(2004-12-29) [CMP Media LLC.] The use of biometric technology will move a step closer to being recognized as a viable security measure at airports worldwide next week. The French Civil Aviation Authority, or Direction Générale de l'Aviation Civile (DGAC), on Monday begins a six-month analysis of fingerprint, iris, and facial-recognition biometric data collected since October at airports in Bordeaux, Lille, Lyon, Nice, Paris, and Toulouse.
"The objective is to decide which biometric technology is most reliable, then let each airport choose its own," says Laurent Wagneur, director of French IT service provider Euxia SA, which is working with Belgian biometric systems integrator BioWise NV on the project. The European Aviation Safety Agency, which regulates aviation safety across the European Union, has mandated that airports across the EU test biometrics to see if this technology can improve security.
[source: Security Pipeline]
(2004-12-30) [CMP Media LLC.] The online auction site eBay announced Wednesday that it will soon drop support for Microsoft's Passport for log-in to the site and discontinuing alerts sent via Microsoft's .Net alerts. Microsoft responded by saying that it will stop marketing Passport to sites outside its own stable.
As of late January, eBay will no longer display the Passport button on sign-in pages nor allow users to log in using their Passport accounts. Instead, members must log-in directly through eBay.
eBay was one of the first to jump on the Passport bandwagon in 2001, but is only the latest site to leap off. Job search site Monster.com, for instance, dropped Passport in October.
[source: Security Pipeline]
(2004-12-18) [CMP Media LLC.] Microsoft disclosed plans Thursday to offer frustrated users of its Windows software new tools within 30 days to remove spyware programs secretly running on computers. But it might cost extra in coming months.
Spyware is a category of irritating programs that secretly monitor the online activities of Internet users and can cause sluggish computer performance or popup ads.
In a shift from past practice, the world's largest software manufacturer said it may charge consumers for future versions of the new protective technology, which Microsoft acquired by buying a small New York software company. Terms of the sale of Giant Company Software Inc. weren't disclosed. Microsoft, whose Windows operating systems have often been criticized for lax security, traditionally has given consumers--at no charge--separate programs to improve security. It also has increasingly built other protective tools, such as firewall software, into Windows to repel hackers.
[source: Security Pipeline]
(2004-12-28) [Computerworld] Two new versions of a computer virus that affects mobile phones were discovered yesterday, with new features that allow them to spread more quickly among vulnerable devices, an antivirus company reported.
Cabir.H and Cabir.I are the latest versions of a worm that was first identified in June and affect Symbian Ltd. mobile phones. There are no reported infections from the new worms.
Like the original Cabir worm, dubbed Cabir.A, the new Cabir variants spread among mobile phones using a specially formatted Symbian operating system distribution (or SIS) file disguised as a security management utility. When the infected file is launched, the mobile phone's screen displays the word Caribe, and the worm modifies the Symbian operating system so that Cabir is started each time the phone is turned on.
[source: Computerworld Viruses and Worms]
(2004-12-27) [Computerworld] A year after the U.S. Congress passed the first federal antispam law, observers see no evidence that it has cut the amount of unwanted commercial e-mail arriving in people's in-boxes.
Some antispam activists assert that the law has aided spammers because CAN-SPAM requires recipients to opt out of unwanted commercial e-mail by contacting each sender, instead of forcing senders to get opt-in permission. The federal law also hurt spam-fighting efforts by preempting parts of some tougher state laws, including a California opt-in requirement, said Laura Atkins, president of the SpamCon Foundation.
[source: Computerworld Email/Groupware]
(2004-12-30) [Computerworld] Dutch authorities have issued their first fines for spam originating in the Netherlands. Telecommunications regulator OPTA, which is responsible for regulating spam in the Netherlands, imposed three separate fines on Tuesday, the first since the Dutch government agreed in May to a ban on unsolicited e-mail to consumers.
In a move to coordinate cross-border efforts to fight spam in Europe, OPTA has initiated an information-sharing program for regulators and other government bodies. The program aims to establish an exchange of information about spammers across the European Union. So far, eight countries have signed up, according to the OPTA spokesman. The goal is to have all 25 EU member states on board.
[source: Computerworld Email/Groupware]
(2004-12-24) [EPIC] EPIC has obtained documents under the Freedom of Information Act showing that the US Postal Service's new self-service postage machines take and retain portrait-style photographs of customers.
The Automated Postal Center kiosks allow people to mail letters or packages, buy stamps, and look up information. One document obtained by EPIC states that "[i]n order to augment security, a digital photograph will be necessary for some transactions." Another document reads, "[c]amera required by FAA. Privacy Office is requiring a notice for customers, advising that photograph may be taken during the transaction."
[source: EPIC Alert vol 11 no 24]
(2004-12-24) [EPIC] On December 6 EPIC held the Africa Electronic Privacy and Public Voice Symposium in Cape Town, South Africa, which took place in conjunction with the first meeting of the Internet Corporation for Assigned Names and Numbers (ICANN). The symposium featured panel discussions on data protection and freedom of expression in Africa, Internet policy in Africa, and African perspectives on global Internet governance.
Find presentations and other information at the symposium web site.
[source: EPIC Alert vol 11 no 24]
(2004-12-30) "Open workshop on the foundation of an EU Human Rights Agency" will take place on January 25, 2005 (Brussels, Belgium).
See calendar entry.
(2004-12-23) [SAITS] [Swedish] En nationell workshop om personlig integritet - "Personlig integritet - nutid och framtid" - äger rum den 24 februari 2005 i Stockholm. Denna halvdags workshop, som är en uppföljning av 2003 år workshop, är ett arrangemang som belyser ett antal aktuella problemställningar inom området personlig integritet.
Ett antal presentationer kommer att ges, som belyser olika nya utmaningar, och ger olika perspektiv på såväl aktuella som kommande problem och möjligheter. I en programlagd öppen debatt kan andra aspekter och fenomen lyftas fram, och olika aktörer få utrymme att ge kompletterande synpunkter. Dessutom ingår ett inslag om ett planerat forum för erfarenhets- och kunskapsutbyte om personlig integritet. Ett sådant forum kan ge nationella intressenter en plats för såväl diskussion som andra typer av gemensamma aktiviteter. Läs mer på workshopens hemsida.
[source: Nyheter]
(2004-11-15) [Center for Democracy and Technology] In response to a US federal court of appeals announcement that it would reconsider its earlier decision that the wiretap laws do not apply to real-time interception of email, Center for Democracy and Technology and 6 other public interest organizations filed an amicus brief arguing that the court's initial decision had misconstrued the wiretap statute.
Senator Patrick Leahy, who was deeply involved in extending the wiretap law to email in 1986, also filed an amicus brief in the case. November 15, 2004.
[source: Web News]
(2004-11-01) [Network World] In a conference room overlooking the site of the World Trade Center, early adopters of biometrics technology [end October] stressed the importance of determining someone's true identity. Attendees of the Fall 2004 Biometrics Summit heard about the challenges and benefits seen by those who would implement biometrics both before and after the Sept. 11 attacks that put a greater focus on security.
They also heard about why some companies still aren't ready for biometrics, technology that uses personal characteristics of users to identify them. Acknowledging that most of the Sept. 11 attackers used drivers' licenses to board the airplanes they used as weapons, one presenter said biometrics should be a key tool in conjunction with better verification of identity-proving documents, in the process of obtaining drivers' licenses.
(2004-12-13) [IDG] According to the results of a survey conducted by Gartner Inc., online consumers are growing frustrated with the lack of security provided by banks and online retailers and feel that passwords are no longer sufficient to secure their online transactions.
In the survey of 5,000 adult Internet users, almost 60% said they are concerned or very concerned about online security, said Gartner analyst Avivah Litan. Even more important for online retailers: More than 80% of those surveyed said they would buy more from an online vendor that offered them more than just a username and password to protect their accounts, she said.
[source: ComputerWorld Security]
(2004-12-13) [Computerworld] A group of financial services firms, IT companies and law enforcement agencies announced the formation of Digital PhishNet, a consortium that will share information about phishing attacks and try to make it easier for the government to track down the perpetrators.
[source: Computerworld Security News]
(2004-12-23) [Datainspektionen] [Swedish] I det nya numret av magazin DIrekt tar vi upp det nya gisslet på Internet: "Phishing", en ovanligt lömsk metod att lura av dig kontonummer, koder och lösenord. Hur kan du skyddar dig mot phishing, som f.ö. finns i ett par olika varianter? Och varför stavas det med "ph"?
Du kan hämta numret som pdf.
[source: Nyheter]
(2004-12-23) "[Swedish] Nationell workshop om personlig integritet - 2005" will take place on February 24, 2005 (Stockholm, Sweden).
See calendar entry.
(2004-12-23) "ETHICOMP 2005" will take place on September 12 -- 15, 2005 (Linköping, Sweden).
See calendar entry.
(2004-12-23) "SEAA 2005 - Digital Rights Management" will take place on March 31, 2005 (Porto, Portugal).
See calendar entry.
(2004-12-15) [EDRI] The Article 29 Working Party of data protection authorities in the EU has developed an interesting and useful model for a standard EU privacy notice, consisting of a short, a condensed and a full legal notice.
The Working Party concludes from several Eurobarometer surveys that a minority of businesses complies with privacy legislation and only 42% of European citizens is aware they should be informed about the identity and purpose of data collection. To help further acceptance, the WP now gives 3 concrete models and examples for the most common processing tasks carried out both on-line and of-line.
(2004-12-15) [EDRI] The European Commission has adopted, on 7 December 2004, its annual report on the implementation of the EU electronic communications regulatory package. The report states that 20 of the EU's present 25 Member States have notified the Commission that they have adopted primary legislation transposing the package, which became law in 2002.
The Commission has launched infringement proceedings against Belgium, the Czech Republic, Estonia, Greece, and Luxembourg, who have so far failed to notify transposition. All of these countries have failed to transpose the 2002 e-Privacy Directive, which is part of the package.
(2004-12-15) [EDRI] Research by Forrester, commissioned by the Business Software Alliance, shows an incredibly high number of Europeans that use spam to buy computer software, clothes/jewellery and travel/leisure products.
In France, Germany and the UK, 1 in every 5 internet users said they had bought one of these things via spam. The poll was simultaneously conducted in Brazil, Canada and the US, under 1.000 online respondents per country. Brazil tops the chart of purchases in every category.
(2004-12-15) [EDRI] The draft Framework Decision on the retention of traffic data resulting from electronic communication has been sent to the European Parliament at the beginning of December. This started the public part of the lawmaking process. But the Council of the European Union has still failed to declassify the very document that the Parliament is supposed to vote on next spring.
(2004-12-23) [EDRI] Extensive research commissioned by BITKOM, the German industry association for information technology, telecommunications and new media, into the current practices in the telecom sector shows that there are no grounds for the proposed regime of mandatory traffic data retention.
The study compares the legal obligations and practices in Austria, France, Italy, the Netherlands, Sweden, Spain, the UK and the US. The main two conclusions are that the EU proposal to store all traffic data for a period of at least 12 months is disproportional, and that there is no evidence that law enforcement needs data older than 3 months.
(2004-12-15) [privacy.org] Although Secure Flight does not apply to foreign airlines, it may involve privacy violation of European citizens traveling on US airlines. This was one of the observations of Peter Schaar, a European data commissioners.
Commissioner Schaar said that no one knows how Secure Flight is going to work and whether it will not include or exclude Eurpoean Union citizens. He said that the EC Data Protection Commissioners had "huge" concerns about this proposed travel security program.
[source: News]
(2004-12-23) [Statewatch] The European Parliament was due to adopt its report on the proposed Regulation on a uniform format for visas and residence permits for third country nationals at its plenary session on 13-16 December in Strasbourg. A secret report sent to the Council (the 25 governments) dated 11 November 2004 with the opinion of the committee looking at the technical implementation of the new visas concluded that the proposal has several problems.
The technical report to Council saying that the scheme will not work (doc no: 14534/04, 11.11.04) concluded that:
[source: News]
(2004-11-18) [RFID Gazette] The Spring Independent School District in Spring, Texas, located just north of Houston, is using RFID badges to monitor the movements of 28,000 schoolchildren. Good luck ditching class now.
According to the New York Times: 'When the district unanimously approved the $180,000 system, neither teachers nor parents objected, said the president of the board. Rather, parents appear to be applauding. "I'm sure we're being overprotective, but you hear about all this violence," said Elisa Temple-Harvey, 34, the parent of a fourth grader.' Read more: In Texas, 28,000 Students Test an Electronic Eye.
[source: RFID News]
(2004-12-21) [The Guardian] The UK Government and Opposition have joined forces to back the world's most far-reaching and comprehensive identity measures. The Identity Cards Bill passed its Second Reading in the lower house on 20 December despite widespread and passionate opposition from almost 100 rebel MP's.
A national campaign www.no2id.net chaired by Privacy International's director has vowed to stop the plans. The legislation must pass through the House of Lords before it becomes law. Political observers believe the proposals will meet stiff opposition there.
See the Privacy International ID card page for coverage of ID cards around the world and in the United Kingdom.
[source: GuardianUnlimited]
(2004-12-17) [InfoWorld] Latest security flaw lets attackers create fake Web site that looks identical to a genuine site. A newly reported security problem in Microsoft's (Profile, Products, Articles) Internet Explorer (IE) Web browser allows attackers to create a fake Web site that looks exactly like a genuine site.
The vulnerability lets an attacker display any Web site while the address bar in IE will display a trusted Web address, for example https://www.paypal.com/, and even show the icon indicating SSL (Secure Socket Layer) security, security researchers warned on Thursday.
Microsoft is investigating the report, a company spokeswoman said Friday. "We have not been made aware of any attacks attempting to use the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports," she said. (Excerpt from article by Joris Evers)
[source: News]
(2004-12-23) [CMP Media LLC.] Attention to cybersecurity has gone from one extreme to the other. Soon after 9/11, the news media was filled with shrieking and arm-waving about "cyberterrorism." Eventually, sensible people ralized that the notion of cyberterrorism is just plain silly. Terrorists are interested in being terrifying, they want to set off bombs and send bodies flying and blood flowing.
Congress last week passed a streamlined version of the Intelligence Reform Act that cut a provision that would have create a high-profile assistant secretary of cybersecurity within the Department of Homeland Security. The department has been without a permanent cybersecurity director since October, when Amit Yoran resigned. Sources close to Yoran said he was growing increasingly frustrated with the position's lack of authority and budget.
[source: Security Pipeline]
(2004-12-13) [CMP Media LLC.] Compliance with the CAN-SPAM Act hit a new record in November, according to analysis done by message security firm MX Logic, with a whopping six percent of all junk mail toeing the federal law's line.
The number represents a doubling of October's compliance rate and the highest monthly figure since CAN-SPAM went into effect January 2004. November's slightly rosier picture notwithstanding, CAN-SPAM's poor showing means that users are getting more spam, not less, as was the intention. "Nearly a year after President Bush signed the CAN-SPAM Act, compliance remains marginal, while the overall [spam] volume has increased steadily," said Scott Chasin, MX Logic's chief technology officer, in a statement.
[source: Security Pipeline]
(2004-12-14) [CMP Media LLC.] Huge increase in November portends a bigger Christmas season for spamming marketeers. FrontBridge Technologies said today that spam volumes topped 93 percent in November which sets a new record since FrontBridge started recording business-email spam volumes four years ago. Based on the increase in volume, the company's analytics team predicts a grim outlook through the remainder of the holiday season.
Spam is expected to increase until the New Year, but then volumes should taper of at least a little bit as spammers return to "normal" operations in the early part of 2005. "Spammers are using new delivery methods to ensure this holiday season is as profitable for them as it is for legitimate retailers," said Dan Nadir, vice president of product management, FrontBridge Technologies.
[source: Security Pipeline]
(2004-12-13) [Datainspektionen] [Swedish] Datainspektionen ger under 2005 ett antal utbildningstillfällen.
"Under 2005 fortsätter vi att anordna utbildningar för dig som är anmäld som personuppgiftsombud. Kommunjurister, bolagsjurister och liknande är också välkomna. Vår målsättning med utbildningarna är att ge dig handfasta tips och råd om vad som förväntas av dig som är personuppgiftsombud."
[source: Nyheter]
(2004-12-04) [Privacilla.org] In an address to the American Legislative Exchange Council’s Trade and Transportation Task Force, Jim Harper presented his opinion on national ID issues.
See the transcription of the speech.
[source: Web]
(2004-12-09) [PRC] Web sites registered in your name that defraud consumers! 'Phishing' occurs when a consumer receives a legitimate looking email from what appears to be a reputable online vendor such as eBay, PayPal or a bank. The PRC has learned that not only can providing this kind of information leave consumers at risk for identity theft, but phishing victims have later learned that their personal information was used to register web site domains. And if they also provided a legitimate credit card number, it may have been used to pay for the web site registration, too.
For more information about this scam and tips you can take if you are a phishing victim with a web site registered to your name, see the PRC's Alert: Phishing Emails Can Lead to Domain Registration for Scam Web Sites.
(2004-12-13) "3rd International Human.Society@Internet Conference" will take place on July 27 -- 29, 2005 (Tokyo, Japan).
See calendar entry.
(2004-12-13) "3rd International Conference of Information Commissioners" will take place on February 20 -- 23, 2005 (Cancun, Mexico).
See calendar entry.
(2004-12-13) "Meeting of the Information Security and Privacy Advisory Board" will take place on December 14 -- 15, 2004 (Washington, DC., US).
See calendar entry.
(2004-12-08) [EPIC] EPIC joined a coalition of privacy officials, non-governmental organizations, and individuals in sending an open letter to urge the European Parliament to reject a proposed regulation that would require biometric identification of all European citizens and residents by taking their fingerprints and digital photographs and storing them in police databases.
The fingerprint biometric for all citizens and residents is unprecedented. While the the Council of the European Union is calling for the use of two biometrics, the United States and the International Civil Aviation Organization only require one, and the U.S. government does not plan to implement fingerprints in its citizens' passports.
[source: EPIC Alert vol 11 no 23]
(2004-12-08) [EPIC] The United Kingdom government is going forward with its plans for a mandatory national ID card in its Identity Cards Bill, recently announced in the Queen's Speech, which sets out the government's legislative program for the coming year. The bill was introduced in the House of Commons several days ago.
Since 1952, the issue of national ID cards has come up every few years in Great Britain and has been soundly rejected due to public opposition. Shortly after September 11, 2001, Home Secretary David Blunkett again proposed the card but was forced to back away after it was severely criticized. It has subsequently been promoted as a means to prevent illegal immigration, improve public services and to prevent terrorism.
[source: EPIC Alert vol 11 no 23]
(2004-12-08) [EPIC] Documents recently obtained by EPIC under the Freedom of Information Act reveal details about a joint effort between the CIA and the National Science Foundation to fund a program that, among other things, is researching ways to monitor online chat rooms for terrorist activities.
The documents came to light just a month after former recipients of the Norbert Wiener Award, awarded annually by Computer Professionals for Social Responsibility, expressed "concern about the significant redirection in science funding toward the development of systems of mass surveillance." The award winners said, "It is our view that this research priority could pose a fundamental risk to political freedom, privacy, and Constitutional liberty."
[source: EPIC Alert vol 11 no 23]
(2004-10-25) [useit.com] Internet scams cannot be thwarted by placing the burden on users to defend themselves at all times. Beleaguered users need protection, and the technology must change to provide this. Whenever the press covers a new outrage, you'll surely see quotes from security experts lamenting users' stupidity and advising companies to better educate users about appropriate security precautions. However, user education should not be the main approach to countering security problems for three reasons. First, and most importantly, *it doesn't work*.
Second, user education *puts the burden on the wrong shoulders*. Third, as long as we keep the burden on users rather than fix the technology, we'll *never realize the Internet's full benefits*. Nielsen sketches an approach to making it easier for users to increase security in their environments. See experts on user stupidity.
[source: Jacob Nielsen's Alertbox]
(2004-12-07) [Datainspektionen] [Swedish] EU vill att teleoperatörerna ska tvingas spara uppgifter om vart du ringer, mejlar, SMS:ar och surfar på nätet. Polisen ska använda trafikdata för att lösa och förebygga brott, är det meningen. EU:s dataskyddschefer är mycket kritiska, man anser att förslaget strider mot Europarådets konvention om de mänskliga rättigheterna.
[Swedish] EU vill att teleoperatörerna ska tvingas spara uppgifter om vart du ringer, mejlar, SMS:ar och surfar på nätet. Polisen ska använda trafikdata för att lösa och förebygga brott, är det meningen. EU:s dataskyddschefer är mycket kritiska, man anser att förslaget strider mot Europarådets konvention om de mänskliga rättigheterna.
[source: Nyheter]
(2004-10-21) [European Commission] European Court of Justice strengthens Consumers´ rights in two rulings EU data privacy rules need not prevent telephone operators from providing telephone bills that list individual calls, and there need not be any extra charge for this service, said the European Court of Justice in a judgment given on 14 September.
The Court upheld the European Commission's case that Austria had failed to ensure that bills for using the fixed public telephone network were itemized in sufficient detail to allow users to check individual calls. Standard itemized bills could provide a higher level of detail, at no extra cost to subscribers, it noted. The Court rejected Austria's argument that because the itemized billing provisions of Directive 98/10/EC/ are subject to data privacy protection, no additional levels of detail could be offered to subscribers at reasonable tariffs. Finally, the Court found that Austria had failed to provide detailed arguments supporting its assertion that bills more detailed than those currently required in Austria would infringe data protection legislation.
