EU – Biometric Passport Cracked: Face and Fingerprints Swiped

Chip-based passports can be forced to reveal all their content after just a couple of hours of number crunching, despite standards governing their introduction specifying strong counter measures, according to the findings of a Dutch smart card security firm. According to the company, the problem of potential eavesdropping attacks will still exist when the Netherlands’ passport is rolled out this August, unless measures are taken to prevent this relatively simple, yet cunning attack. High-quality antennas are able to intercept the signal between an authorised passport reader and a passport chip from distances up to 20-30m, and that these communications can be deciphered to reveal the sensitive data inside. Swiss and German passports, among others, could also suffer from the same vulnerabilities. Current passport standards require information transferred between passport and reader to be encrypted. However, any encryption technique needs a secret key and so, to keep things straightforward, the key is actually made up from certain information found on the data page of a person’s passport – expiry date, date of birth and the passport number. This technique is called Basic Access Control. The problem is that the key can be cracked in two to three hours when certain conditions apply. [Source] [Source] [See also ID Cards Will be “Snooper’s Paradise” Say Critics: Source]

WW – Mapping Veins as a Human ‘Bar Code’

A small medical supply company called Luminetx has developed a new method of palm-reading that it hopes will rival fingerprinting or retinal scans as a way to perfectly identify individuals. The technology is based on an infrared scan of the blood cells running through veins, which is then analyzed by a computer. Luminetx originally developed the technique as a way to help doctors and nurses find veins in patients needing injections. But now, the company is marketing it to banks, credit card companies and even homeland-security officials as a high-tech biometric identification tool. “Our vein structures are completely different, especially when you look at the palm,” said Luminetx Chief Executive Officer. “In a way, it’s like looking at a bar code. We convert your veins to a bar code.” [Source]

BC – Chilliwack Proposes Controversial Bylaw to Report Shoppers to Police

Chilliwack wants to know who’s buying products that could be used to grow marijuana. The name, address and date of birth of anyone who shops at a hydroponic store in Chilliwack, even if only to buy some fertilizer for a home garden, may soon be entered in a police database if a controversial bylaw is passed. The bylaw is aimed at helping police shut down marijuana-growing operations. [Source]

ON – Privacy Commissioner Concerned by Oshawa Bylaw

A controversial Oshawa bylaw has caught the eye of the Province’s information and privacy commissioner, who said this week law-abiding citizens should not be forced to provide personal information in order to sell used goods. Commissioner Ann Cavoukian sent a letter to Oshawa Mayor John Gray last week, raising concerns about updates to the city’s second-hand goods bylaw, which now requires store owners to enter a client’s personal information into a database, accessible to police across the country. “The public is not expected to routinely turn over personal information to the police when they’ve done nothing wrong,” she said. “If you want to sell a used toaster or microwave or some furniture from your house... you would now be required to turn over that personal information. That puts on its head the normal expectations in a free society.” [Source]

WW – Survey: Online Consumers Participate In Surveys, Promotions

A Forrester Research survey of 5,257 consumers in the U.S. and Canada found that while consumers are more concerned about sharing personal information, they have few misgivings about participating in online surveys or entering sweepstakes. In 2005, 9% of consumers said they would provide personal information for more relevant advertising, down from 18% the previous year. [Source]

US – House Chair Calls for Empowered Federal CIO

Karen Evans, the Office of Management and Budget’s administrator for E-government and IT, is doing “a good job” as the de facto federal CIO, but she doesn’t have the power that a designated federal CIO might wield when implementing government wide IT policy, according to House Government Reform Committee chairman Tom Davis (R-Va.). Davis yesterday reiterated his longstanding support for the creation of a federal CIO position. He made his remarks during a question-and-answer session with public-sector CIOs at a Microsoft summit. “A federal CIO talking to the president is one way you could get [things] done, and I don’t think we have a mechanism right now where OMB really has the enforcement mechanisms to enforce [IT] procurements, particularly ones between agencies and the like on information-sharing,” Davis said. [Source]

UK – ASA Slams Anonymous ‘Tell a Friend’ E-Mail

Viral marketing is open to abuse. So when a website that emulates Friends Reunited offered a ‘tell a friend’ service, the UK’s advertising watchdog decided it was too great a risk to allow emails to be sent to strangers without naming the friend. [Source]

