Privacy News Highlights

07–20 November 2009

 

Contents:

ISR – Knesset Likely to Okay New Biometric ID Database

US – NIST Test Proves ‘the Eyes Have It’ for ID Verification

EU – Researchers Develop a Facial Biometrics System Capable of Creating a Facial DNI

WW – China, Asia Key to Broadening International Biometrics Debate

CA – Privacy Watchdog Raises Alarm Over Security Measures

CA – Data Breaches on the Increase

CA – WCB Complaint Well-Founded

CA – CWB Has No Explanation for Disclosing Farmer Info

CA – Body Armour Bill Brings Concerns

CA – Laws Said Needed to Protect Children from Internet Threats

CA – Ontario Moves to Limit Jury Pool

CA – Insurers Take Issue with OPC Video Guidelines

CA – Alberta Privacy Commish Concerned Over Bar Patron Law

CA – Nymity Recognized as Privacy by Design Ambassador

AU – World Drafts Privacy Standard

US – CMU Releases Study of How People Perceive Online Behavioral Advertising

AU – Roger Clarke Unleashes Blast on Privacy

US – Feds Wanted Private Data on All Visitors to Liberal Internet News Site

UK – Gov’t Data Collecting Obsession Now Extends to 5yr Olds

UK – Every Phone Call, Email and Internet Click Stored by ‘State Spying’ Databases

AU – Steps Taken to Safeguard Health IDs

UK – London Medical Records Go Online

US – Electronic Medical Records Don’t Save Money, Says Study

WW – Only Half of CEOs Strongly Support Data Security Efforts

EU – Commission Forms Industry Body to Solve Behavioural Advertising Problems

UK – UK Considering Raising Maximum Data Breach Fine by ICO

UK – ICO: Number of Breaches “Unacceptable”

EU – Swiss DPA Taking Google to Court

US – Corporate Data Compromise Leads to Increased Risk of Identity Fraud

VN – Vietnam Internet Users Fear Facebook Blackout

US – Banks Reissuing Credit Cards After Report of Breach at Spanish Payment Company

EU – Nations Oppose SWIFT Draft Agreement

US – AICPA Sues FTC over Red Flags

US – T-Mobile Admits Employee Sold Private Customer Data

WW – Microsoft Releases Paper on Cloud Privacy

WW – Google Dashboard Debuts

US – Opinion: Google Dashboard Changes our Thinking about Privacy

CA – In-Home Technology Must Protect Privacy

US – Part 2 of “Genetic Information Non-discrimination Act” Takes Effect

UK – DNA of Anti-War Protesters Could Be Held For Life

US – Using Relative’s DNA Cracks Crime, but Privacy Questions Raised

CA – Privacy Czar Targets Forms

US – Hospital Privacy Leak Could Harm Patients

US – T-Mobile Admits Employee Sold Private Data

US – Connecticut AG Investigating Data Breach that Compromised Doctors’ Information

US – Class Action Settlement Approved in Data Breach Case

CA – Govt. Pays Compensation to Avoid Class-Action Lawsuit in Data Breach Case

US – Lost Hard Drive Holds Seven Years of Health Net Patient Data

CA – Edmonton City’s Laptop Loss Rate = One Per Month

EU – STORK Completes Pan-EU Interoperability Framework For Electronic Identity

US – NGA Urges Passage of PASS ID, 36 States Unable to Meet REAL ID Deadlines

US – Pre-Paid Legal Services Says FTC May Sue

US – Don’t Blame Me for Celeb Burglaries, Website Operator Says

UK – UK Government Lays Out Digital Plans

EU – EU Legislators Reach Agreement on Internet Access Rights & Illegal Downloading

WW – Privacy Chiefs Address Behavioral Targeting

EU – Europe Approves New Cookie Law

WW – Hackers Hijack Hundreds of Facebook Groups to Make a Point

US – Social Networking Site Tagged Fined, Must Overhaul Practices

US – How Dumping IP Logs Helped News Site Preserve Readers’ Privacy

CA – N.S. Appeal Court Rules Alleged Drug Courier’s Charter Rights Weren’t Violated

WW – Facebook Offers Poor Personal Data Protection

WW – Facebook Adopts New Privacy Policy

CA – Depressed Woman Loses Benefits over Facebook Photos

EU – Two German Killers Demanding Anonymity Sue Wikipedia’s Parent

AU – Ludwig Flags Data Privacy Overhaul

US – ACLU Releases Report on Enforcing Privacy in America

US – Obama Names FTC Commissioners

US – Online Privacy Watchdogs Hammer Away on Capitol Hill

WW – Smart Utility Meters Draw Attention of World’s Privacy Leaders

US – Kentucky Pet Privacy Law Restricts Shared Information

IR – Road Toll Users to Get More Privacy

US – DHS to Produce Tribal ID Cards

US – For 1/3 of US Government Agencies, Security Incidents are a Daily Occurrence

US – Rutgers Computer Scientists Work to Strengthen Online Security

WW – Online Users Becoming Less Anxious Over Security, Privacy: Unisys

US – Small Businesses an Inviting Target for Data Thieves

US – NARA Admits Violating Internal Policy on Personal Info

UK – Police Probe Breach of NHS Smartcard Security as E-Records Launched in London

US – Researchers Describe Weakness in Government Wiretap Technology

US – Real ID Program In Deep Trouble

US – Ron Paul Aide Detained in Airport, Prompts TSA Rules Change

US – GAO Report Finds Network Security Problems at Los Alamos

US – U.S. House Subcommittee Holds Hearing about Consumer Privacy Online

US – House Science & Technology Committee Passes Cybersecurity Enhancement Act

US – Proposed Legislation Prohibits P2P Use in Government and Contractor Computers

US – House Lawmakers Push Ban on Peer-To-Peer Software

US – Senate Judiciary Committee Approves Two Breach Notification Bills

US – R.I. Governor Vetoes Bills Limiting Use of Tracking Devices

US – Mass. Publishes Final Data Protection Regulations

WW – Companies Fear Wrath of Ex-Staff

WW – Study: Most Corporate Breaches From Inside Leaks and Vulnerabilities

 


Biometrics

 

ISR – Knesset Likely to Okay New Biometric ID Database

Barring any last-minute surprises, the Knesset will give final approval to a controversial law that would set up a biometric database with information about every citizen of the country. The database would be used to issue “smart” identity cards. Both supporters and opponents expected the bill to pass by a large majority. The bill would require all Israeli identity cards and passports to be “smart” documents, containing an electronic chip with the holder’s fingerprints and facial scan. That information would then be stored in a biometric database. Opponents argue that such a database constitutes a real threat to Israelis’ welfare, as the data could too easily pass into the wrong hands. For instance, criminals might obtain an innocent person’s biometric data, and somehow plant them at a crime scene to cover their own tracks, or enemy states might obtain the data and use them to identify Israeli agents operating on their soil. This argument is based in part on the latest State Comptroller’s Report, which found that items included in the extremely sensitive Population Registry database - which includes every Israeli’s ID number, address, and other personal and family information - were leaked to the Internet because the Interior Ministry had not protected it properly. Nor were police ever able to finger the culprits in this activity. Under such circumstances, say opponents of the bill, what grounds are there for believing the government would do a better job of protecting the biometric database? Moreover, they charge, such a database would turn the government into “Big Brother.” The law also has many opponents outside the Knesset, particularly among human rights organizations. Attorney Avner Pinchuk of the Association for Civil Rights in Israel, for instance, pointed out that other democracies have biometric passports, but no other democracy has a biometric database. [Source] [Minister: Biometric system a danger to democratic regime]

 

US – NIST Test Proves ‘the Eyes Have It’ for ID Verification

National Institute of Standards and Technology (NIST) computer scientists have released a report that demonstrates the ability of iris recognition algorithms to maintain their accuracy and interoperability with compact images, which means they could be used for large-scale identity management applications. The success of iris recognition largely depends on the ability of recognition algorithms to process standard images from the cameras currently available, which requires images to be captured in a standard format and prepared so they are compact enough for a smart card or for transmission across global networks. The images also must be detailed enough to be identifiable by computer algorithms and be interoperable with any iris-matching product. NIST scientists are working with the international biometrics community to revise iris recognition standards. NIST launched the Iris Exchange IREX program to encourage the development of iris recognition algorithms that use images conforming to the ISO-IEC 19794-6 standard. The international standard, currently under revision, defined three competing image formats and three compression methods. The first IREX test narrowed the field by determining which ones consistently performed at a high level. Two of the image formats that centered and cropped the iris were found to be the most effective, while two compression formats were found to create small enough file sizes for storage and transmission while retaining enough detail. [Source] [IREX I: Performance of Iris Recognition Algorithms on Standard Images]

 

EU – Researchers Develop a Facial Biometrics System Capable of Creating a Facial DNI

Researchers at Carlos III University of Madrid (UC3M) have developed a facial biometrics system based on individual models. UC3M study author David Delgado Gomez says the objective is to create a model for each person that highlights the most distinguishing features on each face. Delgado says one way to describe a person is through traits that other people do not have, and their new system aims to apply that approach to an algorithm. The researchers say the most complicated part is combining facial geometry and facial texture. “With only the geometric information, very low classifications are obtained, which is why we combine this information with that of facial texture to obtain a more robust model, and a statistical way of combining them occurred to us, which offered very good results,” Delgado says. The researchers have shown that when their system is used in a controlled environment it can achieve 95% accuracy. The biggest challenge to facial-recognition systems is lighting, which can change the color of a person’s face. Aging also is a challenge as people’s faces can become heavier, thinner, or more wrinkled. [Source]

 

WW – China, Asia Key to Broadening International Biometrics Debate

The EU-funded initiative known as RISE (Rising pan-European and International Awareness on Biometrics and Security Ethics) will hold its third annual meeting in Hong Kong in January in recognition of the increasing influence and importance of China and Asia on the international debate surrounding ethics, data sharing and privacy as they relate to biometrics and biometric technologies, according to a press release issued by the Biometric Research Centre of the Polytechnic University of Hong Kong, host of the upcoming conference. [CORDIS]

 

Canada

 

CA – Privacy Watchdog Raises Alarm Over Security Measures

Ottawa is collecting too much information through its anti-money laundering agency and failing to regulate the no-fly list. Privacy Commissioner Jennifer Stoddart’s annual report, tabled in Parliament, warns that Ottawa, in the drive to combat terrorism and money-laundering with the aid of modern technology, has developed a “seemingly insatiable appetite for personal information about individuals.” Tackling what she called two of the most serious threats to privacy, Stoddart combed through the past year’s activities of FINTRAC, the powerful agency that is responsible for tracking financial transactions among Canada’s banks, trust companies, law firms and other money-handling institutions. As well, she audited how Canada’s air carriers and transport authorities manage the “no-fly” list — known in official Ottawa as the “passenger protect” list. Her conclusions echo previous warnings that in its post-9/11 efforts to be on the watch for terrorists, the federal government has often gone overboard. “The unprecedented scope of government data collection that we are witnessing today heightens the risk of misuses and unauthorized disclosure. The consequences for individuals can be grave,” Stoddart says. Stoddart’s report says, however, that overall, in the 26 years since the enactment of privacy legislation, “for the most part, Canadians should be satisfied with the way the federal government handles their personal information.” [Source] [Coverage] [OPC News Release: Audits of major national security programs raise concerns for privacy] [OPC Remarks at a media briefing at the tabling of the 2008-2009 Annual Report to Parliament on the Privacy Act] [Annual Report to Parliament 2008-2009 Report on the Privacy Act] [Audit of the Financial Transactions and Reports Analysis Centre of Canada] [Audit of the Passenger Protect Program of Transport Canada] [Audit of Federal Annual Privacy Reports] [Coverage] [Coverage]

 

CA – Data Breaches on the Increase

Federal Privacy Commissioner Jennifer Stoddart recently released her annual report to Parliament on PIPEDA, the private-sector privacy law. While her comments on social networking were highlighted and widely reported by the media, the report contained some other interesting trends that have not been as widely discussed. One of the most notable developments related to the increasing regularity with which personal information is being released without the knowledge or consent of individuals. The number of reported data breaches has been on the rise in recent years, from 23 in 2006, to 48 in 2007, to 65 reported incidents in 2008. These breaches can leave personal information exposed for anyone to see. The unanswered question in the report is whether there are more data breaches today or whether they are simply being reported more often. Stoddart notes that her office has been encouraging organizations to report breaches in order to develop a better understanding of why violations occur and how they can be prevented. The report breaks data breaches into four types: unauthorized access, accidental disclosure, theft and loss. The report identifies a number of steps that organizations should consider to reduce the risk of data breaches:

 

CA – WCB Complaint Well-Founded

Saskatchewan’s Information and Privacy Commissioner, Gary Dickson, released a report on an investigation that dismissed three of four complaints against Saskatchewan Workers’ Compensation Board (WCB) but found one of the complaints was well-founded. In the report, the commissioner deals with four complaints that were raised by an injured worker regarding WCB actions around some personal information – its collection, use and disclosure. The commissioner determined three of the complaints weren’t well-founded. But, under the Freedom of Information and Protection of Privacy Act (FOIP), the commissioner found that one complaint – dealing with the disclosure of personal information to a third party without complainant consent and without legal authority – was well-founded. Dickson also expanded the investigation to address whether the WCB had met a FOIP duty to ensure personal information collected was accurate and complete. He found the duty wasn’t met. The report contains a number of recommendations around privacy breach guidelines; destruction of unsolicited and uncorroborated opinion information in question from WCB records; segregation of information concerning risk to safety assessments from general files; development of a policy to screen unsolicited personal opinion and information about claimants; bolstering of training; and, publishing of the WCB safety and security policy online so it is available to WCB claimants and the public. “The FOIP act ... sets out kind of a complete code of rules – when a government institution, whether WCB or anyone else, collects personal information, they have to follow the rules,” Dickson said, noting a report is only released when no successful mediation of the grievance can be reached. The report is available on the commissioner’s website. [Source]

 

CA – CWB Has No Explanation for Disclosing Farmer Info

The Canadian Wheat Board, apparently for no reason, shared “sensitive information” about farmers with companies that handle grain, says a newly released document. An internal audit completed last year says the wheat board couldn’t explain why it sent farmers’ “confidential personal financial data” to the taxman and so-called handling agents. “The CWB has been sending confidential personal financial data to Canada Revenue Agency (CRA) and other organizations for an unidentified period of time,” says the audit. “There does not appear to be any known requirement for the CWB to be sending any individual permit data to third parties. During the course of our review, through numerous inquiries, we were unable to determine why this sensitive information is being sent out. “It appears to be a task that is done as ‘it has always been done’ but no one was able to provide us with the exact reason, if there is one.” Controlled by western Canadian farmers, the Canadian Wheat Board is the world’s largest marketing agency for wheat and barley. The Winnipeg-based organization sells grain to more than 70 countries and returns all sales revenue, less marketing costs, to Prairie farmers. [Source]

 

CA – Body Armour Bill Brings Concerns

BC Information and Privacy Commissioner David Loukidelis has raised concerns about a law that would require the tracking of individuals who buy and sell body armour. The law does not include restrictions on the sharing of the registry information. Commissioner Loukidelis says that “several sections of the bill raise privacy issues.” He outlined the issues in a letter to Attorney General Kash Heed. Among them, he said: “There are no prescribed limits on other possible uses or disclosure of information contained in the registry.” [Source] See also: [B.C. P.Commish to probe breach of income-assistance files]

 

CA – Laws Said Needed to Protect Children from Internet Threats

Bernard Richard, the New Brunswick child and youth advocate and privacy commissioner, plans to lobby the Graham government to draft legislation to better protect children from companies that mine their browsing habits for data and from sexual predators bent on exploiting them online. Richard chaired a national working group that studied the growing threat that specific dangers on the Internet pose to children and teens. The group is releasing a discussion paper today entitled “There Ought to be a Law: Protecting Children’s Online Privacy in the 21st Century.” It is targeted at lawmakers, many of whom are less web-savvy than their children or grandchildren, in the hope they catch up with the best legal reforms that treat children’s online privacy as a human right. Their 27-page report outlines how Canadian children face threats to their privacy and safety as going online becomes as natural as chatting, thanks to MSN Messenger, Facebook and other social media. [Press Release] [Source] [NB Attorney-General Expresses Support]

 

CA – Ontario Moves to Limit Jury Pool

The Ontario government has introduced legislation that will sharply limit who can serve as a juror in the province. People convicted of relatively minor offences such as shoplifting, assault or mischief would no longer be eligible for jury duty under changes listed deep within an omnibus bill called The Good Government Act 2009. The planned changes, which were not announced publicly, come after the province was forced to admit it had allowed police in some regions to probe the backgrounds of potential jurors. The new rules would effectively make legal what some Crown offices were accused of doing before the Ontario Privacy Commissioner investigated the practice -- empanel juries made up of people who have never had a brush with the law. Several lawyers contacted by the National Post were alarmed by the amendments, saying they would tilt jury trials in favour of the Crown. The amendments are similar to a law enacted in Alberta last month that prohibits individuals even facing a criminal charge from serving on a jury. In Ontario, people called upon to perform their civic duty will also be subject to background checks performed by police and court services staff within the Ministry of the Attorney-General, to confirm eligibility. A short news release issued on Oct. 27 announced amendments to the Juries Act. It made no mention of the eligibility changes. Under the present Juries Act only someone convicted of an indictable offence (the most serious offences) is ineligible to serve as a juror. The amendments expand this restriction to cover anyone convicted of a “hybrid” offence. More than 90% of all offences in the Criminal Code, including minor charges, are considered hybrid in nature. Valerie Hopper, a spokeswoman for the Ministry of the Attorney-General, said the amendments are to “update the language in the Act” and reflect that many indictable offences are now hybrid. 
It is an explanation that is not sitting well with defence lawyers in the province, who were not consulted about the change in juror eligibility. “This is an affront to democracy,” said lawyer Edward Sapiano. “They got caught doing something wrong and now they are changing the rules to their advantage. Is the Attorney-General saying that someone who got caught stealing a chocolate bar years ago can never serve on a jury,” he asked. Toronto defence lawyer Tyler Smith suggested the province has crafted the new law to try to reduce the chances of anyone who may be skeptical of police or the Crown, from ending up on a jury. The changes in Alberta and Ontario could face challenges under the Charter of Rights, said University of Alberta law professor Sanjeev Anand. “This is really extreme. Basically, anyone ever convicted of a criminal offence will not be permitted to serve,” observed Mr. Anand. “What is prompting governments to do this,” he asked. “There is no evidence that someone with a criminal record will be a biased juror.” The amendments in Ontario will permit the “sheriff” to retain police to conduct criminal record checks to determine the eligibility of potential jurors, using the Canadian Police Information Centre (CPIC) database. Other databases may also be accessed to assist in the record checks since CPIC requires a date of birth, which jurors are not required to disclose. While the new bill refers to the “sheriff,” the administration of jury lists in the province is administered by court services employees within the Ministry of the Attorney-[Source] See also: [National Post: Proposed law would limit jury pool: Excludes most with convictions]

 

CA – Insurers Take Issue with OPC Video Guidelines

Insurance firms are questioning the federal privacy commissioner’s jurisdiction while private investigators are telling the insurance industry to ignore the commissioner’s guidance on covert video surveillance. The OPC released the guidance earlier this year after receiving complaints about insurance companies’ use of the method, which the OPC says should be used “only in the most limited cases.” “Our advice to industry is, if you need to investigate, do not be deterred by the privacy commissioner’s guidelines,” said a lawyer for the Canadian Association of Private Investigators. State Farm Insurance has asked a federal court to consider whether the information collected during such investigations falls under Canada’s private-sector privacy law. [Source]

 

CA – Alberta Privacy Commish Concerned Over Bar Patron Law

An amendment to the Liquor and Gaming Act that would allow Alberta bars to collect and share information about problem patrons has drawn the attention of the province’s privacy commissioner, who is concerned that the information may not be handled properly. The law was written to enhance safety by allowing bars to alert other establishments about individuals who may present a problem. Although the Information and Privacy Commissioner’s office has written guidelines for the collection and sharing of information, it remains worried that the system could be abused. “The commissioner still has some doubts as to how this will work,” said Wayne Wood of the Office of the Information and Privacy Commissioner, “... How do you determine who’s a bad guy?” [Calgary Herald] See also: [Lost laptops shock watchdog - Alberta Privacy chief ‘stunned’ by casual way missing personal data treated]

 

CA – Nymity Recognized as Privacy by Design Ambassador

The Office of the Information and Privacy Commissioner of Ontario (IPC) has officially recognized privacy and data protection research firm Nymity as a Privacy by Design Ambassador for its role in advancing the concept of privacy in business practices. [Source]

 

Consumer

 

AU – World Drafts Privacy Standard

Privacy experts from 50 countries have worked out a draft agreement on international standards for the protection of privacy and personal data. The meeting was called the 31st International Conference of Data Protection and Privacy. If the standard is adopted by governments then data may only be processed after obtaining the “free, unambiguous and informed consent” of the data subjects and it should be deleted when it is no longer necessary. The standard requires that data collectors must identify themselves and state in clear language the purpose of the data processing and the recipients of the gathered data. If an organisation wants to transfer private data offshore then it may only be sent to a country that “affords, as a minimum, the level of protection provided for in the document”. According to a statement, the participants hope the draft international standards will serve as the basis for a universal, binding legal instrument on data protection. More than 1,000 participants from around the world took part in the conference, which was backed by the US Homeland Security Secretary, Google and Facebook. [Source]

 

US – CMU Releases Study of How People Perceive Online Behavioral Advertising

Aleecia M. McDonald and Lorrie Faith Cranor, researchers at Carnegie Mellon, have completed a report about consumers’ attitudes toward and perceptions about online behavioral advertising, “An Empirical Study of How People Perceive Online Behavioral Advertising.” The abstract explains: “We performed a series of in-depth qualitative interviews with 14 subjects who answered advertisements to participate in a university study about Internet advertising. Subjects were not informed this study had to do with behavioral advertising privacy, but raised privacy concerns on their own unprompted. We asked, “what are the best and worst things about Internet advertising?” and “what do you think about Internet advertising?” Participants held a wide range of views ranging from enthusiasm about ads that inform them of new products and discounts they would not otherwise know about, to resignation that ads are “a fact of life,” to resentment of ads that they find “insulting.” Many participants raised privacy issues in the first few minutes of discussion without any prompting about privacy. We discovered that many participants have a poor understanding of how Internet advertising works, do not understand the use of first-party cookies, let alone third-party cookies, did not realize that behavioral advertising already takes place, believe that their actions online are completely anonymous unless they are logged into a website, and believe that there are legal protections that prohibit companies from sharing information they collect online. We found that participants have substantial confusion about the results of the actions they take within their browsers, do not understand the technology they work with now, and clear cookies as much out of a notion of hygiene as for privacy. When we asked participants to read the NAI opt-out cookie description, only one understood the text. 
One participant expressed concern the NAI opt-out program was actually a scam to gather additional personal information. No participants had heard of opt-out cookies or flash cookies. We also found divergent views on what constitutes advertising. Industry self-regulation guidelines assume consumers can distinguish third-party widgets from first-party content, and further assume that consumers understand data flows to third-party advertisers. Instead, we find some people are not even aware of when they are being advertised to, let alone aware of what data is collected or how it is used.” [Source: Privacy Lives]

 

AU – Roger Clarke Unleashes Blast on Privacy

Australian Privacy Medal winner Roger Clarke has accused businesses and government agencies of “investing in image” and “playing the public for fools” over privacy concerns in the surveillance age. In a broadside unleashed at the annual Privacy Awards dinner in Sydney, Dr Clarke said organisations had become “habituated to hands-off stances by parliaments and by regulators”, and simply “got on and did” whatever they wanted. “Public thoroughfares are being converted from anonymous use to identified use, and not one privacy or human rights commissioner takes any interest,” he said. “Police, working through CrimTrac, regard the building of a national vehicle surveillance database as unthreatening to democracy. “And agencies demand access to body fluids and people’s biometric measurements on the flimsiest of excuses, and in the absence of any effective regulatory framework.” Dr Clarke said public interest representatives were being kept at arm’s length, and disenfranchised by terms such as “the same old faces”. “Organisations as diverse as the Human Services Department, the ABC, the National E-Health Transition Authority and the major banks act as though advocates have horns on their heads, and do everything they can to avoid engagement,” he said. But the foundation “advocates all wear suits, they are conservative, and they don’t have horns”. “There will be more massive disappointments, not least in the e-health arena, because the lessons aren’t being learnt.” [Source]

 

E-Government

 

US – Feds Wanted Private Data on All Visitors to Liberal Internet News Site

A Justice Department subpoena requesting all available information on all visitors to an independent news site is raising serious privacy concerns, and questions about how much information the US government is storing about its citizens’ news reading habits. Privacy watchdog Electronic Frontier Foundation has released an extensive report on a “bogus” attempt by a US attorney in Indiana to get Indymedia.us, an independent left-leaning news site, to hand over all the data it had about all the users who visited the site on a particular day. Further adding to civil libertarians’ and privacy watchdogs’ concerns is the fact that the Justice Department ordered Indymedia to keep silent about the request. [EFF]

 

UK – Gov’t Data Collecting Obsession Now Extends to 5yr Olds

The UK government’s obsession with collecting data has now extended to five-year-olds, as local Community Health Services get ready to arm-twist parents into revealing the most intimate details of their own and their child’s personal, behavioural and eating habits. The questionnaire - or “School Entry Wellbeing Review” - is a four-page tick-box opus, at present being piloted in Lincolnshire, requiring parents to supply over 100 different data points about their own and their offspring’s health. Previously, parents received a “Health Record” on the birth of a child, which contained around eight questions which needed to be answered when that child started school. The Review asks parents to indicate whether their child “often lies or cheats”; whether they steal or bully; and how often they eat red meat, takeaway meals or fizzy drinks. However, the interrogation is not limited to intimate details of a child’s health. Parents responding to the survey are asked to provide details about their health and their partner’s health, whether they or their partner are in paid employment, and even to own up to whether or not their child is upset when they (the parent) return to a room. Completing the review is, according to a spokeswoman for Lincolnshire Community Health Services (CHS), “entirely the choice of the parent”. However, the letter accompanying the review states: “Please complete the enclosed questionnaire and return it to school in the envelope provided within the next 7 days.” There is no indication on the letter of a parent’s right to opt out, and parents we have spoken with have expressed fears that failure to fill out this questionnaire might mean their child’s access to health services would be diminished. [Source]


E-Mail


UK – Every Phone Call, Email and Internet Click Stored by ‘State Spying’ Databases

All UK telecoms companies and internet service providers will be required by law to keep a record of every customer’s personal communications, showing who they are contacting, when, where and which websites they are visiting. Despite widespread opposition over Britain’s growing surveillance society, 653 public bodies will be given access to the confidential information, including police, local councils, the Financial Services Authority, the Ambulance Service, fire authorities and even prison governors. They will not require the permission of a judge or a magistrate to access the information, but simply the authorisation of a senior police officer or the equivalent of a deputy head of department at a local authority. Ministers had originally wanted to store the information on a massive Government-run database, but chose not to because of privacy concerns. However the Government announced last week it was pressing ahead with privately-held “Big Brother” databases which opposition leaders said amount to “state-spying” and a form of “covert surveillance” on the public. It is doing so despite its own consultation showing there is little public support for the plans. The Home Office admitted that only a third of respondents to its six-month consultation on the issue supported its proposals, with 50% fearing that the scheme lacked sufficient safeguards to protect the highly personal data from abuse. The new law will increase the amount of personal data which can be accessed by officials through the controversial Regulation of Investigatory Powers Act (RIPA), which is supposed to be used for combatting terrorism. Although most private firms already hold details of every customer’s private calls and emails for their own business purposes, most only do so on an ad hoc basis and only for a period of several months. 
The new rules, known as the Intercept Modernisation Programme, will not only force communication companies to keep their records for longer, but to expand the type of data they keep to include details of every website their customers visit - effectively registering every click online. Public authorities will not be able to view the contents of these emails or phone calls, but they will be able to see the internet addresses visited and the dates, times and users of telephone numbers and texts. The firms involved in keeping the data, such as Orange, BT and Vodafone, will be reimbursed at a cost to the taxpayer of £2billion over 10 years. The Information Commissioner’s Office has opposed the moves: “The Information Commissioner believes that the case has yet to be made for the collection and processing of additional communications data for the population as a whole being relevant and not excessive.” [Source] See also: [ISPs and public believe Government data safeguards inadequate] and [Simon Davies on Email surveillance Plan: ditch it for good]


Electronic Records


AU – Steps Taken to Safeguard Health IDs

Federal and state health ministers have committed to restrictions on the use of national health identity numbers, reports The Australian. In a communiqué released on Friday, the ministers said they will give the public an opportunity to review draft legislation on the issue and that the Unique Healthcare Identifier (UHI) scheme “will be underpinned by effective national privacy arrangements to protect health information wherever it is associated with identifiers, regardless of whether the information is held by a public or private organization.” The UHI program is set to take effect in mid-2010. [Source]


UK – London Medical Records Go Online

Millions of patient records will go digital in London tomorrow when the government launches its Electronic Summary Care Records program. The system is intended to ease information sharing among healthcare providers and potentially improve patient outcomes in urgent care situations. Concerns about the protection of sensitive medical data in the online environment led officials to include an opt-out provision in the system. Patients may choose not to have an electronic record created; however, some patients have reported that opting out is difficult. “This is completely unacceptable,” said the director of The Patients Association. [Source]


US – Electronic Medical Records Don’t Save Money, Says Study

Researchers affiliated with Harvard institutions are reporting a variation on the theme “the emperor has no clothes” regarding benefits from health information technology, the second such report to become public this week. The latest study, published today in The American Journal of Medicine, says that despite Congressional support to the tune of $19 billion, claims of efficiencies from computerizing hospital system records “rest on scant data.” Even “the 100 banner hospitals that are the most wired” are not seeing any cost savings, nor do their electronic medical record systems make the administration of healthcare more efficient, says author David U. Himmelstein, MD, associate professor at Harvard Medical School and former director of clinical computing at Cambridge Hospital. His study was based on a review of 4,000 hospitals over a five-year period that had implemented various levels of electronic records. “The idea from this administration that we’re going to pay for health reform out of savings from electronic medical records is baseless propaganda,” Himmelstein tells HealthLeaders Media. “It may be politically attractive, but it’s nonsense.” Himmelstein’s study is the second this week that disputes the benefits of EMR. Last week, The New York Times reported on a presentation by Ashish K. Jha and Catherine M. DesRoches of Massachusetts General Hospital. They compared 3,000 hospitals at various stages of adoption of computerized health records, and according to the article “found little difference in the cost and quality of care” between those that had adopted and those that hadn’t. [Source] See also: [Projections of savings from health IT are baseless, Harvard researchers say]


Encryption


WW – Only Half of CEOs Strongly Support Data Security Efforts

More than half of IT and security professionals worldwide believe their company’s laptops and other mobile devices pose security risks to their organizations, and only half of them have CEOs who are strong advocates and supporters of data security efforts, according to a new Ponemon report. The new Ponemon Institute report, “State of the Endpoint: IT Security & IT Operations Practitioners in the United States, United Kingdom, Australia, New Zealand & Germany,” which was commissioned by Lumension Security, also found that IT security is more worried about endpoint security (60%) than IT operations (53%), as well as other signs of inadequate communication and collaboration between the two groups. And security and IT pros in the U.S. tend to be more pessimistic about security than their counterparts in other parts of the world. Only 40% of U.S. IT and security pros said their CEOs were strong supporters of data security efforts, and while 77% of German firms and 57% of U.K. firms said their networks are more secure now than a year ago, only 44% of U.S. firms thought so. Only 42% of Australian firms said their networks were more secure this year than last. “I was surprised at the challenges in the U.S. market and how they didn’t feel they had buy-in at the ‘c’ level,” says Ed Brice, senior VP of worldwide marketing for Lumension. U.S. firms are also the least likely to get bigger budgets for security in fiscal year 2010 -- 11% of U.S. security pros expected more money, and 6% of IT pros. “They had the lowest [numbers] in looking to increase their budget,” Brice says. Around 53% of all firms expect their security spending to remain flat, according to the report. Lumension’s Brice says the survey demonstrates that adoption and implementation of cloud computing, Web 2.0, and virtualization technologies are coming faster than most organizations expected. “The adoption and implementation of these approaches is going to be more rapid than people are currently perceiving. The pressure to drive efficiency has never been greater as a result of the economic climate,” he says. “And IT is no longer in a position of saying, ‘No, you can’t do that.’ At the same time, they have to be careful that they don’t bring in additional risks. If you don’t have the resources, you could have more risk coming into the endpoint as you try to cut costs.” Another big hurdle is the remaining disconnect between IT and security departments within organizations. Only 17% of the firms in the survey said they had “excellent collaboration” between the two departments, while 42% said it was “adequate” but needs improvement. Around one-third said collaboration was poor or nonexistent, Brice says. [Source] [Report suggests discrepancy between reported and actual data loss incidents]


EU Developments


EU – Commission Forms Industry Body to Solve Behavioural Advertising Problems

The European Commission has formed a new group in an attempt to regulate companies’ growing gathering and use of customers’ personal data. The group has been formed to address problems the Commission says are eroding consumer trust. European Consumer Commissioner Meglena Kuneva said that “10% of European advertisers used [behavioural targeting] in 2007. Only one year later, it had already reached 28%. And almost 60% of advertisers said they wanted to use it this year. This development has an increasingly significant impact on consumers, who are genuinely concerned about the use of their private data in cloud computing and location-based services.” She has created the Stakeholder Forum on Fair Data Collection, a collection of businesses that will have to outline their plans for protecting consumers’ information. The Forum is scheduled to meet three times next year, with the first meeting taking place in February. According to the Commission, it will discuss the use of incomprehensible privacy policies; misleading and aggressive personal data collection methods; the breaking of existing rules on data collection; the best way to obtain informed consent for data collection; how to allow consumers to see what information is held on them; and whether or not consumers are told enough about the collection of data and its use to profile them. [Source]


UK – UK Considering Raising Maximum Data Breach Fine by ICO

The UK Ministry of Justice is considering raising the maximum penalty for violations of the Data Protection Act that result in serious data breaches to GBP 500,000 (US $830,000). The Information Commissioner’s Office (ICO) presently has the authority to impose a maximum fine of GBP 5,000 (US $8,300) for serious Data Protection Act violations. The possible significant increase in the maximum penalty is seen as a deterrent to lax security provisions, as is the fact that, under a recently added clause in the law, proceedings following a breach would be conducted publicly. The Ministry of Justice is also looking at jail sentences for malicious breaches, and pending legislation would allow the ICO to conduct data protection inspections. [Source]


UK – ICO: Number of Breaches “Unacceptable”

The Information Commissioner’s Office (ICO) says the number of data loss incidents has risen to an “unacceptable” level over the past year and that more management teams need to take data protection seriously. Breach numbers are up nearly 50% from the previous year: 434 organisations have reported data loss incidents, compared to 277 in 2008. NHS hospitals, the ICO says, are among the most breached. Beginning next year, the ICO may be able to levy fines for serious breaches. The Ministry of Justice has launched a consultation on whether to give the ICO fining powers for serious breaches, according to a Denton Wilde Sapte report. [BBC News]


EU – Swiss DPA Taking Google to Court

Financial Times reports on the Swiss data protection commissioner’s legal action against Google. Hanspeter Thür announced Friday that he would take the company to Switzerland’s Federal Administrative Court for failing to protect the privacy of those captured in the company’s StreetView mapping feature. “Google announced that it would primarily be filming urban centres, but then put comprehensive images of numerous towns and cities on the Internet,” Thür said. “In outlying districts, where there are far fewer people on the streets, the simple blurring of faces is no longer sufficient to conceal identities,” he said. Google’s global privacy counsel expressed disappointment in the action and said: “We will contest any case vigorously.” [Source]


Facts & Stats


US – Corporate Data Compromise Leads to Increased Risk of Identity Fraud

People who have received data breach notification letters from companies are four times more likely to be victims of identity fraud, a study finds. This is despite claims made by many companies that they do not see any indication that the compromised data are being used by criminals. The study also found that most consumers do not see a direct correspondence between breach notification letters and identity fraud. [Source]


Filtering


VN – Vietnam Internet Users Fear Facebook Blackout

Vietnam’s growing legions of Facebook users fear that the country’s communist government might be blocking the popular social networking Web site, which has become difficult to access over the past few weeks. Facebook has more than 1 million users in Vietnam, and the number has been growing quickly since the company recently added a Vietnamese language version of the site. [SiliconValley]


Finance


US – Banks Reissuing Credit Cards After Report of Breach at Spanish Payment Company

A German bank has recalled 60,000 credit cards after learning that the card numbers may have been compromised in a security breach at a Spanish payment company. The German Central Credit Card Commission says the recall is precautionary. Other German banks have recalled cards as well; in all, more than 100,000 German credit cards were recalled. The banks were alerted to the breach by Visa and MasterCard. People who have traveled to Spain recently and used credit cards there are urged to check their statements carefully. Banks in the Czech Republic have begun blocking cards in light of the breach, which is likely to affect citizens of other countries as well. [Source] [Source] [Source] [Source]


EU – Nations Oppose SWIFT Draft Agreement

Several European nations are backing away from a draft agreement to allow the sharing of European citizens’ financial data with U.S. authorities for the purpose of fighting terrorism. “Some countries have reservations,” said a spokesperson for the Swedish government, which is negotiating the accord. Germany, France, Austria and Finland have expressed reservations about the deal, which would share information, including bank account numbers, addresses and other personal details, from the SWIFT banking network. German Justice Minister Sabine Leutheusser-Schnarrenberger told the Berliner Zeitung newspaper that she was against the deal because it did not include “legal protection provisions.” [Source]


US – AICPA Sues FTC over Red Flags

The American Institute of CPAs (AICPA) has filed a lawsuit against the Federal Trade Commission (FTC) over the Red Flags Rule. AICPA says the FTC is wrong to interpret the rule as applying to accountants. The Red Flags Rule requires that financial institutions and creditors take certain measures to prevent and recognize identity theft. “We do not believe that there is any reasonably foreseeable risk of identity theft when CPA clients are billed for services rendered,” said AICPA president and CEO Barry Melancon. Late last month a U.S. District Court judge granted an American Bar Association motion to prevent the FTC from holding practicing attorneys accountable to the rule. [Source] [Complaint]


US – T-Mobile Admits Employee Sold Private Customer Data

T-Mobile has acknowledged that an employee stole customer records and sold them to data brokers, who in turn sold the information to T-Mobile competitors. The breach affects millions of T-Mobile customers. The information included contract expiration dates, which the rival companies used to target consumers at a time when they might be enticed to switch to another provider. The incident was disclosed by the UK Information Commissioner’s Office (ICO). T-Mobile was surprised that the ICO chose to make the case public, because it had been “asked to keep this issue confidential for legal reasons.” The individual who is suspected of stealing the information no longer works for T-Mobile. [Source] [Source] [Source] [Source] [Washington Post] [ICO Prosecuting T-Mobile Breach “biggest of its kind”]


FOI


WW – Microsoft Releases Paper on Cloud Privacy

In a paper released this week at the International Conference of Data Protection and Privacy Commissioners in Madrid, Microsoft outlines privacy concerns associated with cloud computing. While the cost-savings potential is real, “Privacy protections are essential to building the customer trust needed for cloud computing and the Internet to reach their full potential,” said Microsoft Senior Director of Privacy Strategy Brendon Lynch. Lynch said that privacy and security are the top concerns that organizations have about entering the cloud. “We want to take the initiative in regard to our position on privacy in the cloud,” Lynch told AFP. [Brendon Lynch blog posting] [Privacy in the Cloud Computing Era: A Microsoft Perspective] [Peter Cullen blog statement] [InformationWeek] [AFP] [SMH] [Physorg]


WW – Google Dashboard Debuts

Google announced yesterday that it has created a Web site where users can view the data Google stores on them and make privacy adjustments, reports the Wall Street Journal. Google Dashboard lets users of Gmail, Google Calendar and other products view their activities and delete their search histories, for example. The company says the dashboard is intended to give consumers more control over their data. In a blog post announcing the feature, the company wrote: “We are very aware of the trust you have placed in us, and our responsibility to protect your privacy and data.” [Source] [Google blog]


US – Opinion: Google Dashboard Changes our Thinking about Privacy

In the history of privacy, everything old is new again--only better. That’s according to Judy Shapiro, writing for Advertising Age. Shapiro says that last week’s introduction of Google Dashboard “is an important step in the right direction” because it will “help us evolve our thinking about digital privacy to focus our attention on managing what is digitally public about us rather than on doggedly focusing solely on keeping information private.” She asserts that operators of social networks, Web sites and other online communities should continue the momentum, saying that the shifted model will free Netizens to “take full advantage of our newly expanding digital social lives.” [Source] See also [Google trying not to cross ‘the creepy line’]


CA – In-Home Technology Must Protect Privacy

Networked medical technology that can monitor a patient’s condition, provide feedback and even facilitate an online consultation may soon be a central part of in-home healthcare, but networked medical devices must be designed to protect patient privacy, experts say. The Ontario Information and Privacy Commissioner Dr. Ann Cavoukian has issued a white paper, “Remote Home Health Care Technologies: How to Ensure Privacy? Build It In: Privacy by Design,” establishing parameters for privacy and data protection for the medical device industry working on such innovations. “As with virtually all significant steps forward with technological advances, concerns about privacy arise,” Cavoukian commented. [Source] [News Release] [Paper]


Genetics


US – Part 2 of “Genetic Information Non-discrimination Act” Takes Effect

A new federal law designed to prevent certain health information from being used against workers in job decisions is expected to have far-reaching effects in both health care and the workplace. Under the law, the second part of which takes effect today, employers are prohibited from asking employees or job candidates to take genetic tests or to provide their family medical histories. Some businesses and trade groups are concerned the law could open them up to lawsuits if they unintentionally obtain an employee’s health information. For instance, medical examinations used to determine whether a job candidate is physically fit to perform heavy labor, or information provided by a worker taking a leave of absence to care for a sick family member, could inadvertently contain genetic information. Chris Kuczynski, assistant legal counsel for the EEOC, said the law does not make it illegal to require employees or job candidates to have medical examinations for certain types of positions, but prohibits an employer from disclosing any genetic information it inadvertently obtains through the examinations. The law also includes exemptions for managers who overhear an employee discussing a medical condition at work - called the “water-cooler” exemption - or who learn about a worker’s family medical history through public and commercially available means, such as a newspaper obituary. However, the employer would be prohibited from using such information in job decisions. An employer’s decision could be based on a number of variables, so “there has to be a connection,” he said, “between the employer’s knowledge and the employment decision.” [Source]


UK - DNA of Anti-War Protesters Could Be Held For Life

Innocent members of the public detained but not charged or convicted under terrorism legislation may never have their profiles wiped from the national database, because they are to be treated differently from those held for all other alleged offences. The proposal is directed at those arrested for suspected terror offences but could apply to anyone held under a Terrorism Act. In contrast, the profiles of those innocent of any other suspected crime will be kept for a maximum of six years. The proposals have been drawn up in the wake of a European Court of Human Rights ruling last year that a blanket policy of retaining profiles of innocent people indefinitely was illegal. Up to a million innocent people are currently held on the national database. As part of a climb-down, the Home Office now plans to keep the profiles of children innocent of alleged minor crimes for three years instead of the six previously proposed. However, youngsters convicted of a minor offence will be kept on the DNA database for five years, and indefinitely if they are guilty of a second offence. Alan Johnson, the Home Secretary, published revised proposals for the retention of DNA following widespread criticism of plans earlier this year that would have seen some innocent people stay on the database for 12 years. Under the revised plans, the DNA of those arrested but not charged or convicted of terror offences will stay on the database for a minimum of six years, but senior police officers will then be able to review each case every two years on national security grounds to see if continued retention is warranted. Even under-18s arrested but not charged could have their DNA profiles stored for much longer periods than for other crimes. [Source] [Out-Law] [The Independent] [BBC]


US – Using Relative’s DNA Cracks Crime, but Privacy Questions Raised

Certain investigative methods employed by the Denver police have raised privacy concerns. Earlier this year, Denver police used software created in conjunction with the District Attorney’s office to identify a crime suspect through his brother’s DNA data. According to DA Mitch Morrissey, it is one of the first cases in the country to use software to find familial DNA matches, the report states. “...It’s a valuable way to generate leads,” Morrissey said. But a Maryland attorney says that “people have a reasonable expectation of privacy of their DNA.” Maryland was the first state to outlaw familial DNA searches, the report states. [CNN] SEE ALSO: [Privacy fears as DNA testing firm deCODE Genetics goes bust]


Health / Medical


CA – Privacy Czar Targets Forms

Ontario’s hodge-podge of different consent forms for people seeking the H1N1 flu vaccine has raised concerns for Ontario’s information and privacy commissioner. It has also led Ann Cavoukian’s office to investigate why at least one regional health unit has requested both drivers’ licences and OHIP cards at public vaccine clinics. Cavoukian said that in the run-up to the mass immunization program, no public health units consulted her office, nor did the province’s ministry of health and long-term care. As a result, not all of the forms - which people must sign to obtain their shot - explain properly how personal information will be protected. Instead, H1N1 consent forms vary in detail and length. In York Region the consent form is a single sheet. In Ottawa, however, it’s three pages. Most forms ask whether a person is a member of a high-risk group, and contain questions to ensure it is safe for them to be vaccinated. Cavoukian said she would investigate why some people at public clinics in the Ottawa area have had both their OHIP cards and their drivers’ licences swiped through a computer system. Dr. Nadine Sicard, associate medical officer of health for Ottawa Public Health, said public clinics collect the details to ensure people don’t accidentally get the vaccine twice, can be contacted if they need a second dose, and can be notified of any problems with a vaccine batch. Other information is submitted to the provincial health ministry as “aggregate” data for demographic studies, but doesn’t contain identifying information. Nor does the Public Health Unit hold information about driving records. “We’re really only using basic information,” she said. To get the vaccine, Ontarians should only have to show that they live, work or study in Ontario, said ministry of health and long-term care spokesman David Jensen. [Source]


Horror Stories


US – Hospital Privacy Leak Could Harm Patients

In the last few weeks, there have been numerous stories about insiders accused of abusing their access to government or corporate databases. A police chief in Iowa has been suspended while there’s an investigation into whether he misused his access to driver’s license and criminal history data. The Associated Press reported that a T-Mobile employee is accused of violating the privacy of millions of T-Mobile UK customers by selling their data to rival companies. In Australia, a former police officer “pleaded guilty to repeatedly using [a police] computer between 2006 and 2008 to get the details of women he had seen in public.” Also, it was revealed that President Obama’s nominee to head the Transportation Security Administration had been censured for misusing government database information for personal reasons. Now, the Las Vegas Sun reports, “Private information about accident victims treated at University Medical Center has apparently been leaking for months, the Sun has learned, allegedly so ambulance-chasing attorneys could mine for clients.” Sources say someone at UMC is selling a compilation of the hospital’s daily registration forms for accident patients. This is confidential information — including names, birth dates, Social Security numbers and injuries — that could also be used for identity theft. Hospital officials had known of rumors of the leaks since the summer, but doubted them until provided evidence Thursday by the Sun. Now they’re scrambling to catch up to a crisis that may affect hundreds, if not thousands, of patients. [Source: Privacy Lives]


US – T-Mobile Admits Employee Sold Private Data

An employee of mobile phone operator T-Mobile is facing prosecution after selling personal details of thousands of British customers to rival companies in an alleged major breach of data protection laws. Information Commissioner Christopher Graham said the data was sold for “substantial amounts of money” to brokers working for other mobile phone companies. The privacy watchdog said it planned to prosecute and would push for jail terms for anyone convicted. [Washington Post]


US – Connecticut AG Investigating Data Breach that Compromised Doctors’ Information

Connecticut Attorney General Richard Blumenthal has launched an investigation into the Blue Cross Blue Shield data breach. In August, a laptop computer containing personally identifiable information of 800,000 healthcare providers was stolen in Chicago. The affected individuals include at least 18,000 healthcare workers from Connecticut. Blumenthal said that Blue Cross Blue Shield and its affiliates “may have violated state law by losing the information and failing to notify providers in a timely fashion.” He says the offer of one year of credit monitoring is “inadequate and unacceptable.” The compromised information includes names, tax identification numbers and Social Security numbers (SSNs). [Source] [Source] See also: [Australian officer used police computer to access women’s details] and [Ottawa Police officer found guilty of insubordination]


US – Class Action Settlement Approved in Data Breach Case

A judge has approved a class action lawsuit settlement in a case involving a data security breach at financial services firm D. A. Davidson & Co. The settlement makes approximately US $1 million available to reimburse affected individuals for losses incurred as a result of identity fraud related to the breach. The settlement allows class members to file claims until June 2011. The attackers broke into a D. A. Davidson customer database in December 2007. Three people have been arrested in connection with the breach. [Source]


CA – Govt. Pays Compensation to Avoid Class-Action Lawsuit in Data Breach Case

The Canadian government has paid $751,750 to approximately 4,100 people whose personal information was compromised when six computers were stolen from a Canada Revenue Agency (CRA) office. The settlement pre-empts a potential class action lawsuit. The breach affected as many as 120,000 individuals. The payments of CAD 150 (US $142) and CAD 200 (US $189) are to compensate people for the time they spent contacting credit agencies to put notices on their accounts that their information had been compromised. A 2008 audit of the CRA found inadequate security at offices in Quebec and Ontario. [Source]


US – Lost Hard Drive Holds Seven Years of Health Net Patient Data

A hard drive containing personal and medical information of 1.5 million Health Net customers was lost in May, but the loss was not disclosed until earlier this week. The drive contains unencrypted Social Security numbers and medical information dating back to 2002; the breach affects customers in Arizona, Connecticut, New Jersey, and New York. Connecticut Attorney General Richard Blumenthal is investigating why the company waited six months to disclose the device’s loss. Health Net, which is based in California, is also investigating the incident. The company will send out breach notification letters to affected customers the week of November 30. [Source] [Source] [Source] [Source] [Source]


CA – Edmonton City’s Laptop Loss Rate = One Per Month

The City of Edmonton lost 48 laptop computers over the past four years, and only half of the incidents were investigated. City auditor David Wiun released that information in a report this week. Alberta Information and Privacy Commissioner Frank Work said: “I’m just stunned.” The report also noted that only in one instance did city officials determine whether the lost computer contained personal information. “The troubling thing is,” said Work, “because they only investigated 50%, I assume they don’t really know what they lost.” [Source]

 

Identity Issues

 

EU – STORK Completes Pan-EU Interoperability Framework For Electronic Identity

STORK, a pilot scheme co-funded by the EU that aims to implement EU-wide interoperability of electronic identities (eIDs), has announced that it has defined and completed the common framework and specifications that will be used in five pilot projects in 2010. The model was agreed over a 12-month period by the 14 Member States participating in STORK and was unveiled at the second Member States Reference Group meeting in Malmö City. Launched in 2008, STORK (Secure idenTity acrOss boRders linKed) is a three-year pan-EU initiative aiming to enable businesses, citizens and government employees to use their national electronic identities (eID) in any Member State. Such a system will simplify administrative formalities by providing secure online access to public services across EU borders. One of the key steps towards achieving this goal is to approve the technologies, standards and specifications required to form a universal framework, which will be heavily tested by the Member States during the five major pilot projects next year. Crucial to the process of defining the common specifications within the framework was to be respectful of each Member State’s organisations, legal and infrastructural limitations, as well as taking trust and scalability into account. One of two leaders in STORK in charge of defining the Common Specifications, Miguel Alvarez Rodriguez comments, “The main objective now is to test the model in real-time, with real people. Usability is critical to the success of the framework, so during the pilots we are expecting to refine and improve elements where necessary. Although it was a key factor in the conceptual design, scalability is also a challenge to be addressed in any future extensions of the project.” The five pilot projects, which will run for a period of 12 months, are:

The pilots will be run on a very flexible basis, with different Member States involved in each one. An overall evaluation work package will provide consistency for the assessment of pilot results. STORK is currently supported by the European Commission (Competitiveness and Innovation Programme) and involves 14 EU Member States: Austria, Belgium, Estonia, France, Germany, Italy, Luxembourg, Netherlands, Portugal, Slovenia, Spain, Sweden, the UK and Iceland (as an EEA member). [Source]

 

US – NGA Urges Passage of PASS ID, 36 States Unable to Meet REAL ID Deadlines

The National Governors Association (NGA) today sent a letter to Senate and House leadership urging Congress to pass S. 1261, the “Providing for Additional Security in States’ Identification Act” (PASS ID), this year. The letter, signed by NGA Chair Vermont Gov. James H. Douglas and NGA Vice Chair West Virginia Gov. Joe Manchin III, states that “as many as 36 states will not meet the requirements of REAL ID by the end of the year.” PASS ID offers a “practical solution” to REAL ID and “enjoys bipartisan support and the endorsement of the U.S. Secretary of Homeland Security.” [Source]

 

US – Pre-Paid Legal Services Says FTC May Sue

Pre-Paid Legal Services Inc., a network of independent law firms, said that the FTC may sue the company over allegedly misleading representations made by its identity theft prevention program. The identity theft program offers regular monitoring of credit reports, sending alerts if new accounts are opened in a customer’s name or if negative items are added to credit reports. It also offers to help a customer restore their credit rating if they are victimized by identity theft. [Washington Post]

 

US – Don’t Blame Me for Celeb Burglaries, Website Operator Says

David Ruppel may have inadvertently helped people accused of breaking into the L.A. homes of various celebrities. But that’s no concern of his. Six teens have been charged with stealing jewellery and other items from the homes of celebrities including Paris Hilton, Lindsay Lohan, Rachel Bilson and Orlando Bloom over an 11-month period. An unsealed search warrant revealed the burglars used sites like TMZ.com, Google Maps and www.celebrityaddressaerial.com to cyberstalk their targets. Ruppel, who is from Toronto, is the man behind that last site, which lists locations and photos of celebrity homes. The site is now the focus of privacy concerns from some celebrities. Currently unemployed, Ruppel describes the site as a paid hobby and sees it as another extension of our celebrity-obsessed world. [Source] [Royal Mail worker demands baby’s signature: cites data protection law]

 

Intellectual Property

 

UK – UK Government Lays Out Digital Plans

The UK government has laid out its plans to deal with illegal file-sharers as part of its Digital Economy Bill, outlined in the Queen’s Speech. It includes the power to disconnect persistent pirates. But its controversial broadband tax is not mentioned and will be launched as part of the Finance Bill, due next year. [BBC]

 

EU – EU Legislators Reach Agreement on Internet Access Rights & Illegal Downloading

European Union legislators have reached an agreement that strikes a balance between citizens’ rights to Internet access and the need to protect copyright holders’ interests. Internet users are granted protection from having their Internet access arbitrarily cut off if they are suspected of illegal filesharing. Internet access can be cut off only if national authorities have proof that users have illegally downloaded copyrighted material. The EU agreement, which has yet to be confirmed, does not require that authorities obtain a court order before cutting suspected offenders off from the Internet. France has already enacted a three-strikes policy for illegal downloaders, but connections cannot be severed without an order from a judge. Britain is considering similar rules. Spain has said it will not cut illegal downloaders off from the Internet. [Source] [Source] [Source] [Source] [Source]

 

Internet / WWW

 

WW – Privacy Chiefs Address Behavioral Targeting

Among the many developments coming out of last week’s 31st International Conference of Data Protection and Privacy Commissioners in Madrid, the world’s privacy leaders have agreed to implement steps aimed at curbing the rate and volume of data collected about consumers online. In spite of a current policy of self-regulation, the decision by both the U.S. and EU member nations seems motivated by public opinion polls showing that a majority express concern over the collection and use of personal information and online habits. [Source]

 

EU – Europe Approves New Cookie Law

The Council of the European Union has approved new legislation that would require Web users to consent to Internet cookies. While the current EU telecom law states that cookies are allowed if Internet users are notified of them and have an opt-out option, in practice, the law has been interpreted more loosely. In the U.K., for example, the information commissioner’s office issued a directive emphasizing that sites should clearly direct users to a page where they can opt out. But once the law goes into effect, users must provide consent to cookies being stored on their computers, meaning that they could be bombarded with annoying pop-ups or pages asking for permission. The new legislation does offer an exception for when a cookie is “strictly necessary” - for example, if a user is shopping online, a cookie can go from a product page to the checkout page without the need for consent. The law could have broad repercussions for online ads. “Almost every site that carries advertising should be seeking its visitors’ consent to the serving of cookies,” wrote the editor of Out-Law.com. “It also catches sites that count visitors - so if your site uses Google Analytics or WebTrends, you’re caught.” The legislation is part of a draft telecom law that the EU Council recently approved and will be signed into law within the next 18 months. Its main purpose, which the Council spent months debating, was to strike a balance between cracking down on illegal downloading and broad rights to Internet use. The Council struck down a so-called three strikes law, which would have allowed authorities to cut off Internet access to repeat online-piracy offenders. Instead, it ensures that Web users engaging in illegal downloads must be given a trial that guarantees the “right to be heard” before Internet access is shut off. Mr. Robertson said, however, that the bigger argument over three strikes caused the new cookie provisions to go unnoticed. “The consent standard is surely closing the loophole we’ve all been exploiting,” he wrote in an op-ed last month. He said the law will tempt businesses to break the rules and that “to legislate against the technology is unnecessary, short-sighted and destined to fail.” [Source]

 

WW – Hackers Hijack Hundreds of Facebook Groups to Make a Point

An anonymous group calling itself “Control Your Info” has taken over hundreds of Facebook groups to highlight what it claims is a major security weakness on the social networking site. Facebook downplayed the incident and said no hacking or confidential information was involved. More than 200 Facebook groups had been hijacked and renamed Control Your Info. Pasted on each group’s Wall was a message announcing that it had been “hijacked” and reminding members to be careful about controlling personal information on social networking sites. “This means we control a certain part of the information about you on Facebook. If we wanted we could make you appear in a bad way which could damage your image,” the message said. “For example we could rename your group and call it something very inappropriate and nasty, like ‘I support pedophile’s rights,’” the message said, while going on to assure group members that Control Your Info wouldn’t do that. The message also promised to restore each hijacked group’s name by the “end of next week” and promised not to “mess anything up.” [Source]

 

US – Social Networking Site Tagged Fined, Must Overhaul Practices

A social networking site has been fined $500,000 and told to overhaul its practices following charges it tricked members into providing personal details to lure new members and send out tens of millions of spam emails. New York Attorney General Andrew Cuomo said the site, Tagged Inc, would provide clear disclosures when seeking access to new users’ email contacts, and would be unable to access those contacts or send messages on behalf of Tagged.com members without permission. Tagged.com is the third-largest U.S. social networking site, according to its website. It said it had 16 million members active monthly, two-thirds of whom are outside the United States, and 7 billion page views a month. Mr. Cuomo accused Tagged.com of sending more than 60 million emails stating that friends had sent some photos, which in fact did not exist, and that recipients were told to sign up for Tagged.com to access them. The company would then use these contacts to send out more misleading emails, Mr. Cuomo said. Tagged has said it stopped using the alleged misleading registration process before Cuomo’s office first contacted it. [Source] [Source]

 

Law Enforcement

 

US – How Dumping IP Logs Helped News Site Preserve Readers’ Privacy

In a stunning show of disrespect for civil liberties, the federal authorities recently attempted to subpoena the IP addresses of Web visitors to the left-wing news site Indymedia.us, the digital rights group Electronic Frontier Foundation reports. Not only did the government attempt to obtain all IP addresses of people who visited on a particular day – June 25, 2008 – but authorities also ordered site administrator Kristina Clair to keep quiet about the subpoena. “This overbroad demand for internet records not only violated federal privacy law but also violated Clair’s First Amendment rights,” the EFF states in a new post about the case. Given that judges and lawmakers have long protected people’s right to read anonymously, it’s hard to imagine any scenario in which the government could legitimately demand to learn the identities of all readers of a lawful Web site. As it turns out, Indymedia.us destroys IP logs after five weeks, so Clair wasn’t able to comply with the subpoena, which was issued in January. The EFF also convinced the government to back off its demand that Clair keep quiet about the subpoena. Nonetheless, this incident marks more than just an example of government overreaching. It demonstrates that one sure way to guarantee Web users’ privacy is to destroy information that could be used to identify individuals. Privacy advocates have warned repeatedly that merely keeping records about Web visitors can potentially compromise their privacy. The advocates argue that when information exists, it can be obtained; the government can subpoena it, or people can hack into databases, or employees can simply release it. [EFF] [Source] [Declan McCullagh post]
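The retention practice the EFF post credits with protecting Indymedia.us readers (IP logs that expire after five weeks) can be implemented as a routine log-hygiene job. The following is an added example written for this digest, not code from Indymedia, the EFF or any of the cited sources: it parses a few constructed Common Log Format lines, drops every entry older than a five-week window and truncates the addresses that remain so that even the retained records no longer identify a single host. The sample lines, the function names and the truncation widths (/24 for IPv4, /48 for IPv6) are my own assumptions.

```python
"""Defensive log hygiene: expire old access-log entries and truncate the IPs that remain.

Added illustration for the Indymedia.us item above; not code from the site or the EFF.
"""
from __future__ import annotations

import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in Common Log Format; none of these lines is real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jun/2008:10:15:02 +0000] "GET /news HTTP/1.1" 200 5120
198.51.100.23 - - [30/Jul/2008:08:00:00 +0000] "GET /about HTTP/1.1" 200 1024
2001:db8::1 - - [01/Aug/2008:12:00:00 +0000] "GET /news HTTP/1.1" 200 5120
this line is not a log entry and is skipped
"""

# Retention window taken from the article: logs are destroyed after five weeks.
RETENTION = timedelta(weeks=5)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line: str) -> dict | None:
    """Parse one CLF line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"),
            "status": int(m.group("status"))}


def anonymize_ip(ip_str: str) -> str:
    """Zero the host bits: keep /24 of an IPv4 address and /48 of an IPv6 address.

    The widths are a design choice for this example; pick what your own
    traffic analysis needs and no more.
    """
    addr = ipaddress.ip_address(ip_str)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def purge_expired(entries: list[dict], now: datetime,
                  retention: timedelta = RETENTION) -> list[dict]:
    """Keep only entries whose timestamp is inside the retention window."""
    cutoff = now - retention
    return [e for e in entries if e["ts"] >= cutoff]


def process_log(text: str, now: datetime) -> list[dict]:
    """Parse, expire and anonymize a log body; returns the records worth keeping."""
    entries = [e for e in (parse_line(ln) for ln in text.splitlines()) if e]
    kept = purge_expired(entries, now)
    return [{**e, "ip": anonymize_ip(e["ip"])} for e in kept]


def demo() -> list[dict]:
    """Run the sample with a fixed 'now' (5 Aug 2008 UTC) so the result is reproducible."""
    now = datetime(2008, 8, 5, tzinfo=timezone.utc)
    return process_log(SAMPLE_LOG, now)


if __name__ == "__main__":
    for rec in demo():
        print(rec["ts"].isoformat(), rec["ip"], rec["req"], rec["status"])
```

With the fixed clock in `demo()` the 25 June entry (the day named in the subpoena) falls outside the 35-day window and is discarded, while the two later entries survive only as network prefixes. Running a job like this on a schedule means the answer to a records demand for an old date is simply that the data no longer exists, which is the point the EFF makes.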

 

CA – N.S. Appeal Court Rules Alleged Drug Courier’s Charter Rights Weren’t Violated

A man who successfully argued his charter rights were violated when he was arrested with three kilograms of cocaine at Halifax airport four years ago has to stand trial again, Nova Scotia Appeal Court has decided. The original trial judge ruled that Mandeep Singh Chehil’s charter rights were breached on Nov. 16, 2005, when WestJet workers allowed the RCMP to check his electronic ticket information, court documents say. The Mounties asked to look at a number of passengers’ ticket information as part of Operation Jetway, a program the RCMP designed to ferret out drug runners leaving Vancouver on overnight flights bound for various destinations. Jetway co-ordinators developed a “courier profile” of such smugglers, and police then zeroed in on anyone who bought a one-way ticket with cash at the last minute at the airline counter in Vancouver, court papers say. Mounties at the Halifax airport wanted to check out any people who fit that profile, and when WestJet employees showed them the ticket information, Chehil, then 28 and of Surrey, B.C., was the last passenger on the list of those who had bought a ticket at the last minute. His bag, along with those of nine others, was put aside for inspection by a drug-sniffing dog. The dog detected the cocaine in Chehil’s bag, the court documents state, and the traveller was arrested when he claimed the bag at the carousel. Chehil argued during his trial that his rights were violated under the Personal Information Protection and Electronic Documents Act. The trial judge agreed and excluded the drug evidence. Chehil was subsequently acquitted. The Crown appealed and a hearing was held Sept. 21, with the Canadian Civil Liberties Association having intervener status. The Appeal Court ruled that a balance must be struck between privacy rights and protection of the public from crime. Protection of privacy under the charter “extends only to reveal intimate details about a person’s lifestyle and personal choices or meaningful information intended to be private and concealed and in relation to which there is a reasonable expectation of privacy,” the court decision said. The Appeal Court didn’t accept Chehil’s contention that police violated his rights by looking at his ticket information. The court also said the trial judge erred because he didn’t consider the “totality of the circumstances test” in deciding whether Chehil had a reasonable expectation of privacy regarding his ticket information. “Mr. Chehil undertook his transaction with WestJet in full public view,” the appeal decision states. The court also pointed to WestJet’s legal and privacy policies that state there might be situations in which passengers’ personal information is provided to the authorities without their consent. “As the Crown points out, the policy is a warning to passengers that any information maintained by WestJet is subject to disclosure to the authorities,” the decision states. The court also noted that WestJet employees gave the information to the RCMP officers, who did not view it using “surreptitious means or intrusive technologies.” The Mounties did not have unlimited access to WestJet’s database, nor did they monitor passenger manifests continuously. “There was a point-in-time inquiry about a particular flight,” the decision said, and police were merely using an investigative tool to find out if any potential drug smugglers were on that plane. A date for Chehil’s second trial has yet to be set. [Source]

 

Online Privacy

 

WW – Facebook Offers Poor Personal Data Protection

A study of Norwegian Internet users and social media found that people are willing to post their personal information on social media sites even when they are not aware how it will be used. Conducted by SINTEF for the Norwegian Consumers’ Council, the researchers found that 60% of Norwegian Internet users are on Facebook. SINTEF’s Petter Bae Brandtzaeg and Marika Luders conclude that Facebook offers relatively poor personal data protection due to the service itself, its design, the level of competence of its users, and their lack of awareness of how to protect themselves. “Facebook has become an important arena for social participation in our personal environment,” Brandtzaeg says. “However, it is becoming ever more easy to gather and aggregate personal information, outside the control of users.” Still, people are willing to post their personal information because so many other people use Facebook, and they rarely hear of unfortunate incidents. Respondents were usually not aware that Facebook uses personal information for commercial purposes, and their personal information also can be used against them, such as when they apply for a job. The researchers say that people and objects will be woven together ever more closely by the next wave of Internet media such as Google Wave and mobile smartphones. “This can make us even more vulnerable to failures of personal data protection,” Luders says. [Source]

 

WW – Facebook Adopts New Privacy Policy

Facebook announced late last night that it has adopted its new proposed privacy policy, which it rejigged to fulfil its commitment to Canadian privacy commissioner Jennifer Stoddart to update the policy to make it more accessible and easier to understand. Last month, the popular social-networking website opened up its proposed changes to comments, followed by a possible vote by users. But by the Nov. 5 deadline, fewer than 7,000 comments had been submitted – the threshold that would trigger a vote under the site’s statement of rights and responsibilities. “Because of this – and the fact that many of the comments were positive – we’ve decided to adopt the revised policy,” said Michael Richter, Facebook’s deputy general counsel for intellectual property, product and regulatory affairs. In August, problems outlined by Stoddart forced the California-based company to change the way it handled the personal information of its 300 million users. [Source]

 

CA – Depressed Woman Loses Benefits over Facebook Photos

Manulife, a major Canadian insurance company, has revoked an Ontario woman’s sick leave benefits after the company accessed photos from Nathalie Blanchard’s Facebook profile — a profile that she had set as private and only viewable by approved friends. Blanchard had been on sick leave for the last year and a half while battling depression, but the checks recently ended. CBC News reports that when she called Manulife to ask why, the company said, “I’m available to work, because of Facebook.” She said her insurance agent described several pictures Blanchard posted on the popular social networking site, including ones showing her having a good time at a Chippendales bar show, at her birthday party and on a sun holiday — evidence that she is no longer depressed, Manulife said. Blanchard said that on her doctor’s advice, she tried to have fun, including nights out at her local bar with friends and short getaways to sun destinations, as a way to forget her problems. She also doesn’t understand how Manulife accessed her photos because her Facebook profile is locked and only people she approves can look at what she posts. Manulife wouldn’t comment on Blanchard’s case, but in a written statement, the insurer said: “We would not deny or terminate a valid claim solely based on information published on websites such as Facebook.” It confirmed that it uses the popular social networking site to investigate clients. In the United States, data from social networking sites (such as MySpace, Facebook or Bebo) are being used to gather evidence in criminal trials, against employees and applicants to jobs, and against high school students as well as applicants to colleges and graduate schools. Here’s more on social networking sites and privacy. [Source: Privacy Lives]

 

EU – Two German Killers Demanding Anonymity Sue Wikipedia’s Parent

A lawyer for two convicted killers in Germany is suing the Wikipedia Foundation to have his clients’ names removed from a Wikipedia entry that mentions them. German law holds that once a criminal has served his time, suppression of his name in news reports is feasible. German publications and Wikipedia editors have already removed the men’s names from their online sites, the report states. An Electronic Frontier Foundation lawyer says the case “really is about editing history.” A First Amendment lawyer told the NYT that every justice on the U.S. Supreme Court would agree that the Wikipedia article “is easily, comfortably protected by the First Amendment.” [New York Times]

 

Other Jurisdictions

 

AU – Ludwig Flags Data Privacy Overhaul

The Rudd government is planning to reform the Australian federal Privacy Act to ensure businesses regularly assess the impact of new technology on their handling of personal data, Special Minister of State Joe Ludwig says. “Rapid technological changes have meant a vastly increased capacity to collect, retain and disseminate personal information,” Senator Ludwig told the Privacy Awards dinner in Sydney. “Under the new openness principle, government agencies and businesses will be required to express – in a privacy policy – how they handle personal information at each stage of the cycle, allowing people to make informed and confident decisions about how they engage with these organisations,” he told the audience. “As working documents, the policies will require organisations to regularly consider how new technologies and ways of working affect their handling of personal information.” Senator Ludwig said the definition of personal information would be changed to “ensure that where an internet protocol or email address is linked to other reasonably accessible identifying information, that it will be considered personal information and covered by the law”. The Australian Privacy Awards were established by the federal Office of the Privacy Commissioner last year to encourage organisations to adopt good privacy practices in their governance. The Victorian Department of Justice won this year’s Grand Award for its campaign of staff awareness, which resulted in a reduction in privacy incidents. Other winners included Customs for its airline passenger data sharing accord with the European Union, health insurer Australian Health Management for its work on staff privacy obligations, FlyBuys for its customer protection arrangements and the Association of Market and Social Research Organisations for its industry privacy code. [Source] [Summary: Australia: Privacy Law Reforms And Privacy Regulation Simplification]

 

Privacy (US)

 

US – ACLU Releases Report on Enforcing Privacy in America

The ACLU has released a new report recommending steps Congress should take to create the vigorous privacy oversight institutions that are desperately needed in the U.S. to counterbalance the rush of new technologies and expanding government powers, and called for the Obama administration to move quickly to fill the seats on the Privacy and Civil Liberties Oversight Board (PCLOB). The ACLU report, Enforcing Privacy, is a blueprint for the creation of an American equivalent to something nearly every industrialized nation other than the United States has: a privacy commissioner charged with protecting citizens’ privacy from the government and private sector. Based on interviews with a wide range of experts on government and privacy, including privacy officers in other countries, it makes two primary recommendations to Congress. First, the report recommends building on the existing – but never filled – PCLOB by expanding its scope and powers to turn it into a full-fledged public-sector privacy oversight body. Second, the ACLU calls for an augmentation of the powers of the Federal Trade Commission to make it a full-fledged private-sector privacy regulator. [ACLU report: Enforcing Privacy] [Source]

 

US – Obama Names FTC Commissioners

President Obama has filled two vacant spots on the Federal Trade Commission. The White House announced that Julie Brill and Edith Ramirez will fill the seats left vacant by Republican Deborah Majoras and independent Pamela Jones Harbour. Brill is the senior deputy attorney general and chief of consumer protection and antitrust for the North Carolina Department of Justice, the report states. Ramirez is a partner at Quinn Emanuel Urquhart Oliver & Hedges LLP in Los Angeles. “These individuals bring a depth of experience to their respective roles, and I am confident they will serve my administration and the American people well,” the president said in a statement. [Source]

 

US – Online Privacy Watchdogs Hammer Away on Capitol Hill

As the data privacy debate heats up, lobbying intensifies. Advocates have converged on Washington, DC this week for a series of briefings about online and offline data collection, reports ClickZ. At a briefing yesterday, representatives from the Electronic Frontier Foundation (EFF), Center for Digital Democracy, American Civil Liberties Union and other organizations brought congressional staffers up to speed on personal data collection methods. “What we’re concerned about is the amount of surveillance and tracking going on without consumer consent,” said Lee Tien of the EFF. Lawmakers will consider the privacy implications of online and offline advertising at a joint House subcommittee hearing, ClickZ reports. [Source]

 

WW – Smart Utility Meters Draw Attention of World’s Privacy Leaders

Privacy and data protection leaders from around the world last week discussed the privacy implications involved with the use of “smart” electrical utility meters during the 31st International Conference of Data Protection and Privacy Commissioners in Madrid. The meters’ ability to help conserve electricity may come at the cost of consumer privacy as energy-use patterns betray the habits of residents in the homes being monitored. “The collection and storage and retention of the data makes it vulnerable to security breaches as well as to government access,” said Christopher Wolf, co-chair of the Future of Privacy Forum. [Source] [Opinion column by Commissioner Ann Cavoukian and Jules Polonetsky, of the Future of Privacy Forum, published by the Toronto Star] [New white paper outlines how Commissioner Cavoukian’s SmartPrivacy concept can be used to address the privacy concerns raised by the Smart Grid]

 

US – Kentucky Pet Privacy Law Restricts Shared Information

A new pet privacy law is taking some heat from animal control agencies. They’re concerned because the law restricts information that can be shared by veterinarians. Kentucky lawmakers passed legislation that restricts veterinarians from sharing any pet record information with animal shelters, grooming facilities and any individual who may have found a stray animal. “They’ll call and they want information about vaccination records, those kind of things, especially rabies vaccinations,” Dr. Monroe Slaton said. “We are not going to be able to share that information over the phone.” The new legislation requires pet owners to give consent, either verbal or written, to their veterinarian in order to release any information about their animal. The Hopkins County Humane Society receives three to four stray animals per week that have rabies tags but no tag with owner information. The society has concerns with the new law. “If they are not allowed to give us information, then we have no way of knowing if the person we plan on adopting to is a responsible pet owner,” Humane Society Manager Patty Legget said. The Hopkins County Humane Society Board has discussed working with the veterinarians in the county to provide a waiver for pet owners. It is state law for every pet to wear rabies tags, which provide contact information to track down a pet’s owner. [Source]

 

RFID

 

IR – Road Toll Users to Get More Privacy

The Office of the Data Protection Commissioner has reached an agreement with a toll operator on the information it retains about motorists, reports the Irish Times. BetEireFlow Ltd, operator of the barrier-free toll on Dublin’s M50 motorway, and the National Roads Authority (NRA) say they will make changes to address the concerns of motorists whose information is stored in the BetEireFlow database even though they are not registered with the system. The NRA will amend certain processes to better protect the privacy of unregistered users and says it will allow toll users to opt for “anonymous” travel in the coming months. [Source]

 

US – DHS to Produce Tribal ID Cards

The United States Department of Homeland Security (DHS) will produce identification cards for four American tribal nations. The enhanced identification cards, which will be embedded with a radio frequency identification technology (RFID), will be issued to members of the Tohono O’odham Nation of Arizona, Kootenai Tribe of Idaho, Pascua Yaqui people of Arizona and the Seneca Nation of New York, and are approved for use at U.S. border crossings. Design of the cards will closely follow that of the controversial enhanced passport and driver’s licenses that some claim leave the holder vulnerable to electronic eavesdropping. DHS is in discussions with 25 other tribes for the approval and production of identification cards. [Federal Computer Week]

 

Security

 

US – For 1/3 of US Government Agencies, Security Incidents are a Daily Occurrence

A CDW-Government survey of 300 US government IT professionals found that 44% of agencies noted an increase in the number of security incidents over last year. 31% of respondents said their agencies experienced at least one cyber security incident every day. The top areas of concern reported by respondents were malware, inappropriate employee activity or network use, managing access for approved remote users, and data encryption. [Source] [Source] [Source]

 

US – Rutgers Computer Scientists Work to Strengthen Online Security

Rutgers University computer scientists are developing an alternative to online security questions that is designed to be easier for legitimate users and more secure. “We call them activity-based personal questions,” says Rutgers professor Danfeng Yao. “Sites could ask you, ‘When was the last time you sent an email?’ Or, ‘What did you do yesterday at noon?’” Initial studies suggest that questions about recent activities are easy for legitimate users to answer but harder for attackers to guess or learn. “We want the question to be dynamic,” Yao says. “The questions you get today will be different from the ones you would get tomorrow.” Initial results from the system will be presented at ACM’s Conference on Computer and Communications Security. Rutgers researchers found that questions related to time were more robust than other questions. Yao says online service providers can create security questions using data from a user’s email, calendar, or transactions, though computers would need to use natural language processing tools to synthesize understandable questions and analyze answers for accuracy. Yao has proposed additional studies to determine the practicality of the new approach and how it could best be implemented. [Source]

 

WW – Online Users Becoming Less Anxious Over Security, Privacy: Unisys

The results of a study released this week indicate that anxiety levels related to Internet security and personal safety are lower than they were six months ago. The “Unisys Security Index: Global Summary” survey targeted 8,000 individuals in the U.S., UK, Germany, Belgium, Brazil, Netherlands, Spain, Australia and New Zealand. It revealed that anxiety levels are 15% lower than they were earlier this year, possibly due to signs that the economic crisis is easing, according to Unisys. On privacy and security, respondents, particularly those in Brazil, the United States and Germany, indicated worry about the use of bank cards and identity theft. [Source]

 

US – Small Businesses an Inviting Target for Data Thieves

According to a new study by the U.S. National Cyber Security Alliance, only 28% of small businesses have Internet security policies and only 14% have someone dedicated to information security. As a result, small businesses present a “robust target” for hackers and information thieves, commented Michael Kaiser, executive director for the alliance. “Unfortunately so much in the small to mid-sized market is how do we put out the fire, rather than how do we fireproof the house,” said computer forensics investigator Douglas Brush. “It’s scary the amount of information I come across: people just leave too much sensitive information out in the open.” [Reuters] See also: [Canadian businesses report higher levels of fraud than global counterparts]

 

US – NARA Admits Violating Internal Policy on Personal Info

The National Archives and Records Administration (NARA) has admitted to violating its own security policy by failing to destroy faulty hard drives containing personally identifiable information (PII) belonging to federal employees and members of the military and, instead, returning the drives to vendors for maintenance. Former acting archivist Adrienne Thomas told the House Oversight and Government Reform Committee’s Information Policy, Census, and the National Archives Subcommittee that, in spite of the violations, she believed no disclosure of PII had occurred. The contractual returns, which took place earlier this year, were in violation of a new security policy implemented in 2008. [Source]

 

Smart Cards

 

UK – Police Probe Breach of NHS Smartcard Security as E-Records Launched in London

An NHS trust at the forefront of work on the £12.7bn NHS IT scheme has called in police after a breach of smartcard security compromised the confidentiality of hundreds of electronic records. Patients in Hull have expressed their dismay that an unauthorised NHS employee had accessed their confidential records. Details of the breach emerged as health officials in London were, in an unrelated event, telling journalists about the start of a roll-out of electronic records across London, as part of the National Programme for IT [NPfIT]. The roll-out is part of plans by the Department of Health to create for 50 million people in England an electronic “summary” medical record on a central database run by BT. But doctors say that the breach of security at NHS Hull shows that an insider with a smartcard can access confidential electronic records without authorisation, if the person is determined to do so. They say that this will deepen the scepticism of some doctors that centrally-held medical records will remain confidential under the NPfIT. [Source]
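The doctors’ point is that a smartcard authenticates the holder but does not by itself stop an authorised insider from opening records they have no reason to see. The usual compensating control is retrospective audit of the access log against a record of legitimate care relationships. The following is an added example, not the NHS or NPfIT code: the audit lines, the staff-to-patient relationship table, the working-hours window and the “three unjustified views” threshold are all constructed here for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed smartcard audit records: "<ISO timestamp> <staff id> <patient id> <action>".
AUDIT_LOG = [
    "2009-11-10T09:05:00 S1001 P501 VIEW",
    "2009-11-10T09:12:00 S1001 P502 VIEW",
    "2009-11-10T09:20:00 S2002 P503 VIEW",
    "2009-11-10T13:40:00 S2002 P501 VIEW",   # no care relationship
    "2009-11-10T13:41:00 S2002 P504 VIEW",   # no care relationship
    "2009-11-10T13:42:00 S2002 P505 VIEW",   # no care relationship
    "2009-11-11T02:15:00 S1001 P503 VIEW",   # not assigned, and out of hours
]

# Constructed "legitimate relationship" table: staff id -> patients under their care.
# A real system would hold this per time period, since assignments change.
CARE_RELATIONSHIPS = {
    "S1001": {"P501", "P502"},
    "S2002": {"P503"},
}


def parse_line(line):
    """Parse one audit line into a dict (assumed four-field format)."""
    ts, staff, patient, action = line.split()
    return {"when": datetime.fromisoformat(ts), "staff": staff,
            "patient": patient, "action": action}


def out_of_hours(record, start_hour=7, end_hour=20):
    """True when the access falls outside the assumed working-hours window."""
    return not (start_hour <= record["when"].hour < end_hour)


def find_unjustified_access(log_lines, relationships):
    """Accesses where the staff member has no recorded care relationship
    with the patient. Each is tagged with whether it was out of hours."""
    flagged = []
    for rec in map(parse_line, log_lines):
        if rec["patient"] not in relationships.get(rec["staff"], set()):
            rec["out_of_hours"] = out_of_hours(rec)
            flagged.append(rec)
    return flagged


def find_bulk_viewers(flagged, threshold=3):
    """Staff with at least `threshold` unjustified views: the pattern of someone
    browsing records rather than a single mis-click."""
    counts = Counter(r["staff"] for r in flagged)
    return {staff: n for staff, n in counts.items() if n >= threshold}


def audit_report(log_lines, relationships, threshold=3):
    """Summarise the findings for a reviewer."""
    flagged = find_unjustified_access(log_lines, relationships)
    return {
        "unjustified": len(flagged),
        "out_of_hours": sum(1 for r in flagged if r["out_of_hours"]),
        "bulk_viewers": find_bulk_viewers(flagged, threshold),
    }


if __name__ == "__main__":
    for rec in find_unjustified_access(AUDIT_LOG, CARE_RELATIONSHIPS):
        print(rec["when"], rec["staff"], "viewed", rec["patient"],
              "(out of hours)" if rec["out_of_hours"] else "")
    print(audit_report(AUDIT_LOG, CARE_RELATIONSHIPS))
```

The check is deliberately retrospective: it does not block the access, which is what a clinician in an emergency needs, but it makes every unjustified view reviewable and surfaces the accounts that accumulate them.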

 

Surveillance

 

US – Researchers Describe Weakness in Government Wiretap Technology

Researchers at the University of Pennsylvania say they have discovered a vulnerability in the technology the government uses to conduct wiretaps. The surveillance communication is transmitted between telecommunications companies and government agencies over a 64-Kbps data channel. People who think they are being monitored could effectively launch a denial-of-service (DoS) attack by sending a glut of text messages or VoIP calls, which could overwhelm the system. The researchers discovered the vulnerability by examining ANSI Standard J-STD-025, which “defines how switches should transmit wiretapped information to authorities.” [Source] [Source]
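The failure mode the researchers describe is a capacity problem: a fixed 64-Kbps channel can carry only so many intercept records per second, and once the offered rate exceeds that ceiling the backlog grows until records are lost. The simulation below is an added example, not the researchers’ code or the J-STD-025 specification; the per-record size, the queue limit and the 80% alert threshold are assumptions, and the 64,000 bit/s figure is the one quoted in the item. It models the channel from the monitoring side and shows when a queue-depth alarm would fire relative to when records start being dropped.

```python
CHANNEL_BPS = 64_000   # channel rate quoted in the article


def max_records_per_second(record_bytes, bps=CHANNEL_BPS):
    """Sustainable delivery rate for fixed-size records over the channel."""
    return bps / (record_bytes * 8)


def simulate(offered_per_second, record_bytes, seconds, queue_limit,
             bps=CHANNEL_BPS, alert_fraction=0.8):
    """Second-by-second model of a bounded delivery channel.

    Records arrive at `offered_per_second`, the channel drains at its capacity
    (fractional capacity carried over as credit), and anything beyond
    `queue_limit` is dropped. A monitor alerts whenever the queue exceeds
    `alert_fraction` of the limit. Returns delivered/dropped counts, the peak
    queue depth and the seconds in which the monitor alerted.
    """
    capacity = max_records_per_second(record_bytes, bps)
    queue, credit, delivered, dropped, max_queue, alerts = 0, 0.0, 0, 0, 0, []
    for t in range(1, seconds + 1):
        queue += offered_per_second       # new records this second
        credit += capacity                # channel capacity accrued this second
        send = min(queue, int(credit))    # whole records the channel can carry
        queue -= send
        credit -= send
        delivered += send
        if queue > queue_limit:           # buffer exhausted: records are lost
            dropped += queue - queue_limit
            queue = queue_limit
        max_queue = max(max_queue, queue)
        if queue > alert_fraction * queue_limit:
            alerts.append(t)
    return {"delivered": delivered, "dropped": dropped,
            "max_queue": max_queue, "alerts": alerts}


if __name__ == "__main__":
    print("ceiling at 100-byte records:", max_records_per_second(100), "records/s")
    print("within capacity:", simulate(60, 100, 10, 500))
    print("over capacity:  ", simulate(200, 100, 10, 500))
```

With 100-byte records the ceiling is 80 records per second. Offering 60 per second leaves the queue empty and raises no alert; offering 200 per second fills a 500-record buffer in five seconds, after which roughly 120 records are lost every second, and the queue-depth alarm fires one second before the first loss. The practical lesson is that the monitor, not the channel, is what tells the operator that the intercept is no longer complete.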

 

Telecom / TV

 

US – Real ID Program In Deep Trouble

A decision by lawmakers to slash funding for the unpopular Real ID national driver’s license program has put an already struggling initiative on life support. The U.S. Senate recently approved a $43 billion budget for the U.S. Department of Homeland Security for the federal government’s 2010 fiscal year, which began Oct. 1. The appropriation called for substantial increases in DHS spending in several key technology areas but slashed Real ID funding by 40%, from $100 million to $60 million. The budget cut suggests that Real ID is going nowhere, said Jim Harper, director of information policy studies at the libertarian Cato Institute. But Congress’ hesitation to kill Real ID entirely highlights the touchy political nature of the program, he said. “There isn’t any love for Real ID on Capitol Hill,” Harper said, but many lawmakers are reluctant to openly reject it for fear of being seen as too soft on national security. “For all intents and purposes, Real ID has been put on the back burner,” said Pam Dixon, executive director of the World Privacy Forum. “But it isn’t dead yet.” [Source]

 

US Government Programs

 

US – Ron Paul Aide Detained in Airport, Prompts TSA Rules Change

An aide to Ron Paul was detained and questioned in March by Transportation Security Administration screeners in St. Louis for nearly 30 minutes about why he was carrying around $4700 in cash and checks, prompting the TSA to modify its rules regarding detaining and questioning air passengers. The new rules forbid TSA agents from questioning passengers on matters unrelated to the potential safety of others on an aircraft. Carrying around large sums of money does not qualify under the provisions of the new rules.

“... screening may not be conducted to detect evidence of crimes unrelated to transportation security,” the new regulation states. The TSA rule change has prompted the ACLU to drop a lawsuit on behalf of Steve Bierfeldt, Paul’s aide. “We had been hearing of so many reports of TSA screeners engaging in wide-ranging fishing expeditions for illegal activities,” said a lawyer for the ACLU. “Bierfeldt repeatedly asked the agents to explain the scope of their authority to detain and interrogate him and received no explanation. Instead, the agents escalated the threatening tone of their questions and ultimately told Bierfeldt that he was being placed under arrest. Bierfeldt recorded audio of the incident with his iPhone,” the ACLU wrote in a statement. “In the lawsuit, Bierfeldt and the ACLU sought a court order requiring the TSA to bring its search policies into line with constitutional requirements for passenger privacy, arguing that passengers moving through pre-flight screening can only be subject to searches aimed at keeping weapons and explosives off airplanes. Bierfeldt’s experience proved that TSA searches had taken on a much broader scope.” [Source] See also: [The PC Privacy Battle at the Border: Legal overview]

 

US – GAO Report Finds Network Security Problems at Los Alamos

A report from the Government Accountability Office (GAO) describes various computer network vulnerabilities at Los Alamos National Laboratory (LANL). The weaknesses include failing to identify and authenticate users, failing to encrypt classified information, failing to monitor security policy compliance and allowing users access to data beyond the scope of their duties. The report also made note of LANL’s “decentralized approach to information security program management [which] has led to inconsistent implementation of policy.” LANL has spent US $45 million on security for its classified computer network between 2001 and 2008. [Source] [Source] [Source]

 

US Legislation

 

US – U.S. House Subcommittee Holds Hearing about Consumer Privacy Online

MediaPost, the Wall Street Journal and The Hill have stories about this week’s hearing on online privacy. The Journal previews the hearing: “In recent years, marketers have grown more adept at culling consumer data from an array of online and offline sources — including real-estate and motor-vehicle records, consumer surveys, credit-card data and logs of Web visitors’ online behavior — to identify the most receptive audiences for their ads,” and legislators sought to learn more about how these practices affect consumer privacy. “The scrutiny comes as [...] Internet, advertising and media companies are pouring resources into increasingly detailed consumer research and developing more effective ad-personalization technologies.” The Hill attended the hearing and reports on the discussion: Rep. Rick Boucher (D-Va.) “wanted to know if privacy legislation, if passed, should apply to both online and offline marketing practices. Zoe Strickland, Wal-Mart’s chief privacy officer, said yes, since most services are offered both on and off the Internet. [Chris Hoofnagle of UC Berkeley Law] agreed that a ‘broader approach’ would be useful, and suggested imposing time limits for storing personal information.” MediaPost also attended the hearing and reports that Rep. Ed Markey (D-Mass.) said, “We have moved from an era of privacy keepers to privacy peepers and data mining reapers.” Markey also “reiterated calls for consumers to have the ability [to] prevent companies from collecting data,” says MediaPost. Pam Dixon of the World Privacy Forum testified (pdf) that “The merging of offline and online data is creating highly personalized, granular profiles of consumers that affect consumers’ opportunities in the marketplace and in their lives. Consumers are largely unaware of these profiles and their consequences, and they have insufficient legal rights to change things even if they did know.” She noted, “The most important idea I would like to convey to you is that information collection and use today is already robust enough and rich enough to influence what a person’s world looks like to them. Two people going to one web site or one retail store could already be offered entirely different opportunities, services, or benefits based on their modern permanent record comprised of the previous demographic, behavioral, transactional, and associational information accrued about them. These same two people can also be subject to a denial of opportunities, services or benefits based on analysis of the same information.” The Hill reports that Reps. Bobby Rush (D-Ill.) and Cliff Stearns (R-Fla.) have been considering “legislation that would place restrictions on how Internet and marketing firms collect consumer information,” but “a draft will most likely not be released until early next year.” The Journal’s preview also notes the Federal Trade Commission’s interest in online privacy issues that affect consumers. For more on the problems with targeted behavioral ads, see the comments that Privacy Lives and nine other groups submitted to the FTC privacy roundtable, as well as the legislative primer and overview the groups submitted to Congress in September, which sets out detailed recommended solutions and informs the public and government officials of important gaps in consumer privacy protection. [Source] [Social media & breaches: Data mining and analysis tools]

 

US – House Science & Technology Committee Passes Cybersecurity Enhancement Act

The US House Committee on Science and Technology has passed the Cybersecurity Enhancement Act of 2009, which “is based on the concept that in order to improve the security of our networked systems ... the federal government must work in concert with the private sector,” according to committee chairman Bart Gordon (D-Illinois). The legislation incorporates elements of two bills that were approved by House subcommittees earlier this year. It will require the National Institute of Standards and Technology (NIST) to take the lead in the US’s involvement in the development of international cyber security standards and it will require federal agencies to establish strategic long-term cyber security research and development plans. The bill also incorporates recommendations made in the 60-day Cyberspace Policy Review. [Source] [Bill]

 

US – Proposed Legislation Prohibits P2P Use in Government and Contractor Computers

A bill introduced in the US House of Representatives would prohibit the use of peer-to-peer (P2P) filesharing technology in government computers and those used by government contractors except in cases where its use has been officially approved. The Secure Federal File Sharing Act would also require the Office of Management and Budget (OMB) to publish P2P-use guidance and would prohibit personal use of P2P software on government networks. The legislation comes in the wake of last month’s revelation that a confidential House Ethics Committee document was inadvertently leaked through P2P software. [Source] [Source] [Source] [Bill]

 

US – House Lawmakers Push Ban on Peer-To-Peer Software

Stung by an embarrassing electronic leak last month revealing ethics investigations into dozens of lawmakers, U.S. Congress moved Tuesday to prohibit federal employees from using the same type of Internet file-sharing software blamed for the disclosure. The Secure Federal File Sharing Act, introduced in the House, would bar government employees and contractors from downloading, installing or using so-called peer-to-peer file sharing software such as Limewire without official approval. The bill also would require the White House to develop rules for employees and contractors working on home or personal computers. [Washington Post]

 

US – Senate Judiciary Committee Approves Two Breach Notification Bills

The US Senate Judiciary Committee has approved both the Personal Data Privacy and Security Act of 2009 and the Data Breach Notification Act. The bills now go before the full Senate. The Personal Data Privacy and Security Act would require organizations that retain consumer data to establish data privacy and security programs. The bill would also impose significant fines for failing to disclose a data breach and require that entities experiencing data security breaches notify those whose information was compromised and also notify law enforcement authorities. The Data Breach Notification Act would establish a federal law requiring data breach notification that would supersede all existing state breach notification laws. The bill would also require organizations to report large breaches to the US Secret Service. [Source] [Source] [Source] [Source] See also: [Criminals stay ahead of data breach laws, experts warn] See also: [Congress Unlikely to Reform Privacy Act: Groundswell of Support Never Materialized to Revise 35-Year-Old Law]

 

US – R.I. Governor Vetoes Bills Limiting Use of Tracking Devices

Rhode Island Governor Carcieri has vetoed legislation that would have limited the use of electronic devices that track people as well as objects such as motor vehicles. The governor vetoed two bills that would have banned the use of RFID tags to track students and would have required police and other law enforcement agencies to get court orders before they could get access to toll data, similar to the requirements for other searches and seizures. (The data would have remained available without a court order for toll enforcement.) The governor’s veto messages to the General Assembly objected to preventing local officials from using the tags to keep track of students. He cited a number of circumstances where he said the tags could be useful, such as natural disasters, terrorist attacks or even for routine events such as field trips. [Source]

 

US – Mass. Publishes Final Data Protection Regulations

The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has published its final regulations for the state’s new data protection law, Mass 201 CMR 17. In the press release, the OCABR reports that the state is aware of “more than 1 million instances of Massachusetts residents’ personal information being exposed in two years.” The law was originally signed by Governor Deval Patrick in October of 2007, but has been twice delayed from taking effect as state regulators worked to reconcile the law’s provisions with feedback from the Massachusetts business community. Mass 201 CMR 17 is scheduled to take effect on March 1, 2010. [OCABR press release]

 

Workplace Privacy

 

WW – Companies Fear Wrath of Ex-Staff

Organizations that have had to let go staff during this economic downturn fear reprisals from disgruntled ex-employees, according to a recent global survey by Ernst & Young LLP. For its annual Global Information Security Survey, the Toronto-based professional services firm surveyed 1,900 organizations, 75% of which reported concern about internal and external attacks perpetrated by ex-staff. In fact, the organizations reported a rise in IT attacks on corporate Web sites and networks in the current economic downturn, with 41% reporting an increase in external attacks, 25% witnessing an increase in internal attacks, and 13% an increase in internally-perpetrated fraud. Claude Francoeur, a partner in Ernst & Young’s IT risk and assurance practice, said the survey addressed the risk of former employees having access to sensitive data. “When we look at the types of the risks that an organization would be concerned about, it would be related to leakage of information,” said Francoeur. The elevated fear of ex-employee reprisals is compounded by 56% of respondents reporting a scarcity of IT resources, an 8% rise from last year. Francoeur said that while this is not a novel issue, the “significant rise” observed this year results primarily from workforce reduction. But that doesn’t mean that organizations aren’t spending on IT security. Only 19% of respondents said they have not yet taken steps to protect themselves in light of increased fear of IT threats from ex-employees. Those that are spending money on IT security are doing so in the areas of data leakage prevention (DLP), identity and access management, and change controls. Respondents also said implementing or improving DLP technologies was the second-highest priority in the next 12 months, with organizations investing in tools and processes to identify and protect sensitive data. Francoeur isn’t surprised that DLP was rated as more important than even security awareness training and regulatory compliance, given the ease with which data can be removed from an organization. [Source]

 

WW – Study: Most Corporate Breaches From Inside Leaks and Vulnerabilities

An international study has found the number of internal security risks is on the rise in corporations, and they’re not just malicious attacks from disgruntled workers. In fact, the majority of breaches – 52% – arise from accidental leaks and vulnerabilities, according to the study by International Data Group. The exposure of confidential information is now the single greatest threat to enterprise network security, according to the Enterprise Security Survey. Only 19% of insider threats were considered deliberate, while 26% were a combination of intentional and accidental breaches of security. “This is something that has been really accelerating in the last 15 years,” said one Canadian author. The authors of the study found a “comprehensive risk management framework is the only way to effectively manage operational risk, secure competitive advantage, reduce vulnerabilities ... reduce the growing number of regulatory compliance violations and control high-profile incidents of information leaks,” the report states. Any plan to combat internal risks should start with a thorough risk assessment that is reviewed or updated regularly. Education of employees and ongoing training to ensure compliance is another step to making the organization secure. Insider threats need to be defined and evaluated based on their risk and what the likely results would be if compromised. The report also recommends auditing all internal user accounts regularly, implementing strong security controls, identifying high-risk users, and focusing regulatory compliance reporting on internal security policy and on meeting key performance targets. [The Montreal Gazette]
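Two of the items above converge on the same control: the Ernst & Young survey’s worry about ex-employees who still hold access, and this study’s recommendation to audit internal user accounts regularly and identify high-risk users. The following is an added example of such an audit, not code from either report or from any identity product. The account records, the 90-day dormancy threshold, the 30-day notice window and the severity labels are assumptions constructed for the example; a real run would pull the same fields from the directory and the HR system.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed account inventory joined with HR leaving dates (hypothetical data).
# `left` is the employee's last day (None if still employed); `privileged`
# marks admin or service accounts.
ACCOUNTS = [
    {"user": "jdoe",       "enabled": True,  "last_login": date(2009, 11, 18),
     "left": None,              "privileged": False},
    {"user": "asmith",     "enabled": True,  "last_login": date(2009, 10, 30),
     "left": date(2009, 10, 31), "privileged": True},   # left, account still enabled
    {"user": "bwong",      "enabled": False, "last_login": date(2009, 9, 1),
     "left": date(2009, 9, 2),   "privileged": False},  # left, correctly disabled
    {"user": "svc_backup", "enabled": True,  "last_login": date(2009, 6, 1),
     "left": None,              "privileged": True},    # dormant privileged account
    {"user": "cgarcia",    "enabled": True,  "last_login": date(2009, 11, 19),
     "left": date(2009, 12, 15), "privileged": True},   # privileged user about to leave
]


def audit_accounts(accounts, today, dormant_days=90, notice_days=30):
    """Return (user, finding, severity) tuples for accounts that need attention.

    Three checks, in the order a reviewer would triage them:
      1. ex-staff whose account is still enabled (the leak path the surveys fear);
      2. enabled accounts with no login for `dormant_days`, worse if privileged;
      3. privileged users whose last day falls within `notice_days` (high-risk
         users to watch more closely, not to lock out).
    """
    findings = []
    for acct in accounts:
        left = acct["left"]
        if left and left <= today and acct["enabled"]:
            findings.append((acct["user"], "EX_STAFF_STILL_ENABLED", "high"))
        if acct["enabled"] and (today - acct["last_login"]).days > dormant_days:
            findings.append((acct["user"], "DORMANT",
                             "high" if acct["privileged"] else "medium"))
        if (left and today < left <= today + timedelta(days=notice_days)
                and acct["privileged"]):
            findings.append((acct["user"], "PRIVILEGED_USER_LEAVING", "medium"))
    return findings


def severity_summary(findings):
    """Counts by severity, for the headline of the audit report."""
    return dict(Counter(sev for _, _, sev in findings))


if __name__ == "__main__":
    today = date(2009, 11, 20)
    for user, finding, sev in audit_accounts(ACCOUNTS, today):
        print(f"{sev:6} {user:12} {finding}")
    print(severity_summary(audit_accounts(ACCOUNTS, today)))
```

Run against the sample inventory on 20 November 2009 the audit flags the leaver whose account was never disabled, the service account nobody has used since June, and the administrator in their notice period; the account that was disabled on departure produces no finding, which is the state every leaver record should be in.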