a security breach. The program revealed the ease with which personal financial information could be purchased online and inexpensively. [Source]

 

EU – Finland’s Holmlund Calls for Privacy Cut In Gun Law

Anne Holmlund, the Finnish interior minister, said Monday that some privacy must be sacrificed for internal security. The minister added at the opening of a national defence course that some of the impediments to information exchange between authorities should be lifted as part of the ongoing overhaul of the Firearms Act. Ms Holmlund said issues to be considered included giving the police automatic access to a firearm licence applicant’s health records, including prescriptions, and national service records. She also called for increases in training and resources in internet policing. [Source]

 

EU – German Parliament Moves to Increase Police Powers

After months of debate, Germany’s lower house of parliament passed anti-terrorism legislation Wednesday granting federal police the capacity to spy on computers and tap conversations. Those powers are now held only by Germany’s foreign intelligence service. The measure, which passed 375-168 with six abstentions, is expected to easily pass the upper house and take effect before the end of the year. The law has been sharply criticized by the opposition and rights groups as infringing on the privacy rights guaranteed by the constitution. Members of the opposition Free Democrats have said they will challenge the law in the nation’s constitutional court. [Source]

 

UK – Judge Has Created Privacy Law by Back Door, Says Mail Editor Paul Dacre

Paul Dacre, the Daily Mail editor-in-chief, has launched a scathing attack on a High Court judge whom he accused of bringing in a privacy law by the back door. Mr Dacre said the “arrogant and amoral” judgments of Mr Justice Eady were “inexorably and insidiously” imposing a privacy law on the British press. Mr Justice Eady had used the privacy clause of the Human Rights Act against newspapers and their age-old freedom to expose the moral shortcomings of those in high places. “If Gordon Brown wanted to force a privacy law, he would have to set out a bill, arguing his case in both Houses of Parliament, withstand public scrutiny and win a series of votes,” Mr Dacre said. “Now, thanks to the wretched Human Rights Act, one judge with a subjective and highly relativist moral sense can do the same with a stroke of his pen.” Two years ago, Mr Justice Eady had ruled that a cuckolded husband could not sell his story to the press about another married man - a wealthy sporting celebrity - who had seduced his wife. [Source]

 

EU – CNIL Fines Two Companies for Storing, Transmitting Ethnic Data

The French data protection authority (CNIL) has fined two companies €15,000 for violating article eight of the informatique et libertes, reports the Data Protection Review. A CNIL investigation revealed that Fac International and Impact Net created a database to house ethnic information on foreign citizens and used the database to advertise services to those citizens. Article 8 prohibits the collection or processing of sensitive data without the data subjects’ consent. [Source]

 

UK – Border Controls Before Travellers Start For Britain

Immigration, customs and visa checks will be united in a new UK Border Agency, it was announced this week. At the same time the Government announced a £1.2bn programme to strengthen the UK’s offshore border controls with new passenger screening technology. By integrating the work of Customs, the Border and Immigration Agency and UKVisas, overseas and at the main points of entry to the UK, the UK Border Agency will have in place both the resources and remit to strengthen the UK’s security through strong border controls beginning before travellers start for Britain. The new agency will have a central role in helping tackle the threats faced from both crime and terrorism, and the £1.2billion programme includes a £650million contract signed today with consortia Trusted Borders for a passenger screening system, which will work alongside the global rollout of fingerprint visas to keep the UK’s border secure. The electronic border security system will screen all passengers before they travel to the UK against immigration, customs and police watch lists. Successful trials of the new system have already led to more than 1,000 criminals being caught and more than 15,000 people of concern being checked out by immigration, customs or the police. The Home Secretary Jacqui Smith said: “A unified border force means a stronger British border. All travellers to Britain will be screened against no fly lists and intercept target lists and, together with biometric visas, this will help keep trouble away from our shores. “As well as the tougher double check at the border, ID cards for foreign nationals will soon give us a triple check in country. Together this adds up to some of the most advanced security anywhere on the globe. These are the most sweeping changes to our border security for decades.” Today’s contract is an essential step in enabling all passengers coming to the UK to be screened against watch lists before they arrive, stopping those with no right to be here from entering the UK. These new measures are in addition to the roll out to more than 100 countries of fingerprint visas. The contract’s signature signals the roll-out of electronic security passenger checks across the country at international air, rail and sea ports with all high risk routes into the UK covered by mid-2009 and all journeys into the UK by foreign nationals. [Source]

 