US – EPIC Urges Center for Disease Control to Limit Passenger Data Collection

EPIC said in comments to the Center for Disease Control and Prevention that it should limit a proposed rule that would require airline and shipping industries to gather passenger information, maintain it electronically for at least 60 days, and release it to the CDC within 12 hours of a request. EPIC urged the CDC to narrow the scope of data collected to that which is necessary and set strict security standards to keep passenger data secure from unauthorized access and misuse. The CDC also should require the clear and open disclosure that travelers can refuse to submit their information without facing penalties. [source]

US – Acxiom Proposed Massive Web Monitoring Plan

Documents (pdf) obtained by EPIC under the Freedom of Information Act show that commercial data broker Acxiom proposed a system to automatically scan the Internet and identify websites “belonging to advocates of extremist views and actions...” The plan proposed to extract personal information from websites and use it for “cross-reference analysis to establish possible connections between extremist groups” and to collect data for an “Identity Verification System to be used by airlines, rental car agencies, and other business and government agencies.” [Source]

EU – EU Privacy Chief Wants Tweaks to Anti-Terror Database Plan

The European Data Protection Supervisor has welcomed the inclusion of data protection requirements in EU proposals to improve access to a forthcoming EU-wide database known as VIS. He also suggested possible improvements. The VIS, also known as the Visa Information System, is intended to be a system for the exchange of visa data between Member States and is primarily an instrument to support the common visa policy. It will also facilitate checks at the external borders and within the Member States, assisting the exchange of data between Member States on applications and on the decisions in respect of those applications. [Source]

EU – Industry Groups Concerned About Divergent Retention Requirements

The new Data Retention Directive will allow governments of individual member states to impose longer retention periods. Under the terms of the new directive, service providers can be ordered to retain data between six and 24 months. Industry groups are concerned that member states will adopt different retention periods, which will make compliance difficult. [Source]

EU – Commission Refuses to do Impact Assessment on the Data Retention Directive

In a public answer to a written question by an MEP on timeframe of the impact assessment of the Data Retention Directive, the European Commission has stated that such an assessment will not take place because “it will not provide any added value”. The Commission considers that “an impact assessment cannot, at this stage, have an influence on the content of the legal instrument, given the fact that an agreement on the Directive has just been reached between the Council and the Parliament. This means that the legislative process at the European level is completed, and that an additional assessment of the impact of the instrument at the European level will not provide new elements.” However, the Commission is considering the set-up of a working group on this matter. [Source] [Background] [Background] [Background]

US – DNA Bill Clears Tough Committee Hurdle

A New Mexican bill (SB216) that would require anyone arrested on a felony charge to submit DNA samples squeaked through a state Senate Committee after a three hour hearing this week. The Senate Judiciary Committee was considered the biggest legislative hurdle for what has been dubbed “Katie’s Law.” The name comes from Katie Sepich, a New Mexico State University student who was raped and murdered in 2003. Senate Majority Leader Michael Sanchez called the DNA proposal one more example of the government chipping away at personal privacy. [Source]

US – Survey: Americans Value Health Privacy, Have Security Concerns

Survey results released on January 17 indicate that Americans are deeply concerned about the vulnerability of their medical records online. A third of all respondents indicated that the fear of their medical information being revealed on the Internet was a reason they felt less comfortable sharing information with primary care physicians. Nearly half (47%) who felt uncomfortable sharing information with their primary care doctors wanted control over who accesses their information. These results reinforce the need for privacy to be built into any health information technology system, such as the proposed national health IT network. EPIC and Patient Privacy Rights are asking concerned citizens to sign an electronic petition demanding that privacy rights be put back into healthcare law. [“I Want My Medical Privacy” Petition] [Patient Privacy Rights] [EPIC’s Medical Privacy Page]

US – NYC Diabetes Program Faces Privacy Criticisms

The New York City Board of Health’s program to monitor blood sugar levels is under way without patients’ knowledge and informed consent, according to some critics. Other complaints about the program include the unavailability of an opt-out for patients. At the time their blood is drawn, patients are not told that the results will be sent and stored in a NYC Department of Health database. [Source]

