Biometrics

IS – Israel MKs Pass Controversial Bill to Set Up Biometric Database

The Knesset passed a bill to establish a biometric database that might require all Israelis to have a chip installed in their ID cards and passports with their fingerprints and facial scans. The bill passed by a large majority in second and third readings following a prolonged debate and after its original version had been modified. The new law postpones the controversial database for two years, during which a partial database will be set up to give the state time to examine ways of safeguarding the information. uring those two years, only people who agree to have their details on a chip would receive “smart” ID cards and passports. After that, the interior minister would be able to apply the law to all citizens or extend the probation period by another two years. If after four years it is decided not to implement the law in full, the entire biometric database would be deleted. Under the original bill, all citizens’ fingerprints and facial scans were to be stored in the database. It said ID cards and passports that were updated as “smart” documents would significantly reduce forgery. The database was supposed to help solve crimes, but amid sharp criticism by human rights groups and fears that sensitive information might leak to criminals or Israel’s enemies, a ministerial committee was set up to hammer out the compromise. The main fears were that criminals could access the database and plant false biometric information at crime scenes, or that countries could expose the identities of Israeli secret agents. MK Meir Sheetrit, who initiated and spearheaded the bill, said that strict security precautions would be taken to prevent leaks. He said the facial-scan data would be kept separately from the fingerprint data. [Source]

US – Coke Tries Facial-Recognition on Facebook

Coca-Cola wants you to know that Coke Zero is a lot like Coca-Cola Classic. It believes this so strongly that it’s willing to do something unusual to drive the point home, like introducing you to your own doppelganger. Enter the Facial Profiler. The Profiler is a new Facebook application that lets members upload photos of themselves and match them with a similar-looking Facial Profiler user. The idea is that you can find your mirror image, just the way Coke has found its reflection in Coke Zero. The app, which launched this week, has been soliciting submissions to build a database with enough photos to reach critical mass. Once a photo is uploaded, its features are analyzed and rated. Users can then vote on the results, which the developers hope will improve its ratings over time. The software is based on the same kind of technology used by law-enforcement agencies to locate individuals within large pools of people. But according to Alex Burnard, a creative director at Crispin Porter + Bogusky, the ad firm that worked with Coke, the app was modified so that it won’t give an exact match - so users don’t get paired with more images of themselves. The Atlanta beverage giant said it’s aware of the potential privacy concerns that a facial-recognition app could raise. It has been working with Facebook for months to ensure the app follows the site’s privacy rules, a Coca-Cola spokeswoman said, pointing out that it only looks at photos from members who have opted in to the app and will remove their photos if they uninstall it. Facial Profiler users will be able to reach out to their lookalikes through friend requests, but Coke admits it doesn’t quite know how members will use it. Mr. Burnard, who has watched members’ reactions when they find their matches, said it introduces “a new social dynamic” that people haven’t dealt with before. He wondered, “Are you going to find five of you and start a men’s basketball league?” [Source]

WW – Google Blocking Facial Recognition Component of Goggles Image Search Service

Google is blocking the facial recognition component of its Goggles image search service in the wake of privacy concerns. Goggles allows users to take a picture of an object with their smart phones and then uses the Google database to try to match the object - it has the most success with landmarks, artwork and books. A Google executive said that “Until [the company] understand[s] the implications of the facial-recognition tool, [it has] decided to block out people’s faces.” Goggles is available only on mobile devices that use Google’s Android operating system. [nzherald] [DailyMail]

Canada

CA – Canada’s Chartered Accountants Update GAPP Guide

The Canadian Institute of Charted Accountants has officially launched its updated privacy principles guide. The organization was motivated by portable computing devices and the steady increase in data breaches. The expansion of the Generally Accepted Privacy Principles (GAPP), which is jointly drafted by both CICA and the American Institute of Certified Public Accountants, is the first update to the privacy guide since 2006. The additions to GAPP, which can be found on CICA’s Web site, include guidance and best practices to securing portable devices, strategies behind mitigating the risks that come with a data breach, and how to maintain effective privacy controls. The criterion needed to destroy and dispose personal information is also covered in the guide. Other recommendations include at least annually identifying new or changed risks to personal information, a requirement to identify the third parties which might be handling the data, restrictions against personal data in systems and process testing, and the development of a privacy awareness program. CICA said the principles are aimed at chief privacy officers, business executives, compliance officers, legal counsel, and accountants offering technology and IT services to the enterprise. [Source]

CA – Privacy Commissioner Issues Statement on Privacy and the 2010 Olympics

The Office of the Privacy Commissioner of Canada has issued a Statement of Surveillance, Security and Privacy on the Vancouver 2010 Olympic Winter Games. The office is asking the City of Vancouver, the Province of British Columbia and the Government of Canada:

· to moderate the escalation of security measures for Vancouver 2010 and to strive to respect the true spirit of the event;

· to be as open as possible about the necessary security and surveillance practices and rationales

· to withdraw temporary bylaws that restrict Charter rights of freedom of speech and assembly;

· to work constructively with the Provincial and Federal Privacy Commissioners;

· to respect the rights of all individuals and groups, whether they be local people or visitors, and pay particular attention to the impacts on vulnerable people;

· to conduct a full, independent public assessment of the security and surveillance measures, once the Games are over, addressing their costs (financial and otherwise), their effectiveness, and lessons to be learned for future mega-events.

· not to assume a permanent legacy of increased video surveillance and hardened security measures in the Vancouver/Whistler area, and to have full and open public discussion on any such proposed legacy. [Source] SEE ALSO: [Privacy watchdog ‘understands’ police visits to Olympics critics]

CA – Alberta Health Board Cleared in Records Breach

The Alberta privacy commissioner has found that the province’s health board had reasonable security measures in place when a virus targeted a computer network in July, potentially affecting the personal health information of thousands of people. “AHS [Alberta Health Services] had an anti-malware system, firewalls and an intrusion detection system in place. In my opinion, these are reasonable controls to protect health information against malware,” report author Brian Hamilton writes. “I noted some areas for improvement ... but it is important to understand the HIA [Health Information Act] holds custodians to a standard of reasonableness, not perfection.” The virus was a Trojan horse program known as “Coreflood.” It targeted Alberta Health Services’ Edmonton computer network and captured information from some clients’ Netcare electronic health records and transmitted them to a external server. After notifying the public about the incident on July 8, AHS sent letters to 11,582 people whose information might have been compromised by the virus between May 14 and May 29. That move was praised by Hamilton in his report. [Source] See also: [Shredded patient records deliver a gift-wrapped data breach] and [Houston hospital district fires 16 over privacy violation] AND ALSO: [BC gov’t breach calls for an independent inquiry] AND [ITRC Report: Many More Government Records Compromised in 2009 than Year Ago]

Consumer

US – Terms of (Ab)use: Are Terms of Service Enforceable?

In the first of a series of white papers on Terms of Service (TOS) issues, the EFF has released The Clicks That Bind: Ways Users “Agree” to Online Terms of Service. The paper aims to answer a fundamental question: when do these ubiquitous TOS agreements actually become binding contracts? We discuss how courts have reacted to efforts by service providers to enforce TOS, and suggest best practices for service providers to follow in presenting terms to a user and for seeking his or her agreement to them. The white paper examines both clickwrap agreements-whereby service providers require the user to click an “I Agree” button next to the terms-and browsewrap agreements-whereby service providers try to characterize one’s continued use of the website as constituting “agreement” to a posted set of terms. While neither method automatically creates enforceable contracts, some presentations may still be upheld even if the user never actually reads and understands the terms. The key is whether the service provider allows the user reasonable notice and opportunity to review the terms before using the website or service. Of course, just because a TOS creates an enforceable agreement, does not mean that every provision of the TOS will be enforced by a court. In their next white paper, EFF will examine which particular provisions are most unfair to consumers, including provisions that have aroused the skepticism of courts and regulators. [Source]

WW – Yahoo Introduces Ad-Preferences Manager

This week Yahoo launched a new page on its site that tells visitors just what it thinks of them. This “Ad Interest Manager” lists the data that the Sunnyvale, Calif., company has gathered about you for advertising purposes – your perceived interests, your usage habits at Yahoo’s own sites and some technical data about your computer – and lets you correct some of that information or opt out of its tracking altogether. As the company explains in a blog post, the idea is to dispel some of the mystery of online advertising: In this move, Yahoo is following the example of Google, which launched a similar “interest-based advertising” ad-preferences page in March. [Source]

