Privacy News Highlights

19–31 December 2008

 

Contents:

US – DHS to Expand US-VISIT Biometric Collection

WW – Survey by Biometrics Vendor Finds Biometric ID Verification Gaining Approval

JP – Million Dollar Border Security Machines Fooled with Ten Cent Tape

CA – Judge Orders CSIS to Stop Listening to Calls Between Suspects and Lawyers

CA – Radwanski Verdict Delayed

US – Security Breach Found in NY Child Abuse Records

EU – Irish Spammers Will Face Fines Up to €250,000

US – Healthcare Compliance Gets Boost From National HHS Privacy Framework

WW – Web Browser Flaw Could Put E-Commerce Security at Risk

WW – Researchers Show “MD5 Secure” Sites May Not Be Safe

EU – New Mandates for EDPS: Peter Hustinx Reappointed as Supervisor

EU – Sloppy Data Protection Practices Expose Naughty, Nice

EU – Official Raises Doubts Over Data Privacy in Germany

EU – Google Privacy Chief Joins E.U. Commission Privacy Advisory Body

EU – European Union Voices Concern Over Inadequacy of Privacy Bill

UK – Government Departments Losing A Computer Every Day

EU – Dutch DPA Approves Transit Card

AU – Mandatory Internet Filtering In Australia Slammed

US – Wall Street Bailout Spawns Subsidy Database

US – U.S. Set to Expand DNA Collections

US – Bush and Lawmakers Sneak a National Baby DNA Databank into Existence

US – Washington State to Consider DNA Law

US – RBS WorldPay Breach: 1.5 Million Individuals Affected

US – Top 10 Security Breaches of 2008

CA – Alberta Privacy Commissioner Gives Advice on Returning Gifts

UK – UK’s Database Plan Condemned by Europe

US – Georgia Sex Offenders Must Hand Over Online Passwords

WW – Browser Privacy Tools May Be Less than Effective

JP – Google StreetView Privacy Protest in Japan

UK – Google Street View Set for Spring Launch in U.K.

CH – Man, Website Fined In 1st Chinese Online Harassment Case

ES – Estonia: Debt Collector to Publish Debtors on Outdoor Posters

US – Napolitano, Obama’s DHS Pick, Not Friendly to Privacy

US – Coalition Letter to President-elect Obama on the Future of Privacy

US – Cops Hopeful for Tech Support from Obama Admin

US – Facebook Privacy Chief Eyes California Auditor-General Office

US – Wisconsin Court: Nude People Still Have Privacy Rights

US – With Lawsuit Settled, Hackers Now Working With MBTA

WW – Hundreds of Stolen Data Dumps Found: Study

CA – High-Tech Credit Cards Latest Crime-Fighting Tool

US – NSA Patents a Way to Spot Network Snoops

CA – Winnipeg New On-Board Cameras Ensure Safer Trips for Transit Commuters

UK – CCTV Used to ‘Spy’ On Pupils in Schools

US – Pennsylvania City Council’s Cell Phones Not Public Record, Court Rules

US – PIA for DHS State, Local, and Regional Fusion Center Initiative Released

US – DHS CPO: Fusion Centers Put Citizen Privacy at Risk

US – Fee-Paying Air Travelers Turning Security Lines Into Moneymakers

US – NY Post Office Reopens Santa Program With Privacy Controls

CA – P.E.I. Government Falsified Worker’s Job Record: Privacy Commissioner

WW – IT Security and the Insider Threat Issue

US – Hawaii Attempts Random Drug Tests of Teachers

 

 


Biometrics

 

US – DHS to Expand US-VISIT Biometric Collection

Starting next month, the Department of Homeland Security (DHS) will expand its collection of biometric data through the US-VISIT (Visitor and Immigrant Status Indicator Technology) program. DHS will capture the digital fingerprints and photographs of lawful permanent residents, immigrant visa applicants, those seeking asylum and some Canadian citizens, among others traveling to and from the U.S. The data will be used for security screening purposes. The president of the American Immigration Lawyers Association says the expanded collection program “borders on the absurd.” [Source] See: [Sagem Morpho Biometric Face Recognition System Leads to First Arrest] and [NO Exit: Trouble fielding a system to track foreign visitors’ departures illustrates the complicated policy picture homeland security has become]

 

WW – Survey by Biometrics Vendor Finds Biometric ID Verification Gaining Approval

Consumers are willing to undergo biometric testing in order to help combat identity verification fraud, according to a survey by Unisys. Two-thirds of consumers who took part in the survey said that they were happy to have their fingerprints scanned for ID authentication purposes. The most trusted identity verification measure was personal password protection, with 68% preferring this form of ID authentication. “Fears about fraud and ID theft clearly aren’t going away. Adoption of biometric ID verification is one solution where we see widespread consumer support, although many organisations have yet to embrace this technology as an effective way to protect data and identities,” said the VP of Unisys global identity and credentialing practice. Research commissioned for National Identity Fraud Prevention Week, which took place in October, found that 75% of workers are not confident that their workplace does enough to protect sensitive identity verification data from falling into the wrong hands. [Source]

JP – Million Dollar Border Security Machines Fooled with Ten Cent Tape

A South Korean woman managed to fool a million-dollar fingerprint reading machine in Japanese border controls using a simple piece of tape stuck to her fingers. It happened at Tokyo airport. The woman has repeatedly entered Japan using the same trick without anybody noticing. Japanese officials say that they suspect many others have been doing the same thing, demonstrating that the biometric systems they installed in 30 airports in 2007—to the tune of $45 million—are completely useless. The woman was deported in July 2007 for illegally staying in Japan as a bar hostess in Nagano, but she entered again with the system, using the tape and a fake passport allegedly provided by a South Korean broker. [Source]