US – Trial Continues Over Teenage Sexual Privacy

Without privacy, medical research shows that teens won’t quit having sex, they’ll just stop talking about it. The chairman of adolescence committee for the American Academy of Pediatrics told a federal judge today that studies indicate that teens won’t tell their doctors about their sex lives unless they trust them. But requiring Kansas doctors to report all sex by patients younger than 16 to Social Services won’t curb behavior. “If mandatory reporting of sexual activity is required, adolescents will be less likely to talk about it to their health-care providers.” Kansas Attorney General Phill Kline has said that doctors should be required to report that, a legal opinion being challenged this week in Wichita. The case is attracting national attention. [Source]

US – Credit Card Numbers Stolen From Rhode Island State Government Web Site

Rhode Island officials said they plan to notify affected credit card customers whose information was stolen from a government Web site. The site, which is run by a vendor, allows consumers to register their cars and buy state permits. No fraud related to the breach has surfaced. [Source]

US – 240,000 Newspaper Subscriber Credit Data Distributed by Mistake

Credit and bank card numbers of as many as 240,000 subscribers of The Boston Globe and Worcester Telegram & Gazette were inadvertently distributed with bundles of T&G newspapers, officials of the newspapers said. The confidential information was on the back of paper used in wrapping newspaper bundles for distribution to carriers and retailers. As many as 9,000 bundles of the T&G, wrapped in paper containing subscribers’ names and their confidential information, were distributed Sunday to 2,000 retailers and 390 carriers in the Worcester area, said a spokesman for the Globe. In addition, routing information for personal checks of 1,100 T&G subscribers also may have been inadvertently released. [Source]

US – Hackers Get Honeywell Worker Info, Post Online

Honeywell International vowed Tuesday to “aggressively pursue” the unidentified hackers who broke into the company’s computers and posted the Social Security numbers and bank account information of about 19,000 current and former employees on the Internet. [Source]

US – Faculty Info Potentially Exposed in Server Hack

The personal information of about 2,300 current and former California State University employees might have been breached during a suspected break-in of a computer server on campus. The roughly 700 faculty members and 1,600 staff whose information was contained on that file will receive letters this week warning that a hacker might have gained access to their Social Security numbers, pay-raise information, job reassignments and other data, said the university’s chief information security coordinator. [Source]

US – Northwest Hospital Chain Loses Data on 365,000 Patients

A laptop containing the medical and personal records of 365,000 patients of the Providence Health Care system was stolen from the van of an information services analyst who worked for Providence on Dec. 31st. The thief broke open the van window to steal the data, which contained names, addresses, Social Security numbers, and medical diagnoses for patients in Providence’s Home Care division. The data also contained information on 1,500 current and former Providence employees. The theft was not publicly disclosed until Jan. 25th. Taking home backup copies of patient data was an accepted practice for specific employees, according to Providence’s chief of operations in Oregon. The data was not encrypted or protected against misuse. Since the theft occurred, Providence has instituted a policy of encrypting all data on its laptops and storing offsite data in more secure locations. [Source]

AU – Survey: Most Support Australian ID Card Idea

A Majority of Australians now support a national identity card, two decades after the concept was dumped following a popular revolt in 1987. The ID card now under consideration by the Federal Government is supported by 53% of the electorate. A recent Newspoll found that 31% of voters were opposed to the ID card, compared with 57% against 19 years ago, when it could only muster the support of 39% of the electorate. Support for the card was strongest among those aged over 50, at 63%, and Coalition supporters, 60%. [Source]

US – Report: Incidences of ID Theft Down, Losses Up. Online Fraud Not Big Factor

U.S. consumers lost nearly $57 billion last year to criminals who stole their identities, but online fraud was the culprit in just one in 10 cases, according to a survey. The study by the Council of Better Business Bureaus and Javelin Strategy & Research showed that identity theft cost U.S. consumers 4% more in 2005 than the $54.4 billion it cost in 2004. The average fraud amount per victim rose to $6,383 last year from $5,885 in 2004. [Source] [Source] [Source] [Hispanics Hit Hardest]

UK – Identity Fraud is Costing the UK Economy over £1.7bn a year

According to official figures published this week, the Home Office figures show a marked increase in the cost of preventing and dealing with identity fraud since 2002, when the figure stood at £1.3bn a year. The figures include losses recorded by a number of bodies, including credit card providers, government departments and the police force, and the cost of fraud prevention to agencies such as the DVLA and UK Passport Service. Since the last figures were published, the level of fraud in some areas has fallen as new measures have been introduced to combat the problem. [Source] [See also ID fraud figures 'inflated to play on public fears']

US – Court Upholds Air Travel ID Requirement

The Ninth Circuit Court of Appeals recently ruled for the government in Gilmore v. Gonzales, a case that challenged an unpublished federal rule requiring passengers to show ID before boarding commercial airplanes. EPIC filed a “friend of the court” brief in the case, stating that secret law violates constitutional due process rights. [Source].

