Biometrics

US – FBI: Algorithms for Face Recognition not Reliable Enough

A senior FBI technologist declared last month that after decades of evaluation, the agency sees no point in facial recognition. Speaking at last month’s Biometrics 2009 conference in London, James A Loudermilk II, a senior level technologist at the FBI, outlined the agency’s future biometrics’ strategy. He said that 18,000 law enforcement agencies contribute fingerprints and DNA samples to the FBI’s databases and, at their peak, they submit 200,000+ identity verification queries a day. It’s a big operation, and it’s only going to grow, he said. Under the Next Generation Identification initiative, an irisprint database is likely to be added to the existing fingerprint and DNA databases. Fingerprints are likely to be amplified with friction prints of other ridges, probably palmprints and maybe footprints. Voiceprints are also being evaluated. Anything that can feasibly increase public safety. What will be missing from this mix, however, is facial recognition. Facial recognition would be the killer application of biometrics, Loudermilk told the hundreds of conference delegates, and the FBI would dearly love to be able to use facial recognition in its fight against crime. But it can’t. The algorithms just don’t exist to deliver the highly reliable verification required. This is even though the FBI has been evaluating facial recognition technology since 1963, he said. It didn’t invest then. It’s not investing now. Despite the FBI’s rubbishing of the technology, delegates from other policing agencies and vendors queued up to declare their intention to introduce facial recognition or claim the technology worked. [Source]

EU – Irish Council of Bioethics Report Urges Tight Controls in Use of Personal Data

People are in effect giving up a piece of their bodies when they provide personal biometric data, meaning tight controls are needed to ensure the data is properly used, according to the Irish Council of Bioethics. The council has published a considered opinion, “Biometrics: Enhancing Security or Invading Privacy?“ The substantial document raises important questions about the increased use of biometric data, such as fingerprints, iris scans and voice recognition, as a proof of identity. In it the council expresses serious concerns about how personal biometric information is collected and stored and whether there are sufficient controls on who can have access to it. The increased use of biometric data for comparatively trivial reasons encouraged the publication, according to council director, Dr Siobhán O’Sullivan. It was also because Ireland has a growing number of companies developing biometric technologies, particularly around Dublin’s Digital Hub. “It is a little-known fact that Dublin is the European hub for biometrics,” she said, adding that 10 to 12 companies are already operating here. “Biometrics are put forward as a way of enhancing personal security, but we also wanted to see what the threats were,” Dr O’Sullivan said. “The ubiquity of biometrics begs the question whether any of us can lead truly private lives anymore.” Use of biometrics required the surrender of “pieces of people’s bodies effectively”. While there were situations where biometrics could enhance security, there were worries about its overuse, and its application in situations not commensurate with the potential risk. The compulsory application of the technology was also a concern, she said. “We think that is a very serious issue where there is compulsory application of biometrics.” All Irish passports issued since 2005 carry biometric information, a chip that contains a digitised version of the passport photo. It was impossible to travel to places such as the US now without this biometric data, she said. But it was also in use to control access to buildings and for monitoring employee time and attendance, usually by scanning a thumb print, she said. The Minister for Justice set up a committee 12 months ago to review provisions of the existing Data Protection Act. The council raised questions about the type of information collected and whether the amount collected was actually required, how information was stored and whether there was any inappropriate sharing of that information. It concluded any use of biometrics should be matched to the assumed risk. “We want to see that any system introduced is proportional to the perceived risk involved,” she said. It also suggests there should be a balance between individual rights and those of society as a whole. “The [council] recommends that where the common good is to be used as an explanation for using biometrics, then a detailed justification must be provided.” This was particularly true where its use was compulsory. It argues that information collected should not be shared without cause, should not be held for longer than necessary and when no longer needed should be deleted. Biometrics should also be applied in an open and transparent way so that people understand the consequences of their decision to participate or not. [Source] SEE ALSO: [TURBINE: TrUsted Revocable Biometric IdeNtitiEs project] [priv-ID: Private Identity matching] [Biometric Encryption Q&A] [Biometric Encryption IPC]

Canada

CA – Breach Notification Amendments Introduced, Exemptions Irk Commissioner

The Albertan government introduced amendments to the Personal Information Protection Act this week. Bill 54 modifies the act to include breach notification and data transfer requirements. It also makes an offence the failure to notify the Information and Privacy Commissioner’s office in the event of a privacy breach. Service Alberta Minister Heather Klimchuk said the legislation will “result in better protection for Albertans’ information.” But Information and Privacy Commissioner Frank Work expressed disappointment that certain not-for-profit agencies will be exempt from the new rules. “Many of these organizations collect highly sensitive personal information that should be subject to legislative protection,” Work said. [Source] [Bill 54: Personal Information Protection Amendment Act, 2009 which amends the Personal Information Protection Act (“PIPA”) ] [OIPC News Release]

CA – Full-Body Security Scanners Okayed

The Office of the Privacy Commissioner of Canada has given the okay for airports to begin using the controversial full-body security scanner. The scanner can render a three-dimensional naked image of individuals being scanned at airport checkpoints. Assistant Privacy Commissioner Chantal Bernier said that questions about individual privacy have been successfully addressed and procedural protections are in place. “In our view, these privacy safeguards meet the test for the proper reconciliation of public safety and privacy,” Bernier said. The Canadian Air Transport Security Authority has plans to purchase seven of the scanners, but has not yet determined which airports will receive them. [Source] [Source]

CA – Nova Scotia Launches Probe Into Jury Vetting

The Public Prosecution Service in Nova Scotia is conducting an internal review into whether or not its Crown attorneys have been conducting improper background checks of potential jurors. The review was prompted by a request for information from the Nova Scotia Criminal Lawyers’ Association. The Privacy Commissioner also cited a senior Crown official in Nova Scotia who said it was common for jury lists to be given to police to do background checks -- information “generally not shared with the defence.” In a written response to the lawyers’ association, the director of public prosecutions in Nova Scotia announced that he had initiated an internal review. “I anticipate that our review will ultimately result in a policy statement or practice advice being prepared which will be distributed to our Crown attorneys. A copy of that advice piece will be provided to you,” wrote Martin Herschorn in the letter dated Oct. 20. Mr. Herschorn also imposed an interim directive. It states that if a background check is requested, it should only be to see if an individual has been previously sentenced to more than two years in prison, which would make the person ineligible to serve as a juror in Nova Scotia. [Source]

Consumer

CA – Canadians Worry Less About Online Security: Survey

Fewer Canadians are very concerned about their online security than they were 6 years ago, a marked shift in attitude spawned by increasing reliance on online shopping and bill-paying, a new survey reports. While overall concern about online safety remains the same as it was in 2003 at 80%, the number of Canadians who are “very concerned” has fallen to 34%, a decline of 13 percentage points, according to Ipsos Reid. “As more Canadians bank online, pay bills and purchase products and services, online users clearly see the Internet as being more secure,” said study author Mark Laver. In fact, from two-thirds to three-quarters of Canadians surveyed bank online, Laver said in an interview. “It’s the big unknown success story on the Internet.” That doesn’t mean their worries were gone entirely, however. The number of Canadians who report they are “somewhat concerned” about online safety increased by 11%, Laver said. Age and location were also factors. Online Canadians age 35 or older are “significantly more likely” to be concerned about computer safety: 82%, compared with 72% of those 18 to 34. The study found Ontarians the least likely to be concerned, at 76%. “Concern also declines as household income increases,” the study reported. Laver explained that increasing familiarity — the higher the income, the more online banking — was behind that. [Source]