UK – Wada Says Player Privacy Will Still Be Protected Under Drugs Code

The World Anti-Doping Agency yesterday said it would meet the English footballers’ union to reassure it that its testing rules would not impose an infringement on player privacy. The Professional Footballers’ Association has objected to having a pool of 30 Premier League players targeted for regular drug testing next year, when UK Sport implements the Wada code, saying it was unhappy that players would need to provide details of their whereabouts every day of the year so they could be tested. UK Sport was worried that players could “disappear off our radar” during the off-season, making it impossible to track them. Under the Wada code, missing three tests in an 18-month period would constitute an anti-doping violation. [Source]

 

WW – Internet Foils Belgium Court’s Attempt at Censorship

Wikileaks is vividly demonstrating why “You can’t effectively censor the Internet.” It seems that a Belgian satirical magazine just published a “sex satire” story involving the country’s chief of police. It was enough to trigger the Belgian legal system’s ordering that all copies of the magazine be recalled from stores, presumably to try to block distribution of the satire and its associated images. The result is predictable to anyone who grasps the power of the Internet. Wikileaks has placed the materials in dispute online, where they will now garner far more attention – and on a global scale – than they ever would have if the Belgian authorities’ censorship attempt hadn’t been initiated. By now the story and photos have been replicated on the Web around the planet. It’s notable in this case that the original source materials didn’t start on the Net. But the Internet’s power to foil censorship can – as this example makes clear – easily extend beyond the Net back to conventional media that can easily be brought online with a simple scanner or video capture card. [Source] [Source]

 

JP – Fake ATM Cards Used To Steal 400 Million Yen

About 400 million yen in cash has been illegally withdrawn from six banks using counterfeit ATM cards made with personal information leaked from another company since December 2006, according to police. Police suspect criminals are using a new counterfeiting technique to create the phony ATM cards used in these crimes. The Metropolitan Police Department plans to set up a joint investigative office with other police forces to conduct a full-fledged probe. [Source]

 

UK – Report on the Re-use of Public Sector Information 2008

(OPSI) This time last year OPSI produced a report marking the first two years of operation of the UK regime for public sector information (PSI) and tracking progress made to date. As with the first report, OPSI’s aim was to ensure that the legislation that underpinned the various UK tools and initiatives to deliver PSI services ‘is recognised, understood and put into practice’. The Report highlights the key milestones and tracks the progress made by OPSI and the UK government over the past year. [Source]

 

UK – Lords Approve Removal of Some DNA Evidence From Database

The UK House of Lords has approved an amendment to the Counter-Terrorism Bill that would allow innocent people to apply to have their biometric information removed from national databases. The data, which include DNA and fingerprints, are gathered during investigations, but are presently retained even when the individuals have been cleared of wrongdoing. [Source] [Source]

 

CA – New Canadian Website Allows Physicians and Patients to Communicate

The Canadian Medical Association launched its mydoctor.ca website in Vancouver, saying it will let patients share information online with their doctors. It may also mean a range of new fees as patients are asked to pay for the privilege of communicating with their doctors via the Internet. The CMA, which represents the country’s doctors, called the health portal site “the first physician-driven Canadian electronic patient health record platform” and said it will act as an add-on -- or sometimes as a substitute -- for office visits. CMA president Dr. Brian Day told the Vancouver Board of Trade the site will offer secure messaging between patients and doctors and will improve care “with the click of a mouse.” Dr. Jay Mercer, who demonstrated the software that runs the site in a multimedia news conference from his office in Ottawa, said the process is “patient-controlled so patients can choose how much information to share with their doctors.” The CMA initiative is separate from an electronic medical records plan being implemented across Canada with federal and provincial government funding. In that plan, hospitals, health authorities, laboratories and diagnostic clinics are integrating information-technology systems to share patient records so that duplication of tests can be avoided and patient safety can be protected. [Source]

 

US – Prescription Management Company Receives Extortion Threat

Express Scripts, a company that manages prescription benefits for approximately 50 million individuals through thousands of clients, has received a threat that customer records will be exposed unless the company pays a ransom. In a letter turned over to federal investigators, the extortionists included personally identifiable information of 75 people, all of whom have been notified. The exposed data include birth dates, Social Security numbers (SSNs) and some prescription details. [Source] [Source] [Source] [Express Scripts Reports New Threats Tied to Data Security Breach]

 

US – Express Scripts Offers $1 Million Reward

In response to an extortion threat, Express Scripts is offering a $1 million reward for information leading to the arrest and conviction of the person or persons responsible. Last week, the prescription benefits management company revealed that it had received an anonymous threat to expose the personal information of Express’ client members unless financial demands were met. The FBI is investigating. In addition to the reward for information, Express has teamed with a risk-consulting firm to provide members with free identity-restoration services in the event they fall prey to identity theft as a result of the incident. [Source]

