US – DHS Chief Eyes ID Cards with Biometric Data

Homeland Security Secretary Chertoff said this week that he intends to spend money to develop technology that will allow identification cards to serve several purposes, but stopped short of advocating a national identification card. Chertoff told reporters at a media briefing that he believes it is critical to develop a technological platform for ID cards that is efficient and versatile. He said the department ought to be working toward the creation of a single, secure card embedded with biometric information and capable of working across jurisdictions. Chertoff said a multi-functional ID card could satisfy the conditions and simultaneously serve other security initiatives, such as the Registered Traveler program for moving pre-approved airline passengers through screening more quickly. [Source]

US – Passport of the Future to Be Tested in San Francisco

This week the U.S. Department of Homeland Security (DHS) began live testing at the San Francisco International Airport of the ePassport, which is a passport with an embedded microchip containing biometric identifiers of its owner. This marks the first occasion that citizens will act as participants in ePassport testing, but the second time overall that the U.S. has tested the technology. The first testing phase for the ePassport, conducted as a “blind” test of three different ePassport readers, was designed to support efforts to develop and implement passport compliance, and was limited to select airline crew members. This next round of assessments will be a collaborative three-month trial run by US-VISIT, a DHS program, and will examine the operational impact of Basic Access Control (BAC) software in ePassport readers. BAC is an integrated security feature intended to prevent unauthorized reading of passport information. [Source]

ON – Ontario Improves Driver’s Licence Security

The McGuinty government has announced that it is strengthening the security of Ontario driver’s licences by limiting the types of personal identity documents that can be used to apply for a licence. This enhancement fulfills a recommendation of the Auditor General of Ontario whose 2005 report suggested limiting the number of identification documents accepted by the ministry. As of January 23, 2006, personal identification documents must be valid when presented before getting a driver’s licence. Acceptable identification documents include: • Passport (Canadian or Foreign) • Canadian Citizenship Card with photo • Permanent immigration documents • Temporary immigration documents • Birth Certificate (Canadian and US) • Canadian Certificate of Indian Status • Driver’s Licence (Canadian and US) •. Identity Card (Canadian and US, valid) Government issued or Student Card • Ontario Health Card (if voluntarily presented) • Marriage Certificate (Canadian or Foreign) Government issued • Change of Name Certificate • Court Order • Sworn Affidavit with supporting documents to be accompanied with appropriate immigration documents (e.g. certified copies of school records, employment records) [Source]

CA – CIPPIC Challenges Privacy Commissioner Decision

In December, 2005, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) filed an application for judicial review in the Federal Court of Canada challenging the Privacy Commissioner’s determination that she lacks jurisdiction to investigate a U.S.-based data-broker. [Source] [Application] [OPC letter on Juridiction]

CA – Nova Scotia A-G Worried Information Could Fall into Wrong Hands

Nova Scotia Auditor General Roy Salmon is worried Nova Scotians' privacy may be jeopardized by the U.S. Patriot Act. Mr. Salmon, who tabled his 2005 report in the legislature this week, is concerned everything from patient information to a person's income and marital status could be accessed by the American government. Mr. Salmon said Justice Minister Michael Baker received a report assessing the risks to privacy from the Patriot Act but would only give the auditor general's office a heavily edited version. Mr. Baker said the excluded sections contained legal advice obtained by the province. The minister said as a result of that advice, his government plans to introduce legislation in the spring session of the House dealing with privacy and the Patriot Act. [Source]

CA – B.C. Government Wants Names of Alberta-Shopping Costco

Costco is fighting a request from the B.C. government to turn over the names of all its B.C. members who have avoided sales tax by shopping at its Alberta stores. [Source]

WW – Apples ITunes Raises Privacy Concerns

A new version of Apple Computer’s popular iTunes software is drawing criticism from privacy advocates for sending information about computer users’ playlists back to Apple. The new music software includes a “MiniStore” window, which provides recommended links to Apple’s music download service when a listener actively clicks on a song in their personal playlist, including songs that have not been purchased from the iTunes store. [Source] Follow-up: Apple Denies Retaining Info About Music Libraries: Apple has responded to a small uproar over privacy concerns regarding its latest version of iTunes, announcing that it does not keep information about a person's purchases. The company also offered a way to turn off the new MiniStore feature, which tracks the music and video individuals listen to and watch, and offers suggestions that may match a person's tastes. [Source]

