The National Institute of Standards and Technology has published formatting specifications for the biometric credentials that federal agencies must include on personal identity verification (PIV) cards issued to federal employees and contractors after Oct. 27. The new document, Special Publication 800-76, offers technical information for implementing Federal Information Processing Standard (FIPS) 201, a now-mandatory standard for smart cards that will replace most current federal employee badges. SP 800-76 describes the procedures and formats for storing fingerprints and facial images required for compliance with the FIPS 201 standard. [Source] [Source]

WW – New Internet Tool Scans Fingerprint to Log on or Pay

Pay By Touch is expected to announce a new service that will let consumers use a fingerprint to log onto Web sites and buy items with a device or chip installed in their PC or laptop. The use of biometrics is increasingly being touted as a way to help thwart identity theft. [Source]

BC – Student Fingerprinting Sets Off Alarms in BC

A joint probe by three of Canada’s privacy commissioners is investigating the practice of requiring would-be lawyers to record their thumbprint before taking the all-important Law School Admission Test. Acting on a complaint by University of Victoria Prof. Eike Kluge, B.C. Privacy Commissioner David Loukidelis and his Alberta and federal counterparts are asking whether a less-intrusive method can be used to protect the validity of the standardized test known as an LSAT. Kluge said that because the test is administered by a U.S. firm, he fears U.S. officials might seize the thumbprints under the sweeping Patriot Law. Andrew Petter, UVic’s dean of law, said he believes the thumbprint is unnecessary. “I think it’s excessive,” said Petter, a former B.C. cabinet minister. “I assume it’s to provide a level of security and to act as a deterrent to someone who’s considering having someone else write the test for them. Given that we tend to think of fingerprinting in a criminal context ... there should be other alternatives.” Mary Carlson, the director of the B.C. Office of the Information and Privacy Commissioner, said the investigation is the first time such a joint effort has been made. [Source]

BC – Hydroponics Bylaw on Hold in Chilliwack Pending Loukidelis Report

City council in Chilliwack, B.C., has suspended plans to enact a controversial bylaw that would require customers of hydroponic stores to provide photo ID and personal information that would be entered into an RCMP database. Mayor Clint Hames confirmed that the city will wait for a report from provincial Privacy Commissioner David Loukidelis before it decides what to do with the bylaw. Mr. Loukidelis said yesterday that he was pleased the municipality has responded to concerns about the bylaw. His report, which is scheduled to be released within a month, will examine the privacy implications of a growing number of bylaws enacted by B.C. municipalities that require certain businesses to obtain personal information from their customers. [Source]

BC – Privacy Watchdog Welcomes Decision to Abandon Costco Customer Info

The British Columbia government has decided not to press for the names and addresses of consumers who crossed the provincial boundary to shop at Costco in Alberta to avoid paying a B.C. sales tax. The B.C. privacy commissioner said he was pleased with the province’s decision. [Source] [Source] [Source]

AB – Pawnbrokers ‘Positive’ After Chat with Cops

Alberta pawnshop owners could finally reach a truce with police over collecting information on their customers. Following a meeting on Jan. 26 between members of the Edmonton Police Service and the Alberta Pawnbrokers and Second Hand Dealers Association, both parties said an understanding was reached over a new reporting law. [Source]

US – Consumer Reports: Electronic Medical Records Have Potential for Misuse

An investigation in the March 2006 issue of Consumer Reports magazine contends that a national system of Electronic Health Records (EHRs) being developed by the federal government, states, HMOs, and PPOs to link the medical records of every American has potential for abuse. Consumer Reports claims that while such electronic medical records systems could save lives and billions of dollars in health-care spending, it may also jeopardize the privacy and security of personal health care information. [Source]

WW – Corporations Have an Unsubscribe Problem

Can you trust a major corporation to keep your e-mail address out of spammers’ hands after you fill out the company’s unsubscribe form? Not always, according to a service that tracks what happens when addresses are submitted to unsubscribe mechanisms on the Web. A service called Lashback LLC has tested some 170,000 different “remove me” procedures that it’s found on the Internet. This small antispam firm says it’s already caught some big fish in its net. [Source]