[source: Press Room]
(2004-12-13) "RSA Conference Europe 2004" will take place on November 3 -- 5, 2004 (Barcelona, Spain).
See calendar entry.
(2004-12-13) "Cyprus Infosec 2004" will take place on October 18 -- 22, 2004 (Nicosia, Cyprus).
See calendar entry.
(2004-11-30) [Masons] UK citizens who refuse to register for the forthcoming identity cards scheme will be fined £2,500, according to the Identity Cards Bill, which was published yesterday. Individuals who do not amend the register when they change address will be fined £1,000.
The scheme, according to the Government, will provide a simple and secure 'gold standard' for proving identity, protecting people from identity fraud and theft and providing them with a convenient means of verifying their identity in everyday transactions.
[source: OUT-LAW.COM]
(2004-12-02) [Masons] Phishing attackers have long used e-mail as bait for victims. But a security software provider has identified a growing trend: fraudsters create fake retail sites, optimised for search engines, in the hope that victims will stumble upon them.
Most phishing attacks of the past 12 months involved sending e-mail that purports to come from a major company - usually a financial services firm, e-tailer or other service provider. Victims follow links in the e-mail to "re-confirm" their security details - and these details are quickly exploited for profit. With the new scam, unwitting surfers arrive at a site by searching the internet for items they want to buy. The point does not appear to take the value of any attempted purchase; instead, when a product image is clicked, according to CyberGuard, this downloads a Trojan to the user's PC. The Trojans can then redirect links to legitimate financial institutions to fraudulent web sites, allowing the fraudsters to harvest the user's credentials - and attempt to empty their accounts.
[source: OUT-LAW.COM]
(2004-12-13) [RFID Privacy Workshop] Those who are interested in the RFID issue, may have a look at the RFID Privacy Workshop held at MIT Media Lab on November 15, 2003.
On the workshop web site you can slides from the presentations as well as video recordings.
[source: Web Site]
(2004-11-25) [The Register] US boffins are developing mobile phones which learn user's daily habits so that they can become "mobile digital secretaries". Going beyond the calendar feature common in many current mobiles, the "smarter smartphone" learns about people's preferences by logging calls and noting when application like cameras are used. Location-based functions allow the phone to keep record where you work and socialise. The phone also makes note of Bluetooth pairing bonds, in theory allowing it to build a profile of who you socialise with. This information would be sent to a server which processes data and returns suggestions or reminders.
The New Scientist reports that the software has been installed on 100 of Nokia 6600 smartphones in a trial involving MIT students. Data is downloaded onto a server at MIT and processed using pattern recognition software. Boffins reckon the phone can help students work out how long they have spent partying and working in a week or how long it is since they last saw a friend. It might even be able to work out the strength of a friendship. Results from the trial could be useful to researchers investigating how social networks build as well as technologists, New Scientist reports. Related stories: Nokia guns for PDA, home surveillance rivals, Fujitsu and Nokia team up for mobile services and gNokia 6600 smart phone. (Excerpt from article by John Leyden)
[source: theregister.co.uk]
(2004-12-02) [EDRI] The Dutch EU Presidency of the EU had published a rather thin paper on spam. The Presidency 'sees spam as a priority issue' and is looking for 'short-term practical measures and quick wins'. The paper will be on the agenda of the Telecommunications Council on 9 December 2004.
Read EU Presidency paper on spam (24.11.2004).
[source: EDRI-gram - Number 2.23, 2 December 2004]
(2004-12-02) [EDRI] Three top officials in Finland's Security Police (SUPO) and the former head of the security unit of the telecommunications service provider Sonera are to be charged in a case involving suspected illegal telecommunications surveillance, according to the Finnish journal Helsingin Sanomat.
The case dates back to November 2000, when Juha E. Miettinen, the head of Sonera's security unit, handed over the traffic data records of 5 mobile phone customers to the SUPO without just cause. The illegal hand-over was brought to light in yet another painful incident compromising the privacy of Sonera staff and customers. Miettinen had personally led an operation to collect telephone records of Sonera employees and outsiders in 2000 and 2001, to investigate which employee had possibly leaked information about internal company affairs to the press.
[source: EDRI-gram - Number 2.23, 2 December 2004]
(2004-12-02) [EDRI] During the Big Brother Awards ceremony in Budapest, Hungary on 25 November 2004, the People's Award was presented to the Data Protection Commissioner, Attila Péterfalvi. He was chosen with a large majority of 917 votes (39,8%) from 2.342 valid votes.
He was given the negative price for making official statements that could erode the Hungarian privacy culture, including a statement that it was right from a legal point of view to install CCTVs in fitting rooms. Acting like a good sport, Péterfalvi joined the ceremony and received the award. But earlier, he had sent an official letter from the Hungarian Data Protection Agency warning the Hungarian organisers that he would ask Privacy International to erase them from the list of official Big Brother Award organisers.
[source: EDRI-gram - Number 2.23, 2 December 2004]
(2004-12-02) [EDRI] On 24 November 2005 in Denmark a hearing was held on RFID and pervasive computing. During the hearing, a first draft of an industry code of conduct (drafted by Danish Industry, The Danish Consumer Council and the Danish Trade and Service Association) was presented, together with a report on the technical and legal challenges and lacunas.
The debate at the conference focussed at concerns for the optimistic (read privacy naive) approach towards privacy implications of RFID, especially with regard to new means of extensive storing, profiling and exchanging personal data. Representatives from the Danish Industry and others stressed that as long as chips are de-activated upon shop exit, the public should not be overly worried. Representatives from the Consumer council and The Danish Institute for Human Rights stressed the extensive and invasive individual mapping this could lead to. Read more about it: Extracts from the report (in English), Report about the hearing (in Danish).
[source: EDRI-gram - Number 2.23, 2 December 2004]
(2004-12-02) [EDRI] The European Commission is preparing a Framework Decision on 'Access to information by law enforcement agencies'. Commission services have authored a Communication on enhancing such access, which was sent to the Council and the European Parliament in June 2004.
The issue is closely linked to discussions currently under way on the introduction of data protection rules for issues that are dealt with under the Third Pillar of EU Legislation, which is mainly about police and judicial co-operation. At present, this whole topical area is exempt from EU Data Protection legislation, including the EU Data Protection Directive 95/46.
[source: EDRI-gram - Number 2.23, 2 December 2004]
(2004-12-02) [EDRI] The UK government is pushing ahead with plans for a compulsory national ID card. The Identity Cards Bill was announced in the Queen's Speech, which sets out the government's legislative programme for the coming year, and introduced in the House of Commons on 29 November.
The Bill is virtually unchanged from a draft published for consultation earlier this year. Citizens will be issued with a card as they renew passports, but can also be ordered to attend an interview to be biometrically scanned and given a card.
[source: EDRI-gram - Number 2.23, 2 December 2004]
(2004-12-02) [EDRI] The European Council of ministers of Justice and Home Affairs will meet on 2 and 3 December 2004. Telecommunication data retention is an important item on the agenda. The Dutch EU Presidency tried to force the Council to reach a quick unanimous decision on the proposed framework decision, but has now changed course.
According to an explanation given by minister Donner of Justice on 1 December 2004 to the judicial committee of the Dutch Lower House, a large majority of EU Member States is now in favour of an extended obligation. Supposedly lead by France, most countries now insist on a large set of data that should be collected and stored by telecom and internet providers, in stead of limiting the retention to data that are already collected for business purposes.
[source: EDRI-gram - Number 2.23, 2 December 2004]
(2004-12-02) [EDRI] It is likely that the Council of European Justice and Home Affairs ministers will adopt a regulation, on 3 December 2004, to fingerprint all EU citizens and residents, to take digital photographs of their faces and to store these data in a gigantic database of 450 million EU citizens. This will be the last step of a procedure that has exploited the democratic deficit of the European Union to an unheard extreme.
The European Parliament has adopted the proposal but introduced a large number of limitations. MEPs voted to clearly limit the kinds of information to be stored on the passports, they voted against the storage of the data in a central database and in favour of giving Data Protection Authorities oversight over the whole process.
[source: EDRI-gram - Number 2.23, 2 December 2004]
(2004-11-22) [Yahoo] Next time you make a printout from your color laser printer, shine an LED flashlight beam on it and examine it closely with a magnifying glass. You might be able to see the small, scattered yellow dots printer there that could be used to trace the document back to you.
According to experts, several printer companies quietly encode the serial number and the manufacturing code of their color laser printers and color copiers on every document those machines produce. Governments, including the United States, already use the hidden markings to track counterfeiters. (Extract from article by Jason Tuohey)
[source: News]
(2004-11-22) [IDG] A U.S. computer security expert is suing the Japanese government for violation of his freedom of speech, alleging that officals censored him at a recent computer security conference. The lawsuit is the first of its kind in Japan, according to his lawyer.
The petition was filed following a claim by Nuwere that officials of Japan's Ministry of Internal Affairs and Communications (MIC) forced him to abandon a presentation he was to have given on Nov. 12 on security issues related to Japan's online citizen registry network, called Juki Net.
Juki Net is a national network of databases that contain the names and personal details of nearly every person residing in Japan. It has been surrounded by controversy, particularly over its security. During a security audit conducted last year, Nuwere and Japanese experts managed to compromise servers in part of the system maintained by one of Japan's prefectural governments. It was about these experiences that Nuwere had intended to talk. (Extract from article by Paul Kallender)
[source: ComputerWorld]
(2004-11-19) [IDG] An enormous challenge for organizations is striking an appropriate balance between a need to verify identity and the ability to provide quick and easy access to systems and confidential information. A lack of balance can have serious consequences. A leading Web merchant may lose business because the identity management procedures fail to authenticate a legitimate customer. Or even worse, individuals may become victims of identity theft because an online business fails to use proper identity management safeguards.
To find out the types of identity management technology consumers prefer and the expectations they have about how organizations use it, the International Association of Privacy Professionals, Electronic Data Systems Corp. and Ponemon Institute recently conducted a Web-based survey of almost 1,200 adults throughout the U.S.
The pieces of personal information individuals are most willing to share with organizations to establish their identities are: name (88%), home telephone (88%), address (84%) and customer account numbers (82%). The pieces of information individuals are least willing to share are: racial or ethnic origin (8%), Social Security numbers (12%), debit card numbers (16%), nationality (18%) and driver's license numbers (18%). How much is too much? According to 65% of the respondents, three or more separate pieces of personal data to identify them is too much. (Excerpt from article by Larry Ponemon)
[source: ComputerWorld]
(2004-11-19) [IDG] The goal: Help e-commerce and financial services firms act quicker. Five online security software and service providers have formed the Anti-Fraud Alliance to help e-commerce and financial services firms fight online fraudulent activities such as phishing and identity theft.
"The reason the alliance was formed is very simple: Online fraud is accelerating substantially, particularly with ... respect to phishing," said Kim Legelis, director of industry solutions at Symantec Corp., one of the alliance's founding companies. "It's widely recognized by those who are involved in the problem ... that there is not a single solution or single vendor that's able to mitigate the multiple aspects of a phishing attack, such as the planning stages, the setup of fraudulent Web sites, the actual attack itself, often delivered by e-mail, the collection of information and the use of stolen credentials for the purpose of fraud. (Extract from article by Linda Rosencrance)
[source: ComputerWorld]
(2004-11-22) [IDG] In its sixth annual e-commerce fraud survey, CyberSource Corp. forecast that businesses will lose $2.6 billion to online fraud in 2004, a 37% increase over $1.9 billion last year.
In addition, merchants are rejecting 28% more orders than they did last year because of suspicion of fraud, said CyberSource, which specializes in electronic payment and risk management services for retailers. Retailers have had some success limiting losses. This year, fraudulent orders account for 1.8% of online sales, which is statistically level with 2003's 1.7%, according to CyberSource.
[source: ComputerWorld]
(2004-11-19) [CMP Media LLC.] A study by researchers at the University of California, Berkeley, has found that irregularities associated with electronic voting in this month's election may have awarded as much as 260,000 votes to President Bush in three Florida counties.
Depending on the method used in counting the votes, the researchers found that e-voting in the three counties gave Bush either a 130,000- or 260,000-vote advantage. Bush, the Republican incumbent, beat Kerry by more than 377,000 votes in Florida.
In essence, the researchers are saying that Bush got more votes than they would have expected, based on the study's projections, and attributed the discrepancy to "irregularities" associated with electronic voting machines. (Extract from article by Antone Gonsalves)
[source: Security Pipeline ]
(2004-11-18) [CMP Media LLC.] One of the four biggest banks in the United Kingdom has taken the unusual step of suspending some features in its online banking service in reaction to a phishing attack.
On Wednesday, NatWest, which is part of the Royal Bank of Scotland Group and one of Britain's big four, shut off features to its million-plus online customers. When users logged on to the NatWest online banking site, they saw a message that read, "We have temporarily suspended the ability to create or amend Third Party Payment mandates and create Standing Order mandates."
"Once I thought that maybe phishing was a fad, and after a while it would be replaced by some other scam, like keyloggers. But it's not a fad. It's going to get worse, and it's not going to slow down." (Extract from article by Gregg Keizer)
[source: Security Pipeline ]
(2004-11-29) [CMP Media LLC.] Computer firms are slow to respond to online customer inquiries, and more than one in three share customer data with business partners or affiliates without permission, a study released Monday showed.
In a fourth-quarter study of the largest U.S. computer products and services companies, The Customer Respect Group found that, on a scale of 0 to 10, the firms scored highest in providing open, honest online policies, 7.3; and lowest in responsiveness, 3.6. More than half of companies didn't response to all inquiries, the study found.
"Privacy is already the number 1 issue among consumers, and its becoming the paramount concern," Terry Golesworthy, president of the CRG, says. (Extract from article by Antone Gonsalves)
[source: Security Pipeline ]
(2004-11-29) [CMP Media LLC.] Once, only the paranoid believed that the government and big corporations were watching them. Now, it's a simple observation of fact. Step outside your front door, and you'll see surveillance cameras sprinkled all over the landscape of cities and suburbs. Your employer-issued smart badge tracks your movements inside the office building. Automatic toll-taking mechanisms like the New York metropolitan area's EZPass note your movements as you drive around. The credit-card companies keep a record of every item you purchase, and where and when you bought them.
Even if you're at home with the curtains drawn, you're being tracked. The phone company lists your incoming and outgoing phone calls; that's been going on for decades. If you have a TiVo, it sends information on what you're watching back to the home office. TiVo swears it only uses the information in the aggregate, that it doesn't keep a database of individual usage, but how can we be sure? And of course every time you log onto the Internet you leave a trail of records.
Bruce Schneier, chief technology officer of Counterpane Internet Security, expresses his opinion on these issues. (Extract from article by Mitch Wagner)
[source: Security Pipeline ]
(2004-11-29) [CMP Media LLC.] Banks and their customers are facing new threats of phishing attacks, making it more difficult than ever to protect customers from identity theft and fraud. The increasing sophistication of phishing scams makes it harder for consumers to discern the difference between a legitimate bank e-mail message and a fraudulent one, according to industry experts.
One new type of phishing attack is particularly hard to identify. The technique can result in stolen personal data even if the recipient of the fraudulent e-mail is not fooled by it. When a bank customer simply opens the e-mail, a program attached to the e-mail by the phisher silently runs a script - even if the customer deletes the message without clicking on any embedded links. When that customer attempts to visit his or her bank's legitimate Web site - during that session or a future session - the malicious code redirects the person being phished to a fraudulent Web site. (Extract from article by Cynthia Ramsaran)
[source: Security Pipeline ]
(2004-11-29) [CMP Media LLC.] The Bush administration opposed security measures for new microchip-equipped passports that privacy advocates contended were needed to prevent identity theft, government snooping or a terror attack, according to State Department documents released Friday.
The passports, scheduled to be issued by the end of 2005, could be read electronically from as far away as 30 feet, according to the American Civil Liberties Union, which obtained the documents under a Freedom of Information Act request.
The ability to read remotely, or "skim," personal data raises the possibility that passport holders would be vulnerable to identity theft, the ACLU said. It also would allow government agents to find out covertly who was attending a political meeting or make it easier for terrorists to target Americans traveling abroad, the ACLU said.
[source: Security Pipeline ]
(2004-11-26) [CMP Media LLC.] As spyware continues to plague consumers and enterprise networks, security vendors are moving to incorporate antispyware capabilities into their integrated gateway appliances. Just last week TippingPoint Technologies launched spyware protection for its UnityOne intrusion- prevention systems. Earlier in the month, Check Point Software Technologies unveiled similar antispyware capabilities for its VPN-1 device.
This trend did not develop without warning. Across the industry, spyware has risen steadily since January -- a recent study co-sponsored by America Online and the National Cyber Security Alliance indicated that eight out of 10 computers are infected by some form of spyware. Then came innovation in the form of point solutions. Earlier this month, Computer Associates International and McAfee each released spyware-specific solutions for enterprises and consumers. (Extract from article by Matt Villano)
[source: Security Pipeline ]
(2004-11-24) [CMP Media LLC.] Phishing fraudsters dramatically anted up last month by using automated tools and networks of hacked computers to double the number of sites that illegally collect financial information, the Anti-Phishing Working Group (APWG) said Wednesday.
A massive spike in the number of phishing sites in October lead the group's analysts to conclude that criminals are getting more sophisticated in their attack techniques and technologies. From September to October, phishing sites increased more than 100 percent. "Some automation had to be involved, with a bot network to either send more e-mails and/or host more sites," said Dan Hubbard, the senior director of security at Websense, one of the two investigators who analyzed the phishing data for the group. (Extract from article by Gregg Keizer)
[source: Security Pipeline ]
(2004-12-13) "Afternoon seminar on trans-border data flows and the safe harbour case" will take place on December 6, 2004 (Namur, Belgium).
See calendar entry.
(2004-11-17) [EDRI] Privacy International is calling on all manufacturers of phone camera's to equip the devices with a default flash, to alert people that their picture is taken.
PI believes this measure is necessary to avoid endemic privacy abuse. Camera phones are increasingly used to take intimate and private images without consent, often resulting in embarrassment and harm to relationships. Such images can also be used as material for blackmail, revenge and harassment.
Numerous countries have pursued restrictive measures. Only Saudi Arabia created a complete ban on the devices, other countries such as Australia, Taiwan, the United States, the UK and Canada have adopted specific rules to prevent the use in specific places such as changing rooms, swimming pools and schools. The Ministry of Information and Communication of Korea decided last year to oblige the manufacturers to make sure the devices give a mandatory beep of at least 65 decibel whenever a picture is taken.
(2004-11-17) [EDRI] A large group of UK-based rights organisations, including EDRI-member FIPR and Privacy International, has launched a formal e-petition against governmental plans to introduce ID-cards.
The petition says: "We believe the proposals constitute an attack on individual rights and freedoms. We believe they will lead to institutional discrimination and to unfair and unlawful denial of benefits and services. We believe the proposals will lead to an increase in state control and surveillance over the individual, and that they will create an unacceptable imposition on every citizen."
(2004-11-17) [EDRI] The European Working Party of data protection authorities has finally released an opinion on the proposed retention of communication traffic data. The Working Party concludes the proposal is not acceptable within the legal framework set by Article 8 of the European Convention on Human Rights.
According to the Working Party data retention deserves the same level of protection as interception. They cite jurisprudence from the European Court of Human Rights that decrees that all interception of telecommunications data must fulfil three fundamental criteria; a legal basis, the need for the measure in a democratic society and conformity with a legitimate and listed aim.
(2004-11-18) [EPIC] Drug manufacturers will soon add radio frequency identification (RFID) tags to bottles of prescription pills. This move comes after the Food and Drug Administration (FDA) issued voluntary guidelines lifting restrictions on labeling that may have discouraged companies from testing out the technology. The RFID tags will be used to combat the small but growing problem of prescription drug counterfeiting by allowing tracking of wholesale drug products from manufacturers to pharmacies.
In a position statement issued in November 2003 on RFID technology, almost 50 consumer privacy and civil liberties organizations around the world found the use of RFID tags for tracking pharmaceuticals acceptable as long as the tags help ensure the drugs are not counterfeit, are handled properly and dispensed appropriately, and the tags contained on or in the pharmaceutical containers are physically removed or permanently disabled before being sold to consumers.
For more information about radio frequency identification technology, see EPIC's RFID Page.
[source: EPIC Alert vol 11 no 22]
(2004-11-18) [EPIC] EPIC joined five civil liberties groups to file a "friend of the court" brief encouraging the First Circuit Court of Appeals to overturn a controversial ruling on email privacy.
In June, a three-judge panel held in United States v. Councilman that an email service provider did not violate criminal wiretap laws by acquiring users' incoming emails without their knowledge or consent to gain a commercial advantage over a competitor. Because the emails were not actually in wires or cables between computers when accessed, but were instead temporarily stored on the service provider's computer system, the panel found the emails could not have been "intercepted" in violation of wiretap law. The civil liberties groups' brief argued that the panel's decision creates serious constitutional questions under the Fourth Amendment guarantee against unreasonable search and seizure.
[source: EPIC Alert vol 11 no 22]
(2004-11-18) [EPIC] The Electronic Privacy Information Center and Privacy International released the seventh annual Privacy & Human Rights survey on November 17.
This report reviews the state of privacy in more than sixty countries around the world. It outlines legal protections for privacy and new challenges, and summarizes important issues and events relating to privacy and surveillance.
[source: EPIC Alert vol 11 no 22]
(2004-11-15) [CMP Media LLC.] In an interview with Paul Horn, senior VP of research at IBM, mentions some advantages of the use of RFID i retail industry.