 

Canada

 

CA – Judge Orders CSIS to Stop Listening to Calls Between Suspects and Lawyers

A Federal Court judge issued an order to Canada’s spy agency to cease intercepting telephone conversations between terrorism suspects and their defence lawyers, and delete any conversations its agents inadvertently record. Carolyn Layden-Stevenson’s order came after documents she released in a Toronto court earlier in the day revealed that the Canadian Security Intelligence Service had been monitoring the calls to ensure the suspects don’t breach stringent bail conditions. Lawyers defending terrorism suspects expressed outrage at the spy service’s actions. [Source] See also: [Geist: The Year in Canadian Technology Law and Policy]

 

CA – Radwanski Verdict Delayed

A verdict in the trial of former privacy commissioner George Radwanski and his former chief of staff Arthur Lamarche won’t come until February. Radwanski and Lamarche face charges of fraud and breach of trust. A verdict was expected Friday, but instead, Justice Hugh L. Fraser of the Ontario Court of Justice announced that the trial will be delayed until February 13, 2009. [Source]

                                                                             

E-Government

 

US – Security Breach Found in NY Child Abuse Records

New York State Inspector General Joseph Fisch says he’s uncovered serious deficiencies at the Statewide Central Register of Child Abuse and Maltreatment (Register) and is recommending legislative and departmental changes to improve confidentiality. The Register is overseen by the New York State Office of Children and Family Services (OCFS). In a 33-page report, Fisch revealed several findings related to a breach of the Register’s confidentiality. Also known as the “Hotline,” the Register receives calls reporting alleged child abuse. Such reports are confidential under state law. [Source] [Report] See also: [Lack of coordination a stumbling block to e-Governance]

 

E-Mail

 

EU – Irish Spammers Will Face Fines Up to €250,000

The Irish government has passed legislation aimed at reducing spam and other unsolicited emails. Spam complaints in Ireland have increased eight-fold since 2005; last year the data protection commissioner’s office fielded 538 complaints. Under the new regulations, sending unsolicited mail for direct marketing purposes will be an indictable offence and violators will face fines up to €250,000 or 10 percent of a company’s turnover. Data Protection Commissioner Billy Hawkes will enforce the new rules. “Such communication is a serious invasion of our privacy,” said Minister for Communications Eamon Ryan. “Spam is spam and it has no future.” [Source]

 

Electronic Records

 

US – Healthcare Compliance Gets Boost From National HHS Privacy Framework

New Medicare provisions for digital prescriptions and expanded HIPAA influence, quietly put forth in a Health and Human Services framework earlier in December, mean more organizations will need to grapple with healthcare compliance issues protecting patient information in 2009. The e-prescription program will include incentives in 2009 and begin including disincentives for continued paper use in 2012. The Health Insurance Portability and Accountability Act (HIPAA) may soon cover not just healthcare organizations but also providers of electronic personal health records (EPHRs), which belong to the patient rather than the medical establishment and are hosted by a number of commercial services, such as Microsoft’s HealthVault and Google Health. This New Year’s Day, Medicare will launch an “e-prescribing incentive plan,” offering doctors bonus payments for prescribing medicine electronically. And starting in 2012, Medicare will penalize doctors who continue to write prescriptions on paper. The program, defined by Section 132 of the Medicare Improvements for Patients and Providers Act of 2008 (MIPPA), and MIPPA itself mean challenges for CIOs. In an effort to provide guidance, the HHS released on Dec. 15 the National Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. HHS intends the new framework to provide guidance to both medical and IT professionals addressing privacy and security concerns related to EPHRs exchanged in a network, regardless of the specific healthcare compliance requirements applicable to a particular organization. The framework provides policy guidelines and a set of principles but does not enshrine them in a legal directive. Congress may adopt the principles in a codified form if proposed e-health legislation from President-elect Barack Obama’s incoming administration passes. [Source]

 

Encryption

 

WW – Web Browser Flaw Could Put E-Commerce Security at Risk

A key piece of Internet technology that banks, e-commerce sites, and financial institutions rely on to keep transactions safe suffers from a serious security vulnerability, an international team of researchers has announced. They demonstrated how to forge security certificates used by secure Web sites, a process that would allow a sufficiently sophisticated criminal to fool the built-in verification methods used by all modern Web browsers--without the user being alerted that anything was amiss. The problem is unlikely to affect most Internet users in the near future because taking advantage of the vulnerability requires discovering some techniques that are not expected to be made public as well as overcoming engineering hurdles: performing the initial digital forgery consumed approximately two weeks of computing time on a cluster of 200 PlayStation 3 consoles. In addition, a criminal needs to find a way to reroute traffic from a legitimate Web site to his own, perhaps through techniques that have become well-known in the last few years. Yet if one group can do it today, others eventually will. “We have a proof-of-concept that allows us to impersonate any supposedly secure Web site on the Internet,” said David Molnar, a doctoral student in computer science at the University of California at Berkeley. [Source] [Source]

 

WW – Researchers Show “MD5 Secure” Sites May Not Be Safe

U.S. and European researchers have demonstrated that digital certificates using the MD5 algorithm can be faked. While some https sites are moving away from MD5, virtually all browsers still accept those “secure” certificates. The researchers used a cluster of Sony PlayStation 3s to create certificates in three days instead of an estimated 30 years. [Source]

