Privacy News Highlights

23–30 September 2009

 

Contents:

US – ‘Clear’ Security Service May Return at Airports

CA – Supreme Court Chief Justice McLachlin Warns Against Overzealous Terror Laws

CA – Privacy Commissioner Issues Final Review of ISP Traffic Management Practices

CA – Privacy and the 2010 Olympics

CA – New Privacy Act Proclaimed in Nova Scotia

US – Two-Thirds of Americans Object to Online Tracking: Study

WW – Civil Society Coalition Discuss Global Privacy Standards

CA – Ontario Government Agency Breaches Confidentiality

UK – Drivers’ Details Sold by DVLA Used in Bizarre Roadside Adverts for Castrol

EU – Statewatch Issues Report on the EU Security-Industrial Complex

US – Survey: 71% of Firms Struggling on Payment Data Security

WW – EPIC Celebrates International Right to Know Day (September 29)

US – White House Announces New Transparency Policy for Visitor Logs

UK – Genetic Disease Patients May Lose Privacy Rights to Protect Families

US – Survey: Medical Students Reckless on Internet With Patient Privacy

US – Florida AHCA Debuts Health Information Privacy Law Tool

US – UNC Notifying 163,000 Mammography Research Project Participants of Data Breach

US – Doctors Mistakenly Fax Patients’ Data to Indiana Company

EU – French Parliament Approves ‘Three-Strikes’ Anti-Piracy Law

CA – RCMP Shares Gun Registry Info with Research and Marketing Firm

US – Judge Orders Google to Deactivate Account

US – New “Irresponsible” Netflix Contest May Violate Customer Privacy

US – Survey Says New Massachusetts Data Security Compliance Isn’t Cheap

US – EPIC to FTC: "Parental Control" Software Firms Gather Data for Marketing

WW – Shield Against Photos

US – Universities Spar Over Disappearing Electronic Messages

US – CDT Banking on RFID Privacy Invasion

PH – Vehicle Tagging Plans Criticized

CA – TELUS-Rotman Breach Study Released: Numbers, Costs Up

KR – Controlling the Language of Security

WW – Study: Only 33% of Users Actively Back Up Their Files

US – DOD IG Audit Finds Data Sanitization Problems for Decommissioned IT Equipment

US – DOD to Lift USB Ban With Restrictions

AU – Threats to Privacy in Proposed New Intercept Rules Averted, says EFA

US – Administration Wants to Continue Surveillance Law

EU – EU Funding “Orwellian” Plan to Monitor Public for “Abnormal Behaviour”

EU – Startling Irish Memo on Retaining Data

IN – India Wants Internet Telephony Ban

US – FBI’s Data-Mining System Sifts Airline, Hotel, Car-Rental Records

US – TSA Needs Privacy IT Tools, Inspector General Report

US – DHS Privacy Office Releases Annual Report to Congress

US – Details on Border Searches in DHS Report

US – Energy and Commerce Committee Vote on Nationwide Breach Notification

US – House Subcommittee Approves Cyber Security R&D Bill Amendment

US – Critics Say Pandemic Emergency Bill Tramples Privacy Rights

CA – Union Executive Sues CUPE, Alleges Email Spying

 

 


Biometrics

 

US – ‘Clear’ Security Service May Return at Airports

Verified Identity Pass was a company that offered travelers a tempting proposition: pay up to $199 a year, submit to a fingerprint and iris scan, and skip to the front of interminable airport security lines. But last June, the company left its roughly 200,000 paying customers stranded, saying that it was ceasing operations and did not have cash to offer refunds. Now it appears those customers will get a break. A California investment banker said that his new investment group, Henry Inc., had signed a letter of intent with the defunct company’s largest debt holder to buy its assets and reopen its fast-lane security service, called Clear. The group thought it could bring back the service as soon as this holiday season. It will offer former Clear members, some of whom had paid for years of the service in advance, the option of rejoining with their membership intact. If the former members choose not to sign up, their personal information will be destroyed. [NYT]

 

Canada

 

CA – Supreme Court Chief Justice McLachlin Warns Against Overzealous Terror Laws

Canada’s most senior judge has cautioned against going overboard in the fight against terrorism by putting too much emphasis on the 9/11 attacks in the U.S. at the expense of sacrificing civil rights and charter protections. Chief Justice Beverley McLachlin’s warning that lawmakers, judges and citizens must heed the big picture comes as the federal government’s war on terror is taking a beating in the nation’s courts. “The fear and anger that terrorism produces may cause leaders to make war on targets that may or may not be connected with the terrorist incident,” McLachlin said in a luncheon speech. “Or perhaps it may lead governments to curtail civil liberties and seek recourse in tactics they might otherwise deplore... that may not, in the clearer light of retrospect, be necessary or defensible.” The chief justice, citing historic examples of terrorism over the decades, described it as “an ongoing phenomenon that neither started nor ended with 9/11” and therefore must be dealt with in a broad, systemic and sustainable way. “It’s not a do it once and it’s over situation,” McLachlin said of short-term efforts to crack down. Nor is it an “either-or” situation in which society must choose between rights or terrorism, she said. The challenge in putting civil liberties on equal footing is that terrorist acts themselves breed fear that “there is a terrorist around every corner” who must be caught at all costs, she said. [Source]

 

CA – Privacy Commissioner Issues Final Review of ISP Traffic Management Practices

In February 2009, the PCC made a submission in the CRTC’s public proceeding to review the Internet traffic management practices of ISPs. The PCC’s comments addressed privacy concerns about the potential use of Deep Packet Inspection (DPI). The CRTC held public hearings in July 2009, and invited parties to submit a Final Reply. The PCC’s Final Reply addresses four issues:

1. The CRTC has a statutory obligation and recognized expertise to protect privacy.

2. PIPEDA provides a basic standard for privacy protection; the CRTC may set higher, industry-specific guidelines.

3. Privacy and legitimate business interests can be addressed using a balancing test. For example, the PCC has applied the reasonable person test, with its consideration of less privacy-invasive methods, as part of an overall assessment of reasonableness under PIPEDA.

4. Canadians care about personal privacy and are entitled to know how their personal information is being handled and protected.

[Review of the Internet traffic management practices of Internet service providers - Final reply of the Office of the Privacy Commissioner of Canada to the Canadian Radio-television and Telecommunications Commission (CRTC)]

 

CA – Privacy and the 2010 Olympics

The Office of the Privacy Commissioner of Canada has created a web page to address privacy concerns and the 2010 Winter Olympics and Paralympic Games. As the first international “mega-event” to take place in Canada in the post-9/11 era, the Vancouver Winter Games pose unprecedented security challenges. But while keeping athletes, visitors, staff and volunteers safe will be of paramount importance, it is crucial that security officials uphold another core Canadian value: Respect for the privacy of individuals and the integrity of their personal information – before, during and after the Games. The Office of the Privacy Commissioner of Canada, in conjunction with the Office of the Information and Privacy Commissioner of British Columbia, has been communicating with the Integrated Security Unit responsible for Olympic security, to ensure that surveillance and other security measures do not unduly infringe on the rights of participants, workers, visitors or nearby residents. This website explores the preservation of privacy in the context of Olympic security, and provides links to further information. We invite you to return as the countdown to the Vancouver 2010 Games continues. [Source] [Fact Sheet: Privacy and Security at the Vancouver 2010 Winter Games]  [Website]

 

CA – New Privacy Act Proclaimed in Nova Scotia

Personal information will be more secure under the Privacy Review Officer Act that takes effect Sept. 25. The new act provides authority to a review officer to investigate breaches of privacy when people and organizations are not satisfied with how information shared with government or public bodies such as hospitals, universities and school boards is handled. The government has appointed Freedom of Information Review Officer Dulcie McCallum, to this new position. A former ombudsman for the Province of British Columbia, Ms. McCallum was appointed the Freedom of Information Review Officer in 2007 for a five-year term. Nova Scotia joins all other Canadian provinces and the federal government which have some kind of legislative authority for external review or oversight. [Source]

 

Consumer

 

US – Two-Thirds of Americans Object to Online Tracking: Study

About 2/3 of Americans object to online tracking by advertisers — and that number rises once they learn the different ways marketers are following their online movements, according to a new survey from professors at the University of Pennsylvania and the University of California, Berkeley. The professors say they believe the study, released this week, is the first independent, nationally representative telephone survey on behavioral advertising. The topic may be technical, but it has become a hot political issue. Privacy advocates are telling Congress and the FTC that tracking of online activities by Web sites and advertisers has gone too far, and the lawmakers seem to be listening. Representative Rick Boucher, Democrat of Virginia, wrote in an article for The Hill last week that he planned to introduce privacy legislation. And David Vladeck, head of consumer protection for the FTC, has signaled that he will examine data privacy issues closely. Marketers are arguing that advertising supports free online content. Major advertising trade groups proposed in July some measures that they hoped would fend off regulation, like a clear notice to consumers when they were being tracked. The data in this area, however, has been largely limited to company-financed research or Internet-based research, which survey experts say they believe is not representative of all Americans. So the study — among the first independent surveys to examine this issue — has attracted widespread interest. “This research is going to ignite an intense debate on both sides of the Atlantic on what the appropriate policy should be,” said Jeffrey Chester, executive director of the privacy group Center for Digital Democracy. [NYT Source] [Survey] See also: [Digital fingerprinting ‘may be unlawful in Canada’, warns MRIA]

 

WW – Civil Society Coalition Discuss Global Privacy Standards

The Public Voice, the largest worldwide civil society coalition, will discuss “Global Privacy Standards in a Global World” during its conference on 3 November 2009 in Madrid, Spain, to be held in conjunction with the 31st Annual International Conference of Data Protection and Privacy Commissioners. Prominent advocates and experts from the academic, consumer, digital rights and labor communities will discuss with public officials and the business sector how to raise privacy awareness in the global community and how to promote civil society participation in decision making processes towards the adoption of better privacy and data protection standards globally. The Conference will first review recent privacy and human rights developments and major privacy activism campaigns around the world. It will also include the release of the current edition of the Privacy and Human Rights report. The Conference will also address current challenges raised by emerging technologies and business practices: representatives from the civil society and business sector will discuss privacy implications of issues such as cloud computing or Internet search. It will further address transborder data flows in the public and private sector, from passenger name records and financial transactions to the outsourcing of personal data. The final Conference panel will launch the “Madrid Civil Society Declaration on Global Privacy Standards” that will be discussed by invited public data protection officials from OECD, the EU Article 29 Working Party, USA and Canada. Peter Hustinx, European Data Protection Supervisor, will provide closing remarks. The Conference is sponsored by the Spanish Data Protection Agency and is free to all participants. Registration is compulsory. [Detailed program, registration and practical information]

 

E-Government

 

CA – Ontario Government Agency Breaches Confidentiality

The Ontario Federation of Anglers and Hunters (O.F.A.H.), along with the Canadian Shooting Sports Association (C.S.S.A.) and other organizations representing firearms owners across Canada, have become aware of an apparent breach of confidentiality involving information contained in the firearms registration system. This breach strongly justifies earlier calls to scrap the system, as proposed in Bill C-391, currently before the House of Commons. EKOS Research, a private sector polling company, was contracted by the Canadian Firearms Centre (CFC) to conduct a survey of firearms owners across Canada, and was provided with personal information about firearms owners by the CFC, in an apparent breach of privacy and confidentiality. Worse still, the Minister of Public Safety, who is responsible for the CFC and its parent body, the RCMP, was not consulted prior to the release of the information. The apparent release of information to EKOS, which occurred in violation of government policy, and without the knowledge and approval of the Minister, who in any case would not authorize the release of such information, is the latest in a long line of procedural gaffes and financial disasters associated with the ill-fated long gun registry, which has cost Canadian taxpayers almost $2 billion to date. [Source] [Probe sought over RCMP’s use of data on gun owners]

 

UK – Drivers’ Details Sold by DVLA Used in Bizarre Roadside Adverts for Castrol

The UK Government’s controversial Driver and Vehicle Licensing Agency has launched an investigation into how the car registrations of millions of motorists were sold for use by a giant oil firm. Castrol spent hundreds of thousands of pounds on a campaign promoting its oils, using giant advertising billboards on five major routes in London. Roadside cameras recorded number plates before flashing their registration on to screens and revealing the grade of oil recommended for use in the car’s engine. Castrol used another firm to obtain the data, which is believed to have contained most of the 34 million-strong driver details held by the DVLA. This identified the make, year, engine size and model of vehicle, enabling Castrol to specify the lubricant suitable for each car. Liberal Democrat transport spokesman Norman Baker said: ‘This completely inappropriate and unacceptable behaviour by the DVLA shows how cavalier it is with motorists’ information. ‘They don’t even check what the end use is. It seems all you have to do is ask and the DVLA will give, no matter who you are and for what purpose. It’s outrageous this was allowed to happen.’ The row is a fresh embarrassment for the DVLA and raises new questions about how highly sensitive drivers’ information is handled by the agency. [Source] [Source]

 

 

 

EU Developments

 

EU – Statewatch Issues Report on the EU Security-Industrial Complex

“Despite the often benign intent behind collaborative European ‘research’ into integrated land, air, maritime, space and cyber-surveillance systems, the EU’s security and R&D policy is coalescing around a high-tech blueprint for a new kind of security. It envisages a future world of red zones and green zones; external borders controlled by military force and internally by a sprawling network of physical and virtual security checkpoints; public spaces, micro-states and ‘mega events’ policed by high-tech surveillance systems and rapid reaction forces; ‘peacekeeping’ and ‘crisis management’ missions that make no operational distinction between the suburbs of Basra or the Banlieue; and the increasing integration of defence and national security functions at home and abroad. It is not just a case of “sleepwalking into” or “waking up to” a “surveillance society”, as the UK’s Information Commissioner famously warned, it feels more like turning a blind eye to the start of a new kind of arms race, one in which all the weapons are pointing inwards. Welcome to the NeoConOpticon.” [Press release: Defence industry dominates EU’s security research programme] [NeoConOpticon - The EU Security-Industrial Complex by Ben Hayes]

 

Finance

 

US – Survey: 71% of Firms Struggling on Payment Data Security

According to the PCI DSS (Payment Card Industry Data Security Standard) Compliance survey, commissioned by Imperva and conducted by the Ponemon Institute, approximately 70% of entities that handle payment card transactions view compliance as a box checking exercise rather than as central to their operations. Companies that implement PCI DSS as part of their strategic approach are less likely to experience breaches. Nearly 80% of those surveyed said their organizations had experienced a data security breach. 55% of responding organizations said they protected payment card data but not other customer data, like SSNs, driver’s license numbers and financial account information. Of the small businesses (501 to 1,000 employees), 28% are PCI DSS compliant; of large businesses (75,000 or more employees), 70% are PCI DSS compliant. The top reason for non-compliance is the cost associated with implementing new security programs. [Source] [Source] [Source] [Source] [Source] [recommendations]

 

FOI

 

WW – EPIC Celebrates International Right to Know Day (September 29)

EPIC celebrated International Right to Know Day, established to raise awareness of every individual's right of access to government-held information. EPIC is speaking at American University's Third Annual International Right-To-Know Day Celebration concerning opportunities to restore U.S. leadership in government transparency. Recently, the Obama Administration announced revisions to the "state secrets" privilege and increased access to White House visitor records. Both initiatives aim to expand disclosure of information. Last week, EPIC filed papers to force the Department of Homeland Security to comply with federal open government law, citing the President's commitment to transparency. [Source]

 

US – White House Announces New Transparency Policy for Visitor Logs

On Sept 4 the White House announced a new policy to release the records of White House visitors, an initiative that is intended to promote open government. Under the policy, the White House will release information on all individuals who come for an appointment, a tour, or to conduct official business, with certain exceptions for confidential or particularly sensitive meetings. For example, the White House will not release access records that implicate national security or records from meetings with prospective Supreme Court nominees. It will also withhold the records from purely personal guests of the first or second families. The White House also promised not to release visitors’ personal information or information that implicates law enforcement concerns. The personal information that the policy will protect includes such data as dates of birth, social security numbers, and contact phone numbers. Law enforcement concerns will prevent the White House from releasing records that may implicate the personal safety of the staff of the Executive Office of the President, such as their daily arrivals and departures. [White House Transparency Policy] [White House Press Release on Transparency Policy]

 

Genetics

 

UK – Genetic Disease Patients May Lose Privacy Rights to Protect Families

Britain’s General Medical Council (GMC) released updated guidance on confidentiality yesterday that obligates physicians to notify the relatives of those who have been diagnosed with a genetic disease. The idea is to ensure family members are notified of their own genetic risks. “A patient might refuse to consent to the disclosure of information that would benefit others,” the guidance states. “In these circumstances, disclosure might still be justified in the public interest.” The document impacts all 150,000 physicians in Britain. It also provides guidance on reporting certain conditions to the Driver and Vehicle Licensing Agency when an individual is unfit to drive for health reasons. [Source]

 

Health / Medical

 

US – Survey: Medical Students Reckless on Internet With Patient Privacy

In 2007, a resident surgeon snapped a picture of a patient’s tattoo – the words Hot Rod on his penis – and shared it with colleagues, making international news when the story was leaked to the press. At least the resident didn’t post the picture on the Internet. A new survey suggests that with the rise of blogging and sites like Facebook, Twitter, and YouTube, such a thing could happen. In fact, 60% of medical schools have had students post inappropriate or unprofessional information on the Web, according to a study in the September 23/30 issue of the Journal of the American Medical Association. Most of the time, the information was related to the student’s own behavior, including drunken, drug-related, or sexually suggestive images or comments, as well as the use of profanity or discriminatory language. But six schools, or 13%, reported incidents in the past year that involved content that violated patient privacy. For example, some students blogged about their experiences with enough detail to identify patients, and one student posted patient details on Facebook. Most of the time other trainees told the dean about the indiscretions, but in two cases, patients or their families blew the whistle. Fewer than half of schools currently have policies in place to police or punish such behavior. [Source] [Source]

 

US – Florida AHCA Debuts Health Information Privacy Law Tool

Florida’s Agency for Health Care Administration, which runs the state’s Medicaid program, has launched a Web site that focuses on privacy and security laws as they relate to electronic health records and health information exchanges. The agency’s Crosswalk Tool lets users search for information on federal and Florida state laws and regulations. It will also cover federal rule-making and guidance documents regarding the HITECH Act’s privacy provisions, an agency spokeswoman said. The tool aims to serve as an educational resource for providers and consumers, helping them determine which law applies to the sharing of particular information, according to the agency. [Source] [Crosswalk Tool]

 

Horror Stories

 

US – UNC Notifying 163,000 Mammography Research Project Participants of Data Breach

The University of North Carolina at Chapel Hill (UNC) is notifying 163,000 women whose personal information was exposed in a computer security breach. The compromised server at the UNC School of Medicine contains data collected as part of a mammography research project, and received data from 31 sites across the state. The breach was discovered over the summer, but may have occurred as long ago as 2007. Once the breach was detected, the server was taken offline. [Source] [Source] [Source]

 

US – Doctors Mistakenly Fax Patients’ Data to Indiana Company

Doctors in three Tennessee cities have been sending sensitive patient information to the fax machine of an Indiana businessman for three years. “This is a total breach of privacy,” said the recipient of the faxes, Bill Keith. Despite repeated attempts to correct the problem, including calls, faxes and e-mails to state officials and the doctors’ offices, Keith says his office continues to receive about five faxes each week that contain patients’ data, including medical histories and SSNs. A Department of Human Services spokesperson described the situation as “troubling.” [Source]

 

Intellectual Property

 

EU – French Parliament Approves ‘Three-Strikes’ Anti-Piracy Law

The French National Assembly voted Tuesday to adopt, by 258 votes to 131, the so-called “three strikes” law criminalizing file-sharing. Those caught infringing copyright online could face the suspension of their Internet access, a fine or even prison. The Senate approved the same text on Monday. With the two houses of parliament in agreement, the text now requires only the signature of President Nicolas Sarkozy to become law, although the possibility of another appeal being lodged with the Constitutional Council cannot yet be ruled out. [PC World]

 

Law Enforcement

 

CA – RCMP Shares Gun Registry Info with Research and Marketing Firm

The Royal Canadian Mounted Police (RCMP) shared its list of Canadian gun owners with an outside research firm hired to conduct a poll. The list contained gun owners’ names, addresses and phone numbers, and some have complained that their personal data was shared. The RCMP says it did not violate privacy rules since the research firm was contracted, cleared by and working as an extension of the agency. But Canada’s privacy commissioner is looking into the matter nonetheless. Public Safety Minister Peter Van Loan called the RCMP move “offensive and inappropriate.” [Source]

 

US – Judge Orders Google to Deactivate Account

A U.S. District Court Judge in California has ordered Google to deactivate the Gmail account of a user who was accidentally sent confidential bank information. An employee of Wyoming-based Rocky Mountain Bank sent the data to the account in error; the data include names, SSNs and loan information of more than 1,300 bank customers. Upon recognizing the mistake, the bank sent another email to the same address, requesting that the recipient destroy the previous email and contact Rocky Mountain Bank. After receiving no reply, the bank asked Google for information about the account holder. Google said that it would not surrender any information without a court order. The judge’s order is controversial because it appears to violate the account holder’s First Amendment rights. Additionally, deactivating an individual’s Gmail account could have far-reaching effects. [Source] [Source]

 

Online Privacy

 

US – New “Irresponsible” Netflix Contest May Violate Customer Privacy

A privacy researcher is urging Netflix to cancel its next research contest, before it results in potentially millions of dollars in damages for invasion of its customers’ privacy. “Netflix should cancel this new, irresponsible contest,” Paul Ohm wrote in a blog affiliated with Princeton University’s Center for Information Technology Policy. On Monday, the company awarded $1 million to the winners of its first competition, aimed at developing technology to improve its ability to predict what movies its customers will like. Ohm worries the information the company is about to release as test data for the second contest isn’t as anonymous as Netflix may think. According to the New York Times: “The new contest is going to present the contestants with demographic and behavioral data, and they will be asked to model individuals’ “taste profiles,” the company said. The data set of more than 100 million entries will include information about renters’ ages, gender, ZIP codes, genre ratings and previously chosen movies.” Ohm said that even if it is not revealing information tied to a single person, Netflix “is revealing information tied to so few that we should consider this a privacy breach. I have no doubt that researchers will be able to use the [existing reidentification] techniques, together with databases revealing sex, zip code, and age, to tie many people directly to these supposedly anonymized new records.” Ohm urges the company to kill the new competition before it starts and makes a compelling case for doing so. His point appears valid and Netflix should consider his views seriously. [Source] [Source] [Commentary by and exchange with Khaled El Emam]
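To make the quasi-identifier point concrete, the following added example (not from the original item, from Ohm, or from Netflix) runs a linkage attack over a constructed toy release whose rows carry age, gender and ZIP alongside a viewing history, joins it against a constructed table of "public profile" data, and reports how the release's k-anonymity and the number of uniquely linked people change once ages are banded and ZIPs truncated. The rows, names, field set and the `coarsen` rule are all assumptions made for the toy; it demonstrates the age/sex/ZIP linkage Ohm refers to, not the rating-based technique from the first contest.

```python
from collections import defaultdict

# Constructed "anonymized" release (made-up rows, not Netflix data): names removed,
# but age, gender and ZIP left intact next to the sensitive viewing history.
RELEASE = [
    {"uid": 1, "age": 34, "gender": "F", "zip": "80302", "history": "m12,m40"},
    {"uid": 2, "age": 36, "gender": "F", "zip": "80304", "history": "m03,m40"},
    {"uid": 3, "age": 41, "gender": "M", "zip": "80302", "history": "m77"},
    {"uid": 4, "age": 45, "gender": "M", "zip": "80301", "history": "m12,m77"},
    {"uid": 5, "age": 27, "gender": "M", "zip": "10001", "history": "m05"},
    {"uid": 6, "age": 29, "gender": "M", "zip": "10003", "history": "m05,m09"},
    {"uid": 7, "age": 58, "gender": "F", "zip": "02139", "history": "m61"},
    {"uid": 8, "age": 52, "gender": "F", "zip": "02138", "history": "m61,m62"},
    {"uid": 9, "age": 34, "gender": "F", "zip": "80302", "history": "m40"},
]

# Constructed auxiliary table: the kind of data an attacker reads off public profiles.
AUX = [
    {"name": "Alice", "age": 34, "gender": "F", "zip": "80302"},
    {"name": "Bob",   "age": 41, "gender": "M", "zip": "80302"},
    {"name": "Carol", "age": 58, "gender": "F", "zip": "02139"},
    {"name": "Dan",   "age": 27, "gender": "M", "zip": "10001"},
    {"name": "Eve",   "age": 34, "gender": "F", "zip": "90210"},
]

QI = ("age", "gender", "zip")  # quasi-identifiers present in both tables


def _identity(field, value):
    return value


def coarsen(field, value):
    """Generalisation used to raise k (an assumed rule): 10-year age bands, 3-digit ZIP prefixes."""
    if field == "age":
        return f"{value // 10 * 10}s"
    if field == "zip":
        return value[:3]
    return value


def equivalence_classes(records, qi=QI, generalize=_identity):
    """Group records by their (possibly generalized) quasi-identifier tuple."""
    classes = defaultdict(list)
    for rec in records:
        classes[tuple(generalize(f, rec[f]) for f in qi)].append(rec)
    return classes


def k_anonymity(records, qi=QI, generalize=_identity):
    """The release's k: size of its smallest equivalence class (k = 1 means someone is unique)."""
    return min(len(c) for c in equivalence_classes(records, qi, generalize).values())


def singleton_fraction(records, qi=QI, generalize=_identity):
    """Share of records that are alone in their class, i.e. directly linkable from the QIs."""
    classes = equivalence_classes(records, qi, generalize)
    return sum(1 for c in classes.values() if len(c) == 1) / len(records)


def reidentify(release, aux, qi=QI, generalize=_identity):
    """Linkage attack: map each named person to the unique release record sharing their QIs."""
    classes = equivalence_classes(release, qi, generalize)
    hits = {}
    for person in aux:
        matches = classes.get(tuple(generalize(f, person[f]) for f in qi), [])
        if len(matches) == 1:            # exactly one candidate: identity and history are linked
            hits[person["name"]] = matches[0]["uid"]
    return hits


if __name__ == "__main__":
    print("k =", k_anonymity(RELEASE), "unique fraction =", singleton_fraction(RELEASE))
    print("linked:", reidentify(RELEASE, AUX))
    print("k after coarsening =", k_anonymity(RELEASE, generalize=coarsen))
    print("linked after coarsening:", reidentify(RELEASE, AUX, generalize=coarsen))
```

On the raw release seven of nine rows are unique on (age, gender, ZIP), so three of the five profiles link to exactly one viewing history; after coarsening every class has at least two members and no profile links uniquely. Note what coarsening does not fix: uids 7 and 8 share a class and both have m61 in their history, so an attacker who places Carol in that class still learns something about her even without picking the row. k-anonymity bounds identification, not disclosure of an attribute every class member shares.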

 

Privacy (US)

 

US – Survey Says New Massachusetts Data Security Compliance Isn’t Cheap

As of March 2010, businesses and organizations that have access to personally identifiable information of Massachusetts residents will have to undertake “comprehensive measures to protect” that information. And according to Massachusetts law, such measures include express contract provisions with service providers that they, too, have systems and processes in place to protect that information. Even though the compliance deadline is still months away, the new requirements have already proven costly according to a survey of members of the International Association of Privacy Professionals. Conducted in conjunction with the law firm of Goodwin Procter, the IAPP survey found that 76% of those responding said they have access to personal information of Massachusetts residents, and roughly one-third of them have already spent at least $50,000 to comply with the regulations. In terms of time spent, 44% of respondents said they have spent more than 100 hours on compliance efforts. The survey also revealed that 30% of respondents work with 100 or more vendors. [Source]

 

US – EPIC to FTC: "Parental Control" Software Firms Gather Data for Marketing

EPIC filed a complaint with the Federal Trade Commission against Echometrix, the developers of parental control software that monitors children’s online activity. Echometrix analyzes the information collected from children and sells the data to third parties for market-intelligence research. The EPIC complaint alleges that Echometrix engages in unfair and deceptive trade practices by representing that the software protects children online while simultaneously collecting and disclosing information about children's online activity. The complaint further alleges that Echometrix’s practices violate the Children’s Online Privacy Protection Act by collecting and disclosing information from children under the age of 13. The EPIC complaint asks the FTC to stop these practices, seek compensation for victims, and ensure that Echometrix’s collection and disclosure practices comply with COPPA. [EPIC complaint]

 

Privacy Enhancing Technologies (PETs)

 

WW – Shield Against Photos

Russian oligarch Roman Abramovich appears to have come up with a novel solution to protect his privacy at sea. “In a move that could eventually be copied by all discerning billionaires, Abramovich has installed an anti-paparazzi shield on his newest vessel, the world’s biggest and most expensive private yacht. The high-tech system on Eclipse, a mega-yacht measuring up to 557 feet, relies on lasers to block any digital camera lenses nearby. “... Infrared lasers detect the electronic light sensors in nearby cameras, known as charge-coupled devices. When the system detects such a device, it fires a focused beam of light at the camera, disrupting its ability to record a digital image. The beams can also be activated manually by security guards if they spot a photographer loitering.” [Source]

 

US – Universities Spar Over Disappearing Electronic Messages

Less than two months after a group of University of Washington computer researchers proposed a novel system for making electronic messages “disappear” after a certain period of time, a rival group of researchers based at the University of Texas at Austin, Princeton, and the University of Michigan has claimed to have undermined the scheme. The Vanish attackers have built a demonstration system they call “Unvanish”, and they say they have defeated the Vanish model for gradually eroding encryption keys by subverting the peer-to-peer file sharing system on which it depends. Their insight was to use a single computer to masquerade as a large number of members of the file sharing network. That rogue machine need only capture and store anything that looks like a Vanish key fragment; the researchers say this is simple, because Vanish fragments are identifiable by their size. Later, a Vanish message can be reconstructed simply by consulting the Unvanish archive. “In our experiments with Unvanish, we have shown that it is possible to make Vanish messages ‘reappear’ long after they should have ‘disappeared’ nearly 100% of the time,” the researchers wrote on a Web site that describes their experiment. The Vanish researchers responded that they have now modified their initial prototype to use multiple file sharing networks, complicating the task of an attacker. [Source] [NYT]
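As an added illustration (not code from the Vanish or Unvanish authors), the Python sketch below reproduces the mechanism at the centre of the dispute: a data key is split with Shamir secret sharing, the shares are pushed into a toy DHT at indices derived from an access key, the DHT entries expire, and a single "harvester" that has inserted itself on the store path archives every share-shaped value and reconstructs the key after expiry. The in-memory DHT, the share count and threshold, the 17-byte share serialization and the 160-bit index width are assumptions chosen for the toy, not Vanish's actual parameters.

```python
import random
import secrets

# Shamir secret sharing over GF(P); 2**127 - 1 is a Mersenne prime.
P = (1 << 127) - 1
SHARE_LEN = 1 + 16           # serialized share: 1-byte x || 16-byte y (toy format, an assumption)
N_SHARES, THRESHOLD = 10, 7  # toy share count / threshold, not Vanish's real settings

def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split_key(secret, n, k):
    """Split secret (0 <= secret < P) into n points of a random degree k-1 polynomial."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def recover_key(shares):
    """Lagrange interpolation at x = 0 from at least k distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

class ToyDHT:
    """In-memory DHT whose entries expire after ttl ticks (Vanish relied on Vuze's ~8h expiry)."""
    def __init__(self, ttl):
        self.ttl, self.clock, self.store, self.observers = ttl, 0, {}, []

    def put(self, index, value):
        self.store[index] = (value, self.clock + self.ttl)
        for node in self.observers:      # peers on the store path see every value
            node.observe(index, value)

    def get(self, index):
        entry = self.store.get(index)
        if entry is None or entry[1] <= self.clock:
            return None                  # expired or never stored
        return entry[0]

    def tick(self, steps=1):
        self.clock += steps

class SybilHarvester:
    """Unvanish-style attacker: poses as many peers and archives every share-shaped value."""
    def __init__(self, share_len=SHARE_LEN):
        self.share_len, self.archive = share_len, {}

    def observe(self, index, value):
        if len(value) == self.share_len:  # fragments are recognisable by size
            self.archive[index] = value

def _share_indices(access_key, n):
    """Derive the n DHT indices from the access key L that travels with the ciphertext."""
    rng = random.Random(access_key)      # deterministic: reader and attacker derive the same list
    return [rng.getrandbits(160) for _ in range(n)]

def vanish_encapsulate(dht, key, n=N_SHARES, k=THRESHOLD):
    """Sender side: spread the key's shares into the DHT and return the access key L."""
    access_key = secrets.token_bytes(16)
    for idx, (x, y) in zip(_share_indices(access_key, n), split_key(key, n, k)):
        dht.put(idx, x.to_bytes(1, "big") + y.to_bytes(16, "big"))
    return access_key

def vanish_decapsulate(lookup, access_key, n=N_SHARES, k=THRESHOLD):
    """Reader side: fetch shares through lookup(index); None if fewer than k are available."""
    shares = []
    for idx in _share_indices(access_key, n):
        blob = lookup(idx)
        if blob is not None:
            shares.append((blob[0], int.from_bytes(blob[1:], "big")))
    return recover_key(shares[:k]) if len(shares) >= k else None

def demo(ttl=8):
    """Returns (readable before expiry, unreadable after expiry, recovered from the Sybil archive)."""
    dht = ToyDHT(ttl)
    attacker = SybilHarvester()
    dht.observers.append(attacker)       # the attacker's fake peers are now on the store path
    key = secrets.randbelow(P)
    access_key = vanish_encapsulate(dht, key)
    before = vanish_decapsulate(dht.get, access_key)
    dht.tick(ttl)                        # the honest DHT forgets the shares
    after = vanish_decapsulate(dht.get, access_key)
    harvested = vanish_decapsulate(attacker.archive.get, access_key)
    return before == key, after is None, harvested == key
```

Running `demo()` returns `(True, True, True)`: the honest reader loses the key once the DHT entries lapse, but the harvester, which copied the 17-byte fragments as they were stored, reconstructs it on demand. The toy rests on the same assumption Vanish did, that a share can only be read by asking the DHT before expiry; once any party can sit in the routing path and keep copies, expiry is irrelevant. Spreading shares over several networks, the Vanish team's response, raises the attacker's cost per network but does not remove that assumption.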

 

RFID


US – CDT Banking on RFID Privacy Invasion

The Center for Digital Technology is leading an effort supported by the largest investors in radio frequency identification technology, including Microsoft, Intel, Cisco Systems, Procter & Gamble, Eli Lilly and Co., the American Library Association, the National Consumers League, aQuantive, VeriSign and Visa, to pave the way for broad adoption. Levi Strauss Company is experimenting with tagging jeans with the devices, which allow remote tracking of items. Manufacturers and retailers find the technology helpful for managing inventory. Privacy issues arise when the devices remain active after the items are purchased. [Source]


PH – Vehicle Tagging Plans Criticized

Philippine government plans to install radio frequency identification (RFID) technology in vehicles have some calling for more consultation. Under Land Transportation Office plans, motorists would have to install RFID tags as a condition of vehicle registration. The secretary general of the transport group Piston says tagging all vehicles could open motorists up to government intrusion and violations of privacy. George San Mateo said there was no consultation or hearing on the plans; therefore, Piston will not tag its vehicles unless the government issues an order. He urged House and Senate committees to “delve into the matter.” [Source]


Security


CA – TELUS-Rotman Breach Study Released: Numbers, Costs Up

A survey of more than 600 Canadian IT security professionals has revealed a jump in the number and cost of security breaches. TELUS and the University of Toronto’s Rotman School of Management released the findings this week. The number of IT security breaches reported by organizations nearly quadrupled over the past year to an average of 11.3 per organization. The cost of IT breaches for the average Canadian organization nearly doubled to $834,149. Employee-induced breaches also nearly doubled to 36%. The increases are attributed in part to the financial downturn, better data monitoring by organizations and increases in organizational breach reporting. [Source] [80-page Report] [Benchmarking Tool] Coverage: [IT security breaches soar in 2009: Employees fastest-growing threat]


KR – Controlling the Language of Security

A security policy specification that guarantees the reliability and availability of home networks has been developed by computer scientists at Kyungpook National University and the Electronics and Telecommunications Research Institute in Korea. “Whenever a new access to the home network is found, it should be able to authenticate and authorize it and enforce the security policy based on rules set by the home administrator,” the researchers say. The researchers developed the Home Security Description Language (xHDL), which includes the notation needed to consistently describe and specify the security policy and, ultimately, to secure a home network. xHDL consists of a combining-rule element, authentication element, user element, object element, object-group element, role element, and rule elements. Each term could be used to run a browser-based control center. The home administrator would have simple control options for allowing specific devices access to the home network and for controlling the packets that pass through the gateway to and from the Internet. xHDL would protect home networks from cyberattacks and ensure that they remain available for use. [Source]


WW – Study: Only 33% of Users Actively Back Up Their Files

The amount of storage needed for ever-increasing volumes of data will rise ten-fold in the next five years, yet only one in three users is actively backing up files, a recent Western Digital study revealed. The study, conducted in August 2009, showed that only 33% of mainstream consumers back up their data to a safe central location. Of those users who have bought external hard drives for personal use, backing up files (56%) still trails extra storage (63%) as the main reason for the purchase. [Source]


US – DOD IG Audit Finds Data Sanitization Problems for Decommissioned IT Equipment

According to an audit report from the US Defense Department (DOD) Inspector General, some organizations within the Department are still disposing of information technology equipment without first scrubbing the data it contains. In addition, the report notes that some DOD guidance for equipment disposal was so out of date that it could not deal with certain newer data storage technologies. [Source] [Source]

 

US – DOD to Lift USB Ban With Restrictions

The US DOD plans to lift its ban on USB drives in a very restricted way. Only USB drives that have been both approved and procured by DOD will be permitted for use on department computers. The ban was imposed late last year after a worm spread across DOD networks. “The days of using personally owned flash media or using flash media collected at conferences or trade shows is long gone,” according to the blog of Navy CIO Robert Carey. [Source] [Source]


Surveillance


AU – Threats to Privacy in Proposed New Intercept Rules Averted, says EFA

Electronic Frontiers Australia (EFA) says its concerns with draft amendments to telecommunications interception legislation have been addressed in the bill as tabled. The new legislation - The Telecommunications (Interception and Access) Amendment Bill 2009 - is designed to give ISPs, telcos and the owners of corporate networks increased powers to monitor customer communications on their networks to enable them to better operate and manage those networks and enforce acceptable staff use policies. Writing on the EFA’s blog, chairman Nic Suzor, said: “I am happy to say that the Bill as introduced has removed the greatest majority of our concerns. It appears to be closely tailored to network security purposes, and the ability to monitor for whether a network is being ‘appropriately used’ is limited to Commonwealth agencies. There are additionally much stronger limitations as to when intercepted information can be disclosed.” The committee has called for submissions by 09 October and is due to report by 16 November. EFA is drafting a submission, collaboratively via its wiki. [Source] [Senate Legal and Constitutional Affairs Committee enquiry]


US – Administration Wants to Continue Surveillance Law

The Obama administration promised Congress this week to negotiate stronger privacy protections for Americans under terrorism surveillance but insisted on retaining current authority to track suspects and obtain records. Liberals on the House Judiciary Committee were left unsatisfied, clearly wanting the administration to go further and pledge to curb what they consider abuses of the Bush administration. They repeatedly insisted that the law be rewritten to require better justification for wiretaps and subpoenas, and Committee Chairman John Conyers, D-Mich., even compared the Obama administration’s position so far to that of the Bush administration. Congress is starting to consider changes in three expiring provisions of the USA Patriot Act, a counterterrorism law initially passed after the Sept. 11, 2001 attacks. These three provisions require the government to seek permission from a special foreign surveillance court for subpoenas and surveillance. The Bush administration, while using the court, also had the NSA - without warrants - eavesdrop on Americans and others inside the U.S. to search for terrorist activity. That program ended before Bush left office. [Source]


EU – EU Funding “Orwellian” Plan to Monitor Public for “Abnormal Behaviour”

A five-year research programme, called Project Indect, aims to develop computer programmes which act as “agents” to monitor and process information from web sites, discussion forums, file servers, peer-to-peer networks and even individual computers. Its main objectives include the “automatic detection of threats and abnormal behaviour or violence”. Project Indect, which received nearly £10 million in funding from the European Union, involves the Police Service of Northern Ireland (PSNI) and computer scientists at York University, in addition to colleagues in nine other European countries. Shami Chakrabarti, the director of human rights group Liberty, said that “the EU lacks sufficient checks and balances and there is no evidence that anyone has ever asked ‘is this actually in the best interests of our citizens?’” and that “profiling whole populations instead of monitoring individual suspects is a sinister step in any society. It’s dangerous enough at national level, but on a Europe-wide scale the idea becomes positively chilling.” A separate EU-funded research project, called Adabts - the Automatic Detection of Abnormal Behaviour and Threats in crowded Spaces - has received nearly £3 million. It is based in Sweden but partners include the UK Home Office and BAE Systems. It is seeking to develop models of “suspicious behaviour” so these can be automatically detected using CCTV and other surveillance methods. The system would analyse the pitch of people’s voices, the way their bodies move and track individuals within crowds. [Source] [Source]


EU – Startling Irish Memo on Retaining Data

A memorandum of understanding (MoU) obtained by the Irish Times outlines an agreement between state agencies and the telecommunications industry on the implementation of data retention legislation. The Times report says that “the agencies that want access to our call and Internet data are bypassing the Oireachtas, ... the body that draws up and implements legislation.” A privacy advocate described the MoU as “legislation by decree.” Of greater concern, the report says, is that state agencies and industry are engaging in secretive cooperation to shape how legislation is interpreted. “With data retention, it appears that the tail is wagging the dog...” the report states. [Source]


Telecom / TV


IN – India Wants Internet Telephony Ban

Indian security officials are calling for a ban on international Internet telephony until they have the capability to trace calls on such systems. The move comes in response to the November 2008 attacks in Mumbai in which 166 people were killed. The attackers used satellite phones and Internet telephony to communicate with each other. [Source]


US Government Programs


US – FBI’s Data-Mining System Sifts Airline, Hotel, Car-Rental Records

Recently declassified documents show that the FBI’s National Security Branch Analysis Center (NSAC), a data-mining system that was proposed as a tool to track down terrorists, is being used in hacker and domestic criminal investigations. NSAC’s database now contains more than 1.5 billion government and private-sector records on U.S. citizens and foreigners, including tens of thousands of records from private databases, according to the declassified documents. Critics say the database is increasingly close to the Total Information Awareness system first proposed by the Pentagon following the Sept. 11, 2001 terrorist attacks. The FBI is currently looking to quadruple the staff of the NSAC program. However, the proposal has been heavily criticized by privacy groups as being both invasive and ineffective, and critics say the declassified documents show that the plan is being continued in private and without sufficient oversight. NSAC contains more than 55,000 entries on customers of the Cendant Hotel chain, with entries for hotel customers whose names match those on a list the FBI provided to the company. An additional 730 records are from the Avis rental car company, which were collected through a one-time search of Avis’ database matched against the State Department’s terrorist watch list, and 165 entries are from credit card transaction histories from the Sears department store chain. An analysis of the documents shows that the FBI has continuously expanded the NSAC system since 2004, and by 2008, NSAC had 103 full-time employees and contractors. The FBI wants to add 71 additional employees and is seeking $8 million for outside contractors to help analyze the data. [WIRED]


US – TSA Needs Privacy IT Tools, Inspector General Report

The Transportation Security Administration should deploy automated tools to test and monitor the effectiveness of privacy safeguards in its programs, according to a new report from Homeland Security Inspector General Richard Skinner. In a report issued Sept. 18, Skinner recommended that TSA’s Office of the Chief Information Officer implement such tools, and the agency’s officials agreed with the recommendation. Overall, TSA has made progress in implementing privacy protections but could do better if it used the automated tools, Skinner concluded. Although the CIO’s office is responsible for securing data, including personally identifiable information, the office is not providing automated tools for doing so, Skinner wrote. For enforcement, the agency’s Office for Privacy Policy Compliance (OPPC) checks TSA’s databases to see if sensitive data has been leaked. The office has indeed found some cases where data appears to have been exposed. Automated monitoring and reporting tools are also being applied in other areas of government. The Office of Management and Budget recently required federal agencies to submit compliance reports using such tools for the Federal Information Security Management Act. [Source] [TSA employees are well-informed on privacy issues]


US – DHS Privacy Office Releases Annual Report to Congress

The Department of Homeland Security Privacy Office released its annual privacy report to Congress. A spokesperson for the office said the 2008-2009 report is out six weeks earlier than that of last year. Earlier this week the Electronic Privacy Information Center (EPIC) sent a registered letter to the DHS Privacy Office requesting to know when it would be published and citing a delay in its completion. The report, which details the office’s activities, has been required since 2003. “There is no statutory deadline for the report,” the Privacy Office spokesperson said. [Source] [Report] [Source]


US – Details on Border Searches in DHS Report

The Department of Homeland Security Privacy Office issued its annual privacy report card last week. The report provides more details on the department’s controversial warrantless border search policies for electronic devices. According to the report, searches of travelers’ laptops at the border might be less frequent than expected. Between October 2008 and May 2009, border agents searched 696 laptops among 144 million travelers. The department described 40 of those searches as “in depth.” The report also indicated the department’s concern about the government’s use of social networking tools and acknowledged a “heightened public interest” in the TSA’s use of certain imaging technologies for security purposes. [Source]


US Legislation


US – Energy and Commerce Committee Vote on Nationwide Breach Notification

The House Energy and Commerce Committee is slated to vote this week on legislation that would require strong security policies from firms that collect and store individuals’ sensitive information and provide for nationwide notification in the event of a data breach. The bill was sponsored by House Energy and Commerce, Trade, and Consumer Protection Subcommittee Chairman Bobby Rush, D-Ill., and was tweaked to win his panel’s approval in June, but more revisions are expected. His manager’s amendment would let consumers ban the use of their information by data brokers for marketing purposes. That is in addition to language allowing individuals to access and correct profiles in marketing databases, according to a memo circulated to members. Breach victims could also sign up for credit monitoring or other related services instead of free credit reports. Rush’s proposal would clarify that persons subject to other relevant federal statutes’ security rules that are “substantially similar to or greater than” his bill’s requirements would be deemed in compliance. It would also make clear that the legislation applies only to commercial entities subject to FTC jurisdiction, and that the civil penalty cap for state enforcement may not exceed $5 million for each violation. Language concerning breaches of health information would be deleted from the bill, and a requirement that consumers receive a 60-day notice upon the discovery of a breach would be added, the memo stated. Additionally, Rush’s amendment would revise language pertaining to a breached firm’s presumption of identity theft risk to be more technology neutral and remain current as encryption and other security technologies evolve. [Source]


US – House Subcommittee Approves Cyber Security R&D Bill Amendment

A US House subcommittee has approved legislation aimed at bolstering the Cybersecurity Research and Development Act. If the proposed law is enacted, federal agencies would be required to submit long term research and development plans that are “based on an assessment of cybersecurity risk.” The bill now goes to the House Committee on Science and Technology. [Source]


US – Critics Say Pandemic Emergency Bill Tramples Privacy Rights

Mandatory vaccinations, home searches without a warrant and forced quarantine for those who resist. Critics of a pandemic preparedness bill pending in the Legislature say it would allow all those things and sets the stage for a medical police state where any response to an epidemic of flu or other illness has the potential to steamroll civil liberties. The bill’s supporters and its sponsor, Sen. Richard Moore, D-Uxbridge, have found themselves in recent weeks defending against attacks from talk show hosts and Internet critics with an anti-Big Government bent. In the category of unlikely bedfellows: the ACLU has joined the opposition. [Source]


Workplace Privacy


CA – Union Executive Sues CUPE, Alleges Email Spying

An eastern Ontario union executive has launched a lawsuit against the Canadian Union of Public Employees, accusing a colleague of violating her privacy by reading her emails. Katherine Thompson, of South Lancaster, Ont., who is currently president of the Air Canada component of CUPE, is seeking $250,000 in damages through a civil suit launched against CUPE, national president Paul Moist and Lesley Swann, former president of CUPE’s Air Canada component. Thompson alleges that in the fall of 2007, when she was secretary-treasurer and Swann was the component president, Swann blackmailed an IT consultant into providing access to Thompson’s emails, and then went through the correspondence to spy on her. Brian Shell, a Toronto lawyer representing Swann, said the email system is the exclusive property of CUPE’s Air Canada component, and Thompson had no reasonable expectation of privacy. Shell said Swann did read Thompson’s emails, but did so because she believed Thompson broke the union’s own bylaws. Thompson said she found out her emails were being read after an IT consultant told her he had been told to provide access to them, and that his job would’ve been on the line if he hadn’t complied with the request. She later defeated Swann in an election to become president of CUPE’s Air Canada component. Thompson claims there is no CUPE policy that allows union officials to do what Swann did. Her lawyer Kris Klein said he and Thompson are also trying to find out whether it was legally allowed under Ontario law. “There is an expectation of privacy in the communications that happen at work,” he said, although he added that he and his client recognize that the right to privacy is not absolute. Klein said federal law only protects the electronic privacy of some employees and doesn’t apply to his client, and Ontario currently has no specific legislation dealing with this type of circumstance. “The employee is left without any understanding of … what circumstances will arise where their privacy will be invaded.” He hopes the case will bring more clarity to workplace privacy law in Ontario in general. [Source]


+++