Privacy News Highlights
19–31 December 2008
Contents:
US – DHS to Expand US-VISIT Biometric Collection
WW – Survey by Biometrics Vendor Finds Biometric ID Verification Gaining Approval
JP – Million Dollar Border Security Machines Fooled with Ten Cent Tape
CA – Judge Orders CSIS to Stop Listening to Calls Between Suspects and Lawyers
CA – Radwanski Verdict Delayed
US – Security Breach Found in NY Child Abuse Records
EU – Irish Spammers Will Face Fines Up to €250,000
US – Healthcare Compliance Gets Boost From National HHS Privacy Framework
WW – Web Browser Flaw Could Put E-Commerce Security at Risk
WW – Researchers Show “MD5 Secure” Sites May Not Be Safe
EU – New Mandates for EDPS: Peter Hustinx Reappointed as Supervisor
EU – Sloppy Data Protection Practices Expose Naughty, Nice
EU – Official Raises Doubts Over Data Privacy in Germany
EU – Google Privacy Chief Joins E.U. Commission Privacy Advisory Body
EU – European Union Voices Concern Over Inadequacy of Privacy Bill
UK – Government Departments Losing A Computer Every Day
EU – Dutch DPA Approves Transit Card
AU – Mandatory Internet Filtering In Australia Slammed
US – Wall Street Bailout Spawns Subsidy Database
US – U.S. Set to Expand DNA Collections
US – Bush and Lawmakers Sneak a National Baby DNA Databank into Existence
US – Washington State to Consider DNA Law
US – RBS WorldPay Breach: 1.5 Million Individuals Affected
US – Top 10 Security Breaches of 2008
CA – Alberta Privacy Commissioner Gives Advice on Returning Gifts
UK – UK’s Database Plan Condemned by Europe
US – Georgia Sex Offenders Must Hand Over Online Passwords
WW – Browser Privacy Tools May Be Less than Effective
JP – Google StreetView Privacy Protest in Japan
UK – Google Street View Set for Spring Launch in U.K.
CH – Man, Website Fined In 1st Chinese Online Harassment Case
ES – Estonia: Debt Collector to Publish Debtors on Outdoor Posters
US – Napolitano, Obama’s DHS Pick, Not Friendly to Privacy
US – Coalition Letter to President-elect Obama on the Future of Privacy
US – Cops Hopeful for Tech Support from Obama Admin
US – Facebook Privacy Chief Eyes California Auditor-General Office
US – Wisconsin Court: Nude People Still Have Privacy Rights
US – With Lawsuit Settled, Hackers Now Working With MBTA
WW – Hundreds of Stolen Data Dumps Found: Study
CA – High-Tech Credit Cards Latest Crime-Fighting Tool
US – NSA Patents a Way to Spot Network Snoops
CA – Winnipeg New On-Board Cameras Ensure Safer Trips for Transit Commuters
UK – CCTV Used to ‘Spy’ On Pupils in Schools
US – Pennsylvania City Council’s Cell Phones Not Public Record, Court Rules
US – PIA for DHS State, Local, and Regional Fusion Center Initiative Released
US – DHS CPO: Fusion Centers Put Citizen Privacy at Risk
US – Fee-Paying Air Travelers Turning Security Lines Into Moneymakers
US – NY Post Office Reopens Santa Program With Privacy Controls
CA – P.E.I. Government Falsified Worker’s Job Record: Privacy Commissioner
WW – IT Security and the Insider Threat Issue
US – Hawaii Attempts Random Drug Tests of Teachers
Biometrics
Starting next month, the Department of Homeland Security (DHS) will expand its collection of biometric data through the US-VISIT (Visitor and Immigrant Status Indicator Technology) program. DHS will capture the digital fingerprints and photographs of lawful permanent residents, immigrant visa applicants, those seeking asylum and some Canadian citizens, among others traveling to and from the
Consumers are willing to undergo biometric testing in order to help combat identity verification fraud, according to a survey by Unisys. Two-thirds of consumers who took part in the survey said that they were happy to have their fingerprints scanned for ID authentication purposes. The most trusted identity verification measure was personal password protection, with 68% preferring this form of ID authentication. “Fears about fraud and ID theft clearly aren’t going away. Adoption of biometric ID verification is one solution where we see widespread consumer support, although many organisations have yet to embrace this technology as an effective way to protect data and identities,” said the VP of Unisys global identity and credentialing practice. Research commissioned for National Identity Fraud Prevention Week, which took place in October, found that 75% of workers are not confident that their workplace does enough to protect sensitive identity verification data from falling into the wrong hands. [Source]
A South Korean woman managed to fool a million-dollar fingerprint reading machine in Japanese border controls using a simple piece of tape stuck to her fingers. It happened at
A Federal Court judge issued an order to
A verdict in the trial of former privacy commissioner George Radwanski and his former chief of staff Arthur Lamarche won’t come until February. Radwanski and Lamarche face charges of fraud and breach of trust. A verdict was expected Friday, but instead, Justice Hugh L. Fraser of the Ontario Court of Justice announced that the trial will be delayed until February 13, 2009. [Source]
E-Government
New York State Inspector General Joseph Fisch says he’s uncovered serious deficiencies at the Statewide Central Register of Child Abuse and Maltreatment (Register) and is recommending legislative and departmental changes to improve confidentiality. The Register is overseen by the New York State Office of Children and Family Services (OCFS). In a 33-page report, Fisch revealed several findings related to a breach of the Register’s confidentiality. Also known as the “Hotline,” the Register receives calls reporting alleged child abuse. Such reports are confidential under state law. [Source] [Report] See also: [Lack of coordination a stumbling block to e-Governance]
The Irish government has passed legislation aimed at reducing spam and other unsolicited emails. Spam complaints in
Electronic Records
New Medicare provisions for digital prescriptions and expanded HIPAA influence, quietly put forth in a Health and Human Services framework earlier in December, mean more organizations will need to grapple with healthcare compliance issues protecting patient information in 2009. The e-prescription program will include incentives in 2009 and begin including disincentives for continued paper use in 2012. The Health Insurance Portability and Accountability Act (HIPAA) may soon cover not just healthcare organizations but also providers of electronic personal health records (EPHRs), which belong to the patient rather than the medical establishment and are hosted by a number of commercial services, such as Microsoft’s HealthVault and Google Health. This New Year’s Day, Medicare will launch an “e-prescribing incentive plan,” offering doctors bonus payments for prescribing medicine electronically. And starting in 2012, Medicare will penalize doctors who continue to write prescriptions on paper. The program, defined by Section 132 of the Medicare Improvements for Patients and Providers Act of 2008 (MIPPA), and MIPPA itself mean challenges for CIOs. In an effort to provide guidance, the HHS released on Dec. 15 the National Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. HHS intends the new framework to provide guidance to both medical and IT professionals addressing privacy and security concerns related to EPHRs exchanged in a network, regardless of the specific healthcare compliance requirements applicable to a particular organization. The framework provides policy guidelines and a set of principles but does not enshrine them in a legal directive. Congress may adopt the principles in a codified form if proposed e-health legislation from President-elect Barack Obama’s incoming administration passes. [Source]
Encryption
A key piece of Internet technology that banks, e-commerce sites, and financial institutions rely on to keep transactions safe suffers from a serious security vulnerability, an international team of researchers has announced. They demonstrated how to forge security certificates used by secure Web sites, a process that would allow a sufficiently sophisticated criminal to fool the built-in verification methods used by all modern Web browsers, without the user being alerted that anything was amiss. The problem is unlikely to affect most Internet users in the near future because taking advantage of the vulnerability requires discovering some techniques that are not expected to be made public as well as overcoming engineering hurdles: performing the initial digital forgery consumed approximately two weeks of computing time on a cluster of 200 PlayStation 3 consoles. In addition, a criminal needs to find a way to reroute traffic from a legitimate Web site to his own, perhaps through techniques that have become well-known in the last few years. Yet if one group can do it today, others eventually will. “We have a proof-of-concept that allows us to impersonate any supposedly secure Web site on the Internet,” said David Molnar, a doctoral student in computer science at the
EU Developments
The European Parliament and the Council have reappointed Peter Hustinx as European Data Protection Supervisor (EDPS). Hustinx will begin serving his second five-year term early next year. Giovanni Buttarelli was appointed assistant supervisor for the same term. Buttarelli has served as secretary general of the Italian Data Protection Authority since 1997. [Source]
Father Christmas has been arrested and arraigned on a contravention of the
A number of privacy breaches and scandals affecting
Google’s privacy law expert has been appointed to a committee which will advise the European Commission on data protection policy. Google has previously clashed with EU privacy watchdogs on data protection issues. Google’s global privacy counsel Peter Fleischer is one of five members of the Data Protection Expert Group (DPEG), which the Commission said was a temporary and informal expert group. Fleischer will be joined by a German and a Belgian lawyer, the chairman of the Dutch data protection authority and chip maker Intel’s director of security policy, David Hoffman. The appointments mean that two of the five expert group members will be senior
The European Union has criticized a bill on the protection of private data, a piece of legislation that has been given priority in the country’s efforts for greater harmonization with EU legislation, saying that the scope of exceptions mentioned in the bill is so vast and ambiguous that it will be insufficient to prevent abuse. EU Counterterrorism Coordinator Gilles de Kerchove recently paid a visit to the parliamentary EU Harmonization Commission and stated that in order for
Facts & Stats
More than 2,800 computers belonging to
After three years of denials, the
Filtering
Plans for a mandatory internet filter to protect Australians from child pornography have been slammed by civil liberties groups as draconian, misleading and a possible invasion of privacy. Communications Minister Stephen Conroy had originally flagged a test of a filter that would block a list of banned websites. But plans to trial technology that will block file-sharing, the primary means for sharing video, pictures and audio over the internet, have provoked outrage. It is understood that a technique known as “packet inspection” would be used to monitor and filter file-sharing networks, sparking fears that individual user privacy would be breached. Hundreds of comments critical of the filtering plan were posted on a blog run by Senator Conroy’s department. Civil Liberties Australia director Lance Williamson said packet inspection could be a possible invasion of privacy. “What you are really talking about [with file sharing] is akin to Australia Post opening our mail,” he said. [Source]
FOI
The Pew Charitable Trusts launched Subsidyscope, an effort to aggregate information on federal subsidies from multiple sources into a comprehensive, searchable, open-source database. Government transparency group Sunlight Foundation joins Pew as its technology partner responsible for constructing the technical infrastructure, compiling data and building Subsidyscope’s database. When Congress approved the $700 billion Emergency Economic Stabilization Act in October to bail out Wall Street, it marked a major expansion of the government’s role in the markets. Unfortunately, as taxpayers have already discovered, just who got what out of the bailout is still unknown, even to members of Congress. The Pew Charitable Trusts hopes to change all that, announcing Dec. 15 it plans to develop a publicly accessible database called Subsidyscope to focus public and policymaker attention on the size and scope of all federal subsidies. Pew said it would release regular reports, aggregating and analyzing subsidies to various industry sectors. Pew has engaged the Sunlight Foundation, a government transparency group, to construct the technical infrastructure, compiling data and building Subsidyscope’s database. Among Sunlight’s other projects are PublicMarkup.org, which seeks to open legislation to online and public review; Earmark Watch, an open review of Washington spending; and OpenCongress, a government transparency effort with news and blogging about Capitol Hill. “This project represents an exciting opportunity to shine a light on various ways that increasingly scarce federal resources are being spent,” Ellen Miller, co-founder and executive director of the Sunlight Foundation, said in a statement. “While we don’t know precisely what the project will find, as Supreme Court Justice Louis Brandeis famously said, ‘Sunlight is the best disinfectant.’” [Source]
Genetics
The
The bill states that the federal government should “continue to carry out, coordinate, and expand research in newborn screening” and “maintain a central clearinghouse of current information on newborn screening... ensuring that the clearinghouse is available on the Internet and is updated at least quarterly.” Sections of the bill also make it clear that DNA may be used in laboratory experiments and tests. While most Americans were bombarded with news coverage regarding the presidential race without end, President George W. Bush almost silently signed a senate bill that would change America forever. S.1858 allows the federal government to screen the DNA of all newborn babies in the United States. According to the legislation, the new law must be implemented within 6 months of Bush’s bill signing in April 2008. According to police experts, this infant DNA collection is now being carried out by individual states and sample DNA is being submitted to the feds. Congressman Ron Paul states that this bill is the first step towards the establishment of a national DNA database. [Source]
A Washington State legislator has announced plans to introduce legislation that would permit Washington law enforcement agencies to begin collecting DNA samples from individuals arrested on felony charges. Washington currently allows DNA samples to be collected from individuals convicted of a crime. Rep. Mark Miloscia’s proposed bill would mirror a new federal law taking effect on January 9, 2009. A similar bill filed by Miloscia failed this year over cost and civil liberty concerns. “We take their fingerprints, their pictures and their address when they are arrested,” Miloscia said. “What’s wrong with taking their DNA?” [Source]
Horror Stories
Electronic payment processing service, RBS WorldPay, last week disclosed a data breach affecting 1.5 million cardholders. Atlanta-based RBS WorldPay processes electronic payments, such as debit, credit and ATM transactions. It also processes gift card and payroll card transactions. An unauthorized user accessed the company’s computer system, and personal information of 1.5 million gift card and payroll cardholders may have been compromised, a company spokesman told SCMagazineUS.com on Monday. Personal information of payroll cardholders - including names, addresses, dates of birth, Social Security numbers - may have been accessed. The compromised data includes the Social Security numbers of as many as 1.1 million users, the company said in a statement on its website. [Source]
1. TJX Case Winds Up, Arrests Made
2. Bank of New York Mellon
3. Hannaford Data Breach
4. Countrywide Insider Theft
5. GE Money Backup Tape Goes AWOL
6. RSA Report: Half-Million Banking ID’s Stolen
7. Compass Bank Hard Drive Stolen, 1 Million Accounts Taken
8. Ski Resort Okemo Suffers Hannaford-Like Data Breach
9. Retailer Montgomery Ward
10. More Than $5 Million Taken By ATM Capers [Source]
Identity Issues
For the hundreds of thousands of Albertans out bargain hunting and returning presents this week, the province’s Information and Privacy Commissioner has a warning ... be careful about giving stores your driver’s licence. Commissioner Frank Work says more and more companies are writing down customers’ drivers licence numbers and sometimes even photo-copying the licence. Work says retailers are usually just trying to prevent fraud, but they could actually be exposing their customers to potential identity theft. He says most companies do not need to record this information and could actually be breaking Alberta’s privacy laws. [Source]
Internet / WWW
Britain must rethink plans for a database holding details of every email, mobile phone and internet visit, Europe’s human rights commissioner has said in an outspoken attack on the growth of surveillance societies. Thomas Hammarberg said that UK proposals for sweeping powers to collect and store data will increase the risk of the “violation of an individual’s privacy”. Plans for the database of emails, phone calls and internet visits are to be published by the Home Office in January. These proposals have already been described by the Government’s own terrorism-law watchdog as “awful” and attacked by civil liberty groups for laying the basis of a Big Brother state. Chris Huhne, the Liberal Democrat spokesman on home affairs, supported Mr Hammarberg’s criticism, saying: “A major database for email, mobile phone calls and the internet would be an astonishing and Orwellian step. 1984 was supposed to be a warning, not a blueprint.” [Source] See also: [UK: Private firm may track all email and calls]
Online Privacy
Privacy advocates are questioning an aggressive Georgia law set to take effect that would require sex offenders to hand over Internet passwords, screen names and e-mail addresses. Georgia joins a small band of states complying with guidelines in a 2006 federal law requiring authorities to track Internet addresses of sex offenders, but it is among the first to take the extra step of forcing its 16,000 offenders to turn in their passwords as well. A federal judge ruled in September that a similar law in Utah violated the privacy rights of an offender who challenged it, though the narrow ruling only applied to one offender who had a military conviction on sex offenses but was never in Utah’s court or prison system. No one in Georgia has challenged the law yet, but critics say it threatens the privacy of sex offenders and burdens cash-strapped law enforcement officials. “There’s certainly a privacy concern,” said Sara Totonchi of the Atlanta-based Southern Center for Human Rights. “This essentially will give law enforcement the ability to read e-mails between family members, between employers.” [Source]
New research by iSec Partners in San Francisco suggests that some browser privacy tools may not be that effective in helping users protect their privacy online, according to the New York Times’ Bits blog. Researcher Kate McKinley ran a number of the applications through their paces and, in a paper published this week, wrote that Apple’s Safari browser had a number of problems when run with the Mac OS X operating system, and offered no privacy protection when run on Microsoft Windows XP. McKinley also reported that none of the four browsers tested offered privacy protection for users of Adobe’s popular Flash media plug-in. [Source]
Other Jurisdictions
A group of Japanese lawyers and professors say Google’s Street View violates basic privacy rights, and wants the service shut down. The Kanshi Shakai o Kyohisuru Kai (Campaign Against Surveillance Society), a group of Japanese lawyers and professors led by Sophia University constitutional law professor Yasuhiko Tajima, has asked Internet giant Google to shut down Google Street View on the grounds that it violates basic privacy rights. Tajima wants Google Street View shut down and all its images deleted on the basis that they violate the privacy of anyone whose photograph appears in the service. Street View has sparked its share of privacy complaints, as some people claim they were photographed by Google and can be identified; well-known cases include sunbathers and an individual seen exiting a strip club in San Francisco. Similar complaints about the service have been made in the United States and Europe. Google takes some care to anonymize individuals appearing in Street View photos, blurring faces, license plates, and other sensitive information in the photos available to the public. Nonetheless, it would still be possible for a knowledgeable person to recognize vehicles, individuals, and activities shown in many Google Street View images; in some cases it is even possible to determine the date and time Google snapped its photos. Google has not responded publicly to the complaints. [Source]
Google’s controversial “Street View” service, which provides a 360-degree street level view of cities around the globe, is set to launch in the U.K. this coming spring when London, Edinburgh, Manchester and Birmingham are added to the list. British privacy watchdog group Privacy International is already on the record as believing that Street View operates in violation of data protection laws and is likely to file a complaint with the Information Commissioner’s office. Street View already offers visual tours of cities in the U.S., France, Italy, Japan and Spain. [Source]
A man and a website were fined by a Beijing court for their involvement in the country’s first online harassment lawsuit. The fines were for invading the plaintiff’s privacy and tarnishing his reputation through online activities that included displaying his personal information for public viewing and abuse. The defendant and the website were also ordered to immediately delete contents they had posted online that invaded privacy and harmed his reputation, as well as publish apologies for their actions online. [Source]
Estonian debt collection agency CKE Inkasso has adopted a new approach to reclaiming debt by publishing the names of debtors on large outdoor posters. The company’s board member Raul Reinsalu told Postimees that the first 35-square-metre poster will be unveiled on a building wall at a large traffic junction in Tallinn on January 5. The poster will carry the names of ten companies and their executives. Reinsalu added that the company was going to publish only the names of those debtors that were arrogant or refused to cooperate. According to the debt collection agency, the Data Protection Inspectorate has informed it that it does not object to publishing the names of debtors in public, since the information is taken from a public source such as the commercial registry. [Source]
Privacy (US)
Gov. Janet Napolitano - President-elect Barack Obama’s pick to run the Homeland Security Department - has strongly advocated using advanced security technology as a law enforcement tool, drawing praise from police and raising concern among civil liberties groups that warn about privacy invasion. As Arizona’s Democratic governor since 2003, Napolitano has:
§ Pushed state police to use cameras that scan license plates of moving cars to find vehicles that are stolen or linked to a criminal suspect.
§ Promoted “face-identification” technology that could help surveillance cameras find wanted people by comparing someone’s face with a photo database of suspects.
§ Signed a 2007 bill making Arizona one of 12 states that collect and store DNA samples of people accused but not convicted of certain crimes, including murder, burglary, sexual assault and prostitution.
§ Proposed an optional state ID for legal citizens only that features a radio-frequency chip to allow authorities to read the card. State lawmakers blocked the effort this year.
“She sees technology as the panacea of all our law enforcement problems and immigration issues,” said Alessandra Soler Meetze, head of Arizona’s American Civil Liberties Union chapter. “It’s like she’s embracing these technologies without taking the time to appreciate the privacy implications.” [Source]
Thirty privacy, consumer, and civil liberties organizations sent a letter to President-elect Barack Obama on the importance of protecting privacy in the next administration. The organizations support the incoming president’s expressed positions on privacy, consumer rights, and civil liberties. President-elect Obama stated support for strengthening privacy protection by harnessing the power of technology to hold government and businesses accountable for violations of personal privacy. The coalition said that “[t]here is a clear need to address the spiraling problems of identity theft, security breaches, and the commercialization of personal information.” [Source]
Police groups are hopeful that they will find increased support for the use of security technologies, including DNA databases, under Barack Obama’s presidency. Police groups point to the record of Department of Homeland Security secretary nominee Janet Napolitano, who has supported broader use of surveillance and other security technologies while serving as governor of Arizona, as the reason for their optimism. The ACLU is less positive over Napolitano’s prospects, stating “It’s like she’s embracing these technologies without taking the time to appreciate the privacy implications.” [Source]
Facebook Chief Privacy Officer Chris Kelly is eyeing the California attorney general seat. He is expected to declare his candidacy for the 2010 general election soon. According to the report, Kelly will leave Facebook in June in order to campaign. [Source]
A state appeals court ruled Tuesday that a person who is voluntarily nude in the presence of another still has privacy rights against being secretly videotaped, in a decision that bolsters Wisconsin’s video voyeur law. The ruling upholds the felony guilty plea of Mark Jahnke, who videotaped his girlfriend while she was naked and while they were having sex. He argued in his appeal that because the woman agreed to be naked around him, she had no reasonable expectation of privacy. The state Department of Justice argued that shared intimacy does not give a person the right to film another unknowingly. [Source]
RFID
Three Massachusetts Institute of Technology students who were sued earlier this year by the Massachusetts Bay Transit Authority (MBTA) said that they are now working to make the Boston transit system more secure. The announcement brings to a close a high profile case that pitted the rights of security researchers to freely discuss their findings against the concerns of one of the country’s largest transit systems, which worried that this type of information could lead to widespread ticket fraud. Zack Anderson, along with Russell “RJ” Ryan and Alessandro Chiesa, was prevented from giving a talk entitled “The Anatomy of a Subway Hack: Breaking Crypto RFIDs & Magstripes of Ticketing Systems” at the Defcon hacker conference last August. The students had planned to show that they had reverse engineered the MBTA’s CharlieTicket magnetic stripe tickets and CharlieCard smartcards. The CharlieCard uses the same Mifare Classic RFID technology that was cracked earlier this year by security researchers. The MBTA had argued that the presentation could have caused “significant damage” to the transit system, but the students had said that they had no intention of releasing key pieces of information that would have allowed people to hack the system. [Source]
Security
A comprehensive new study that peers into huge troves of financial data stolen by cyber thieves confirms what experts have surmised from looking at much smaller, isolated caches of digital loot: that criminals can make hundreds, even thousands, of dollars a day selling data stolen with the help of widely available software toolkits. Recent reports by security firms have shown that stolen identities, bank accounts and credit card numbers are sold in bulk every day in shadowy online forums, often for pennies on the dollar. In its analysis, Symantec found in 2007 that the going rate for the keys to assuming someone else’s identity was between $14 and $18 per victim. Those reports either presented conclusions based on examining a single cache of stolen data, or on observations from watching transactions between cyber thieves. But a report released by researchers at the University of Mannheim, Germany, offers a disturbing glimpse at the sheer abundance of this stolen data. The researchers used “honeynets,” distributed networks of dummy computers that were set up to be hacked, so that they could gather intelligence about the attack patterns and methods used by cyber criminals. Their findings, which drew from stolen data harvested from 300 drop zones between April and October 2008, were staggering: 33 gigabytes worth of purloined data from more than 170,000 victims. Included in those troves were more than 10,700 online bank account credentials, 149,000 stolen e-mail credentials, 5,682 credit card numbers, and 5,712 sets of eBay credentials. Using figures from Symantec’s 2007 study on the prices that these credentials can fetch at e-crime bazaars, the researchers estimate that a single cyber crook using one of these kits could make a tidy daily income. “We found that criminals can easily make a few hundred to a few thousand bucks a day from selling this stuff,” said the founder of the German Honeynet Project. “We weren’t able to access 230 of the drop sites we found, so the real number of victims and stolen credentials is probably many times what we were able to see.” [Source] [Report] See also: [IT security resellers faced new kinds of threats in 2008] and [How to improve cybersecurity: Ask hackers]
Smart Cards
Holders of CIBC, Royal Bank Visa and BMO Mastercard credit cards are the first to receive the latest in crime-fighting technology – new cards with a computer chip embedded in them. The chip is replacing the 30-year-old magnetic stripe technology. Hundreds of millions of dollars are being spent to replace “mag stripes,” which are outdated and all-too-susceptible to card skimmers, who can copy the stripe’s data and make duplicate cards, often right under their victims’ noses. This kind of fraud costs financial institutions about $100 million a year. Chip cards, which essentially have a small computer in them, use lengthy encryption keys that are unique to each card. Issuers say the keys can be enlarged as time goes on, to make them even more difficult for fraudsters to crack. Visa Canada said “a couple million” chip cards have been sent out across Canada thus far, but that number is expected to increase by more than seven-fold a year from now. The difference from the old technology is consumers will no longer have to hand over their card to a merchant to be swiped. Instead, they’ll insert it in a card reader for the duration of their transaction, punch in a personal identification number, or PIN – just like with their debit card – and pull it out once it’s approved. No signature is required. [Source]
Surveillance
The U.S. National Security Agency has patented a technique for figuring out whether someone is tampering with network communication. The NSA’s software does this by measuring the amount of time the network takes to send different types of data from one computer to another and raising a red flag if something takes too long, according to the patent filing. Other researchers have looked into this problem in the past and proposed a technique called distance bounding, but the NSA patent takes a different tack, comparing different types of data travelling across the network. “The neat thing about this particular patent is that they look at the differences between the network layers,” said an assistant professor of computer science at the University of Washington. The NSA did not answer questions concerning the patent, except to say, via e-mail, that it does make some of its technology available through its Domestic Technology Transfer Program. The patent, granted Tuesday, was filed with the U.S. Patent and Trademark Office in 2005. It was first reported Thursday on the Cryptome Web site. [Source]
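The comparison the item describes, timing several kinds of traffic over the same path and flagging a path when one kind becomes disproportionately slow, can be sketched as a small detector. The code below is an added illustration written for this digest; it is not the NSA's patented method, and the traffic classes, the baseline round-trip figures and the threshold are constructed assumptions. The point it adds beyond the text is the cross-layer check: a slowdown that hits every traffic class looks like ordinary congestion, whereas a slowdown confined to one class is the pattern inline inspection at that layer would produce.

```python
"""Timing-based tamper indicator (illustration only; not the NSA patent's algorithm)."""
from statistics import median

# Constructed baseline: round-trip times in ms for three traffic classes measured
# between the same pair of hosts during a known-clean period.
BASELINE_MS = {
    "icmp_echo": [1.0, 1.1, 0.9, 1.0, 1.2, 1.0, 0.95],
    "tcp_syn":   [1.5, 1.6, 1.4, 1.5, 1.7, 1.5, 1.45],
    "tls_hello": [3.0, 3.2, 2.9, 3.1, 3.0, 3.3, 2.95],
}

# Constructed probe rounds: one measurement per class.
NORMAL_ROUND    = {"icmp_echo": 1.05, "tcp_syn": 1.55, "tls_hello": 3.1}
SELECTIVE_ROUND = {"icmp_echo": 1.05, "tcp_syn": 1.55, "tls_hello": 9.0}   # only TLS slowed
UNIFORM_ROUND   = {"icmp_echo": 2.2,  "tcp_syn": 3.3,  "tls_hello": 6.5}   # everything slowed


def mad(values, centre):
    """Median absolute deviation; a robust spread estimate that one outlier cannot drag."""
    return median(abs(v - centre) for v in values) or 1e-9  # guard against a zero spread


class PathTimingBaseline:
    """Per-class robust baseline plus a cross-class verdict for one probe round."""

    def __init__(self, baseline):
        self.medians = {k: median(v) for k, v in baseline.items()}
        self.mads = {k: mad(v, self.medians[k]) for k, v in baseline.items()}

    def score(self, kind, rtt_ms):
        # Robust z-score: 1.4826 * MAD approximates one standard deviation for normal data.
        return (rtt_ms - self.medians[kind]) / (1.4826 * self.mads[kind])

    def check(self, sample, threshold=5.0):
        scores = {k: self.score(k, v) for k, v in sample.items()}
        flagged = [k for k, s in scores.items() if s > threshold]
        if not flagged:
            verdict = "normal"
        elif len(flagged) == len(sample):
            # Every class is slow: the whole path degraded, which is congestion-like.
            verdict = "uniform_slowdown"
        else:
            # Only some classes are slow: consistent with something handling that layer.
            verdict = "selective_delay"
        return {"scores": scores, "flagged": flagged, "verdict": verdict}


if __name__ == "__main__":
    detector = PathTimingBaseline(BASELINE_MS)
    for name, rnd in (("normal", NORMAL_ROUND), ("selective", SELECTIVE_ROUND), ("uniform", UNIFORM_ROUND)):
        result = detector.check(rnd)
        print(f"{name:9s} -> {result['verdict']:16s} flagged={result['flagged']}")
```

A "selective_delay" verdict is only an indicator: a middlebox that legitimately proxies one protocol produces the same signature, so it should be an alert to investigate rather than proof of interception.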
Winnipeg has announced that a state-of-the-art audio/video surveillance system is being installed on 130 buses to assist Winnipeg Transit in providing a safer environment for their customers and employees. It is anticipated that the City’s entire fleet of 535 buses will have the cameras installed by the end of 2009. The audio/video surveillance system is expected to increase safety on buses by acting as a deterrent to anyone with criminal intentions. It will also aid in the investigation of incidents that may have taken place. Each bus will be equipped with up to five cameras and a digital recording device to continuously monitor on-board activities from a variety of angles. The system also has the capability to continuously record audio. Signage will be posted inside the buses to advise occupants their activities are under audio and video surveillance. The funding of $2.9 million for the installation of the audio/video surveillance system is made possible through a federal-provincial partnership. [Source] See also: [Toronto security camera project coming to an end] and also: [Video technology creates a few very-public lives: Broadcasting Your Life, and the Lives of Others]
Big Brother-style CCTV cameras and microphones are being used in schools to “spy” on children as young as four. The surveillance equipment is in use in around 85 primary and secondary schools and colleges across the country. Classwatch, the company behind the system, says it is being used as a way to monitor children who are disrupting lessons. The firm said the equipment, which is sold with evidence bags approved by the Crown Prosecution Service to store material for court cases, can be used to compile “proof” of wrongdoing. The system includes ceiling-mounted microphones and cameras and a hard drive recorder housed in a secure cabinet. Data protection watchdog the Information Commissioner has warned the surveillance may be illegal and demanded to know why schools are using it. Classwatch said the devices act as “impartial witnesses” which can provide evidence in disputes and curb bullying and unruly behaviour. They can also be used to protect teachers against false allegations of abuse and provide evidence acceptable in court, it said. Andrew Jenkins, the firm’s director, said: “The system can be turned on and turned off as they wish.” [Source] See also: [Child-tracking devices raise privacy issues] and also: [Child Safety Marketing Births Privacy Fears]
Telecom / TV
The Pennsylvania Supreme Court has ruled that cell phone bills of Pittsburgh City Council members are not public record. In an opinion published Thursday, the state’s highest court affirmed a Commonwealth Court ruling that the cell phone records of former council members Len Bodack and Barbara Burns are not available to the public under the state’s Right-to-Know Law. Seeking that the records be made public, the Tribune-Review newspaper filed suit in 2003 against Mr. Bodack, Ms. Burns and the City of Pittsburgh. Justice Seamus P. McCaffery, writing for the majority, said that revealing phone numbers of people who call or are called by council members could be a violation of privacy. Council members argued that constituents call them to report illegal activity, and revealing those people’s identities could invite retaliation. Those concerns, Justice McCaffery wrote, are not outweighed by the numbers’ potential benefit to the public. [Source]
US Government Programs
This PIA examines the privacy implications of the State, Local and Regional Fusion Center Initiative, established by the 9/11 Commission Act, as well as for DHS’ State and Local Program Management Office (SLPMO), which has managerial responsibility for the SLFC Program and which predates the Act. It begins with a discussion of the specific authority for the Initiative provided within the Act. Then, since the Department’s interactions with fusion centers and the SLPMO existed before the Act passed, the PIA includes a background section examining the underpinnings of the fusion center concept. Next, the PIA catalogs ongoing efforts to infuse privacy into the program, including dissemination of fusion center guidelines respecting individual privacy; support for the Information Sharing Environment (ISE); participation in public outreach; providing privacy training to participants in the Initiative; and steps to embed privacy into programs which are expected to interact with the fusion center Initiative. The PIA then examines how the program’s existing policies and procedures implement the Fair Information Practice Principles (FIPPs). Finally, the PIA examines specific privacy concerns raised by the creation and operation of the Initiative and steps participants have taken to mitigate those concerns. Wherever possible, the PIA includes recommendations the Department and individual fusion centers may take in order to further reduce their impact on the privacy of the American public. [Source] [Full document] [DHS Privacy Policy Guidance memorandum 2008-01: Fair Information Practice Principles]
The Department of Homeland Security’s (DHS) own Chief Privacy Officer says intelligence fusion centers, facilities that collect and process a wide range of information intended to help DHS officials identify terrorist threats, put citizen privacy at risk. According to a memo published online by DHS earlier this month, department CPO Hugo Teufel believes ambiguous authority and oversight, combined with a mix of law enforcement, military, and private participation, means the centers could put privacy at risk. Teufel points out that the risk is only hypothetical, and that no actual privacy abuses are known to have occurred since the centers were established after the 9-11 terror attacks. [Source]
The cost of bypassing long airport security lines has gotten higher, and airlines and airports have joined private registered traveler businesses in reaping the revenue. Frequent fliers enjoy the perk, but not everyone thinks paying to cut to the head of the line improves service or airport security. Last week, United Airlines announced that its customers can pay $25 per trip for the privilege of moving to the front of the line at the ticket counter, in the security line and at the gate at certain airports. This followed an announcement by Southwest Airlines in October that allowed business-fare passengers, who usually pay an extra $15 to $30 per ticket, to go to the front of the security line at select airports. “This is pay to play,” said Michael Boyd, president of Colorado-based Boyd Group International, an airline consulting firm. “In a sense, that’s almost a bribe, because they’re giving money to give people a shorter line for public security in a public security facility. None of it improves security whatsoever. All it does is now make the gateway to security a profit center, or a revenue center, for private companies. And I have a problem with that in a public facility.” [Source] See also: [Schneier: It’s Just “Security Theater”]
The United States Postal Service has resumed its century-old Operation Santa Claus program after making modifications to protect the privacy of those involved, reports the New York Times. The program receives Santa letters from needy children and citizen Secret Santas fulfill their wishes, mailing packages directly to them. The USPS shut down the program abruptly last week when a registered sex offender took one of the letters. Fifteen employees are now responsible for concealing letter-writers’ names and addresses with black ink, and now the post office delivers the gifts using a recipient control number. [Source]
Workplace Privacy
The P.E.I. Department of Transportation has been ordered to apologize to a former employee after it provided incomplete records following an access to information request. The department must also provide training to all of its employees about the province’s Freedom of Information and Protection of Privacy Act. The strongly worded decision came out last week following the investigation of the department’s response to a request from a former employee for all records pertaining to her employment under the province’s freedom of information law. When she got the documents, she complained that a large amount of information seemed to be missing. [Source]
The insider threat issue is undoubtedly creating a stir in the technology world, but do organisations actually take it seriously, and what are they doing to minimise the security risk from employees? The Computer Security Institute (CSI) has found that insider security incidents have now overtaken virus incidents in regards to how much they cost organisations, making it the IT security priority. Unfortunately, there is no single “miracle solution” to solve this problem. As many recent high-profile data leaks have been caused by employee error rather than malicious behaviour or criminal intent, staff training on company IT policies and practices is a good starting point. The other approach is technology, yet security spending is predominantly focused on perimeter solutions which will regrettably be of little use in protecting your organisation from internal data loss. [Source]
Hawaii public school teachers signed off on first-in-the-nation statewide random drug testing in exchange for pay raises, but now the state claims the educators are trying to take the money and run. Since the teachers’ union approved the pact nearly two years ago, they’ve accepted the 11% boost in pay while fighting the random tests as an illegal violation of their privacy rights. No teacher has been tested. The union says it didn’t consent to truly random drug testing in the contract, which says the parties “agree to negotiate reasonable suspicion and random drug and alcohol testing procedures.” The union’s definition of “random” is limited to a pool of teachers who go on field trips, work with disabled children, are frequently absent or have criminal records. “Random testing isn’t going to suddenly increase test scores,” said Mike McCartney, executive director for the Hawaii State Teachers Association. “This is a huge distraction from how to make our schools better.” [Source]
+++