US – Interactive Advertising Bureau Launches Privacy Education Campaign

A group of leading Internet publishers and digital marketing services have launched an online campaign to educate consumers about how they are tracked and targeted for pitches on the Web. The Interactive Advertising Bureau, based in New York, unveiled its “Privacy Matters“ Web site. The site explains how Internet marketers track where people go and what they do online and then mine that data to serve up targeted ads. The practice, known as behavioral advertising, has raised concerns among privacy watchdogs and lawmakers in Congress. A number of IAB members plan to run banner spots on their Web pages linking back to the Privacy Matters site. Those include Internet-only players such as Yahoo Inc. and Google Inc. and traditional media outlets such as Walt Disney Co. and The New York Times Co. The goal of the program, explained IAB Senior Vice President David Doty, is to describe “in plain English” how online advertising works. Among other things, the Privacy Matters Web site offers explanations of demographic targeting, interest group targeting and data-tracking files known as cookies. The site also informs consumers how they can control the information collected about them by changing their cookies settings. The new campaign is part of a broader self-regulatory push by the Interactive Advertising Bureau and other advertising trade groups that want to head off federal regulation. [Source] [Privacy Measures Ramp Up As New Regs Loom]

E-Government

US – Obama Promotes New Open Government Initiative

U.S. government agencies must publish their information online in “open formats,” under a new open government plan released by U.S. President Barack Obama’s administration. Agencies, to the greatest extent that is practical, should publish their data online in an open format that can be “retrieved, downloaded, indexed, and searched by commonly used web search applications,” wrote Peter Orszag, director of the Office of Management and Budget (OBM) in an 11-page memo released this week. The Obama administration’s Open Government Initiative also requires U.S. agencies to preserve and maintain electronic information, and it calls on them to proactively release data using modern technologies, instead of waiting for Freedom of Information Act requests from the public. “The three principles of transparency, participation, and collaboration are at the heart of this directive,” Orszag wrote in a blog post. “Transparency promotes accountability. Participation allows members of the public to contribute ideas and expertise to government initiatives. Collaboration improves the effectiveness of government by encouraging partnerships and cooperation within the federal government, across levels of government, and between the government and private institutions.” Federal agencies must set up open government Web pages within 60 days, publish three “high-value” data sets online within 45 days, and publish a plan on improving transparency within 120 days. Members of the Obama administration will create an open government dashboard designed to track open government progress within 60 days, Orszag said in the memo. [Source] See also: [NZ Privacy Commissioner to Civil Service: do more to protect privacy]

US – Legislators Want to Keep TSA Document from Being Reposted

US legislators have sent a letter to Department of Homeland Security (DHS) secretary Janet Napolitano asking if there are legal remedies to prevent a leaked Transportation Security Administration (TSA) document from being reposted to the Internet. The airport passenger screening procedures document was posted to the Internet with inadequate redaction; when the problem was detected, the document was removed, but not before other people made copies and reposted it to other sites. The legislators also asked Secretary Napolitano if the DHS is considering establishing rules to prohibit reposting to prevent similar issues in the future. [CSOOnline] [FAS] [TSA Screening Management- Standard Operating Procedures – May 28, 2008]

US – TSA Employees on Administrative Leave Following Information Leak

The US Department of Homeland security (DHS) has put five TSA employees on administrative leave following the leak of confidential information on the Internet. A manual for document airport passenger screening procedures was posted to a government procurement website without sensitive information properly removed. The document has been removed from that site, but copies still exist. The incident is under investigation. [eWeek] [WIRED] [ComputerWorld]

US – EFF Suing Govt Agencies for Information on Social Networking Site Surveillance

The Electronic Frontier Foundation (EFF) and the University of California, Berkeley’s Samuelson Law, Technology, and Public Policy Clinic are suing six US government agencies that failed to respond to Freedom of Information Act (FOIA) requests regarding their use of social networking sites in their investigations and surveillance. Law enforcement agencies are reportedly using phony profiles to trick users into allowing them to be online friends and then using evidence gathered from the profiles in cases against them. The FOIA requested records “about federal guidelines on the use of social-networking websites ... for investigative ... or data gathering purposes created since January 2003.” [CNet] [TheRegister] [InformationWeek] [ComputerWorld] [NYT Opinion: Government Monitoring Social Nets for Miscreants] [Suit wants details about cops’ online probes] [EFF Complaint]

US – Sequoia Releases eVoting System Source Code

Sequoia Voting Systems has published the source code for its Frontier end-to-end electronic voting system, making it the first electronic voting machine maker to do so. The company plans to release code for all of its system software before June 2010. Electronic voting machine makers have previously insisted that publishing their source code would violate their proprietary rights and make it easier to manipulate election results. Sequoia announced its plan to release the code earlier this year. [TheRegister] [WIRED] SEE ALSO: [New N.Y. voting system raises privacy concerns]

E-Mail

US – 2 Million Bush White House eMails Recovered

Technicians have recovered about 22 million emails that the George W. Bush administration had claimed were missing. The National Security Archive at George Washington University said the errant messages were “mislabeled and effectively lost.” The emails are not likely to be made public for several years. The email problem has its origins in the 2006 firings of federal prosecutors across the country. When Congressional committees asked for documents related to the decisions and the actions, the Bush White house said the messages had been lost from servers. The missing emails were retrieved as a result of lawsuits filed by the National Security Archive and Citizens for Responsibility and Ethics in Washington. [NYT] [CNN] [Source] SEE ALSO: [US fines NZ spammer US$15.15m]

Electronic Records

US – Health IT ‘Beacon Communities’ to be Funded by Health & Human Services

The U.S. Department of Health and Human Services (HHS) is dedicating a total of $220 million in grants to support test cases for health-care IT and data exchange within 15 communities, the department announced this week. The initiative, called the Beacon Community Cooperative Agreement Program, will build infrastructure for health IT, and will implement privacy and security measures for the health-care information that is exchanged, HHS Secretary Kathleen Sebelius and Dr. David Blumenthal, the department’s national coordinator for health IT, jointly announced in a press release. The participating communities have not yet been named. Cooperative agreements will be awarded to 15 nonprofit or government entities chosen to reflect geographic diversity, according to the HHS. [Source] See also: [Review of Fed. AG’s Report on Canada Health Infoway]

AU – Security for Australian E-Health Data

Insurance companies and employers will be locked out of Australia’s national health database planned to start next year. Medical researchers and health bureaucrats will be given access to the database, which could include a patient’s clinical history, prescriptions, address and birthdate. Every newborn, as well as every Australian holding a Medicare card or Veterans Affairs card, will automatically be allocated a “healthcare identification” number that privacy groups have branded a de facto national ID card. [Australian IT] SEE ALSO: [Can Electronic Medical Records Be Secured?]

