Privacy News Highlights
21–27 November 2008
Contents:
CA – Minister of Justice Announces Appointment of Assistant Privacy Commissioner
CA – Privacy Commissioners Formalize Cooperation
WW – The Value of Privacy? Make an Offer
WW – Civil Society Participation at the OECD
UK – Revenue in Storm Over Disclosure of Taxpayer Data to Researchers
UK – Ministers Planning to Ban Sale of Addresses on Electoral Register
US – Nevada Governor’s e-Mail Privacy Defended
WW – Facebook Wins $873 Million Case Against Spammer
WW – New Online Service Allows Anyone to Data-Mine
US – IBM Denies Breach of Texas Data Center Contract
EU – France Drops Security Database Over Privacy Fears
UK – Database of Everyone’s Emails and Web-Browsing Habits Delayed
UK – Information Commissioner Seeks Authority to Impose Increased Fines
UK – The UK Does Not Need A Data Breach Notification Law, Says Government
UK – Credit Card Firms to Share Debtors’ Data
WW – Market for Stolen Goods Valued at £184m
NZ – DNA Data Retention “Not Supportable”
US – Healthcare Workers Not Taking Adequate Security Precautions with Data
ID – Indonesia May Tag AIDS Victims
US – Obama’s Cellphone Account Breached by Verizon Employees
CA – PayPal Canada Introduces Security Key to Boost Protection for Online Consumers
UK – £1,000 Penalties for Out-Of-Date ID Details
CA – New Brunswick Bans Facebook During School Hours
US – Jurors Set To Deliberate Over Myspace Suicide Case
WW – SearchWiki: Boon for Google, Bust for Privacy (Commentary)
HU – Constitutional Court Annuls Rules Harming Privacy
US – New Commerce Chair Bodes Well for Privacy, Net Neutrality
US – Oregon: Statewide Movement: Privacy of Concealed Handgun Permits
US – Arizona License-plate Scanning & Mapping Motorists
US – Embedded IDs Now Read at Five Border Crossing Stations
US – NIST Issues Guidelines on Cell Phone Security
WW – PricewaterhouseCoopers Releases The Global State of Information Security 2008
UK – British Government’s Identity Card Plan Begins
CA – “Security-Certificate” Subject Demands Jail not Surveillance
CA – CRTC Launches Public Proceeding on ISP Throttling
CA – CRTC Decision on Bell Throttling Renews Calls for Net Neutrality Protections
US – Senator Probes Privacy Law Over Cellphone Data Breach
US – Chertoff: We’re Closing that Boarding-Pass Loophole
US – Behavioral Surveillance: Effective Counterterrorism or Invasion of Privacy?
US – Security Audit Guidelines to Focus Attention on Frequently Exploited Flaws
The Canadian federal Minister of Justice has announced the appointment of Chantal
Bernier as Assistant Privacy Commissioner (to assist the OPCC in carrying out
her duties and responsibilities under the Privacy
Act). The appointment, effective December 8, 2008, is for a term of five
years. [Source]
Three Commissioners responsible for enforcing three private sector privacy laws in
Canada have signed a Memorandum of Understanding that sets out a framework for
collaboration and cooperation. The offices of the Privacy Commissioner of
Canada, the Information and Privacy Commissioner of Alberta and the Information
and Privacy Commissioner of British Columbia recently formalized their approach
to cooperation in a number of areas: enforcement; policy; public education and
compliance resources; and information sharing. [Source] [Memorandum of Understanding]
New research has been published about consumers’ attitudes on receiving ads and
sharing personal information in exchange for free or discounted mobile
services. The study, conducted by research firm iGR and cellular infrastructure
provider Transverse, asked more than 800 wireless customers detailed questions
about privacy, finding that, despite worry over how their personal information
might be used, overall they are willing to share certain data. About 46% of
mobile users would trade their usage data for discounts on marketer products or
mobile services, as long as the discounts have real value. [Source]
At the OECD Ministerial Conference on the Future of the Internet Economy, the OECD
Secretary General expressed support for an effort to formalize the
participation of civil society in the work of the OECD concerning the future of
the Internet. Now, after several months of drafting and deliberation, the civil
society participants of The Public Voice Coalition have submitted a consensus
proposal to the ICCP OECD Committee for the establishment of the Civil Society
Information Society Advisory Council (CSISAC) for its approval at its meeting
on December 11-12, 2008. Under the Charter, the CSISAC will:
o Engage in constructive input and dialogue with the ICCP Committee about policy
issues of interest to civil society;
o Pursue the agenda set out in the Civil Society Seoul Declaration of 2008;
o Report to civil society organizations about the OECD publications, events, and
policy recommendations of interest to civil society;
o Identify and publicize opportunities for participation by civil society
organizations in the work of the OECD;
o Maintain appropriate communications tools (e.g. content management system,
mailing list, social network platform) that highlight key OECD-ICCP developments
of interest to civil society and facilitate broader civil society participation; and
o Report on an annual basis the accomplishments of the past year and the goals
for the next year.
[The CSISAC Charter] [The OECD Civil Society Seoul Declaration] [The OECD Civil
Society Background Paper] [OECD, “The Future of the Internet Economy OECD
Ministerial Meeting,” June 17-18, 2008, Seoul, South Korea] [“Closing remarks by
Angel Gurría, OECD Ministerial Meeting on the Future of the Internet Economy,”
June 18, 2008] and: [India Hosts the Third Internet Governance Forum]
A year after HM Revenue & Customs lost 25m people’s personal data it is
writing to some taxpayers telling them it will pass on their names and details
to a market research company - unless told not to do so before next Tuesday. [Source]
The sale of addresses off the
electoral register to companies which bombard the public with junk mail could
be banned. The move comes after an inquiry by the Information Commissioner
Richard Thomas and Dr Mark Walport, director of the Wellcome Trust, criticised
the way councils sell millions of householders’ details to direct marketing
firms. Details are used to send out three billion junk mail items a year. The
Walport review said the ‘edited’ electoral roll which is sold by local
authorities in electronic form should be scrapped. The roll contains the names
of anyone who fails to opt out when filling in their electoral registration
card - around 60% of householders or 15 million. It is used by marketing firms
to cross-reference data they hold on us from other sources. The Ministry of
Justice will start a public consultation - the first step towards a ban. [Source]
A newspaper’s lawsuit seeking copies of e-mails between Nevada Gov. Jim Gibbons
and 10 individuals should be rejected because the e-mails aren’t public records
or don’t exist, the attorney general’s office said. State attorney Jim Spencer,
in a brief filed in response to the Reno Gazette-Journal lawsuit, said Carson
City District Judge Bill Maddox can privately review the e-mails on the
governor’s state account that do exist to verify their nonpublic status. [Source]
Last week, the US District Court for the Northern District of California ruled in
favor of Facebook in a spam case, saying that Adam Guerbuez and his company
Atlantic Blue Capital were guilty of violations of the CAN-SPAM Act. Guerbuez phished for Facebook log-in
credentials and then used compromised accounts to send more than four million
spam messages to friends associated with the accounts. The court also ruled that the defendants
must pay Facebook damages of US $873 million; Guerbuez and his co-defendants
are forbidden from accessing Facebook data in the future. [Source]
Roelof Temmingh, a 35-year-old South African electronic engineer, has created a
tool he calls Maltego that lets just about anybody do the kind of data mining
that in the past only fraud investigators, government specialists and hackers
typically could do. Since Temmingh released the first commercial version of Maltego this
past summer, even several national intelligence agencies have made use of the
software, he says. Temmingh’s software scans open data repositories on the Web
and allows users to match the results with their own data. The data are then
graphically depicted. The commercial version of Maltego lets users save these
visualizations in popular data formats like XML so the information can be used
by other programs. The company offers a watered-down version free. Law enforcement,
government and intelligence agencies can apply for a 10% discount. [Source]
IBM Corp. denied that the
company had failed to live up to the terms of the $863 million contract with
the State of Texas to consolidate the data centers of 27 state agencies in
1,300 locations across the state. The letter from the IBM VP for the data
center project, was the latest volley in a back-and-forth exchange with state
officials over IBM’s failure to back up data on some agencies’ servers. The
long-simmering dispute popped into public view last month when Gov. Rick Perry
ordered that work stop on the contract after the loss of critical state data
came to light. The objective of the data center contract is to upgrade and
streamline the agencies’ data storage and protection. [Source]
The French prime minister has issued a decree to scrap a proposed database that
would have tracked citizens, including minors. Dubbed “Edvige,” the database
was intended to help find criminals, but critics were opposed to the degree of
personal information officials intended to collect. The government will develop
plans for a scaled-down security database, instead. [Source]
The Home Office confirmed that the new Communications Data Bill would not form part of
the legislative programme in next month’s Queen’s Speech. Instead, legislation
will only be proposed after a three-month consultation period which starts in
late January. The Government will then reply in the summer, and new legislation
could be proposed for next year’s Queen’s Speech. But that would leave the Home
Office with little time to bring the controversial law onto the statute book
before the general election, which must be held by May 2010. The news of the
delay was welcomed by Opposition parties. Chris Huhne MP, Liberal Democrat home
affairs spokesman, said: “These Orwellian proposals have always been incompatible
with a free country and a free people. They should be scrapped immediately and
permanently.” [Source]
The UK Information Commissioner’s Office (ICO) wants the authority to fine
companies up to 10% of their revenue for violations of the Data Protection Act,
which would match the maximum penalty that can be imposed by the Financial
Services Authority on companies that do not comply with financial regulations.
Presently, the maximum fine the ICO may impose is GBP 5,000 (US $7,366). [Source]
The UK Government has rejected calls for a law that would require significant data
security breaches to be notified to the country’s privacy regulator. It said
that notification to the Information Commissioner should be a matter of good
practice, not law. The announcement came in a Ministry of Justice report on the
Information Commissioner’s inspection powers and funding arrangements. [Source]
See also: [Government announces new law for increased data sharing] and [ICO
to get powers to audit public bodies without consent]
UK payments association APACS has brokered a deal between its credit card issuing
members for them to share a greater wealth of customer information. Up to now
credit card companies have shared data on customers’ balances, credit limits
and whether their payments are up to date. From December, Barclaycard, Capital
One, GE Money, HBOS and MBNA will share data on customer behaviour to get a
better idea on whether a customer is likely to be able to repay their balance.
New data covered by this sharing agreement will include information on the
amount of a customer’s last payment, whether it was only the minimum payment,
changes to credit limits, the extent to which a customer withdraws cash on
their account and if the customer signed up to any promotional deals. APACS
head of card payments Paul Rodford said the new data sharing will enable
lenders to intervene, at an earlier stage, on behalf of those having
difficulties with their debts and ensure they aren’t given further credit. [Source]
Credit card details sold on
the black market could be worth over £57m, according to new research on the
‘underground economy’ released by Symantec. The security vendor monitored the
internet chat rooms and forums where personal information stolen by hackers via
Trojans, phishing attacks and other methods is bought and sold. Symantec found
nearly 70,000 active advertisers selling compromised bank account and credit
and debit card details, email accounts and pirated desktop games. [Source]
Privacy Commissioner Marie Shroff has made recommendations to improve the privacy
protections of a programme that collects and stores DNA samples on newborns.
Since the late 1960s, the Newborn Metabolic Screening Programme has been
collecting such data through infant heel-prick tests to screen for childhood
diseases. The data is stored indefinitely. Ms Shroff says retaining such
personal information could make Kiwis vulnerable to identity fraud and job
discrimination, among other privacy implications. “The status quo, where a vast
collection of blood samples is being held well beyond the expiry of the purpose
for which it was collected, is not supportable,” the commissioner said. [Source]
A survey of 1,000 healthcare workers in the UK and the US found that more than
one-third store sensitive patient data on portable data storage devices,
including laptop computers, Blackberrys and USB sticks. One-fifth of
respondents said they stored data on their personal devices to transport the
information. One-third of those responding said they use passwords as the only
form of data protection. 6% of UK respondents said they use no data protection
at all; in the US, that figure is 18%. Of the UK workers, 56% use strong data
protection methods, including encryption, two-factor authentication, biometrics
and smart cards. Among US respondents, just 23% use strong data protection
methods. [Source]
See also: [Doctors
Slow To Use Online Prescriptions]
Lawmakers in Papua, Indonesia’s largest province, have thrown their support behind a
controversial HIV/AIDS bill requiring some sufferers to be implanted with a
microchip to track their whereabouts. One legislator said by implanting a small
computer chip beneath the skin of “sexually aggressive” patients, authorities
would be in a better position to identify, track and ultimately punish those
who deliberately infect others. Those charged could face up to six months in
jail or a $5,000 fine. A high-ranking U.N. AIDS worker echoed the fears of
Indonesian activists who say the law would be a blatant violation of human
rights. The technical and practical details of the law still need to be
hammered out. But if the proposed legislation gets a majority vote as expected,
it will be enacted next month. Indonesia is the world’s fourth most populous
country and has one of Asia’s fastest growing HIV rates, with 290,000
infections among its 235 million people. [Source]
Verizon Wireless disclosed that several of its employees accessed and viewed
President-elect Barack Obama’s personal cellphone account, and said it planned
to discipline workers for the privacy breach. Verizon said it discovered the
unauthorized account access this week and said it related to an account that has
been inactive “for several months.” The company said it has put all employees
with access to the account on leave, with pay, as it sorts out which of those
workers accessed the account without a justifiable business purpose. Those who
did not have a good reason to view the account will be punished, the company
said. [Source] UPDATE: [Verizon fires workers for spying on Obama] [Obama
Privacy Breach Common, Advocates Say] AND ALSO: [Data “Dysprotection:”
breaches reported last week] See also: [In Pictures: The Year’s Biggest Data
Breaches].
PayPal Canada has announced a new security measure for Canadian e-commerce
enthusiasts. The PayPal Security Key offers members an extra level of
protection in two formats: token and mobile. The PayPal Security Key token is a
portable device that generates a one-time six-digit security code every 30
seconds, providing PayPal users with an extra layer of security. Members use
the temporary code along with their standard username and password to sign in
to their accounts from anywhere in the world. The mobile version uses the same
infrastructure as the token format, but delivers the unique six-digit security
code via text message to the member’s mobile device. Both the PayPal Security
Key token and the SMS security codes are now available to customers in the
U.S., Australia, Austria, Canada and Germany. PayPal does not charge for
delivery of security codes to a mobile device; however, the mobile provider’s
standard text messaging charges will apply. To use the service, customers need
a mobile device and wireless service set up to receive SMS text messages. The
PayPal Security Key is part of the VeriSign Identity Protection (VIP) Network.
[PayPal Security Key] [Source]
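The token described above produces a fresh six-digit code every 30 seconds that is checked alongside the password. The following is an added example, not PayPal's or VeriSign's code: it models that behaviour with the RFC 6238 TOTP construction (HMAC-SHA1 over a 30-second counter), which is an assumption here since the article does not state which algorithm the VIP network uses, and adds the server-side check that makes the code genuinely one-time.

```python
"""Time-based one-time six-digit codes with a server-side verifier.

Added example (not PayPal's or VeriSign's code). Assumes the RFC 6238 TOTP
construction: HMAC-SHA1 over a big-endian 64-bit counter of 30-second steps,
dynamically truncated to six decimal digits. The shared secret below is a
constructed test value (the RFC 6238 test-vector secret), not a real key.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def totp_code(secret: bytes, unix_time: int,
              step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Code for the 30-second window containing unix_time (RFC 6238, HMAC-SHA1)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class SecondFactorVerifier:
    """Server side: accept a code once, tolerating a little clock skew.

    The 'one-time' property is not a property of the code itself: the server
    must remember the last window it accepted and refuse anything at or before
    it, otherwise a code intercepted from an SMS could be replayed within
    its 30-second lifetime.
    """

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps          # windows either side of 'now'
        self.last_accepted_counter = -1       # replay guard

    def verify(self, submitted: str, unix_time: int) -> bool:
        if len(submitted) != DIGITS or not submitted.isdigit():
            return False
        now_counter = unix_time // STEP_SECONDS
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            counter = now_counter + delta
            if counter <= self.last_accepted_counter:
                continue                      # window already consumed: replay
            expected = totp_code(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed secret from the RFC 6238 test vectors.
    secret = b"12345678901234567890"
    code = totp_code(secret, 59)
    verifier = SecondFactorVerifier(secret)
    print(code, verifier.verify(code, 59), verifier.verify(code, 59))
```

The second `verify` call in the demo returns False: the same code presented again within its window is treated as a replay.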
People who fail to tell the UK authorities of a change of address or amend other key
personal details within three months will face civil penalty fines of up to
£1,000 a time when the national identity card scheme is up and running,
according to draft Home Office regulations published this week. The Home Office
made clear that repeated failures to keep an entry on the national identity
register up to date could ultimately be enforced by bailiffs being sent round
to seize property. But yesterday’s detailed regulations to implement the
national identity card scheme make clear that they intend to avoid the creation
of ID card “martyrs”, by levying no penalty on those who refuse to register for
the national identity card database in the first place. The NO2ID campaign say
that in just four weeks in 2005, more than 10,000 people pledged online to
refuse to register for an ID card. “It is possible that refusal could be made a
crime but the government has shied away from that so far. If enough people say
no, it will be impossible,” said a campaign spokesman. [Source]
Students and teachers will no longer face the challenge of continuously changing their
Facebook status updates while in schools in New Brunswick. The Department of
Education has unplugged the popular social networking site from teachers and
students during school hours. A provincewide Facebook ban took effect at the
beginning of this week. The ban stretches from 7 a.m. to 3:30 p.m. Anyone still
hanging around the halls after that is free to view their Facebook accounts.
But that doesn’t apply to personal devices such as BlackBerrys or laptops,
which still have access to all sites. Facebook has already been restricted in
almost half of the departments inside the New Brunswick government. [Source]
Jurors began deliberating whether Lori Drew conspired with her daughter and an
assistant to harass 13-year-old Megan Meier with Internet messages that
allegedly prompted the girl’s suicide. [Source]
Google recently launched SearchWiki, allowing users logged into their Google Account
to customize their search results by re-ranking, deleting, adding, and
commenting on search results. And what do users get in return for providing
this labor to Google? Better results, perhaps. But also some serious privacy
concerns. David Weinberger has revealed how Google’s SearchWiki automatically
displays the user name of other searchers who have voted to increase a page’s
ranking. [Source]
Hungary’s Constitutional Court declared some rules pertaining to criminal records as
unconstitutional and annulled them on Tuesday. In the court’s view, the rules
in question limited the individuals’ constitutional rights to protection of
personal data and informational privacy. [Source]
Henry Waxman’s (D-CA) appointment as chair of the House Energy and Commerce committee
met wide acceptance by privacy advocates who call it a win for consumers.
Waxman’s history of consumer advocacy and his alignment with fellow committee
member Rep. Ed Markey (D-MA), another supporter of online privacy rights, is
expected to bring important privacy protections. The appointment is “terrific
news for consumers,” says Jeff Chester of the Center for Digital Democracy. Of
the Waxman-Markey association he added: “We now will have the dynamic duo for
consumer protection and online marketing.” [Source]
The Umatilla County Sheriff’s Office has joined a burgeoning statewide movement to
keep private the identities of concealed handgun license holders. Sheriff John
Trumbo issued a statement that said a Portland attorney has requested
information about all the people who have concealed handgun licenses. Trumbo
said he refused the request because an Oregon statute allows an exemption to
Oregon’s public records law. “... The statute said if you were getting it for
personal defense, you don’t have to disclose the name and address,” Trumbo
said. “Why would a person need one if it were not for personal defense?” The
sheriff was talking about ORS 192.501(23), which provides an exemption for
“records or information that would reveal or otherwise identify security measures,
or weaknesses or potential weaknesses in security measures, taken or
recommended to be taken to protect an individual, buildings or other property.”
About 2,400 people in Umatilla County have concealed handgun licenses, Trumbo
said. [Source]
Infrared units mounted to the front of Arizona patrol vehicles scan the license plates
of interstate drivers in the hunt for stolen vehicles. Every plate is
photographed, time-stamped, labeled on a GPS map and automatically logged into
an Arizona Department of Public Safety database. An electronic voice alerts
officers to stolen vehicles within seconds after they pass, giving them the
ability to make quick arrests. In a state that routinely ranks among the top
five in the U.S. in auto theft, DPS has scanned more than 1.6 million plates since
introducing its first cameras in 2006, leading directly to 122 felony arrests.
A spokeswoman said discussions about how to regulate DPS plate-reader data are
ongoing. The ACLU of Arizona is concerned about how police technology could
outpace legal standards. “The problem is we really have no reassurance it’s going
to be focused on the bad guys.” Arizona legislators have provided little
guidance on how to regulate the technology since Mesa police pioneered
Arizona’s first plate-readers in 2005. [Source]
Five stations along the U.S. borders with Canada and Mexico are now outfitted with
machines that read RFID-enabled passports and IDs. The Department of Homeland
Security (DHS) says the use of RFID at border crossings will speed processing,
but some fear that the technology leaves travelers open to identity fraud
through “skimming,” where thieves with their own RFID readers obtain information
from the chips. Others fear it opens up society to increased surveillance. DHS
officials say that the chips do not reveal a person’s personal information,
only a code that only border agents can access. [Source]
[New machines scan IDs at border
crossings] [US rolls out ‘Vicinity
RFID’ to check IDs in moving vehicles]
The march of technology has seen personal communication devices evolve into
smartphones and become mini-computers. As the volume of data on these devices
continues to grow, the risk of data theft and security breaches assumes
paramount importance. The National Institute of Standards and Technology (NIST)
has released guidelines (Special Publication 800-124) for mitigating these
risks. NIST recommended that organizations initiate security policies for
mobile devices after conducting a risk assessment and training workers. The
guidelines include disabling unnecessary applications, using authentication to
restrict access, restricting the use of cameras, microphones and removable
media, the use of encryption technology and installation of firewalls,
antivirus and anti-malware programs. [NIST: Guidelines on Cell Phone and PDA
Security (SP 800-124)]
A survey reveals that many organizations still lack coherent, enforced and
forward-thinking security processes; over 40% do not have an overall
information security strategy. [PwC Study]
The British government began its identity card program for foreign nationals this
week—six years after heated debate over whether the costly plan is an effective
tool against terrorism, identity theft and welfare fraud. The program will
start with roughly 50,000 foreign students and spouses of permanent residents
who will receive cards if they qualify for visa extensions. Other foreign
nationals living and working in Britain will not be immediately affected, but
they will eventually need cards as the program is expanded. Officials have not
provided details about the national plan, although airport workers are expected
to need cards next year out of security concerns. The plan has drawn fire from
opposition lawmakers who say it will be costly and unproductive and from
privacy advocates who complain that the British government is compiling an
unprecedented database on British residents. “This is a huge infringement of
our privacy,” said Mairi Clare Rogers, a spokeswoman for the Liberty group. “As
they extend it to more and more people, we will keep repeating our objections.
But the government seems to be plowing ahead, even though the timetable has
slowed down a bit.” She said there is no evidence the cards will be a useful
tool against terrorists. [Source]
An Egyptian who was once Osama bin Laden’s farmer asked federal officials to
return him to a Canadian prison, saying he could no longer handle the 24-hour
surveillance the federal government has him under. In March, Toronto resident
Mohammad Zeki Mahjoub took a taxi to a federal office, complaining that
constant surveillance had brought him to his breaking point. But officials told
him he had committed no crime, nor had he breached a judge’s order, so he had
to go back home and continue living under his strict release conditions. One of
five non-citizens currently deemed a high-level threat under the terms of a
federal security certificate, Mr. Mahjoub is monitored 24 hours a day, seven days
a week. He submits to electronic monitoring inside his house, and when he
leaves, federal agents follow. Jailed from 2000 to 2007, Mr. Mahjoub was
released on the specific condition that he submit to these and many other
measures, all intended to satisfy the state he is not endangering anybody. Mr.
Mahjoub was back before a judge last week, pleading for leniency. Filings,
testimony and arguments before Federal Court revealed the full extent to which
the state is going to keep tabs on him:
o Federal agents have been surreptitiously taking photos of Mr. Mahjoub and other
released ex-detainees. But sometimes the pictures have been snapped outside
their children’s schools or mosques, with innocent bystanders popping up in the
frame.
o The photos, along with every piece of mail Mr. Mahjoub and the others have
received in the past two years, have been scanned and archived in a federal
government database in Ottawa that analysts sift through for clues of anything
suspicious.
o A policy of “eyes on” tracking by federal agents is alleged to be disrupting
family life and privacy to the point where Mr. Mahjoub’s wife, Mona El Fouli,
testified that her recent miscarriage became a matter of federal scrutiny. She
said agents raised a ruckus at St. Joseph’s Hospital, Toronto, after losing
sight of Mr. Mahjoub - who was in the emergency room by her side. Neither the
Canada Border Services Agency nor the hospital would comment.
Defence lawyer Barbara Jackman has asked a judge to order federal agents to be more
covert, so as to minimize the disruption they now cause while overtly tailing
Mr. Mahjoub. The haggling over surveillance is the latest wrinkle in the
conundrum that is Canada’s “security-certificate” process. Closed hearings,
long detentions, and proposed deportations to states that practise torture have
given rise to concerns that have all but paralyzed the program’s original
intent. [Source]
See also: [Social services ‘set up CCTV
camera in couple’s bedroom’]
Having decided that Bell’s throttling of competitor P2P traffic does not violate
existing net neutrality rules, the CRTC has initiated a new proceeding to
examine the issue of ISP traffic-shaping practices more broadly. The CRTC is
seeking more evidence regarding the effects of traffic-shaping and alternative
solutions to network congestion problems. Written comments from the public are
due by Feb. 16, 2009. An oral hearing will be held in July 2009. [Source]
[CRTC
Allows Bell to Continue Internet Throttling]
In a decision that has disappointed many internet users and public interest
groups, the CRTC has found that Bell Canada’s controversial throttling of
competitor P2P traffic is neither anti-competitive nor unjustly discriminatory.
The decision has renewed calls for Canada’s policymakers to protect “net
neutrality,” the principle that all online content and services should be
treated equally without discrimination. [SaveOurNet.ca News Release] [CRTC
denies request to ban Internet ‘Throttling’]
In light of the recent breach of President-elect Barack Obama’s cell phone
records, a senator has sent a letter to the Justice Department asking how many
investigations or prosecutions the department has undertaken for violations of
the Telephone Records and Privacy
Protection Act. Senate Judiciary Committee Chair Patrick Leahy sent the
letter to Matthew Friedrich, acting assistant attorney general, noting that
“data privacy breaches involving the sensitive phone records of ordinary
Americans are occurring with greater frequency.” [CNET]
There’s a hole in airline security big enough to get Osama bin Laden himself onto a
domestic flight, Homeland Security chief Michael Chertoff acknowledges, but
that’s no reason to ditch watch lists or ID checks at the airport, he says.
Chertoff said last week that the government was aware of, and patching, the
so-called boarding-pass loophole, which just came back into the public eye
after a recent Atlantic magazine story where a reporter got through security
using a fake boarding pass. That loophole lets a known terrorist who is on a
government watch list board a plane without needing a fake ID. All
that’s needed is a home computer, a printer and a little skill at HTML.
DHS’s Transportation Security Administration is currently
testing an encrypted 2-D bar code that includes all the information from a
boarding pass and is digitally signed to ensure the data hasn’t been altered. [Source]
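The fix the TSA is testing rests on one check: the pass presented at the checkpoint must carry a valid signature over its own fields, so a pass whose name or flight was edited after issue fails verification. The following is an added example, not the TSA's or any airline's code, that models that check. Assumptions: the field layout and base64 framing are mine, and HMAC-SHA256 under an issuer key stands in for the digital signature the article mentions (the real barcode format is not described in the article).

```python
"""Verifying a signed boarding-pass barcode payload.

Added example (not TSA or airline code). Models the article's point: an issuer
signs the pass fields, the checkpoint verifies the signature and then compares
the signed name against the ID presented. Assumptions: JSON field layout,
base64 framing, and HMAC-SHA256 standing in for a digital signature. The key
is a constructed test value; a real deployment would use asymmetric signatures
so checkpoints hold only public keys.
"""
import base64
import hashlib
import hmac
import json

ISSUER_KEY = b"constructed-example-key-not-a-real-secret"   # assumption
TAG_LEN = hashlib.sha256().digest_size                       # 32 bytes
FIELDS = ("name", "flight", "date", "seat", "pnr")           # assumed layout


def canonical_bytes(fields: dict) -> bytes:
    """Fixed-order serialization so issuer and checkpoint sign the same bytes."""
    ordered = {k: str(fields[k]) for k in FIELDS}
    return json.dumps(ordered, separators=(",", ":"), sort_keys=True).encode()


def issue_barcode(fields: dict, key: bytes = ISSUER_KEY) -> str:
    """Issuer side: payload || tag, base64url-encoded for the 2-D barcode."""
    payload = canonical_bytes(fields)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_barcode(barcode: str, key: bytes = ISSUER_KEY):
    """Checkpoint side: return (True, fields) only if the tag verifies."""
    try:
        raw = base64.urlsafe_b64decode(barcode.encode())
    except ValueError:                      # bad base64 / padding
        return False, None
    if len(raw) <= TAG_LEN:
        return False, None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, None
    try:
        fields = json.loads(payload.decode())
    except ValueError:
        return False, None
    return True, fields


def gate_check(barcode: str, id_name: str, key: bytes = ISSUER_KEY) -> str:
    """Combine the signature check with the ID check the article describes.

    Returns 'ok', 'bad-signature' or 'name-mismatch'. A pass that was edited
    after issue (the printed-HTML loophole) fails the first check; a genuine
    pass presented by someone else fails the second.
    """
    ok, fields = verify_barcode(barcode, key)
    if not ok:
        return "bad-signature"
    if fields["name"].strip().upper() != id_name.strip().upper():
        return "name-mismatch"
    return "ok"


def tampered_copy(barcode: str, new_name: str) -> str:
    """Negative test case: change the name but keep the original tag."""
    raw = base64.urlsafe_b64decode(barcode.encode())
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    fields = json.loads(payload.decode())
    fields["name"] = new_name
    return base64.urlsafe_b64encode(canonical_bytes(fields) + tag).decode()


if __name__ == "__main__":
    # Constructed sample pass.
    sample = {"name": "JANE DOE", "flight": "XY123", "date": "2008-11-25",
              "seat": "12A", "pnr": "ABC123"}
    bc = issue_barcode(sample)
    print(gate_check(bc, "Jane Doe"))                       # ok
    print(gate_check(tampered_copy(bc, "JOHN SMITH"), "John Smith"))  # bad-signature
```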
Some experts say more study is needed to determine whether a “behavior detection”
program currently in place at 150 U.S. airports is effective. The program seeks
to identify terrorists or potential terrorists using “behavior detection
officers,” who patrol the airports looking for suspicious behavior. Since the
program began in 2006, Transportation Security Administration (TSA) officers
have identified 160,000 passengers for further scrutiny, resulting in 1,266
arrests. The TSA plans to expand the program over the next year, but some
question the value of the program. A report issued last month by the National
Academy of Sciences said that behavioral surveillance has “enormous potential
for violating privacy.” [Source]
See also: [U.S. air security called ‘Kafkaesque’]
The Consensus Audit Guidelines (CAG) will enable federal agencies to focus their
security expenditures on fixing the vulnerabilities that are most frequently
exploited, before addressing those that are more hypothetical, and to enable
agency inspectors general to verify that the most important problems are fixed
first. Concentrating resources on known security flaws will improve the value
of the current certification and accreditation process mandated by the Federal
Information Security Management Act (FISMA) by ensuring the right things
are being measured. The group developing the CAG, led by John Gilligan, who
served as CIO of both the Department of Energy and of the US Air Force, is
composed of experts from the key federal agencies involved in computer network
attack and cyber intrusion investigations as well as their counterparts in the
commercial world who do penetration testing and incident response for banks and
other victims. The idea behind the initiative - one that also led to the
Federal Desktop Core Configuration - is that “defense should be informed by
offense.” [Source]
The Commonwealth of Massachusetts has become the first state in the U.S. to enact
data privacy and security standards and regulations. The Massachusetts Office
of Consumer Affairs and Business Regulation decided on having comprehensive
methods to ensure that businesses are taking steps to safeguard personal
information about Massachusetts residents. The purpose of the new regulation is
to protect against unauthorized access or use in a way that creates a risk of identity
theft or fraud. This can be achieved by ensuring minimum standards in
safeguarding personal information consistent with industry standards which will
protect against anticipated threats or hazards to the security and integrity of
the information. The new regulation prescribes the minimum standards that are
to be implemented. Although it was initially announced that the rules would
come into effect from January 1, 2009, this was subsequently postponed to May 1,
2009, consistent with the Red Flag rules of the federal regulators. The new
law, dubbed the “Standards for The Protection of Personal Information of
Residents of the Commonwealth”, charges every person owning, licensing, storing
or maintaining personal information about a Massachusetts resident to develop,
implement and monitor a comprehensive, written information security program for
any record containing personal information. The new law establishes a wide
spectrum of duties upon the record holder such as risk identification,
developing security policies, imposition of disciplinary measures and
preventing access by personnel unless specifically authorized. Minimum data
collection, annual audits and security breach documentation also feature in the
new rules. The new law will result in companies installing firewalls to protect
personal data and encrypting them whenever transmitted or saved on a portable
device like laptops or flash drives. Also, as some companies may prefer a
singular approach to ensuring data privacy and security, they may choose to
implement nationwide policies. A violation of such law may also lead to a jury
trial in addition to the imposition of penalties. Additionally, the
Massachusetts law may serve as a model state privacy law. Although many entities
have been clamoring for a single federal privacy law, such a federal law may end
up pre-empting better and more robust state privacy laws, unless it explicitly
states that it establishes a minimum national baseline and leaves the states to
provide better or higher standards in data privacy or security. [Standards for
The Protection of Personal Information of Residents of the Commonwealth (201
CMR 17.00)] [201 CMR 17.00 Compliance Checklist] [FAQs regarding 201 CMR 17.00]