US – Date Set for Google Court Appearance Over Search Privacy

A Feb. 27 court hearing has been scheduled for arguments over Google’s refusal to comply with the US Justice Department’s request for customer search data. Privacy advocates are supporting Google in the battle, but federal prosecutors contend they are not seeking information that would identify individual users. [Source] [UPDATE: Judge postpones Google subpoena hearing]

CA – Police Critic Finds 20 Queries on CPIC

The head of a police watchdog group is accusing Edmonton cops of abusing a criminal database to keep tabs on him. Marshall Deslauriers, chairman of Citizens for Police Oversight, found out through a Freedom of Information and Protection of Privacy Act request that city police have queried his name through the Canadian Police Information Centre (CPIC) 20 times since 1996. Deslauriers, 63, says he wants to know why no legitimate reasons were given for 12 of those searches. "Because I am a vocal police critic, I shouldn't be targeted by the Edmonton Police Service and that's what I think is happening." [Source]

US – Feds Say Cell Phone Tracking Won’t Breach Privacy

Federal prosecutors have contended that they want to know only the general location of a criminal suspect when they seek information about the whereabouts of the individual’s cell telephone. The federal government is not seeking information so specific that it would breach a person’s privacy rights, Assistant U.S. Attorney Martin Littlefield said in a hearing this week. Federal authorities are asking the court to approve an order allowing them to get information about which cell tower an individual’s telephone made contact with. They insist that they do not have to show there is probable cause that the suspect committed a crime — a legal threshold necessary for a search warrant, for instance. Authorities didn’t reveal the nature of the criminal probe at the hearing. [Source]

UK – Mobile Phone Tracking, Girlfriend Stalking and the Law

A service has launched in the UK which allows you to track any mobile phone around the globe and follow its movements from your own computer. The Guardian ran a feature on it yesterday called ‘How I stalked my girlfriend’. It painted a scary picture. [Source]

UK – ISPs Ordered to Reveal Software File-Sharers

The English High Court has ordered 10 ISPs, including BT, Tiscali and Telewest, to reveal the identities of 150 file-swappers accused by the Federation Against Software Theft (FAST) of illegally uploading software to networks like Kazaa. [Source]

AU – Australian Privacy Laws to be Reviewed

The Australian Federal Government has announced a review of the Privacy Act. Attorney-General Philip Ruddock says the Australian Law Reform Commission will look at existing laws and practices across the country and consider changes in technology since the Act was introduced in 1988. “What you see with areas like the Internet, it’s a form of technology in which people still have a need for their privacy to be protected,” he said. Mr Ruddock says the review is not linked to the separate issue of a national identity card. “Quite frankly the privacy issues operate quite separately from that,” he said. [Source]

US – ACLU Says President Ignored State of Civil Liberties in Address

“Bush Failed to Answer Questions on Patriot Act, NSA Spying.” The American Civil Liberties Union has strongly rebuked President Bush for failing to adequately address serious civil liberties concerns about his administration’s actions since 9/11 in his State of the Union address delivered Tuesday. Specifically, the president failed to answer questions raised - from all points of the political spectrum - on his warrantless domestic spying program conducted by the National Security Agency and the over intrusive powers in the Patriot Act. [Source] [See also Barr Responds to State of the Union Address]

US – CDT, Others Call for Delay of FCC Wiretapping Rules

CDT joined with a coalition of industry and public interest groups this week to urge the FCC to delay its controversial Internet wiretapping rules. In comments filed with the FCC, the groups requested that the commission push back the effective date of the rule requiring that that broadband Internet and interconnected voice-over Internet Protocol (VOIP) services be designed to make government wiretapping easier. CDT, which is also involved in a court challenge against the ruling, supports the delay because the FCC set a deadline for VoIP and broadband providers to modify their networks but failed to specify what modifications were required. [Source]