ON – Interview with Ontario’s New CCIO

Ron McKerlie, who was appointed Ontario’s new corporate chief information and information technology officer at the end of October, came to the Ontario public service from Rogers Communications, where he was vice-president of e-business. McKerlie was recently interviewed about the move and the changes he plans to make... [Source]

WW – E-mail Charging Plan to Beat Spam

AOL and Yahoo plan to charge fees of up to one cent per message to those that sign up for the service. Paying the fees means that messages will not go through spam filters, are guaranteed to arrive and will bear a stamp of authenticity. [Source] [Anti-spam groups reject email payment plan] [Spamhous Hits Back at Paid-Delivery Plan] [Source] [Source] [Source] [Source] [Source]

UK – Tighten Up Smartcard Access to Protect Patient Data, Warn GPs

Whitehall officials are facing a series of new disclosures over the NHS IT programme as they try to rebuild confidence in the multibillion-pound scheme. They had to deal last week with criticisms over IT security and the lack of confidentiality of patient information, and with a failure of the data spine “backbone” after doctors were told the service was back to normal. It has also emerged that a planned reorganisation of the NHS by the government is likely to lead to significant changes in contracts and plans of the national programme for IT. Last week staff in GP surgeries were able to use their smartcards to read the personal details of patients who were not under their care. The central “Choose and Book” system imposed no block on how much information staff could see, whatever their roles. [Source]

EU – EU’s Data Protection Supervisor Outlines His Goals

Peter Hustinx, whose term expires in January 2009, says he has some goals that he hopes will be the hallmarks of his tenure. Hustinx said he hopes to see compliance with data protection principles regarded as a “natural element of good EU administration.” Hustinx also would like involvement on all issues that affect data protection. He also seeks to work closely with colleagues in member states. [Source]

UK – British ISP Blocks 35,000 Child Porn Requests Daily

British Telecom provides access to about one-third of Britain’s home-based Internet users. The company said the number of attempts to bypass its Cleanfeed screening technology to access child pornography has tripled in the last 18 months alone. [Source]

US – Equifax Promotes Hollywood Film Role

Equifax helped to shape the plot of the upcoming movie, “Firewall,” which features Harrison Ford as a bank security officer who learns from the credit reporting agency that his identity has been stolen. The company is using its role in the film to promote its credit monitoring service. [Source]

US – White House Wants States to Track Drugs

White House drug czar John Walters wants more states to track people who get multiple prescriptions of frequently abused drugs, a report this week said. The national anti-drug strategy Walters announced would prod 20 states and the District of Columbia to set up databases to track drugs such as OxyContin and Vicodin, USA Today reported. President George Bush’s proposed fiscal 2007 budget includes $9.9 million to help establish state drug registries, already adopted in 28 states. States likely to consider registries include Florida, Louisiana, Maryland, Minnesota, Missouri, New Jersey, New Hampshire, South Carolina, Vermont and Washington, said an aide to Walters. Critics expressed concern about patients’ privacy and medical care interference. [Source]

US – Confidential Patient Data Sent To Wrong Fax Number … for 15 Months

Confidential patient data related to more than 1,000 insurance claims have been faxed to the wrong company for 15 months – despite efforts to stop the sensitive faxes from reaching a Lockport, Manitoba-based distributor of herbal remedies. The medical records, which includes Social Security numbers, bank details and healthcare information, belongs to patients with Prudential Financial Inc.’s insurance group. The incident has caused some finger-pointing on liability, with Prudential arguing that it cannot be held liable for third parties that send the information to the wrong fax number. [Source] [Source]

US – Honeywell Blames ex-Employee in Data Leak

Honeywell International says a former employee has disclosed sensitive information relating to 19,000 of the company’s U.S. employees. Honeywell discovered the information being published on the Web on Jan. 20 and immediately had the Web site in question pulled down, said a company spokesman. In court filings dated Jan. 30, the company accused former employee Howard Nugent of Arizona of accessing the information on a Honeywell computer and then causing “the transmission of that information.” [Source]

US – Boston Hospital Releases Confidential Medical Records

Brigham and Women’s Hospital mistakenly has faxed confidential patient information to a Boston investment bank. The information on new mothers, including their Social Security numbers, birth dates and other sensitive health and personal information, was faxed to the bank, which repeatedly called the hospital to ask them to stop sending the information. The hospital said it is conducting an internal investigation, has rectified the mistake and plans to notify the affected patients. [Source]