WW – Study: Email Accounts at Risk

A study shows half of all Australian e-mail account users do not adopt appropriate password security and could be at risk of “user identity theft”. The findings come from a survey of about 900 university students, which revealed little concern for password security. [Source]

US – U.S. Bans Anonymous Annoying E-Mails

President Bush last week approved a new law that creates a federal offence out of sending an anonymous email or posting anonymous comments with the intention of annoying the recipient. It carries a maximum punishment of two years in prison and a fine. [Source]

WW – Study: Consumers Increasingly Hitting “This Is Spam” Button

Rather than unsubscribing from the lists of e-mailers from whom they no longer want to hear, consumers say they have dramatically increased their use of the “this is spam” button, according to a recent survey. Almost 34% of consumers in a postholiday survey said they dealt with increased volume in their inboxes by reporting e-mail they no longer want as spam to their Internet service providers. This is up from 23.4% the previous year. “This is not good news for marketers,” said the survey sponsor. “It’s really easy to report somebody as junk or spam, so the bar is higher for marketers to be really relevant.” Being reported as spam increases the likelihood that a company’s e-mail will be filtered, whether it is permission-based or not. Seven complaints per 1,000 e-mails can get a sender blocked from AOL’s servers. [Source]

CA – Standard Introduced to Establish Electronic Records as Evidence

After more than three years of development, the Canadian General Standards Board Thursday released a standard that outlines how to ensure records generated from electronic information systems are reliable, authentic and trustworthy. The CGSB standard on electronic records as documentary evidence was created to help public and private organizations maximize the admissibility of electronic documents in a courtroom setting. To guide companies, the standard outlines policies, procedures, practices and documentation required to establish the integrity and authenticity of electronic records. [Source]

US – OMB to Enforce Records Management

U.S. Federal officials have expanded the federal enterprise architecture program by adding a large-scale records management initiative. Their aim is to harmonize records management practices agencywide and governmentwide. Officials intend for the enterprise architecture program to prescribe standard practices for handling federal records. Officials released a records management profile last month. Profiles combine guidance and best practices in a basic methodology that agencies can use. [Source]

WW – Anonymity on a Disk

To many privacy geeks, it’s the holy grail -- a totally anonymous and secure computer so easy to use you can hand it to your grandmother and send her off on her own to the local Starbucks. That was the guiding principle for the members of kaos.theory security research when they set out to put a secure crypto-heavy operating systems on a bootable CD: a disk that would offer the masses the same level of privacy available to security professionals, but with an easy user interface. [Source]

US – Studies: Teens’ Use of Text Messages Up Sharply

In June 2005, wireless users sent 7.3 billion text messages - that’s up 154% from June 2004, according to a survey by the Cellular Telecommunications & Internet Association. As for teenagers, 64% of teens who own a cell phone have sent a text message, according to the Pew Internet and American Life Project. Many parents of teenagers underestimate the need for a plan that includes text messaging, which can make opening the monthly cell phone bill a jaw-dropping experience. [Source]

CA – Business Use of Instant-Messaging Tools Gain Popularity

By the end of 2006, more than half of Canadian businesses will be using instant-messaging tools to remain competitive, a market-research company says. Instant messaging, which has a history of being primarily a tool for teens, is becoming more attractive to businesses, which are growing aware of the limitations of e-mail, says a study by IDC Canada released last week. Businesses, the study says, can no longer afford to have staff wait for e-mail responses, or sift through replies to the same question from many people. [Source]

US – Texas Law Requires Retailers to Conceal Most of Credit, Debit Card Numbers

A new Texas law intended to combat ID theft took effect Dec. 31 that requires retailers to print no more than the last four numbers of a debit or credit card. The attorney general’s office has urged consumers with receipts dated after Dec. 31 that do not comply with the new law to file consumer complaints. The law carries a civil penalty of up to $500 for each calendar month of violations. [Source]