E-Government

CA – City of Toronto Opens Up Data

While Toronto is already one of the most transparent cities in Canada – publishing all its reports to committee and council ahead of time and putting them on the web – it took a further step by putting its data sets on line. This includes everything from lists of licensed day cares to maps of neighbourhood boundaries. The city took the most commonly requested types of data and put them online, but it is still seeking input on what kind of information it should make available. “More datasets will become available in the future,” a city release stated. “Each new dataset will be reviewed to ensure that the privacy of the public is protected.” Although there are no restrictions on what people can do with the data, there are terms of use, including giving proper credit. For more information on the City of Toronto’s open data website visit www.toronto.ca/open [Source]

US – Privacy Looms Over Gay Rights Vote

The identities of more than 138,000 voters who signed a petition placing a referendum against the legalization of same-sex marriage in Washington State will be shielded from disclosure by those who support the policy. The U.S. Supreme Court last week ruled in favor of a lower court decision ordering Washington’s secretary of state to not disclose the identities of those who signed the petition. Groups that support disclosure say the policy is a necessary part of an open, democratic process; groups supporting petitioner privacy say disclosure would amount to intimidation and an infringement of First Amendment protections of free speech. [New York Times]

US – DHS Publishes Gov 2.0 Privacy Best Practices

The DHS Privacy Office has announced the publication of Government 2.0: Privacy and Best Practices, Report on the DHS Privacy Office Public Workshop June 22 and 23, 2009. [Workshop report] See also: [CIO Council, Information Security and Identity Management Committee (ISIMC), Network and Infrastructure Security Subcommittee (NISSC), Web 2.0 Security Working Group (W20SWG), Guidelines for Secure Use of Social Media by Federal Departments and Agencies, Sept. 2009].

E-Mail

CA – Anti-Spam Bill Passes Committee Without Copyright Lobby Spyware Provision

Bill C-27, the anti-spam bill, passed through the Industry Committee this week with the bill largely intact. Industry Minister Tony Clement was true to his word as the several provisions that would have watered down the legislation were dropped (third party referrals, exceptions for survey companies and self-regulated industries) as was a provision promoted by the copyright lobby that would have permitted unauthorized access to personal computers in certain circumstances. The Liberals on the committee did attempt to introduce several watering down provisions, but each failed. First, the third party referral provision - dropped by the Conservatives - was brought back by the Liberals as Marc Garneau warned that it was important for realtors. The amendment was ruled out of order. Second, a provision to tighten the provision on false subject headers, so that it would only apply in more limited circumstances. The proposed amendment was defeated. Third, the Liberals introduced a provision to limit the scope of spyware to specifically enumerated concerns. It too was defeated. [Source] [UPDATE: The Standing Committee on Industry, Science and Technology recommends a number of amendments to Bill C-27]

US – Facebook Awarded US $711 Million in Damages in Spam Case

A California court has awarded Facebook US $711 million in damages for spam sent through its network. Sanford Wallace accessed Facebook accounts without authorization and used them to send spam to other Facebook users. Wallace has been ordered to pay the damages, but as he has declared bankruptcy, it is unlikely that Facebook will see much of the money. In May 2008, Wallace and a business associate were ordered to pay US $223 million in damages for a similar spam campaign that targeted MySpace users. [Source] [Source] [Source] [Source] See also: [Texas Woman Sues Facebook for Privacy Violations]

Electronic Records

CA – Auditor General: Federal eHealth Initiative Gets Clean Bill of Health

Canada’s national eHealth project has received a generally clean bill of health from the auditor general, escaping the scathing attacks heaped on its cousins in Ontario and British Columbia. But Sheila Fraser’s report to Parliament this week nevertheless found a raft of contracting and reporting problems that have become endemic to the ambitious plan to ensure everyone in Canada eventually has an electronic health record rather than a paper one. Canada Health Infoway Inc. has already received $1.6 billion in federal money since 2001. Another $500 million promised by the Conservative government last January has been put on hold while Health Canada carries out “due diligence” on whether the money will be spent wisely. Fraser lauds the non-profit corporation for progress in the last eight years, including the difficult job of co-ordinating work with provinces and territories, each with their disparate medical systems. Infoway has said it will ensure half the population has an electronic record by the end of 2010, and everyone will have one by 2016. But Fraser pokes some holes in those promises, noting that just because an electronic record has been created does not necessarily mean it will be used. Fraser also says Infoway touted its success in creating electronic health records for 17% of Canadians by March this year - without also acknowledging this was 11 percentage points short of its goal. The report finds fault with the way Infoway hands out contracts. Contracts worth $50,000 or more must be awarded only after a competition, but there have been no restrictions on contract amendments. [Source] See also: [OPC Canada - Privacy In The Time Of Pandemic: Guidance for Organizations]

US – Rhode Island Tracks H1N1 Using Electronic Prescription Data

To help track H1N1 trends, Rhode Island health officials are receiving electronic prescription data to identify outbreaks based on age groups and ZIP codes. The state receives e-prescription data from retail pharmacies through an electronic link with Surescripts, an e-prescriptions network. State health officials view the data, which excludes personal information, to identify increases in Tamiflu prescriptions or other anti-viral medications. Surescripts uses the pharmacies’ data to report how much Tamiflu and other anti-virals are being dispensed to patients and categorizes the information by ZIP code and age group. The reports are sent to the state every two weeks and the data excludes personal information, said Amy Zimmerman, chief of health information technology for the Rhode Island Department of Health. [Source]

US – Government Accountability Office Releases Report on Archiving Public Records

Progress and Risks in Implementing its Electronic Records Archive Initiative. GAO-10-222T, November 5 | Highlights

Encryption

US – First Test for Election Cryptography

An election in Tacoma Park, Md., held this November will be the first to use Scantegrity, a new vote-counting system that uses cryptography to ensure that votes are cast and recorded accurately. Scantegrity’s inventors say the system could eliminate the need for recounts and provide better assurance that an election was conducted properly. Scantegrity allows voters to check online to ensure their votes were counted correctly, and officials and independent auditors can check to make sure ballots were tallied properly without seeing how an individual voted. Scantegrity developer David Chaum says the system uses a familiar paper ballot, which requires that voters fill in the bubble next to the name of their preferred candidate. The ballot is then fed into a machine that scans it and secretly records the result. The difference from other systems is that a special type of ink and pen are used, and when the voter fills in a bubble on the ballot a previously invisible secret code appears. The voter can record the code or codes and check them online later. If the code appears in the online database, the ballot was counted correctly. Every ballot has its own randomly assigned codes, which prevents the process from revealing which candidates a voter selected. Auditors can ensure all votes were counted correctly by comparing a list of codes corresponding to votes and a list of the results. University of Maryland, Baltimore County professor Alan Sherman says Scantegrity is fundamentally better than other systems in regards to integrity, and makes it possible to audit elections with much greater accuracy and certainty. [Source] [Scantegrity]