CA – IBM Secures C$22.5 Million EHR Deal with Government of Manitoba

In a step towards facilitating the delivery of quality, efficient and cost-effective patient care across the province of Manitoba, the Government of Manitoba has roped in IBM Canada, to develop an interoperable electronic health record system (EHR). The design and development of the EHR system is in progress, and the deployment is expected to happen in 2010. The project is fund-supported by the Canada Health Infoway and Province of Manitoba. [Source]

Encryption

WW – Cloud Cracking Service Steals Wifi Passwords in 20 Minutes

For US$34, a new cloud-based hacking service can crack a WPA (Wi-Fi Protected Access) network password in just 20 minutes, its creator says. Launched this week, the WPA Cracker service bills itself as a useful tool for security auditors and penetration testers who want to know if they could break into certain types of WPA networks. It works because of a known vulnerability in Pre-shared Key (PSK) networks, usually used by home and small-business users. To use the service, the tester submits a small “handshake” file that contains an initial back-and-forth communication between the WPA router and a PC. Based on that information, WPA Cracker can then tell whether the network seems vulnerable to this type of attack or not. The service could save security auditors a lot of time, but it will probably make it easier for senior management to understand the risks they’re facing, said the CEO of a penetration testing company. “When I show this to management and say it would cost $34 to crack your WPA password, it’s something they can understand,” he said. “That helps me a lot.” [Source]

US – NIST Issues FIPS 140-3 Crypto Standard Draft for Public Comment

The National Institute for Standards and Security (NIST) has released a draft document, Federal Information Processing Standard 140-3 (FIPS 140-3), Security Requirements for Cryptographic Modules, for public comment. The first draft of FIPS 140-3 was released in July 2007; comments on that draft have been taken into account in drafting the current version. [GCN] [NextGov]

EU Developments

UK – Government Slams Critical Database Report as Opaque, Flawed, Inaccurate

The UK Government has slammed as opaque, inadequate and riddled with factual errors a think tank report that claimed that a quarter of Government databases were operating illegally. The Government has said the report was methodologically flawed. In March independent political reform body the Joseph Rowntree Reform Trust published ‘Database State’, a report which said that 11 of the UK’s 46 databases were almost certainly operating in breach of data protection and other laws. The report assigned each database a status based on traffic lights. Only six of the 46 databases were assigned the ‘green’ status that indicated they worked properly and legally. “In too many cases the public are neither served nor protected by the increasingly complex and intrusive holdings of personal information invading every aspect of our lives,” said the report. “A quarter of the public-sector databases reviewed are almost certainly illegal under human rights or data protection law; they should be scrapped or substantially redesigned.” But the Government has hit back, tackling the report’s conclusions on each database in turn and claiming that the report had an inadequate methodology that rendered the report useless. The Rowntree report contained 10 recommendations for Government. The Government has responded to each. The Rowntree report said that data should only be gathered when necessary and with full consent. The Government was scathing about the recommendation. “It is not clear why the report felt it necessary to make it as it is simply a statement of principle and practice and an accurate summary of the law,” its response says. “The report claims that the vision of Transformational Government is to collect all data about everyone and keep it forever. This is not the case nor is it clear why the report asserts that it is.” The Government rejected the idea of funding all legal challenges to the databases and the proposal that a full review of the databases should be carried out. Its report says that other recommendations, such as establishing the right to access public services anonymously or the deletion of all data after six years, are impractical. The Government did, though, partially accept criticism of the ability of the civil service to procure and manage large and complex systems. “It is accepted that the procurement and delivery of Government IT programmes needs to improve,” says the response. “But it is wrong for the Rowntree Report to imply that nothing is being done about this and the Government is complacent about the need for improvement.” “Insofar as [one recommendation] suggests the need for cultural change in the way Government IT projects are procured and delivered, the Government accepts the needs for this and is taking action to secure it,” it says. [Source] [The Rowntree Report - Database State] [The Government’s response to the Rowntree Report] [Government to review its use of databases as minister admits critics are not always wrong] and [The great ‘big state’ debate]

UK – ICO Launches Online Privacy Code of Practice Consultation

The UK Information Commissioner’s Office (ICO) has launched a consultation for a code of practice for online privacy. The draft document asks that organizations give consumers choice and control over how their personal information is used. It describes what kind of activities the code addresses: collecting information through online application forms; creating profiles of website visitors; collecting data to use in targeted advertising; processing data with cloud computing services; and other types of profiling. The document is designed to help organizations comply with the requirements of The Data Protection Act. The European Commission recently said it would investigate the UK for the way it handled Phorm - a deep packet inspection targeted advertising company that ran trials without web users’ permission or knowledge. The consultation began on December 9, 2009 and runs through March 5, 2010. [SCMagazine] [ComputerWeekly] [Organizations Should Be Proactive And Use Common Sense Approach To Protecting Individual Privacy Online says ICO]

Facts & Stats

WW – Nielsen: More Seniors Becoming Web Regulars

Although those aged 65 and older make up less than 10% of active Web users, a new Nielsen study has found that over the past five years, the number of seniors using the Internet regularly has increased by a 55%. According to Nielsen, there were just 11.3 million seniors actively using the Web in November 2004. Five years, later, there are now more than 17.5 million seniors surfing around. Senior women have picked up the Web faster than men, outpacing men by 6%. [CNET]

Finance

EU – EU Nations Reach Deal to Transfer Bank Data to US in Anti-Terror Probes

EU governments have agreed to allow the United States to access European banking data in anti-terror probes - but only for nine months while they seek a longer-term deal that could allow them see U.S. information. Such a deal would formalize a secret program launched in the wake of the Sept. 11, 2001, terror attacks that skirted Europe’s strict privacy rules. It did that by transferring millions of pieces of personal information from the U.S. offices of the bank transfer company SWIFT to American authorities. Since news of the U.S. anti-terror program broke in 2006 - angering European legislators - American authorities have promised that the information it collects from the databases is properly protected and used only in anti-terror probes. They said “data mining” - or open-ended searching - is strictly forbidden. Overall, the program has generated some 1,450 tip-offs to European governments and 800 to other states - 100 of them from January to September this year, officials said. The interim agreement reached Monday is due to come into force on Feb. 1 and to last for up to nine months. EU Justice and Home Affairs Commissioner Jacques Barrot said the deal was essential to allow the data-sharing to continue while the bloc tries to negotiate a longer-term agreement that would ask U.S. authorities to share banking data with the EU. The European Parliament has been fiercely critical of how U.S. Treasury officials accessed the European operations centres of SWIFT without EU governments’ knowledge or permission. The assembly had asked EU nations to delay approving the deal until after Dec. 1, when the EU’s Lisbon Treaty enters into force, granting the parliament more power to examine negotiations with the United States. German Interior Minister Thomas De Maiziere said the parliament would get the chance to vote on the deal and that it would not enter into force if lawmakers opposed it. [Source] [Council overrules Parliament on banking data deal] [EU clears bank data transfers to U.S.]

WW – Credit Card Fraud Prevention Security Questions are Privacy-Invasive

When Roger Thompson attempted to check out of a London hotel last week, the clerk informed him his credit card had been declined. After contacting his bank, he learned that because he had not informed the bank that he would be traveling, the transaction appeared to be suspicious. The bank eventually cleared the card for Thompson’s use so he could check out of his hotel, but not before a Fraud Department representative asked him a slew of questions to ascertain his identity, including obscure questions about his daughter-in-law that the bank maintains had been obtained from “publicly available information.” [Thompson] [ComputerWorld]

US – PCI Will Toughen Standard in 2010 to Fight ID Theft

Payment card companies have announced that they will toughen security standards for financial institutions, merchants and consumers in 2010 in an attempt to stop the growth of identity theft and other forms of payment system fraud. The Payment Card Industry Security Standards Council, whose members include Visa, MasterCard, American Express, Discover Financial Services and JCB International, is pushing to have a broader group of merchants and service providers comply with the Council’s security standard (PCI DSS). And Visa has announced that it will start moving to universal chip and PIN technology for credit, debit and ATM transactions next year. The industry accepts that it has a serious problem, with criminal activity directed at online payment data growing fast. But there is plenty of debate about whether the self-regulatory moves being made by bodies like the Payment Card Industry Security Standards Council are adequate. [Source] see also: [Study: 81% of organizations subject to PCI DSS non-compliant]

US – Colo. Court: Immigrants Tax Records are Private

The Colorado Supreme Court ruled Monday that authorities violated the constitutional and privacy rights of suspected illegal immigrants when they used tax returns to try and build hundreds of identity theft cases against them. The investigation, dubbed “Operation Numbers Game,” marked the first and only time in the U.S. that authorities used tax returns, which are confidential under federal law, to prosecute suspected illegal immigrants. [Washington Post]

