Privacy News Highlights
20–26 January 2006
Contents:
US – TSA Announces Key Elements of Registered Traveler Program
US – Iris Scanning for New Jersey Grade Schools
CA – Survey: Consumers Select IBM and Bell Canada as Most Trusted Companies
CA – Ontario Police Using ‘Production Order’ to Access Reporter’s Notes
AB – Alberta Privacy Commissioner Scolds Staples in Computer Privacy Case
US – ID Theft Complaints Top 2005 Consumer Complaints List
WW – Consumer Study: Loss of Personal Data is #1 Fear
US – Poll: Most Say Google Should Not Respond to Subpoena
UK – Resident First to Win Legal Case Against Spam
US – U.S. Computers Responsible for Most Spam, Company Says
US – Washington State Sues Over Spam, Spyware
UK – Police Stop and Search 100 People a Day Under New Anti-Terror Laws
WW – OECD Report: Use of Authentication Across Borders in OECD Countries
WW – Do Web Filters Protect Your Child?
UK – Study: Consumers To Blame For Not Preventing Online Fraud
US – EPIC Sues Justice Department for Release of Domestic Surveillance Documents
UK – Government Defends Recording 24,000 Children’s DNA Profiles
US – Privacy Concerns With CDC’s New HIV Data Reporting System
US – Stolen Ameriprise Laptop Had Data on 230,000 People
US – Thief Steals Briefcase Containing Personal Information of Officers
US – University of Notre Dame Probing Electronic Break-In
UK – Study: Poor Call-Centre Security Poses ID Theft Risk
UK – UK Info Commissioner to Probe Tax Credit ID Theft of 8,800 Identities
US – CDT Files Complaints Against Major Adware Distributor
WW – DMA Bans Members From Pushing Spyware
WW – Internet Coalition Sets Up Anti-‘Badware’ Site
US – FBI Says Computer Crime Costs $67 Billion Annually
US – U.S. Obtains Internet Users’ Search Records from Yahoo, MSN, AOL, Others
WW – Google Battles Federal Subpoena For Search Data
WW – Survey: 77% of Google Users Don’t Know it Records Personal Data
US – Judge Orders Web Site Operator to Disclose Authors’ Identities
US – Internet Users Lack Privacy in Subscriber Info, Judge Says
WW – More People Interested in Having Anonymity Online
UK – Blair Under Fire On ID Cards
US – Congressman Seeks Surveillance Info from Internet Companies
US – T-Mobile Seeks Injunction Against Online Data Brokers
US – New Hampshire Reps Approve RFID ‘Tracking Device’ Bill
US – Coalition Objects to RFID chips for Driver’s Licenses
US – FTC Levies Highest-Ever Civil Fine Against ChoicePoint
WW – OECD Promotes Culture of Security for Information Systems and Networks
US – Army Mandates PKI Log-on for Access to NIPRnet
US – Poll Finds Majority Want Warrants for Wiretapping
CA – CIPPIC: Privacy Laws Not Protecting Phone Records
US – Missouri Targets Cell Phone Data Companies
US – GAO Study: Stronger Protections Needed When Contractors Have Access to SSNs
US – Patriot Act Renewal Negotiations Reach Stalemate
US – Shafer, Wiles Introduce Legislation Banning Sale of Cell Phone Calling History
US – West Virginia Miners to Get Electronic Tracking Devices
The Transportation Security
Administration (TSA) last week announced several parameters for a nationwide
private sector Registered Traveler (RT) program, including the biometrics to be
used on Smart Cards for identification purposes and the redress process for
individuals who are denied access to the program. Airline
passengers who buy a pre-approved security pass could have their credit
histories and property records examined as part of the
When a parent arrives to pick up their child at one of 3
grade schools in the
The Ponemon Institute’s
2nd annual online survey found that IBM and
It’s the first time police
have used a new Criminal Code provision called a production order to obtain
information from the media. Police want a Hamilton Spectator reporter to turn
over all records of his interviews with a convicted drug dealer between 2001 and
2005. The Spectator Editor-In-Chief is concerned production orders will become a
tool of choice for prosecutors and police intent on getting at reporters’ work.
