Privacy News Highlights
14–20 November 2008
Contents:
UK – Industry Report: 75% Ready for Biometric Testing to Tackle ID Fraud
US – California Hospital Uses Biometrics to Protect Patient Privacy
CA – Ontario Passes Legislation to Create Enhanced Drivers License
CA – Federal Privacy Commissioner Defines ‘Personal Information’
CA – Children’s Privacy Threatened by Play Websites and Social Networking
UK – Data Watchdog: Access to Patient Files Is Unacceptable
EU – Hustinx: Right to Court Action Essential
UK – ContactPoint Under Scrutiny
EU – Irish Government Approves Covert Garda Measures
CA – 1.7 Million Canadians Are Victims of Identity Fraud
AU – Net Censorship Plan Backlash
AR – Argentine Judges Disappear Celebrities from Internet
CA – Federal Court of Appeal Upholds eBay Power Seller Decision
EU – EU Wants Tougher Rules on Taxes
UK – Freedom of Information to be extended in Scotland? Consultation underway...
UK – Privacy Watchdog Issues Guidance on FOI Exemptions
US – Federal Court Upholds New Hampshire Drug Privacy Law
US – Lack of Enforcement Places Health Information at High Risk: Inspector-General
US – GE Unveils Electronic Medical Records Initiative
WW – Transatlantic Survey: 1/3 Health Workers Leave Data Security to Chance
US – Military ID Theft Ring Steals More than $1 Million, Police Say
US – Arizona State Agency Loses Data on 40,000 Children in Disk Theft
US – University of Florida Warns 333,000 Dental School Patients of Breach
EU – Spanish IT Admin Used Inside Knowledge to Hack and Steal
UK – ‘Deeply disturbing’ Privacy Fears as 1m State Staff Could View Child Database
CA – PIAC Releases Critical Report on Consumer Authentication by Banks
WW – Age-Verification Methods Raise Privacy Concerns
EU – EU Council Refuses to Release ACTA Documents
CA – Canadian Government Re-Launches ACTA Consultations
WW – Privacy Groups Target Google Flu Trends
WW – Microsoft Announces Plans for No-Cost Consumer Security Offering
UK – CRB Database Wrongly Labels Thousands as Criminals
UK – Police Scour Posted Party Membership List to Find Officers Breaching Ban
US – Border Laptop Search Hit Rate: Only 1.4%
US – New Group Wants Tighter Rules for Collecting, Using Consumer Data
US – Keylogger “Stalker” Spyware Ordered Off the Market
UK – Government Ministers in Breach of DPA
UK – Ban on Assisted Suicide No Breach of Right to Privacy
EU – Romania Adopts Data Retention Law
EU – Big Brother Awards Czech Republic 2008
AU – Australia Data Share Plan to Curb Child Abuse
US – Role of Federal Tech Czar to be Defined
US – EFF Proposes a Transparency Agenda for the New Administration
US – Constitution Project: Cloud Computing Raises Privacy Issues
US – Texas A&M Prof Fired For Posting Names of Plagiarists
EU – RFID Stakeholders Worldwide Urged To Join EU Project’s Global Forum
US – Under Worm Assault, Military Bans Disks, USB Drives
WW – Reputation a Major Force Driving Information Security
EU – EU gives up Airport “Strip Search” Scans
US – Visa’s Digital Credit Card Could Raise Legal Stakes For Competitors
US – Murder Suspect Has Witness: A MetroCard
US – FOIA Docs Show Feds Can Lojack Mobiles Without Telco Help
US – Sniff Lets You Find Your Friends in Real-Time
WW – ‘Green’ Building Windows Can Block Cell Signals
US – Employee Data More Vulnerable than Constituent Data: Survey
UK consumers are the most open in Europe to the use of biometric technologies to verify their identities. This is according to the latest Unisys Security Index, the bi-annual global research project into consumers’ security concerns conducted by Unisys, a global biometrics solutions company. The latest UK Security Index reveals that 75% of UK residents would be willing to allow banks, government agencies and other organisations to take fingerprints in order to verify their identity, compared with France (59%), Germany (62%) or Italy (63%). The Security Index also shows that financial security is now the biggest area of concern for UK consumers, with worries over the misuse of debit or credit card information having increased in the last six months. [Source]
The ValleyCare Health System in Pleasanton, Calif. is one of the first hospitals in the U.S. to use a palm vein authentication technology as part of its patient registration and identification system. Prompted by a new slate of regulations from the FTC, hospital officials turned to Fujitsu’s PalmSecure to integrate with the hospital’s Patient Access Lifetime Match solution. The result is a system that provides accurate patient identification without being intrusive. Starting Nov. 1, the FTC requires healthcare providers to develop programs to protect against identity theft in compliance with the Identity Theft Red Flag regulations under the Fair and Accurate Credit Transactions Act. Healthcare organizations are also required to implement policies and technologies ensuring that patients do not receive improper care or get incorrectly diagnosed because their electronic medical records have been mixed with information from someone else. [Source]
Ontario is moving ahead with plans to offer enhanced driver’s licenses that can be used as an alternative to a passport at the U.S. border despite objections by critics who say the plan raises privacy and security concerns. The New Democrats voted against the legislation which easily passed this week, opening the door to the new licenses and photo ID cards that will include citizenship information. [Canwest]
The Office of the Privacy Commissioner of Canada has provided guidance on interpreting the meaning of “personal information”, published August 15, 2008. [Source]
The Public Interest Advocacy Centre (PIAC) has released a report, “All in the Data Family: Children’s Privacy Online”, calling for amendments to PIPEDA that would prohibit collection, use, and disclosure of the personal information of children under 13 in Canada. PIAC counsel John Lawford noted that many apparently kid-friendly websites and social networking sites routinely use personal information of even young children for behavioural marketing and market research: “There quite simply are no special rules for use of kids’ personal information in Canada. Right now, Internet play websites like Neopets, Webkinz and social networking sites like Facebook use kids’ personal information for profit but are not making it clear that this is their business model.” The report concludes that such personal information collection, use and disclosure for children under 13 violates privacy in all cases and should be explicitly made illegal under Canada’s privacy laws. The report also calls for a prohibition on disclosure of personal information of children aged 13 to 15 to any other entity, including marketers. The report goes on to recommend that disclosure of personal information collected by websites only be allowed for information collected from children aged 16-18, and then only with the opt-in consent of the teenager and the explicit consent of the teen’s parent or guardian. The report also recommends that personal information collected from children no longer be retained by websites once the child reaches age 18, unless the newly adult child explicitly consents to the website carrying this information forward.