US – Social Security Numbers Exposed On Mailing Labels

The Social Security numbers of more than 600 members of Blue Cross and Blue Shield of North Carolina were printed mistakenly on the labels affixed to envelopes used to send information on a new insurance plan. The company notified the affected members on Feb. 1. [Source] [Human Error Blamed]

US – FedEx Fixing Data Leak

FedEx Freight West officials were scrambling last week to recall W-2s sent to as many as 8,500 employees after learning that some of the forms also included other workers’ tax information. Up to 1,100 workers in the L.A.-Orange County area could be affected. The company learned about the problem Tuesday when employees started reporting that one segment of their W-2s included another worker’s W-2, including Social Security number, pay and tax information. The company is unsure how it happened, although it thinks its internal processing center, which was responsible for printing and mailing the W-2s, may have misaligned the forms so that they didn’t cut off at the right place. Davenport said it was unclear how many employees got someone else’s information. [Source]

EU – Hackers Access Greek Government Cell Phones

The Greek government announced that unknown eavesdroppers tapped the cell phones of Greek Prime Minister Costas Karamanlis, five cabinet members, and dozens of top officials for about a year. Illegal software installed at Greece’s second biggest mobile phone operator, Vodafone Greece, allowed calls to and from about 100 phones to be recorded. [Source] [Update: Ministers at odds over taps] [Update: Gov’t insists it ‘followed the rules’ in phone-tap affair]

US – Missouri AG Offers Online Complaint Forms for ID Theft, Other Consumer Fraud

Missouri Attorney General Jay Nixon is kicking off National Consumer Protection Week by offering consumers the option of filing complaints online. In the past six months, the AG’s Office has received nearly 300 ID theft complaints. [Source]

AU – Attorney General’s Identity System Now Live

The document verification service pilot project being conducted through the Attorney General’s Department went live yesterday as part of Government’s national identity security strategy. Attorney General Philip Ruddock told Parliament the pilot system would initially use 50,000 passport applications and citizenship applications. “The prototype DVS provides a mechanism for achieving rigorous identification and verification of identity documents and will be integral in the strengthening of proof-of-identity processes,” Mr Ruddock said. “When people present documents, officials will be able to check online the authenticity of that proof of identity document with the issuing agency.” He said while the number of agencies using the prototype system was limited, a full-scale system could potentially include a large number of federal, state and private sector organizations. [Source]

US – Two-factor Authentication Token Marketed Directly to Consumers

“Don’t wait for your bank to protect you.” That is the message of a new two-factor authentication token (USB smart card) called the ID Vault. The USB smart card will be sold direct to consumers for about $50 at major electronics retailers. The ID Vault authentication system is based on smart card technology, plugs into any Windows PC USB port, and works with thousands of financial institutions. ID Vault is easy to use and portable and can also be used with any non-financial web site that requires a sign-in, such as online newspapers, email, etc. [Source]

US – Victims May Not Know When Their SSN is Used to Support a Secret Life

A victim of SSN-only ID theft, a California woman spent years trying to find out the identity of an imposter who was using her Social Security number to obtain credit. Despite her efforts, the woman was unable to resolve the issue because the man was paying his bills on time and the use of her Social Security number had not adversely affected her credit. The woman was unable to find out any information about the man using her Social Security number because the bank told her it would violate his privacy. Experts say this type of ID theft is on the rise. [Source]

CA – Sony Hit with Another Canadian Class Action Lawsuit

Sony has been hit with another Canadian class action lawsuit. This suit claims that Sony delayed recalling CDs in Canada and that affected CDs are still available in stores. The claim focuses on privacy and consumer protection concerns. [Source]

WW – Survey Reveals Search Engine Policies

CNET News.com asked America Online, Google, Microsoft and Yahoo the same seven questions about what information the companies collect and keep about heir users. The companies also are queried about the requests for records they have received from civil lawyers and prosecutors. [Source]