InformationWeek: Is there a similar application for the retail industry?
Horn: We have an Emerging Business Opportunity [unit] in the company for retail, and research is working closely with them. This is focused on the in-store experience and they look at how handheld devices can change the [retail] experience and [whether it makes sense to establish] network platforms within the store to closely collaborate with supply chains and minimize inventory.
Another example is a screen attached to a shopping cart that you plug in your choices. The screen would tell you where to go [to find items in the store] and the specials available in the store. A big piece of what we do is in self checkout and standard checkout, and then connecting that information back to the inventory systems, so the store knows there were three bags of Fritos sold at [a specific] register and how many Fritos bags are left on the shelf. IBM provides the hardware for the checkout and the middleware within the store.
We've also done prototypes with companies interested in shopping patterns. They had video cameras, and we provided software [on the back-end] that captures a person [on the video camera] and track the person's walking pattern through the store. The software picks several people at once and follows them from camera to camera throughout the store. The application works on image recognition. This [application] allowed the store to optimize the floor plan and determine where they should put the merchandise. We've also been talking with security companies about the same software for airports.
[source: RFIDinsight]
(2004-11-16) [CMP Media LLC.] Think about bank robbery, and you think of a dashing outlaw of the 1920s perched on the running-board of a roadster, speeding along a dusty Oklahoma highway, with a lead-spitting Tommy gun on one arm, and a gorgeous moll on the other. Alas, today's bank robbers are a less romantic lot. They're likely to have pallid computer tans and rounded shoulders. Why go to all the trouble of leaving your house and getting shot at when you can steal money from the bank from the comfort of your own PC?
InformationWeek's Steve Marlin describes the threat posed to customer data by hackers and phishers, looking to steal credit card numbers and other customer data from banks and other financial institutions. (Excerpt from article by Mitch Wagner)
[source: Security Pipeline ]
(2004-11-17) [CMP Media LLC.] A British privacy advocacy group Wednesday called on mobile phone makers to take steps to prevent the use of cameraphones to invade privacy. Privacy International claimed that cameraphones should be set to flash every time a picture is taken. That, in turn, would prevent what it termed covert photography taken without the subject's consent.
The group said that such photos can embarrass the subject of the image, hurt relationships and even be used for blackmail and harassment. It noted a significant increase in complaints about such invasions of privacy and noted that some governments, including the U.S. Congress, are considering reforms.
[source: Security Pipeline ]
(2004-11-17) [CMP Media LLC.] Security vendor expects spam and phishing to increase during the season, offers simple advice to all e-mail users. FrontBridge Technologies' spam and virus analysts are forecasting a rise in e-mail spam and phishing scams during the coming Holiday Season.
"The holidays are notoriously busy for spammers," said Dan Nadir, FrontBridge's vice president of product management at. "As the holiday shopping season kicks into high gear and more consumers are using the Internet and email to buy and send gifts, spammers will likely kick into high gear, and we anticipate an equally big increase in e-mail scams."
[source: smallbizpipeline]
(2004-11-03) [MIT's Technology Review] With all of the excitement last month about the Food and Drug Administration approving an implantable radio frequency identification device (RFID), it"s easy to forget that the first place that many Americans will encounter RFID is not in their arms, but at the gas pump, on their key chains, and at major retailers like Wal-Mart. While the FDA and healthcare establishment have been noodling around on the medical and ethical implications of implanting chips into people, other industries have been moving full-speed ahead.
The problem of voluntary, industry-approved privacy standards is that they're voluntary - companies don't need to comply with them. And the very real danger facing the RFID industry is that a suspicious public will push for regulation of this technology. Although the industry has successfully killed legislation proposed earlier this year in California and Massachusetts, high-handed actions on the part of RFID-advocates will likely empower consumer activists and their legislative allies to pass some truly stifling legislation. (Excerpt from article by Simson Garfinkel)
[source: MIT's Technology Review]
(2004-10-28) [CMP Media LLC.] Business Objects joined forces with Velosel, a maker of software for managing product information, to introduce an application that the vendors claim will help companies analyze the massive data flows anticipated from radio frequency identification (RFID) deployments.
The firms integrated elements of Business Objects' business intelligence platform with Velosel5 collaborative product information management (CPIM) software. The combined tool will let retail and consumer packaged goods companies manage product information internally and synchronize product data with partners. It also will let companies analyze product information and business process performance, the vendors said. (Excerpt from article by Ted Kemp)
[source: RFID Insights]
(2004-10-25) [MIT's Technology Review] Internet users at home are not nearly as safe online as they believe, according to a nationwide inspection by researchers. They found most consumers have no firewall protection, outdated antivirus software and dozens of spyware programs secretly running on their computers.
One beleaguered home user in the government-backed study had more than 1,000 spyware programs running on his sluggish computer when researchers examined it. (Excerpt from article by Ted Bridis)
[source: MIT's Technology Review Friday Update ]
(2004-10-01) [BBC] Businesses are being held to ransom by tech-savvy criminals who have stolen important data, say police. The thieves exploit lax security to nab customer lists and then extort cash from victims for their safe return.
The UK's National Hi-Tech Crime Unit said criminals were moving on from targeting gambling sites to firms because they were easier targets. Telecoms supplier Energis said some of its customers had reported attacks by thieves looking for important data.
[source: News]
(2004-10-21) [IDG] Microsoft Corp. is recasting ambitions for its .Net Passport identification system, saying the service will now be limited to its own online offerings and those of close partners. Microsoft no longer sees Passport as a single-sign-on system for the Web at large, a spokeswoman said.
Microsoft's repositioning of Passport comes as careers Web site Monster.com said it's dropping support of the authentication service. New York-based Monster Worldwide Inc. was one of Microsoft's banner Passport users. (Excerpt from articleby Joris Evers)
[source: ComputerWorld]
(2004-10-25) [IDG] A survey conducted by Internet service provider America Online Inc. found that 20% of home computers were infected by a virus or worm and that various forms of snooping programs such as spyware and adware are on a whopping 80% of systems. Even so, more than two-thirds of home users think they are safe from online threats.
The survey reveals a gap between users' perceptions and the prevalence of threats on the Internet. That gap causes many home computer users to forgo security precautions such as antivirus and firewall software, and could pose a threat to the integrity of sensitive personal and financial information, which survey respondents said they are increasingly using their computer to manage, according to a statement from AOL. (Excerpt from article by Paul Roberts)
[source: ComputerWorld]
(2004-09-09) [Jupitermedia Corp] Most people would find banner ads less annoying if they were more relevant to their interests or needs, according to a study released today by the Ponemon Institute.
The 2004 Survey on Internet Ads revealed that 66 percent of those surveyed would find relevant ads less annoying, and that 52 percent would be more likely to respond to a relevant banner ad. (Excerpt from article by Kevin Newcomb)
[source: ClickZ News]
(2004-12-01) [MIT's Technology Review] Lost your hotel key card? No problem: an eyeball will do. Boston luxury lodge Nine Zero has become the world"s first hotel to restrict room access using iris-scanning technology. Guests in the hotel"s exclusive Cloud Nine suite have their irises photographed when they arrive, then peer into a reader outside the suite to unlock the door.
The same technology is being tested at Boston"s Logan Airport and other airports as a way to speed travelers through security lines.
[source: Infotech Briefs]
(2004-11-18) [MIT's Technology Review] An electronic database implanted under the skin can assure speedy and proper medical care - but is it worth it? You can almost see the ads now: Imagine a bright future with a chip in your arm! Went to the supermarket, but left the wallet at home? No problem! Flex your bicep and the smiling cashier passes a scanner over your arm. Voila - identification chip recognized! Problem solved. Your credit is good with us!
After decades as the stuff of sci-fi novels and anime movies, the age of chipped humans is finally a reality. Last month, following two years of review, the Food and Drug Administration approved the use of an implantable chip for medical applications. Each Verichip is the size of a grain of rice and contains a unique, 16-digit radio frequency ID. Linked to a database, that ID tag can call up a variety of information - from medical records to financial information. (Excerpt from article by David Kushner)
[source: MIT's Technology Review Friday Update ]
(2004-11-26) [Bloor Research] Anyone who has been hit by a computer virus will be doubly wary of unexpected e-mails in the future that may contain viruses. So why do people still keep clicking on attachments? How ever much security technology a company deploys, human nature will always be the weakest link in the chain.
Technology is not enough. For security technologies to be effective, users must be trained as to what the dangers are and what standard of behaviour is expected from them. For example, strict sanctions should be applied to individuals who bypass security controls by plugging their computer modems directly into a network connection or to those who store their account names and passwords in clear text on their computer or on a note left next to the computer. (Excerpt from article by Fran Howarth)
[source: IT-Director]
(2004-11-22) [Bloor Research] Over here in Europe, we may think that we are inundated by spam, but spam is estimated to account for just 20% to 30% of the e-mails that we receive. Some may counter that this is still too much, but it pales in significance compared to the 90% of e-mail traffic that is estimated to be spam in the US today. Part of the reason for this is that spam is still largely an English language problem.
But the volume of spam in other European languages is growing rapidly and US-based security vendors are warning Europeans not to be complacent - without systems to adequately deal with spam, it is only a matter of time until we face the same deluge as is currently affecting US firms and consumers.
[source: IT-Director]
(2004-11-26) [silicon.com] File-sharing app labelled as the net's biggest spyware threat. Peer-to-peer program Kazaa is the number one spyware threat on the internet, according to Computer Associates.
According to the company's Pest Patrol research, Kazaa created a greater threat than other programs in its top five spyware list because of its widespread popularity. Kazaa claims that its sofware has been downloaded 214 million times. CA gave Kazaa a high 'clot factor', its measure of how much a program slows a machine by adding uncessary registry entries and directories. However, classifying a popular application like Kazaa as spyware is a delicate matter, and CA admits this create difficulties in labelling them. (Excerpt from article by Dan Ilett)
[source: silicon.com]
(2004-11-19) [Masons] Petco Animal Supplies has settled charges brought by the US Federal Trade Commission (FTC) over security flaws in its web site that exposed customer data, including credit card numbers, despite assuring users that their details would be protected.
In a settlement announced on Wednesday, the FTC has required Petco to establish and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. The deal includes auditing obligations that will apply to Petco for the next 20 years.
[source: OUT-LAW.COM]
(2004-11-15) [Crypto-Gram Newsletter] In the aftermath of the U.S.'s 2004 election, electronic voting machines are again in the news. Computerized machines lost votes, subtracted votes instead of adding them, and doubled votes. Because many of these machines have no paper audit trails, a large number of votes will never be counted. And while it is unlikely that deliberate voting-machine fraud changed the result of the presidential election, the Internet is buzzing with rumors and allegations of fraud in a number of different jurisdictions and races.
Bruce Schneier has some strong opinions on this technology.
[source: Crypto-Gram Newsletter]
(2004-11-22) [Information Technology Toolbox, Inc] The United States hasn't issued any microchip-equipped passports yet, but as the Department of State tests different prototypes, the international standards for the passports are under fire from privacy advocates who worry the technology won't protect travelers from identity thieves.
The American Civil Liberties union has raised alarms and even an executive at one of the companies developing a prototype for the State Department calls the international standards woefully inadequate. (Excerpt from article by Ellen Simon)
[source: IT Toolbox]
(2004-11-19) [MIT's Technology Review] Do you like fast-forwarding through commercials on a television program you've recorded? How much do you like it? Enough to go to jail if you're caught doing it? If a new copyright and intellectual property omnibus bill sitting on Congress's desk passes, that may be the choice you'll face.
Language that makes fast-forwarding through commercials illegal - no doubt inserted at the behest of lobbyists for the advertising industry - was inserted into a bill that would allow people to fast forward past objectionable sections of a recorded movie. That's but one, albeit scary, scenario that may come to pass if the Intellectual Property Protection Act is enacted into law. Deliberations on this legislation will be one of the tasks for the lame-duck Congress that commenced this week. (Excerpt from article by Eric Hellweg)
[source: MIT's Technology Review ]
(2004-10-22) [silicon.com] While retailers are just focusing on money... RFID may be in the tentative stages of adoption in the business world but it seems consumers are fast coming up to speed on the technology.
According to the quarterly RFID Consumer Buzz survey from BigResearch, around one in four US adults are aware of what the tracking technology is and can explain it to their peers. The survey also found that people were afraid of the technology, with two-thirds of who were aware of RFID saying they had fears the chips would lead to privacy abuses. (Excerpt from article by Jo Best)
[source: silicon.com]
(2004-11-15) [Masons] An Australian internet libel case, which culminated in the landmark decision that an article posted on the internet is considered as published at the point where it is downloaded and read, has settled, according to reports.
The case centred on an article posted onto the Barron's Online magazine, which is published by Dow Jones. Gutnick claimed the article, published in October 2000, defamed him, and he sued Dow Jones in Victoria, where his business is headquartered. He argued that the case should be heard in Australia, because he was only interested to re-establish his allegedly damaged reputation there.
Australian businessman Joseph Gutnick received an apology, read out to him in court by lawyers for his opponent, the US publishing group Dow Jones & Company. Gutnick will also receive a payment of $180,000 and $400,000 in legal expenses, according to ABC News Online.
[source: OUT-LAW.COM]
(2004-09-23) [MIT's Technology Review] The US Transportation Security Administration cancelled its CAPPS II passenger screening program earlier this year due to criticism from privacy advocates and disclosures that contractors secretly got data from major U.S. airlines. Now Homeland Security has announced it will order all U.S. airlines to turn over all passenger itineraries from June 2004 to the government for testing of CAPPS II's successor, Secure Flight.
TSA claims that privacy is a "key element" in the new approach and released a privacy impact assessment (pdf) that outlines how testing of the program will go forward and how passengers can contest the accuracy of the information being used. Whether such a program will actually increase the security of U.S. airlines--and the extent to which passenger privacy will be safeguarded--are sure to vigorously debated. Keep your eyes peeled. (Excerpt from article by Erika Jonietz)
[source: blog]
(2004-11-29) "French Big Brother Awards" will take place on January 21, 2005 (Paris, France).
See calendar entry.
(2004-11-29) "DIMACS Workshop on Security of Web Services and E-Commerce" will take place on May 5 -- 6, 2005 (Piscataway, NJ, USA).
See calendar entry.
(2004-11-29) "SOUPS2005 Symposium on Usable Privacy and Security" will take place on July 6 -- 8, 2005 (Pittsburgh, PA, USA).
See calendar entry.
(2004-11-29) "CSFW 18 - 18th IEEE Computer Security Foundations Workshop" will take place on June 20 -- 22, 2005 (Aix-en-Provence, France).
See calendar entry.
(2004-11-29) "TSPUC2005 International Workshop on Trust, Security and Privacy for Ubiquitous Computing" will take place on June 13, 2005 (Taormina, Sicily, Italy).
See calendar entry.
(2004-11-04) [Krisberedskapsmyndigheten] [Swedish] Utredningen "Operation Firewall" som inleddes av U.S Secret Service 2003 har gett utdelning. De har avslöjat ett internationellt brottssyndikat som specialiserat sig på bland annat identitetsstölder, data och kreditkortsbedrägerier.
Detta nätverk bestod av medlemmar från Sverige, Bulgarien, Vitryssland, Polen, Holland och Ukraina. Nätverket använde sig av olika webbsidor för att sälja kreditkortsinformation och även information om hur man begår kreditkortsbedrägerier.
[source: Delete nr 47]
(2004-11-04) [Krisberedskapsmyndigheten] [Swedish] Roger Cumming, chefen för Engelska NISCC (National Infrastructure Security Co-ordination Centre), har gjort ett uttalande i vilket han pekar på säkerhetsriskerna med bredband. Han menar att man måste höja användarnas medvetenhet när det gäller säkerhetsaspekten.
Cumming anser att det är staten och Internetleverantörernas ansvar att utbilda användarna. Det Cumming ser som den största faran är att hackare använder sig av trojaner/virus mot hemanvändarnas datorer och skapar ett nätverk av infekterade datorer så kallade botnets.
[source: Delete nr 47]
(2004-11-04) [Krisberedskapsmyndigheten] [Swedish] Användning av mjuka certifikat vid bankärenden har ökat de senast åren, i synnerhet i Sverige. Riskerna med mjuka certifikat är dels att informationen lagras på hårddisken, dels att tekniken inte tillåter en begränsning av antalet ogiltiga inloggningsförsök vilket är möjligt när det gäller bankkort.
Rikskriminalpolisen (RKP) har märkt en ökning av brott som är relaterade till användning av mjuka certifikat, ett 10-tal fall har upptäckts men för närvarande finns ingen statistik på området då mörkertalet kan vara stort.
[source: Delete nr 47]
(2004-11-12) [silicon.com] Kevin Warwick, professor of cybernetics at Reading University and a man who has wired up his nervous system to a computer and put an RFID chip in his arm, is looking forward to becoming a cyborg once again - but warned the day will come when computer viruses can infect humans as well as PCs.
Networking a human brain would mean an almost "infinite knowledge base", he said, adding it would be akin to "upgrading humans... giving us abilities we don't already have". Warwick says the security problems that dog modern computing won't be much different from those that could plague the cyborgs of the future. If humans were networked, the implications of being hacked would be far more serious and attitudes towards hackers would be radically changed, he added. (excerpt from article by Jo Best)
[source: silicon.com]
(2004-11-15) [Masons] The [UK] Office of Fair Trading on Friday lost a test case brought to decide the question of whether or not consumer safeguards on credit card purchases apply to purchases made abroad, in person or on-line, as they do in the UK.
The credit card issuer and the supplier are jointly liable if the consumer has a valid claim for misrepresentation and/or breach of contract by the supplier but only if the cash price of an item is over £100 but less than £30,000, and the credit limit is no more than £25,000. But until now there has been a question mark over whether this protection applies to goods purchased overseas.
The High Court issued a ruling on Friday that domestic transactions - whether from a shop, by mail order, by telephone or over the internet - are protected, but overseas transactions are, in general, not protected at all.
[source: OUT-LAW.COM]
(2004-11-18) [Masons] With the EU Council of Ministers due to discuss proposals for an EU-wide system of data retention tomorrow, the EU Data Protection Working Party has published an Opinion describing the current proposals as "not acceptable".
In April, the UK, France, Ireland and Sweden published a draft Framework Decision setting out provisions for the creation of an EU-wide system of retaining communications data. Such data identify the caller and the means of communication (e.g. subscriber details, billing data, e-mail logs, personal details of customers and records showing the location where mobile phone calls were made) but not the content of the communications.
The existing proposals do not, according to the Working Party, conform with the requirements of the European Convention on Human Rights as they do not fulfil three basic criteria: "a legal basis, the need for the measure in a democratic society and conformity with one of the legitimate aims listed in the Convention".
[source: OUT-LAW.COM]
(2004-11-16) [Datainspektionen] [Swedish] Datainspektionens avdelning "Frågor & svar om personuppgifter" har utökats. Där finns bland annat fem nya svar på vanliga frågor om Internet.
Läs mer på frågo-och-svar sidan.
[source: Nyheter]
(2004-11-16) [Datainspektionen] [Swedish] I två motioner till riksdagen föreslås att Datainspektionen ska överta tillsynsansvaret för övervakningskamerorna. Idag delar 21 länsstyrelser på ansvaret.
Dokumentation om motioner och betänkande finns tillgängligt.
[source: Nyheter]
(2004-11-15) [MIT's Technology Review] As one of the world's most prolific spammers, Jeremy Jaynes pumped out at least 10 million e-mails a day with the help of 16 high-speed lines, the kind of Internet capacity a 1,000-employee company would need.
Jaynes' business was remarkably lucrative; prosecutors say he grossed up to $750,000 per month. If you have an e-mail account, chances are Jaynes tried to get your attention, pitching software, pornography and work-at-home schemes.
[source: MIT's Technology Review Friday Update ]
(2004-11-13) [MIT Technology Review, Inc.] JUKI net is Japan's national ID system. Ejovi Nuwere performed a security audit of the system for Nagano Prefecture one year ago. Recently Ejovi was invited to speak at the PacSec security conference about JUKI net. Soumushou, the Japanese government agency that maintains JUKI net, prevented his talk by threatening the Japanese event sponsors who currently are seeking contracts from the government.
See documentation.
[source: blog]
(2004-10-25) [Bloor Research] A survey released this week by Entrust, a vendor of security technology, has highlighted consumer concerns about use of the internet. The results of the survey show that security concerns have not been eased by efforts that companies have taken to ensure the security of transactions made over their web sites.
However, where consumers used to be primarily concerned about hackers stealing their credit card details, security concerns have become even more personal. Today, the survey commissioned by Entrust shows that a full 80% of respondents that are existing internet users are concerned that someone will steal their identity were they to perform banking functions online. Whilst previously this was a problem that was largely confined to the US, it has become a growing problem worldwide over the past couple of years. In the UK, identity theft is the fastest growing form of fraud and the Home Office estimates that it is costing the UK alone £1.3 billion per year. (Excerpt from article by Fran Howarth)
[source: IT-Director.com]
(2004-11-29) [Privacilla.org] The modern automobile has so many advanced technologies built into it that it could be considered a computer with an engine and wheels. Many people are interested in the data developed by this computer, but they do not seem so interested in asking car-owners for permission to collect and use it.
The National Highway Traffic Safety Administration may soon require all automobiles to have Event Data Recorders (EDRs) or "Black Boxes" similar to those found on commercial airliners. It is currently considering whether it should require collection of standardized data by EDRs that are going to be installed anyway.