The report also calls for increased enforcement of these new children’s privacy rules via fines and other new powers for the Office of the Privacy Commissioner of Canada as well as specific rules governing the social networking sites, such as requiring these sites to opt children into the highest possible privacy settings on the website by default and to restrict access to children’s profiles from the general internet and by adults from within the social networking site. [Source] [PIAC Report]
Government plans to allow medical researchers access to patients’ records were branded ethically unacceptable by the chairman of the health data watchdog. The proposals would give Britain’s research institutes access to more than 50 million records. They could then use this information to identify and write to patients who could take part in trials of new drugs and treatments. Harry Cayton, chairman of the National Information Governance Board for Health and Social Care, said that the situation had arisen because of an eagerness to boost UK research ahead of foreign companies. He said: “There is pressure from researchers and from the prime minister to beef up UK research. They want a mechanism by which people’s clinical records could be accessed for the purposes of inviting them to take part in research, which at the moment is not allowed. I think that would be a backward step. “We believe this is a breach of good practice in confidentiality and consent, and have questioned if there is a sound legal basis for it.” [Source] See also: [Arkansas hospital fires 6 for accessing files]
European Data Protection Supervisor Peter Hustinx has published his opinion on EU-U.S. plans to increase personal data sharing in criminal cases. Hustinx says that before the agreement can go forward, improvements are needed. Specifically, the plan must include a right to court action for any individuals whose data is wrongly processed, regardless of their nationality. “The availability of adequate means for redress needs to be properly addressed,” said Hustinx in a statement. “Strong redress mechanisms, including administrative and judicial remedies, should be available to all individuals, irrespective of their nationality.” [Source] [The Opinion] [The EU-US report]
A database intended to ease data-sharing among public schools in England and Wales is drawing more criticism. Under Department for Children, Schools and Families plans, the ContactPoint system would house the personal information of 11 million children and their legal guardians. The system has been controversial since it was first announced, but new revelations that up to one million public sector workers will have access to the database have sparked renewed outcry. Opponents of the plan say the more people who have access to the system, the greater the likelihood of information abuse. [Source] See also: [Street Youth Workers Blast ContactPoint - angry over information-monitoring demands]
The Government today approved proposals to allow the Garda to carry out covert surveillance, including bugging, in order to fight gangland crime. The Cabinet approved proposals outlining the circumstances in which covert surveillance can be used and dealing with the procedures gardai must go through to authorise such covert methods. In general, gardai will need a judge’s approval, but in urgent cases a Garda chief superintendent can give authorisation. [Source]
Nearly 1.7 million Canadian consumers were victims of identity fraud in the past year, according to a new national survey conducted by researchers at the DeGroote School of Business at McMaster University. These victims spent more than 20 million hours and more than $150 million of their own money to resolve the fraud. The survey found that in the past year 6.5% of Canadian consumers - about 1.7 million people - experienced some kind of identity fraud, such as unauthorized credit card purchases or account access, having new accounts or loans taken out in their name, and being impersonated. Online transactions were the source for 15% of identity theft cases. Debit card skimming made up another 13% of cases. While most respondents said they take steps to protect their personal information, the survey showed that Canadians are not going far enough to minimize the chance of identity fraud. Only 13% of identity fraud cases were reported to the police. And nearly half of respondents - 49% - had never requested a copy of their credit report. Fully 20% of survey participants report that they have stopped or reduced the amount of shopping they do online because of concerns about identity fraud, and 9% report that they have stopped or reduced online banking activities. [Source]
Opposition grows against the Government’s controversial plan to censor the internet, and the head of one of Australia’s largest ISPs has labelled the Communications Minister the worst in the past 15 years. Greens senator Scott Ludlam accused the Communications Minister, Stephen Conroy, of misleading the public by falsely claiming his mandatory censorship plan was similar to that already in place in Sweden, Britain, Canada and New Zealand. Despite significant opposition from internet providers, consumers, engineers, network administrators and online rights activists, the Government is pressing ahead with its election promise of protecting people from unwanted material, this week calling for expressions of interests from ISPs keen to participate in live trials of the proposed internet filtering system. [Source] See also: [UK ISPs to be Named Over Offensive Content]
An anonymous reader writes “Since 2006, Internet users in Argentina have been blocked from searching for information about some of the country’s most notable individuals. Over 100 people have successfully secured temporary restraining orders that direct Google and Yahoo! Argentina to scrub the results of search queries. The list of censorship-seeking celebrities includes judges, public officials, models and actors, as well as the world-cup soccer star and national team head coach Diego Maradona. Try it yourself — compare the results for a Yahoo! Argentina search for Diego Maradona (0 results) to a search at Yahoo! Mexico and Google Argentina (both with millions of results).” [Source]