US – ‘Car-Chase Capital’ Deploys New Weapon: GPS Gum Balls

The car chase capital of the world is going high-tech to end dangerous pursuits across Southern California. Police Chief William Bratton unveiled a strange new weapon in the police department’s strategy to halt high-speed pursuits – adhesive darts with a global positioning system that are fired at fleeing cars by police. Once fired from a patrol car, the GPS dart is designed to stick to a fleeing car, allowing squad cars to back off the chase. “Instead of us pushing them doing 70 or 80 miles an hour,” Bratton said, “this device allows us not to have to pursue after the car. It allows us to start vectoring where the car is.” [Source]

WW – Google’s New Desktop Search Raises New Privacy Concerns

Internet search giant Google, which raised eyebrows when it fought the Department of Justice’s attempts to monitor personal search queries, unveils a new desktop search tool that accesses more private records than ever – of those who choose to use it. Google Desktop 3, the latest version of software that helps users find files on personal computers, has a new feature that can track data from multiple PCs. [Source]

WW – Spyware is a Booming Business

According to the State of Spyware Report from webroot, 2005 was the biggest year yet for spyware. They have stated that with the rise in Data Breaches and the increase in the amount of sophistication they are using, this has resulted in record infection rates for the worst types of spyware. [Source]

EU – Stealth Keylogger Used in Bank Heist

Russians have reportedly used a keylogging virus to steal more than €1m from French bank accounts

A gang of Russians and Ukrainians have been arrested for allegedly stealing more than €1m (£700,000). The gang is accused of stealing from French bank accounts by installing a stealth keylogging program on users’ PCs. The Trojan would infect machines through email attachments or when users visited certain Web sites. [Source]

US – Proposed Bill Offers Code-Enforcement Officers Privacy Protection

Cities across Arizona are supporting a state bill that would block public access to code-enforcement officers’ home addresses and telephone numbers to protect them from disgruntled residents. The bill could be heard by the House as early as next week. It would give the nearly 500 code officers in Arizona the same protection state law gives peace officers, judges, justices, commissioners, public defenders and prosecutors. Code inspectors are on the front lines of neighborhood preservation, making sure homeowners comply with city codes aimed at keeping properties free of blight, such as overgrown weeds and grass, junk cars or litter. City officials say some residents are using public records to track down information on the code officers, showing up to their homes and confronting them and their families. There have been at least 12 such incidents in recent years. [Source]

US – Survey: 80% of U.S. Voters to Use E-Voting Equipment in 2006

According to a survey by Election Data Services, fewer U.S. voters will cast their ballots by punching a card or pulling a lever in this November’s elections as the country continues to turn to newer, electronic machines. The changes have created new controversies, especially with accusations that touch screen-style machines are vulnerable to manipulation. In response, 25 states have passed laws requiring election administrators to use machines that allow voters to verify their vote has been accurately counted, and that create paper receipts for a recount. [Source]

WW – Experts Suggest RFID Technology Surges Ahead Of Policy

As advocates of RFID technology try to bring acceptance to the practice of implanting chips in humans, some experts are concerned that the technology is advancing before policy on its use. Concerns continue to swirl around the technology over privacy and security safeguards as companies move to develop uses in medicine and travel identification. [Source]

WW – Experts Predict the Top Security Threats In 2006

At the Infosecurity Europe 2006 Press Conference a panel of speakers from MessageLabs, Centennial Software, (ISC)2, Black Spider, Juniper Networks and Insight Consulting debated the most dangerous security threats we can expect in 2006. Everyone agreed that mobile security issues, viruses and phishing are the top candidates for difficult situations that will cause a headache for security professionals this year. Internal security threats are coming together into the spotlight again. The immense challenge that organizations face when combating threats is education. It is the foundation on which the security architecture has to be built upon. [Source]

WW – Microsoft to Unveil Paid Security Service

A new security service from Microsoft Corp. will charge users $49.95 per year to better protect its Windows operating system from spyware, viruses and other Internet attacks. Called Windows OneCare Live, the subscription service will compete with security products made by traditional Microsoft partners, including Symantec Corp. and McAfee Inc. — although the software giant insists that its aim is not to run those companies out of business. [Source]

US – NIST Issues Guidelines for Removing Data from Storage Devices

The National Institute of Standards and Technology (NIST) has released draft guidelines for safely removing data from storage devices. Special Publication 800-88, “Guidelines for Media Sanitization” addresses three strategies for removing data from various storage devices: clearing, which can involve overwriting data or deleting data and performing a manufacturer’s hard reset; purging, which involves degaussing the storage device; and destroying the device. The report also addresses how to apply each of the strategies to different types of storage media. [Source] [Source]