FOI

CA – No Hiding Behind Privacy Act, Bureaucrats Told

The Commons public accounts committee is reminding Canada’s senior bureaucrats that they can’t hide behind the Privacy Act and other statutes when MPs demand documents so they can hold the government to account. In an unusual move, the committee recently tabled a report outlining the constitutional right of Parliament to demand information and how its supremacy trumps all other laws. It recommended the government revamp its policies to reflect this right so bureaucrats understand them and that Justice Department lawyers get “adequate training” and brush up on parliamentary law. The committee’s chair, Liberal MP Shawn Murphy, said he intends to go a step further and send letters to all deputy ministers, reminding them of their obligations as “accounting officers” to comply with parliamentary law and hand over documents and records when demanded by committees to do their work. “Parliament has an unfettered right to obtain persons, papers and records, and this notion of the executive or deputy ministers to black out or decide not to give a document or to provide half documents is not in accordance with parliamentary laws,” Mr. Murphy said in an interview. The committee’s Conservative members, however, issued a “supplementary opinion.” They argued the “public interest needs to be the most important consideration” when committees demand documents. [Source] See also: [BC Supreme Court Upholds BC P.Commish on Gov’t Contracts to IBM]

UK – Secret Evidence on Drugs Policy: Inconvenient Truths – The Economist

According to the The Economist, stretching the law on the disclosure of public documents has been a competitive sport among civil servants ever since the UK Freedom of Information Act was passed in 2000. It requires public bodies to reveal information on request, but provides 23 get-outs, designed to protect secrets that ought to stay under wraps because they threaten national security, personal privacy and so on. The rules are often interpreted in a creative way. Now The Economist has discovered a contender for the most inventive interpretation to date. After thinking about it for nearly two years and trying out various exemptions, the Home Office has refused to release a confidential assessment of its anti-drugs strategy requested by Transform, a pressure group. The reason is that next March the National Audit Office (NAO), a public-spending watchdog, is due to publish a report of its own on local efforts to combat drugs. The Home Office says that to have two reports about drugs out at the same time might confuse the public, and for this reason it is going to keep its report under wraps. This is believed to be the first time that a public body has openly refused to release information in order to manage the news better. The department argues that releasing its internal analysis now “risks misinterpretation of the findings of the [NAO] report”, because its own analysis is from 2007 and predates the NAO’s findings. The argument uses section 36 of the FOI act, which provides a broad exemption for information that could “prejudice the effective conduct of public affairs”. The information commissioner, who polices the FOI act, declined to comment because the case was still open. But his predecessor, Richard Thomas, who stepped down in June, questioned the novel defence. The legality of the decision is also in doubt, after the department admitted that its refusal to release the document had not been approved by a minister, as is required by law. A Home Office spokeswoman called it an “administrative error”. Retrospective ministerial authorisation was being sought as The Economist went to press. Legally or not, the Home Office will be able to hang on to its report for now because the FOI act takes so long to enforce. The commissioner’s office is said to be ready to order the release of the report now. If it does, the Home Office has 28 days to launch an appeal, which could take a year. In the meantime, drugs policy will continue to be shaped—or not—by research that the public paid for but may not see. [Source]

Genetics

US – Minnesota Judge: State Can Take, Keep Biological Samples from Newborns

A judge in Minnesota has ruled the state can routinely collect, analyze, store and retrieve biological samples that include DNA from all newborns even though a state law specifically requires prior written authorization. The decision from County District Judge Marilyn Rosenbaum dismissed a case brought by members of nine families who alleged the state was going beyond what it was authorized to do. Although not part of the lawsuit, Twila Brase, president of the Citizens’ Council on Health Care, has been monitoring the dispute since its beginning, battling the state Department of Health, which reportedly has been taking and warehousing newborns’ genetic makeup for years but not following “written consent requirements.” The group has cited a number of cases in which the state’s genetic privacy act law apparently was ignored, or there was an attempt to ignore it. Brase has warned the collection and assembly of DNA on an entire generation of citizens largely is unnoticed, but such newborn screening “represents the largest single application of genetic testing in medicine.” She’s issued an extensive report on the problem. [Source]

Health / Medical

US – Good News for UMC: Privacy Violations Seldom Punished

In spite of recent revelations that confidential patient information has been intentionally leaked from University Medical Center (UMC) in Las Vegas, the Las Vegas Sun reports that the chances are slim there will be any action taken by federal regulators. Of the 47,632 allegations of HIPAA violations since the law went into effect in 2003, 9,501 were found to be valid, the paper reports. Of those valid complaints, fewer than 20 cases resulted in fines. HIPAA legal expert Kirk Nahra, CIPP, told the Sun, “For the most part, if you make a mistake under HIPAA and acknowledge it, they don’t penalize you.” UMC CEO Kathy Silver notified the FBI of the breach in November. [Las Vegas Sun] SEE ALSO: [Judge Tosses Express Scripts Class-Action: Plaintiffs failed to show direct harm] AND ALSO: [Connecticutt and Arizona State AGs Get Chance to Exercise Their New HIPAA Powers ]

Horror Stories

WW – Number of Records Compromised in Breaches of Government / Military Soars

Although the number of reported data security breaches of US military and government systems has dropped over the last year, the number of records compromised by those breaches has climbed, according to statistics from the Identity Theft Resource Center. During 2008, US government and military organizations reported 110 breaches; so far this year, 82 breaches have been reported. However, the breaches this year have compromised more than 70 million records, while last year’s breaches compromised a total of fewer than 3 million. [GovTech]

UK – MOD Laptop and Encryption Key Stolen

The theft of a laptop computer from the UK Ministry of Defence headquarters in Whitehall has prompted an investigation. The computer was stolen late last month along with an encryption key that could be used to decrypt files. Although it was not specified, the key is likely stored on a USB stick or other security token. Statistics released by MOD indicate that 28 laptops have been stolen from the ministry between January 1 and May 11, 2009; in the last four years, 658 MOD laptops have been stolen. [BBC] [SCMagazine] [InfoSecurity] SEE ALSO: [Royal Navy Investigating Loss of USB Stick]

US – Restaurants Suing Point-of-Sale Vendor After Customer Cards Compromised

Seven restaurants in Louisiana and Mississippi are suing point-of-sale vendor radiant for failing to provide adequate security precautions. The case involves a payment processing program called Aloha that allegedly stored magnetic stripe data in violation of the Payment Card Industry Data Security Standards (PCI DSS). Hundreds of the restaurants’ customers had their personal information stolen as a result. An attorney associated with the lawsuit said a US Secret Service investigation found that Computer World, which is a radiant distributor, violated PCI DSS. [SecureComputing] [AJC]

CA – B.C. Gov’t Releases Details How It Will Conduct Privacy-Breach Investigations

After two weeks of embarrassing revelations about a major privacy breach, the B.C. government yesterday revealed plans for a pair of internal reviews that it hopes will regain the public’s trust. Citizens’ Services Minister Ben Stewart said the reviews, which are due on his desk by the end of January, will examine all aspects of the case. Stewart, who has been under fire for trying to downplay the breach since it became public last month, acknowledged the case has affected all the “hard-working employees” in government. “The reality is that this basically is an issue about trust,” he said. “And we’re really wanting to make certain that we can try and restore that trust. And that’s what concerns me most.” [Source]

Identity Issues

US – U of Denver Panel Recommends You Have a National ID

Cato’s Jim Harper writes: If you have a job, a panel convened by the University of Denver thinks you should have a national ID card. DU’s “Report of the Strategic Issues Panel on Immigration“ says: The idea of a national card for identifying citizens and non-citizens has become the third rail of immigration politics. But in truth, without a means of positive identification, it makes very little difference what immigration policies are adopted because they can’t be effectively enforced. A means of positive identification is essential to prevent the employment of illegal immigrants.” Much hand-waving animates the report. It imagines a card system that is “extremely difficult or impossible to counterfeit.” But that’s a product of how much value your card system controls-the more value, the more effort goes into forging it-and access to employment in the U.S. is worth a lot. The report says nothing about fraud in the card issuance process. Nor does it calculate the expense to the nation’s 7 million employers-many of them small businesses, families, and individuals-for getting card readers. Their proposal to hold employers harmless is an embossed invitation to fraud on the system-unless those inexpensive card readers are also fingerprint or iris scanners. If the system is going to work, someone legally responsible has to verify that the card belongs to the person presenting it. And if you’re going to use biometric scanners, there is a lot of work yet to be done to control error rates. Of privacy concerns, the panel says it listened to “experts and advocates on all sides.” But the advisors listed in the report do not include any privacy expert or civil liberties advocate. They do include an advocate for restrictionist immigration policies, a police chief, a former U.S. attorney, a federal Immigration and Customs Enforcement official, a Colorado state homeland security official, a federal DHS official, a sheriff, the Colorado Attorney General, and a CIA officer. It is unlikely that the one “immigrant rights” advocate addressed the privacy issues for U.S. citizens, much less the technical and data security problems. [Source]