The privacy-sensitive solution to this conundrum is to offer consumers the option of whether to allow EDRs on their automobiles. If black boxes are installed, car-owners should be able to decide when they run and what they do.
[source: Web article]
(2004-11-10) [IDG] Motivations of malware writers are shifting from fame and notoriety to money, according to research from antivirus firm TrendMicro. The company's research arm observed that 47% of malware detected in October were Trojan horses, compared with 30% the previous month .
Backdoor programs together with Trojans make up almost 65% of detected malware. Because these malware are the main vector for information theft, this data shows that the motivation of malware authors is shifting from the traditional goal of claiming fame and notoriety to the pursuit of profit and monetary rewards.
[source: ComputerWorld]
(2004-10-21) [CMP Media LLC.] Google's Desktop Search doesn't come with a warning label, but perhaps it should. "This isn't a great application for cybercafes or library terminals," says Marissa Mayer, director of consumer Web products at Google Inc.
Google introduced the application online last week. The software enables people to search their E-mail files, instant-messaging chats, Web-browsing history, and other local documents using Google's Web interface.
Mayer suggests thinking of the application as a photographic memory for a computer's activities. One thing that's necessary for memory, she says, is a history. Toward that end, the application indexes and stores versions of files and other computer activity. The company's stated goal is to make information easier to find. This presents a challenge to those who rely on security through obscurity. (Extract from artcile by Thomas Claburn)
[source: Security Pipeline ]
(2004-10-22) [CMP Media LLC.] Nearly all of the largest telecommunications companies share personal data provided by Web site visitors without first asking permission, a research group said Friday.
In a semiannual study of 27 of the largest telecom companies, the Boston-based Customer Respect Group found 85 percent used information provided online for purposes other than what the visitor intended. The companies that did not share data with internal marketing departments, affiliates, subsidiaries, or business partners included AT&T, Nextel Communications Inc., Sprint Corp., and Verizon Wireless. (Extract from article by Antone Gonsalves).
[source: Security Pipeline ]
(2004-02-01) [Teknologirådet] [Norwegian] Høsten 2003 gjennomførte Teknologirådet en fokusgruppe-undersøkelse om "vanlige brukeres" forhold til temaer som personvern, e-handel, elektroniske spor og lokasjonsbaserte tjenester.
Undersøkelsen er en del av Teknologirådets arbeidet med å kartlegge status for personvernet i en tid hvor vi etterlater oss stadig flere og mer innholdsrike elektroniske spor ved.
Se Holdninger til personvern (delrapport, februar 2004).
[source: News]
(2004-07-22) [Rådet for it-sikkerhed for flere oplysninger.] [Danish] Rådet for it-sikkerhed anerkender det tidligere IT-sikkerhedsråds udgivelse "Privatliv på internet - redegørelse med praktiske råd for den private internetbruger."
Du kan finde pjecen her..
[source: News]
(2004-11-22) [IDG] A new phone, called Mymo, belongs to a new breed of devices and services that let parents in Europe not only stay in touch with their children but, even more innovatively, pinpoint their whereabouts. Technology to track kids is sprouting up around the Continent as working parents show more concern about staying in touch with their youngsters.
Although the Mymo phone is targeted at kids between ages 4 and 8, some parents are buying the device for grandparents, too. "We've sold a good number of phones to couples who told us they want something really simple for their parents," Stephenson said. "The elderly market is one we will soon target with a new, very similar phone."
Despite their usefulness, however, new tracking technologies have given rise to some security and data privacy concerns. MobileLocate was forced to install new encryption technology and, more recently, the Children's Charities' Coalition on Internet Safety has urged the U.K. government to set strict controls on tracking services. So a word to the wise in these early days of location services: track carefully. (Exceprt from article by John Blau)
[source: Wireless.itworld.com]
(2004-11-09) [Obivision] Paper presented at the second annual conference on Privacy, Security, Trust (2004) is available online.
The paper Zero-knowledge Device Authentication: Privacy & Security Enhanced RFID preserving Business Value and Consumer Convenience (pdf) is by Engberg, Harning and Damsgaard Jensen. The associated slides (pdf) are also available. More information about the conference can be found at. PST'04 home page.
[source: News]
(2004-11-09) "[Swedish] Seminarium på temat arbetsplatsintegritet" will take place on December 10, 2004 (Stockholm, Sweden).
See calendar entry.
(2004-11-04) [Datainspektionen] [Swedish] Den som spelar in kundsamtal digitalt måste informera om det när man lämnar registerutdrag enligt PuL. Om kunden kräver det, ska inspelningen lämnas ut. När Datainspektionen undersökte bankernas rutiner visade det sig att bara varannan bank som spelade in samtal nämnde det i sina registerutdrag.
Det är ganska ovanligt att bankkunder utnyttjar rätten till utdrag. Mindre än hälften av de 30 bankerna hade över huvud taget fått in någon ansökan under det senaste året, bara fem banker hade fått in mer än 20 stycken. Hälften av bankerna gjorde digitala inspelningar av samtal med sina kunder. En sådan inspelning kan vara behandling av personuppgifter.
[source: Nyheter]
(2004-10-28) [Datainspektionen] [Swedish] I det nya numret av magazin DIrekt ger Datainspektionens nye generaldirektör Göran Gräslund följande programförklaring. "Vi arbetar idag väldigt mycket med reaktiva uppgifter, vi kommer in i bilden när det redan har gått snett eller för att någon annan har begärt det. Nu är det dags att ta fler egna initiativ, utveckla det proaktiva arbetet."
I tidningen kan du också läsa om: "Snuskiga pizzor fick hängas ut på nätet", "Så gör man i Norge", "Rapport från Norden", och "Patienter får vänta på journaler via Internet".
[source: Nyheter]
(2004-10-22) [Datainspektionen] [Swedish] Vad gäller när ny teknik ska användas för att behandla personuppgifter? Datainspektionens svar på en förfrågan kan användas som checklista. Datainspektionen fick en förfrågan från ett företag som tillverkar ett datasystem som analyserar röster. Datainspektionen gav ett skriftligt svar som ger vägledning i ett antal nyckelfrågor.
Datainspektionens skrivelse behandlar bl.a. frågor om vem som är ansvarig, när behandlingen är tillåten, krav på information till de registrerade, säkerhet m.m. Dokumentet kan ses som en checklista som kan användas även i andra fall när ny teknik används för att behandla data som kan vara personuppgifter.
[source: Nyheter]
(2004-11-07) "SEC2005: Security and Privacy in the Age of Ubiquitous Computing" will take place on May 30 -- June 1, 2005 (Chiba, Japan).
See calendar entry.
(2004-11-07) "The Concealed I: Anonymity, Identity, and the Prospect of Privacy" will take place on March 4 -- 5, 2005 (Ottawa, Canada).
See calendar entry.
(2004-11-07) "12th Annual Network and Distributed System Security Symposium" will take place on February 3 -- 4, 2005 (San Diego, CA, US).
See calendar entry.
(2004-11-07) "3rd Annual Digital Rights Management Conference 2005" will take place on January 13 -- 14, 2005 (Berlin, Germany).
See calendar entry.
(2004-11-07) "Africa Electronic Privacy and Public Voice Symposium" will take place on December 6, 2004 (Capetown, South Africa).
See calendar entry.
(2004-11-07) "Copyright and Privacy: Collision or Coexistence?" will take place on November 18, 2004 (Chicago, IL, US).
See calendar entry.
(2004-11-05) [EPIC] A recent survey by Artafact LLC and BIGresearch reveals that a majority of consumers who are aware of RFID technologies are "very or somewhat concerned about invasion of privacy issues." 88% of respondents concerned with privacy cited the government as the organization most likely to abuse consumer privacy information.
Previous surveys have shown similar consumer privacy concerns. See The Artafact LLC and BIGresearch study and The Auto-ID Center/Proctor & Gamble survey.
[source: EPIC Alert vol 11 no 21]
(2004-11-05) [EPIC] In a September 21 decision, the Court of Justice of the European Communities denied the European Parliament's request that the court quickly review a complaint on the Passenger Name Records (PNR) agreement passed last May between the Department of Homeland Security and the European Commission.
The European Parliament claimed last May that the PNR agreement should be annulled, arguing that it violates European data protection legislation, and that the European Parliament's assent is necessary for the agreement to enter into force.
[source: EPIC Alert vol 11 no 21]
(2004-11-05) [EPIC] Two Canadian privacy officials have released reports asserting that the war on terror is compromising the privacy of Canadians.
The report concluded that changes to privacy law and other measures are necessary to protect British Columbians' personal information against seizure under the controversial American law.
[source: EPIC Alert vol 11 no 21]
(2004-11-05) [EPIC] Concluding that Secure Flight passenger prescreening proposal is, like CAPPS II, "exactly the sort of system that Congress sought to prohibit when it enacted the Privacy Act of 1974," EPIC has called for the test phase of Secure Flight to be postponed until the Transportation Security Administration addresses the program's significant privacy issues.
EPIC's recommendations were made in response to notices published by the agency in September outlining plans for the test phase of Secure Flight. As described by the TSA, Secure Flight will compare Passenger Name Records (PNRs) against information compiled by the Terrorist Screening Center, which will include expanded "selectee" and "no fly" lists.
[source: EPIC Alert vol 11 no 21]
(2004-11-03) [EDRI] The OpenNet Initiative has published a report on the diversity of filtering programs and their impact on international law, communications, and policy. The initiative is an ongoing research partnership by the Advanced Network Research Group of the University of Cambridge, the Citizen Lab at the University of Toronto, and the Berkman Center to monitor international Internet censorship
Read the OpenNet report.
[source: EDRI-gram - Number 2.21, 3 November 2004]
(2004-11-03) [EDRI] Privacy International has expressed grave concerns about new Dutch legislation for extended compulsory identification. From 1 January 2005 every Dutchman (and tourist) 14 years and older will have to wear ID, and can be fined up to 2.250 euro for not immediately showing ID when asked to do so by any police official, or related officials, such as foresters and custom officials.
A new government advertising campaign, launched this week, is targeted at children between 14 and 18, to make sure they buy an identity card in time. Officially the Netherlands only have an obligation to show ID when asked, but in the campaign children are told flat-out they have to always wear ID.
[source: EDRI-gram - Number 2.21, 3 November 2004]
(2004-11-03) [EDRI] Six months after cancelling the use of electronic voting machines for the European elections Ireland has reached a deal with the Dutch manufacturer of the machines. The Irish government will hire a private firm, acceptable to both sides, to review the complete source code of the voting machines. Nedap, the Dutch company that manufactured the machine, will provide the code under a non-disclosure agreement. The source code will not be made public.
In March 2004 the Irish government set up the Independent Commission on Electronic Voting to review the secrecy and accuracy of the Nedap system. It is unknown if the review and possible problems found in the code will be made public. The expert Joe McCarthy has warned that Irish government will still be under pressure to introduce a paper trail element to the system. Nedap has argued that the system does not need a paper trail and that it is trustworthy without one.
[source: EDRI-gram - Number 2.21, 3 November 2004]
(2004-11-03) [EDRI] Printer-manufacturer Canon is secretly adding a unique code to every print-out made on household printing equipment. But this seems to be a very wide-spread practice. Many laser printers seem to print-out a unique number on every print-out, invisible to the bare eye, measuring only 0,1 millimetre.
The Dutch police has admitted to e-zine Webwereld that they have used these marks to detect the sources of print-outs, tracing individual printers through the vendor chain. "We are familiar with this research method," said Ed Kraszewski of the Dutch national police agency KLPD. "We are using it in our research and it has proven to be successful in the past."
Although modern printers are sold under many different brand names, the insides are very similar. Inside every machine is a print engine with a unique and traceable identity. These engines are produced by a handful companies, such as Toshiba Corp., Canon Inc. and Ricoh Co. Ltd.
[source: EDRI-gram - Number 2.21, 3 November 2004]
(2004-11-03) [EDRI] According to a new Council proposal, member states have to include, in EU passports, digitalised fingerprints and a face scan on the RFID chip embedded in the travel documents. Face scans will have to be included in travel documents 18 months after the Council regulations enter into force (Germany will already start issuing biometric passports at the end of 2005), fingerprints will follow 18 months later.
Fingerprints as an additional identifier will subject 450 million EU citizens to a procedure presently reserved for crime suspects. The initiative for the proposal was taken by Germany, Greece, France, Italy, Lithuania, Malta, Poland, Slovenia and Spain. It was opposed only by Estonia, Finland, Latvia and Sweden, while Germany and the United Kingdom are said to back an even more extreme proposal that would require iris scans as a third biometric identifier in travel documents.
[source: EDRI-gram - Number 2.21, 3 November 2004]
(2004-10-25) [ComputerWorld, Inc] A survey conducted by Internet service provider America Online Inc. found that 20% of home computers were infected by a virus or worm and that various forms of snooping programs such as spyware and adware are on a whopping 80% of systems. Even so, more than two-thirds of home users think they are safe from online threats.
The survey reveals a gap between users' perceptions and the prevalence of threats on the Internet. That gap causes many home computer users to forgo security precautions such as antivirus and firewall software, and could pose a threat to the integrity of sensitive personal and financial information, which survey respondents said they are increasingly using their computer to manage, according to a statement from AOL. (Excerpt from article by Paul Roberts)
See also MIT Technology Review article: Internet Users Not as Safe Online as They Believe, Researchers Report
[source: ComputerWorld]
(2004-10-21) [ComputerWorld Inc] Microsoft Corp. is recasting ambitions for its .Net Passport identification system, saying the service will now be limited to its own online offerings and those of close partners. Microsoft no longer sees Passport as a single-sign-on system for the Web at large, a spokeswoman said.
Passport was once a key part of its hosted services strategy, but Microsoft has been silent about it in the past few years and hasn't done any significant development work on the system. Instead, the company has been quietly scaling back several of Passport's components. A directory of sites that support the service was removed this year, and in March 2003, a payments feature was axed. (Excerpt from article by Joris Evers)
[source: ComputerWorld]
(2004-10-01) [BBC] Businesses are being held to ransom by tech-savvy criminals who have stolen important data, say UK police. The thieves exploit lax security to nab customer lists and then extort cash from victims for their safe return.
Criminals are now moving on to target firms that are not doing enough to protect important data. "It's a problem," [the head of the UK's National Hi-Tech Crime Unit] told BBC News Online. "This is financially-motivated hacking whereas a few years ago they would have been doing it for mischief or notoriety." "Any company that's engaged in e-commerce has to be very careful as their data is very valuable," he said.
"The cases we have had reported have tended to be thefts of personal information," he said. "They want people's details, credit card numbers, for obvious reasons." In some cases the groups want cash to return an entire customer database, in others firms are being asked to pay a bounty for each entry in that contact list. Mr Deats said the criminals also make money selling the contact list on to spammers and phishing groups keen to get hold of live e-mail addresses.
[source: News Online]
(2004-10-20) [CMP Media LLC.] A small handful of miscreants are responsible for the vast majority of phishing attacks, a message-security firm's research revealed Wednesday, giving hope to authorities going after such criminals. CipherTrust, an Atlanta-based security vendor, analyzed the mail traffic processed through its IronMail appliance during the first two weeks of October, and discovered that just five bot networks generate virtually all the world's phishing scams.
It comes as no surprise that the bulk of the compromised computers used by the phishers connect to the Internet via broadband cable or DSL, said Alperovitch, nor that PCs in the U.S. make up 32 percent of the pool, with South Korea in second at 16 percent. "These machines are simply fantastic for [phishing] purposes," he added. (Excerpt from article by Gregg Keizer)
[source: Security Pipeline ]
(2004-10-19) [CMP Media LLC.] People who use public or workplace computers for e-mail, instant messaging and Web searching have a new security risk to worry about: Google's free new tool that indexes a PC's contents for quickly locating data. If it's installed on computers at libraries and Internet cafes, users could unwittingly allow people who follow them on the PCs, for example, to see sensitive information in e-mails they've exchanged. That could mean revealed passwords, conversations with doctors, or viewed Web pages detailing online purchases.
"It's clearly a very powerful tool for locating information on the computer," said Richard M. Smith, a privacy and security consultant in Cambridge, Mass. "On the flip side of things, it's a perfect spy program." (Excerpt from article by Anick Jesdanun)
[source: Security Pipeline ]
(2004-10-21) [EPIC] The architect of controversial government data mining programs has taken his ideas to a private, offshore company, the Washington Post has reported. Ben H. Bell III, the former director of the Office of National Risk Assessment, helped design the now-defunct Computer Assisted Passenger Pre-Screening program (CAPPS II), and is now using similar concepts and technology with his new employer, Bahama-based Global Information Group Ltd.
Global Information intends to privatize this "terrorist risk identity assessment," as well as perform checks on cargo ship crews, foreign job candidates, and those who wish to open U.S. bank accounts. By basing its operations in the Bahamas, the private company is able to avoid U.S. regulatory standards and oversight of its handling of sensitive personal data.
[source: EPIC Alert vol 11 no 20]
(2004-10-21) [EPIC] The Food and Drug Administration has approved the use of an implantable computer chip for health care information applications. VeriChip is a radio frequency identification (RFID) device about the size of a grain of rice. Each chip contains a unique verification number that is revealed by passing a scanner over the chip.
Although no regulation currently exists in the United States to restrict potential abuses of the chip, the European Union and a few other countries around the world already have rules or guidelines in place that apply basic data protection principles to any collection and use of information through the use of RFID technology.
[source: EPIC Alert vol 11 no 20]
(2004-10-21) [EPIC] EPIC Executive Director Marc Rotenberg joined other recipients of the Norbert Wiener Award for Professional and Social Responsibility in calling on Congress and others to examine the redirection of science funding toward systems of mass surveillance. In an open letter dated October 16, fourteen Wiener Award winners cautioned that this shift in research priorities "could pose a fundamental risk to political freedom, privacy, and Constitutional liberty."
The letter concluded, "[t]he American public has repeatedly made clear that it does not support the establishment of vast systems of public surveillance. Yet our science agencies and many of our top researches are now pursuing precisely this mission. We believe this must change."
[source: EPIC Alert vol 11 no 20]
(2004-11-07) "14th Annual RSA Conference" will take place on February 14 -- 18, 2005 (SanFrancisco, CA, US).
See calendar entry.
(2004-11-07) "2004 Big Brother Awards Hungary" will take place on November 25, 2004 (Budapest,Hungary).
See calendar entry.
(2004-11-07) "Sunshine on Public Data: Conference on Freedom of Electronic Information" will take place on October 26, 2004 (Budapest, Hungary).
See calendar entry.
(2004-11-04) [Masons] Commercial sellers on eBay's German site are subject to the rules imposed by an EU Directive on Distance Selling - including the customer's right to return goods without reason within two weeks, a German court ruled yesterday.
According to reports, the case concerned an unnamed jeweller who sold a diamond bracelet through eBay's German store, only to find that his customer rejected the goods and refused to pay on the grounds that he was entitled to cancel the contract under EU consumer protection rules. The ruling does not apply to sales between businesses, or between private sellers and private purchasers
[source: OUT-LAW.COM]
(2004-11-04) [Masons] A new phishing technique can capture on-line banking details without requiring users to click on a web site link. They simply have to open an e-mail, according to a warning from e-mail security provider MessageLabs.
Towards the end of October, the company intercepted a number of e-mails which, when opened, silently run a script that attempts to rewrite the host files of targeted machines. This means that the next time the user attempts to legitimately access on-line banking he will be automatically redirected to a fraudulent web site, enabling his log in details to be stolen.
[source: OUT-LAW.COM]
(2004-11-01) [Masons] An EU report looking into the implementation of an Agreement between the US and the EU that allows the safe transfer of personal data from the EU has highlighted a few concerns with US compliance.
The transfer of personal data outside the UK or other EU countries is severely limited by the Data Protection Directive of 1995 that prevents transfers to countries without adequate data protection laws. This includes the US, which has no equivalent legislation and instead largely relies on a self-regulatory system. The report assessed three main issues:
[source: OUT-LAW.COM]
(2004-11-01) [CMP Media LLC.] How well do spyware combat tools succeed in cleaning an infected machine? Perhaps not as well as one would hope. A personal experience indicates that one should not expect that ones machine will be pure and healthy after running ant-spyware tools.
Read the story. (Article by Matthew Fordahl)
[source: Security Pipeline ]
(2004-10-31) [CMP Media LLC.] Tagalong software, generally known as spyware, is an especially tricky security threat because user carelessness is nearly always to blame. Legally, spyware providers protect themselves through voluminous licence agreements. But major industrial players experience negative impacts of spyware.
Users should read licensing agreements that come with free software. Many will name programs that tag along. For more details on what such programs do, try typing their names into a search engine or a spyware database like SpywareGuide.com's.
Some PC repair shops blame spyware for more than half the trouble they're seeing. At Dell Inc., spyware accounts for 15 percent of service calls, up from 2 percent in August 2003. Dell Inc. and the nonprofit Internet Education Foundation recently launched a spyware education campaign. Video tutorials and other tips are available at getnetwise.org.
[source: Security Pipeline ]
(2004-10-15) [The Practical Nomad] Contrary to [what one could believe], the identification and biometric (digital photograph) data on RFID passports in the USA will not be encrypted. I think I didn't grasp this, even when I read the draft ICAO specifications, because it was, and is, so astonishingly, over-the-top, unsafe and vulnerable to criminal abuse that I couldn't believe it. But this is the way it is planned.
