By Spring 2006 only employees who have passed a security clearance will be able to access restricted areas protected by biometric technology at most Canadian airports – unless they’re accompanied by an escort. Mark Duncan, chief operating officer for the Canadian Air Transport Safety Authority (CATSA), said Tuesday at the Conference Board of Canada’s Business and Technology Opportunities in National Security and Public Safety event the biometrics pilot project phase is now over. Duncan said CATSA decided to go with both fingerprint and iris scanning technology because some people have problems with the fingerprint scanning process. “Also, because the technology is relatively new, there are still arguments on both sides so we chose to embed both.” The Restricted Area Identification Card system is now fully operational in five airports, and by April, he said, all airport employees, including pilots, fuelling operators, security staff, concessionaires and airport workers, will be allowed into restricted areas only if they’ve been issued a card which holds their fingerprints and iris scans. “Obviously, if you’ve got a criminal background you’re not going to make it through,” he said. Duncan said Canada’s 150,000 airport workers will all have to apply for the security card through Transport Canada, who co-ordinates a security clearance through the RCMP and CSIS. [Source] [Source]

ON – Thousands of Ontario Drivers' Permits go Missing

The system for licensing drivers and vehicles in Ontario has been so sloppily managed that fake driver's licences have been created, thousands of blank stickers and permits have gone missing and customer credit-card information has been misused, the provincial Auditor-General said in his latest annual report released this week. Over the past four years, more than 56,000 licence plates, vehicle stickers and permits have been reported either missing or stolen and could have been used for fraudulent purposes. The report documents numerous instances of fraud by the private-sector operators that provide licensing services under government contract. Charges have been laid and a ministry analysis concluded that it is easy for staff to manipulate the current system to produce false documents. Four employees at various offices had criminal records. Six offices accounted for 70% of the missing items. Auditor-General Jim McCarter said his report provides a litany of examples of where the government has not provided adequate oversight once it has delegated a service to the private sector. [Source]

CA – Industry Canada Clarifies PIPEDA Carve-Out for Investigative Bodies

On November 19, 2005, Industry Canada published a notice in the Canada Gazette Part I, with a 30 day period for public comments, to amend the Regulations Specifying Investigative Bodies pursuant to section 26(1)(a.01) of the Personal Information Protection and Electronic Documents Act by adding additional organizations. PIPEDA requires an organization, which is disclosing personal information, to obtain the individual’s consent in most circumstances. An exception to this rule is found in paragraphs 7(3)(d) and (h.2) of the Act which permit the disclosure of personal information to and by a private investigative body, without the knowledge or consent of the individual, if the investigative body is specified by the Investigative Bodies Regulations. The purpose of the amendment is to name additional investigative bodies, essentially, various associations that regulate their members. Industry Canada has also clarified the obligations on those granted investigative body status. [Source]

US – The CDC Seeks Access to Airline Passenger Lists

Airlines are concerned about the privacy and cost issues related to a Center for Disease Control plan that would require the companies to submit passenger lists upon request. The CDC wants access to the information to allow the agency to notify passengers promptly in the event of epidemics. The CDC estimates that the price tag of complying with the regulations would cost the airline industry between $108 million and $386 million a year to compile and maintain the database. [Source]

UK – ID Thieves Try to Steal Millions from U.K. Taxman

HM Revenue & Customs (HMRC) has shut its high profile and strategically important Tax Credits website as a result of serious fraud. It’s a major blow to trust in the Departments e-Government services, following on from supplier EDS agreeing to compensate the government £71 million for its work on Tax Credits IT problems. A criminal investigation is also being undertaken into the apparent false use of a number of DWP staff identities in fraudulent tax credit claims. The fraud relates to internal information held about staff and not the external records DWP holds. Reports say that a number of DWP staff identities were being falsely used to make illegal claims. [Source] [Source]