WW – Serious SSL Vulnerability Found

Two security researchers with PhoneFactor, a provider of phone-based two-factor authentication, said that they had discovered a serious flaw in the SSL protocol, which is used to protect sensitive data in online transactions. SSL, short for Secure Sockets Layer, is used for online banking and for secure e-mail and database access, among other things. Discovered in August and disclosed by PhoneFactor researchers Marsh Ray and Steve Dispensa to a consortium of major tech industry companies and standards groups in September, the vulnerability was slated for disclosure next year, to give affected vendors time to patch their softwareThe vulnerability could allow an attack to conduct a man-in-the-middle attack, whereby he or she could hijack an authenticated SSL session and execute commands. In theory, neither the Web server nor Web browser would provide any indication that the session had been subverted. “Because this is a protocol vulnerability, and not merely an implementation flaw, the impacts are far-reaching,” said Steve Dispensa, CTO of PhoneFactor, in a statement. “All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products. Most users will eventually need to update any software that uses SSL.” [Source] [SSL Hole Cracks Open Secured Web Traffic]

EU Developments

EU – Privacy Experts Gather in Madrid to Hash Out Global Data Privacy Rules

More than 1,000 privacy leaders representing many of the world’s governments have convened upon Madrid this week to discuss international standards for managing and protecting personally identifiable information. The 31st International Conference of Data Protection and Privacy Commissioners, organized by the Spanish data protection agency, began this week, where authorities discussed harmonized data collection standards and the protection of digital medical records, among other topics. In a statement, the conference organizers said: “The lack of harmonized regulations causes difficulties to citizens when it comes to exercising their rights, which benefit from different levels of protection depending on the state in which their data are being processed,” it said in a statement. Participants hope the international standards reached at the gathering will serve as the basis for a universal, binding legal instrument on data protection. [Source][Source] SEE ALSO: [Global Privacy Standards for a Global World - The Civil Society Declaration – 03 November 2009]

EU – EC Passes Telecommunications Data Breach Law

The European Commission this week passed an amendment to the EU Directive that would require telecommunications companies to notify their customers in the event of a data breach. Although the commission refused the urging of the European Parliament to do so in the telecoms reform package earlier this year, Information Society Commissioner Viviane Reding said last week that breach notification is now “firmly on the European policy agenda,” and that the EC would “extend the debate to generally applicable breach notification requirements and work on possible legislative solutions.” Reding cited the recent breach of German social network Schueler VZ, saying it “clearly demonstrates that obligations to ensure protection against data breaches cannot be limited to electronic communications networks alone...” In spite of calls from some parties to extend the amendment’s reach to include other industries, the scope was limited to telcos in order to provide protections for individuals who increasingly do business over the Internet. In a statement of support for the amendment earlier this year, the Article 29 Working Group said, “An extension of personal data breach notifications to Information Society Services is necessary given the ever increasing role these services play in the daily lives of European citizens, and the increasing amounts of personal data processed by these services.” [Source] [EC to Consider Wider Breach Notification Mandate] [Reding’s speech] See also: [US Senate poised to pass national breach-notification law – or maybe not]

EU – European Commission to Consider Additional Data Privacy Rules Next Year

In 2010, the European Commission plans to review privacy and data protection rules in the European Union. While the Commission has a telecommunications package that addresses data breach response, it will also consider new rules that would require organizations to publicly acknowledge data loss incidents. The entities would be required to notify authorities and those affected by the breaches. [Source] [Source]

EU – EU Starts Action Against Britain Over Data Privacy

The European Commission has taken another step in its infringement proceeding over the UK regarding privacy laws. The commission says that Britain has not fully implemented European laws designed to ensure the confidentiality of electronic communications. EU Telecoms Commissioner Viviane Reding said that people’s privacy is a fundamental right. “I therefore call on the UK authorities to change their national laws to ensure that British citizens fully benefit from the safeguards set out in EU law...” The EC sent a formal notice to the UK in April following an inquiry into its handling of citizens’ complaints about ISP behavioral targeting. The UK has two months to respond to this latest action. [Source] [Source] [EC Presses UK on BT’s BT Trial]

EU – US and EU Agree to Common Policies on Data Protection

The U.S. and the E.U. have agreed to treat cybersecurity, cyber crime and data protection as international issues, cooperatively developing polices based on shared values. Mary Ellen Callahan, chief privacy officer of the Homeland Security Department, called the recent joint statement on these principles by U.S. and E.U. officials a major milestone in data protection and data sharing. “The next step is negotiating a binding international E.U.-U.S. agreement based on these common principles to facilitate further cooperation while ensuring the availability of full protection for our citizens,” she said. The pledge is intended to extend ongoing efforts to align U.S. and E.U. policies on transatlantic issues, as Europe updates its human rights policies in the Stockholm Programme, expected to be completed this year. “We would like to take this opportunity to renew our partnership for the next five years,” the statement said. The statement is short on specifics, setting a goal of deepening transatlantic cooperation “in the pursuit of greater justice, freedom and security.” It cites achievements made by the two communities in areas ranging from the exchange of airline passenger information to efforts to close the Guantanamo Bay detention facility, and lays out areas where there is need for continued “balanced, agile, creative and forward-thinking” cooperation, including technology issues. [Source] [Source]

EU – German Federal Employment Agency’s Data Protection Questioned

German citizens whose sensitive personal information is stored on Federal Employment Agency computer systems may be at risk of a data breach. Information security at the agency is insufficient, insiders say, and the problem may allow certain information, including addictions, debts and family issues, to be exposed. Lax security means that 100,000 agency employees have unfettered access to data, a problem that resulted in information on two individual candidates for a television show being accessed more than 10,000 times. “Some of those responsible at the Federal Employment Agency have obviously not grasped” that data protection requires the “highest sensitivity,” said Federal Data Protection Commissioner Peter Schaar. [Source]

EU – New Danish Law Strips Blind of Voting Privacy

A new directive from the Danish Interior and Social Ministry that visually impaired voters must have a council representative present with them in the voting booth has raised the ire of human rights groups, who argue that the new requirement is in violation of both the constitution and the United Nations’ Convention on the Rights of Persons with Disabilities. The rule states that ‘the visually impaired person may themselves choose to have a helper with them in the voting booth, so long as there is also a council representative assisting’. But the constitution ensures the right of all citizens to secrecy during the voting process. And, according to the new requirement, the visually impaired voter must verbally tell the council representative for whom they are casting their ballot. [Source]

Facts & Stats

CA – CRTC Posts Updated Stats on Do-Not-Call

The CRTC has posted updated data on the experience with do-not-call. It reports that as of September 30, 2009, there have been over 7.6 million registrations and 200,000 complaints. The CRTC has 87 active investigations, issued 145 warning letters, 10 notices of violations, and imposed 7 administrative monetary penalties. [Source]

Filtering

US – Congress May Require ISPs to Block Fraud Sites

For the last decade or so, ISPs have been dealing with requests to block access to pornographic or copyright-infringing Web sites, or in China, ones that dare to criticize the government. Now a U.S. House of Representatives bill is taking the unusual step of requiring Internet providers to block access to online financial scams that fraudulently invoke the Securities Investor Protection Corporation, or face fines and federal court injunctions. [CNET]