The Federal Court of Appeal has upheld an earlier decision ordering eBay to provide information on Canadian power sellers. The Globe and Mail reports that the Canadian Revenue Agency plans to escalate its investigation in light of the decision. A key part of the case turns on the fact that the requested information is located on servers outside the country. This leads the court to discuss concerns associated with Internet jurisdiction and cloud computing, arriving at the view that, for the purposes of the Income Tax Act, electronic documents available on computer servers located anywhere in the world can be treated as located in Canada. It notes that: “it makes no sense in my view to insist that information stored on servers outside Canada is as a matter of law located outside Canada for the purpose of section 231.6 because it has not been downloaded. Who, after all, goes to the site of servers in order to read the information stored on them?” While this conclusion may be limited to the specific Income Tax Act provision, the concept that mere accessibility of an electronic document (wherever located) can be treated as being located in Canada could have enormous implications for many other areas of the law if there were attempts to extend the analysis. [Source]
Account holders at financial institutions across the E.U. may find themselves with less financial privacy if the 27-nation bloc approves new rules to stamp out tax evasion. EU officials have proposed plans to tighten restrictions on interest-income reporting, and called for banks and investment companies to better identify those who stash cash in foreign banks to avoid taxes. Regulators acknowledge that in order for the crackdown to be effective, nations where many Europeans store such funds will need to cooperate. “Switzerland certainly is a key country,” said EU Taxation Commissioner Laszlo Kovacs. [Source]
A discussion paper that raises the prospect of extending the Freedom of Information (Scotland) Act to more organisations has been published by the Scottish Government. It seeks views on extending the Act to cover:
- Contractors who provide services that are a function of a public authority
- Registered social landlords
- Local authority trusts or bodies set up by local authorities
Minister for Parliamentary Business Bruce Crawford also announced that the Government would be pro-actively publishing Ministerial car travel and diary information. In addition, the Minister announced the publication of the latest Scottish Government Annual Report on request handling. [Source]
Public authorities who want to keep information secret to protect the commercial interests of companies they work with must explain exactly what damage will be done by disclosure, the Information Commissioner’s Office (ICO) has said. The privacy regulator has issued three sets of guidelines on when public authorities can keep information secret despite requests for its release under the Freedom of Information (FOI) Act. Another piece of ICO guidance outlines when authorities can publish personal information. If a request is for information about an identifiable individual who is not the person making the request, then an authority must consult the Data Protection Act. The ICO’s publication also offers guidance on the circumstances in which there is a public interest in disclosure, and how this is balanced against an individual’s privacy. [Source] [The guidance for third party commercial concerns] [The guidance for contracts] [The guidance for personal information]
A federal appeals court has dealt a setback to the pharmaceutical industry and companies that collect prescription data for use in drug marketing. Ruling in support of a New Hampshire law, the court upheld the right of states to prohibit the sale of doctor-specific prescription drug data that is widely used in pharmaceutical marketing. The case is a defeat for two large data-mining companies, IMS Health and Verispan. They sued in 2006 to block implementation of the New Hampshire law, which prohibited the sale of computerized data showing which doctors were prescribing what drugs. The decision could also have implications in other states that have either adopted or are considering similar legislation, particularly Maine, which is in the same appellate district as New Hampshire and where a similar law was also struck down by a district court this year. Vermont has also enacted a similar law that is to take effect next year but is also facing a court challenge. Other states are now likely to take a more serious look at enacting such laws. [NYT Source] [Source]
The Inspector General (IG) for the Department of Health and Human Services (HHS) issued a study on implementation of HIPAA’s Security Rule. The findings were alarming in what they suggested about the integrity of American medical records. Ineffective oversight has led to “numerous, significant vulnerabilities” in the system that safeguards electronic protected health information (EPHI). In addition, the report found that the agency charged with oversight of HIPAA’s Security Rule had not conducted a single compliance review nor levied any civil penalties at the time of publication. The report also warned that poor enforcement has placed confidentiality of EPHI at “high risk.” The report also called for stronger enforcement of the HIPAA Privacy and Security Rules. [Source] [Study]
General Electric’s healthcare division, in partnership with several top medical institutions, has announced a $200 million initiative to digitize patient medical information. Although electronic medical records have the potential to greatly reduce costs and errors, implementation has been a challenge, due to patient privacy and security issues. GE Healthcare wants to provide the technology to enable medical professionals to more efficiently share patient records. The company also hopes to provide physicians with near real-time alerts on cutting-edge research and treatment findings, according to CNN.com. Eventually, the company wants doctors to be able to find the best medical treatments for individual patients based on databases of extensive medical histories, the Associated Press reported. The company’s announcement came at a time when GE Healthcare has been struggling financially. Earnings during the first half of this year fell 4% after declining 3% last year. [Source] [GE Healthcare website]
