Privacy News Highlights

21—27 October 2005

Contents:

UK – U.K. Passport Agency: ‘Iris Recognition Needs Work’

UK – Doubts Over Biometric Passports

CA – Yukon Computer Rules are Privacy Breach, Union Boss Believes

CA – Federal Government Caves in to Lobbyists on Do-Not-Call Lists

WW – Survey: Net Surfers Cut Back Amid ID Theft Fears

WW – Report: Confidence in E-Commerce Affected by Phishing

US – Fears About ID Theft an Obstacle to Online Banking

CA – Study: Canada Leads in Internet Banking

US – DMA Makes Move to Fight Spam

EU – EU Privacy Watchdog Warns of ‘Fuzzy’ Data Sharing Plans

WW – Visa and MasterCard Combine Security Standards

US – Banks to Blacklist Crooked Workers in Fraud Fight

US – Commission Supports Plan to Put Victim Data out of Public View

US – Health IT Commission Recommends Patient ID Standard

US – Georgia Notifies 465,000 People of Potential Identity Theft

US – Software Glitch Reveals Private Data for Thousands of State’s Students

US – New Jersey University Compromises Students' Information

UK – Commissioner Critical of ID Cards Bill

UK – Lords Call for Independent Identity Commissioner

UK – Identity Cards Bill Passed by Reduced Majority

WW – Study: Old Software Weakening Net’s Backbone

US – Universities Challenge Computer Security Rules

UK – Confidential Child Data Found on Computer Hard Drives in Nigeria

AU – Terror Laws Spark Data Fears in Australia

US – FBI Intelligence Violations

IN – India's First Chief Information Commissioner Sworn In

US – Broad Coalition Opposes Joint Marketing, Recruiting Database

US – U.S. Passports to Receive RFID Electronic Identification Chips

CA – Staples’ Canadian Unit Launches RFID Trial

WW – Radar Reader Spots RFID Tag Location at a Distance

WW – NATO Seeks To Reduce Casualties from Friendly Fire

US – Congress Designates October as National Cyber Security Awareness Month

US – New Rules on Internet Wiretapping Challenged: Redesign Costs Are Cited

US – Missouri Undertakes Traffic Project by Tracking Cell Phones

US – Court Issues Surveillance Smack-Down to Justice Department

US – Appeals Court Asked to Stop Internet Wiretapping Rules

US – Homeland Security Implements Rule on Digitized Passport Photos

UK – U.K. Passport Agency: ‘Iris Recognition Needs Work’

The U.K. Passport Service (UKPS) claims that iris recognition is still not an accurate enough method of biometric identification for mainstream deployment, following extensive trials of the technology. Speaking at a Biometrics conference in London this week, Rob Bowley, director of ID Projects with the UKPS, said the current technology needs to be improved to carry out more efficient biometric scanning. “We’ve got a lot of work to do—the technology has got to work in all environments.” The UKPS carried out the first large scale UK trial of the three main biometric techniques in the UK between 14 April, 2004 and 24 December, 2004. Around 10,000 participants were involved and researchers from the UKPS measured the amount of time taken to process each individual and how customers reacted to the technology. Participants in the trial were used to test three biometric devices, including facial-, iris- and fingerprint-scanning technologies. Attempted enrolments took eight minutes and 15 seconds on average. [Source]

 

UK – Doubts Over Biometric Passports

Biometric passports alone will not be enough to counter terrorism threats, a leading expert has warned. Barry Kefauver of the International Civil Aviation Organisation (ICAO) told a conference in London that new so-called e-passports need to be linked to databases held by police and other agencies. He added that countries must take measures to ensure criminals and terrorists cannot get hold of fake travel documents. The UK Passport Service plans to introduce biometric passports, which contain chips with data from a facial scan, in early 2006. [Source]

 

CA – Yukon Computer Rules are Privacy Breach, Union Boss Believes

A new set of computer-use guidelines put forth by the Yukon Territorial Government (YTG) will enable the government to tap into employees’ home computers and is an invasion of privacy. That’s the opinion of Laurie Butterworth, the newly-elected Yukon Employees Union president. He says the guidelines were done without consultation and are a major concern to union members. “The Yukon government put forward these recommendations without consultation,” he said in an interview this morning. “We’re telling our people not to work from home,” he said. “It’s a privacy issue and it directly relates to IT (information technology) people,” Butterworth said. He said people who log onto the government’s server from home could make information on workers’ home computers accessible to the government. [Source]