ON – Standard Approach Sought in Health Data Management

The Ontario government is augmenting its plan to establish regionalized health authorities by creating councils to standardize the way data is collected, managed and stored at hospitals and community care access centres. Called local data partnerships, the idea is to gather physicians, technical experts and other stakeholders into councils to discuss issues around clinical, financial and eventually primary care information. The first council, devoted to problems in physician documentation, has already been set up. The Ministry of Health and Long-Term Care is planning to hire four data management coordinators that will support these councils, which will represent the 14 new local health integration networks (LHINs) Ontario is creating. The province introduced legislation late last week that, if passed, will see management of local services devolved to the LHINs. While the local data partnerships may be used to facilitate best practices and collaboration among professions in the LHINs, front-line staff are speaking out about the regionalization plan itself. On Friday the Ontario Nurses Association, the Service Employees International Union Local, the Canadian Union of Public Employees and the Ontario Public Service Employees Union all announced plans to picket local MPPs over concerns there hasn’t been enough consultation about creating LHINs. [Source]

EU – EU Reaches Compromise on Phone Records

European justice ministers have sealed a compromise deal on controversial anti-terror measures that increase police access to phone and Internet records. The deal, clinched by Britain as EU president, lays out the kinds of data that can be retained, for how long, under what conditions and the types of crime that would allow Europe’s authorities to access it. [Source] [Source]

US – ID Analytics Study: Fears Over Identity Theft Overblown

A new study suggests consumers whose credit cards are lost or stolen or whose personal information is accidentally compromised face little risk of becoming victims of identity theft. The analysis, released late on Wednesday, also found that even in the most dangerous data breaches – where thieves access social security numbers and other sensitive information on consumers they have deliberately targeted – only about 1 in 1,000 victims had their identities stolen. ID Analytics, the San Diego, California-based fraud detection company that performed the analysis, said it looked at four recent data breaches involving a total of 500,000 consumers. It declined to provide the names of the companies involved in the breaches except to say that one of them was a top five U.S. bank. After six months of study, comparing compromised information against credit applications, ID Analytics said it discovered something counterintuitive: The smaller the breach, the greater the likelihood the information was subsequently used by fraudsters to hijack the identity of victims. [Source]

US – IRS Proposes Stronger Data Protections

The Internal Revenue Service proposed regulations Wednesday that would increase privacy protections for financial information that people share with their tax preparers. The revised rules say tax preparers must get prior, written consent before sending a customer’s information abroad to an offshore tax preparer. Tax preparers also must notify contractors, including those who work on computers and data files, that they must abide by privacy restrictions. The proposed changes also require a tax preparer to obtain a taxpayer’s informed consent before the preparer uses any information learned during tax return preparation for other uses, such as offering other financial products. [Source].

CA – Recent Remarks by Information Commissioner John Reid

John Reid’s speech at the Nov 22 conference of the Canadian Access and Privacy Association (CAPA) has been posted. He said: “I am frankly troubled by the profound pressures placed on coordinators by their superiors to administer the access law as part of the departmental communications function and to avoid, at all costs, embarrassing the minister. I am troubled by the absence of a comprehensive, mandatory training strategy for ATIP offices, senior officials and exempt staff. I sense we are witnessing the birth pangs of a new profession in the public service and CAPA needs to be a true midwife in this process. So far, CAPA’s potential has not been fulfilled. It is my view that CAPA’s influence in the system is waning. So, I’d like to issue a challenge to you, the members of CAPA. I’d like to challenge you to lead the way towards the creation of a new information rights professional in Canada. To do that, an important first step, it seems to me, is for CAPA to form an alliance with the Canadian Association of Professional Access and Privacy Administrators (CAPAPA) an organization incorporated under Alberta legislation but which is national in scope and very proactive in promoting uniform education, training and certification programs. An alliance with CAPAPA will assist CAPA in establishing the credibility of independence - in a way similar to that which has been accomplished by the federal Association of Professional Executives of the Public Service.” [Source]

US – Pataki Orders DNA Criminal Database Expanded

New York State Gov. George Pataki this week ordered an expansion of the state’s DNA database to include all felonies and misdemeanors, a move expected to add DNA samples from as many as 40,000 more criminals to the system. The state Commission on Forensic Science still has to approve the plan and will vote on the measure next week. More than half of the people convicted of felonies in New York state aren’t required under current law to provide DNA samples for inclusion in the database, which now includes about 153,000 profiles, according to Pataki’s office. Less than one-third of all criminal offenses are designated for the mandatory collection of DNA. [Source]