CA – BC’s DL Face-Recognition Software Led Cops to Welfare Breach

New computer technology designed to protect B.C. driver’s licences from fraud and identity theft red-flagged a civil servant last February and led to the discovery of a serious government privacy breach, court documents show. By simply renewing his driver’s licence, the bureaucrat set in motion a series of events that would eventually cost him his job, trigger a police investigation and ensnare the provincial government in controversy, the documents show. The technology was unveiled by Solicitor General John van Dongen when he rolled out B.C.’s new high-tech driver’s licences earlier this year. Among the trumpeted security features was facial-recognition software, which looks at an image and analyzes the size and location of cheekbones, the distance between eyes and other facial characteristics that do not change. ICBC said the technology, which it began using in November 2008, allows the corporation to compare a cardholder’s new photograph to the one already on file, as well as millions of other images in its database. [Source]

US – Feds Secure Access Using PKI

The Canadian government plans to give all federal employees and contractors secure access to IT systems next year using Entrust Inc.’s public key infrastructure (PKI), an official said earlier this week. “PKI certification to employees is being rolled out as we speak,” said Jirka Danek, director general and chief technology officer at Public Works and Government Services Canada (PWGSC). “By next summer every employee will have an identity-based PKI certificate.” PKI works by giving each user a device with a digital signature. The private key is used to sign and the public key is issued by the certificate authority so other authorized users can decrypt and verify the private keys. Danek said it costs $36 per employee per year to administer PKI. The keys used by federal employees and contractors will have three certificates: one for encryption, one for authentication and one for signatures. “One of the drivers was giving employees access to things like their own pension and payroll information,” he said. [Source]

US – Gartner Report Says Two-Factor Authentication Isn’t Enough

A report from Gartner says that two-factor authentication is not providing adequate security against fraud and online attacks. Specifically, Trojan-based, man-in-the-middle browser attacks manage to bypass strong two-factor authentication. The problem resides in authentication methods that rely on browser communications. The report predicts that while bank accounts have been the primary target of such attacks, they are likely to spread “to other sectors and applications that contain sensitive valuable information and data.” Gartner analyst Avivah Litan recommends “server-based fraud detection and out-of-band transaction verification” to help mitigate the problem. [Source] [Source]

Intellectual Property

US – Judge Signs Off on Filesharing Fine, But Rejects Request to Limit Speech

US District Judge Nancy Gertner has finalized a US $675,000 verdict against Boston University student Joel Tenenbaum for illegal filesharing. The lawsuit was brought by the Recording Industry Association of America (RIAA). Judge Gertner made clear in her decision that she feels that the “astronomical penalties” allowed music companies under current copyright law are out of line. She also noted that had Tenenbaum’s defense team narrowed its fair use argument to Tenenbaum’s own activity rather than “mount[ing] a broadside attack that would excuse all file sharing for private enjoyment,” she would have been willing to consider the argument. Judge Gertner issued an injunction prohibiting Tenenbaum from further filesharing, but declined to grant the RIAA’s request to prohibit him from encouraging filesharing, writing that “Although plaintiffs are entitled to statutory damages, they have no right to silence defendant’s criticism of the statutory regime under which he is obligated to pay those damages.” [ComputerWorld] [WIRED] [Boston.com] [WIRED2]

UK – Pub Sued for Patron’s Illegal Downloading on Wi-Fi Hotspot

In a case believed to be the first of its kind, a UK pub has been fined GBP 8,000 (US $13,000) because someone used its Wi-Fi hotspot to download copyrighted content. If the UK’s Digital Economy Bill goes into effect, similar cases could conceivably be prevented. That bill defines Wi-Fi hotspots as “public communications services,” and says that users are responsible for the activity on the connection, not the connection’s provider. The bill is proving controversial, as it would require Internet service providers (ISPs) to monitor customers’ use of their networks. [ZDNet] [eWeekEurope] [v3]

Internet / WWW

WW – Facebook Privacy Changes Draw Mixed Reviews

Facebook’s revamped privacy settings will push more user data onto the Internet and, in some cases, make privacy protection harder for Facebook users, digital civil liberties experts said. While acknowledging that many of the changes unveiled this week will be good for privacy, Electronic Frontier Foundation (EFF) Attorney Kevin Bankston said the social-networking giant is also removing some important privacy controls that it should have kept. Ari Schwartz, chief operating officer of the Center for Democracy and Technology, offered a similarly mixed review. According to him, giving people more control over who sees their individual posts is a good thing, but the new default privacy settings will push a lot more information into the public realm. That “actually has a negative effect on privacy,” he said. Bankston was more forthright in an EFF blog post. “Our conclusion? These new ‘privacy’ changes are clearly intended to push Facebook users to publicly share even more information than before,” Bankston wrote. “Even worse, the changes will actually reduce the amount of control that users have over some of their personal data.” To date, between 15 and 20 percent of Facebook’s 350 million users take the time to adjust their privacy settings. But with the changes unveiled this week, all users will have to go through a privacy configuration wizard to set their preferences. [Source] [EFF: Facebook’s New Privacy Changes: The Good, The Bad, and The Ugly] [Facebook to Roll Out New Privacy Controls To Its 350 Million Users, Kills Regional Networks] [Facebook Promises More Privacy Controls, But Users Want More]

WW – Google Gets Live and Personal

Over the past few days, Google has rolled out a handful of major upgrades to its core Web query product that are designed to make its search engine more immediate and personal for individual users. Google announced it would be adding a new service known as “real-time search” to its search engine, which will incorporate breaking and up-to-the-minute information from news organizations and such social networking services as Twitter and Facebook into search results. Google’s technology will now comb the Web for the latest results on search terms – the real time results will appear on the company’s usual search results page – and by clicking on a new tab labelled “latest results” users will have the option of displaying only live Tweets, blogs and other freshly published Web content on a given subject. The real-time search announcement comes on the heels of Google’s revelation that the company plans to roll out its existing “personalized search” service beyond those users already signed into a Google account to all Google users. Previously, only users who were signed into a Google account, such as Gmail, had access to the service. By accessing information stored in a small file on the user’s computer, known as a “cookie,” Google can access up to 180 days of search activity to analyze the user’s search habits and can tailor search results to their history and preferences. Users will see a “view customizations” link at the top of the search page which will display how Google has customized the search for that user, as well as information regarding how to turn off these personalized features. While the service has raised concerns with some privacy advocates -- primarily because the service operates on an “opt out” basis, rather than requiring user consent – David Fewer, acting director of the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa, said it’s a positive sign any time Google offers greater transparency about its practices and what it knows about its users. [Source] [Source] SEE ALSO: [Google Street View launched in Winnipeg] AND ALSO: [Google Public DNS: What It Means For Your Privacy]

EU – German DPA Concerned About Google Analytics’ Data Protection Compliance

German data protection authorities are investigating whether Google’s web traffic measurement system Google Analytics routinely infringes privacy laws. Several regional authorities, as well as the national Federal Data Protection Commissioner, are investigating whether the use of the system is a breach of web users’ privacy rights unless their permission is obtained. Google Analytics gathers, stores and collates information about website visitors. It tells web publishers how many unique visitors have been to a site, what pages they visited in what order and for how long. Such information is essential for web publishers in the creation of their sites and the management of advertising. While other measurement services are available, Google Analytics has become extremely popular because it is free to use. The data protection authorities in Germany, though, are considering action against those publishers who use the system because it uses unique identifiers of users. Zeit reported that data protection authorities are concerned in case Google combines that information with other details held by it on the owner of that internet protocol, or IP, address from other services it operates such as its search engine or email system. Though Google’s terms and conditions say that it will not tie the Analytics data to other information it gathers, the data protection authorities are reportedly concerned about another clause in the terms and conditions that allows those terms to be modified by Google. [Source]