WW – Researchers Find Shortcomings in Online Privacy Regulations

Researchers from Tel Aviv University (TAU) and the University of Haifa say they have identified shortcomings in security policy that puts the privacy of Israeli citizens at risk, PhysOrg.com reports. Dr. Michael Birnhack of TAU and Prof. Niva Elkin-Koren of the University of Haifa say their study shows that online privacy risks extend far beyond Facebook, and that lawmakers should take note in rethinking national policy. The ways Web sites collect information can be subtle, but over time, the research shows, organizations can compile a detailed “digital dossier” on individuals. “Unless there are specific laws in place, this personal digital information is up for grabs. It can be bought and sold between governments and private companies, which can then conduct data mining and analysis on it and sell the results to third parties,” Birnhack said. [Source] [Paper: Does Law Matter? Informational Privacy and Online Compliance in Israeli Web Sites]

Finance

US – Delaware - Survey: World’s Best Protection for Financial Privacy

The US state has been named the world’s most opaque jurisdiction in a major new survey of financial secrecy Delaware’s top position in the index will be greeted with raised eyebrows in Switzerland, which has just emerged from a bitter two-year legal dispute with the US over Swiss bank UBS’s role in facilitating tax evasion on a vast scale. London, Luxembourg and Zurich are in the top five most secretive jurisdictions, according the first comprehensive index of financial transparency ever compiled. Yet top of the pile, beating the British Virgin Islands, Belize or Liechtenstein as the best place to hide wealth, is Delaware. One of the smallest states in the US, it offers the best protection for anyone who does not want to disclose their identity as a beneficial owner of a company. That is one very good reason why the East Coast state hosts 50% of the US’s quoted firms and 650,000 companies - almost equivalent to one company per Delaware resident. The Financial Secrecy Index took 18 months to compile, was researched by senior academics, accountants and investigators under the banner of the Tax Justice Network, and runs to 1,800 pages.[Source] [Financial Secrecy Index]

US – Virginia Fines Insurer for Failure to Protect Policyholder Privacy

In its first enforcement of a 2003 law, the Virginia State Corporation Commission Bureau of Insurance (VSCCBI) fined insurance agent Caryn J. Williams and SCK Enterprises on seven counts of failing to properly protect the personal information of policy holders. The VSCCBI, which issued an administrative letter to remind insurance agents and agencies of their obligation to draft and implement written security policies for the protection of policyholder privacy, took action against Williams and SCK Enterprises for “failing to obtain a signed consent form from a policyholder, charging an administrative fee in addition to premium, failing to retain three years of insurance records, failing to make records available to regulators promptly and failing to properly handle fiduciary accounts.” [Source]

FOI

US – Metadata in State Documents Is Public Record, Court Rules

Arizona’s Supreme Court has declared that electronic metadata is part of the public record under state law, in a case involving an Arizona police officer who suspects his superiors of backdating a document related to his work performance. Phoenix, Arizona, police officer David Lake had filed a federal lawsuit against the city alleging employment discrimination. He’d also filed a public records request to obtain documents related to his work, including notes written by his supervisor documenting his performance. When he subsequently sought the electronic metadata for the records, because he believed at least one of the paper documents had been backdated, the city refused. The city argued that metadata — digital information that can reveal when a document was created and subsequently accessed or modified — was not part of the public record. Releasing such information to the public would result in an “administrative nightmare” and force public officials to spend “countless hours” trying to identify the metadata, the city claimed. Two lower courts agreed with the city, noting a distinction between “record” and “public record.” But the state Supreme Court ruled that “if a public entity maintains a public record in an electronic format, then the electronic version, including any embedded metadata, is subject to disclosure under our public records laws.” Supreme Court Justice W. Scott Bales wrote in the ruling that metadata “is part of the underlying document; it does not stand on its own. When a public officer uses a computer to make a public record, the metadata forms part of the document as much as the words on the page.” The court responded to the city’s claim that supplying metadata would place an unnatural burden on city workers by noting that the request for metadata could easily be satisfied by supplying requesters with documents in their original electronic format, rather than printing them out. Although the ruling applies only in Arizona, the case could influence other courts. The Supreme Court in Washington state is set to hear a similar metadata case. [Source]

US – House Ethics Committee Report Accidentally Leaked Through P2P Network

A confidential House Ethics Committee report was inadvertently leaked through a P2P file-sharing network. The report details inquiries into ethics issues involving more than 30 legislators and legislative aides. Ethics Committee members sign oaths not to reveal activities relating to any investigations past or present. Committee chairman Zoe Lofgren (D-Calif.) interrupted a series of House votes on Thursday afternoon to notify legislators of the breach. The leak is being blamed on a junior staff member’s use of P2P software while working from home. That staff member has been fired. The leak has prompted House Speaker Nancy Pelosi (D-Calif.) and Minority Leader John A. Boehner (R-Ohio) to call for an “immediate and comprehensive assessment” of cyber security policies. [Source] [Source] [Source] [Source] [Source] [Source]

Genetics

US – Ohio University Backs Away From New-Hire DNA Testing

The University of Akron is backing away from a controversial new policy, which appears to be the first in the nation, saying that new hires can be DNA tested as part of a background check. William Rich, the vice chairman of the Ohio university’s Faculty Senate, said that the administration was now willing to remove references to DNA testing from its background check policy. As reported last week, the university’s board of trustees adopted a rule saying a “DNA sample for purpose of a federal criminal background check“ may be collected from any prospective faculty, staff, or contractor. That policy, which includes no explicit privacy guarantees, appears to violate a federal law that takes effect on November 21 called the Genetic Information Nondiscrimination Act. Rich, a law professor at the University of Akron who teaches constitutional and criminal law, introduced a resolution during a Faculty Senate meeting, saying the policy “poses a serious threat to the personal privacy of university employees,” which the group unanimously approved. Rich says he believes the DNA testing rule is far broader than necessary, in part because it “does not limit the use of the genetic information to background checks.” A spokeswoman for the University of Akron, Laura Massie, did not respond to a request for comment. The College and University Professional Association for Human Resources, or CUPA-HR, believes that the University of Akron’s policy is a first. Massie previously said that no job applicants had been DNA tested so far. [Source]

US – Look Out! Your Genes Make You a Bad Driver

No need to curse that bad driver weaving in and out of the lane in front of you – he cannot help it, U.S. researchers report. They found those with a particular gene variant performed more than 20% worse on a driving test than others with a different DNA sequence. About 30% of the population have the variant, the University of California Irvine team say. His team tested 29 people – 22 without the gene variant and seven with it – asking them to drive 15 laps on a simulator and then repeat the task a week later. To their surprise, those with the mutant gene did worse consistently. The gene controls brain-derived neurotrophic factor, a protein affecting memory. “I’d be curious to know the genetics of people who get into car crashes. I wonder if the accident rate is higher for drivers with the variant,” he said. [Source]