 

EU Developments

 

EU – New Mandates for EDPS: Peter Hustinx Reappointed as Supervisor

The European Parliament and the Council have reappointed Peter Hustinx as European Data Protection Supervisor (EDPS). Hustinx will begin serving his second five-year term early next year. Giovanni Buttarelli was appointed assistant supervisor for the same term. Buttarelli has served as secretary general of the Italian Data Protection Authority since 1997. [Source]

 

EU – Sloppy Data Protection Practices Expose Naughty, Nice

Father Christmas has been arrested and arraigned on a contravention of the UK Data Protection Act. Investigators discovered a list of the world’s children categorised by who is “naughty” and who is “nice.” It appears the list was compiled without the consent of the children. “This is a clear breach of the 1988 Data Protection Act,” said Detective Inspector Phil Inne. The list is described as a “gold mine” of consumer information, including the addresses and wishes of children worldwide. Computerised records are new for Santa, who previously stored the information on less accessible reindeer hides. [Source] See also: [He sees you when you’re sleeping, he knows when you’re awake]

 

EU – Official Raises Doubts Over Data Privacy in Germany

A number of privacy breaches and scandals affecting Germany and its citizens have prompted that country’s commissioner for data protection, Peter Schaar, to voice his concerns over the way companies treat personal data and the national state of privacy protection. Schaar recently told news agency DDP, “Every day, huge masses of data about us is saved--when we make phone calls, when we use the internet, on video cameras. I think it’s quite disturbing that big companies don’t take data protection seriously at all.” [Source]

 

EU – Google Privacy Chief Joins E.U. Commission Privacy Advisory Body

Google’s privacy law expert has been appointed to a committee which will advise the European Commission on data protection policy. Google has previously clashed with EU privacy watchdogs on data protection issues. Google’s global privacy counsel Peter Fleischer is one of five members of the Data Protection Expert Group (DPEG), which the Commission said was a temporary and informal expert group. Fleischer will be joined by a German and a Belgian lawyer, the chairman of the Dutch data protection authority and chip maker Intel’s director of security policy, David Hoffman. The appointments mean that two of the five expert group members will be senior US executives. The group intends to meet five times next year and will inform the Commission of any issues it sees emerging which might have implications for data protection policy. The group’s mandate is to assist in the preparation of legislation in the data protection area, and to help it in the definition of its policy. [Source]

 

EU – European Union Voices Concern Over Inadequacy of Privacy Bill

The European Union has criticized a bill on the protection of private data, a piece of legislation that has been given priority in Turkey’s efforts for greater harmonization with EU legislation, saying that the scope of exceptions mentioned in the bill is so vast and ambiguous that it will be insufficient to prevent abuse. EU Counterterrorism Coordinator Gilles de Kerchove recently paid a visit to the parliamentary EU Harmonization Commission and stated that in order for Turkey to aid international counterterrorism efforts, it should pass the bill in the shortest time possible. He noted, however, that the bill has numerous ambiguous exceptions and that they have concerns that this may lead to racial discrimination. [Source]

 

Facts & Stats

 

UK – Government Departments Losing A Computer Every Day

More than 2,800 computers belonging to Whitehall departments have been mislaid or stolen since 2002, the equivalent of more than 7 per week, new figures disclosed. The total included 1,774 laptops and 1,035 desktop systems. The figures also showed that 676 mobile phones have been lost or stolen over the past seven years. Meanwhile, 202 hard drives and 195 memory sticks also went missing. The Ministry of Defence was the most careless with its computers, the figures showed. About three computers were stolen every week from the department, including more than 1,000 laptops and 164 desktop systems. The Department for Work and Pensions was also shown to have lost almost 1,100 computers. The figures were uncovered by Paul Holmes, the Liberal Democrat home affairs spokesman. Mr Holmes told The Sun: “Everyone understands things go astray, but it’s truly staggering that over seven years a laptop has been lost every working day. It demonstrates a culture of carelessness that ministers have done nothing to curtail.” He added that the figures were evidence that the Government “can’t be trusted with our personal information”. [Source]

 

EU – Dutch DPA Approves Transit Card

After three years of denials, the Netherlands’ Data Protection Authority has given approval to a digital transit smart card for use by Rotterdam Metro. The DPA, which had previously expressed concern that the OV-chipkaart did not provide enough privacy protections, said it is now satisfied that the card cannot be used to pinpoint the location of travelers and that users’ personally identifiable information will not be put at risk by the card. Use of the cards will become compulsory on January 29, 2009. [Source]

 

Filtering

 

AU – Mandatory Internet Filtering In Australia Slammed

Plans for a mandatory internet filter to protect Australians from child pornography have been slammed by civil liberties groups as draconian, misleading and a possible invasion of privacy. Communications Minister Stephen Conroy had originally flagged a test of a filter that would block a list of banned websites. But plans to trial technology that will block file-sharing, the primary means for sharing video, pictures and audio over the internet, have provoked outrage. It is understood that a technique known as “packet inspection” would be used to monitor and filter file-sharing networks, sparking fears that individual user privacy would be breached. Hundreds of comments critical of the filtering plan were posted on a blog run by Senator Conroy’s department. Civil Liberties Australia director Lance Williamson said a packet inspection could be a possible invasion of privacy. “What you are really talking about [with file sharing] is akin to Australia Post opening our mail,” he said. [Source]

 

FOI

 