Law Enforcement

CA – Ontario Police to Scan and Check Thousands of License Plates

Ontario Provincial Police unveiled a new crime-fighting tool that will help catch offenders on the highways. A special camera mounted on three OPP cruisers will make it easier to scan up to 7,000 licence plates per hour. The camera can scan plates that enter its field of view whether the vehicle is parked or moving – even at high speed. Once the image of the plate is captured, it is checked against databases for stolen vehicles and licence plates that are suspended, stolen or expired. OPP Commissioner Julian Fantino made the announcement on the “state-of-the-art” licence plate recognition software at a news conference in Toronto. Not everyone is happy with the new technology. The Canadian Civil Liberties Association (CCLA) acknowledges that licence recognition project will be an efficient tool for the police, but is concerned about maintaining the privacy of drivers. “How long is a person’s information retained by the OPP even after they are cleared as a car of interest,” said Graeme Norton, director of CCLA’s Public Safety project. Ross was unsure of the answer or if the software is capable of recording where a vehicle was seen. [Source]

Online Privacy

WW – User Data Easier Than Ever to Phish on Facebook, New Study Shows

Would you give a complete stranger your email address and date of birth? How about personal information about your friends? If results of a new study on Facebook user behavior is any indication, around half of us would answer “yes” to those questions, depending on how old we are. The study also shows that Facebook users are becoming more lax with protecting their personal data than they were three years ago. What do these results signify in light of recent concerns about user privacy on the world’s largest social network? And now that some user data will be indexed by Google, will users have to adjust what information they share? Sophos created two fake accounts – one for a cat and one for a plastic duck – and went after another 200 Facebook users, this time distinguishing between 20-somethings and middle-aged users. Here’s a snapshot of the information each group revealed. 8 users friended the cat-themed fake account of their own accord, without having been contacted as part of the study; in so many words, these users pretty much volunteered to have their data phished. As Sophos noted, “10 years ago, getting access to this sort of detail would probably have taken a con-artist or an identify thief several weeks, and have required the on-the-spot services of a private investigator.” Apparently, in the 2.0 era, all you have to do is click to send a friend request, and the desire for online popularity and more “friends” makes a phisher’s job easier than giving free candy to kids. [Source]

WW – Facebook Backtracks on Public Friend Lists

It has been a matter of days since Facebook’s new privacy controls went into place, and the company is already making modifications in response to user complaints that they expose too much information. The company has made it easier to prevent people from seeing who users’ friends are. [CNET]

CA – Privacy Commissioner Looks into Facebook Privacy Issues

Two new privacy issues affecting Canadian subscribers of Facebook have drawn the attention of the Office of the Privacy Commissioner, CBC reports. The first is a data gathering application, Contacts, that uploads a user’s contact lists from BlackBerry, Palm and Android 2.0 devices, then supplements the information with data from the contacts’ Facebook accounts. In the process, Facebook has access to contact information of non-Facebook subscribers. While the information is archived on Facebook servers, a company spokesperson told the CBC that “This information is not shared with any other user on Facebook and is not shared with any other third party.” [Source]

WW – Facebook Establishes Safety Advisory Board

Facebook has established the Facebook Safety Advisory Board to address cyberbullying, phishing and other Internet safety issues facing the social networking site’s users. Among the board’s first priorities is to rework the Facebook help site to provide more detailed information and sections tailored specifically for parents, teachers and teens. The board includes Common Sense Media, ConnectSafely, WiredSafety, Childnet International, and The Family Online Safety Institute. [ComputerWorld] [Net-Security] SEE ALSO: [‘Abolish women’s right to vote’: 80,000 Facebook users duped]

US – NY Sex Offenders Purged from Facebook, MySpace

New laws passed in 25 states are making it easier for social networking giants Facebook and MySpace to purge their membership lists of convicted rapists, gropers and child molesters. More than 3,500 offenders registered in New York have been kicked off the two popular Web sites in the months since the state implemented a law requiring sex crime convicts to register their e-mail addresses, as well as their dwellings, attorney general Andrew Cuomo announced this week. Both MySpace and Facebook have long had policies banning sex offenders, and have routinely used state registries in the past to block tens of thousands of convicts from joining. But the task of identifying convicts among millions of users has been both tricky and labor intensive, and the companies said that New York ‘s new law and others like it are streamlining the process. Previously, not every state has kept its data on offenders - usually a list of names and physical addresses - in a form that can be mined easily and automatically by computer. “In some states, when we asked for their list of offenders, they’d fax it to us,” said Facebook spokesman Barry Schnitt. Verifying that a person is actually a sex offender before they are kicked off is also a chore. MySpace has a team of investigators working 24-hours a day, 7 days a week, making sure that people whose names show up on offender lists are who the company thinks they are. That verification process is easier if the sites start with an e-mail address, rather than a brick-and-mortar one, Nigam said. In New York, some 25,000 sex offenders are now required to register their e-mail addresses, as well as any instant-messaging handles or other Internet screen names. To date, 8,100 have supplied that information. New York began making the registration database available to social networking sites this year. So far, Facebook and MySpace have been the only two services to access the data. Since the info became available, Facebook has blocked 2,782 accounts. MySpace has terminated 1,796. Some offenders had accounts on both sites. Cuomo called on similar Web sites to participate in the program, saying “it’s time for all social networking sites to do their part to keep others from being senselessly victimized.” [Source]

WW – Wikipedia Ordered by Judge to Break Confidentiality of Contributor

In the first case of its kind, Mr Justice Tugendhat ordered Wikipedia’s parent company, Florida-based Wikimedia Foundation Inc, to disclose the computer identity, known as an IP address, of one of its registered users. The judge acted after hearing that the mother, who is well known in the business world, had received anonymous letters threatening to disclose to the media details of her professional life and expenses. The mystery Wikipedia user made an “amendment” to the mother’s entry, also referring to her young child, and disclosing confidential and “sensitive” information about them. The businesswoman believes the Wikipedia contributor and the author of the anonymous letters are the same person. The hearing was held in private but the judge published his judgement in open court. He has put a block on the court file so that the businesswoman cannot be identified. He said the mother wanted disclosure of the user’s IP address “in order that she may identify the alleged wrongdoer who has disclosed this private material” and to prevent any further breaches of the privacy of herself and her child. Wikimedia, while stressing it had nothing to do with the amendment, said it would disclose the IP address – but only if ordered to do so – effectively breaching the confidentiality of the contributor. [Source]

Other Jurisdictions

KZ – Kazakh President Signs ‘Privacy’ Law

Kazakh President Nursultan Nazarbaev has signed a controversial law on privacy protection. The law, which Nazarbaev signed on December 8, prohibits any “unsanctioned interference into an individual’s private life,” including the use or acquisition of any written, audio, or video material related to a person’s private life. The legislation has led to protests from journalists, opposition politicians, and human rights activists who say the new law is too general and will be used by authorities to curb opposition media and freedom of speech. Last year, several recorded telephone conversations and transcripts of other discussions between top Kazakh officials were posted on the Internet by Nazarbaev’s former son-in-law, Rakhat Aliev, that suggested political and economic wrongdoing by several government officials. Kazakh authorities said the information had been falsified. Aliev, who has been living in self-imposed exile in Austria since 2007, told RFE/RL that the recordings are authentic. [Source]

Privacy (US)

US – Supreme Court to Review Reasonable Expectation of Privacy in Text Messaging

The US Supreme court will review a federal appeals ruling that the Ontario, California police department exceeded its reach when it accessed and read officers’ personal text messages sent from work accounts. The appeals court also found that the text messaging service erred when it turned over transcripts of the messages without the officers’ authorization. The Supreme Court said it would not hear the text messaging company’s appeal, but would hear arguments in the case against the city. The officers in question said their employer’s informal policy indicated the employer would not monitor their personal messages if the officers paid for any excess use. [Source] [Source] [Source] SEE ALSO: [In study, 1 in 7 U.S. teens say they’re recipients of ‘sexting’ | PEW Internet Report]