The new Criminal Code provision came into force in September 2004 and allows a
judge to compel a person not under investigation to turn over documents or data
relevant to the commission of an offence. Not complying is punishable by a fine
up to $250,000 or up to six months in jail, or both. While there may be
compelling reasons on occasion to seek such orders, “a free press cannot be
willy-nilly turned into a tool of the police,” said the Editor. [Source] [CAJ
Press Release]
Alberta’s privacy commissioner
handed down a heavy ruling against an office supply store after it re-sold a
computer containing a customer’s personal information to a third party. The
commissioner lambasted Staples Business Depot for re-selling a computer that
held a woman’s resume, tax return data, social insurance number, as well as
family photos and contact information, said Office of the Information and
Privacy Commissioner director Elizabeth Denham. “There needs to be more due
diligence around reselling and recycling computers that may contain personal
information,” she said. [Source]
In 2005, consumers filed more
than 255,000 ID theft complaints, according to the FTC. Internet-related
complaints were responsible for 46 percent of all fraud reports. However,
studies have indicated that most ID theft does not involve the Internet. The
highest per capita rates of ID theft occurred in the metro regions of
Visa International reveals in
a new global survey that the theft or loss of personal and financial information
is the No. 1 concern of consumers worldwide (64%), surpassing environmental
degradation (62%), terrorism (58%), job loss (57%) and disease or epidemics
(55%), among other major issues. In the research, consumers report changes in
behavior, particularly when shopping online:
• 63%
of consumers say they are more careful when disposing of financial
statements;
• 50%
look at the privacy policies of companies with which they do
business;
• 62%
of online shoppers are more discriminate about the sites at which they make
purchases; and
• 24%
report shopping less online and 26% less via the
telephone.
Actual e-commerce figures for
Visa show global sales growth of 27% in 2005 over 2004. [Source]
A poll finds that a majority
of those surveyed believe Google should not release information to the
government about its users’ search habits, and more than a third said they would
even stop using the world’s most popular search engine if the company did so.
The survey results, released by the Ponemon Institute, a think tank that studies
privacy in businesses and government, also indicate that a vast majority of
respondents do not believe that Google collects information that can personally
identify who they are. [Source]
[Source]
[Source]
Nigel Roberts used the
European Union’s E-Privacy Directive law to win £300 (US$500) in compensation
from Media Logistics (UK) Ltd., becoming the first person in the country to use
European legislation to defeat spammers. Roberts had originally complained to
the company after receiving unsolicited e-mail advertising from a contract car
firm and fax broadcasting business. He also used Section 7 of the Directive to
force the company to reveal how it obtained his contact details without his
consent. After receiving an apology, Media Logistics refused to pay him
compensation, resulting in Roberts making a claim for damages to the Small
Almost
a quarter of the world’s spam in the last three months of 2005 was sent from
computers in the
The
Washington state attorney general’s office has sued a New York company and
individuals in New York, New Hampshire, Oregon and India under state and federal
anti-spam and spyware laws, saying they induced computer users to download
software that weakened their computers’ security. [Source]
Charles Clarke, the U.K. Home
Secretary, is facing an onslaught over the Government’s anti-terror laws after
figures showed nearly 36,000 people were stopped and searched under the
emergency powers last year. The number of people stopped and searched each year
has soared since the Act came into force in 2001, when 10,200 people were
stopped. It rose to 33,800 in 2003-04. Despite the high number of people
stopped, only 455 were arrested. Campaigners will mount a legal challenge in the
House of Lords this week, as they attempt to limit the laws giving police
sweeping powers to stop people even if they have no grounds to suspect them of a
crime. [Source]
The
purpose of this survey was to:
• Identify examples of current offerings and
actual implementation of authentication across borders.
• Identify actual or
potential barriers to the current cross-border use of digital signatures from
the supplier/user perspective (taking into account input from other stakeholders
as well).
• Explore the extent to which the cross-border offerings of
authentication meet transaction needs.
The questionnaire was addressed to
governments and to the private sector. The survey is part of the ongoing work of
the Working Party on Information Security and Privacy on authentication that is
aimed at:
• Assessing the need to develop mechanisms to “bridge” varying
legislative/legal/policy frameworks to provide for cross-jurisdictional
authentication and for legal effect of electronic signatures.
• Promoting
the use of authentication as an integral element of a safer, more secure
Internet.
• Developing linkages so as to use the authentication work as an
element for addressing other issues such as online identity theft, management of
digital identities, spam, travel security, biometrics etc. [Source]
Millions of parents rely on
Web filtering software to shield their children from the nasty side of the
Internet—porn, predators and other unseemly phenomena. But according to the U.S.