US – Wall Street Bailout Spawns Subsidy Database

The Pew Charitable Trusts launched Subsidyscope, an effort to aggregate information on federal subsidies from multiple sources into a comprehensive, searchable, open-source database. Government transparency group Sunlight Foundation joins Pew as its technology partner responsible for constructing the technical infrastructure, compiling data and building Subsidyscope’s database. When Congress approved the $700 billion Emergency Economic Stabilization Act in October to bail out Wall Street, it marked a major expansion of the government’s role in the markets. Unfortunately, as taxpayers have already discovered, just who got what out of the bailout is still unknown, even to members of Congress. The Pew Charitable Trusts hopes to change all that, announcing Dec. 15 it plans to develop a publicly accessible database called Subsidyscope to focus public and policymaker attention on the size and scope of all federal subsidies. Pew said it would release regular reports, aggregating and analyzing subsidies to various industry sectors. Pew has engaged the Sunlight Foundation, a government transparency group, to construct the technical infrastructure, compiling data and building Subsidyscope’s database. Among Sunlight’s other projects are PublicMarkup.org, which seeks to open legislation to online and public review; Earmark Watch, an open review of Washington spending; and OpenCongress, a government transparency effort with news and blogging about Capitol Hill. “This project represents an exciting opportunity to shine a light on various ways that increasingly scarce federal resources are being spent,” Ellen Miller, co-founder and executive director of the Sunlight Foundation, said in a statement. “While we don’t know precisely what the project will find, as Supreme Court Justice Louis Brandeis famously said, ‘Sunlight is the best disinfectant.’” [Source]

 

Genetics

 

US – U.S. Set to Expand DNA Collections

The U.S. government plans to expand its collection of DNA samples to include persons who have not been convicted of crimes. Beginning next month, those arrested on federal charges and illegal immigrants will be subject to DNA collection, the report states. The genetic samplings will be stored in the National DNA Index System database. Civil rights advocates argue that the new policy will subject innocent people to privacy invasions. But the Justice Department says it is necessary in order to investigate crimes and prevent terrorism. A Justice Department spokesperson said the samples “are subject to stringent privacy protections...” [Source] See also: [We need better guidelines for collecting DNA samples] and [DNA archiving could incriminate the innocent]

 

US – Bush and Lawmakers Sneak a National Baby DNA Databank into Existence

The bill states that the federal government should “continue to carry out, coordinate, and expand research in newborn screening” and “maintain a central clearinghouse of current information on newborn screening... ensuring that the clearinghouse is available on the Internet and is updated at least quarterly.” Sections of the bill also make it clear that DNA may be used in laboratory experiments and tests. While most Americans were bombarded with news coverage regarding the presidential race without end, President George W. Bush almost silently signed a Senate bill that would change America forever. S.1858 allows the federal government to screen the DNA of all newborn babies in the United States. According to the legislation, the new law must be implemented within 6 months of Bush’s bill signing in April 2008. According to police experts, this infant DNA collection is now being carried out by individual states and sample DNA is being submitted to the feds. Congressman Ron Paul states that this bill is the first step towards the establishment of a national DNA database. [Source]

 

US – Washington State to Consider DNA Law

A Washington State legislator has announced plans to introduce legislation that would permit Washington law enforcement agencies to begin collecting DNA samples from individuals arrested on felony charges. Washington currently allows DNA samples to be collected from individuals convicted of a crime. Rep. Mark Miloscia’s proposed bill would mirror a new federal law taking effect on January 9, 2009. A similar bill filed by Miloscia failed this year over cost and civil liberty concerns. “We take their fingerprints, their pictures and their address when they are arrested,” Miloscia said. “What’s wrong with taking their DNA?” [Source]

 

Horror Stories

 

US – RBS WorldPay Breach: 1.5 Million Individuals Affected

Electronic payment processing service RBS WorldPay last week disclosed a data breach affecting 1.5 million cardholders. Atlanta-based RBS WorldPay processes electronic payments, such as debit, credit and ATM transactions. It also processes gift card and payroll card transactions. An unauthorized user accessed the company’s computer system, and personal information of 1.5 million gift card and payroll cardholders may have been compromised, a company spokesman told SCMagazineUS.com on Monday. Personal information of payroll cardholders - including names, addresses, dates of birth, Social Security numbers - may have been accessed. The compromised data includes the Social Security numbers of as many as 1.1 million users, the company said in a statement on its website. [Source]

 

US – Top 10 Security Breaches of 2008

1. TJX Case Winds Up, Arrests Made

2. Bank of New York Mellon

3. Hannaford Data Breach

4. Countrywide Insider Theft

5. GE Money Backup Tape Goes AWOL

6. RSA Report: Half-Million Banking ID’s Stolen

7. Compass Bank Hard Drive Stolen, 1 Million Accounts Taken

8. Ski Resort Okemo Suffers Hannaford-Like Data Breach

9. Retailer Montgomery Ward

10. More Than $5 Million Taken By ATM Capers [Source]

 

Identity Issues

 

CA – Alberta Privacy Commissioner Gives Advice on Returning Gifts

For the hundreds of thousands of Albertans out bargain hunting and returning presents this week, the province’s Information and Privacy Commissioner has a warning ... be careful about giving stores your driver’s licence. Commissioner Frank Work says more and more companies are writing down customers’ driver’s licence numbers and sometimes even photocopying the licence. Work says retailers are usually just trying to prevent fraud, but they could actually be exposing their customers to potential identity theft. He says most companies do not need to record this information and could actually be breaking Alberta’s privacy laws. [Source]

 

Internet / WWW

 