US – Senators Question Legality of U.S. Domestic Surveillance Program

Senator Chuck Hagel, a Republican member of the US Senate Intelligence Committee, Sunday questioned the legitimacy of the Bush administration’s domestic surveillance program, casting doubt on its legality in the absence of judicial or Congressional authority. Notwithstanding legal defenses of the intercepts by President Bush, Vice President Cheney, and the US Department of Justice, Hagel denied that the President was given broad “blank check” authority to conduct any kind of domestic spying, saying that “If in fact the president does believe that our current laws are restricting him because of new technologies...then he should come together with Congress and say we need to amend it.” The Senate Judiciary Committee will hold hearings on the program beginning February 6. The Senate Intelligence Committee will also hold similar closed-door hearings. [Source] [Source] See also: Statement of Senator Russ Feingold on the Attorney General’s Misleading Testimony Before the Senate Judiciary Committee [Source]

US – Negotiations Under Way On California’s RFID Bill

Industry concerns over a bill that would impose a three-year moratorium on chip-based wireless technology to allow for more study before it is used in government ID cards are having a significant impact on the bill’s revisions. The bill has undergone numerous amendments since it was delayed last August. [Source]

UK – ID Cards Will be “Snooper’s Paradise” Say Critics

ID card critics have slammed government plans to include RFID-style tracking tags on the controversial cards, saying they will be a “snooper’s paradise”. Home Office minister Andy Burnham told parliament just before Christmas that ID cards will not contain RFID chips but will contain radio frequency contactless chips. The paper-thin RFID-style chip is already set to be embedded in the new ePassports, in compliance with ICAO guidelines for international travel documents, and can be read by a scanner without the need for the document to be swiped through a reader. But a row has now broken out over how far chips need to be from scanners for their data to be read. ID card critics have dismissed Burnham’s claim that chips can only be read if they are a few inches away from scanners, arguing that signal boosters enable data to be accessed from much further away. Phil Booth, national co-ordinator for the No2ID campaign group, said in a statement: “The chips will broadcast actual personal details held on the card, not just a number. This technology will make the cards a snooper’s paradise.” [Source] [See also Dutch passport Cracked [Source] [Source]

CA – Survey Shows Private Data at Risk of Attack

The Fusepoint/Sun Microsystems/Leger Marketing survey has found that 55% of Canadian companies say their confidential and private data is at risk of an attack. However, 98% of the Canadian business leaders said that it is important for companies to safeguard private data. [Source]

US – Study: Data Theft Hits Many Universities

Since February 2005, the personal data of more than 52 million Americans has been compromised, in many cases through breaches of computer systems at colleges and universities, Privacy Rights Clearinghouse reported this week. Of 113 data breaches reported, 55 took place at colleges, universities and university-affiliated medical centers. Stolen data included Social Security numbers, account numbers and driver’s license numbers, according to the Privacy Rights Clearinghouse Web site. [Source]

WW – Computer Worm That Destroys Files Set to Attack

A computer worm that infiltrated hundreds of thousands of PCs last month is expected to awaken, destroying documents and files on infected machines and networks, Microsoft and computer security experts warn. The worm, variously named “Nyxem.D,” “MyWife.E,” “Blackmal.E,” and the “Kama Sutra worm” by different antivirus companies, is a ticking time bomb that on the third day of each month will seek out and delete a wide range of file types found on infected Windows computers, including any Adobe PDF files and Microsoft Word, Excel and Powerpoint documents, among others. [Source]

US – Creation of National ID Card Will Be a Nightmare, AAMVA Report Shows

State motor vehicle officials across the nation say it will be a nightmare to implement the REAL ID Act, a law passed in May that will turn driver’s licenses into national ID cards. A comprehensive survey concluded last August but recently obtained by the Associated Press revealed the costs of implementation have been vastly underestimated by the government, which initially put the total price at $100 million. According to the survey, Pennsylvania alone would spend $85 million on REAL ID. [AAMVA Report on the REAL ID Act]

US – Survey: Most Virginians Want Cars’ Black Boxes Kept Private

67% of Virginians believe no one should have access to data collected by their car’s computer without the owner’s permission, according to a poll by AAA Mid-Atlantic. Event data recorders, commonly referred to as the car’s “black box,” have become increasingly part of new vehicles’ performance, air bag deployment and occupant information systems. [Source]