It also becomes clear on rereading the proposed ICAO standards and the USA government contract proposal (RFP), that the signature -- the one thing other than the photograph actually used to authenticate someone using a passport, particularly for financial purposes like cashing a check, sending or receiving money, or opening a bank account -- will be the one major element of the passport not digitally encoded at all (and thus not amenable to authentication through the hash or its digital signature).
[source: Edward Hasbrouk's blog]
(2004-10-04) [Bruce Schneier] Future U.S. passports, currently being tested, will include an embedded computer chip. This chip will allow the passport to contain much more information than a simple machine-readable character font, and will allow passport officials to quickly and easily read that information. The administration is advocating radio frequency identification (RFID) chips for both US and foreign passports, and that's a very bad thing.
RFID chips are like smart cards, but they can be read from a distance. A receiving device can "talk" to the chip remotely, without any need for physical contact, and get whatever information is on it. Passport officials envision being able to download the information on the chip simply by bringing it within a few centimeters of a reader.
Unfortunately, RFID chips can be read by any reader, not just the ones at passport control. The upshot of this is that anyone carrying around an RFID passport is broadcasting his identity. ... It means that a passport holder is continuously broadcasting his name, nationality, age, address, and whatever else is on the RFID chip. It means that anyone with a reader can learn that information, without the passport holder's knowledge or consent.
[source: Blog]
(2004-10-08) [EPIC] The Council of Europe is actively urging countries to sign in to law the Council of Europe Convention on Cybercrime. The Convention was signed in 2001 by 30 countries, but has since been ratified by only eight.
Governments are wary of potentially being required to make data on their citizens available to other governments. The Council of Europe recently participated in the United Nations Consultation on the Working Group on Internet Governance, suggesting the Convention on Cybercrime is a model law that other countries should adopt nationally.
[source: EPIC Alert vol 11 no 19]
(2004-10-08) [EPIC] On September 30, the United States Visitor and Immigrant Status Indicator Technology (US-VISIT) program began screening travelers entering and leaving the United States through the Visa Waiver Program, affecting an estimated 13 million citizens from 27 nations.
A result of a policy change the U.S. government will collect biometrics from about 33,000 more travelers every day.
[source: EPIC Alert vol 11 no 19]
(2004-10-08) [EPIC] The 2003-2004 California legislative sessions were marked by the passage of several significant privacy laws. California continues to be the leading state in developing new protections for privacy. The protections tend to be strong, giving individuals substantive rights to limit exploitation of personal information.
California is taking strong steps against "list brokerage," the compilation of personal information from business transactions, warranty cards, or sweepstakes entries for resale to telemarketers, spammers, and junk mailers.
[source: EPIC Alert vol 11 no 19]
(2004-10-08) [EPIC] The U.S. Court of Appeals for the First Circuit has voted to rehear its recent decision that that a company did not violate federal wiretap law when it accessed its customers' e-mail to view messages sent to them by a rival company.
This case involved an online literary clearinghouse that paired rare and used book dealers with book buyers. A clearinghouse employee wrote a revision to the mail processing code to intercept, copy, and store all incoming messages from Amazon.com before they were delivered to and read by the intended recipients. Clearinghouse employees accessed thousands of e-mails this way to gain a commercial advantage.
The court found that when the clearinghouse obtained the e-mails, the messages were in temporary storage in a computer system. Because no "intercept" occurred, the panel held that the Wiretap Act could not have been violated.
[source: EPIC Alert vol 11 no 19]
(2004-10-01) [SecurityPark] The joy of email, and the reason for its success, is that it is so simple. You type a message, you press send, it appears in the addressee’s inbox - perfect. But behind this user friendly front lurk legal traps, and regulatory pitfalls, waiting to ensnare the unwary manager responsible for maintaining corporate communications.
Complying to the UK Regulation of Investigatory Powers Act 2000 (RIPA), and the Data Protection Act (DPA) is not entirely straightforward. When it comes to Europe and the United States it gets even more complicated, and anyone responsible for multi-national corporate networks, and sharing data across borders, needs to appreciate the differences.
[source: News]
(2004-10-201) [privacy.org] A new feature that Google is offering allows the indexing of Word, Excel and PowerPoint files on personal computers also poses privacy concerns. It is reported that the tool may allow shadowing of users while they surf the net, or provide access to passwords or e-commerce transactions.
A new feature that Google is offering allows the indexing of Word, Excel and PowerPoint files on personal computers also poses privacy concerns. It is reported that the tool may allow shadowing of users while they surf the net, or provide access to passwords or e-commerce transactions.
[source: News]
(2004-10-14) [New York Times] The US Food and Drug Administration has cleared the way for a Florida company to market implantable chips that would provide easy access to individual medical records.
In Applied Digital's vision, patients implanted with the chips could receive more effective care because doctors, other emergency-room personnel and ambulance crews equipped with Applied's handheld radio scanners would be able to read a unique 16-digit number on the chip. The chip does not contain any records, but with the number, the care provider would be able to retrieve medical information about blood type, drug histories and other critical data stored in computers. The records could be easily updated. (Excerpt from article by Barnaby J. Feder and Tom Zeller Jr.)
[source: Technology News]
(2004-09-27) [silicon.com] The concerns of shoppers, civil liberties groups and privacy advocates over the implications of RFID seem to have finally registered with some tech vendors. While most RFID watchers say that it will be cost not privacy worries that will slow down adoption of the technology, SAP is hoping to soothe the doubters with a series of talking shops.
SAP will be attempting to bring vendors, political groups, industry figures and civil libertarians together at CeBIT 2005 and other trade shows to try and get the two sides to find common ground.
[source: Web]
(2004-10-08) [MSN] We've always been told that trying to "opt-out" from spam messages is probably a bad idea. Spam filtering firm MessageLabs now says there's a new reason not to click -- spammers are starting to sneak special code into that opt-out link which turns the spam recipient into an unwitting accomplice. The link is really a clever trick designed to turn the victim's computer into a zombie that can be used to send out more spam.
For years, experts have debated the real-life effect of clicking on unsubscribe links usually found at the bottom of spam. The links are now required by federal law, but conventional wisdom suggests "opting out" often has the opposite effect, because it announces to the spammer that the e-mail address is accurate and active.
[source: MSNBS News]
(2004-08-16) [IDG] In an article on commercial use of personalization, some statistics about customer preferences were mentioned. This does of course indicate consumer preferences w.r.t. the kinds of services they would like to see. What price are they willing to pay for such services? Do they care? Do they know?
One reading of the numbers are that customers do want personalised content.
U.S. Internet users interested in personalized content
U.S. Internet users who are willing to provide demographic data in exchange for personalized content
Base: 673 respondents surveyed in May 2004 (Excerpts from article by Kym Gilhooly)
[source: ComputerWorld]
(2004-10-20) [EDRI] The Safer Internet programme 1999 - 2004 (funded by the European Commission) has set up a European network of hotlines, encouraged self-regulation and codes of conduct, supported development of filtering and rating systems and stimulated awareness actions. A hearing on the proposed Safer Internet Plus programme (50 million euro, 2005-2008) was held on October 11, 2004, concerning the efficacy of the proposed measures, privacy implications, etc.
See Safer Internet Plus programme 2005-2008 and Commission ex-ante evaluation.
[source: EDRI-gram - Number 2.20, 20 October 2004]
(2004-10-20) [EDRI] The Dutch presidency of the European union drafted a revised proposal for the mandatory storing of telecommunication data. The new proposal seems to let the members states free in choosing the time period and raises many questions with regard to its scope.
The new, revised proposal sets the retention period to 12 months. But no member state will be bound by this limit: "Member States may have longer periods for retention of data dependent upon national criteria when such retention constitutes a necessary, appropriate and proportionate measure within a democratic society". Where the original proposal puts the maximum limit at 36 months for law enforcement purposes, the new draft has no limit at all. The new draft also allows the retention of certain data (especially internet traffic data) for a shorter period.
[source: EDRI-gram - Number 2.20, 20 October 2004]
(2004-10-08) "EU Commission open workshop on spam" will take place on November 15, 2004 (Brussels, Belgium).
See calendar entry.
(2004-10-08) "Dutch Big Brother Awards" will take place on October 24, 2004 (Amsterdam, The Netherlands).
See calendar entry.
(2004-10-06) [EDRI] The RFID workshop organised during the FIfF anniversary conference (Berlin, 30 September - 3 October 2004) offered an excellent overview of the technical issues and privacy questions.
Robert Gehring talked about the history and technology of RFID. Andreas Krisch explained the Electronic Product Code. Sarah Spiekermann spoke about the privacy issues surrounding RFID
[source: EDRI-gram - Number 2.19, 6 October 2004]
(2004-10-06) [EDRI] The Europarl Committee on Civil Liberties, Justice and Home Affairs (LIBE) today organised a hearing with experts on biometrics. In his opening remarks the MEP Carlos Coelho (Conservative, Portugal) said he generally agreed with the objective of securing people's identities, but has some doubts about adding biometric identifiers to travel documents.
After listening to what four experts had to tell him, Mr. Coelho's closing remarks sounded somewhat more critical: "Technological solutions seem handy sometimes, but may hide the new problems they may be causing. While the contrary can also apply - technology being blocked because measures to work around the problem don't come to the surface - we must make sure that there is a fair balance between the values of security and of freedom. None of the two may be sacrificed for the other."
[source: EDRI-gram - Number 2.19, 6 October 2004]
(2004-09-30) [Masons] A new report suggests that 2% of internet users across the US have experienced a direct monetary loss resulting from a phishing attack, putting the nation's total monetary loss to victims of these incidents at approximately $500 million.
The report reveals that 76% of consumers are experiencing an increase in spoofing and phishing incidents and that 35% receive fake e-mails at least once a week. It is based on a national sample of 1,335 internet users across the US.
[source: OUT-LAW.COM]
(2004-09-22) [Masons] The Government in its public consultation documents has stated that the central database which supports the UK's national ID card scheme will not include any sensitive personal data such as data on ethnic origin or health. But analysis by privacy experts suggests otherwise.
[source: OUT-LAW.COM]
(2004-09-16) [Masons] A former employee of a US credit software company has pled guilty in what is reported to be the biggest identity theft case in US history, involving the credit reports of over 30,000 people and an estimated loss of $50 million, according to media reports.
In the three-year period over which the fraud operated, the employee of Teledata Communications (a maker of credit report accessing software) allegedly downloaded tens of thousands of credit reports from all major credit reporting agencies and then sold them, for $60 each, to a ring of 20 people in the Bronx and Brooklyn.
[source: OUT-LAW.COM]
(2004-09-14) [Masons] Ireland's Data Protection Commissioner has published Guidelines for the content and use of privacy statements on web sites to help businesses comply with the country's rules on data protection. It appears that Irish sites may find compliance easier than UK sites.
See also Ireland's Guidelines document.
[source: OUT-LAW.COM]
(2004-10-08) "Phishing Conference" will take place on November 23, 2004 (Edinburgh, UK).
See calendar entry.
(2004-09-15) [CMP Media LLC] "When I started covering radio-frequency identification technology, I have to admit I was inclined to sympathize with those voicing reservations about the technology. ... The difficulty I see with the way businesses are approaching the RFID debate is that they don't see consumer concerns as anything more than a public-relations issue."
"RFID is not the issue. Data protection is, because there isn't much of it." (Excerpts from article by Thomas Claburn)
[source: Information Week/RFIDinsights]
(2004-09-15) [CMP Media LLC ] Is RFID a powerful spark to business innovation, or a high-tech vermin that should be obliterated, Bob Evans asks. An article by Bob Evans argues for a debate based on facts and insights regarding RFID and its uses.
The final paragraph reads: "So this RFID thing: What's it gonna be? Is it a powerful and potentially wonderful new technology that can help spark business innovation and success? Or is it an insidious qand intrusive high-tech vermin that should be obliterated?"
[source: TechWeb Security Pipeline]
(2004-09-23) [CMP Media LLC] The Internet Engineering Task Force has disbanded its working group tackling spam, saying it was deadlocked, in part, over troubles related to Microsoft Corp.'s Sender ID proposal.
The decision, announced in an e-mail this week to the MADRID group by co-area director Ted Hardie, left in limbo industry efforts to develop a single standard for authenticating senders of e-mail, a process that would make it more difficult for spammers to disguise the origin of their inbox-clogging, annoying messages.
See also Sender ID Anti-Spam Effort Killed By Patent Fight .
[source: Security Pipeline]
(2004-09-30) [CMP Media LLC] Columnist Wayne Rash says without laws like HIPAA and Sarbanes-Oxley, health and finance companies wouldn't take security seriously.
"[T]he companies I dealt with have made security of my information mandatory, whether I liked it or not. They're doing this because they're required to by a federal law referred to by its acronym HIPAA. ... [T]here are a couple of laws that put some teeth into requiring security, and it's working. Yes, the laws are inconvenient, costly and time consuming. But without them, security in the affected industries would be an afterthought. Maybe we need a few more ways to prod companies into acting on security."
[source: Security Pipeline]
(2004-09-29) [CMP Media LLC] More than 15 percent of users told researchers that they had been successfully phished, providing a credit card number, checking account information, social security number or some other personal ID.
As a result of the increase in criminal activity, consumers have become more skeptical about email and web sites, the organizations said. Nearly two-thirds of the respondents said it was unacceptable for companies to do nothing about the criminal activity, and 96 percent want them to consider new technologies to help authenticate email and online sites.
[source: Security Pipeline]
(2004-09-02) [Datainspektionen] En utredning har föreslagit lättnader i PuL. Personuppgifter som inte är strukturerade ska undantas från de flesta hanteringsreglerna. Men det kan bli så svårt att bedöma när undantagen gäller, att det är mycket tveksamt om den vardagliga hanteringen av personuppgifter kommer att förenklas. Det skriver Datainspektionen i sitt yttrande över förslaget.
PuL reglerar hur personuppgifter får hanteras. Nu har en utredning lämnat förslag på hur lagen ska inriktas på missbruk av personuppgifter. Behandling som inte medför integritetsrisker ska undantas från hanteringsreglerna i PuL och det är bra, skriver Datainspektionen i sitt yttrande över förslaget. Men de nya reglerna är komplexa och den som ska tillämpa dem får svårt att avgöra om PuL ska tillämpas eller ej. Det är mycket tveksamt om den vardagliga hanteringen av personuppgifter blir enklare.
[source: Nyheter]
(2004-09-22) [EDRI] Telephone traffic data are only necessary to solve crimes in a minority of police investigations. Most cases can be solved without access to traffic data, with the exception of large fraud investigations.
These are the conclusions of a Dutch police report produced at the request of the Dutch ministry of Justice. The report was recently obtained by the Dutch civil liberties organisation Bits of Freedom through a public access request.
The report undermines the Dutch government's support to the EU draft framework decision on data retention.
(2004-09-22) [EDRI] "This is not something industry wants", a representative from the Danish IT-industry Association stated at a meeting on data retention in Copenhagen on 21 September 2004. The meeting was arranged in response to the massive criticism raised by the industry, cooperative housing associations, civil liberty groups and others earlier this year.
When circulated for comments in May 2004, the draft was heavily criticized for being disproportional and inconsistent, e.g. by letting private entities store huge amounts of personal information while at the same time being easy to evade, since e.g. smaller ISPs, libraries and universities are not included.
(2004-09-22) [EDRI] The consultation from the European Commission on new EU plans for mandatory retention of telecom traffic data resulted in 65 answers, most of them negative about any regime of mandatory data retention.
Two thirds of the answers came from industry (telephony and internet providers, both individual companies and associations) and almost one third from civil society, including the one from Privacy International and European Digital Rights.
See Full workshop report.
(2004-09-24) [EPIC] EPIC Senior Policy Analyst Lillie Coney testified before the Election Assistance Commission's Technical Guidelines Development Committee on September 22 on the importance of voter privacy. Coney noted that the delicate balance between the state's right to ensure that intimidation and election fraud are not present in public elections and the voter's right to privacy have resulted in the development of the secret ballot and restricted zones around voting compartments.
See EPIC's testimony on voting and privacy.
[source: EPIC Alert vol 11 no 18]
(2004-09-24) [EPIC] The Public Voice hosted "Privacy in a New Era: Challenges, Opportunities, and Partnerships" on September 13 in Wroclaw, Poland. The conference provided an opportunity for civil society leaders and academic experts to meet with European data protection authorities and explore emerging challenges to the protection of personal privacy.
The conference was held in conjunction with the annual meeting of the International Data Protection and Privacy Commissioners. The event was organized by EPIC, Privacy International, and the European Digital Rights Initiative.
See also conference website.
[source: EPIC Alert vol 11 no 18]
(2004-09-15) [Privacy International] Over 90 non-governmental organizations and 80 companies have endorsed Privacy International's call on the European Commission to abandon on a proposed retention regime across Europe of between 1 and 3 years for all communications traffic data. In this response, PI argues that data retention is invasive, illusory in its gains, illegal in its goals, and that the policy process surrounding retention is illegimate.
The response text is archived at http://www.privacyinternational.org/issues/terrorism/rpt/responsetoretention.html.
[source: Article]
(2004-06-21) [CEI] A report on Radio Frequencey IDentification -- "RFID Tags and Privacy: How Bar-Codes-On-Steroids Are Really a 98-Lb. Weakling" -- has recently been published by Competitive Enterprise Institute.
The executive summary ends with the following paragraph:
An unlikely threat to privacy, RFID technology will help producers, marketers, and retailers take major steps toward better understanding—and therefore better serving—the entire mix of consumer interests. Legislation to restrict the technology would be premature given the social forces that will shepherd RFID’s comfortable assimilation into commercial and consumer society. Prompt deployment of, and experimentation with, RFID would best serve the interests of the public and the economy.
[source: report]
(2004-09-02) [IDA] The Swedish Government will start issuing its citizens with biometric passports in 2005. The new document will be consistent with the facial recognition standard adopted by the International Civil Aviation Organization (ICAO) and will fulfil the US visa waiver programme's requirements.
Finnish smart card and security printing company Setec – which currently supplies passports to Finland, Sweden, Norway and Lithuania – announced on 31/08/2004 that it had won an order from the Swedish Government to provide 5 million biometric passports over the next 5 years.
[source: News flash]
(2004-09-03) [IDA] The future French e-ID card announced by the Government in September 2003 will include a second biometric identifier – probably scanned fingerprints – in addition to the facial image of the holder.
Procurement for the INES project is expected to begin before end 2004. The card and related database should be developed and tested during 2005, and French citizens should start using e-IDs from 2006.
See French e-ID card: Fact Sheet.
[source: News flash]
(2004-09-29) [Statewatch] A EU Security research programme is to look at creating "smart" biometric documents which will "locate,identify and follow the movement of persons" through "automatic chips with positioning". Statewatch highlights some implications of statements about this programme.
For instance, the statement that "Demonstration of the appropriateness and acceptability of tagging, tracking and tracing devices by static and mobile multiple sensors that improve the capability to locate, identify and follow the movement of mobile assets, goods and persons, including smart documentation (e.g. biometrics, automatic chips with positioning) and data analysis techniques (remote control and access)." could be interpreted to set as an objective that people should be tracked.
[source: Document]
(2004-09-07) [BBC] Some spammers are getting their messages through using techniques designed to spot and stop them. A survey shows that spammers are the biggest users of a technique designed to find out if e-mail comes from the net address it says it does.
The system was developed to stop mail senders faking the address in e-mail messages to give them an aura of authenticity and fool spam filters. However, the system is proving good at stopping spoofing and phishing attacks.
[source: BBC News]
(2004-09-08) [CNET Networks, Inc] Microsoft is set to introduce a new line of keyboards and mice Wednesday, including models with built-in fingerprint readers. Unlike most current implementations of biometrics, the new keyboard, mouse and standalone fingerprint reader use the technology not for security but convenience.
The accompanying software memorizes the passwords Web surfers have to remember to get around the Web and automatically supplies the right password, once the fingerprint reader verifies who's there. (Excerpt from article by David Becker)
[source: cnet news.com]
(2004-09-09) [London Free Press] According to a study by Atlanta-based Earthlink Inc., an Internet service provider with more than five million customers, the average PC is infected with 28 spyware programs.
Yet a study by TheInfoPro Inc. for Secure Computing of San Jose, Calif., found many employers don't see spyware as a significant threat. Only 25 per cent of the study's respondents recognized spyware as a major problem.
Given the potential for your computer to operate like a server sending out information about you and your computing habits to people or entities you don't know, perhaps you would want to give more consideration to your own privacy practices and assess your computer's level of infection by spyware programs. (Excerpt from an article by John Millar)
[source: The London Free Press Business]
(2004-09-29) [MailFrontier] How easy is it to recognize phishing when you see it? Or, conversely, how skilled are the "phishers" at creating a trustful impression? The company MailFrontier has published a simple test, where you can check how accurate you can regognize phishing.
The test is available at the Phishing IQ test page.
[source: onTheWeb]
(2004-09-07) [NSF] A project named "Surveillance, Analysis and Modeling of Chatroom Communities" has been awarded an NSF grant. As chat rooms are visited by individuals, and very diverse topics are being discussed -- sometimes of a personal nature -- these kinds of projects raise interesting questions about privacy.
From the published abstract: "The aim of this proposal is to develop new techniques for information gathering, analysis and modeling of chatroom communications. First, the investigator and his colleague consider graph-less models to capture the structure of chatroom communications. In particular, the investigators study how to develop a multidimensional singular value decomposition approach for component analysis of chatroom communication data. Second, the investigators develop new visualisation techniques to display the structural information found in the first step."