UK – Appraising the Freedom of Information Act, One Year On

The Freedom of Information Act came into force 12 months ago and most public authorities say it is helping to create a culture of greater openness. But the Act’s regulator has had over 2,300 complaints about the public sector improperly refusing to release information. According to the Information Commissioner’s Office, over 1,000 of these complaints have been resolved either by negotiation, informal resolution or by formal decision notice. Only 135 such notices have been issued so far. [Source]

CA – P.E.I. Government Announces Partnership to Develop Electronic Health Record

The Department of Health has signed a contract with Cerner Corporation to develop and implement a Clinical Information System, paving the way for the development of an Electronic Health Record (EHR) on P.E.I. The EHR will allow health care providers in P.E.I. hospitals and family health centers to have electronic access to a patient’s complete medical record including information such as medical test results and medication history. The EHR project is funded by Canada Health Infoway and six Island hospital foundations. [Press Release]

UK – Life-Saving Research Is Blocked by Overzealous Data Privacy

Tens of thousands of Britons are dying needlessly each year because red tape is denying researchers access to essential patient data, senior medical scientists said this week. Overzealous interpretation of data protection laws is blocking critical studies into conditions such as cancer, stroke and diabetes, a report from the Academy of Medical Sciences (AMS) has found. The academy said that excessive regulation not required by law was making it impossible to conduct the large studies involving tens of thousands of people that were necessary to investigate the causes and treatment of many diseases. The restrictions had become so severe that groundbreaking research such as the studies that linked smoking to lung cancer could not have been carried out under the present climate. [Source] [Source] [Source]

US – 50,000 Resort Customers Face ID Theft

The identities of more than 50,000 customers of major Bahamas resort Atlantis have been exposed to possible identity fraud following the theft of personal information from the hotel. Kerzner International, owner of the luxury 2,300-room Atlantis resort on Paradise Island, revealed details of the data theft in a document filed with the Bahamas Securities and Exchange Commission. [Source]

US – Bank’s Computer Tape with 90,000 Customers’ Data Lost

A computer tape from a Connecticut bank containing personal data on 90,000 customers was lost in transit recently, the bank reported. The tape contains information such as names, addresses, Social Security numbers and checking account numbers. [Source]

UK – Government Loses ID Card Vote in Lords

The government has been defeated in the House of Lords over identity cards as peers voted for their full costs to be revealed. The Lords voted to force ministers to set out the full cost of their identity cards plan before any scheme can come into effect. Voting was 237 to 156, a majority of 81, during the Identity Cards Bill’s report stage. The move by Tories and Liberal Democrats means the measure will not come into effect until Home Secretary Charles Clarke has laid a report before Parliament, for approval by MPs, containing a detailed account of the revenue and capital costs arising from the legislation with a statement of expected benefits. Ministers will now have to consider whether to seek to reverse the defeat when the Bill returns to the Commons. The debate centred on a London School of Economics report which claimed the scheme would cost up to £19 billion - more than three times the Government’s estimates - and that the cost of an individual ID card could be high as £300. Opposition peers rejected Government claims that details of the financial implications could not be discussed openly because of the need for confidentiality, saying: “The Government say the annual costs are £584 million. “The London School of Economics report put the figures over ten years at around £10 billion to £19 billion.” And “This amendment is about transparency and openness in Government, and [we] do not believe that the Government have demonstrated those qualities in connection with this Bill.” [Source] [Source] [Source]

US – U.S. Border-Crossing Cards Could Eventually Be Used As Other ID

Planned border-crossing cards for Americans re-entering the U.S. from Canada or Mexico may someday also carry drivers' licences and other identification information, U.S. Homeland Security Secretary Michael Chertoff said, denying that he was proposing a national identification card. "It seems to me that we ought to try to be building toward an architecture where one card can do a number of different things for somebody so you don't have to carry 10 cards," Chertoff said. At issue is a wallet-sized biometric card called "PASS," for People Access Security Service, which officials hope to start issuing by the end of 2006 but will not be required for another year. The card is being offered as an alternative to requirements that stemmed from the Sept. 11, 2001, terror attacks for U.S. residents to show their passports on re-entry from Canada and Mexico by the end of 2007. Most Americans do not routinely obtain passports. Currently, border-crossers need only to show a driver's licence or birth certificate that proves nationality to enter the U.S. from Mexico and Canada. [Source]