AU – Australian ID Card a Costly Solution That Won’t Stop Terrorism

Introduction of a national ID card could cost the economy up to $15 billion, according to the latest estimates from the Australian Chamber of Commerce and Industry (ACCI). This cost, the ACCI said, would be largely borne by the business sector, over and above the estimated $750 per person it would cost to introduce the system. While experts admit the introduction of such a card will do little to stop terrorism, the federal government is moving ahead with an identity card inquiry. [Source]

SK – South Korea Smart ID Cards to Be Ready by 2008

Electronic residential registration cards with integrated circuit chips will make their debut in 2008. The microchip will contain personal certification for online banking purposes, ID number, health insurance and information on any disabilities. It will also be recognized when electronic voting goes on trial the same year. The Home Affairs Ministry said the existing card will be replaced for stronger privacy protection and prevention of counterfeiting. The new card will also function as an online ID. The card will display holders’ names in Korean and English, photo, date of birth, gender and when and where the card was issued, but sensitive identification numbers will be contained on the IC chip. [Source]

US – Some Innocent E-mail Intercepted, Gonzales Says

Agents operating a controversial National Security Agency (N.S.A.) surveillance program may have inadvertently spied on the e-mails and phone calls of Americans with no ties to terrorists, Attorney General Alberto Gonzales said. Gonzales stressed that the program is “narrowly focused” and that adequate steps are taken to protect privacy, though he said he was unable to describe such procedures because of the program’s classified nature. [Source] [Coverage] [Coverage] [Coverage] [Coverage]

US – Republican Who Oversees N.S.A. Calls for Wiretap Inquiry

A House Republican whose subcommittee oversees the National Security Agency broke ranks with the White House on Tuesday and called for a full Congressional inquiry into the Bush administration’s domestic eavesdropping program. The lawmaker, chairwoman of the House Intelligence Subcommittee on Technical and Tactical Intelligence, said that she had “serious concerns” about the surveillance program. By withholding information about its operations from many lawmakers, she said, the administration has deepened her apprehension about whom the agency is monitoring and why. [Source] See also: [U.S. Secret Court Judges Warned About NSA Data: Report] [Senate Chairman Eyes Bill to Get Wiretap Bid to Court] [Bush faces Republican revolt over spying] [Ex-President Carter: Eavesdropping Illegal]

US – Telecoms, Internet Companies Drawn Into Debate About Domestic Surveillance

CNET News.com queried companies about whether they cooperated in a once-secret National Security Agency’s program to spy on Americans without warrants. Under federal law, people or companies that help “intercept any wire, oral or electronic communication” could face criminal charges unless the interception was specifically authorized by law. Last week, the Electronic Frontier Foundation sued AT&T after a report indicated that the company had shared its customer records database with the NSA. [Source]

US – Net Surveillance Yields Few Suspects

Intelligence officers who eavesdropped on thousands of Americans in overseas calls under authority from President Bush have dismissed nearly all of them as potential suspects after hearing nothing pertinent to a terrorist threat. The Bush administration refuses to say how many Americans in the past four years have had their conversations recorded or their e-mails read by intelligence analysts without court authority. Knowledgeable sources placed that number in the thousands, with one saying about 5,000. [Source]

US – House Committee Gets Tough With Data Brokers

The House Committee on Energy and Commerce is using its investigative and subpoena powers against online data brokers. The committee sent demand letters to the companies seeking information on how they obtain the personal telephone records they sell online. [Source]

US – Websites That Offer Cell Phone Records Shutting Down

Following a wave of negative publicity and pressure from the government, several Web sites that peddled people’s private phone records are calling it quits. “We are no longer accepting new orders” was the announcement posted on two such sites, locatecell.com and celltolls.com. [Source] [Source]