[source: Web Announcement]
(2004-09-09) [EDRI] A conference on E-government and the protection of personal data took place in the Danish Parliament on Tuesday 7 September 2004.
The debate at the conference showed some concern for the current development, and several of the debaters were sceptical towards the official optimism about the wonders of digital administration. The Danish Human Rights Institute proposed that the whole e-government thinking be turned up-side down, to give the individual control of his or her own data, and to have the legal architecture depart from human rights principles such as proportionality, dignity and self-autonomy.
(2004-09-09) [EDRI] The Article 29 Working Party (all the EU Data Protection Authorities) has released an opinion on the inclusion of biometrics in visa and residence permits for third country nationals. The EU is planning to introduce biometric identifiers in visa and residence permits and to establish a information system on visas (VIS).
The Working Party expresses great reservations towards the plans, especially with regard to proportionality issues. The Working Party considers the use of biometrics to establish a more reliable link between visas or residence permits and their holders as legitimate. But a plan to store the biometric identifiers not only in the chip but also in a central database causes major difficulties. See http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2004/wp96_en.pdf.
(2004-09-09) [EDRI] On 27 and 28 August 2004, the OSCE Representative on Freedom of the Media, Mr Miklos Haraszti, organised a conference on 'freedom of the media online' in the Amsterdam city hall.
Two panels focussed on the problematic definition of harmful content and self-regulation. Conference website with papers from speakers (27/28-08-2004): http://www.osce.org/events/conferences/fom/2004amsterdam/.
(2004-09-10) [EPIC] The Public Voice, a project of the Electronic Privacy Information Center, has launched a monthly newsletter called The Megaphone.
EPIC established the Public Voice project in order to promote the voice of Non-Governmental Organizations (NGOs) in decisions affecting the future of the Internet. The project facilitates NGO participation in policy making on issues ranging from privacy and free expression to consumer protection and Internet governance, and policy processes such as the World Summit on the Information Society (WSIS).
[source: EPIC Alert vol 11 no 17]
(2004-09-10) [EPIC] EPIC joined three other civil liberties groups in filing an amicus brief on September 2, encouraging the First Circuit Court of Appeals to overturn the controversial ruling that an e-mail provider that allegedly read messages intended for its users did not break federal wiretapping laws.
The June decision of a three-judge panel held that former Interloc vice president Bradley Councilman did not violate the Wiretap Act because the e-mails were intercepted while temporarily stored on the hard drive of the company's server -- for as little as a fraction of a second -- rather than while in transit.
[source: EPIC Alert vol 11 no 17]
(2004-09-10) [EPIC] The Social Security Administration recently issued public notice announcing that it will institute a new routine use for the Social Security Number (SSN), which will allow the agency to verify the name, date of birth and last four digits of the SSN for state voter registration purposes under the Social Security Act.
In its comments, EPIC objected to the new routine use on the grounds that it may lead to demands that voters produce their Social Security cards as proof of identity on Election Day. EPIC noted that the SSN was not created for this purpose, and argued that the expanded use will expose more users to identity theft or voter fraud.
[source: EPIC Alert vol 11 no 17]
(2004-09-09) [EDRI] Privacy International and European Digital Rights have published their joint answer to the consultation on mandatory data retention. The Directorate Generals on Information Society and on Justice and Home Affairs from the European Commission asked for public comments on a proposed retention regime across Europe between 12 and 36 months for all traffic data generated by using telephony (fixed and mobile) and internet.
The retention of personal data resulting from communications, or of traffic data, is necessarily an invasive act. ..... PI and EDRI not only object to this invasiveness, but also argue that general and systematical retention is illegal.
(2004-07-29) [New York Times] Two Columbia University scientists have come up with a computer-based way to extract detailed information from the fleeting images of the world mirrored on the curved surface of the eye.
The system can automatically recover wide-angle views of what people are looking at, including panoramic details to the left, right and even slightly behind them. It can also calculate where people are gazing - for instance, at a single smiling face in a crowd. Because the algorithms can track exactly where a person is looking, the system may one day find use in surveillance cameras that spot suspicious behavior or in interfaces for quadriplegics who use their gaze to operate a computer. (Excerpts from article by Anne Eisenberg)
[source: Technology Web]
(2004-08-09) [CMP Media LLC] Building a data map will help your company deal with the challenges of tracking information that comes into your business.
One of the biggest challenges faced by privacy or compliance professionals is tracking information that comes into the company--how it's used, for what purposes, and who has access to that information. Without that knowledge, no one can be sure the company is in compliance with contracts, applicable law, or its risk-management plans. Building a data map will help your company deal with this challenge.
To determine what information is collected and stored by the company, a "data inventory" or "data audit" must be conducted. Once the information and access points and use are determined, a flow chart is created mapping information flow. This is generally called a data map and is crucial to compliance and strategic planning. (Excerpts from article by Parry Aftab)
[source: InformationWeek]
(2004-07-28) [CNET.com] Privacy advocates may not be the only people taking issue with the current crop of radio-frequency identification tags--merchants will likely have problems with a lack of security as well, a German technology consultant said Wednesday.
Low-cost RFID tags--many of which are smaller than a nickel and cost less too--are already being added to packaging by retailers to keep track of inventory, but could be abused by hackers and tech-savvy shoplifters, said Lukas Grunwald, a senior consultant with DN-Systems Enterprise Solutions GmbH. While the technology mostly threatens consumer privacy, the it could allow thieves to fool merchants by changing the identity of goods, he said. (Excerpt from article by Robert Lemos )
[source: Tech News]
(2004-09-03) [InfoWorld] The amount of spyware programs on your machine may be huge - maybe in the thousands. This was the result of a quick investigation of an innocent-looking machine.
"We downloaded a couple of freeware programs, Ad-Aware SE Personal and Spybot Search and Destroy. We fired off Ad-Aware first and after a while (it's a slow computer, after all), we found slightly more than 1,400 spyware programs [on my 14-year-old daughter's PC]. We then ran Spybot and found another 50."
"Once we'd removed all of those, I told my daughter that she had to run ZoneAlarm, not just have it sitting around somewhere. After that, her computer ran just fine, and -- in a sort of mixed blessing -- she could also get to the Internet again."
"[B]ecause it's hard to control the Web sites and pop-up ads that deliver much of the spyware, you could find this a continuing problem. You can control it by having a personal firewall such as ZoneAlarm that prevents anything from sending information out to the Internet without your approval. You can also control it by frequently scanning computers in your organization."
(Excerpts from article by Wayne Rash)
[source: Security Adviser]
(2004-09-06) [Masons] The US Department of Justice and civil liberties groups are both seeking the appeal of a ruling that it was not a violation of criminal wiretap laws for the provider of an e-mail service to monitor the content of users' incoming messages without their consent.
According to commentators, unless overturned, the landmark ruling will have a serious effect on e-mail privacy in the US. The case was brought by the Justice Department against Bradford Councilman, a seller of rare and used books. His company, Interloc, of which he was vice-president, provided an e-mail service to certain book dealer customers. However, Councilman had configured the mail processing software so that all incoming e-mail sent to dealers from Interloc's biggest competitor, Amazon.com, was copied and sent to Councilman's mailbox as well as to the intended recipient's.
[source: OUT-LAW.COM]
(2004-09-03) [Masons] EBay's German domain was taken over by hijackers for a short time last weekend, in what is suspected to have been an attack by phishers on the look out for the personal and financial details of eBay users.
In effect, the hijackers managed to transfer the administration of the domain to a different ISP, on which they had set up their own web site. According to a report by The Register, the hijackers also attempted to take control over the Google.com, Web.de and Amazon.com domains, but were unsuccessful.
[source: OUT-LAW.COM]
(2004-08-23) [CNET Networks] Advocates of technologies like radio frequency identification tags say their potentially life-saving benefits far outweigh any Orwellian concerns about privacy. RFID tags sewn into clothing or even embedded under people's skin could curb identity theft, help identify disaster victims and improve medical care, they say.
Critics, however, say such technologies would make it easier for government agencies to track a person's every movement and allow widespread invasion of privacy. Abuse could take countless other forms, including corporations surreptitiously identifying shoppers for relentless sales pitches. Critics also speculate about a day when people's possessions will be tagged--allowing nosy subway riders with the right technology to examine the contents of nearby purses and backpacks. Implanting RFID chips could vastly increase the potential for police surveillance of ordinary citizens. Conceivably, every wall socket could become an RFID reader that feeds into a government database. (Excerpt from article by Michael Kanellos)
[source: cnet news.com]
(2004-08-25) [Washington Post] People are registering fingerprint and eye scans to become members of the new Transportation Security Administration Trusted Traveler Program.
The program has little to do with security and a lot to do with keeping routine air travelers happy by making their waits for boarding airplanes much shorter. No assurances about what additional uses may be found for the information being collected or whether someone may remove himself or herself from the program. (Excerpt from article by Sara Kehaulani Goo)
[source: washingtonpost.com]
(2004-09-07) [Ziff Davis Publishing] On the heels of the latest flap over Google's plans to scan the e-mail messages of its Gmail users, more news is afoot on the message-snooping front. E-mail privacy rights were called into question by a recent federal ruling stipulating that the federal Wiretap Act does not cover e-mail stored on a mail provider's server.
he court upheld the dismissal of a federal wiretapping indictment against Bradford Councilman, former vice president of Interloc, a now-defunct listing company for rare and used books that offered e-mail accounts to its members. "This undermines what everyone's thought for twenty years— that you have to have a wiretap order to access e-mail." (Excerpt from article by Molly K. McLaughlin)
[source: PC Magazine]
(2004-09-03) [NYT] For two months, Jacob Sevlie's insurance company tagged along whenever he slid behind the wheel of his Honda Accord. An electronic monitor closely tracked Sevlie's driving time and behavior. If he had a heavy foot or was a sudden braker, the recorder would betray him.
Although privacy advocates say the gadget smacks of Big Brother, Sevlie signed up and sent monthly data in hopes of saving money on his insurance bill. In return, he got a $25 stipend and the promise of a 15 percent rate cut when the program is launched.
[source: boston.com Business]
(2004-09-06) [vu.net] Trust and security in IT and the internet is one of the critical areas for debate on emerging science and technology, according to the UK Department of Trade and Industry (DTI).
Lord Sainsbury, minister for science and innovation, has launched a £1.2m grant scheme to increase debate on six key areas by funding projects that help the public and scientists to work together. Sainsbury says new technologies have ethical, safety, wealth and environmental complications that need to be considered before they come to the market. 'New technologies create new exciting opportunities but can also raise concerns and fears,' he said. (Excerpt from article by Bryan Glick)
[source: Web News]
(2004-08-31) [IDG] New technology for identifying the sender of e-mail messages hasn't been widely adopted, despite backing from software giant Microsoft Corp., and it may not be effective at stopping spam, according to a survey by e-mail security company CipherTrust Inc.
Sender ID is fast becoming the de facto e-mail authentication standard, as Microsoft rallies support from e-mail providers, Internet service providers and e-mail software vendors. But the survey casts doubt on whether Sender ID or its predecessor, SPF, can put an end to spam, Paul Judge, chief technology officer at the Alpharetta, said. "The idea that SPF would point to legitimate e-mail because spam would fail SPF checks is not true, because spammers have rolled out [SPF] records, too," he said. "In fact, three times more spam passes SPF checks [than] fails it, so passing or failing an SPF check is not a strong indicator that messages are spam." The problem is that spammers have been faster to adopt the technology than legitimate e-mail senders. (Excerpt from article by Paul Roberts)
[source: ComputerWorld]
(2004-08-17) [Datainspektionen] Nu kan du anmäla dig till konferensen "Biometri, kommunerna och PuL". Under förmiddagen handlar det om biometri och eftermiddagen ägnas åt hantering av personuppgifter i kommunerna. Om du endast är intresserad av biometri kan du välja att endast delta i förmiddagens program (till reducerat pris!). Konferensen hålls i Stockholm tisdag den 26 oktober.
Anmäl dig och läs mer på Datainspektionens webbplats.
[source: DI web]
(2004-07-07) [eNorge] En rekke sektorer og virksomheter står i dag overfor utfordringer når det gjelder datautveksling mellom ulike etater. Problemstillingene er bl.a. omtalt i Strategi for elektronisk innhold, eNorge 2005 og IKT-strategi for offentlig sektor.
daVinci Consulting AS' har på oppdrag fra Nærings- og handelsdepartementet utredet utvekslingen av persondata i Norge.
[source: Nyheter]
(2004-08-17) [Ministeriet for Videnskab, Teknologi og Udvikling] Den danske regering kom i sidste uge med deres "Fokus på fremtiden. Informations- og kommunikationsteknologi - resultat af faglig dialog" (Ministeriet for Videnskab, Teknologi og Udvikling, August 2004). Her fremhæves Sikkerhed/"Privacy" som et vigtigt fokusområde hvor Danmark allerede har styrker.
"En satsning på forskning og innovation inden for IKT-området har gode muligheder for at udløse samfundsmæssige gevinster i form af øget beskæftigelse og eksport for dansk erhvervsliv. Samtidig kan satsningen skabe en bedre hverdag, hvor mennesket er i centrum." Se dokumentet.
[source: Nyheter]
(2004-08-20) [Teknologirådet] Der er lagt op til store forandringer i den offentlige forvaltning i de kommende år, når der for alvor kommer skub i Digital Forvaltning i Danmark. Teknologirådet m.fl. arrangerer en konference, der sætter fokus på, om strukturreformen og regeringens planer om en voldsom udvidelse af anvendelsen af it-teknologien i forvaltningerne, vil medføre, at datasikkerheden og beskyttelsen af den enkelte borgers personoplysninger går fløjten.
Kommunikationen mellem borgere og forvaltning skal digitaliseres for at øge effektiviteten, give borgerne mulighed for selvbetjening og opnå økonomiske besparelser. Men bliver prisen for strukturændringer og digital forvaltning et farvel til beskyttelse af personoplysninger? I samarbejde med PROSA, Retspolitisk Forening og Institut for Menneskerettigheder arrangerer Teknologirådet en konference der ser på konsekvenserne af den kommende strukturreform og den igangværende indførelse af digital forvaltning. Data: Tirsdag den 7. september 2004 kl. 9.30 - 16.00 på Christiansborg Landstingssalen, København K. Sidste tilmeldingsfrist er fredag den 27. august kl. 9:00.
[source: Web]
(2004-08-04) [Teknologirådet] Projekt om privatlivets fred: Der er lagt op til store ændringer i den offentlige forvaltning i de kommende år, når der for alvor kommer skub i Digital Forvaltning i Danmark. Kommunikationen mellem borgere og forvaltning skal digitaliseres.
Formålet er bl.a. at øge effektiviteten og borgernes selvbetjening, og dermed opnå økonomiske besparelser. Samtidig skal samspillet mellem den enkelte borger og forvaltningen forbedres, bl.a. ved at organisere den digitale forvaltning sådan, at man kun skal henvende sig og afgive sine data ét sted. En ambition om at skabe gennemsigtighed i forvaltningen ved at give borgerne adgang til at se egne data har også været på tale.
[source: Web]
(2004-08-27) [EPIC] Google founders Larry Page and Sergey Brin discussed Gmail, an advertising-supported web mail system that engages in "content extraction" in order to target ads to subscribers, in an interview with Playboy Magazine.
Page and Brin clumsily avoided pointed questions raised by Playboy regarding the privacy implications of the system.
[source: EPIC Alert vol 11 no 16]
(2004-09-03) [EPIC] In formal comments, EPIC urged the National Highway Transportation Security Administration (NHTSA) to create privacy protections for "Event Data Recorders," (EDRs) black boxes in vehicles that record crash data. The comments were made in response to a federal rulemaking calling for standardization of EDR data.
EPIC argued that with standardization of data collection, the agency has a duty to create meaningful privacy protections. The agency's current plan to protect privacy by putting a short disclosure in the owner's manual falls fall short of this duty.
[source: EPIC Alert vol 11 no 16]
(2004-08-25) [EDRI] The deadline is nearing for two important consultation rounds from the European Commission, on mandatory data retention and on copyright.
European Digital Rights is working hard on a thorough answer on the EU plans for mandatory retention of all internet and telephony traffic data. The document will be made publicly available on the EDRI website, and EDRI will participate in the public hearing following the consultation on 21 September 2004.
[source: EDRI-gram - Number 2.16, 25 August 2004]
(2004-08-25) [EDRI] In an interview with The Times newspaper on 16 August, the UK Information Commissioner, Richard Thomas, has warned against the danger of 'sleepwalking into a surveillance society', as a result of ID cards and other plans. Mr Thomas said he was also uneasy about plans for a population register and a database of every child. He used General Franco's Spain as an example of what can happen when a state knows too much about its citizens.
Thomas said, although he is not for or against an ID card scheme itself, he was concerned about the government's failure to spell out their exact purpose. "The government has changed its line over the last two or three years as to what the card is intended for. You have to have clarity. Is it for the fight against terrorism? Is it to promote immigration control? Is it to provide access to public benefits and services?"
[source: EDRI-gram - Number 2.16, 25 August 2004]
(2004-08-25) [EDRI] The European Commission has decided today, 25 August 2004, to examine in depth the joint acquisition by Microsoft and TimeWarner of ContentGuard. This company, formerly owned by Xerox, is a world market leader in so-called Digital Rights Management technology. It has developed the Extensible Rights Markup Language (XrML).
Microsoft has eyed the company for a long time and made considerable investments before announcing last April to couple up with Media Company TimeWarner in order to buy the remainder of the company.
[source: EDRI-gram - Number 2.16, 25 August 2004]
(2004-07-30) [Masons] A new privacy law came into force on 1st July, demanding that all commercial web sites that collect "personally identifiable information" from users in California must now have a conspicuous privacy policy on their web sites – even if based overseas.
The California Online Privacy Protection Act (OPPA) appears to affect every business in the world that has a web site collecting information on-line, even just e-mail addresses for newsletters , because a Californian resident could sign up at any time. The Act, passed last year but only in force this month, applies to any person or entity "that collects personally identifiable information from California residents through an internet web site or on-line service for commercial purposes". In the UK, a fair processing notice - or data protection notice – must be displayed on a web site before personal data is "processed." A link to this notice is insufficient, although an additional "privacy policy," available from a link on each page, is also recommended as good practice. In California, the requirements for displaying the privacy policy are more relaxed than the UK's requirement for displaying a data protection notice.
[source: OOT-LAW.COM]
(2004-08-09) [MIT Technology Review, Inc.] Despite warnings that facial-recognition technology is prone to a high rate of error, the U.S. State Department is moving ahead with plans to embed microchips that will allow computer matching of facial characteristics in U.S. passports. Federal researchers, academics, and industry experts say the government should use more-reliable fingerprints instead, according to the Washington Post.
See Washington Post arcticle. (post by Erika Jonietz)
[source: blog]
(2004-08-12) [MIT's Technology Review] Stuffing something in a public locker usually isn't a memorable experience. You drop a coin, take the key and move on. But at the Statue of Liberty, recently reopened after a two-year closure, stashing a package offers a glimpse into the future. To rent, close and reopen lockers, visitors touch an electronic reader that scans fingerprints.
"It's easy," Taiwanese visitor Yu-Sheng Lee, 26, said after stowing a bag. "I think it's good. I don't have to worry about a key or something like that." Like nearly every other tourist at the statue that day, this was Lee's first experience with biometrics -- the identification of an individual based on personal characteristics like fingerprints, facial features or iris patterns. While the technology is not new, having seen use for years to restrict access in corporate and military settings, it is only now creeping into everyday life. Over the next few years, people currently unfamiliar with the technology will be asked to use it in everything from travel settings to financial transactions. (Excerpt from article by Brian Bergstein)
[source: TRWeb]
(2004-06-01) [MSN] In perilous online world, complex passwords needed! To access her bank account online, Marie Jubran opens a Web browser and types in her Swedish national ID number along with a four-digit password. For additional security, she then pulls out a card that has 50 scratch-off codes. Jubran uses the codes, one by one, each time she logs on or performs a transaction. Her bank, Nordea PLC, automatically sends a new card when she's about to run out.
As more Web sites demand passwords, scammers are getting more clever about stealing them. Hence the need for such "passwords-plus" systems. Scandinavia countries are among the leaders as many online businesses abandon static passwords in favor of so-called two-factor authentication. People will pay more attention to security as they keep more of their lives online, said Robert Chesnut, eBay's vice president for rules, trust and safety. He offered this analogy: "The more stuff you have in your house, the better the deadbolt lock you have."
[source: Breaking News]
(2004-08-06) [InfoWorld] Once a crime aimed at individuals, phishing can hurt your enterprise. What's unsettling is the rate at which phishing is growing. According to a report just released by the APWG, phishing increased 52 percent in June since May of this year. What's also alarming is that the practice is apparently working well enough that new phishing schemes and new fraudulent Web sites are increasing dramatically.
Worse, phishers have gained a great deal of sophistication. For example, the bogus Web sites they use to entrap their victims may exist for only a few days before they're harvested and moved.
[source: Security Advisor]
(2004-08-06) [IDG] Public, security experts' e-voting views differ sharply. Security experts are substantially more skeptical about e-voting than the public, but their greatest worry is system and programming errors, not malicious hacker attacks, according to a survey released this week by the Ponemon Institute.
The study, conducted in July and early August, aimed to measure public opinion about electronic voting systems and then compare the results with those of security experts -- both IT pros and hackers. (Excerpt from article by Sharon Machlis)
[source: ComputerWorld]
(2004-08-20) [IDG] Your face vs. your fingerprints: A computer-matching technology to identify facial characteristics will be implemented by the State Department on new passports next Spring despite warnings that the technology has a high error rate, The Washington Post reports.