 

CA – Federal Government Caves in to Lobbyists on Do-Not-Call Lists

Michael Geist reports that “Last week, committee members engaged in a sad display of self-congratulation as a two-hour House of Commons debate on the bill became an opportunity for several Members of Parliament to highlight their work in limiting the bill’s effectiveness with multiple exceptions for polling companies, political parties, charities, and businesses and the prospect for more exceptions for non-profits and newspapers.” [Source] [Source]

 

WW – Survey: Net Surfers Cut Back Amid ID Theft Fears

A new study from Consumer Reports WebWatch finds some computer users are cutting back on time spent surfing the Internet because of identity theft fears. Some have also stopped buying altogether on the Web. The report, Leap of Faith: Using the Internet Despite the Dangers, is based on a poll surveying a nationally representative sample of 1,501 Web users in the United States age 18 and over.

o   30% have reduced their overall use of the Internet.

o   53% have stopped giving out personal information on the Internet.

o   25% have stopped buying things online.

o   54% of those who shop online report they have become more likely to read a site’s privacy policy or user agreement before buying.

o   29% of those who shop online say they have cut back on how often they buy on the Internet.

[Source] [Study]

 

WW – Report: Confidence in E-Commerce Affected by Phishing

According to a report by security firm Gartner, consumer confidence in the security of online transactions has declined because of a rise in phishing-related fraud and identity theft. Gartner estimates that 73 million consumers received a phishing email between May 2004 and May 2005. Furthermore, it was reported that 2.4 million online shoppers have lost money as a direct result of a phishing email. In a recent survey, a third of consumers reported buying fewer items online than they would typically purchase because of security concerns. [Source]

 

US – Fears About ID Theft an Obstacle to Online Banking

The penetration rate for online banking among Internet users is less than 63 percent, according to a new report. The report, “Online Banking Customers: Attitude and Activities,” indicates that consumer anxiety about ID theft and Internet fraud has prevented online banking from reaching its potential. The report’s author, eMarketer senior analyst David Hallerman, recommends that banks offer a comprehensive security guarantee, including reimbursement of customers for any stolen funds. [Source]

 

CA – Study: Canada Leads in Internet Banking

Canadians lead the world in on-line banking, a new report says, with 40% of the country visiting on-line banking sites. In September, says the report from market research company comScore Media Metrix Canada, more than 13.3-million Canadians visited on-line banking sites, representing 68.9% of all Internet users in the country. The average banking visitor spends almost 55 minutes a month banking, and looks at an average of 141 pages of content, the report said. The growth in banking since last year saw significant increases among many of the institutions. Increased traffic is a strong sign of consumer confidence and usage of on-line banking tools, the report said. [Source]

 

US – DMA Makes Move to Fight Spam

A marketing trade group is requiring members to adopt an anti-spam technology to increase the effectiveness of legitimate pitches. The Direct Marketing Association approved the requirement this week, but the group did not specify which anti-spam technology companies should use. [Source]

 

EU – EU Privacy Watchdog Warns of ‘Fuzzy’ Data Sharing Plans

The European Data Protection Supervisor (EDPS) has called for better privacy protection in the European Commission’s plans for revising a system that enables authorities to share information about the movement of people across the EU. The EDPS is Peter Hustinx, the person responsible for monitoring the processing of personal data by the Community institutions and bodies. His 26-page opinion on three proposals related to the Second Generation Schengen Information System, known as SIS II, was published today. [Source] [Opinion]

 


WW – Visa and MasterCard Combine Security Standards

Visa and MasterCard have launched free, self-assessment tools for merchants to test and validate the security of their e-commerce connections. In an effort to combat credit card fraud, both credit card giants have developed a set of standards for transaction security - called the Payment Card Industry Data Security Standard - plus access to a free security assessment tool provided by ScanAlert. “The silver bullet is the prohibition of storing magnetic stripe authentication data because if there is nothing to steal, nothing can be stolen - that is the key message.” [Source]