 

AU – Medical Records on Show to Medicare Bureaucrats

The private health information of patients will be exposed to Medicare officials in a new anti-fraud initiative, reports Adelaide Now. Doctors will be required to submit patient records to Medicare auditors under the new policy, which aims to identify physicians who overcharge Medicare for their services. The organization will audit 2,500 doctors annually. Doctors and the Australian Medical Association (AMA) oppose the policy, saying it breaches patient confidentiality. “As far as I’m concerned, it’s a breach of my duty to show Medicare clerks my patient notes,” said the AMA’s Rosanna Capolingua. “They will have to come in with a court order.” [Source]

 

US – Google Uses Searches to Track Flu’s Spread

The flu accounts for about 36,000 deaths annually. Google’s philanthropic arm unveiled a service that could serve as an early-warning system for influenza outbreaks, ultimately helping reduce those numbers. The New York Times reports that Google Flu Trends aggregates users’ flu-related Internet searches and charts activity by state and region. The information is expected to help healthcare providers more effectively respond to outbreaks, among other benefits. “The earlier the warning, the earlier prevention and control measures can be put in place,” said Lyn Finelli of the Centers for Disease Control and Prevention (CDC). “This could prevent cases of influenza.” Google says the aggregate data cannot be used to identify individual searchers. [Source]

 

EU – Dutch Patient Database Draws Privacy Concerns

Physicians in the Dutch national family doctor association (LHV) are enthusiastic about the health ministry’s plans to move all patient records into a central database, but concede that officials might be moving too fast with the project. Fulco Seegers of the LHV said that patient privacy concerns have not yet been resolved. Dutch health minister Ab Klink earlier this month announced plans for the electronic health information system to go live on January 1. Since the announcement, 15,000 citizens have opted out of the system. [Source]

 

US – 330,000 Dental Patients’ Data Exposed in Florida

The University of Florida College of Dentistry has notified 330,000 patients about a security breach that exposed their personal information. The exposed data included names, addresses, dates of birth, Social Security numbers and some dental care information for patients dating back to 1990. The university’s IT department discovered remotely-installed software during a server upgrade on October 3. The FBI and university police are investigating. [Source]

 

US – Equifax Unveils Online Identity Card

Equifax Inc. has unveiled the Equifax online identity card or I-Card, with a beta test of a first-of-its-kind digital identity management solution that is designed to make online transactions easier and more secure for both consumers and businesses. Information cards (I-cards) are the online equivalent of a driver’s license, passport or similar ID and allow consumers to “click-in” to web and e-commerce sites that accept the I-card and conduct online transactions with greater security and control and without having to fill in forms or remember multiple passwords. It is anticipated that this ease-of-use and security will, over time, facilitate relationships between consumers and businesses by reducing the need for companies to retain customers’ personal identification information, which could also result in the reduction of risks posed by data breaches. Equifax is partnering with Parity, a leader in user-centric identity management, to offer the Equifax I-Card that enables people to verify their identity online. People who obtain the Equifax I-Card will also be offered Parity’s Azigo I-card management software to enable one-click sign-in and identity verification. Consumers can get their Equifax I-Card free of charge at https://equifaxicards.com for use exclusively at a proof-of-concept site (http://watch-this.com). [Source]

 

US – NebuAd and ISP Partners Hit With Class Action Lawsuit

NebuAd and 26 of its ISP partners are the targets of a class-action suit that was filed this week in a California Federal District Court. The complaint, filed Monday on behalf of 16 plaintiffs, claims NebuAd and Internet service providers committed illegal privacy and computer security breaches against Internet subscribers. [ClickZ]

 

WW – Consumer Group Calls Attention to Google Chrome’s Security Flaws

The security flaws contained within Google Chrome have been the subject of discussion since its launch in September 2008. Now, Consumer Group has called attention to Google’s auto-suggest feature (built-in within Google Chrome). A video released on YouTube demonstrates how merely typing in letters of a word sends the information to Google which could be revealed by the use of packet sniffers in the network. Also, the letters are stored on Google’s servers which could potentially be acquired through search warrants and may lead to drawing of unwarranted assumptions and conclusions. The video explains that these features are not transparent and no readily visible options exist for disabling them. Other groups such as Center for Digital Democracy, have described Chrome as a “digital Trojan horse to collect even more masses of consumer data”. London based Privacy International has also lamented that it was impossible to track information acquired by Google. [Google’s Growth Raises Privacy Concerns] [Consumer Watchdog Exposes Google Privacy Problems] [Consumer Watchdog’s YouTube video] See also: [Google Fixes Android Flaw]