A transatlantic survey of more than a thousand healthcare professionals has shown that over a third are unwittingly putting personal information at risk by storing patient records, medical images, contact details, corporate data and other sensitive information on mobile devices such as laptops, BlackBerrys and USB sticks - and not adequately securing them. The “mobile device usage in the healthcare sector” survey released this week was carried out amongst senior clinicians, GPs, policy makers, IT directors, IT and general managers by mobile security experts Credant Technologies, together with E-Health Insider in the UK and Outpatient Surgery Magazine’s subscribers in the US. A fifth of healthcare practitioners use their own devices for work - creating a security nightmare for the NHS if not managed and secured properly. 35% of healthcare practitioners rely on just passwords to secure their work laptops and other mobile devices. When asked how they are securing their data, many health practitioners said they rely on very basic security: 35% of those in the UK said they were using just a password. Using basic hacker software downloaded from the Internet, it would take 5 minutes to bypass basic passwords made up of a name, dictionary word or easily remembered number. In the UK, 6% admitted to storing sensitive patient details with no security whatsoever. This was even worse in the US, where a shocking 18% admitted to this cavalier attitude to the information they are storing on their devices. [Source]
A former U.S. Navy petty officer at Fort Worth’s Joint Reserve Base accessed secret military databases and compromised the identities of 8,000 sailors and reservists, police said. Investigators said the information was used to make fraudulent checks and identification cards. More than $1 million was stolen, police said. [Source]
Arizona’s Department of Economic Security (DES) is notifying the families of about 40,000 children that their personal data may have been compromised following the theft of several hard drives from a commercial storage facility. The information stored on the stolen disks included the names, addresses and phone numbers of families whose children were referred to the DES for early intervention services over the past several years. In the cases of families that had applied for and received services from the agency, their records also included Social Security numbers, a DES spokeswoman said. [Source]
The University of Florida yesterday disclosed that it has notified more than 333,000 people about the potential compromise of their personal data following a system intrusion at its dental school. The compromised data included the names, dates of birth, SSNs, and addresses of current and former College of Dentistry patients dating back to 1990, as well as information about dental procedures in some cases, the university said in a statement. The data had been stored unencrypted in a database on the breached server, it added. In addition to the 330,000 people who were notified, another 8,000 individuals whose current mailing addresses couldn’t be found were affected by the intrusion, according to the statement. Officials at the university in Gainesville hope that those patients will learn about the data breach through media coverage of yesterday’s disclosure. [Source]
A former San Jose network administrator is facing 12 years in prison after pleading guilty to hacking, ID theft, burglary and drug charges, according to the Santa Clara District Attorney’s office. “This was one of the most sophisticated computer crimes our office has prosecuted,” said Ben Field, Santa Clara’s deputy district attorney. “There’s computer intrusion in the first place, there’s the introduction of spyware, there’s the theft of proprietary data from a computer network and sometimes the destruction of proprietary data from a computer network.” [Source] See also: [Former inmate nabbed for allegedly breaking into prison’s IT systems] and [FBI probes data theft blackmail scheme] and [Ohio gov’t. contractor suspected in ‘Joe the Plumber’ privacy breach] and [UK: Children’s data memory stick lost] and [NC: State failed to encrypt private data] and [UK: Identity theft fears over stolen UPS laptop]
Up to a million public sector workers could be allowed to access a Government database containing sensitive information on every child in England and Wales, it has emerged. Critics say the figure is three times higher than ministers told Parliament, and raises further privacy concerns about the controversial ContactPoint system. The database will contain the name, home address and school of all 11 million children. It will also include information about their legal guardians. [Source]
The Public Interest Advocacy Centre (PIAC) has released “‘Are You Sure You Want to Continue?’: Consumer Authentication at the Crossroads,” a report that calls for a major overhaul of Industry Canada’s “Authentication Principles”. The report laments the Authentication Principles’ failure to provide Canadian consumers with adequate protection when using the Internet to conduct business transactions such as online banking. The report offers a host of recommendations aimed at protecting the security and privacy of consumers who use electronic authentication to access finances or to shop online. The report notes that consumers are becoming increasingly wary of growing security and privacy risks, such as phishing, that are threatening the way they conduct online retail and banking transactions. In order to ensure consumer safety and confidence in online commerce, the report urges that both the federal and provincial governments play a greater role in the regulatory process, and recommends that much stricter authentication regulations be applied to financial institutions under the Bank Act and other federal financial legislation. To adequately protect consumers’ privacy while online, PIAC suggests that the Authentication Principles be amended to include direct references to the standards of PIPEDA and that consumers be given more choice in how to protect their privacy, such as the ability to decide which personal information will be used to authenticate them during an online transaction. The report warns that consumer liability should not be increased by new authentication methods, and that contracts issued by banks and retailers should make the provider of the payment system responsible for losses due to authentication failures, fraud and hacking. The report calls for consumer education about authentication coupled with disclosure requirements for banks and retailers to ensure consumers are told of problems with authentication systems.