 

US – Banks to Blacklist Crooked Workers in Fraud Fight

Major U.S. financial institutions are working to set up a new defense against insider fraud: a database of employees who are known to be scam risks. The new database, announced this week, will list information on employees at financial institutions who were fired because they compromised customer data or knowingly caused financial losses, the group said. Reports of insiders attacking financial services systems are on the increase. In a 2004 Deloitte survey of IT security in the industry, 35% of companies said they had come under an attack from an internal source. That’s up from 14% in 2003. [Source] [Source]

 

US – Commission Supports Plan to Put Victim Data out of Public View

A criminal justice commission is supporting a plan putting victims’ personal information and details about crimes out of public view on police reports. This week’s decision came despite objections by members of the press that the public has the right to know the whole story about a crime. The Criminal Justice Information Center Commission voted to present the proposed changes to the incident report forms for public comment and agreed to hold a vote on approving the changes January 18th. [Source]

 

US – Health IT Commission Recommends Patient ID Standard

The Federal Advisory Commission on Systemic Interoperability is recommending in its final report that the government “develop a national standard for determining patient authentication and identity.” The 250-page report, released this week, also calls for a uniform federal health information privacy standard that would overrule state laws that limit or prevent information sharing among authorized individuals and institutions. The commission is composed mostly of information technology-savvy health care leaders, including physicians, hospital administrators and insurance executives. They wrestled with the issue of establishing a national identification number, which the Department of Health and Human Services would issue, to all patients whose records medical professionals would share across a future National Health Information Network. Instead, the 11-member body unanimously issued general recommendations for standardizing the diverse systems that identify patients and assemble records. A national ID number would be one way to standardize, the report states. “The crucial element is uniformity in how patients are linked to their data,” said the commission’s chairman. To hasten adoption of health IT, the commission also recommends that the government, employers and other payers such as insurance companies offer “financial and other incentives for participation in a standards-based health care information network.” The report, “Ending the Document Game: Connecting and Transforming Your Healthcare through Information Technology,” lists recommendations from 20 comparable reports dating back to 1973. Asked how this report differed from its predecessors, the chairman said it focuses on consumers and the benefits they would get from widespread health IT implementation. [Source] [Report]

 

US – Georgia Notifies 465,000 People of Potential Identity Theft

Georgia officials began notifying 465,000 people that they might be at risk of identity theft because of a government security breach detected in April. Joyce Goldberg, spokeswoman for the Georgia Technology Authority, emphasized that officials had no evidence that any personal data had been used for fraudulent purposes. [Source]

 

US – Software Glitch Reveals Private Data for Thousands of State’s Students

The personal information of tens of thousands of California children – including their names, state achievement test scores, identification numbers and status in gifted or special-needs programs – is open to public view through a security loophole in dozens of school districts statewide that use a popular education software system. Teacher names and employee identification numbers are also visible to anyone logging onto the system, which is used locally by school districts including San Francisco, San Jose and Hayward. The problem occurs when the districts issue a generic password to teachers using the system. Until the teacher changes to a unique password, anyone can type in a teacher’s user name and generic password and gain access to information about students that is supposed to be guarded as closely as the gold in Fort Knox. [Source]

 

US – New Jersey University Compromises Students' Information

According to a report released by Montclair State University (MSU), an unprotected Web server has left more than 9,000 students vulnerable to identity theft. The school was notified of the security problem when a student was able to access his Social Security number and other personal information stored on the server by using the Internet search engine Google. All the affected students have been notified of the incident. The employee responsible for protecting the information believed that the files were secure or unsearchable because they were not linked to the university's Web site. [Source]

 