Researchers and biometrics experts quoted in the article and even a privacy advocate said that fingerprints are far more reliable for the State Department's purposes of proving identity, preventing forgery and ultimately thwarting terrorism. The facial technology has an error rate of as high as 50% depending on whether proper lighting is used, the experts said. But the State Department chose the technology because "travelers are accustomed to submitting photographs and would find giving fingerprints to be intrusive." The technology uses "a chip woven into the cover of the passport that contains a digital photograph of the traveler's face. That photo could then be compared with an image of the traveler taken at the passport control station, and also matched against photos of people on government watch lists."
[source: ComputerWorld Security Highlights]
(2004-08-18) [NewsFactor Networks] There is a far greater degree of collaboration between spammers -- at least, the shadier ones -- and virus writers -- now than in the past. Many Internet threats have been co-opted by the criminal element and few can be attributed to script kiddies causing mischief.
Increasingly, the antivirus community has been noticing a disconcerting trend: the teamwork between virus writers and mercenary-minded spammers. (Excerpt from article by Erika Morphy)
[source: NewsFactor Top Tech News]
(2004-08-17) [CMP Media LLC] Password usage keeps growing, yet widely ignored best-practices mean they're less secure now than ever. Evidently, men are password pigs.
According to a research group investigating image-based passwords, men tended to pick images of attractive female models. That was predictable--and not just because men are. Predictability itself, in many forms, is one of the biggest password challenges. That's been true since the earliest days of computing, and is no less so today, despite plenty of readily available, solid password advice. Yet most of us still make our passwords the old-fashioned way--creating one password per identification-required account, probably using a recognizable word or number sequence. Worse yet, but even more predictable, many of us keep that same password for extended periods of time. How many of us have had the same password for the same account for months? Years? (Excerpt from article by Keith Ferrell, TechWeb)
[source: Security Pipeline ]
(2004-08-17) [CMP Media LLC] Before year's end, all E-mail messages will be spam. At least that's the way things appear to be headed, according to a report released Tuesday by MessageLabs, an international provider of managed E-mail services.
The company's E-mail Security Intelligence Report, covering January through June and based on a sample of some 5 billion messages, says 86.3% of E-mail in the month of June was spam. During the first four months of the year, the figure ranged from 53% to 67%. Compare that to the first six months of 2002, when the company identified a scant 1.5% of E-mail as spam. "We thought it couldn't go much higher when it was at 50%," says Brian Czarny, VP of marketing at MessageLabs. (Excerpt from article by Thomas Claburn, InformationWeek)
[source: Security Pipeline ]
(2004-08-05) [CMP Media Press] The numbers don't lie: CAN-SPAM is a bust. Compliance with CAN-SPAM has fallen to a new low, according to recent data collected by MX Logic.
In July, compliance fell for the first time under one percent to a measly 0.54 percent of all unsolicited commercial mail the company sampled during the month. The Denver-based firm has been tracking compliance with CAN-SPAM since the federal law went on the books in January. (Excerpt from article by gregg Keizer, TechWeb.com)
[source: TechWeb]
(2004-08-06) [CMP Media LLC] Federal prosecutors in Charlotte, N.C. said Thursday that three men had pleaded guilty in a case that is likely the first criminal conviction of "wardriving," the hacker tactic of cruising for unsecured wireless networks.
The three Michigan men all filed guilty pleas for charges that they penetrated the computer network of home improvement retailer Lowe's through an unprotected Wi-Fi access point in a parking lot of a Lowe's in suburban Detroit. (Excerpt from article by Gregg Keizer -Courtesy of TechWeb News)
[source: Security Pipeline]
(2004-08-09) [CMP Media LLC] Chances are, your users' machines are swarming with spyware and adware. Learn about the most-effective strategies that InformationWeek.com readers are using to combat spyware.
Seeking to get a better handle on the spyware problem, InformationWeek.com asked readers to rate its impact today in an online poll. Their feedback was clear--spyware is a growing problem in the enterprise. The results from 941 responses to this online, nonscientific poll:
Although antidotes do exist, spyware/adware is a fast-moving target and a tough challenge for IT departments to deal with. Walk through this InformationWeek.com Special Report to learn all about spyware, including the favored strategies and tools of InformationWeek.com readers for defending against it. (Excerpt from article by Richard Karpinski, InformationWeek)
[source: Security Pipeline]
(2004-08-03) [CMP Media LLC] Social networking based on IT raises questions about ownership of personal information. There are online services that help you keep track of your contacts, the ones with whom you communicate. There is one central issue. Who really owns your contact information? When you parse your address list and upload it to the server, who else gets to view these names?
Tim O'Reilly, the Internet publisher and peer-to-peer guru, had this to say about social networks at his conference this week: "We have to Napsterize the address book and the calendar so that we own the data about our social network but we are able to query our friends about who they know. We also need to re-think e-mail and Instant Messages as social software." The trouble is, once we make all of our address books peers, it becomes awfully hard to control the quality of the information. Imagine someone uploading Madonna's contact information, it could be the next Trojan. (Excerpt from article by David Strom, InternetWeek)
[source: Security Pipeline ]
(2004-08-30) [CMP Media LLC] Online banking customers should be wary of a new series of Trojan horses out to filch financial information, said a security firm Monday.
The Tolger line of Trojan horses, said U.K.-based Sophos, target online users of a slew of British-based banks, including users Barclays, HSBC, Lloyds, and Nationwide. Unlike phishing attacks, which come in singly as individual e-mails, one the Tolger Trojan infects a system, it sits invisibly in the background, monitors which Web sites are put on the browser, and if it recognizes one as an online banking site it ambushes the user by capturing keystrokes and snapping screen shots. (Excerpt from article by TechWeb News)
[source: Security Pipeline ]
(2004-09-01) [CMP Media LLC] The spam flood is rising, contributing to a reduction in the usefulness of e-mail, a market research firm said Wednesday.
Unsolicited e-mail from con artists, virus writers and advertisers accounts for 38 percent of the 31 billion e-mails sent each day in North America this year, up from 24 percent in 2002, International Data Corp., said in a report on web mail and spam. In addition, Internet service providers and makers of anti-spam products report that spam represents from 50 percent to 95 percent of all inbound Internet e-mail, IDC said. That's triple the 15 percent to 30 percent levels reported two years ago. (Excerpt from article by Antone Gonsalves, TechWeb.com)
[source: Security Pipeline]
(2004-08-26) [CMP Media LLC] The feds are cracking down on cybercrime. Amid rumors that cyberterrorists planned to disrupt the Internet on Thursday, the Justice Department revealed major enforcement actions against identity thieves and spammers.
The day before, DOJ officials said at a press conference that federal agents had served six warrants in New York, Texas, and Wisconsin against five residences and one Internet service provider as part of an investigation of illegal file trading over peer-to-peer networks. (Excerpt from article by Thomas Claburn, InformationWeek)
[source: Security Pipeline]
(2004-08-27) [CMP Media LLC] China's parliament has legalized electronic signatures in an effort to boost its small but growing online commerce industry.
The law gives such signatures the legal status of handwritten signatures and allows the creation of companies to verify the identity of participants in an online transaction, the official Xinhua News Agency reported. Chinese lawmakers have been working since April, 2003 on the electronic signature measure, which they passed on Saturday, Xinhua said. Electronic signatures became legally binding in the United States in 2000. (Excerpt from article by The Associated Press)
(2004-08-30) [CMP Media LLC] It would be pretty funny . . . if it weren't so terrifying. The Department of Homeland Security's first test of e-passports, documents that include embedded contactless chips (think RFID) for storing data, didn't go too well, according to an article from EETimes headlined e-Passports Using Contactless Chips Show Security Flaws.
The readers designed to work with the chips didn't perform very well. Some could not detect the presence of e-passport chips, others could detect the chips but could not read data from them and still others couldn't display the data they read correctly.
Read more in the article e-Passports Using Contactless Chips Show Security Flaws by Junko Yoshida ( EETimes August 30, 2004). (Excerpt from article by David DeJean)
[source: Security Pipeline]
(2004-09-01) [CMP Media LLC.] A service introduced Wednesday can send misleading information to phones that display Caller ID information, which is used to identify who is placing a call before the called party answers the phone.
The service will only be sold to collection agencies, private investigators, and law-enforcement personnel, says Jason Jepson, founder and CEO of Star38. "This is not for public use," he says. "We just opened today and we've gotten 600 inquiries so far." (Excerpt from article by Paul Travis, InformationWeek)
[source: Security Pipeline ]
(2004-07-15) [Masons] The European Commission has called upon the UK Government to justify its approach to data protection law – because it fears that it does not comply with the European Data Protection Directive.
The concerns are believed to focus on a court's definition of what constitutes "personal data" in Michael Durant's landmark case against the UK's Financial Services Authority and subsequent guidance on the case from the UK's Information Commissioner. But "personal data" is not the only problem.
Ultimately, the European Commission could take the UK Government to court in Luxembourg.
[source: OUT-LAW.COM]
(2004-08-03) [InfoWorld Media Group] All those upset about the recent court decision that said Northwest Airlines' privacy policy doesn't count, raise your hand. And, while your hand is up there, use it to slap yourself upside the head. What, you thought vendors' privacy policies gave you even a little bit of protection?
Although it's been almost two months, there still seems to be considerable consternation over a U.S. district court ruling that said it was OK for Northwest to violate its posted privacy policy in giving passenger records to NASA. As much as the case has upset people, though, it really isn't saying anything we didn't already know (Excerpt from weblog by Ed Foster)
[source: InforWorld - Gripe Line Weblog]
(2004-06-30) [Datainspektionen] I senaste numret av Datainspektionens tidskrift "DIrekt" finns bl.a. "Tummen ner för biometri i matkön" ,"passagerardata lämnas ut till USA", "så gör man i Danmark", och annat.
Länk till en digital version återfinns på sidan för DIrekt 2/04.
[source: DI web]
(2004-07-19) [MIT Technology Review, Inc.] Online swindles have generated plenty of headlines, and so did the Federal Trade Commission last month when it struck back at the scammers. On June 17, FTC officials trumpeted a joint effort with Visa International, the Better Business Bureau, and others to warn of the perils online identity theft.
The same day, the agency announced its first law-enforcement settlement for "phishing"--that is, online scammers who pose as representatives of legitimate businesses and persuade e-mail users to divulge personal financial details. But consumer advocates say that phishing has become such an insidious scam that the most meaningful measures to protect the public will need to come from broad-based coalitions. And actions to date, they say, are falling short.
[source: technologyreview.com]
(2004-07-16) [MIT's Technology Review] If you still have any illusions that your e-mail is protected from the prying eyes of investigators or police, you can drop them now: a federal court has ruled that e-mail stored on the servers of Internet service providers is not protected by the rules that restrict government wiretaps on telephone lines.
Reading stored e-mail is not the same as “intercepting“ an electronic communication, the 1st Circuit Court of Appeals in Boston ruled in the case of USA v. Bradford Councilman -- at least not in the sense intended by Congress in the 1968 Omnibus Crime Control and Safe Streets Act, which placed limits on phone wiretapping.
[source: MIT's Technology Review Friday Update ]
(2004-08-04) [EDRI] The Swiss data protection authorities and several political parties have used a governmental consultation round to protest against a proposal to introduce a new sectoral ID number for persons, the SPIN law.
According to the privacy authorities, the proposed law violates both constitutional and data protection principles. The new personal identification number would be sectoral and based on a central server within the federal justice department. But the sectors are not clearly defined or even analysed, thus violating the principle of proportionality. To make it worse, the responsibilities for access, for security, transmission and usage of the PIN are not sufficiently clear.
[source: EDRI-gram - Number 2.15, 4 August 2004]
(2004-08-04) [EDRI] On 24 March 2004 the Danish Ministry of Justice released a draft Administrative Order and a set of guidelines for mandatory retention of telecommunication traffic data. It is a follow-up to the 'anti-terror package' from 6 June 2002 (Act no. 378), that extended the minimum time for data retention to a year and allowed police and intelligence agents to look at such material with court permission where serious crimes were involved and to install on ISP servers software similar to the US Carnivore system to intercept e-mail.
When circulated for comments in May 2004, the draft was heavily criticised by both Internet Service Providers, co-operative housing associations and non-governmental organisations for being disproportional and inconsistent, e.g. by letting private entities store huge amounts of personal information while at the same time leaving ample loopholes, since for example libraries and universities are not included.
[source: EDRI-gram - Number 2.15, 4 August 2004]
(2004-08-04) [EDRI] On 29 July 2004 the French Constitutional Council decided that the proposed new data protection act is not unconstitutional, except for one provision (article 9.3), which has been suppressed from the law. The law is an adoption of the European privacy directive of 1995 (1995/46/EC), and was accepted by the French Senate on 15 July 2004.
The proposal to examine the law was submitted on 20 July by members of the French parliamentary opposition. They objected particularly against the powers granted in the new paragraph 9.4 to collecting societies and similar representatives of intellectual property rights to create files with telecommunication traffic data of supposed copyright infringers to 'mutualise the battle against the piracy of works'.
[source: EDRI-gram - Number 2.15, 4 August 2004]
(2004-08-04) [EDRI] The UK telephone and internetprovider BT is blocking the access for its customers to an unknown number of websites since 21 June 2004, allegedly containing images of child pornography. So far, BT has not disclosed any information about the banned sites and the precise technical way in which the filtering is deployed, raising serious questions about large scale private censorship on the internet.
According to Richard Nash from Euro ISPA it is irresponsible for providers to block websites for their users. In stead of trying to make child pornography invisible, the responsible thing would be to deal with the production of the content. In stead of private decisions about what is 'decent' and what is not, providers should develop a thorough and balanced notice and takedown procedure, and governments should collaborate more closely in chasing down the production sources internationally.
[source: EDRI-gram - Number 2.15, 4 August 2004]
(2004-08-04) [EDRI] The Dutch government is 'in principle positive' about the proposal to store the telecommunication traffic data of all 450 million EU citizens for a period of 12 to 36 months. This point of view is expressed in a letter to the Dutch parliament about the proposal. As president of the EU, the Netherlands wish to press ahead with the proposal: "The Netherlands have a vested interest that the proposal takes priority."
The proposal was made by the UK, Ireland, France and Sweden on 28 April 2004, and followed by a questionnaire to the 25 EU member states about their current and intended data retention laws. Answers to the questionnaire had to be given by 29 July 2004, but the results will probably only become available at or after the next meeting of the working party on co-operation in criminal matters on 27 and 28 September 2004.
[source: EDRI-gram - Number 2.15, 4 August 2004]
(2004-08-04) [EDRI] By verdict of 24 June 2004 the Appeals Court of Amsterdam in the Netherlands has to a large extent limited the freedom of internet users to express their opinion anonimously. The main issue in this principal case was whether internet provider Lycos was required to hand over the personal data of one of its subscribers to a third party. This third party, the Dutch lawyer and stamp trader Pessers, claimed this subscriber had treated him unlawfully. The appeal verdict largely confirms an ealier verdict by a judge at the District Court of Haarlem on 11 September 2003, against which Lycos appealed.
"The consequence of this ruling is that ISPs will be less cautious about providing third parties with personal details. After all, the provider can be held liable," said internet lawyer Christiaan Alberdingk Thijm. Perhaps even more disturbing, this ruling also increases the possibilities for civil rightsholders, such as the music industry to demand personal data from music-file downloaders.
(2004-07-15) [EDRI] The Article 29 Working Party that oversees the implementation of the EU privacy directive has released its opinion on the current state of affairs regarding the transfer of passenger data from EU airlines to the U.S. Department of Homeland Security.
The Working Party notes that the Commission failed to take into account previous demands by the Working Party before authorizing its transfer to the U.S., particularly on the scope of the data, the retention period, and the ways in which the data is used. As the European Parliament is pursuing this case in the Courts, the Working Party is calling for some immediate 'essential' changes to the current practices to minimize the encroachments on passengers' rights.
(2004-08-04) [EPIC] Congress is poised to loosen federal regulations protecting individuals from unsolicited commercial fax messages, known as "junk faxes." The House has already passed legislation eliminating a Federal Communications Commission regulation that would require junk faxers to obtain written consent before transmitting messages.
[source: EPIC Alert vol 11 no 15]
(2004-08-04) [EPIC] Privacy International recently held its sixth annual United Kingdom Big Brother Awards ceremony, honoring the year's most egregious violators of privacy in the UK. Privacy International accepted nominations from the public in five categories: Worst Public Servant, Most Invasive Company, Most Appalling Project, Most Heinous Government Organisation, and Lifetime Menace Award.
The Lifetime Menace Award went to the United States Visitor and Immigrant Status Indicator Technology (US-VISIT) because of its offensive and invasive plan to fingerprint all visitors to the United States beginning in September 2004.
[source: EPIC Alert vol 11 no 15]
(2004-08-04) [EPIC] Rep. Jay Inslee (D-WA) has introduced the E-mail Privacy Act of 2004, H.R. 4956, which would address two weaknesses in the Electronic Communications Privacy Act that were recently highlighted in a controversial First Circuit case. In United States v. Councilman, the court found that an ISP's real-time, continuous acquisition of subscriber e-mail did not violate federal wiretap law. The new bill would fix this misinterpretation of the Wiretap Act as well as close a long-standing loophole in the law governing stored communications that allows an Internet Service Provider (or any electronic communication service provider) to read its subscribers' communications.
[source: EPIC Alert vol 11 no 15]
(2004-07-22) [EPIC] Scott Levine, a high-level employee of Internet advertising company Snipermail.com, has been charged in a 144-count indictment with hacking into a database owned and operated by Acxiom, one of the country's largest data aggregators, and stealing 8.2 gigabytes of personal data between April 2002 and August 2003.
The data, acquired through 137 separate intrusions, was allegedly used by Snipermail.com to conduct spamming campaigns.
[source: EPIC Alert vol 11 no 14]
(2004-07-22) [EPIC] President Bush has signed into law the Identify Theft Penalty Enhancement Act, adding two years to prison sentences for people convicted of using stolen credit card numbers, social security numbers, and other personal information to commit crimes.
The new law creates two categories of aggravated identity theft. The first imposes a five-year sentence for identity theft carried out in connection with "terrorist offenses," and the second requires a two-year sentence for identity theft committed in connection with other felonies. The extensive list of crimes that require the sentence increase when combined with identity theft includes mail, bank, or wire fraud, theft from employee benefit plans, and immigration law violations.
[source: EPIC Alert vol 11 no 14]
(2004-07-22) [EPIC] EPIC Policy Counsel Cédric Laurant recently testified before the House Committee on Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection, in a hearing on radio frequency identification (RFID) technology. RFID facilitates the electronic tagging of physical objects for a wide range of applications. Although the use of RFID is likely to increase efficiency in the supply chain and improve management of inventory in retail stores, its use in individual consumer products poses serious privacy implications.
EPIC recommended that Congress, in keeping with its tradition of extending privacy rights to new forms of technology, draft legislation targeting the use of RFID in the retail sector. This legislation, based upon guidelines EPIC recently presented at a Federal Trade Commission workshop on RFID, should require clear labeling and easy removal of all RFID tags on consumer-level products. Further, legislation should require users of RFID systems to refrain from linking personally identifiable to RFID tag data whenever possible and only with the individual's written consent. Legislation should also prohibit the tracking or profiling of individuals via RFID in the retail environment.
[source: EPIC Alert vol 11 no 14]
(2004-07-22) [EPIC] Department of Homeland Security Secretary Tom Ridge recently indicated that the controversial second generation Computer Assisted Passenger Prescreening System, more commonly known as CAPPS II, has been discontinued. Asked by a reporter whether the program could be considered dead, Ridge mimed driving a stake through its heart and said, "yes."
CAPPS II would have relied upon private-sector database companies to identify passengers and perform risk assessments using government databases. Each passenger would have been assigned a risk score that might subject him to heightened security screening or detention. The system would have scanned not only for suspected terrorists, but also for individuals wanted for violent crimes. The government spent more than $100 million to develop the program before its discontinuation.
Questions remain about TSA's plans for passenger prescreening in the wake of CAPPS II's demise. Ridge indicated a new program with a different name would likely be developed to take the system's place.
[source: EPIC Alert vol 11 no 14]
(2004-07-12) [EPIC] The Anonymity Project has launched a web site that provides a description of research areas, interviews with project members, and other project information. Although the project is cross-disciplinary, it is based at the University of Ottawa, Faculty of Law.
The project consists of three broad research streams -- the nature and value of identity, anonymity and authentication; the constitutional and legal aspects of anonymity; and technologies that identify, anonymize and authenticate. Research results will be made publicly available on the web site.
Visit "On the Identity Trail: Understanding the Importance of Anonymity and Authentication in a Networked Society" at: http://www.anonequity.org.
[source: EPIC Alert vol 11 no 13]
(2004-07-12) [EPIC] The House Energy and Commerce Committee has voted 45-4 in favor of an anti-spyware bill, setting the stage for its consideration by the full House. The bill, termed the SPY ACT (Securely Protect Yourself Against Cyber Trespass Act), was passed after several changes were made to the original draft sent up by the House Subcommittee on Commerce, Trade, and Consumer Protection.
The original draft of the bill prohibited deceptive practices related to spyware such as hijacking a computer's functions, changing homepages without authorization, and surreptitious keystroke logging. It also regulated "information collection programs" by mandating express consent before installation, the provision of an uncomplicated disabling function, and the disclosure of the type and purpose of collected information.