Finally, the report suggests that a federal regulatory body be instructed to audit the authentication systems of financial institutions, to ensure that industry standards and the new Authentication Principles and legislation are followed, and that a similar audit system be set up at the provincial level to oversee retail authentication systems. [Source] [PIAC Report] See also: [European banking sector study focuses on e-banking and data security]
Although age-verification systems have long been coveted for helping protect children online, the technologies now emerging to satisfy that want are not being welcomed with open arms. Privacy concerns surrounding some age-verification firms’ plans to share information with Internet companies have child safety activists crying foul. “It’s particularly upsetting,” said one Internet safety expert, that “age verification companies are selling parents on the premise that they can protect the safety of children online, and then they are using this information for market profiling and targeted advertising.” [Source]
The EU Council refuses to release secret Anti-Counterfeiting Trade Agreement documents, stating that disclosure of this information could impede the proper conduct of the negotiations, would weaken the position of the EU in these negotiations, and might affect relations with the third parties concerned. The Foundation for a Free Information Infrastructure requested these documents last week. FFII’s response questions ACTA’s secrecy saying: ‘The argument that public transparency regarding ‘trade negotiations’ can be ignored if it would weaken the EU’s negotiation position is particularly painful. At which point exactly do negotiations over trade issues become more important than democratic law making? At 200 million euro? At 500 million euro? At 1 billion euro? What is the price of our democracy?’ [Source]
Michael Geist reports that the Canadian government has re-launched its consultation on the Anti-Counterfeiting Trade Agreement. The last consultation was conducted in the spring. The new consultation will be treated as ongoing, meaning that there is no fixed deadline for submissions. The government notes that responses to this consultation may be made available to the public. According to Geist, while it is good that the government is open to public input on ACTA, this new approach raises at least two concerns. First, it has provided no new information about ACTA, effectively asking Canadians to comment on a treaty that they know virtually nothing about (almost all public information comes by way of leaks). Second, the rolling consultation may simply allow the government to claim that it has continuously consulted the public, while knowing that the response will be ad-hoc and (by virtue of the lack of information) uninformed. What is needed is more public information about ACTA. Other countries have brought together all stakeholders for more open and transparent discussions about the treaty and the negotiations. Similar open discussions in Canada are long overdue. [Source] [Report on findings of last consultation]
Google’s announcement that it may have found a way to predict U.S. flu trends has led to expressions of concern from some privacy groups. The Electronic Privacy Information Center and Patient Privacy Rights sent a letter last week to Google CEO Eric Schmidt saying if the records are “disclosed and linked to a particular user, there could be adverse consequences for education, employment, insurance, and even travel.” It asks for more disclosure about how Google Flu Trends protects privacy. [CNET]
To address the growing need for a PC security solution tailored to the demands of emerging markets, smaller PC form factors and rapid increases in the incidence of malware, Microsoft Corp. plans to offer a new consumer security offering focused on core anti-malware protection. Code-named “Morro,” this streamlined solution will be available in the second half of 2009 and will provide comprehensive protection from malware including viruses, spyware, rootkits and trojans. This new solution, to be offered at no charge to consumers, will be architected for a smaller footprint that will use fewer computing resources, making it ideal for low-bandwidth scenarios or less powerful PCs. As part of Microsoft’s move to focus on this simplified offering, the company also announced that it will discontinue retail sales of its Windows Live OneCare subscription service effective June 30, 2009. [Source]
More than 12,000 people have been wrongly branded criminals due to mistakes on their criminal records, the government has revealed. A Parliamentary answer reveals that 12,225 people have disputed the results of a criminal record check and had their complaint upheld in the last five years. The number of complaints upheld has risen slightly - from 2,265 in 2004-2005 to 2,785 in 2007-2008 - but over the same time the number of records disclosed has risen from 2.4 million to 3.3 million. [Source]
Every police force in the UK was scouring the leaked British National party membership list for names of serving officers, after the Merseyside force confirmed it was investigating one officer’s links to the far-right party. The Prison Service pledged to oust any employee on the list and far-right supporters spoke of fear for their livelihoods as the BNP was plunged into crisis. Party officials complained that hundreds of members had received threatening or abusive telephone calls within hours of the list being posted on the internet, and feared that the episode could lead to a damaging slump in support and membership. [Source] [Source] [Out-Law: BNP membership data breach: the workplace implications] [Outed supporters face losing their jobs, or far worse] [Death Threats & Sack For ‘Outed’ BNP Supporters] [Far-right UK party’s member list is posted online]
The overwhelming majority of laptop searches at the border turn up no evidence of crime, according to data presented by Deputy Commissioner of Customs and Border Protection, Jayson P. Ahern. At a panel discussion on October 20, Ahern revealed that of the 169 laptops searched at the border in August 2008, only two were seized – a mere 1.4% “hit rate.” Another 10 computers were “detained” for further analysis, such as language translation and decryption, to determine whether they contain evidence of crime. Under Customs’ laptop search policy – first revealed on July 16, 2008 – computers, other digital media, and documents can be searched at the border with no individualized suspicion at all, and can be seized as evidence only when a Customs agent determines that there is probable cause. The policy permits agents to conduct the search without having either evidence of wrongdoing or even approval of a supervisor. It authorizes Customs agents to copy the contents of a laptop or other digital medium and send it to a distant location where persons unseen and unknown to the traveler decrypt and translate data in the laptop, and it permits Customs to “detain” the computer for weeks or for months while this occurs. A 1.4% hit rate means that a very intrusive search is being visited on passengers who have done nothing wrong, and strongly suggests that Customs should re-evaluate its laptop search policy. Indeed, of the two computers seized in August, neither was seized because a search of the computer’s hard drive revealed evidence of crime. One of the computers was outfitted to hold drugs instead of data; the other computer was itself contraband. In other words, all of the searches of laptop data at the border in August 2008 turned up nothing. [Source]