US – Judge Dismisses Shareholder Suit Against Heartland

A US District Court Judge has granted a motion by Heartland Payment Systems to dismiss a class-action lawsuit filed by company shareholders. The lawsuit was filed after Heartland disclosed a data security breach that compromised as many as 100 million records. The breach occurred in 2007, but was not detected until later. The suit alleged Heartland made “false and/or misleading statements and failed to disclose material adverse facts about the company’s business, operations and prospects” and that the company’s cyber security measures were “inadequate and ineffective.” Heartland stock lost nearly 80 percent of its value following the breach disclosure. Heartland disclosed the breach in January 2009. Judge Anne Thompson said there was no evidence that Heartland executives were not “paying proper attention to [the company’s] security problems.” [SCMagazine] [PCWorld]

US – N.J. Supreme Court Weighs Travellers’ Right of Privacy in Unclaimed Baggage

A case heard by the New Jersey Supreme Court this week may clarify whether a passenger who doesn’t claim his luggage can assert a Fourth Amendment right against search and seizure of its contents. It’s a question that surprisingly has not yet been answered with a high court ruling, despite the frequency with which situations like the one in this case arise. When Pablo Carvajal got off a bus from Miami in Union City, N.J., he ran into local police who had been tipped that a man matching his description would be carrying a suitcase filled with drugs. Carvajal denied having any luggage, but after the other passengers claimed their own and left, all that remained was a black duffle bag. A drug-sniffing dog reacted positively after smelling it. Without a warrant, the police opened it and found needles, prescription narcotics and a large quantity of heroin. Carvajal then confessed the bag was his and was arrested, but he moved to suppress the evidence as the product of a nonconsensual, warrantless search. Hudson County Superior Court Judge Kevin Callahan denied the motion, saying: “There’s no factual discrepancy here as to whether or not [the bag] was abandoned or not. It certainly was abandoned, and therefore, if it’s abandoned it was not his, so what good would consent do? From all of this and from what I review and the facts, defendant acted consistent with someone who had no ownership rights or interest in the bag even if it was his bag and wanted to convey that to the police. Therefore, that in effect abandons the property. Therefore, no Fourth Amendment right attaches.” “What were the police to do? They can’t ask for consent because he said it wasn’t his bag. They’re allowed to determine what’s in the duffle bag. Are the police expected to ask him over and over again if the bag is his?” Chief Justice Stuart Rabner said Carvajal was in a dilemma. He could claim the bag and a search, backed by a warrant, would have revealed the drugs, or he could deny ownership and a warrantless search would also reveal the drugs. “He was faced with a dilemma, that’s for sure,” said a commentator. “But who created the dilemma? Any dilemma was created by him. He had two options, neither of which was good for him. [Source]

RFID

US – Hi-Tech Labeling of Kids OK in Rhode Island

Governor Donald Carcieri of Rhode Island not only vetoed a bill that would have restricted the use of radio-frequency identity chips (RFID) on school children, he proclaimed in his veto message that tracking children is a great idea. “Why would the General Assembly therefore place restrictions on the use of this technology as an option for all students?” Carcieri, a Republican, wrote. “In certain circumstances, it may be helpful for schools to have the ability to quickly identify where each of their students is located. Such circumstances may include weather-related natural disasters, terrorist or criminal events or even a need for use during field trips and outside school activities.” This is the third time that Carcieri has vetoed a version of RFID privacy legislation. In 2006, lawmakers passed a bill that would have prohibited state and local government from using RFID to track their employees and school children in addition to restricting the use of highway-toll transponder information using RFID technology. The governor made no comment about a part of the bill, S. 211, which specified that the RFID information used in a toll-road transaction could not be considered public information. The bill further clarified that no law enforcement agency could gather or use RFID information without a court order – unless investigating someone for not paying tolls. Courts around the country are split on the question of whether warrantless use of automobile tracking devices is lawful. [Source: Privacy Journal]

WW – E-Fingerprinting System Developed for RFID Tags to Prevent Counterfeiting

A unique and robust method to prevent cloning of passive RFID tags has been developed by engineering researchers at the University of Arkansas. The technology, based on one or more unique physical attributes of individual tags rather than information stored on them, will prevent the production of counterfeit tags and thus greatly enhance both security and privacy for government agencies, businesses and consumers. “RFID tags embedded in objects will become the standard way to identify objects and link them to the cyberworld,” said Dale Thompson, associate professor of computer science and computer engineering. “However, it is easy to clone an RFID tag by copying the contents of its memory and applying them to a new, counterfeit tag, which can then be attached to a counterfeit product - or person, in the case of these new e-passports. What we’ve developed is an electronic fingerprinting system to prevent this from happening.” [Source]

Security

US – Verizon Report Details Top Cyber Attack Vectors of 2009

Verizon Business’s “An Anatomy of a Data Breach“ report lists the top 15 most common cyber attack vectors in 2009. Topping the list are keylogging and spyware; backdoor or command and control malware; and SQL injection. Further down on the list are RAM scrapers, attacks that are designed to seek plaintext data from the random access memory of point-of-sale terminals. They have emerged in the wake of the growing use on encryption in the payment card industry. RAM scrapers are often narrowly targeted attacks because they are often “customized to work with specific vendors’ POS systems.” [SCMagazine] [TheTechHerald] [TheRegister] [Verizon Business report] SEE ALSO: [Yahoo, Verizon: Our Spy Capabilities Would ‘Shock’, ‘Confuse’ Consumers] and [Surveillance Shocker: Sprint Received 8 MILLION Law Enforcement Requests for GPS Location Data in the Past Year]

WW – Report Finds Enterprises Failing to Protect Sensitive Data

Confidential data remains unprotected in many large enterprises, according to a recent survey released by Enterprise Strategy Group (ESG) on behalf of database security firm Application Security. In the second annual survey of 175 IT and information security professionals from North American enterprises with 1,000 or more employees, 40% said most of their data is adequately secured and 11% said some confidential data is secured. 2% percent of respondents said most confidential data is not secured and another two percent said they did not know. The remaining 40% of respondents said they believe that all of their organization’s confidential data is adequately protected. In addition, fewer than half of respondents believed that their existing database security controls provide adequate protection for all databases that contain confidential data, according to the survey. Many organizations have trouble securing databases due to budget constraints and a lack of resources. The ESG survey also found that just 37% of respondents believe they can meet regulatory compliance requirements and ensure the security of confidential or sensitive information at all times. In addition, nearly 30% of organizations surveyed said they have failed a data security compliance audit in this past three years. There are some bright spots to the report: 22% of respondents said their organization has suffered at least one confidential data breach in the past 12 months, compared to 56% of respondents who said the same last year. However, while the number of organizations that were breached went down, the amount of records that were lost rose, Jon Oltsik, senior security analyst with ESG, said in the report. [Source] [Survey Report] See also: [The top five security trends of the next decade: hackers to ‘resemble drug cartels’]

US – Electronic Data Redaction Not Always Effective

The US TSA redacted portions of a screening techniques document, but the blacked-out data could be viewed by cutting and pasting sections of the .pdf document. HSBC Bank is blaming an accidental data leak on a flaw in the imaging software it uses. HSBC Bank says it redacted information from bankruptcy proof-of-claim forms, but when they were viewed online, the redacted information was visible. The bank notified affected customers earlier this fall. [TheRegister] [ComputerWorld]

Smart Cards

EU – Controversial New German ID Cards Coming in 2010

The German Interior Ministry confirmed this week that new identification cards containing radio-frequency (RFID) chips will be introduced starting November 1, 2010 - but some data protection experts are critical of the decision. The information on the card itself will be digitally stored on the RFID chip inside the card, in addition to two fingerprint scans that German citizens can choose to opt out of. The ID will also have a digital signature that can be used to complete official business with government offices and possibly beyond – accessed only by a six digit PIN number. “The citizens choose who they want to give what data to,” Interior Ministry official Hans Bernhard Beus said. But data protection advocates say the RFID chip, which can be detected via radio frequencies from about two metres away without the owner’s knowledge, is problematic despite the fact it has already been incorporated into German passports. Dr. Andreas Pfitzmann, head of the privacy and data security group at Technische Universität Dresden, told The Local on Monday that there is no reason to use RFID chips for identification cards, and that in the worst case scenario, the chips could be used to carry out such things as terrorist attacks. “An extreme example would be that assuming German passports react differently to the radio frequency than American passports, I could use this frequency to set off a bomb where I know there are only Americans or Germans,” he said. Pfitzmann, who specialises in privacy and identity management in Europe, spoke out against using RFID “e-passports” in parliamentary hearings during the late 1990s. He said the new ID cards raise similar concerns. “Unfortunately the technology tempts people to give personal information that shouldn’t be made public to dubious machines,” he said, adding that there was no way to indicate whether a reading machine is officially authorised. “The new identification card has inherited many of the bad traits of the passport.” [Source]