UK – Electronic Health Records Cause Concern

Many health campaigners fear that the introduction of electronic patient records will result in a loss of privacy and confidentiality, according to U.K. research issued on November 30, 2005. A survey of health campaigning organisations based in the U.K. and overseas finds that although the switch to e-records is generally welcome, over 60% are worried that data could get into the “wrong hands” and that privacy and confidentiality could become compromised. Over half (56%) of campaigners report that the majority, or all, of their constituency welcome the introduction of electronic records, says the research carried out by PatientView. However, 29% say that the people they represent are “somewhat or very worried” by e-records and 6% do not support their introduction at all. Meanwhile, only 28% say they are aware of any government efforts to engage patients with the issue of electronic records – almost half (45%) say that no consultation has taken place in their country. [Source]

US – Consumers Worry That Employers Will Use Their Medical Data Against Them

The National Consumer Health Privacy Survey 2005 found that 67% of Americans are concerned about the privacy of their health information. Of the Americans most concerned about an employer misusing their information, 61% were from a racial/ethnic minority and 55% had been diagnosed with a disease. The survey found that a majority of survey respondents would share their personal health information if it meant their treatment was better coordinated, their benefits were enhanced and it facilitated access to experimental treatments. [Source]

US – Massachusetts State House Approves Genetic Privacy Bill

Shortly before the conclusion of the Massachusetts state legislature’s formal session Nov. 15, lawmakers unanimously approved a bill that would indefinitely extend privacy protections for those who undergo genetic testing. The bill would extend provisions of the Genetic Privacy Act, set to expire in January 2006, prohibiting life insurance companies from discriminating on the basis of or requiring genetic testing. Unlike in previous years, the insurance industry did not oppose the changes. Currently, 41 states prohibit discrimination by insurers on the basis of genetic test results, and 32 states prohibit discrimination by employers. [Source]

ON – Staff Blamed for Stolen Drivers’ Licences

Ontario’s drivers’ licensing system is rife with crime as rogue employees steal plates and permits and issue phony licences, the provincial auditor general has found. In his annual report to the Legislature, Auditor General Jim McCarter slammed the Liberals because some transportation ministry staff and private contractors allowed 56,000 documents and licence plates to be stolen and lost. “We noted instances where staff had criminal records yet no action was taken, and in 25% of the new-hire files we reviewed, the required criminal check had not been done,” McCarter said in his 406-page report. [Source]

US – Secret ID Law to Get Hearing

Although John Gilmore lives just five blocks from San Francisco’s Department of Motor Vehicles, his driver’s license is expired. On purpose. The outspoken, techno-hippie, wealthy civil libertarian doesn’t want to give his Social Security number to the DMV. Find local technology jobs. Neither will he show his driver’s license at airports, or submit to routine security searches. This refusal to obey the rules led him to file suit against the Bush administration (Gilmore v. Gonzales) after being rebuffed at two different airports on July 4, 2002, when he tried to fly without showing identification. One airline offered to let Gilmore fly without showing ID, but only if he underwent more intensive security screening, which he declined. On Thursday, Gilmore and his lawyers will get 20 minutes in front of the 9th U.S. Circuit Court of Appeals to make their argument against identification requirements and government secrecy, in a case that time and shifting public opinion has transformed from a quirky millionaire’s indignant protest into a closely watched test of the limitations of executive branch power. “The nexus of the case has always been the right to travel,” Gilmore said. “Can the government prevent Americans from moving around in their own country by slapping any silly rules on them – you have to show ID, you have to submit to searches, you have to wear a yarmulke?” [Source]

