Privacy News Highlights
10–15 February 2006
Contents:
CA – University Of Ottawa Issues Privacy Warning to (Law) Students
CA – Canada Privacy Commissioner Denies Complaint on Port 25 Blocking
AB – Alberta Privacy Commissioner Rules Pharmacists Can Demand Personal Info
CA – Peter Cullen of Microsoft Pitches Privacy as a Valuable Customer Asset
WW – Online Dating Service Boosts Subscriptions With Privacy Tool
US – Verizon Wireless Sues Telemarketers
US – Lawsuit Challenges Law Against “Annoying” E-mail Messages
UK – U.K. Spam Watchdog Calls for More Powers
US – Patient Prescription Drug Records Going Digital
US – Health IT Privacy Efforts to Launch in April
US – Judge: Firm Not Negligent in Failure to Encrypt Data
GR – Communications Privacy Protection Authority Investigates Phone-Tapping Case
EU – EU Data Protection Supervisor Gives Opinion on VIS
FR – French Big Brother Awards 2006
WW – Ponemon Survey: Banks Among the Most Trusted in Nation
CA – Scaling the Firewall of Digital Censorship
US – Security Breach Prompts Bank of America to Cancel Cards
EU – Report: Worldwide Overview of Freedom of Information Laws
EU – Introduction to Openness and Access to Information
US – Utah House OKs Limits on Records Access
US – Bush Signs DNA Fingerprint Act of 2005 Into Law
UK – Innocent People’s DNA ‘Should be Kept on File’
CA – Health-Care Experts Call for Patient Record Check-up
UK – Government Sells Patient Data
US – Probe Continues in Debit Card Theft Case
UK – UK Votes for Compulsory ID Cards for UK Citizens Within Five Years
WW – Gates Unveils InfoCard: “We’ll Be Your Wallet, Again”
WW – SanDisk and VeriSign Partner to Extend Consumer Authentication Capabilities
WW – New Google Search Feature Allows Multi-PC Search, Invasion of Privacy
EU – European Commission Launches IPv6 Consultation
EU – EU Grapples With Freedom of the Press and Personal Privacy
US – Protesters Say Police Invading Privacy
US – Missouri Police Say Loosen HIPAA Patient Privacy Rules
US – New Firm Sells Vehicle-Tracking Devices
WW – Outsourcing Vendor Standards Released
US – FTC Plans Hearings on How to Address Online Risks, Hi-Tech Security
UK – Spyware Warriors Call for Action
US – Police Examining Social Websites in Numerous Crimes
JP – Court Rejects Privacy Lawsuit Challenging National Resident Registry
US – Stanford University Signs R&D Pact for Data Privacy
US – Nigerian National Sentenced To 10 Years In ChoicePoint ID Theft Case
WW – IBM and the Future of Privacy
WW – Verichip RFID Implant Chips Cloned
US – Workers Have RFID Chips Implanted for Access Control
AU – Australian Minister Provides Details of e-Passport
US – Gates, McNealy: Simplify Security
WW – Smart Cards to Tighten Security on Internet Sales
CH – New ID Card Ensures Privacy in Shenzhen
US – Congressional Probe of NSA Spying Is in Doubt
US – EPIC Seeks Spy Documents in Federal Court
US – Federal Budget Pumps Money Into Surveillance Projects
JP – Privacy Law Hampering Cancer Research
US – Feingold, Kennedy Ask AT&T and Others if They’re in Bed with NSA
US – FCC Grants EPIC Petition on Protecting Telephone Records
US – Phone Privacy Bid May Fail, Firms Warn
WW – How Secure is VoIP, Skype?
US – Secure Flight Placed on Standby
US – Report: 325,000 Names on U.S. Terror Suspect List
US – Patriot Act Compromise Clears Way for U.S. Senate Vote
US – Arizona Senate Rejects ID Theft Bill
US – Colorado Lawmakers Seek Passage of ID Theft Law
The University of Ottawa is
concerned that the Law School admission test administered by a U.S. company that
requires students to provide a thumbprint before taking the exam is violating
the test-takers’ privacy. The legal experts are concerned that the USA Patriot
Act could lead to the release of the personal information collected by the
company that administers the Law School Admission Test. [Source]
Peter Cullen, Microsoft’s
Chief Privacy Strategist, spoke in
A new report by Jupiter
Research has found that fewer people are subscribing to online dating
services, but Private Date
Finders is bucking that trend with proprietary technology that responds to
needs identified from research showing that 35% of people using dating sites are
married or in a relationship. Many of those people were reluctant to pay for
subscriptions because they feared being caught – either because they were in a
relationship or because they browse on work time. The site uses a proprietary
service called EverPrivate. A Web-based anonymous browser and a Web-based eraser
promise to erase all traces of user activity, including: cookies, cache,
history, temporary Internet files and transactions without installation or
downloads. The site also provides private log-ins and a “virtual” MasterCard, a
Debit card issued online and replenished at retail stores. [Source]
Verizon Wireless has sued two
telemarketing firms that allegedly used autodialers and prerecorded messages
that directed wireless customers to call a toll-free number to claim their
prize. The suits allege that the companies violated the federal Telephone
Consumer Protection Act, as well as state fraud and privacy laws. [Source]
A new law targeting “annoying”
e-mail messages and Web posts is being challenged in federal court. The
plaintiff, a Web site that lets people send anonymous e-mail for a fee, said the
suit was necessary because the law is so broad it makes providing the service a
crime. [Source]
According to reports in the
Doctors in some
The privacy element of the Health and Human Services
Department’s health IT efforts will launch in late April with the award of
contracts to study the variations in state privacy and security policies and
regulations that may hinder electronic exchange of information. The Research
Triangle Institute International of Durham, N.C., which is leading HHS’ privacy
effort under a contract it won in October, will announce
subcontracts to organizations in up to 40 states April 28 designed to identify barriers
to electronic exchange of medical information. [Source]
A federal court has thrown out
a lawsuit that accused a student-loan provider of negligence in failing to
encrypt a customer database that was subsequently stolen. A customer of Brazos
Higher Education Service, sued the corporation on the grounds that encryption
should be used as a routine security precaution. But a U.S. District Judge in
Vodafone managing director
Giorgos Koronias and other company officials testified before the Greek
Communications Privacy Protection Authority on the mobile phone-tapping case.
Over 100 phone numbers of Greek Government officials were illegally wiretapped
for 11 months, during and after the 2004 Olympic games. The illegal wiretaps
were discovered in March 2005 during a routine check at Vodafone, one of the
main mobile providers in
Peter Hustinx, the European
Data Protection Supervisor has issued an opinion
on the proposal for a Council decision on access to the
· The conditions for access must be read cumulatively and access should only be
granted if it would 'substantially' contribute in a specific case;
· Equivalent data protection must be granted if an authority of a member state
that does not apply the
· The 'purpose of travel' and the photograph of the visa holder or applicant
should only be made available as supplementary information;
· Data protection requirements should be supervised in a coordinated way and
self-auditing provisions should be introduced. [Source]
[Opinion]
The 6th French Big Brother Awards took place on 3 February. The Orwell Award
for a State official went to the Director of the Electronically Secured
National Identity card project (the card will include two biometric identifiers
on an RFID chip), which created a direct link to the Ministry of Interior
Affairs, ignoring the separation between population statistics and police
administration. The local Orwell Award went to a college director who enforced a
rule requiring the fingerprints of all students, put student grades online, and
implemented an SMS system to inform students they were late for classes. The
lifetime achievement award was unanimously given to minister Nicolas Sarkozy for
having created an environment of fear, for having weakened the power of the
judiciary while increasing that of the police, for having violated the
information law and freedom with the spam for the UMP, for having extended
video-surveillance, cyber-surveillance and police access to administrative files
with his third anti-terrorist law, for calling for the expulsion of people with
no papers, including minors, and for having encouraged fear of the police
forces. [Press Release Big Brother Awards France]
For the 4th year
straight, California-based Ponemon Institute surveyed more than 7,700 people in
a study, which came out last week and found that out of the 25 largest
A University of
Toronto-designed computer program, called Psiphon, is preparing to break through
what activists call the great firewall of
A security breach involving an
undisclosed company has prompted Bank of America to cancel the debit cards of
numerous customers, a spokesman for the country’s largest bank said. Bank of
America refused to release the name of the company involved, the exact number of
customers affected or whether the company in question was online or a
traditional brick-and-mortar establishment. [Source]
Roger Vleugels, an independent
Netherlands-based legal consultant, with help from the Freedom of Information
Advocates Network (FOIA Network), has published a very comprehensive
overview of the situation of freedom of information laws all over the world.
The document offers a complete image of the adoption of FOI laws in the world
and is structured into 5 lists of countries. [Source]
The Danish Human Rights
Institute has launched in cooperation with a number of national and
international partners a new Handbook: Introduction to Openness and Access to
Information. The Handbook elaborates on four different areas of access to
information: the public administration, Ombudsman and National Human Rights
Institutions, the judiciary and NGOs. The book is meant to serve as a basis for
debate and dialogue and as background material for training and education. [Handbook]
Utah House members approved
legislation that would limit public access to Utahns’ addresses and phone
numbers on government documents – unless the record is classified as public,
such as voter registration forms. It also would allow government records
managers to refuse to compile or format records for the public and let them send
requestors elsewhere to get information. Sponsors insist the bill is meant to
keep government efficient and to protect the public’s right to privacy. Critics
are worried the bill would give government workers the excuse they need to turn
records requests away. [Source]
The DNA
Fingerprint Act of 2005 was signed by President Bush into law on January 5,
2006. The legislation expands federal DNA collection efforts to
include some legal and illegal immigrants, and allows states to contribute DNA
collected for any reason listed under state laws to the federal DNA database. See also the summary here. This post discusses (1) how the media
missed this issue, (2) related state and international developments, (3) the
large role individual states’ policies will have on deciding just how ‘invasive’
this database is, and (4) some current ‘DNA criminology’ shortcomings that this
bill may make even worse. [Source]
A Scottish MSP said that the
DNA of innocent people should be kept on a police database, and has tabled an
amendment to legislation in the Scottish Parliament this week to give additional
powers to the police. The MSP wants to replicate what already happens in
A B.C.-based physician and IT
consultant is calling on the vendor community and the health-care industry in
general to put the patient at the centre of e-health record development. Dr.
Jonathan Burns, an emergency physician at
The
An investigation into
thousands of compromised debit cards appears to involve two of the largest
retailers in the
More than a dozen U.S. IT
companies, such as EDS Corp., Iridian Technologies Inc. and Unisys Corp., are
interested in bidding on the
Bill Gates has shown off new
software aimed at being a virtual wallet to store information, picking up where
its Passport service left off. As part of that effort, the virtual personal
information wallet, code-named “InfoCard,” would allow consumers to manage their
identities online. It seeks to provide better security by reducing reliance on
usernames and passwords which are often the target of computer criminals.
Microsoft first offered identification and authentication with its Passport
service, but that technology failed to win wide acceptance because consumers did
not embrace the idea of having the software maker manage their information.
Microsoft said because InfoCard would run isolated from other programs on the
desktop, it would be harder for hackers to install malicious software on the
system. [Source]
VeriSign, a provider of
intelligent infrastructure services for Internet and telecommunications
networks, and SanDisk Corp. have announced a strategic partnership that calls
for the two companies to collaborate on providing a “non-intrusive”, “easy to
use” solution to protect consumers against online identity theft. SanDisk will
embed VeriSign Identity Protection (VIP) Service capability and Open
Authentication (OATH) compliant One-Time-Password (OTP) algorithms into their
main suite of USB flash device products. The combination will enable
consumer-friendly two-factor authentication for end users who purchase SanDisk
mass-storage devices at retail outlets and then use them at VIP-enabled web
sites. With VeriSign Identity Protection (VIP), the same authentication device
will work across any network member sites, leveraging a shared infrastructure
and enabling everyday devices in consumer hands to become authentication
devices. [Source]
Google is offering a new tool
that will automatically transfer information from one personal computer to
another. However, anyone wanting that convenience must authorize the Internet
search leader to store the material for up to 30 days. The company says it will
not peruse any of the transferred information. [Source]
Update: The EFF is warning consumers about a new feature in Google Desktop 3
that allows people to search for documents across multiple computers, saying it
poses privacy risks and should not be used. The threat is underscored by the
recent Justice Department request to Google, Microsoft, Yahoo and America Online
for random Web search records. [Source]
The current generation of the
internet will “run out of space” because of its lack of addresses. IPv6 – the
sixth version of the Internet Protocol – will provide a wider range of addresses
and services, underpinning the convergence process between fixed and mobile, as
well as between data, voice and video. With IPv6, addresses can be assigned to a
new breed of internet-capable devices – mobile phones, car navigation systems,
home appliances, industrial equipment and much more. All of these devices can be
linked together, constantly communicating wirelessly. The first IPv6 deployments
are happening in
The EU is having difficulty
sorting out which law and jurisdiction should handle disputes arising from media
coverage that generates claims of privacy invasions. The EU Commission has
suggested that cases be heard where the person claimed that harm resulted from
damage to his or her reputation, but media companies oppose that approach
because they would then have to recognize privacy laws in all EU countries.
Uncertainty will remain until a compromise can be reached. [Source]
The police videotaped the
protesters. The protesters photographed the police. During a protest last week
of what participants called the Greensboro Police Department’s “domestic
spying,” it almost seemed that everyone was watching – and filming – everyone
else. The event followed the arrest of seven protesters last week at a rally
demanding that President Bush step down. The arrests took place after a
confrontation with a plainclothes detective who was videotaping license plates
near where protesters had gathered. This week’s rally was designed as both a
show of support for those who were arrested and a protest of the department’s
videotaping tactic. Some protesters said the practice amounts to intimidation
and serves to dampen free speech. [Source]
When
A
A consortium of financial
institutions and auditors has released “standards for assessing the security
practices of outsourcing vendors that work with financial services firms.” The
standards were created with the goal of having consistent expectations for
“evaluating the controls that outsourcing vendors use to protect sensitive
data.” The standards, dubbed the Financial Institution Shared Assessments
Program, were tested on five vendors before being released. [Source]
[Source]
The Internet industry needs to
create “self-regulatory regimes” and come up with new technologies to battle
online dangers such as spyware, said the chairwoman of the U.S. Federal Trade
Commission, who also called for “appropriate” law enforcement actions and better
consumer education efforts to deal with online risks. [Source]
[Source]
[Source]
Computer users whose machines
have been hijacked by potentially dangerous software are being asked to add
their tales of woe to an online campaign. Security experts say that growing
numbers are being conned into paying for fake anti-spyware programs. Now
grassroots online security activists in the
Police across the country are
examining social websites, including 55-million-member MySpace, in
investigations of crimes ranging from statutory rape and molestation to murder.
Their concern: Teens who have been warned all their lives to beware of strangers
online are now regularly posting their cellphone numbers, school names and other
personal information, as well as sexy pictures of themselves, on these sites.
[Source]
The Osaka District Court has
rejected the arguments of 153 residents who claimed that the Juki Net national
resident registry network violates their privacy. The plaintiffs wanted their
personal information removed from the controversial database, which went online
in August 2003, and compensation from the government and other parties. Opponents
also have argued that the system’s security is inadequate. [Source]
A 42-year-old man who pleaded
guilty to ID theft charges related to consumer data taken from ChoicePoint Inc.
faces a 10-year prison sentence. The judge also ordered the man to pay $6.5
million in restitution. Prosecutors allege that the man created a fake business
to set up a ChoicePoint account. [Source]
IBM Investor Relations offers
an audio series entitled “IBM and the Future of...” on key business and
technology topics that reflect thought leaders’ visions. The current topic deals
with the future of privacy: 19-min audio interview with Harriet Pearson, IBM
Chief Privacy Officer and Jeff Jonas, Distinguished IBM Engineer and Chief
Scientist for IBM Entity Analytics Solutions. [Source]
Programmer Jonathan Westhues
has recently proved that the Verichip implantable RFID chip can be easily
copied. Anybody capable of purchasing off the shelf electronics equipment and
reading the description below can now impersonate the bearer of the chip and
gain access to their medical records, among other things. As Verichip has
marketed their chip as a means of managing access control to buildings and
medical records, this represents a significant threat to the bearers’ privacy
and security. [Source] [Source]
RFID chips were embedded this
week into two workers who volunteered to help test the tagging technology at a
surveillance equipment company. Implanting them in the workers at
CityWatcher.com is believed to be the first use of the technology in living
humans in the
Information about the
implementation of chips in Australian ePassports has recently been provided by
the Australian Minister for Foreign Affairs. It addresses concerns about
whether chips emit a random or fixed UID and whether in fact any chip
manufacturers implement random UIDs. The Minister has stated that the chip
in the ePassport emits a random UID and that the UID does not contain any data
that might allow identification of the issuing authority (the Australian
Government) or that the chip is in an ePassport. Obviously that information
only applies to the Australian ePassport
- the
Software companies must make
it easier for everyone to use the security features in software, Microsoft’s
founder and chief software architect said this week at the RSA Conference 2006.
“If there’s an area where we absolutely have to do better, it’s this,” said
Gates. The current situation for users, IT managers and software developers is
too complex, he said. Security must be something that users can trust companies
to provide. Software providers must make it easier for IT professionals to
manage security enterprisewide and for software developers to write secure code.
“If we don’t do this right, we won’t get the result we need,” Gates said.
Simplifying security is part of Microsoft’s strategy to increase the public’s
trust in computing, Gates said. Another element is selling fundamentally secure
products that are built from the outset with security in mind. [Source] [McNealy
to tech firms: Clean up your security act] [Panel
Assesses ‘State Of Security’ During Conference]
Web companies including eBay
and Yahoo have joined a new initiative to reduce Internet fraud. Under the
plans, millions of Internet users will be sent battery-operated “smart cards”
which generate ever-changing PIN numbers. Users will have to enter the current
PIN number before a transaction is authorized. Motorola will incorporate the
technology into its mobile handsets, allowing payments to be made by phone.
VeriSign, which is setting up the scheme, says it gives online customers an
extra layer of protection. It is expected to roll out later this year.
[Source]
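Both the SanDisk/VeriSign item above and this smart-card scheme rest on OATH one-time passwords: the token holds a shared secret and a counter, and each button press yields a fresh code that the site checks against its own copy. The following is an added example, not code from VeriSign, SanDisk, eBay or Yahoo. It implements the OATH HOTP algorithm as published in RFC 4226 and a minimal server-side verifier; the `HotpVerifier` class, the look-ahead window of five and the constructed demo secret are assumptions made for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """OATH HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` decimals."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one token (hypothetical helper, not an OATH API).

    The site keeps the shared secret and the next counter value it expects.
    Because a user may press the token without submitting the code, the
    verifier accepts any of the next `look_ahead` counters and then resyncs
    past the one that matched, so a captured code can never be replayed."""

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6):
        self.secret = secret
        self.counter = 0          # next counter the server expects
        self.look_ahead = look_ahead
        self.digits = digits

    def verify(self, submitted: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            expected = hotp(self.secret, c, self.digits)
            # constant-time compare so timing does not leak which digits matched
            if hmac.compare_digest(expected, submitted):
                self.counter = c + 1   # resync: this and earlier codes are now dead
                return True
        return False


# Constructed demo secret: the RFC 4226 test-vector seed, not a real credential.
DEMO_SECRET = b"12345678901234567890"


def demo() -> list:
    """Walk through a token and a verifier; returns the accept/reject sequence."""
    verifier = HotpVerifier(DEMO_SECRET)
    first = hotp(DEMO_SECRET, 0)            # user presses the token once
    skipped = hotp(DEMO_SECRET, 1)          # pressed again but never submitted
    third = hotp(DEMO_SECRET, 2)
    results = [
        verifier.verify(first),     # True: matches counter 0
        verifier.verify(first),     # False: replay of an already-used code
        verifier.verify(third),     # True: counter 2 is inside the look-ahead window
        verifier.verify(skipped),   # False: counter 1 is now behind the server
    ]
    return results


if __name__ == "__main__":
    for c in range(3):
        print(f"counter {c}: {hotp(DEMO_SECRET, c)}")
    print(demo())
```

The first three codes printed for the demo secret are the RFC 4226 test vectors (755224, 287082, 359152), which is the quickest way to check an HOTP implementation against the standard. The verifier is the part the passages gloss over: replay protection comes entirely from the server advancing its counter, so an implementation that validates a code without updating state gives no more protection than a static password.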
According to the Shenzhen
public security bureau, their next-generation ID card cannot be duplicated, and
decrypting its contents could take 10 million years. Such security ensures
against misuse of the cardholder’s information, even if the ID card is lost. The
new ID card, first launched in Shenzhen in early 2004, has adopted many new
technologies. It shows the citizen’s identification information on the card,
with the same information stored in an embedded chip. The embedded information
can only be read on a special card reader. So far many organizations in Shenzhen
have installed these readers, including the labor and social security bureau,
banks, telecom operators, customs, and the airport. [Source]
Congress appeared ready to
launch an investigation into the Bush administration’s warrantless domestic
surveillance program last week, but an all-out White House lobbying campaign has
dramatically slowed the effort and may kill it. The Senate intelligence
committee was scheduled to vote on a Democratic-sponsored motion to start an
inquiry into the recently revealed program in which the National Security Agency
eavesdrops on an undisclosed number of phone calls and e-mails involving
This week, the Senate
Judiciary Committee heard a full day of testimony from Attorney General Alberto
Gonzales on the NSA’s warrantless surveillance program. The A-G reiterated
earlier Administration arguments about the purported legality of the program,
but would not discuss operational details. Despite repeated requests, the
Administration has refused to provide Congress or the public with legal opinions
or other documents concerning the controversial program. The House Judiciary
Committee is scheduled to vote on resolutions that would direct the A-G to turn
over materials related to the program to the House of Representatives. [Source] [Source] [Source] [Source] [Source]
President Bush’s proposed
$2.77 trillion budget for FY2007 increases spending on surveillance projects
while making substantial cuts in education, housing, and farm programs. The
Department of Homeland Security has requested $42.7 billion, a 6% increase from
last year. Of this, the US-VISIT border program would receive $399.5 million, an
increase of $62.9 million. Most of the increase will go toward the expansion of
US-VISIT’s fingerprint system; it will now capture all 10 fingerprints instead
of two. DHS’s budget request also includes $3.96 million for the Office of
Screening Coordination and Operations. This amount is significantly lower than
its $847 million request last year, reflecting the decision not to combine eight
different screening programs under the office, instead funding each program
separately. The current budget request states that the money will be used to set
common standards for government screening as well as for Registered Traveler
screening programs run by private companies. Participants in the programs must
provide iris scans and fingerprints and pass a background check by the
Transportation Security Administration. It is unknown what percentage of TSA’s
$6.3 billion request would pay for these background checks, which each cost $30
to $50. EPIC’s Oct 2005 Spotlight on Surveillance report found that Registered
Traveler had significant security and privacy problems. [Source] [Source] [Source] [Source]
The Japanese regional cancer
registration system has hit a roadblock as medical institutions refuse to
provide information to local governments as they stick to the letter of the
privacy law. The Health, Labor and Welfare Ministry has told medical
institutions the Personal Information
Protection Law did not apply to the regional cancer registration system.
However, 10 of the 35 prefectures and major cities that introduced the system
said medical institutions had refused to provide the cancer patients’ personal
data. [Source]
U.S. communications carriers face increasing scrutiny over their role in the
NSA wiretap scandal. [The letter the two senators sent to AT&T, Sprint Nextel,
and Verizon] [Wall Street Journal: More Surveillance Puts Strain on Carriers:
Third Parties Help Telecom, Internet Firms Fill Law Enforcement’s Increasing
Data Requests] [A survey of telecommunications and Internet firms about NSA
participation]
On Feb. 10, the Federal
Communications Commission announced a formal rulemaking to create rules
strengthening the security of consumers’ phone records. This action grants
EPIC’s August 2005 petition, which was filed out of concerns that consumer
records were too easily being acquired and sold online. Data brokers are thought
to obtain the information either by taking advantage of lax authentication
methods (otherwise known as “pretexting”) or by bribing insiders for
information. [Source]
[Source] [Source]
Telephone companies said a
federal move to tighten safeguards over customers’ cell phone records may
backfire if it imposes rigid requirements on corporations such as Cingular
Wireless LLC and Verizon Wireless. The FCC chairman has said the agency doesn’t
know how many records have been exposed. There are 203 million
Like e-mail, calls via
Internet can be hacked, spammed, saved on servers. The allure of Internet phone
calling is understandable – dirt-cheap calls to anywhere in the world, sound
quality that’s at times superior to the traditional land-line and the ability to
take your phone number with you when you travel. But, buyer beware. These calls
are just like any other form of digital communication, like e-mail, which can be
hacked, spammed and saved on servers. While Internet calling programs from Skype
and Vonage to Google and Yahoo are getting more and more popular, security
experts warn that they’re not as secure as your traditional land-line. [Source]
TSA chief Kip Hawley told the
Senate Commerce Committee that Secure Flight has been suspended for a
comprehensive review of the program’s information security measures. After
nearly four years and $150 million, TSA had approved Secure Flight to become
operational in September, despite inconclusive risk assessments and 144 known
security vulnerabilities. The Secure Flight program was introduced as a successor
to the now-abandoned second generation Computer Assisted Passenger Prescreening
System (CAPPS II). Many of the problems with CAPPS II that led to its demise
continued to plague Secure Flight in its test phase, notably problems with
checking the names of all airline passengers against government terrorist watch
lists. The controversial program has been criticized during its development by
civil libertarians, privacy advocates and government auditors who took the TSA
to task for secretly obtaining personal information about airline passengers.
There is no deadline for the completion of the current (internal) audit. [Source] [GAO Report on Secure Flight]
[Source]
[Source]
[Source]
[Source]
A government database of
alleged international terrorism suspects or associates includes 325,000 names,
four times more than when the central list was created in 2003, The Washington
Post reported this week, citing counterterrorism officials. The list maintained
by the
Efforts to extend the USA
Patriot Act cleared a major hurdle when the White House and key senators agreed
to revisions that are virtually certain to secure Senate passage and likely to
win House approval. Several Democrats said the compromise announced lacks
important civil liberties safeguards, and even the Republican negotiators said
they had to yield to the administration on several points. [Source]
Arizona Law enforcement
officials are backing a bill that called for mandatory jail time for defendants
convicted of ID theft. The Senate rejected the measure despite pleas by the
bill’s sponsor, who noted that the FTC has identified
A House Republican and
Democrat have teamed up to introduce legislation that would make it illegal in