Health / Medical

US – Survey: Health Providers Not Ready for New Privacy Rules

Many healthcare organizations are not prepared to meet tougher privacy and security terms contained in the health IT stimulus law, according to a survey by the Healthcare Information and Management Systems Society. The HITECH provisions of the law strengthened penalties for mishandling personal health information by providers. Security budgets are low and organizations lack a plan for responding to threats or a security breach, according to the findings, which were published Nov. 3. Many healthcare organizations also have not named a chief security officer or chief information security officer. According to the survey findings, healthcare organizations are not taking advantage of all currently available security technologies to keep patient data safe. For instance, respondents said they use audit logs of data from firewalls and servers as common information sources. Yet only 25% reported that they electronically analyze the data. Also, while 67% said they use encryption to secure data in transmission, fewer than half encrypt stored data. Passage of the HITECH Act did not result in larger security budgets, the survey found. About 60% reported that their organization spends 3% or less of their IT budget on information security. This is consistent with the spending level in the 2008 study, the first year HIMSS conducted the survey. Nearly all those responding said their organizations share patient data in electronic formats, most often with state agencies. In the future, they are most likely to share data with health information exchanges, the survey showed. About 40% said these sharing arrangements have enhanced health information security in their organizations. [Source] [Report] [Survey: Most Health Care Orgs Spend 3% or Less of IT Budget on Security]

CA – Public Entitled to Info, New Manitoba Health Pamphlet Says

The Manitoba government announced this week that it is distributing pamphlets and posters to let members of the public know they are entitled to information if a family member is unexpectedly hurt or dies while under hospital care. Health Minister Theresa Oswald said the resources support new legislation that requires health facilities to investigate and share information with families in the event of a critical incident -- defined as an event when something unexpected happens during the course of patient care that has a serious adverse effect on the patient. Manitoba is one of three provinces with critical incident legislation. [Source]

Horror Stories

US – Manhattan DA Brings Indictment for Major ID Theft Operation

The district attorney’s office for Manhattan has brought a 149-count indictment against a suspect in an 8-year identity theft operation. The charges accuse a 27-year-old computer technician of stealing the personal information of Bank of New York Mellon employees and using it to open bank and brokerage accounts under those names at other financial institutions. Those accounts were then used to steal $1.1 million from a number of charities as well as from the employees themselves. Among the charges included in the indictment are identity theft, grand larceny, money laundering, computer tampering and the unlawful possession of personal information. [Source] See also: [US Judge spanks lawyer for leaking personal details in brief]

US – CalOptima Locates Disks Containing Patient Data

Several disks that disappeared when they were sent through the mail two weeks ago have been located at a US Postal Service facility in Atlanta, GA. The disks had been sent via certified US mail to California managed health care provider CalOptima from a vendor, but when the package arrived, the smaller package inside was missing. The unencrypted disks contain patient names, addresses, dates of birth, medical procedure and diagnosis codes and in some cases, SSNs. Now that the disks have been recovered, CalOptima no longer plans to notify the 68,000 affected individuals. [Source]

Identity Issues

US – CDT Highlights Policy Issues Related to New Identity Management Systems

CDT has released a whitepaper highlighting policy issues related to responsible user-centric identification systems. The paper comes as the U.S. Government begins launching a series of pilot programs that will use third party user credentials to authenticate users to federal Web sites and discusses possible challenges to be considered as these activities are expanded in order to provide a better user experience. The term “user-centric identity” refers to systems where users, rather than service providers, control their identity credentials. These new online systems must be designed with privacy and security as the foremost concerns due to the sensitive nature of the information held by the identity provider. The U.S. government recently announced three pilot programs using this identity management method to help improve access to government information while leveraging existing credentials for users. “User-centric federated identity has great promise to make online interactions easier,” says Heather West, Policy Analyst at CDT and author of the whitepaper. “But questions should be addressed as trust frameworks are created in order to help establish solid relationships online.” The whitepaper discusses how the key components of a user-generated identity system (such as trust frameworks, users and identity providers) can work in concert to create a successful program. The paper also details the benefits and liabilities in federated identity management. [whitepaper] [Press Release]

US – Analysis: Real ID Program on Life Support

A decision by lawmakers to slash funding for the unpopular Real ID national driver’s license program has put an already struggling program on life support. Earlier this week, the U.S. Senate approved a $43 billion budget for the U.S. Department of Homeland Security (DHS) for fiscal year 2010, which began Oct. 1. The measure included substantial increases in DHS spending in several key technology areas, but slashed Real ID funding by 40%, from $100 million to $60 million in 2010. That reduction all but ensures that Real ID is going nowhere, said Jim Harper, director of information policy studies at the Cato Institute. But continuing hesitation by Congress to kill the program entirely highlights the somewhat touchy political nature of the program, he said. “A straightforward repeal of Real ID is too much for our Congress to handle at this point,” Harper said. “There isn’t any love for Real ID in Capitol Hill. Most in the Senate and the House don’t want it.” At the same time, many lawmakers are reluctant to openly reject it for fear of being seen as being too soft on national security issues, he said. [Source]

Internet / WWW

US – Court: Whois Privacy Is ‘Material Falsification’

A ruling by the US Court of Appeals 9th Circuit in the case of U.S. v Kilbride has determined that using whois privacy on domains can be considered “material falsification”. The case involved an appeal on criminal charges of spamming. The ruling in this case provides the courts opinion on provisions of the CAN SPAM Act that specifically relate to the use of domains and were argued by the defense as “vague”. The ruling doesn’t make use of whois privacy illegal. However coupling the use of privacy services with an allegation of intentional spamming and you’ve got the cards stacked against you. [Source]

US – National Cybersecurity and Communications Integration Center Opens

The US Department of Homeland Security (DHS) has unveiled a cyber security operations center designed to help the government coordinate cyber attack response. The National Cybersecurity and Communications Integration Center merges the US Computer Emergency Readiness Team (US-CERT) and the National Coordinating Center for Telecommunications. Legislation currently being drafted would require agencies and private companies to establish a system to share cyber threat information. [Source] [Source]

Location

US – CMU Study Released: Location-Sharing Technologies: Privacy Risks and Controls

Massive numbers of Americans are carrying around on their persons electronic devices that permit tracking of their locations. They are concerned about the drawbacks, but apparently not concerned enough to curtail their usage, according to a study by the privacy-oriented researchers at Carnegie Mellon University in Pittsburgh. Carnegie-Mellon PhD students Janice Y. Tsai and Patrick Gage Kelley and computer science professor Norman Sadeh, plus Lorrie Faith Cranor, director of the CyLab Usable Privacy and Security Laboratory, wrote the paper, “Location-Sharing Technologies: Privacy Risks and Controls“ They reported that in their survey of nearly 600 persons, “We find that although the majority of our respondents had heard of location-sharing technologies (72.4%), they do not yet understand the potential value of these applications, and they have concerns about sharing their location information online. Most importantly, participants are extremely concerned about controlling who has access to their location.” Those who are wary of the technologies said that strangers can stalk them, can tell if they are away from home or at home, and can locate them at any given time. By contrast, young persons and adults with children like the tracking technologies. They can give directions quickly to friends, track loved ones and surprise someone for a special event, be found by acquaintances, and keep track of where friends are. [Privacy Journal report] [CMU Study] [Study home]

US – Massachusetts Court Rules Police Must Have Warrant for GPS Devices

According to a recent ruling by the Massachusetts Supreme Judicial Court, police must have a search warrant before installing a global positioning system (GPS) device in a private citizen’s vehicle. This past September, the Massachusetts Supreme Judicial Court issued an opinion on a subject that has become contentious across the country: are the police required to have a search warrant before installing a global positioning system (GPS) device in a private citizen’s vehicle? In Commonwealth v. Connolly, the state’s highest court answered this question in the affirmative and limited the monitoring period to 15 days. While many view the ruling in this case as a win-win for privacy rights and law enforcement personnel, there are still concerns about the broader implications of government use of GPS devices to track private citizens’ movements… [Source]