WW – On-line Shoppers Protected by Free Security Tool

VE Networks Inc. of Saint John, N.B., has announced that on Dec. 19 it will launch its free internet security service TrustMe-Live. This first version of TrustMe-Live is a simple system to protect users from falling victim to on-line fraud and identity-theft schemes. Consumers can download the tool free of charge from TrustMe-Live. Once registered, users select an icon and tune which will be associated with their TrustMe on-line account. TrustMe-Live detects when the Internet browser has opened a retail or banking Web page and if the site is authentic, a small window will pop up from the system tray and display the user’s unique icon and tune indicating the trustworthiness of the site. [Source]

US – Study: Prevalence of False Contact Information for Registered Domain Names

An estimated 2.31 million, or 8% of, internet domain names have been registered with “patently false” data, a US congressional report has concluded. The report by the Government Accountability Office (GAO) suggested that a large number of internet sites may have been created by people seeking to hide their identities, possibly to avoid detection by law enforcement. Based on test results, GAO estimated that 2.31 million domain names, or 5.14% of the overall total, were registered with data “that appeared obviously and intentionally false without verification against any reference data” in one or more contact information fields. GAO also found that 1.64 million domain names or 3.65% were registered with incomplete data. [Source] [Source]

CA – House Searches in Dismemberment Case Spark Privacy Concerns

House-to-house searches have some residents of a Toronto neighbourhood on edge as police hunt for clues in the case of a woman whose body was found dismembered in a laneway. A team of 20 officers is asking residents in the west-end neighbourhood of Parkdale to sign a consent form allowing a search of closets, basements and freezers. Police are looking for evidence linked to the discovery of the victim’s dismembered torso in an alleyway last month. The woman’s legs were discovered Nov. 11 at a garbage sorting station in North York, while her torso was discovered hours later in Parkdale. [Source]

WW – Researchers Developing Technology to Protect Children’s Online Privacy

Parents concerned about safeguarding their children’s online privacy can look forward to better and user-friendlier technology for doing this. New technology being developed by a Virginia Tech team of business and engineering researchers has won a $450,000 award from the National Science Foundation’s Cyber Trust program. The team has developed a concept for technology to obtain verifiable parental consent that is reliable, easy to use, and cost effective and would serve the needs of children, parents, and website operators. The concept is called POCKET – Parental Online Consent for Kids’ Electronic Transactions. POCKET is designed to enable the parent to protect the child’s personal information during an online transaction without the parent’s direct supervision. In addition to the parent and the web operator or merchant, POCKET uses the services of a trusted third party server. The concept offers three major advantages over current technologies. For starters, a parent can establish a customized, “fine-grained” disclosure policy to protect the child’s information – “flexibility that exceeds what is currently available in other technologies.” The system also enforces the accountability of the merchant in handling the child’s information through the contract and log files that are generated during the transaction. “While the law requiring parental consent applies whether or not there is a contract. A contract is an additional reassurance.” [Source]

US – Study Finds 81% of Home PCs Don't Have Basic Security Software

While most Internet users think they are safe online, they're not, according to a new study released Wednesday by America Online and the National Cyber Security Alliance. In fact, about 80% are exposed to common Internet threats, the study found. More than half of the participants either had no anti-virus protection or had not updated it within the last week, researchers found. About half did not have a properly-configured firewall, and four in ten didn't have spyware protection. Taken collectively, more than 4 in five consumers lacked at least one of the three types of basic protection. Still, 83% told researchers they were "safe from online threats," the study found. [Source]

NZ – Data Matching at Privacy Commissioner’s Office

According to the New Zealand Privacy commissioner Marie Shroff, data matching agreements are growing ‘exponentially’. The Privacy commissioner has created a technology team to help tackle problems arising from the rapid growth in data matching. Last year 21.4 million personal records were officially disclosed by one government agency to another, compared with 10.8 million three years ago. Shroff says that there are now 36 data matching programmes operating, compared with 16 three years ago. [Source]