UK – Commissioner Critical of ID Cards Bill

The UK Information Commissioner believes the measures set out in the National Identity Cards Bill go “well beyond” the requirements to set up a secure, reliable and trustworthy ID card system. In a statement published on the organization’s website, Richard Thomas raised several concerns relating to privacy and the protection of individuals’ personal information. The document says that while the government is looking to develop a ‘gold standard’ for identity verification for the ID card that requires the recording and collecting of biometric and other data, once this process is completed and the standard established there is “little justification for retention of all such details in a central National Identity Register.” It goes further by calling the holding of this data “unwarranted and intrusive” and “not easily reconciled with fundamental data protection safeguards.” In addition, the extensive nature of this data means the onus on the individual to ensure records are kept current is “excessive and disproportionate.” The development of the Register and its operation is considered by Mr. Thomas as another step towards a “surveillance society” that may lead to “unwarranted intrusion into individual’s lives by government and other public bodies.” He also expressed concern over potential future use of the system as outlined in the bill, which allows for potential function creep into “unforeseen and perhaps unacceptable areas of private life.” [Source] [Statement]

 

UK – Lords Call for Independent Identity Commissioner

The proposed national identity scheme commissioner should be independent of government, with the power to investigate complaints and report directly to Parliament, says the House of Lords. A report on the government’s Identity Cards Bill from the all-party House of Lords Constitution Committee says the identity card scheme will “fundamentally change” the relationship between citizen and state, recording more information about a person than ever attempted before. “The Committee firmly reject Government claims that, in respect of privacy, ID cards are comparable to driving licenses and passports. If Parliament decides identity cards are needed, it must urgently consider amendments to introduce proper safeguards.” As well as an independent commissioner, the Committee called for an independent body to be the custodian of the National Identity Register, with proper safeguards in place to prevent improper access to data by public servants and others. The Bill’s scope, the report adds, should be limited to a “voluntary phase”. “If the scheme is extended compulsorily to the entire population, then new legislation should be required,” the report says. [Source]

 

UK – Identity Cards Bill Passed by Reduced Majority

Despite concerns over the way personal information will be used, the Government’s controversial identity cards bill is on its way to the Lords following a final reading in the House of Commons last week. The bill was passed by 309 votes to 284 after 25 Labour backbenchers joined forces with the Tories and Liberal Democrats to vote against the bill. An amendment allowing people to apply for a passport without having to submit personal details to the national identity database was defeated by 32 votes. A second amendment, making the scheme free of charge, was defeated by 33 votes. Liberal Democrat MP David Heath said the bill raised a number of concerns. He pointed to the Cabinet Office’s draft information technology strategy which notes that “identity management is a subject whose time has now arrived” and says the Government will use identity cards as part of a “suite of identity management solutions” with data sharing to increase in order to enable public and private sectors to provide cost-effective electronic services. [Source] [Source]

 

WW – Study: Old Software Weakening Net’s Backbone

Many Domain Name System servers are wrongly configured or running out-of-date software, leaving them vulnerable to malicious attacks, according to a study published this week. DNS servers, which translate domain names such as “yoursite.com” into IP addresses, underpin the workings of the Internet. In its survey, Internet performance company The Measurement Factory found that the software used for domain-name resolution is out-of-date on 20% of DNS servers, “opening the door” to pharming attacks—a kind of phishing attempt—through DNS cache poisoning. DNS cache poisoning involves hacking into DNS servers and replacing the numeric IP addresses of legitimate Web sites with those of malicious sites. Internet users are then redirected to fake Web pages where they may be asked for information such as bank account details or unwittingly have spyware installed on their PCs. [Source]

 

US – Universities Challenge Computer Security Rules

The US government, vastly extending the reach of an 11-year-old law, is requiring hundreds of universities, online communications companies, and cities to overhaul their Internet computer networks to make it easier for law enforcement authorities to monitor e-mail and other online communications. The action, which the government says is intended to help catch terrorists and other criminals, has unleashed protests and the threat of lawsuits from universities, which argue that it will cost them at least $7 billion while doing little to apprehend lawbreakers. [Source]

 

UK – Confidential Child Data Found on Computer Hard Drives in Nigeria

Members of an environmental group who purchased computer hardware at a Nigerian marketplace say they found confidential data from Wisconsin’s child protective services agency still saved on the hard drive. State officials are trying to figure out how and why the sensitive information – including children’s full names and locations – would remain on hard drives that had been reformatted to eliminate the information before being sent for recycling or disposal. On Monday the Seattle-based Basel Action Network posted on its Web site a copy of a 2001 spreadsheet that listed personal information of 45 children and their guardians in the state program. All names were blacked out. BAN coordinator Jim Puckett said his group purchased the hard drive for about $20 from a marketplace in Lagos, Nigeria, as part of an effort to track the hazardous disposal of computer and electronic refuse overseas. “There are two reasons we gather hard drives – one, to find out where they’re coming from, and two, to show liability beyond environmental liability: the protection of private data,” Puckett said. [Source]