UK – UK’s Database Plan Condemned by Europe

Britain must rethink plans for a database holding details of every email, mobile phone and internet visit, Europe’s human rights commissioner has said in an outspoken attack on the growth of surveillance societies. Thomas Hammarberg said that UK proposals for sweeping powers to collect and store data will increase the risk of the “violation of an individual’s privacy”. Plans for the database of emails, phone calls and internet visits are to be published by the Home Office in January. These proposals have already been described by the Government’s own terrorism-law watchdog as “awful” and attacked by civil liberty groups for laying the basis of a Big Brother state. Chris Huhne, the Liberal Democrat spokesman on home affairs, supported Mr Hammarberg’s criticism, saying: “A major database for email, mobile phone calls and the internet would be an astonishing and Orwellian step. 1984 was supposed to be a warning, not a blueprint.” [Source] See also: [UK: Private firm may track all email and calls]

 

Online Privacy

 

US – Georgia Sex Offenders Must Hand Over Online Passwords

Privacy advocates are questioning an aggressive Georgia law set to take effect that would require sex offenders to hand over Internet passwords, screen names and e-mail addresses. Georgia joins a small band of states complying with guidelines in a 2006 federal law requiring authorities to track Internet addresses of sex offenders, but it is among the first to take the extra step of forcing its 16,000 offenders to turn in their passwords as well. A federal judge ruled in September that a similar law in Utah violated the privacy rights of an offender who challenged it, though the narrow ruling only applied to one offender who had a military conviction on sex offenses but was never in Utah’s court or prison system. No one in Georgia has challenged the law yet, but critics say it threatens the privacy of sex offenders and burdens cash-strapped law enforcement officials. “There’s certainly a privacy concern,” said Sara Totonchi of the Atlanta-based Southern Center for Human Rights. “This essentially will give law enforcement the ability to read e-mails between family members, between employers.” [Source]

 

WW – Browser Privacy Tools May Be Less than Effective

New research by iSec Partners in San Francisco suggests that some browser privacy tools may not be that effective in helping users protect their privacy online, according to the New York Times’ Bits blog. Researcher Kate McKinley ran a number of the applications through their paces and, in a paper published this week, wrote that Apple’s Safari browser had a number of problems when run with the Mac OS X operating system, and offered no privacy protection when run on Microsoft Windows XP. McKinley also reported that none of the four browsers tested offered privacy protection for users of Adobe’s popular Flash media plug-in. [Source]

 

Other Jurisdictions

 

JP – Google StreetView Privacy Protest in Japan

A group of Japanese lawyers and professors says Google’s Street View violates basic privacy rights, and wants the service shut down. The Kanshi Shakai o Kyohisuru Kai (Campaign Against Surveillance Society), a group of Japanese lawyers and professors led by Sophia University constitutional law professor Yasuhiko Tajima, has asked Internet giant Google to shut down Google Street View on the grounds that it violates basic privacy rights. Tajima wants Google Street View shut down and all its images deleted on the basis they violate the privacy of anyone whose photograph appears in the service. Street View has sparked its share of privacy complaints, as some people claim they were photographed by Google and can be identified; well-known cases include sunbathers and an individual seen exiting a strip club in San Francisco. Similar complaints about the service have been made in the United States and Europe. Google takes some care to anonymize individuals appearing in Street View photos, blurring faces, license plates, and other sensitive information in the photos available to the public. Nonetheless, it would still be possible for a knowledgeable person to recognize vehicles, individuals, and activities shown in many Google Street View images; in some cases it is even possible to determine the date and time Google snapped its photos. Google has not responded publicly to the complaints. [Source]

 

UK – Google Street View Set for Spring Launch in U.K.

Google’s controversial “Street View” service, which provides a 360-degree street level view of cities around the globe, is set to launch in the U.K. this coming spring when London, Edinburgh, Manchester and Birmingham are added to the list. British privacy watchdog group Privacy International is already on the record as believing that Street View operates in violation of data protection laws and is likely to file a complaint with the Information Commissioner’s office. Street View already offers visual tours of cities in the U.S., France, Italy, Japan and Spain. [Source]

 

CH – Man, Website Fined In 1st Chinese Online Harassment Case

A man and a website were fined by a Beijing court for their involvement in the country’s first online harassment lawsuit. The fines were for invading the plaintiff’s privacy and tarnishing his reputation through online activities that included displaying his personal information for public viewing and abuse. The defendant and the website were also ordered to immediately delete contents they had posted online that invaded privacy and harmed his reputation, as well as publish apologies for their actions online. [Source]

 

ES – Estonia: Debt Collector to Publish Debtors on Outdoor Posters

Estonian debt collection agency CKE Inkasso has adopted a new approach in reclaiming debt by publishing names of debtors on large outdoor posters. The company’s board member Raul Reinsalu told Postimees that the first 35-square-metre poster will be unveiled on a building wall at a large traffic junction in Tallinn on January 5. The poster will have the names of ten companies and their executives. Reinsalu added that the company was going to hang out only the names of those debtors that were arrogant or refused to cooperate. According to the debt collection agency, the Data Protection Inspectorate has informed them that they are not against publishing the names of debtors in public since the information is taken from a public source such as a commercial registry. [Source]

 

Privacy (US)

 

US – Napolitano, Obama’s DHS Pick, Not Friendly to Privacy

Gov. Janet Napolitano - President-elect Barack Obama’s pick to run the Homeland Security Department - has strongly advocated using advanced security technology as a law enforcement tool, drawing praise from police and raising concern among civil liberties groups that warn about privacy invasion. As Arizona’s Democratic governor since 2003, Napolitano has:

• Pushed state police to use cameras that scan license plates of moving cars to find vehicles that are stolen or linked to a criminal suspect.