AU – Australia’s Top Lawmaker Backs National ID Card

Australia’s top lawmaker this week backed the introduction of a national identity card to help authorities crack down on identity fraud and fight the threat of terrorist attacks. Attorney-General Philip Ruddock said he wanted a full analysis of the costs and benefits of a national identity card, which could store a range of government information, saying “They (identity issues) are important in terms of broader national security questions. We have to know who it is you are dealing with, who comes and who goes.” [Source]

AU – Business Will Carry High Cost of National ID Card

The Australian Chamber of Commerce and Industry (ACCI) said a national identity card would cost the economy up to $15 billion and may do little to stop terrorists. The ACCI warned the cost of the card would be largely borne by the business sector, over and above the estimated $750 per person it would cost to introduce the system. The warning follows a proposal by Attorney General Philip Ruddock to have an inquiry into the introduction of a national identity card. Ruddock said the inquiry will examine what information the card should contain, what legislation was needed and how much it would cost to implement. He said privacy fears are misplaced as the Tax Office and Centrelink already hold large amounts of personal information. While the move has been supported by Prime Minister John Howard, many coalition MPs are sceptical. [Source]

US – 200,000 New Yorkers Told Under New Law of ID Security Breaches

More than 200,000 New York residents have already received potentially bad news under a new state law about the security of their personal information. The law that took effect Dec. 7 requires companies and government agencies to notify consumers whenever a report containing their telephone numbers, bank account information, income, medical records and other information is accidentally disseminated. In just five weeks, 200,541 state residents have gotten such notices from 10 companies and government offices, said a spokesman for Attorney General Eliot Spitzer. [Source]

WW – In Defence of Anonymity: Accountability is the Key

Bruce Schneier, an author and the CTO of Counterpane Internet Security, explores the impact of anonymity on online commerce. Despite recent criticism of the dangers of anonymity, Schneier argues problems arise when there is a lack of accountability. “If someone isn’t accountable, then knowing his name doesn’t help,” Schneier writes in Wired News. [Source]

WW – Anti-Spyware Coalition Releases “Risk Model Description”

The Anti-Spyware Coalition’s “risk model description” document details objective criteria that anti-spyware developers can use to judge whether certain software should be identified as spyware and deleted from a user’s system. The document, which was drawn up after the receipt of more than 100 comments from organizations and individuals, was released this week in Washington, D.C. and Ottawa. [Source]

US – GPS for Sex Offenders

At the state level in the U.S., among the legislative initiatives forecast for 2006 is the use of GPS for sex offenders. Nine states passed laws employing GPS for this purpose in 2005, Florida among them. After the abduction, assault and murders of 10-year-old Jessica Lunsford in February 2005, and 13-year-old Sarah Lunde in April 2005, Florida revamped its laws. [Source]

IN – India Aims to Fight Fraud with Worker Database

India's booming information technology and call center industry has launched a database for its work force that it hopes will boost data security after reports of theft surfaced last year. Companies in the sector vowed last year to better monitor their employees and raise privacy standards. [Source]

HK – Privacy Chief Says Privacy Commission Needs More Power

Privacy Commissioner for Personal Data Roderick Woo is vowing to ask lawmakers to grant more power to the Privacy Commission to investigate and prosecute privacy violations. Currently, the commission makes referrals to the police. The ordinance requires an affected party to initiate a complaint. Woo would like the commission empowered with the authority to take on matters with “great public interest” even if a victim has not filed a complaint. [Source]

US – Bush Administration Seeks Court Order for Google Data

The Bush administration this week asked a federal judge to order Google to turn over a broad range of material from its closely guarded databases. The move is part of a government effort to revive an Internet child protection law struck down two years ago by the U.S. Supreme Court. In court papers filed in U.S. District Court in San Jose, Justice Department lawyers revealed that Google has refused to comply with a subpoena issued last year for the records, which include a request for 1 million random Web addresses and records of all Google searches from any one-week period. [Source]

US – FTC Unveils Web Site to Help Consumers Fight CyberCrime

The FTC says it is trying to educate consumers about ID theft, phishing and spam, by making the information easily accessible. The new site includes a quiz that explains wrong answers. The site also provides information on how consumers can monitor their credit histories, create secure passwords and rebound from ID theft. [Source]