Justice Department, Web filters are not enough to protect minors. The agency
voiced its concern about the technology last week as it geared up to defend an
antiporn law that’s under attack from civil liberties advocates. The case, which
deals with the 1998 Child Online
Protection Act, grabbed attention last week after the department subpoenaed
Internet search companies, including Google and Yahoo, for millions of search
records. [Source]
Britain’s Financial Services
Authority presented research this week that shows that more than half of 1,508
customers surveyed were “extremely” or “very” concerned about the potential
fraud risks of online banking. The survey found that 95% of those surveyed
indicated that banks should take some of the responsibility for online security,
while 45% said banks should take all the responsibility for keeping customers
safe online. According to the report,
online banking insecurity is due as much to user ignorance as to banking
inadequacy. According to the survey, if the banks attempted to move all
liability for online banking losses to customers, 77% say they would abandon
Internet banking completely. The authority’s report makes only veiled criticism
of banks themselves. [Source]
[Source]
Seeking to compel the
immediate disclosure of information concerning the Administration’s warrantless
domestic surveillance program, EPIC has filed a Freedom of Information Act lawsuit
against the U.S. Department of Justice. The suit asks the federal court in
The
government has defended storing the DNA profiles of about 24,000 children and
young people aged 10 to 18. The youngsters’ details are held on the
Some AIDS groups are objecting
to a new HIV data reporting system implemented by the federal Centers for
Disease Control and Prevention (CDC) that they charge is burdensome and intrudes
into the personal lives of clients. The CDC is requiring the 65 state or local
health departments and roughly 130 community-based AIDS groups that are directly
funded by the federal health agency to use its Program Evaluation and Monitoring
System (PEMS), a Web browser-based software application, to report on how they
are fulfilling their contracts. [Source]
Ameriprise Financial, the
investment advisory unit spun off from American Express, said this week that
lists containing the personal information of about 230,000 customers and
advisers had been compromised. A security breach occurred in late December,
Ameriprise said, after a company laptop was stolen from an employee’s parked
car. The laptop contained a list of reassigned customer accounts that was being
stored unencrypted, a violation of Ameriprise’s rules. The information on the
laptop included the names and Social Security numbers of about 70,000 current
and former financial advisers and the names and internal account numbers of
about 158,000 customers, about 6% of its 2.8 million clients. [Source]
A briefcase containing the
names, SSNs and birth dates of hundreds of National Guardsmen has fallen into
the wrong hands after someone broke into a car earlier this month in
Two
computer-forensic companies are helping the University of Notre Dame investigate
an electronic break-in that may have exposed the personal and financial
information of school donors. The hackers may have made off with Social Security
numbers, credit card information and check images. [Source]
Poor security checks in
The
The Center for Democracy
& Technology (CDT) has asked the FTC to put an end to the illegal and
deceptive practices of 180solutions Inc., one of the world’s largest developers
of Internet advertising software. In a detailed complaint, CDT outlines a
pattern whereby 180solutions, through a complicated web of affiliate
relationships, deliberately and repeatedly attempted to dupe Internet users into
downloading intrusive advertising software. The complaint illustrates how
180solutions continued this pattern of practice even after being warned by
technology experts, privacy advocates and its own auditors that its practices
were unethical, and in several cases, illegal. [Source] [Source]
The Direct Marketing Association has set up its first
requirements governing members’ use of software distribution. The rules are
designed to curb unethical installation practices, the industry group said, as
well as to draw a line in the sand it hopes will preserve the legitimate uses of
downloaded software. Many online marketers have been experimenting with using
downloadable software as part of their marketing plans. The guidelines say
marketers “should not install, have installed, or use...software that initiates
deceptive practices or interferes with a user’s expectation of the functionality
of the computer and its programs.” They single out as unacceptable software that
relays spam, serves “endless loop pop-up advertising,” or deceptively modifies
security or browser settings. [Source]
A
group including Google and institutes at Harvard and Oxford universities plans
to unveil a campaign against spyware and other malicious computer programs that
can steal personal information, snoop on your Web surfing and bombard you with
pop-up ads. The coalition, which is receiving unpaid advice from Consumer
Reports WebWatch, is launching a Web site -- http://www.stopbadware.org/ -- to
catalogue programs that infect unsuspecting users and to let them check whether
something is dangerous before downloading it. The group also will spotlight
firms that make the software in an effort to shame them and will gather data
that could lay the groundwork for class-action lawsuits against them. [Source]
Dealing with viruses, spyware,
PC theft and other computer-related crimes costs
Federal investigators have
obtained potentially billions of Internet search requests made by users of major
websites run by Yahoo Inc., Microsoft Corp. and America Online Inc., raising
concerns about how the massive data trove will be used. The information turned
over to Justice Department lawyers reveals a week’s worth of online queries from
millions of Americans — the Internet Age equivalent of eavesdropping on their
inner monologues. The Internet companies said that the information did not
violate their users’ privacy because the data did not include names or computer
addresses. The disclosure nonetheless alarmed civil liberties advocates, who