Offshore

WW – IAPP Issues Benchmark Report on Data Protection Authorities

The International Association of Privacy Professionals released its Global Data Protection Authority benchmark report at the IAPP Data Protection and Privacy Workshop in Madrid. The report is based on a survey that assessed the objectives, resources, structure and scope of authority of DPAs around the world. Results indicate: a majority of DPAs reported that they focus primarily on handling privacy complaints, education, and advocating for privacy rights; there is no apparent correlation between DPAs’ annual budgets and ability to levy fines; and, only half of DPAs responding to the survey had fining authority, and only two of those surveyed had the power to impart criminal sanctions. [Source]

Online Privacy

WW – New NAI Opt-Out Tool Protects Against Cookie Deletion

The behavioral ad sector’s self regulatory group hopes its latest initiative quiets concerns about cookie-based tools that allow consumers to opt-out from ad targeting. The new downloadable software from the Network Advertising Initiative acts as a browser-based hub for managing ad network opt-outs. The moves come as the FTC plans a series of public roundtable talks on consumer privacy as it relates to behavioral advertising, mobile marketing, and other issues. The FTC, along with critics of industry self-regulation, have argued that employing cookies to indicate that users have opted-out of ad network targeting is futile because people often delete cookies. The NAI Consumer Opt Out Protector is an open-source Firefox add-on that maintains opt-outs even when people clear their browser history or delete cookies. It doesn’t maintain non-opt-out cookies. The plug-in offers a control panel allowing users to review all of the opt-out cookies currently being protected. The plug-in also notifies a user through the control panel if important information or updates are available. A user can also choose to install an additional trusted list of opt-out cookies from other companies via the control panel if they wish. [Source]

WW – Google Dashboard Lifts Curtain on Stored Data

Google is proving to be well aware of the uneasiness among the public over the increasing amount of data it stores from users of its services. Google is launching Google Dashboard, a service that lets you log into a console and see all the personal data that the company maintains on a Google Account user across all its products, from Gmail and YouTube to Blogger and Picasa. It allows users to log into the settings page of their Google account and review links to the personal data stored by Google across many of its products from a single Web page. Users can delete data, change privacy settings, and read the privacy policies from various accounts on that page. A YouTube video outlining the service was published on Google’s Privacy Channel and spotted by the Google OS blog. Google has tried to placate critics, recently emphasizing that it tries very hard to let users export any data they enter into one of Google’s products through the work of the Data Liberation Front. Dashboard is another step in that direction as Google tries to emphasize that users have control over the data it stores on them. [Source] [Google OS blog] See also: [Google privacy controls: Most people won’t care] and [Google Dashboard Creates Security and Privacy Concerns]

WW – New System Preserves Right to Privacy in Internet Searches

A team of Catalan researchers has developed a new computer protocol to distort the user profile generated by Internet search engines, in such a way that they cannot save the searches undertaken by Internet users and thus preserve their privacy. The study has been published in the journal Computer Communications. “It is a model based on cryptographic tools which distort the profile of users when they use search engines on Internet,” explains Alexandre Viejo. He is one of the authors of the study and a researcher at the Computer Engineering Department of the Rovira i Virgili University, “in such a way that their privacy is preserved”. The tool prototype has already been tried in closed (research centre intranets) and open (internet) environments, “and the results allow us to be optimistic with the global implementation of the model.” The researchers are now working on the development of a final user version and trust that it will soon be easily integrated into the main platforms and browsers. [Source]

WW – Microsoft Expresses Cloud Privacy Commitment, Concerns

Cloud computing continues evoke privacy concerns, so Microsoft has published a position paper that attempts to address the questions it’s been hearing. The paper’s publication coincides with the 31st International Conference of Data Protection and Privacy Commissioners. “We know that cloud computing is getting a lot of attention these days and we’ve heard from customers and external stakeholders that they’d like to hear what we’re thinking about it,” said Brendon Lynch, senior director of privacy strategy for Microsoft’s trustworthy computing group. “Privacy and security are the number one concern of organizations that are thinking about going into the cloud space.” The diversity of information being stored in cloud services, the extent to which cloud services are being used by consumers and businesses, and the architectural differences of cloud data storage all provide a reason for Microsoft to clarify its thinking about cloud privacy. Lynch says that Microsoft is working on trying to encourage the harmonization of privacy laws and a consistent global privacy framework that can accommodate the reality of global data flows. “In order to maintain trust and confident in cloud service, we really feel that cloud providers need to put forth strong privacy protections and to be very transparent,” said Lynch. [Source] [Paper: Privacy in the Cloud Computing Era: A Microsoft Perspective] [PDF]

Other Jurisdictions

PH – Philippine Small Businesses Struggle with Cybersecurity

According to a new report, the vast majority of small- and medium-sized businesses in the Philippines have inadequate resources for dealing with cybersecurity. According to the 2009 National Small Business Cybersecurity Study, sensitive information about employees, customers and intellectual property is at risk because of the situation. Some of the results from the report include: 86% of SMBs lack dedicated IT security staff; 53% only update security and anti-virus settings on a weekly basis, while 11% never update; 72% lack formal security policies; and 25% of companies using wireless networks fail to secure their networks. [Source]

Privacy (US)

US – Study: States Violate Students’ Privacy

States violate children’s privacy rights according to the results of a Fordham Law School study released this week. Fordham’s Center on Law and Information Privacy (CLIP) undertook the national study of states’ educational databases last year. The findings reveal that departments of education are storing the sensitive personal data of K-12 school children and are failing to protect that data. States “are trampling the privacy interests of those students,” said CLIP Founding Director Joel Reidenberg. The results come as Congress considers legislation proposing the integration of 43 state education databases. Among its recommendations, CLIP suggests that states institute a chief privacy officer in their departments of education. [Source] [Media Release] [Background] [Full Report]

US – Obama Urged to Reconstitute Civil Liberties Oversight Board

Senate and House committee members wrote to President Obama this week to urge him to appoint members to the currently defunct White House Privacy and Civil Liberties Oversight Board. In their letter Senator Susan Collins (R-ME) and Rep. Jane Harman (D-CA) wrote that a fully engaged and independent privacy panel in the executive branch is important as Congress considers expiring USA PATRIOT Act provisions and other matters, the report states. Earlier this year, Senators Patrick Leahy (D-VT) and Arlen Specter (D-PA) described the board as “a critical government component” in need of reconstitution. [Source] [Letter to US President Obama]

US – FBI Favors National Breach Notification Standard

The Federal Bureau of Investigation is in favor of a national data breach notification standard. Agency officials say it would help law enforcement fight cybercrime. During a cybersecurity discussion in Washington yesterday, the head of the FBI’s Cyber Criminal Section said such a standard “would help us tremendously, particularly in terms of efficiency in conducting investigations.” Troy said that widespread reporting would help cyber cops discover links and potentially prevent similar attacks. About 90% of US states have data notification bills, but federal legislation has yet to be enacted. Federal agencies are already required to report data security breaches to US-CERT. Senator Leahy’s Personal Data Privacy and Security Act, introduced in July, and a Senate cybersecurity bill to be introduced this year includes or will include breach-notification rules. [Source] [Source] [Source]