• Promoted “face-identification” technology that could help surveillance cameras find wanted people by comparing someone’s face with a photo database of suspects.

• Signed a 2007 bill making Arizona one of 12 states that collect and store DNA samples of people accused but not convicted of certain crimes, including murder, burglary, sexual assault and prostitution.

• Proposed an optional state ID for legal citizens only that features a radio-frequency chip to allow authorities to read the card. State lawmakers blocked the effort this year.

“She sees technology as the panacea of all our law enforcement problems and immigration issues,” said Alessandra Soler Meetze, head of Arizona’s American Civil Liberties Union chapter. “It’s like she’s embracing these technologies without taking the time to appreciate the privacy implications.” [Source]

 

US – Coalition Letter to President-elect Obama on the Future of Privacy

Thirty privacy, consumer, and civil liberties organizations sent a letter to President-elect Barack Obama on the importance of protecting privacy in the next administration. The organizations support the incoming president’s expressed positions on privacy, consumer rights, and civil liberties. President-elect Obama stated support for strengthening privacy protection by harnessing the power of technology to hold government and businesses accountable for violations of personal privacy. The coalition said that “[t]here is a clear need to address the spiraling problems of identity theft, security breaches, and the commercialization of personal information.” [Source]

 

US – Cops Hopeful for Tech Support from Obama Admin

Police groups are hopeful that they will find increased support for the use of security technologies, including DNA databases, under Barack Obama’s presidency. Police groups point to the record of Department of Homeland Security secretary nominee Janet Napolitano, who has supported broader use of surveillance and other security technologies while serving as governor of Arizona, as the reason for their optimism. The ACLU is less positive about Napolitano’s prospects, stating “It’s like she’s embracing these technologies without taking the time to appreciate the privacy implications.” [Source]

 

US – Facebook Privacy Chief Eyes California Auditor-General Office

Facebook Chief Privacy Officer Chris Kelly is eyeing the California attorney general seat. He is expected to declare his candidacy for the 2010 general election soon. According to the report, Kelly will leave Facebook in June in order to campaign. [Source]

 

US – Wisconsin Court: Nude People Still Have Privacy Rights

A state appeals court ruled Tuesday that a person who is voluntarily nude in the presence of another still has privacy rights against being secretly videotaped, in a decision that bolsters Wisconsin’s video voyeur law. The ruling upholds the felony guilty plea of Mark Jahnke, who videotaped his girlfriend while she was naked and while they were having sex. He argued in his appeal that because the woman agreed to be naked around him, she had no reasonable expectation of privacy. The state Department of Justice argued that shared intimacy does not give a person the right to film another unknowingly. [Source]

 

RFID

 

US – With Lawsuit Settled, Hackers Now Working With MBTA

Three Massachusetts Institute of Technology students who were sued earlier this year by the Massachusetts Bay Transit Authority (MBTA) said that they are now working to make the Boston transit system more secure. The announcement brings to a close a high profile case that pitted the rights of security researchers to freely discuss their findings against the concerns of one of the country’s largest transit systems, which worried that this type of information could lead to widespread ticket fraud. Zack Anderson, along with Russell “RJ” Ryan and Alessandro Chiesa, was prevented from giving a talk entitled “The Anatomy of a Subway Hack: Breaking Crypto RFIDs & Magstripes of Ticketing Systems” at the Defcon hacker conference last August. The students had planned to show that they had reverse engineered the MBTA’s CharlieTicket magnetic stripe tickets and CharlieCard smartcards. The CharlieCard uses the same Mifare Classic RFID technology that was cracked earlier this year by security researchers. The MBTA had argued that the presentation could have caused “significant damage” to the transit system, but the students had said that they had no intention of releasing key pieces of information that would have allowed people to hack the system. [Source]

 

Security

 

WW – Hundreds of Stolen Data Dumps Found: Study

A comprehensive new study that peers into huge troves of financial data stolen by cyber thieves confirms what experts have surmised from looking at much smaller, isolated caches of digital loot: that criminals can make hundreds, even thousands, of dollars a day selling data stolen with the help of widely available software toolkits. Recent reports by security firms have shown that stolen identities, bank accounts and credit card numbers are sold in bulk every day in shadowy online forums, often for pennies on the dollar. In its analysis, Symantec found in 2007 that the going rate for the keys to assuming someone else’s identity was between $14 and $18 per victim. Those reports drew their conclusions either from examining a single cache of stolen data or from watching transactions between cyber thieves. But a report released by researchers at the University of Mannheim, Germany, offers a disturbing glimpse at the sheer abundance of this stolen data. The researchers used “honeynets,” or distributed networks of dummy computers that were set up to be hacked, so that they could gather intelligence about the attack patterns and methods used by cyber criminals. Their findings, which drew from stolen data harvested from 300 drop zones between April and October 2008, were staggering: 33 gigabytes worth of purloined data from more than 170,000 victims. Included in those troves were more than 10,700 online bank account credentials, 149,000 stolen e-mail credentials, 5,682 credit card numbers, and 5,712 sets of eBay credentials. Using figures from Symantec’s 2007 study on the prices that these credentials can fetch at e-crime bazaars, the researchers estimate that a single cyber crook using one of these kits could make a tidy daily income. “We found that criminals can easily make a few hundred to a few thousand bucks a day from selling this stuff,” said the founder of the German Honeynet Project. “We weren’t able to access 230 of the drop sites we found, so the real number of victims and stolen credentials is probably many times what we were able to see.” [Source] [Report] See also: [IT security resellers faced new kinds of threats in 2008] and [How to improve cybersecurity: Ask hackers]