fear that the government could seek more detailed information later. A Justice
Department spokesman said the government was not interested in ferreting out
names — only in search trends as part of its efforts to regulate online
pornography. But the search-engine subpoenas come amid broader concerns over how
much information the government collects and how the data are used. [Source]
[Source] [Source] [DOJ Submission]
The government’s battle with
Google to obtain search query records comes as federal officials are targeting
Internet evidence to bolster law enforcement investigations in several areas,
including domestic security and cybercrime. Justice Department officials contend
that they need the Google records – not to investigate individuals – but to
defend the Child Online Protection
Act of 1998. The Justice Department argues the evidence would help
prosecutors determine how much users are searching for pornography and how well
filtering software works to block that content. [Source]
[Source]
[Source]
More than three quarters of
web surfers don’t realize Google records and stores information that may
identify them, results of a new opinion poll show. The phone poll, which sampled
over 1000 internet users, was conducted by the Ponemon Institute following the
DoJ
subpoenas last week. This suggests that the battle for internet privacy is
far from over. Google maintains a lifetime cookie that expires in 2038, and
records the user’s IP address. But more recently it has begun to integrate
services which record the user’s personal search history, email, shopping
habits, and social contacts. After first promising not to tie its email service
to its search service, Google went ahead and opted its users in anyway. It’s all
part of CEO Eric Schmidt’s promise to create a “Google that knows more about
you”. [Source]
Ruling on one of the most
important First Amendment issues of the day, a
Internet
users surrender any privacy rights they have to their subscriber information
when they sign up for online service, a New Haven Superior Court judge has ruled
in a matter of first impression in
Interest
in software that allows people to send e-mail messages that cannot be traced to
their source or to maintain anonymous blogs has quietly increased over the last
few years, say experts who monitor Internet security and privacy. “People in the
world are more interested in anonymity now than they were in the 1990’s,” when
the popularity of the Internet first surged, said Chris Palmer, technology
manager at the Electronic Frontier Foundation, a nonprofit group in San
Francisco dedicated to protecting issues like free speech on the Web. [Source]
Tony Blair’s plans for a
national identity card scheme could end up as being a “monument to the failure
of big government”, the opposition leader has warned. The Tory leader attacked
the proposed scheme as new research came to light suggesting it could cost more
than £14bn to run. [Source]
[IT industry prepares for the worst over ID cards]
The ranking Democrat on the
House Judiciary Committee is seeking information from 20 phone, cable and
Internet company executives about whether they provided information to the
federal government for a secret domestic surveillance program.
T-Mobile is seeking an
injunction in
The New Hampshire House of
Representatives approved a bill, HB-203, that would require warning labels on
consumer goods and identity documents that contain RFID tags or other tracking
devices, regulate the use of RFID or other technology for tracking individuals, and
establish a commission on the use of tracking devices in government and
business. The bill now
heads to the New Hampshire Senate, where it will be assigned a committee for
hearing. At least two industry groups, the American Electronics Association
(AeA) and the Retail Merchants Association of New Hampshire, oppose the bill,
claiming that despite amendments that soften the restrictions originally placed
on the use of tracking devices such as RFID, the bill remains too limiting of
the technology and places overly onerous requirements on companies that want to
use the technology. Despite the opposition, New Hampshire Representative Neal
Kurk (D, R), one of the bill’s supporters, stands behind the proposed law. “This
is a simple notification bill, which is something that industry groups keep
saying they support,” says Kurk, who was surprised to hear that industry groups
still object to the bill after numerous amendments. In addition to requiring
notice of tracking devices on consumer goods, HB203 would prohibit the state of
A coalition of conservative
groups and privacy advocates is urging the Homeland Security Department not to
include the use of radio frequency identification contactless chips in its
regulations for implementing the Real ID Act for state driver’s licenses. In a
letter
to Secretary Michael Chertoff, the groups assert that RFID costs a lot, lacks
standardized technology and poses potential dangers to privacy from unauthorized
reading of the chips. [Source]
ChoicePoint has agreed to pay
$15 million – a $10 million civil penalty and $5 million to consumers – to
settle charges that its security and record-handling procedures violated
consumers’ privacy rights and federal laws. The Federal Trade Commission (FTC)
said a data breach at the company involved the personal information of 163,000
consumers. ChoicePoint, which also has agreed to independent audits, did not
admit any wrongdoing. [Source]
[Source]
A recent OECD report is a
major information resource on governments’ effective efforts to foster a shift
in culture as called for in the 2002 OECD Guidelines for the Security of
Information Systems and Networks: Towards a Culture of Security. It includes a
detailed inventory of initiatives to implement the Guidelines in the following
18 OECD member countries, including
Complying with a recent
Defense mandate, the Army has announced it will require users to use a
public-key infrastructure to log on to the service’s unclassified network. The
Army is implementing the Common Access Card Cryptographic Logon, which requires
a smart card and a personal identification number to gain access to the
Non-Classified IP Router Network (NIPRnet). The Defense Department’s Joint Task
Force for Global Network Operations (JTF-GNO), headed by Air Force Lt. Gen.