SA – South African Law Reform Commission Proposes Privacy Agency

A government agency to regulate the kind of privacy a person may enjoy would be set up if draft legislation by the SA Law Reform Commission (SALRC) is approved. The commission today invited interested persons to attend regional meetings on a discussion paper entitled the Protection of Personal Information Act, which it has published. The proposed agency would be called the Information Protection Commission. [Source] [Source]

US – Groups Sue Bush for “Seriously Compromising Free Speech and Privacy Rights”

Federal lawsuits were filed this week seeking to halt President Bush’s domestic eavesdropping program, calling it an “illegal and unconstitutional program” of electronic eavesdropping on American citizens.

The lawsuits accusing Bush of exceeding his constitutional powers were filed in federal court in New York by the Center for Constitutional Rights and in Detroit by the ACLU. [Source]

WW – Report: Cost, Privacy Imperil RFID

Research firm In-Stat/MDR is predicting explosive growth in the RFID market over the rest of the decade – if cost and privacy issues can be resolved, according to one of the authors of the report. [Source] [RFID Production To Increase 25-Fold In Four Years]

US – NIST Report on Personal ID Verification SmartCard Management Report

The U.S. National Institute for Standards and Technology (NIST) has released Interagency Report 7284, Personal Identity Verification Card Management Report, which provides an overview of card management systems, identifies generic card management requirements, and considers some technical approaches to filling the existing gaps in PIV card management. The purpose of the report is to offer higher level of consistency and testability for PIV card issuance processes, enhance ability to outsource various card management components and functions, and improve overall security for the Federal PIV framework. [Source]

AU – Childcare ‘Smartcard’ Probe

The Australian federal Government is investigating a childcare “smartcard” which sends attendance records to Centrelink. Family and Community Services Minister Kay Patterson revealed she had asked her department to investigate the national smartcard following a call by an MP for the Government to dismantle the childcare system. Ms Kelly called on the Government to channel childcare rebates through employers and give tax incentives to businesses to “buy” childcare for workers. [Source]

US – Congressional Agency Questions Legality of Bush Wiretaps

The Bush administration appears to have violated the National Security Act by limiting its briefings about a warrantless domestic eavesdropping program to congressional leaders, according to a memo from Congress's research arm released this week. The Congressional Research Service opinion said that the amended 1947 law requires President Bush to keep all members of the House and Senate intelligence committees "fully and currently informed" of such intelligence activities as the domestic surveillance effort. The memo from national security specialist Alfred Cumming is the second report this month from CRS to question the legality of aspects of Bush's domestic spying program. A Jan. 6 report concluded that the administration's justifications for the program conflicted with current law. [Source]

US – Spy Agency Data After Sept. 11 Led F.B.I. to Dead Ends

The New York Times reports that, in the months after the Sept. 11 attacks, the National Security Agency began sending a steady stream of telephone numbers, e-mail addresses and names to the F.B.I. in search of terrorists. The stream soon became a flood, requiring hundreds of agents to check out thousands of tips a month. But virtually all of them, current and former officials say, led to dead ends or innocent Americans. F.B.I. officials repeatedly complained to the spy agency that the unfiltered information was swamping investigators. The spy agency was collecting much of the data by eavesdropping on some Americans’ international communications and conducting computer searches of phone and Internet traffic. Some F.B.I. officials and prosecutors also thought the checks, which sometimes involved interviews by agents, were pointless intrusions on Americans’ privacy. [Source]

US – Polls Show Increasing Skepticism of Government Surveillance

Two polls show increased concern over privacy and surveillance in America. A Washington Post / ABC News poll showed that two out of three Americans believed that federal agencies are intruding on personal privacy in their anti-terrorism activities. About a third of Americans believe that it is more important for the federal government to not intrude on personal privacy than it is to investigate possible terrorist threats, up 11% from 2003 and up 14% from 2002. Members of both parties share concern over privacy rights, with both Republicans and Democrats fearing that privacy rights may be compromised by anti-terrorism policies. [Washington Post on Poll Results] A poll conducted by CNN, USA Today, and Gallup showed a similar increase in privacy worries. Since 2003, 10% more people feel that the Bush administration has gone too far in the campaign against terrorism, with 38% currently worried about restricted civil liberties. Though both polls show that respondents are evenly split in deciding whether the recently revealed domestic surveillance program was justified, it seems that most Americans are interested in the story, with 75% of the CNN poll and 66% of the Post poll saying they were following the story closely. [CNN on Poll Results]