                            

Smart Cards

 

CA – High-Tech Credit Cards Latest Crime-Fighting Tool

Holders of CIBC, Royal Bank Visa and BMO Mastercard credit cards are the first to receive the latest in crime-fighting technology – new cards with a computer chip embedded in them. The chip is replacing the 30-year-old magnetic stripe technology. Hundreds of millions of dollars are being spent to replace “mag stripes,” which are outdated and all-too-susceptible to card skimmers, who can copy the stripe’s data and make duplicate cards, often right under their victims’ noses. This kind of fraud costs financial institutions about $100 million a year. Chip cards, which essentially have a small computer in them, use lengthy encryption keys that are unique to each card. Issuers say the keys can be enlarged as time goes on, to make them even more difficult for fraudsters to crack. Visa Canada said “a couple million” chip cards have been sent out across Canada thus far, but that number is expected to increase by more than seven-fold a year from now. The difference from the old technology is consumers will no longer have to hand over their card to a merchant to be swiped. Instead, they’ll insert it in a card reader for the duration of their transaction, punch in a personal identification number, or PIN – just like with their debit card – and pull it out once it’s approved. No signature is required. [Source]

 

Surveillance

 

US – NSA Patents a Way to Spot Network Snoops

The U.S. National Security Agency has patented a technique for figuring out whether someone is tampering with network communication. The NSA’s software does this by measuring the amount of time the network takes to send different types of data from one computer to another and raising a red flag if something takes too long, according to the patent filing. Other researchers have looked into this problem in the past and proposed a technique called distance bounding, but the NSA patent takes a different tack, comparing different types of data travelling across the network. “The neat thing about this particular patent is that they look at the differences between the network layers,” said an assistant professor of computer science at the University of Washington. The NSA did not answer questions concerning the patent, except to say, via e-mail, that it does make some of its technology available through its Domestic Technology Transfer Program. The patent, granted Tuesday, was filed with the U.S. Patent and Trademark Office in 2005. It was first reported Thursday on the Cryptome Web site. [Source]

 

CA – Winnipeg New On-Board Cameras Ensure Safer Trips for Transit Commuters

Winnipeg has announced that a state-of-the-art audio/video surveillance system is being installed on 130 buses to assist Winnipeg Transit in providing a safer environment for their customers and employees. It is anticipated that the City’s entire fleet of 535 buses will have the cameras installed by the end of 2009. The audio/video surveillance system is expected to increase safety on buses by acting as a deterrent to anyone with criminal intentions. It will also aid in the investigation of incidents that may have taken place. Each bus will be equipped with up to five cameras and a digital recording device to continuously monitor on-board activities from a variety of angles. The system also has the capability to continuously record audio. Signage will be posted inside the buses to advise occupants their activities are under audio and video surveillance. The funding of $2.9 million for the installation of the audio/video surveillance system is made possible through a federal-provincial partnership. [Source] See also: [Toronto security camera project coming to an end] and also: [Video technology creates a few very-public lives: Broadcasting Your Life, and the Lives of Others]

 

UK – CCTV Used to ‘Spy’ On Pupils in Schools

Big Brother-style CCTV cameras and microphones are being used in schools to “spy” on children as young as four. The surveillance equipment is in use in around 85 primary and secondary schools and colleges across the country. Classwatch, the company behind the system, says it is being used as a way to monitor children who are disrupting lessons. The firm said the equipment, which is sold with evidence bags approved by the Crown Prosecution Service to store material for court cases, can be used to compile “proof” of wrongdoing. The system includes ceiling-mounted microphones and cameras and a hard drive recorder housed in a secure cabinet. Data protection watchdog the Information Commissioner has warned the surveillance may be illegal and demanded to know why schools are using it. Classwatch said the devices act as “impartial witnesses” which can provide evidence in disputes and curb bullying and unruly behaviour. They can also be used to protect teachers against false allegations of abuse and provide evidence acceptable in court, it said. Andrew Jenkins, the firm’s director, said: “The system can be turned on and turned off as they wish.” [Source] See also: [Child-tracking devices raise privacy issues] and also: [Child Safety Marketing Births Privacy Fears]

                                                          

Telecom / TV

 

US – Pennsylvania City Council’s Cell Phones Not Public Record, Court Rules

The Pennsylvania Supreme Court has ruled that cell phone bills of Pittsburgh City Council members are not public record. In an opinion published Thursday, the state’s highest court affirmed a Commonwealth Court ruling that the cell phone records of former council members Len Bodack and Barbara Burns are not available to the public under the state’s Right-to-Know Law. Seeking that the records be made public, the Tribune-Review newspaper filed suit in 2003 against Mr. Bodack, Ms. Burns and the City of Pittsburgh. Justice Seamus P. McCaffery, writing for the majority, said that revealing phone numbers of people who call or are called by council members could be a violation of privacy. Council members argued that constituents call them to report illegal activity, and revealing those people’s identities could invite retaliation. Those concerns, Justice McCaffery wrote, are not outweighed by the numbers’ potential benefit to the public. [Source]

 

US Government Programs

 