Charles Croom, set a July 31 date for all of the services and agencies to fully
install a PKI to help ward off network intrusions. [Source] [Source]
A majority of Americans want
the Bush administration to get court approval before eavesdropping on people
inside the
Canadian privacy legislation
is powerless to protect cellphone records and other personal information that is
being obtained and sold by U.S.-based data brokers, the Canadian Internet Policy
and Public Interest Clinic charged last week. While the
Missouri
Attorney General Jay Nixon is on the case of the cell-phone data burglars. Nixon
filed a request in Cole County Circuit Court late last week for a temporary
restraining order against Data Find Solutions Inc. and 1st Source
Information Specialists. The companies, Nixon said, are thought to operate Web
sites such as http://www.locatecell.com/ that promote
the sale of personal phone records. [Source]
Extract: Recent data breaches
highlight how identity theft may occur when businesses share individuals’
personal information, including Social Security Numbers (SSNs), with
contractors. Because private sector entities are more likely to share consumers’
personal information via contractors, members of Congress raised concerns about
the protection of this information in contractual relationships. In response,
GAO examined (1) how entities within certain industries share SSNs with
contractors; (2) the safeguards and notable industry standards in place to
ensure the protection of SSNs when shared with contractors; and (3) how federal
agencies regulate and monitor the sharing and safeguarding of SSNs between
private entities and their contractors. Banks, securities firms,
telecommunication companies, and tax preparation companies share SSNs with
contractors for limited purposes. Firms GAO interviewed routinely obtain SSNs
from their customers for authentication and identification purposes, and
contract out various services, such as data processing and customer service
functions. Although these companies may share consumer information, such as
SSNs, with contractors, company officials said that they only share such
information with their contractors when it is necessary or unavoidable.
Companies in the four business sectors GAO studied primarily relied on accepted
industry practices and used the terms of their contracts to protect the personal
information shared with contractors. Most company officials stated that their
contracts had provisions for auditing and monitoring to assure contract
compliance. Some noted that their industry associations have also developed
general guidance for their members on sharing personal information with third
parties. Federal regulation and oversight of SSN sharing varied across the four
industries GAO reviewed, revealing gaps in federal law and agency oversight in
the four industries GAO reviewed that share SSNs with contractors. [Source]
Efforts to reach an agreement on a long-term renewal of the USA Patriot Act
appear stalled as House Judiciary Committee Chairman Rep. James Sensenbrenner,
the House’s chief negotiator, has said his chamber is finished negotiating.
Sixteen key provisions of the Patriot Act were set to expire at the end of last
year. Members of Congress were unable to reach an agreement on a long-term
extension before Christmas, and instead passed a one-month extension set to
expire February 3. Senate Democrats and four Republican senators are pressing
for more civil liberties protections to be incorporated in the renewal
legislation, but Sensenbrenner has said that the proposal in December’s
conference report provides adequate safeguards. Senate Judiciary Chairman Arlen
Specter said Tuesday that there are likely only two options at this point: the
conference report or another short-term extension. Republican Sen. John Sununu,
one of the four who have joined Senate Democrats in opposition to the conference
report, said however that discussions with the Bush administration on possible
changes are continuing. [Source]
Senators
David Shafer (R-Duluth) and John Wiles (R-Marietta) this week announced that
they have introduced legislation aimed at prohibiting the sale of cell phone
records without the consent of the consumer. Senate Bills 455 and 456 were filed
with the Secretary of the Senate’s office this week. SB 455, if passed, would
prohibit cell phone companies from selling or releasing cell phone records
without the consent of the customer. It also would ban information brokers from
obtaining and selling this information. Shafer’s bill would require cell phone
companies to implement measures to protect cell phone records from unauthorized
disclosure. SB 456, authored by Wiles, would provide for penalties for those
that engage in the sale and trade of cell phone records. Under Wiles’
legislation, those who are found guilty of illegally selling this information
could face felony charges and up to 10 years in prison and/or a $100,000 fine. [Source]