US – Tens of Thousands Mistakenly Matched to Terrorist Watch Lists

About 30,000 airline passengers have discovered since last November that their names were mistakenly matched with those appearing on federal watch lists, a transportation security official said Tuesday. Jim Kennedy, director of the Transportation Security Administration’s redress office, revealed the errors at a quarterly meeting convened here by the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee. Kennedy said that travelers have had to ask the TSA to clear their identities from watch lists by submitting a “Passenger Identity Verification Form“ and three notarized copies of identification documents. On average, he said, it takes officials 45 to 60 days to evaluate the request and make any necessary changes. Travelers have been instructed to file the forms only after experiencing “repeated” travel delays, he said, because additional screening can occur for multiple reasons, including fitting a certain profile, flying on a one-way ticket or being selected randomly by a computer. [Source] [Source]

US – Advisory Committee Recommends Narrowing Passenger Pre-Screening Program

The Data Privacy and Integrity Advisory Committee recommends that the Homeland Security Department “narrowly focus” the Secure Flight pre-screening program. The Committee suggested that DHS require a passenger’s name and birth date. Airlines, meanwhile, should verify a person’s identity through two government databases. The DHS’s acting chief privacy officer, Maureen Cooney, said the privacy office would issue final guidelines in the coming year for the government’s use of data, among other office goals. [Source]

US – EPIC Uncovers Government Documents that Reveal Passport Problems

[Source]

US – EPIC Urges Governments to Abandon RFID in e-Passports

[Source]

WW – International Survey: Retailers Should Provide Better Data Security

A survey by Retail Systems Alert Group and sponsored by 3Com Corp. and Ingrian Networks shows that most retailers use internal control audits to ensure the security and confidentiality of consumer data. Most retailers do not encrypt customer-specific data and 43% of the retailers surveyed do not have an incident-response plan. The survey also showed that 60% of retailers are collecting customer-specific data, yet most are not using that information to offer personalized store promotions. Customers, meanwhile, have little control over how their data is used. [Source]

WW – Study: One in Four Internet Users Receive Phony Emails

About one in four Internet users is hit with e-mail scams every month that try to lure sensitive personal information from unsuspecting consumers, a study says. Of those receiving the phony e-mails, most thought they might be from legitimate companies — seven in 10, or 70%, were fooled by the e-mails, said the report. The study released Wednesday by America Online and the National Cyber Security Alliance looked at Internet security and “phishing scams.” [Source] [Source]

US – Hackers Use Digital Cameras to Steal Sensitive Data

IT managers are watching for a new security threat – the use of a digital camera to steal confidential data. Hackers are plugging the devices into a computer’s USB. Many companies use digital cameras in the workplace. It can be difficult to determine if workers are using the cameras for legitimate work purposes, or for hacking. [Source]

CA – Schools Use Smart Cards to Track Students’ Purchases, Tardiness:

Schools in British Columbia are signing up for a software program that uses student cards to let parents track what their children are buying at the cafeteria and whether they arrived at school late or left early. The program, called FirstStudent™ Solution will have four components, said the Vancouver-based software developer that created the program. The first component will enable students to use their student cards as debit cards in the cafeteria. The second is an asset management program that tracks school equipment, such as textbooks or musical instruments, that have been loaned to the student. The third lets parents pay online for school fees, such as field trips. And the fourth tracks a student’s attendance, including tardiness and skipping classes. All the information will be kept in a database that is accessible by parents via the Internet. [Source]

US – Security Breach Enforcement: DSW Reaches Settlement with FTC

Discount shoe retailer Designer Shoe Warehouse has agreed to adopt a comprehensive security program and undergo independent audits every other year for 20 years under a settlement with the Federal Trade Commission. In March, the company discovered that hackers broke into its database and stole information on 1.5 million customers. [Source]

UK – CCTV Staff ‘Spied on Naked Woman’

Two council workers used CCTV cameras to spy on a woman as she undressed for a bath, a court has heard. The men were themselves caught on a camera monitoring Sefton Council’s CCTV control room, a jury at Liverpool Crown Court was told. [Source]