 

WW – Placebook Knows Where You Were Last Summer

A next-generation social networking application gaining traction across Europe has sparked a next-generation privacy debate. Placebook, the product of Polish startup Belysio, lets users track friends’ physical locations in real time via mobile phone. The service is free and legal, but users (or their parents) must provide consent before the tracking begins. Patrick van Eecke of DLA Piper says the development brings with it the possible need for new legislation surrounding consent in the Web 2.0 age. “Without it, today’s youth could be plagued with an indelible digital trail years from now.” [Source]

 

US – EPIC Supports Privacy of Washington D.C. Metro Passengers

On October 29, 2008, EPIC staff joined organizers from FlexYourRights.org who were handing out flyers at the Dupont Circle Metro station opposing searches of passengers’ carry-on items for possible explosives before they enter Metro stations. The EPIC staff also handed out the flyers and displayed the “Privacy ’08” banner. The Washington Metropolitan Area Transit Authority recently announced a rule authorizing officers to randomly select passengers’ items for inspection. However, if an illegal item unrelated to the reason for the search is discovered in the process, the item can be confiscated as evidence and the police will cite or arrest the individual. Also, even if a “suspicious” person is not selected for inspection, the carry-on bag will still be subject to inspection if the officer has a reasonable suspicion about the person. The legality of these searches is based on a Circuit Court decision arising from New York, which held such searches to be constitutional if, among other things, passengers receive notice of the search and it is voluntary. Although a passenger may decline the search and leave the Metro, police may arrest anyone who refuses to be searched and later attempts to re-enter the Metro. The decision also dictates that officers conducting the search may not exercise any discretion in determining whom to search and may not conduct the inspection for longer than necessary to determine that the individual is not carrying an explosive device. [Washington Metropolitan Area Transit Authority Press Release] [Washington Metropolitan Area Transit Authority Search FAQs] [FlexYourRights.org flyer] [MacWade v. Kelly (2nd Cir. 2006)] [Facebook - Stop DC Metro Searches] [Protesters Oppose Metro Bag Searches, ABC 7 News]

 

EU – Privacy versus Internet Security

Finland’s interior minister Anne Holmlund said today that a reduction in privacy is necessary to prevent crime. In discussing ongoing revisions to the nation’s Firearms Act, the minister called for greater information exchange among authorities. Specifically, Holmlund called for greater police access to gun licence applicants’ information, such as their health, prescription and national service records. She also wants more resources directed toward policing the Internet, saying that the medium offers new opportunities to plot crimes, as was the case with two school shootings in the country this year. [Source]

 

WW – Zuckerberg’s Law of Information Sharing

At the Web 2.0 Summit last week, Facebook founder and chief executive Mark Zuckerberg predicted that the amount of information people reveal through social networking sites will double next year due to Internet users’ increasing willingness to share information. “I would expect that next year, people will share twice as much information as they share this year, and next year, they will be sharing twice as much as they did the year before,” he said. “Call it Zuckerberg’s Law,” Saul Hansell wrote in a New York Times “Bits” blog, citing the similarities to Intel co-founder Gordon E. Moore’s law about transistor chips. [Source]

 

BA – Bermuda: Law in the Pipeline to Protect Data

Plans announced in the Throne Speech to draw up draft legislation on electronic data protection will provide a boost to Bermuda’s international business community. Currently, international companies that operate in the European Union face restrictions on moving data on EU clients to Bermuda, because the Island does not have equivalent data protection laws. US laws are much less stringent. The implementation of such laws by Bermuda may see the EU restrictions eased. [Source]

 

KR – Korea: Data on 4,500 SNU Students Leaked Online

Personal information of more than 4,500 students and professors at Seoul National University was leaked online and has been accessible to anonymous users. According to the school, its French literature department uploaded an article to its Web site in May giving notice of mandatory reserve force training. However, a Microsoft Excel file listing 4,500 males subject to the training at the school was attached to it, containing their names, mobile phone numbers, military serial numbers and birthdays. The information was originally kept by the reserve force regiment to update contact information, since many had changed their phone numbers, the school said. The school said that an assistant to the department had mistakenly uploaded the list, and it expressed regret. It is investigating where and how the leaked information was used. The case comes amid rising public concern over personal information leakage. Online auction site www.auction.co.kr was hacked in February, exposing the personal data of 10 million members. Oil refinery GS Caltex had its information on 11 million customers stolen and leaked in September. [Source]