US – PIA for DHS State, Local, and Regional Fusion Center Initiative Released

This PIA examines the privacy implications of the State, Local and Regional Fusion Center Initiative, established by the 9/11 Commission Act, as well as for DHS’ State and Local Program Management Office (SLPMO) which has managerial responsibility for the SLFC Program, and which predates the Act. It begins with a discussion of the specific authority for the Initiative provided within the Act. Then, since the Department’s interactions with fusion centers and the SLPMO existed before the Act passed, the PIA includes a background section, examining the underpinnings of the fusion center concept. Next, the PIA catalogs ongoing efforts to infuse privacy into the program including dissemination of fusion center guidelines respecting individual privacy; support for the Information Sharing Environment (ISE); participation in public outreach; providing privacy training to participants in the Initiative; and steps to imbed privacy into programs which are expected to interact with the fusion center Initiative. The PIA then examines how the program’s existing policies and procedures implement the Fair Information Practice Principles (FIPPs). Finally, the PIA examines specific privacy concerns raised by the creation and operation of the Initiative and steps participants have taken to mitigate those concerns. Wherever possible, the PIA includes recommendations the Department and individual fusion centers may take in order to further reduce their impact on the privacy of the American Public. [Source] [Full document] [DHS Privacy Policy Guidance memorandum 2008-01: Fair Information Practice Principles]

 

US – DHS CPO: Fusion Centers Put Citizen Privacy at Risk

The Department of Homeland Security’s (DHS) own Chief Privacy Officer says intelligence fusion centers, facilities that collect and process a wide range of information intended to help DHS officials identify terrorist threats, put citizen privacy at risk. According to a memo published online by DHS earlier this month, department CPO Hugo Teufel believes that ambiguous authority and oversight, combined with a mix of law enforcement, military, and private participation, mean the centers could put privacy at risk. Teufel points out that the risk is only hypothetical, and that no actual privacy abuses are known to have occurred since the centers were established after the 9-11 terror attacks. [Source]

 

US – Fee-Paying Air Travelers Turning Security Lines Into Moneymakers

The cost of bypassing long airport security lines has gotten higher, and airlines and airports have joined private registered traveler businesses in reaping the revenue. Frequent fliers enjoy the perk, but not everyone thinks paying to cut to the head of the line improves service or airport security. Last week, United Airlines announced that its customers can pay $25 per trip for the privilege of moving to the front of the line at the ticket counter, in the security line and at the gate at certain airports. This followed an announcement by Southwest Airlines in October that allowed business-fare passengers, who usually pay an extra $15 to $30 per ticket, to go to the front of the security line at select airports. “This is pay to play,” said Michael Boyd, president of Colorado-based Boyd Group International, an airline consulting firm. “In a sense, that’s almost a bribe, because they’re giving money to give people a shorter line for public security in a public security facility. None of it improves security whatsoever. All it does is now make the gateway to security a profit center, or a revenue center, for private companies. And I have a problem with that in a public facility.” [Source] See also: [Schneier: It’s Just “Security Theater”]

 

US – NY Post Office Reopens Santa Program With Privacy Controls

The United States Postal Service has resumed its century-old Operation Santa Claus program after making modifications to protect the privacy of those involved, reports the New York Times. The program receives Santa letters from needy children and citizen Secret Santas fulfill their wishes, mailing packages directly to them. The USPS shut down the program abruptly last week when a registered sex offender took one of the letters. Fifteen employees are now responsible for concealing letter-writers’ names and addresses with black ink, and now the post office delivers the gifts using a recipient control number. [Source]

 

Workplace Privacy

 

CA – P.E.I. Government Falsified Worker’s Job Record: Privacy Commissioner

The P.E.I. Department of Transportation has been ordered to apologize to a former employee after it provided incomplete records following an access to information request. The department must also provide training to all of its employees about the province’s Freedom of Information and Protection of Privacy Act. The strongly worded decision came out last week following the investigation of the department’s response to a request from a former employee for all records pertaining to her employment under the province’s freedom of information law. When she got the documents, she complained that a large amount of information seemed to be missing. [Source]

 

WW – IT Security and the Insider Threat Issue

The insider threat issue is undoubtedly creating a stir in the technology world, but do organisations actually take it seriously, and what are they doing to minimise the security risk from employees? The Computer Security Institute (CSI) has found that insider security incidents have now overtaken virus incidents in terms of how much they cost organisations, making it the IT security priority. Unfortunately, there is no single “miracle solution” to this problem. As many recent high-profile data leaks have been caused by employee error rather than malicious behaviour or criminal intent, staff training on company IT policies and practices is a good starting point. The other approach is technology, yet security spending is predominantly focused on perimeter solutions, which will regrettably be of little use in protecting your organisation from internal data loss. [Source]

 

US – Hawaii Attempts Random Drug Tests of Teachers

Hawaii public school teachers signed off on first-in-the-nation statewide random drug testing in exchange for pay raises, but now the state claims the educators are trying to take the money and run. Since the teachers’ union approved the pact nearly two years ago, they’ve accepted the 11% boost in pay while fighting the random tests as an illegal violation of their privacy rights. No teacher has been tested. The union says it didn’t consent to truly random drug testing in the contract, which says the parties “agree to negotiate reasonable suspicion and random drug and alcohol testing procedures.” The union’s definition of “random” is limited to a pool of teachers who go on field trips, work with disabled children, are frequently absent or have criminal records. “Random testing isn’t going to suddenly increase test scores,” said Mike McCartney, executive director for the Hawaii State Teachers Association. “This is a huge distraction from how to make our schools better.” [Source]

 

 

+++