US – FCC Subpoenas 30 Phone Record Dealers

The Federal Communications Commission has subpoenaed more than 30 information brokers to learn how they obtain customers’ calling records from telephone companies, according to testimony Wednesday before Congress. In a hearing before the House Energy and Commerce Committee, the heads of the FCC and the Federal Trade Commission endorsed making the sale of phone records illegal. [Source]

US – Momentum Builds In Washington to Ban Sale of Private Telephone Records

The House and Senate will each hold hearings on the controversy over the online sale of private telephone records. In other developments, Sprint Nextel Corp. joined the list of companies suing data brokers that sell the records. The FTC also has determined that the practice of impersonating a customer to fraudulently obtain private records is illegal. [Source]

US – FCC Proposes Fines on AT&T, Alltel Over Privacy

U.S. communications regulators this week proposed fining AT&T and Alltel $100,000 each for failing to properly certify that they have safeguarded their customers’ personal call information. Amid concerns that data brokers may be selling subscriber call records, the Federal Communications Commission said it demanded several carriers submit their most recent certifications proving they had complied with federal regulations requiring them to protect customer data. [Source]

US – Sprint Nextel Files Lawsuit to Halt Fraudulent Pursuit of Confidential Customer Info

Sprint Nextel announced that it has filed a lawsuit against All Star Investigations Inc. (“ASI”), a company believed to own and/or operate several web sites that fraudulently obtain and sell wireless customer call detail records. Sprint Nextel states in its complaint that ASI unlawfully obtains customers’ wireless phone records through flagrant misrepresentation and deceitful practices. Sprint Nextel’s latest legal effort aimed at protecting customer privacy immediately follows its lawsuit filed against First Source Information Specialists Inc. announced on Jan. 27. Similar to the earlier suit, Sprint Nextel has requested both temporary and permanent injunctions against ASI. [Source] [See also Second Suit Filed]

US – EFF Sues AT&T for Helping NSA Spy Without Warrants

A civil liberties group sued AT&T Inc. for its alleged role in helping the National Security Agency spy on the phone calls and other communications of U.S. citizens without warrants. The Electronic Frontier Foundation claims the telecommunications company not only provided direct access to its network that carries voice and data but also to its massive databases of stored telephone and Internet records that are updated constantly. [Source] [Source] [Complaint]

US – FTC Offers New Content to Educate Consumers on ID Theft Prevention

The FTC is offering users new tools to help them learn more about ID theft prevention. An 8-question online quiz is available to raise awareness about ID theft. This spring, the FTC plans to add more information on ID theft to the new site at www.onguardonline.gov. [Source]

US – Congress Gives Patriot Act Another Month

The Patriot Act is set to be extended for another month while conservative Republicans and the White House work out changes they say would protect people from government intrusion without weakening the war on terror. A day after President Bush insisted that Congress renew 16 provisions set to expire Friday, the House was set to extend the act until March 10 to give negotiators more time to come up with a deal. The Senate was expected to follow before the deadline. [Source]

US – Attorney-General Rob McKenna Pushes Identity Theft Solutions

A consumer who fears imminent identity theft - possibly due to a stolen wallet - would be able to freeze his credit under a measure proposed by Attorney General Rob McKenna. A credit freeze prohibits credit from being issued in the consumer’s name and restricts access to a credit history. Under current law, the concerned consumer can’t freeze his credit until a thief actually uses the information to commit a crime, McKenna said. His proposal was offered a day after Providence Health System, a regional medical services provider, revealed that a thief had walked off with the medical records of 365,000 patients. Along with sensitive health information, those records contained names, addresses and SSNs. [Source]

US – Survey: Most Employers Monitor Employees’ Calls, Web Use

A 2005 survey done by ePolicy Institute in Ohio and the American Management Association found that nine out of 10 companies engage in workplace surveillance. The survey of 500 U.S. employers also found that 75% of the companies tracked employees’ Web site visits. The survey showed that only a small percentage of the employers checked out their employees’ personal blogs. [Source]

US – Employers Often Notify Workers About Monitoring

Workers using company computers and telephones have no reasonable expectation of privacy – especially if the company has warned employees in advance that they could be monitored. Connecticut and Delaware requires employers to inform workers they may snoop on them when they use email and the Internet. [Source]