US – Javelin: Breach Notifications Fall Flat on Consumers

Study findings suggest consumers do not understand the importance of data breach notifications and, as a result, fail to protect themselves from fraud. Javelin Strategy and Research says that consumers who have been notified of a breach of their data were four times more likely than the public at large to experience fraud, the report states. The firm said that 19% of consumers who received a data breach notification over the past year have become the victims of fraud within a year of the notification. [Source] [Media Release] [Javelin Report Summary]

Privacy Enhancing Technologies (PETs)

WW – Privacy Experts Urged to Carry Privacy by Design Concept to Own Jurisdictions

An all-star cast of international privacy professionals gathered in Madrid to consider how the concept of Privacy by Design can be employed in their own jurisdictions. Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario, Canada (IPC) and Yoram Hacohen, Head of the Israeli Law, Information and Technology Authority (ILITA), co-hosted Privacy by Design: The Definitive Workshop.Commissioner Cavoukian’s Privacy by Design concept is based on embedding privacy into the design of new technologies, business practices and infrastructure by proactively treating privacy as the default, rather than adding protection after-the-fact. Three Privacy by Design white papers co-authored by the IPC will be launched at the event: Privacy by Design: Essential for Organizational Accountability and Strong Business Practices (co-authored by HP and The Centre for Information and Policy Leadership), Remote Home Health Care Technologies: How to Ensure Privacy? Build It In: Privacy by Design (co-authored by Intel and GE Healthcare), and A Pragmatic Approach to Privacy Risk Optimization (co-authored by Nymity) [Source]

CA – Ontario IPC Issues Guidance on Secure Data Destruction

Commissioner Cavoukian has issued a new publication in collaboration with the National Association for Information Destruction: Best Practices for the Secure Destruction of Personal Health Information. This joint publication was borne out of a particular Health Order (HO-006) which Commissioner Cavoukian issued this past summer regarding records containing personal health information being found scattered on the streets, in Ottawa, outside a medical centre housing a medical laboratory. The publication outlines a number of Best Practices that can be employed in the secure destruction of personal health information records. These include: developing a secure destruction policy that is clear, understandable and leaves no room for interpretation; segregating and securely storing records; determining the best methods of destruction; documenting the destruction process; considerations prior to employing a third-party service provider; disposal of securely destroyed materials; and ensuring compliance. [Source]

Security

WW – MIT Researchers ID Unusual Data Security Threats

Researchers at the Massachusetts Institute of Technology (MIT) Computer Science and Artificial Intelligence Lab’s Cryptography and Information Security Group have identified a number of common yet overlooked threats to personal data security, including power fluctuations and sounds generated by a personal computer. Because some applications share memory cache, a technique known as cache-timing can give hackers access to sensitive data when running another application simultaneously. Researchers are using similar techniques to investigate whether data shared via cloud computing are vulnerable to cache attacks. [Source]

WW – Global Information Security Report Sees Security Spending Stabilizing

According to PricewaterhouseCoopers’s 7th Annual Global State of Information Security Survey 2010, 63% of CIOs around the world say that they intend to maintain or increase information security spending, despite economic conditions. The study surveyed more than 7,200 executives at companies in 130 countries. The report also indicates that while social networking and cloud computing are increasing in popularity and hold promise for increased productivity, they are also the source of increased security threats. [Source]

WW – Three-Quarters of Small and Mid-Sized Companies Froze or Cut Security Spending

A McAfee survey of 100 small to medium-sized companies in each of nine countries around the world found that while 71% believe a data security breach could put them out of business, three-quarters of the companies either froze or reduced their information security spending in 2009. Two-thirds of the companies responding said they spend less than three hours a week on security. 20% of the companies surveyed said they had experienced a data security breach within the past year; mitigating the damage from the breaches cost an average of US $41,000. [Source] [Source] [Source]

Surveillance

CA – Spy Watchdog Backs Federal Bid to Boost Internet Surveillance

The federal government has an unexpected ally in its bid to broaden Internet surveillance - the watchdog over Canada ‘s spy agency. In its annual report, the Security Intelligence Review Committee says CSIS’s “ability to perform certain investigative procedures will be constrained” until the government enacts new laws. The government has tabled legislation that would require telecommunications service providers to include intercept capabilities in their networks, making it easier for CSIS to gain access to emails and phone conversations. It would also allow authorities to obtain information about subscribers and their mobile devices without a warrant. Opponents have raised concerns about the scope of information involved and how it would be used. The review committee, however, points out that governments in the U.S. and Europe have already passed laws requiring co-operation between security agencies and online service providers. “The committee does believe that the service needs that tool to carry out the mandate that they’ve been asked to do,” said Steve Bittle, a review committee spokesman. Bittle said he could not elaborate because the technical issues in question “are very sensitive matters.” The review committee reached its conclusion after studying CSIS’s scientific and technical services branch, which has specialists in forensics, mechanical engineering, programming and lab analysis. The committee acknowledges that Privacy Commissioner Jennifer Stoddart has argued against the so-called “lawful access” legislation, saying it “raises fundamental issues for rights such as privacy and the ability to communicate freely.” The committee report says “it is important that Canadians engage in a healthy debate” on the issue. [Source] [2008-2009 Annual Report]

UK – Gov’t to Restrict Surveillance Powers of Local Authorities

The “surveillance state” powers of local UK authorities to snoop on the public are to be curbed under reforms announced by the home secretary, Alan Johnson. Junior council officials are to lose the authority to order surveillance operations including secret filming and eavesdropping for “trivial reasons”, such as catching people putting out their rubbish on the wrong day or letting their dogs foul the street. In future only council chief executives and directors will have the power to order covert surveillance operations and a new code of practice will ban their use for minor matters. MPs are to be given assurances that their communications with constituents are confidential and any eavesdropping by police will need high-level authorisation. Elected councillors are to be given a role in overseeing the way their local authorities carry out surveillance operations. The changes will be made to the Regulation of Investigatory Powers Act (RIPA), which was introduced in 2000 to regulate the use of covert surveillance by the police and welfare benefit fraud teams. The powers have been used nearly 50,000 times since 2002 by councils and health teams. It also emerged that the legislation will now be used by child maintenance investigators to track down absent fathers who fail to pay for child support. The Home Office confirmed investigators will be given access to communications data stored by phone companies and internet service providers in cases where other methods of investigation have failed, but that the powers would be used solely in cases where criminal behaviour is strongly suspected. [Source]

EU – EU Proposes Black Boxes for Cars

Cars could be fitted with aircraft-style black boxes, under European Commission plans that opponents fear could lead to an expansion of the big brother state. The European Commission has spent £2.4 million on Project Veronica, a study on how the boxes would work. The boxes, known as an Event Data Recorders (EDR), could monitor vehicles’ speed and the actions of the driver - when and how often the brakes, indicators and horn were applied. The proposals are likely to trigger concern among civil liberties groups over the growth of the surveillance state. [Source]