Surveillance

UK – Gov’t Providing £500 Reward for Snooping on Neighbours

People are to be offered rewards of £500 for effectively snooping on their neighbours by alerting the authorities to the illicit use of council houses under a Government scheme to cut fraud. Whistleblowers will be rewarded for successfully identifying council house tenants who are subletting their taxpayer-funded properties. Such homes are used for prostitution, the growing of drugs, illegal immigrants and other illicit activities. It is thought to be the first time that cash rewards have been offered to people to encourage them to snoop on those cheating the benefits system. Ministers may wish to extend the scheme to other benefits if it is successful in catching council house cheats. However, privacy campaigners claimed the payments would create an “army of citizen snoopers”. [Source]

UK – Virgin to Pilot Deep Packet Inspection Anti-Piracy Effort

Virgin Media says it will start monitoring customers’ data packets without their consent in an effort to determine how much illegal filesharing traffic is traveling over its network. Virgin Media will use deep packet inspection technology that anonymizes the data. Prior to scanning the packets, the technology strips the IP address information. Each packet is scanned to see if it follows the BitTorrent, Gnutella or eDonkey filesharing protocols, and if so, it is opened to see if the content is licensed. Data that are encrypted would not be able to be examined. [ZDNet]

UK – Smart CCTV Learns to Spot Suspicious Types

An international team of computer scientists led by the University of London are developing intelligent video-surveillance software designed to spot suspicious individuals for a next-generation closed-circuit television system called Samurai. The system employs algorithms to profile behavior, and it also can account for changes in lighting conditions so it can track people as they move from one camera’s viewing field to another. The system also can learn the probable routes people will take as well as follow targets as they move in a crowd, zeroing in on their distinctive shape, their luggage, and the people they are walking with. The system issues alerts when it spots deviant behavior, and is designed to adjust its reasoning according to feedback from the operator. “The use of relevant feedback from human operators will be a very important part of these technologies,” says Paul Miller of Queen’s University’s Center for Secure Information Technologies. “The key is developing learning algorithms that work not only in the lab but that are robust in real-world applications.” The Samurai team demonstrated a prototype system in November and said the system successfully recognized potential threats that human operators may have missed, using footage captured at Heathrow airport. [New Scientist]

Telecom / TV

CA – Is Someone Intercepting Your Mobile Voice Calls?

The CEO of voice call encryption vendor Cellcrypt said mobile phone users are only now realizing that voice calls are a form of data that can be intercepted. A Federation of Security Professionals member thinks the average user is still willing to take the risk. 79% of organizations recently surveyed reveal their employees conduct confidential conversations over their mobile phones, yet only 18% of those actually have mobile voice call security in place. Simon Bransfield-Garth, CEO of U.K.-based voice call encryption vendor Cellcrypt, said that while a mobile device like a BlackBerry is a secure device unto itself, a voice call is not necessarily secure as it passes through a network carrier’s infrastructure. The study also found that four out of five respondents currently believe cell phones are equally or more vulnerable to interception than e-mail. People have a similar view of the risk to voice calls and e-mails, but because e-mail has been around much longer users have some sort of protection in place.[Source]

US Government Programs

US – FTC Holds First of Three Privacy Workshops

At a US FTC workshop on privacy held on December 7, FTC Chairman Jon Leibowitz said that his agency will examine its enforcement of consumer privacy standards. In particular, the burgeoning industry growing up around online consumer information data has underscored the need to address online privacy concerns. Leibowitz noted that most consumers are unaware of what information is collected about them and with whom it is shared. The next FTC privacy forum is scheduled for January 28, 2010. [ComputerWorld] [MediaDecoder] [Money.com] [FTC to Consider Stricter Online Privacy Rules] [NYT: Groups Far Apart on Online Privacy Oversight] and [Targeting Privacy: What Businesses Need to Know About Online Behavioral Advertising]

US Legislation

US – House Passes Electronic Data Breach Notification Bill

The US House of Representatives has passed HR 2221, the Data Accountability and Trust Act, which would establish national standards and rules for notification following breaches of electronically stored personally identifiable data. Organizations would be exempt from the requirements if they discern no “reasonable risk of identity theft, fraud, or other unlawful conduct.” The new standards would supersede all current state data breach notification laws. A federal law would simplify breach notification processes for organizations conducting businesses in multiple states. In May, EPIC Director Marc Rotenberg testified before Congress, urging lawmakers to strengthen the proposed law by adopting a broader definition of “personally identifiable information” and permitting stronger state laws to remain. The bill now goes before the Senate, which is also considering a similar measure sponsored by Senator Patrick Leahy. [FCW] [Source] [DataLossdb]

US – Bill to Repeal “REAL ID” Turns Sour: Privacy Journal

The Privacy Journal writes: “When it completes work on health-care reform, the U.S. Senate may abruptly turn its attention to a proposal that many pro-privacy activists think creates a de facto national ID card. The Homeland Security Committee has sent to the Senate floor S. 1261, a bill that seeks to create a uniform drivers license. The bill, called PASS ID, was originally proposed by Sens. Daniel K. Akaka, D-Hi., and George V. Voinovich, R-Ohio, as a bipartisan effort to repeal REAL ID, a mandate for a uniform drivers license that has been unpopular among civil libertarians, state motor-vehicle administrators, Members of Congress, and Western Palinists since it was enacted in 2005. But Sens. Susan Collins, R-Me., and Joseph I. Lieberman, IConn., ranking member and chair of the Homeland Security Committee, have tinkered with it so much that the American Civil Liberties Union now calls it as bad as REAL ID itself.. “PASS ID still requires a massive database of personal information and has no consideration for religious objections. It still creates a national ID,” says Mary Bonventre, who is coordinating opposition for the ACLU Technology & Liberty Program. Lieberman has asked Majority Leader Harry Reid to put the bill on a fast track prior to Christmas, possibly as part of a mandatory appropriations bill.” [Source: The Privacy Journal newsletter]

Workplace Privacy

CA – Rising Demand for Criminal Background Checks Raises Alarm

Demand for criminal background checks for employment has ballooned, growing 40% in the last year, the BC Concessionaires, a security organization, said Wednesday. While the organization touts the growth in its business, the background checks have alarmed a leading privacy advocate, who says employers are sometimes needlessly invading people’s privacy. “Is this the type of culture that we want to engender?” said Darrell Evans, executive director of the B.C. Freedom of Information and Privacy Association. “We’re just gradually going toward a society without privacy.” David Loukidelis, B.C.’s privacy commissioner, also noted that employers face the burden of maintaining confidential information. “You’re going to end up with more information than you want,” he said. “And once you’ve collected that information, you’re responsible for making sure it’s not misused or inappropriately disclosed.” Background checks are on the rise in part because of mandatory security licensing for certain professions, said Allen Batchelar, CEO of BC Commissionaires. But the organization has also seen growth in clearance checks among companies that aren’t legally required to perform background checks, he said. For example, construction companies are running criminal background checks on applicants who might be renovating schools because the worker might be around children, Batchelar said. [Source] See also: [Steelworkers call drug testing intimidation] and [When does a hobby become an employment issue?] and [When push comes to legal shove: Ontario employer asked to deal with domestic discord]

US – New Jersey: Privilege in Private E-Mail at Work

In a case that will directly impact how people in New Jersey communicate with their lawyers while at work, the state Supreme Court considered whether e-mails sent through an employer’s system – but via the employee’s personal, web-based, password-protected account – are protected by the attorney-client privilege. At loggerheads in Stengart v. Loving Care Agency are a company’s policy that says employees’ internet use will be monitored and an employee’s perceived expectation of privacy when she used her Yahoo account to speak to her attorney about a pending lawsuit against the company. [Source and full article: Michael Booth, New Jersey Law Journal]

+++