 

AU – Terror Laws Spark Data Fears in Australia

Civil libertarians in Australia say new anti-terror laws could ease police access to business customer records without adequate checks and balances. Under the draft laws, banks, airlines, phone and power companies could be forced to provide information about customers suspected of terrorist offences to federal police and ASIO agents. [Source]

 

US – FBI Intelligence Violations

Documents obtained by EPIC demonstrate a number of FBI intelligence surveillance violations: The FBI has conducted clandestine surveillance on some U.S. residents for as long as 18 months at a time without proper paperwork or oversight, according to previously classified documents to be released today. Records turned over as part of a Freedom of Information Act lawsuit also indicate that the FBI has investigated hundreds of potential violations related to its use of secret surveillance operations, which have been stepped up dramatically since 9/11 but are largely hidden from public view. [Source] [Coverage]

 

IN – India's First Chief Information Commissioner Sworn In

New Delhi: Senior bureaucrat Wajahat Habibullah was Wednesday sworn in as India's first chief information commissioner by President A.P.J. Abdul Kalam at the Rashtrapati Bhawan. Habibullah, a retired Indian Administrative Officer (IAS), will be responsible for the smooth implementation of the Right to Information Act 2005 in all the states except Jammu and Kashmir. The law came into force Oct 12 and gives people the right to seek information about government departments and their work. [Source]

 

US – Broad Coalition Opposes Joint Marketing, Recruiting Database

EPIC was joined by more than 100 local, state, and national organizations in urging Secretary of Defense Donald Rumsfeld to end the Joint Advertising and Market Research Studies recruiting database. The groups cited the broad exemptions to federal privacy laws that would allow the Defense Department to disclose personal information to others without an individual’s consent or knowledge. The proposed uses include disclosures to law enforcement, state and local tax authorities, employment queries from other agencies, and foreign authorities. The database first drew public attention earlier this year when the DOD placed a request for comments on the project in the Federal Register. Following the submission of comments on the system of records by privacy groups, the DOD admitted in a media roundtable that it had in fact already created the system of records. Several privacy advocacy groups expressed dissatisfaction with the DOD for providing such late notice on the existence of the project. The DOD acknowledged that the database would include the names, dates of birth, genders, addresses, telephone numbers, e-mail addresses, Social Security Numbers, ethnicities, high schools, education levels, colleges, and intended fields of study for more than 30 million Americans who are 16-25 years old. This system of records would even go so far as to record parents’ attitudes about military recruitment. [Coalition Letter] [EPIC Background on DoD Recruiting Database]

 

US – U.S. Passports to Receive RFID Electronic Identification Chips

The State Department yesterday issued final rules for implanting electronic identification chips into all U.S. passports, despite continuing controversy over the security of the system and its impact on personal privacy. The regulations mean that as of October 2006, all new and renewed U.S. passports will contain radio frequency identification chips that will include a digital photo and all other information currently printed in passports. [Source] [Source] [Source]

 

CA – Staples’ Canadian Unit Launches RFID Trial

Staples’ Canadian unit, comprised of 240 stores, is planning an RFID trial with three of its suppliers and a logistics provider. The group is designing software that will be used in the trial. The first phase of the trial will involve tagging selected cases and pallets of goods headed for a Staples Business Depot store or a Staples distribution center outfitted with RFID in the Toronto area. The goal of the trial is to gauge how disruptive the RFID tagging operation is to present business operations. Based on the outcome, the trial will allow the project’s leaders to suggest improvements that would enhance the RFID system. [Source]

 

WW – Radar Reader Spots RFID Tag Location at a Distance

A South African company has invented a scanner that can read multiple RFID tags and pick them out from a crowd, allowing users to accurately locate objects among multiple targets. Trolley Scan says its new RFID-radar based reader is able to read tens of tags at a distance, allowing food manufacturers to use cheaper equipment and at the same time speeding up the rate of processing. [Source]