US – U.S. Plans Massive Data Sweep

The U.S. government is developing a massive computer system that can collect huge amounts of data and, by linking far-flung information from blogs and e-mail to government records and intelligence reports, search for patterns of terrorist activity. The core of this effort is a little-known system called Analysis, Dissemination, Visualization, Insight, and Semantic Enhancement (ADVISE). Only a few public documents mention it. ADVISE is a research and development program within the Department of Homeland Security (DHS), part of its three-year-old “Threat and Vulnerability, Testing and Assessment” portfolio. The TVTA received nearly $50 million in federal funding this year. A major part of ADVISE involves data-mining - or “dataveillance,” as some call it. It means sifting through data to look for patterns. If a supermarket finds that customers who buy cider also tend to buy fresh-baked bread, it might group the two together. To prevent fraud, credit-card issuers use data-mining to look for patterns of suspicious activity. What sets ADVISE apart is its scope. It would collect a vast array of corporate and public online information - from financial records to CNN news stories - and cross-reference it against US intelligence and law-enforcement records. [Source]

US – DC DMV Violates Federal Privacy Law

Washington, DC ignores law designed to protect motorists from identity theft. Although Washington, DC routinely capitalizes on the strictest interpretation of its own traffic laws, the federal city has found itself in violation of a federal law intended to protect drivers from identity theft. Since December it has been illegal to display Social Security numbers on driver’s licenses, yet the District Department of Motor Vehicles continues to offer this as an option. Over 40% of the capital’s licenses are not in compliance and officials say it will take until 2011 to replace them all. The District will charge $7 to any of the 190,000 motorists who want a compliant license before its expiration. [Source]

US – Registered Traveler Program Criticized as Unsafe, Ineffective

The federal government’s planned launch this year of a Registered Traveler program at U.S. airports hasn’t shown it can help passengers save time, avoid security-related hassles or prevent terrorism, according to the airlines and security experts. The shortcomings of Registered Traveler, set to debut in June, are surfacing as counterterrorism efforts try to shore up the weak links in commercial aviation security. A Senate Commerce, Science and Transportation Committee hearing in Washington this week will focus on the slow progress in improving passenger screening and streamlining intelligence-sharing programs between government agencies. [Source] [Privacy Swapped for Convenience in TSA Frequent Flier Program]

US – PATRIOT Act to Blame for Frozen Account – Nuns Ruffled

The nuns of the Holy Name Monastery say they have been swept into the net cast by the nation’s antiterrorism laws. The sisters say the monastery’s main bank account was frozen without explanation in November, creating financial headaches and making the Benedictine nuns hopping mad. They were told the Patriot Act was the cause. [Source]

US – Bill to Freeze Credit Reports Fails

Attorney General Rob McKenna had pushed a bill that would allow anyone to freeze their credit. State law allows ID theft victims to freeze their credit, but the bill McKenna sponsored would have allowed anyone to freeze their credit. Opponents argued that the bill would cause more problems than it would solve, such as taking nearly two weeks to unfreeze a credit report. [Source]

US – Bill Would Force Web Sites to Delete Personal Info

A bill announced in Congress would require every Web site operator to delete information about visitors, including e-mail addresses, if the data is no longer required for a “legitimate” business purpose. The proposal, introduced this week by Rep. Ed Markey, seeks to impose a broad data-deletion requirement. It would apply to every U.S. Web site, even ones run by individuals, bloggers or nonprofit groups and charities. Markey said the measure would help stop identity theft. “This warehoused personal information about consumers’ Internet use should not be needlessly stored to await compromise by data thieves or fraudsters, or disclosure through judicial fishing expeditions,” said the Massachusetts Democrat. It’s not clear that Markey’s proposal, called the Eliminate Warehousing of Consumer Internet Data Act of 2006, would have much effect on attorneys seeking search terms through a subpoena. It defines personal information as including name, home address, e-mail address, telephone number, and so on--but it doesn’t explicitly include search terms or Internet addresses. [Source]

AU – Massive Rise in Bosses Spying on Employees

There has been a massive rise in the number of workplaces choosing to spy on their employees, according to unions. Bosses were using hidden cameras, microphones and tracking devices to keep an eye on their employees. The Australian Workers Union national secretary Bill Shorten claimed workplace spying was spiralling out of control. “We’re not slaves if we’re workers, we’re not owned by our employers,” Bill said. He claimed 60% of employers were using covert surveillance in the workplace. However, he said legally there was little workers could do. “The employer at the moment has an almost unfettered right to spy on anything the worker does at work,” Bill said. “Technology has changed so quickly, the poor old legislators and the politicians, they can’t keep up.” [Source]

--------