US – Man Sues Over Leaky Baby Monitor

Wes Denkov, an Illinois man, is suing the maker of a video baby monitor after discovering that he and his neighbor could spy on each other through the devices. Denkov discovered that the microphone on the monitor was so sensitive it even picked up conversations occurring in rooms outside the nursery. According to the complaint, Denkov purchased his monitor in June 2008 and discovered the problem about six months later, after a neighbor’s wife gave birth to twins. Denkov said there were no warnings on the box to indicate that others outside the home would be able to view activities or hear conversations in the room where the monitor was placed. Denkov said his wife often breastfed their infant son in the room. They believed the product was “secure” when they bought it. When he contacted the manufacturer to complain, Denkov was allegedly told that he should have known the device was not secure and that if he wanted real security he should purchase a more expensive monitor. Denkov no longer had a receipt for the product, and the company refused to give him a refund. Media reports have long discussed the security problems with wireless baby monitors and web cameras. But Denkov alleges in his suit that the manufacturer and the seller should have disclosed this information on the product packaging, on the product website and in the store where the products are sold. He accused the company of deceptive conduct. As a result of the vendor’s conduct, the suit claims, Denkov and other consumers who purchased the product, “will likely continue to incur emotional distress as a result of being watched within their homes by third parties, or simply knowing that they may have been watched by others.” [Source] See also: [Orwellian state of security – CCTV] [ICO CCTV Code of Practice]

Telecom / TV

UK – Public WiFi Networks in UK Vulnerable to Hackers

According to a study by the group Watchdog, the top three providers of WiFi Internet access in the UK have left their networks vulnerable to attack by hackers. According to the report, users of BT Openzone, The Cloud and T-Mobile have been exposed to the potential for fraud and unauthorized surveillance by hijacking hotspot access. Watchdog offered their findings at a presentation during which they were able to access the accounts of two members of the audience, including their e-mail and social networking activities. All three WiFi providers responded to the report, saying they would do more to help users protect their accounts but that sufficient tools and security measures are already in place for subscribers. [Source] [Source]

US Government Programs

US – FTC in Transition on Privacy

According to the Privacy Journal, the Federal Trade Commission is undertaking what seems the most fundamental reexamination of its compliance program since it first acquired jurisdiction over privacy practices with passage of the Fair Credit Reporting Act in 1970. It begins with a “fundamentals‟ roundtable discussion at the FTC headquarters in Washington Dec. 7. Information about participation and the content is at privacyround@ftc.gov, FTC Roundtables. An addition-al session is planned – tentatively – for Jan. 29, 2010, at University of California Berkeley Law School and a third in mid-March in Washington. The new guard at the Bureau of Consumer Protection wants to move beyond the “harms-based” enforcement effort, which some regard as too narrow and reactive. Instead, new practices like social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, databrokers, third parties, Google Books, and other diverse businesses, plus the new technologies that they employ, have led the FTC staff to seek out a new approach for setting compliance priorities, according to attorney Christopher Olsen, who is coordinating the effort. “The current scheme of insisting on notice to consumers just doesn’t work,” he told privacy activists at a briefing Oct. 30. [Source: Privacy Journal newsletter Nov 2009]

US – GAO Report Exposes OMB Mismanagement of FISMA PII

A GAO report faults OMB for reliance on “inadequate performance measures.” OMB relies too heavily on NIST’s procedural guidance that agencies use to report “measures that do not demonstrate the effectiveness of control activities or the impact of information security programs.” Senator Tom Carper noted that more than $5 billion has been wasted over the past five years on “ineffective and useless” certification and accreditation, producing reports that cost more than $1,400 per page and are out of date when delivered and sit in store-rooms. GAO identified 5 characteristics of metrics OMB should be demanding. The characteristics reinforce the need for agencies to move away from NIST procedural controls and toward controls that are performance oriented, continuous, reliable, and that are prioritized to ensure they actually reduce risk. [Senator Carper’s Statement] [The GAO Testimony] [Additional testimony from the October 29 hearing on “More Security, Less Waste”]

US – FBI Watch List at 400K, 1,600 Additions Suggested Daily

Newly released FBI data offer evidence of the broad scope and complexity of the nation’s terrorist watch list, documenting a daily flood of names nominated for inclusion to the controversial list. During a 12-month period ended in March this year, for example, the U.S. intelligence community suggested on a daily basis that 1,600 people qualified for the list because they presented a “reasonable suspicion,” according to data provided to the Senate Judiciary Committee by the FBI in September and made public last week. The ever-churning list is said to contain more than 400,000 unique names and over 1 million entries. The committee was told that over that same period, officials asked each day that 600 names be removed and 4,800 records be modified. Fewer than 5 percent of the people on the list are U.S. citizens or legal permanent residents. 9% of those on the terrorism list, the FBI said, are also on the government’s “no fly” list. This information, and more about the FBI’s wide-ranging effort against terrorists, came in answers from FBI Director Robert S. Mueller III to Senate Judiciary Committee members’ questions. In a different vein, the FBI was asked why it is losing new recruits as special agents and support personnel at a time when terrorist investigations are increasing. The FBI responded that failed polygraph tests rather than other factors, such as the length of time for getting security clearances, are the main reason recruits are ending their efforts to join the bureau. In the past year, polygraphs were the cause of roughly 40% of special-agent applicants dropping out, the records showed. [Source]

US Legislation

US – Senate Panel Approves Data-breach Notification Bills

The U.S. Senate Judiciary Committee has approved two bills that would require organizations with data breaches to report them to potential victims. The Committee voted to approve both the Personal Data Privacy and Security Act and the Data Breach Notification Act by large majorities. The Data Breach Notification Act, sponsored by Senator Dianne Feinstein, a California Democrat, would require U.S. agencies and businesses that engage in interstate commerce to report data breaches to victims whose personal information “has been, or is reasonably believed to have been, accessed, or acquired.” Feinstein’s bill would also require agencies and businesses to report large data breaches to the U.S. Secret Service. The Personal Data Privacy and Security Act would also require that organizations that maintain personal data give notice to potential victims and law-enforcement authorities when they have a data breach. It would increase criminal penalties for electronic-data theft and allow people to have access to, and correct, personal data held by commercial data brokers. The second bill, sponsored by Senator Patrick Leahy, the Judiciary Committee chairman, would also require the U.S. government to establish rules protecting privacy and security when it uses information from commercial data brokers. Both bills now head to the full Senate for votes. The timeline for action in the Senate is unclear. [Source]

US – U.S. Department of Health Strengthens HIPAA Enforcement Rules

The U.S. Department of Health and Human Services (HHS) has issued an interim final rule with request for comments to strengthen its enforcement of the rules promulgated under HIPAA. The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009, modified the HHS Secretary’s authority to impose civil money penalties for violations occurring after Feb. 18, 2009. These HITECH Act revisions significantly increase the penalty amounts the Secretary may impose for violations of the HIPAA rules and encourage prompt corrective action. The interim final rule with request for comments conforms the HIPAA enforcement regulations to these revisions made by the HITECH Act. It may be viewed and commented on at: www.regulations.gov. This rulemaking will become effective on Nov. 30, 2009, and HHS will consider all comments received by Dec. 29, 2009. [Source]

Workplace Privacy

EU – Pre-Employment Blood Tests “Illegal,” Says DPA

A German data protection official says that the pre-employment blood tests carried out by Daimler are illegal and that the data must be deleted. The tests are voluntary and the company tests candidates only in the final stages of the job selection process, however Marit Hansen of the Schleswig Holstein data protection authority said the practice breaks “all existing data protection regulations.” Hansen said: “The data has to be deleted and all those affected have to be informed.” A company spokesperson said that Daimler has submitted information about the tests to data protection officials. [Source]

+++