 

WW – NATO Seeks To Reduce Casualties from Friendly Fire

Earlier this month, NATO tested a number of systems to prevent friendly fire casualties. One of the technologies uses RFID tags that are larger and stronger than tags retailers are using. The aircraft’s radar is used to illuminate the tags, which then transmit back location information. More work is needed to develop the system, including encryption and anti-tamper features. [Source]

 

US – Congress Designates October as National Cyber Security Awareness Month

The National Cyber Security Alliance will make a survey public next month that explores the extent of online security measures taken by Americans. Last year’s survey found that 67% of home computer users do not have current antivirus software; 15% said they did not have any protection at all. Congress this week passed a resolution designating October as National Cyber Security Awareness Month as a way to focus attention on U.S. computer security. [Source]

 

US – New Rules on Internet Wiretapping Challenged: Redesign Costs Are Cited

New federal wiretapping rules that would make it easier for law enforcement to monitor e-mails and Internet-based phone calls were challenged by privacy, high-tech and telecommunications groups in federal court this week. The groups argued that the rules would force broadband Internet service providers, including universities and libraries, to pay for redesigning their networks to make them more accessible to court-ordered wiretaps. The groups also said the FCC rules, scheduled to take effect in May 2007, could erode civil liberties and stifle Internet innovation by imposing technological demands on developers. “It’s simply a very bad idea for privacy and for free speech for the government to design any technology, much less the Internet, to be surveillance-friendly,” said Lee Tien, a senior staff lawyer with the Electronic Frontier Foundation, a nonprofit privacy rights group. [Source]

 

US – Missouri Undertakes Traffic Project by Tracking Cell Phones

Privacy advocates are uneasy about the statewide tracking of cell phones to analyze traffic flow and congestion to alert motorists about delays. In the largest project of its kind, Missouri transportation officials are finalizing a contract to monitor thousands of cell phones by tracking their movements to capture a real-time traffic snapshot on all 5,500 miles of the state’s major roads. Officials say the data will remain anonymous and cell phone users will not be tracked. In California, officials use roadside scanners, Web sites and call centers for their real-time traffic service. Officials decided not to use cell phone monitoring to avoid privacy objections. [Source] [Commentary]

 

US – Court Issues Surveillance Smack-Down to Justice Department

No Cell Phone Location Tracking Without Probable Cause. A federal judge forcefully rejected the government’s request to track the location of a mobile phone user without a warrant. Strongly reaffirming an earlier decision, Federal Magistrate James Orenstein in New York comprehensively smacked down all arguments made by the government in an extensive, 57-page opinion issued this week. Judge Orenstein decided that tracking cell phone users in real time required a showing of probable cause that a crime was being committed. Judge Orenstein’s opinion was decisive, and referred to government arguments variously as “unsupported,” “misleading,” “contrived,” and a “Hail Mary.” “This is a true victory for privacy in the digital age, where nearly any mobile communications device you use might be converted into a tracking device,” said EFF Staff Attorney Kevin Bankston. [Source] [Opinion]

 

US – Appeals Court Asked to Stop Internet Wiretapping Rules

New federal wiretapping rules forcing Internet service providers and universities to rewire their networks for FBI surveillance of e-mail and Web browsing are being challenged in court. Telecommunications firms, nonprofit organizations and educators are asking the U.S. Court of Appeals in Washington, D.C., to overturn the controversial rules, which dramatically extend the sweep of an 11-year-old surveillance law designed to guarantee police the ability to eavesdrop on telephone calls. [Source]

 

US – Homeland Security Implements Rule on Digitized Passport Photos

A Homeland Security Department rule that went into effect this week requires visitors from certain countries to carry passports with digital photos and punishes carriers that transport people to the United States without the new passports. Under the rule, the 27 countries that are part of the U.S. Visa Waiver Program must issue their citizens passports with digitized photographs, rather than photos that are glued or laminated onto the document. The requirement comes as part of U.S. efforts to crack down on the use of fraudulent passports and close a loophole that DHS officials say could be exploited by terrorists. [Source]

 

 

--------