UK – U.K. Will Be First to Monitor Every Car Journey

Britain is to become the first country in the world where the movements of all vehicles on the roads are recorded. A new national surveillance system will hold the records for at least two years. Using a network of cameras that can automatically read every passing number plate, the plan is to build a huge database of vehicle movements so that the police and security services can analyze any journey a driver has made over several years. The network will incorporate thousands of existing CCTV cameras which are being converted to read number plates automatically night and day to provide 24/7 coverage of all motorways and main roads, as well as towns, cities, ports and petrol-station forecourts. Senior police officers have described the surveillance network as possibly the biggest advance in the technology of crime detection and prevention since the introduction of DNA fingerprinting. But others concerned about civil liberties will be worried that the movements of millions of law-abiding people will soon be routinely recorded and kept on a central computer database for years. [Source]

CA – Rogers Cable Criticized for Posting Customer Data

Canadian Press reports that the Rogers Cable website has long allowed anyone with Internet access to find out which packages and specialty channels – including several adult services – the company’s customers enjoy. A spokesperson with the Privacy Commissioner of Canada described the ready availability of such personal information as “completely appalling and unacceptable.” [Source]

US – Poll: More Than 75% of U.S. Adults Listed on DNC Registry

A Harris poll has found support growing in the U.S. for the popular DNC list. In 2004, 57% of American adults said they were on the list, compared with 32% in 2003. The poll found that 61% of the 1,961 adults said they received “some, but far less (calls) than before,” compared with 53% in 2004. [Source]

US – Agencies Probing Sales of Cellphone Data

A U.S. Congressman said last week that federal agencies were looking into whether telephone companies were sufficiently protecting consumers’ records amid concerns that Internet sites were selling cellphone call information. Rep. Edward Markey, a Democrat from Massachusetts, said the chairman of the Federal Communications Commission (FCC) told him the agency was investigating whether phone companies were adequately protecting consumer records. He said in a statement “the FCC and the Federal Trade Commission were coordinating efforts to combat this rising fraud.” [Source]

US – Senators Introduce Bill to Enforce Privacy of Cell Phone Records

Three senators this week introduced legislation that would make it a crime for someone to obtain cell phone customer call records under false pretenses. Senators Charles Schumer (D-N.Y.), Arlen Specter (R-Pa.) and Bill Nelson (D-Fla.) introduced the bill. [Source] [Source]

US – DHS to Outsource Smart-Card Identification System for Federal Employees

Companies had a deadline this week to design a system that would satisfy a presidential directive to create new federal IDs to control access to federal buildings and computers. The plan would give a private company the job of collecting and storing employees’ personal information, digital photographs and fingerprints. Privacy advocates and some members of Congress are likely to object to a private company controlling a homeland security database that contains personal information. President Bush’s 2004 directive set an October deadline for the system. [Source]

US – Survey: U.S. Government May Not Meet 2006 Deadline on Data Security Standards

A Cisco survey shows that less than half of the federal IT officials believe they will be fully compliant with the 2002 Federal Information Security Management Act by the end of 2006. However, the government standards are more stringent than private-sector standards, according to Cisco. The survey revealed that respondents showed the most concern for security issues related to the “loss of privacy of employee and citizen data due to a security breach.” [Source]

US – Ohio Data Breach Law Takes Effect Next Month

Companies and state agencies that experience data breaches must notify consumers within 45 days, under a law that takes effect Feb. 17. Health-care and financial institutions mostly are exempt from the new law because they are subject to federal rules. [Source]

JP – Survey: Working At Home Horror Stories

Dutiful employees with intentions of finishing work at home have suffered the consequences of losing a computer with sensitive company data. Some employees have been the target of theft, which led to potential data leaks. The Japan Network Security Association found in a 2004 analysis of data leaks that 36.1% of the incidents were due to theft and 21.6% were attributed to lost items. [Survey]

--------