WW – Santa Claus Under Attack from Privacy Advocates

Father Christmas is under attack this week from privacy advocates concerned about the jolly old elf’s growing database of personal information. “He sees you when you’re sleeping. He knows when you’re awake. He knows if you’ve been bad or good,” said privacy advocate Ben Hodgkins. “He also knows the wants and wishes of every child on the planet.” He continued, “Santa has been a good steward of this information, but we’re uncomfortable with all this data being concentrated in one place. We’re not saying that we don’t trust Santa, but what about a rogue elf with a drug habit to support. Stealing the list and selling it to Toys R Us would be tempting.” Hodgkins also worries that Santa operates outside any government’s control in his sovereign North Pole region where Santa only answers to himself. “He doesn’t have a privacy policy. He often collects his information without the knowledge of the consumer. It’s a John Ashcroft fantasy scenario,” said Hodgkins. Santa’s information could be valuable to all sorts of retailers as well as government organizations. One Amazon official said, “The data mining we could do on Santa’s database gets me in the Christmas spirit. Every request of every child for hundreds of years, that information is priceless.” Amid growing concerns Santa beefed up computer security around “The List” last year, and continued his pledge to never share or sell the information he has on “all the happy boys and girls around the globe. Ho, ho, ho.” Neil Gruban a privacy expert from the Heritage Foundation isn’t convinced. “Santa’s all ‘ho, ho, ho’ on the outside, but running an operation like his takes a lot of cash. Where does that money come from? You’re living in a fantasy world if you think it’s all coming from licensing fees.” [Source]

US – FTC Approval of Application for Revised Safe Harbor Program

The Commission has approved an application submitted by the Entertainment Software Rating Board (ESRB) asking that it be allowed to revise its safe harbor program in accordance with the Children’s Online Privacy Protection Act (COPPA). Under COPPA and the FTC’s COPPA Rule, the Commission may approve self-regulatory guidelines that are substantially similar to those in the Rule and that ensure adequate monitoring and enforcement. An organization that is in compliance with such an FTC-approved “safe harbor” program is considered to be in compliance with the Rule. [Source]

US – Fed IDs May Get Faster, Safer

By the end of December, the federal government is expected to pick a new storage standard for fingerprint data on its new Personal Identity Verification (PIV) cards, a Homeland Security Department official said today. The cards are expected to use a mathematical template of fingerprint images of cardholders’ two index fingers, instead of compressed images of the prints themselves, said Kevin Crouch, portfolio manager for Homeland Security Presidential Directive 12 (HSPD-12) implementation at DHS’ Joint Office of Interoperable Communications. PIV cards are required under HSPD-12, a mandate from President Bush that all federal employees and contractors have secure credentials for physical and logical access to federal facilities. [Source]

US – PATRIOT ACT May be Renewed Without Reforms

Last-minute negotiations over the Patriot Act, conducted behind closed doors as a Dec. 31 expiration date nears, has reportedly yielded a four-year renewal of the law and no substantial reforms. Sen. Arlen Specter, the Pennsylvania Republican who has been a point person during this year's debate over the fate of the complex and controversial law, said Wednesday that he and his counterparts in the House of Representatives have agreed to a deal that could pave the way for reauthorization of the Patriot Act by next week. [Source]

US – New York Breach Notification Law Goes Into Effect

New York has joined the growing list of U.S. states requiring that companies notify their customers whenever private information has been compromised. On Wednesday, the state’s Information Security Breach and Notification Act went into effect, according to a spokeswoman for the state’s attorney general, Eliot Spitzer. The law, which is similar to California’s SB-1386 notification law , requires businesses and state agencies to inform New York residents “whose unencrpyted personal information may have been acquired by an unauthorized person,” according to the text of the legislation. [Source]

US – Illinois ID Theft Bill Takes Effect Next Month

A new bill in Illinois designed to help consumers fight ID theft takes effect Jan. 1. The bill allows victims of ID theft to place a security freeze on their credit. Critics say the bill falls short because it does not allow individuals to prevent ID theft before it happens. [Source]

US – Identity-Theft Protection Law Gives Court Clerks a Big Task

Florida Courts Face 2007 Deadline to Redact Public Documents. To prevent ID theft, Florida lawmakers passed a law that requires the offices of the clerk of courts to ensure that Social Security numbers and other financial information be redacted from public records. Under current law, a citizen must request that private information be redacted from the court records available to the public. [Source]

--------