A group of privacy scholars, lawyers and corporate officials have launched an advocacy group to help shape standards around how companies collect, store and use consumer data for business and advertising. The group, the Future of Privacy Forum, which will be led by AOL’s Jules Polonetsky and is sponsored by AT&T, aims to develop ways to give consumers more control over how personal information is used for behavioral-targeted advertising. [Source] [Source] [New privacy group to shape policy]
An Orlando company has been ordered to stop selling keylogger spyware. Cyberspy Software touted its RemoteSpy product as a “100 percent undetectable” means of spying on anyone, from anywhere, the report states. In its ruling, the U.S. District Court said that the company engaged in unlawful acts or practices that had a negative impact on U.S. consumers. The ruling sustains a Federal Trade Commission action of the same nature. Cyberspy has also been ordered to disconnect servers associated with the service. [Source] [FTC Notice on Court Action, November 17, 2008]
The names of nearly a dozen government ministers have been handed to the Information Commissioner’s Office (ICO) for their failure to list themselves on the Data Protection Register. Under the Data Protection Act, MPs who collect, store or use constituents’ personal details must place themselves on the list, the report states. It is expected that the ICO will issue warnings to the ministers in question. Non-compliance could result in fines of up to £5,000. [Source]
The statutory prohibition on assisted suicide did not engage the right to private life protected under article 8.1 of the European Convention on Human Rights. The Queen’s Bench Divisional Court so held when dismissing claims by way of judicial review and under section 7 of the Human Rights Act 1998 by the claimant, Ms Debbie Purdy, for a declaration that the defendant, the Director of Public Prosecutions, had acted contrary to section 6(1) of the 1998 Act in that it was incompatible with her right to private life under article 8.1 for the defendant to refuse to promulgate a policy as to the circumstances in which a prosecution would be brought for aiding and abetting a suicide contrary to section 2(1) of the Suicide Act 1961, in particular where the assisted suicide took place in a country where the practice was lawful. Lord Pannick, QC and Mr Paul Bowen for Ms Purdy; Ms Dinah Rose, QC and Mr Jeremy Johnson for the DPP; Mr Charles Foster for the Society for the Protection of Unborn Children, intervening. [Source]
Following the adoption of the draft law on data retention by the Chamber of Deputies on 4 November 2008, the Romanian President made the final step in adopting the law on 17 November. From now on, it is just a matter of time until the law will be published in the Official Journal and until its entry into force (60 days from its publication date). The Internet-related data will be kept from 15 March 2009. The lack of any relevant debates from both chambers of the Parliament or its commissions was not surprising. It seems that all the parties involved in adopting the law did it only because it was based on an EU directive and the politicians didn’t see any solution to avoid it. [Law 298/2008 on data retention (only in Romanian)] [Draft data retention law file at the Chamber of Deputies (only in Romanian)] [6 months for traffic data retention (only in Romanian, 17.11.2008)] [EDRi-gram: Romanian Govt adopts Data retention law, but calls it inefficient]
The fourth edition of the Big Brother Awards was announced in the Czech Republic in Prague on 14 November 2008. Under the direction of Czech EDRi-member Iuridicum Remedium, the seven worst perpetrators against the right to privacy were awarded. The positive prize was granted to the German Working Group on Data Retention, AK Vorrat. The prizes were chosen by an expert jury from more than seventy nominations submitted by the public. The Municipal Council of the city of Prague received the prize for the Worst Public Agency for the multifunctional chip card it introduced for public transport earlier this year. Although the card is designed to replace all currently available season tickets, it is available only after presentation of an ID and a signed agreement for the processing of personal data. Along with the plans to reintroduce electronic gates in the Prague underground, the possibility to use public transport anonymously slowly diminishes. The award in the category of the Greatest Corporate Invader was granted to AQUER.CZ for its products specifically aimed at devaluing personal privacy by providing full software for complete monitoring of one’s computer activity. Deutsche Telekom AG got the Lifetime Menace prize for the massive data loss it incurred two years ago and willingly ignored until Der Spiegel proved the data concerned were available for sale on the Internet. Until then, Deutsche Telekom AG had not taken any steps to inform its customers about potential threats that could have resulted from its failure to protect the customers’ data. The USA government has again kept its position as world leader in the category of the Worst Snooper among Nations for the bilateral agreements on personal data transfers concluded between the government of the USA and several EU member states in exchange for visa waivers. The agreement with the Czech government is kept secret and will not be subjected to a democratic vote of the Parliament. It raises fears concerning the quality, quantity, as well as protection of the data to be transferred. The electronic road-toll system provided by Kapsch AG for monitoring and regulating the traffic on the country’s highways won the prize in the category of Dangerous New Technology. The original intention to use this system to charge extra fees from transportation entrepreneurs will soon be extended to include every car on the road. Although the Ministry of Transportation claims that anonymity of transport is its priority, it has provided neither guarantees nor any information on how the anonymity will be achieved. In the category Big Brother’s Precept of Law the award was given to the European Commission for its proposal to introduce virtual strip search cameras in European airports. The virtual strip search provides the airport controllers with a detailed picture of the traveler’s body, which is in breach not only of the right to privacy but also of the fundamental principles of human dignity. Mr Rudolf Marek was awarded in the category Boot in the Mouth for the statement in his article on spying in the EURO magazine called “Hon na skodnou nebo paranoia?” (Chasing the Vermin or Paranoia?), which presents the possibility of hidden spying on employees as normal and usual, although it is strictly prohibited by law. At the end, the organizers were pleased to award the group of privacy advocates AK Vorrat the Positive Winston Smith prize for its unceasing endeavor to remedy the critical situation in the field of personal data protection and defense of the fundamental right to privacy, not only within the country of its origin, Germany, but within the whole of Europe. The recent successes of AK Vorrat have proven that its strong mission can mobilize tens of thousands of people who do not hesitate to take part in the process of achieving the vision of the world we all share: a world where Big Brother does not exist.