 

US – Survey: Conflicting Interests Pose Huge Challenge to Privacy Policies

The conflicting interests of stakeholders in large organizations make developing privacy policies difficult, according to a report published last month. Researchers at Hewlett Packard studied the group dynamics involved in creating a corporate privacy policy, finding that: “The various stakeholders do not form a coherent system, and their needs, wishes, and capabilities/constraints are highly diverse.” The report cites examples of conflicting motives, such as the legal department’s desire to collect as little information as possible, versus the marketing department’s desire to collect certain information. The researchers conclude that policies appealing “to a CPO, CSO and the corporate legal department” have the best chance for success. [Source] [Study]

 

US – Presidential Campaign Systems Attacked, Files Stolen

The computer systems of both major party US presidential candidates were reportedly compromised by a “foreign entity.” IT people at the Obama campaign earlier this summer believed they had been hit with run-of-the-mill malware, but later learned that “a serious amount of files [were] loaded off [their] system.” The McCain campaign’s computer system was similarly attacked. Investigators speculate that the attackers were gathering intelligence on both candidates’ policy positions. [Internet Storm Center] [Source] [Source] See also: [White House Computers Hacked: Multiple Times]

 

WW – Five Tips for Preventing (Personal) Data Leakage

Gadgets may be great for gift-giving, but employers trying to control their company’s sensitive data may need to step up precautions during this holiday season, says a CNNMoney.com report. The report offers up five tips for data protection in the age of portable devices in the workplace. Among them: developing an auditing process, creating written procedures for data handling, and “encrypting everything.” [Source]

 

UK – ID Card Costs Rise - But Is the Security Weakening?

Opponents of ID cards have renewed their attacks on the scheme, claiming security is being watered down even as the cost of the cards rises. Cards will only be checked against biometric details on the National Identity Register (NIR) in a “minority of cases”, according to Home Office documents, prompting accusations that it has been relegated to a “flash and go” card. The Home Office consultation documents said: “Most transactions involving the identity cards are likely to be visual checks of the card, or a local check of the information held on the card (e.g. using a scanner).” [Source]

 

US – Federal Agencies Miss Smart Card ID Deadlines by Wide Margin

Federal agencies continue to miss by a wide margin the implementation deadlines for an ambitious government-wide smart card identity credential initiative designed to shore up the security of federal networks and facilities. The most recent deadline passed on Oct. 27. By then, agencies were supposed to have finished issuing new Personal Identity Verification (PIV) smart cards to all their employees and contractors under a 2004 presidential directive, Homeland Security Presidential Directive-12 (HSPD-12). Of the more than 5.5 million federal employees and contractors who were supposed to have been issued PIV cards by that date, fewer than 1.6 million -- or 29% -- actually received them, according to numbers from the Office of Management and Budget (OMB), which is overseeing the effort. [Source]

 

US – Bush Domestic Spying Revelations Expected After Obama Sworn In

When Barack Obama takes the oath of office on January 20, Americans won’t just get a new president; they might finally learn the full extent of George W. Bush’s warrantless domestic wiretapping. Since the New York Times first revealed in 2005 that the NSA was eavesdropping on citizens’ overseas phone calls and e-mails, few additional details about the massive “Terrorist Surveillance Program” have emerged. That’s because the Bush Administration has stonewalled, misled and denied documents to Congress, and subpoenaed the phone records of the investigative reporters. Now privacy advocates are hopeful that a President Obama will be more forthcoming with information. But for the quickest and most honest account of Bush’s illegal policies, they say, don’t look to the incoming president. Watch instead for the hidden army of would-be whistle-blowers who’ve been waiting for Inauguration Day to open the spigot on the truth. [Source] See also: [In EPIC lawsuit, Federal Judge to Review Warrantless Wiretap Memos]

 

CA – Lie-Detector Hiring Tests Slammed

Nova Scotia’s former privacy watchdog says Halifax Mayor Peter Kelly should put an end to invasive polygraph testing of applicants for jobs with the city. “It’s just not fair,” said Darce Fardy, who retired in 2006 as the province’s freedom of information and protection of privacy review officer. “I’ve heard it discussed and I think people are taken by surprise that there are so many personal questions on these tests.” The Halifax Regional Municipality is conducting a review of the way it uses lie detectors to screen applicants for certain jobs. The mayor called for the review after the Halifax Chronicle Herald quoted a job applicant saying she was humiliated by questions during a recent polygraph test, including one asking whether she had sex with animals. The woman, who asked not to be identified, was applying for an information technology job. She said she did not get the job. [Source]