[Big Brother Awards Czech Republic Official Web Site (only in Czech)] [Big Brother Awards Czech Republic 2007 (in English)]
Child protection authorities may gain access to sensitive information held by the Family Court and Medicare Australia to help locate families with children at risk of abuse and neglect, under recommendations the Federal Government is considering. A report commissioned by the Government has urged work be done to investigate opportunities for sharing information between the states and federal agencies and the Department of Immigration and Citizenship, in time for the Council of Australian Governments meeting in March. But the Minister for Families and Community Services, Jenny Macklin, said privacy issues around divulging sensitive information would have to be considered before any changes were made to allow greater information sharing. [Source]
The most talked-about tech job in government is one that never before existed. On the campaign trail, Barack Obama said he would appoint the nation’s first chief technology officer who would, according to his Web site, help federal agencies use technology “to make government work better.” However, he has given no specifics about the job, leaving the tech community to speculate about the role and who might fill it. [Washington Post]
According to EFF, the past 8 years have seen an increase in government secrecy and a decrease in government accountability. These factors have led to record levels of distrust in government. EFF offers three steps the new leadership should take to begin to restore that trust:
Government standards for accessing data stored in cloud computing applications, in terrorist watch lists and shared among law enforcement and private entities all need to be reassessed and modified to reduce their risks of harming privacy, according to recommendations issued by the Constitution Project coalition of civil liberties and First Amendment organizations. The report, titled “Liberty and Security: Recommendations for the Next Administration and Congress,” suggests executive and legislative actions on immigration, national security, surveillance and privacy. For example, it recommends that the Electronic Communications Privacy Act of 1986 be updated to include privacy safeguards for new electronic services, including protections on distribution of location information for cell phones. In addition, cloud computing, which allows for storage of photos, calendars, address books, and other personal and business information on remote computers, should be examined and privacy standards set, the report said. Cloud computing raises new privacy issues that require clear standards for custodians of this information who receive government requests for access to it, the document added. “Currently, this information is on a weaker privacy footing than the same information when it resides in the user’s computer,” the report said. [Source]
A professor at Texas A&M International University in Laredo was fired Nov. 5 for displaying on his course blog the names of six students accused of plagiarism. Loye Young, formerly an adjunct professor of management information systems, said his course syllabus warned students he would “publicly fail and humiliate” any student caught plagiarizing. This would serve as an additional punishment to the standard university repercussions. Young was fired for violating laws set by the Family Educational Rights and Privacy Act. The act is a federal law that protects the privacy of students’ educational records by prohibiting their release without proper consent. “The university is never going to publish a student’s grades on public Web sites,” he said. “It’s a violation of federal law.” Texas A&M International has a strict policy concerning students who plagiarize on assignments, Keck said. Faculty members can address the situation in several ways, but the university does not condone publicly announcing students’ grades. [Source]
RFID stakeholders around the world are being urged to participate in the European Commission-funded CASAGRAS project by joining its new, free, Global Forum at www.rfidglobal.eu. CASAGRAS is an EU Framework 7 project aimed at promoting international collaboration on RFID standardisation with particular reference to the emerging Internet of Things. Its partners represent the UK, Korea, Japan, China, USA, Germany and France. CASAGRAS would consider how best to meet the global challenges and maximize the opportunities. It would examine global standards, regulatory and other issues concerning RFID and provide a framework of foundation studies to assist the international community to accommodate the issues concerning RFID and the Internet of Things, Smith added. Among the key topics being addressed by CASAGRAS are:
The Defense Department’s geeks are spooked by a rapidly spreading worm crawling across their networks. So they’ve suspended the use of so-called thumb drives, CDs, flash media cards, and all other removable data storage devices from their nets, to try to keep the worm from multiplying any further. In some organizations, the ban would be only a minor inconvenience. But the military relies heavily on such drives to store information. Bandwidth is often scarce out in the field. Networks are often considered unreliable. Takeaway storage is used constantly as a substitute. [Source]
The Ernst & Young 2008 Global Information Security Survey shows that a growing number of organizations recognize the link between information security and a strong brand and reputation. The survey, which canvassed nearly 1,400 senior executives in public and private sectors in more than 50 countries, shows that most believe that a security incident would have a greater impact on reputation and brand than on revenues, with 85% of respondents citing damage to reputation and brand as significant, compared with 72% for loss of revenues. Regulatory sanction is cited by only 68%. Despite tightening economies, the survey indicates that organizations are increasing investments in information security and more organizations are adopting international security standards. More than two thirds (67%) of respondents interviewed say they have now implemented controls to protect personal information. “Overall, the results of this year’s survey are encouraging; however, there are some key areas – such as insider threats, privacy and third-party relationships – that need more focus and investment.” [Source]
The European Commission is shelving plans for airport security checks that would show passengers naked on a scanner screen, condemned by critics as a “virtual strip search.” Opposition to the plan in the European Parliament had threatened to delay a wider airport security proposal that includes dropping an EU ban on liquids in hand luggage, European Commission Transport spokesman Fabio Pirotta said. A number of EU states already use body scanners. Pirotta said they could continue to use them under national legislation. The withdrawn EU proposal would have helped harmonise the conditions under which they are used, he said. [Source]
Visa has introduced a computerised credit card which it hopes will help banks battle fraud. The innovation could force other card issuers and banks to implement similar technology, one data protection expert has said. The credit card features a keypad. Four banks have agreed to trial Visa’s card, which generates a unique, one-use code to verify each transaction. The idea of a one-use number to make sure that the person behind a transaction is the genuine card owner is not new. Some banks currently issue users of online banking with calculator-sized devices to generate unique codes. [Source] [Video demo]
When Jason Jones was arrested in a fatal shooting in the Bronx in May, he told the police that he had been nowhere near the scene. He said he had left work, ridden the bus with some co-workers and cashed his paycheck, and later had taken a subway to see his girlfriend. James B. Dowd, a retired detective working for Jason Jones’s lawyers, found Mr. Jones’s MetroCard in jailhouse storage. Mr. Jones’s lawyers then asked New York City Transit to use the card to trace his movements the night of the shooting. The results supported his account, showing that the card had been used on a bus, and later on a subway roughly five miles from the shooting, just as he had described. With that, and a photograph snapped of Mr. Jones, 26, as he cashed his paycheck, his lawyers argued that it was impossible for him to have committed the crime. Both brothers have been released on bond for now, an unusual step in a federal murder case, while prosecutors say they are continuing to investigate. [Source]
Courts in recent years have been raising the evidentiary bar law enforcement agents must meet in order to obtain historical cell phone records that reveal information about a target’s location. But documents obtained by civil liberties groups under a Freedom of Information Act request suggest that “triggerfish” technology can be used to pinpoint cell phones without involving cell phone providers at all. Triggerfish, also known as cell-site simulators or digital analyzers, are nothing new: the technology was used in the 1990s to hunt down renowned hacker Kevin Mitnick. By posing as a cell tower, triggerfish trick nearby cell phones into transmitting their serial numbers, phone numbers, and other data to law enforcement. Most previous descriptions of the technology, however, suggested that because of range limitations, triggerfish were only useful for zeroing in on a phone’s precise location once cooperative cell providers had given a general location. This summer, however, the ACLU and EFF sued the Justice Department, seeking documents related to the FBI’s cell-phone tracking practices. Since August, they’ve received a stream of documents, including one intended to provide guidance for DOJ employees which explains that triggerfish can be deployed “without the user knowing about it, and without involving the cell phone provider.” The Justice Department’s electronic surveillance manual explicitly suggests that triggerfish may be used to avoid restrictions in statutes like CALEA that bar the use of pen register or trap-and-trace devices – which allow tracking of incoming and outgoing calls from a phone subject to much less stringent evidentiary standards – to gather location data. “By its very terms,” according to the manual, “this prohibition applies only to information collected by a provider and not to information collected directly by law enforcement authorities. Thus, CALEA does not bar the use of pen/trap orders to authorize the use of cell phone tracking devices used to locate targeted cell phones.” [Source]
A mobile location company that lets friends sniff or be sniffed has entered the U.S. market. Useful Networks has teamed up with Sprint to let users follow the movements of family and friends, in detail and with permission, for 25 cents per sniff. Standard text messaging rates apply. “Privacy is the most important aspect of Sniff,” said Useful CEO Brian Levin. The company says users can become “invisible” at any time and are frequently reminded of their privacy status. [Source]
Your green building may also be unexpectedly reflective, as Bank of America discovered when the new energy-efficient windows in some of their Charlotte buildings started blocking cellular phone signals. [Source]
Personal information about employees is more than twice as likely to be compromised in government security breaches than is constituent data, according to an online survey released by consulting firm PricewaterhouseCoopers (PwC) in partnership with CIO and CSO magazines. The survey also found that most governments don’t keep accurate inventories of where their data is stored in their organization. 42% of the public-sector respondents reported that employee data was more likely to be impacted by security breaches than constituent data. Only 19% reported otherwise. Other data from public-sector respondents indicates:
“The organization, first and foremost, needs to perform a risk assessment around this data to determine which data is considered sensitive, or, in some cases, personally identifiable information.” Once sensitivity and importance of data is assessed, organizations can proceed more coherently with protection in mind. [Source]