[source: EPIC Alert vol 11 no 13]
(2004-07-12) [EPIC] European Parliament President Pat Cox has announced his decision to ask the European Union Court of Justice to annul the Council of Europe's agreement between the European Community and the United States, allowing for transfer of Passenger Name Record (PNR) data on EU citizens to the U.S. Department of Homeland Security Bureau of Customs and Border Protection.
Cox will also appeal the European Council's finding that the Bureau ensures adequate protection of transferred PNR data, satisfying the EU's Data Protection Directive (EU Directive 95/46/EC). Mr. Cox said the request "reflects the concern felt by a large majority in the European Parliament on the need to defend European citizens' fundamental rights and freedoms ... [B]oth the EU and the U.S. must guard against a new form of creeping extra-territoriality."
[source: EPIC Alert vol 11 no 13]
(2004-07-12) [EPIC] The Federal Trade Commission has charged Gateway Learning Corp., maker of Hooked on Phonics products, with violating federal law by renting out personally identifiable consumer information collected through its web site to direct marketers in violation of the company's privacy policy.
The company had changed its privacy policy to allow sale of personal information, and attempted to apply the new policy retroactively without first obtaining customers' consent for data exploitation. The Commission noted that the disclosure included information provided directly to the company by consumers who bought Hooked on Phonics, including names, addresses, phone numbers, and age ranges and gender of the consumers' children.
[source: EPIC Alert vol 11 no 13]
(2004-07-12) [EPIC] The U.S. Court of Appeals for the First Circuit has ruled that a company did not violate federal wiretap law when it used the e-mail service it provided to its subscribers to access their e-mail so it could review messages sent to them by a rival company. The issue in United States v. Councilman was whether an "intercept" of a communication occurred within the meaning of the Wiretap Act. In a 2-1 ruling, the court held that electronic communications are not "intercepted" if the communication is accessed while it is in temporary storage.
This case involved the conduct of Interloc, an online literary clearinghouse that sought to pair its subscribers -- rare and used book dealers -- with book buyers. Bradford C. Councilman, former executive of the company, directed Interloc employees to write computer code to intercept and copy all incoming communications from Amazon.com to the subscriber book dealers, whom had been provided e-mail service by Interloc.
[source: EPIC Alert vol 11 no 13]
(2004-07-12) [EPIC] In formal comments to the Transportation Security Administration (TSA), EPIC has urged the agency not to deploy the final phase of the Registered Traveler program until it conducts a full evaluation of the program's privacy implications. EPIC argued that the agency should revise its information collection and maintenance practices to comply fully with the intent of the Privacy Act.
EPIC made its recommendation in response to the agency's publication of a notice describing its plans to launch the pilot phase of Registered Traveler. The program asks individuals to volunteer to undergo invasive background checks and provide biometric information in exchange for the assurance that they will not be subjected to random secondary screening at airports.
[source: EPIC Alert vol 11 no 13]
(2004-06-29) [Datainspektionen] [Swedish] Hur ska personuppgifter behandlas vid biobankerna? Datainspektionen gjorde en kartläggning som visade att det finns ett stort behov av en enkel handledning.
[source: Datainspektionen pressmeddelande]
(2004-06-11) [Krisberedskapsmyndigheten] [Swedish] It-politiska strategigruppen har låtit översätta OECD:s riktlinjer för informationssäkerhet till svenska.
Se OECD:s riktlinjer för säkerhet i informationssystem och nät - I RIKTNING MOT EN SÄKERHETSKULTUR, som är en auktoriserad översättning av OECD Guidelines for the Security of Information Systems and Networks - TOWARDS A CULTURE OF SECURITY.
[source: Krisberedskapsnytt 12/04]
(2004-06-21) [Datainspektionen] [Swedish] En tredjedel av de kommunala socialnämnderna saknar skriftliga rutiner för att hantera sekretessmarkerade personuppgifter. Det är en av flera brister som Datainspektionen fann vid en granskning av 119 social- och miljönämnder. Rapporten presenteras idag.
[source: Datainspektionen pressmeddelande]
(2004-06-10) [EPIC] On May 28, United States and European Union officials signed an agreement providing for a legal framework to govern the disclosure of European airline passenger data to the Department of Homeland Security's Bureau of Customs and Border Protection.
European Commission officials defend the agreement, arguing that it formalizes privacy protections for PNR data and reflects negotiated concessions limiting the scope and use of such information. They contend that the alternative would have included fewer concessions to data use and greater legal and practical uncertainty about the ongoing data transfers.
However, the European Parliament, Article 29 Data Protection Working Party, data protection authorities around the world and privacy experts have expressed deep reservations about the agreement and its effects on Europeans' privacy rights, voting against its approval even though the European Commission considered such disapproval not binding in this case. The European Court of Justice could still invalidate the agreement if requested by the Parliament to review the compatibility of the agreement with the Treaty of the EU and to determine whether the Parliament should have had veto power.
The European Parliament's resolution disapproving the agreement: http://www.epic.org/redirect/ep_resolution.html.
[source: EPIC Alert vol 11 no 11]
(2004-06-24) [EPIC] In testimony to the Federal Trade Commission on radio frequency identification (RFID) technologies, EPIC Policy Counsel Cedric Laurant urged the agency to adopt strong privacy guidelines to protect consumers against potential abuses of the tracking technology.
Over the past year there has been increased activity worldwide to draft guidelines, principles and legislation governing the use of RFID in order to protect privacy. Last November, a joint position statement on RFID use, signed by more than twenty consumer privacy and civil liberties organizations including EPIC, called for a voluntary moratorium on item-level RFID tagging until a formal technology assessment process involving all stakeholders, including consumers, can take place. Also in November, a resolution on RFID was adopted at the International Conference of Data Protection and Privacy Commissioners in Sydney. Country-level guidelines have been drafted in Europe and Asia, and several bills have been introduced into state legislatures in the United States.
EPIC's survey of the RFID industry: http://www.epic.org/privacy/rfid/survey.html.
[source: EPIC Alert vol 11 no 12]
(2004-06-16) [EDRI] The Legal Affairs Committee of the European Parliament (JURI) decided today to take the European Commission as well as the Council to court over the final agreement to transfer PNR data to the US without adequate guarantees for data protection.
The committee, which met today (16 June 2004) for an extraordinary meeting during the Parliament's present recession, voted to call upon the Luxembourg Court to defer the Commission's so-called adequacy finding. This finding claims that the data will find the same level of protection in the U.S. as in the EU. The committee also voted to take the international agreement to court that was signed by the EU Council with the U.S. Department of Homeland Security on 28 May 2004 (see EDRi-gram 2.11). Today's vote was taken with a two-thirds majority concerning the adequacy finding and 19 to 14 votes concerning the international agreement. This is an even clearer majority than in former votes on the same issue.
(2004-06-16) [EDRI] On 13 June 2004 the French Constitutional Council published a decision on the Digital economy law (Loi pour la confiance dans l'economie numerique or LEN). Among the 3 provisions challenged by the parliamentary opposition, only one has been found unconstitutional and one was slightly modified.
None of the 7 further provisions challenged by EDRI-member IRIS and the French Human Rights League (LDH), has even been examined, while some of them are indeed limiting the constitutional freedom of communication, to the benefit of private interests (see EDRI-gram Number 2.11, 2 June 2004).
(2004-06-30) [EDRI] The working party on co-operation in criminal matters (Justice ministry officials) has issued a new questionnaire about data retention to all member states. Answers have to be given by 29 July 2004, the results will be debated in the next meeting of the working party on 27 and 28 September 2004.
The answers to the 2002 questionnaire showed 10 out of 15 member states had some sort of legal obligation to store traffic data, or were finalising new legislation. Only Austria, Finland, Germany, the Netherlands and Sweden did and do not have any such obligation, while in the UK providers were pressured to voluntarily collaborate.
(2004-06-30) [EDRI] The data protection commissioners of 14 of Germany's 15 states (Laender) as well as the National commissioner, Peter Scharf, have severely criticised the EU plan for mandatory traffic data retention and called upon the German government to vote against the proposal in the EU council of ministers.
"There are good reasons why the national legislator has just denied to introduce mandatory data retention", the official data protectors declared: "The confidentiality of telecommunications, which is guaranteed under the German constitution, only allows for the storage of data on the use of public telecommunication networks - and in particular of the internet - in cases of tangible evidence of a severe crime."
(2004-06-30) [EDRI] On his last day as President of the European Parliament, Pat Cox finally decided to give in to the demands from the Legal Affairs committee and the majority of political group leaders. The European Parliament has now asked the European Court of Justice to annul the recently signed EU-U.S. agreement on transfer of airline Passenger Name Record (PNR) data to U.S. government agencies.
European Digital Rights has signed a resolution against the PNR-transfer from the Trans Atlantic Consumer Dialogue [TACD], a coalition of more than 60 consumer organisations in the U.S. and Europe. It calls upon the EU and U.S. governments to suspend the agreement until much stronger privacy safeguards are adopted. The letter was submitted to EU and U.S. government representatives at the EU-U.S. Summit in Dublin on 25 June 2004.
(2004-06-30) [EDRI] The European Commission has funded a new project to make Digital Rights Management more acceptable to consumers. INDICARE (the Informed Dialogue about Consumer Acceptability of DRM Solutions in Europe) is distributing its first e-mail newsletter this week. The newsletter includes links to articles on the INDICARE website that are conceived as the starting point for online discussions. Under the E-Content programme 2003-2004 1 million euro is allocated for 'accompanying measures' like community building.
(2004-06-30) [EDRI] The European Court has condemned the kingdom of the Netherlands for a faulty implementation of the Privacy directive of 1997, also known as the ISDN-directive. In the Dutch telecommunication law of 1998 the obligation to erase or anonymise traffic data after termination of the call was not made specific enough, leaving ample room to the telecom operators to store sensitive data about their subscribers.
Instead of just literally translating Article 6 of the directive, the Dutch inserted a reference to a decree that would specify which data had to be erased. The decree was never produced, and in October 2002, after plenty of warnings, the European Commission decided to take the issue to the European Court in Luxembourg.
(2004-06-30) [EDRI] The French data protection authority CNIL has declared the new U.S. mail-service 'Did they read it?' illegal. Through this service, launched in May 2004 by Rampell Software, subscribers get a report about the exact time their e-mail was opened, for how long, on what kind of operating system and if the mail was forwarded to other people.
To use this service, subscribers simply forward their mail to Rampell, after which a one-pixel gif is added that allows for this kind of tracking. Rampell carefully avoids explaining the technology, and just promises that e-mails are being kept confidential.
(2004-06-30) [EDRI] The OECD Privacy Online report is focused on the implementation of the OECD Privacy Guidelines online and "reflects the OECD ministerial high-level objective to build bridges between different national approaches in order to ensure the effective protection of privacy and personal data as well as the continued transborder flow of personal data on global networks".
The reader shouldn't feel intimidated by the volume of the report as the actual practical guide only consists of 5 out of the 390 pages. See Privacy Online: OECD guidance on policy and practice.
(2004-03-17) [spiked] The combined forces of technological innovation, and a culture that blurs the boundaries between the public and the private, seem to make any discussion about privacy redundant. Looking at the relationship between technology and privacy in the twenty-first century, you could be forgiven for thinking Sun Microsystems CEO Scott McNealy had a point, when he said of consumer privacy: 'You have zero privacy anyway. Get over it.'
The legal theorist Amitai Etzioni, author of /The Limits of Privacy/, has pointed out the way pundits and policymakers can exaggerate the level of concern that the public feel about privacy. Etzioni debunks shock figures, such as '88 per cent of Americans are "concerned about general threats to their privacy today"'. He cites experienced survey analysts who describe these questions as 'cost free', akin to asking people whether they would like more beauty or freedom. A better test of people's concerns comes when they are asked to give up something for greater privacy. Etzioni points out that 'when asked about the acceptability of programmes that provide some freebies in exchange for requiring the person to divulge personal information, only a minority (on average 26 per cent) rejected this tradeoff' (see Amitai Etzioni: The Hyper-hyping of Privacy, Tech Central Station, October 2000)
Paradoxically, privacy is undervalued today, while data protection is overvalued. There is personal data of mine that I really do not mind sharing - particularly if it can be used in my interest. I am not concerned that my loyalty card enables credit card companies and supermarkets to analyse my buying habits. They may come up with a useful new product, or they may just try and improve their advertising, to sell me existing products that I have no need for. As a rational adult, I am then free to make choices about what to buy and what not to buy. Likewise, if websites can use cookie data to improve their offerings, to the extent that I can actually find what I'm looking for, then that is all for the good.
The privacy debate will take new forms as technology throws up new challenges and new opportunities - biometrics, radio frequency ID tags, intelligent agents, online identity management, even the end of passwords! If, however, we are to have any clarity in the discussion, the underlying questions 'what is privacy?' and 'how must it be defended?' need to be addressed, rather than us simply accepting the no-brainer response that greater regulation is required. (Excerpts from article by Jason Burton)
[source: skiked-online.com]
(2004-04-01) [spiked] In an age where new technologies allow personal information to be collected, analysed and rapidly disseminated, concerns are raised about who is using this information and for what purpose. A /spiked/-seminar called 'Big Brother and Me' on 18 March, sponsored by Hill and Knowlton and In the Box Media, explored the question of privacy and information technology (IT).
As a 'pro-technology libertarian', Jason Burton said that he grapples with two seemingly opposite ideas: that 'privacy is fundamental'; and that technology undermines consumer privacy. The contradiction can be bridged, he argued, by guiding technology according to social aims - 'technology is really there to serve our ends'. People should utilise the best technology to improve their lives, he said, while also protecting the value of privacy. Privacy is important, said Burton, as 'a space for a personal life and personal relations'; it is 'the liberty to live my life as I see fit'.
Geoff Kidder of the Institute of Ideas asserted that 92 percent of people are in favor of CCTV for security on trains, and asked: 'What does that say about our society - looking to technology to protect us instead of being vigilant ourselves?'
Jason Burton attempted to put fears of commercial intrusions into privacy into perspective. When a commercial agency looks at personal data, he said, they are just interested in collating figures, rather than intruding on individuals: 'People are just data and numbers.' He also questioned whether more state regulation in information gathering was necessarily the best solution. To conclude, he suggested why the issue of privacy tended to be seen in terms of data, rather than in terms of private space: because we lead the lives of 'isolated consumers'.
(Excerpts from article by Maggie Smith)
[source: spiked-online.com]
(2004-04-29) [Computerworld, Inc] U.S. lawmakers vowed today to pass legislation to stop deceptive software even though regulators advised against any new laws. Both Republicans and Democrats on the House Energy and Commerce Committee said new laws were needed to stop the proliferation of so-called spyware, which hides in users' computers and secretly monitors their activities.
"There is no more pernicious, intrusive activity going on on the Internet today," said Rep. Joe Barton (R-Texas), chairman of the House Energy and Commerce Committee. "We really intend to do something about this."
(Excerpt from article by Peter Kaplan)
[source: computerworld.com]
(2004-05-10) [Computerworld, Inc] IT security researchers said they have uncovered significant vulnerabilities in the electronic voting systems that nearly 30% of all registered voters will use in this November's presidential election.
In testimony before the U.S. Election Assistance Commission last week, security researchers said that without voter-verifiable paper receipts, the 50 million Americans who will use electronic voting machines this fall will have no way of knowing if their votes were subject to electronic tampering. Moreover, the code base powering the systems is so large and complex that there's no efficient way for election officials to be sure that it's free of malicious code designed to manipulate election results.
Avi Rubin, a professor at the Johns Hopkins University Information Security Institute in Baltimore, said his biggest concern is the threat of individuals who have access to the code base rigging the election. "And it's virtually undetectable," he said.
(Excerpt from article by Dan Verton)
[source: computerworld.com]
(2004-05-17) [Computerworld, Inc] The European Union plans to invest $13 million during the next four years to develop a secure communication system based on quantum cryptography, using physical laws governing the universe on the smallest scale to create and distribute unbreakable encryption keys, project coordinators said today.
If successful, the project will produce the cryptographer's Holy Grail -- absolutely unbreakable code -- and thwart the eavesdropping efforts of espionage systems such as Echelon, which intercepts electronic messages on behalf of the intelligence services of the U.S., Britain, Canada, New Zealand and Australia.
"The aim is to produce a communication system that cannot be intercepted by anyone, and that includes Echelon," said Sergio Cova, a professor from the electronics department of Milan Polytechnic and one of the project's coordinators. "We are talking about a system that requires significant technological innovations. We have to prove that it is workable, which is not the case at the moment."
(Excerpt from article by Philip Willan)
[source: computerworld.com]
(2004-05-31) [Computerworld, Inc] I always read e-mail-monitoring stories with a squeamish surge of discomfort at the very idea of it all. Although, as a manager, I understand the corporate motivation behind the escalating spread of technologies used to track employee activities online. In fact, in this week's "Information Highway Patrol" story [QuickLink 45790], we've covered many of them.
There's a professional football team worrying about protecting its brand from "inappropriate" online behaviors. There's a fitness center hoping to boost employee productivity by restricting Web use to certain health-related sites. There's a medical facility intent on conserving network resources by monitoring every e-mail, instant message, chat session and keystroke.
Yet the practice of e-mail monitoring evokes in me a feeling akin to that classic anxiety dream where you're at the prom wearing only your underwear but desperately pretending nobody else notices. Just act normal, you tell yourself.
(Excerpt from article by Maryfran Johnson )
[source: computerworld.com]
(2004-06-04) [Computerworld, Inc] Here's an interesting paper on passwords found via Slashdot. The study from the Cambridge University Computer Laboratory debunks some of the conventional wisdom about passwords. For example, it found that random passwords are no better than those based on mnemonic phrases.
The study found that each appeared to be as strong as the other. It also offered suggestions on creating passwords that are harder to crack. One idea: Write a simple sentence of eight words and then use the first letter or last letter from each word as the password. Making some of the letters uppercase helps too.
See the paper
Abstract:
There are many things that are `well known' about pass- words, such as that uers can't remember strong passwords and that the passwords they can remember are easy to guess. However, there seems to be a distinct lack of research on the subject that would pass muster by the standards of applied psychology.
Here we report a controlled trial in which, of four sample groups of about 100 First-year students, three were recruited to a formal experiment and of these two were given specific advice about password selection. The incidence of weak passwords was determined by cracking the password file, and the number of password resets was measured from system logs. We observed a number of phenomena which run counter to the estab- lished wisdom. For example, passwords based on mnemonic phrases are just as hard to crack as random passwords yet just as easy to remember as naive user selections.
[source: computerworld.com]
(2004-06-04) [Computerworld, Inc] Online crime cost companies about $666 million in 2003, according to a new survey released by our sister publication CSO. The survey of more than 500 corporate executives also found that 30% of respondents reported no online crime or intrusions in the same period.
The survey was conducted by CSO in conjunction with the U.S. Secret Service and the CERT Coordination Center. The survey also found that of those reporting online crime, 71% said the incidents came from outside the organization, while 29% said the incidents were the result of insiders. Thirty percent said they didn't know.
[source: computerworld.com]
(2004-05-27) [Infoworld] A New York man convicted of using the network of Internet service provider EarthLink Inc. to send out hundreds of millions of unsolicited commercial (spam) e-mail was sentenced to between three-and-a -half and seven years in prison Thursday, according to Brad Maione, a spokesman for New York State Attorney General Eliot Spitzer.
Howard Carmack of Buffalo, New York, also known as the "Buffalo Spammer," was sentenced by senior Erie County Judge Michael D'Amico in Buffalo. The sentence is the first obtained following a conviction using the state's identity theft law, Maione said.
Carmack was found guilty in April by a jury in Erie County, New York, on 14 counts, including charges that he stole the identity of two Buffalo-area residents, which he then used to send out more than 800 million spam messages, the attorney general's office said.
(Excerpt from article by Paul Roberts)
[source: infoworld.com]
(2004-05-11) [CNET Networks] In real life, you can instantly identify people you know. But not so online. Until we can improve this capability, says Martin Brampton, your best defence against malicious users is parnoia.
Take, for instance, this fact: The average person can accurately identify a friend, seen from a distance at an awkward angle and in a poor light.
Turn to the internet, and it is all different. How do you know who you are talking to? There are plenty of cases to demonstrate how easily we can be fooled. And the solutions proffered remain unconvincing, despite government enthusiasm. Part of the issue is that large sections of IT seem to view the issues through rose-tinted spectacles.
(Article by Martin Brampton)
[source: silicon.com]
(2004-05-13) [The Register] Browser hijacking programs can redirect users to pornographic websites. But could these malicious programs also lead to false accusations of possession of child pornography?
Malware such as CoolWebSearch (AKA CWS) can change browser start-up and search pages and generate pop-up pages - often punting illegal pornographic websites - on infected PCs. The program exploits IE vulnerabilities to slither onto unpatched PCs. Users would normally have to visit dodgy websites to get infected but it's easy to see how xxx rated spam email received and auto-executed through unpatched versions of Outlook could result in unwitting infection.
(Article by John Leyden)
[source: theregister.co.uk]
(2004-06-10) [IDG] Governments and corporations increasingly see biometrics as the primary way they'll identify people in the future. In an age of terrorism and fraud, they hope fingerprint and eye scanning will become the cheapest and most reliable means of verifying that people are who they say they are. But are we ready for this convergence of computers with our flesh and bones?
I don't think so. This significant intrusion into our personal space needs a heightened level of privacy protection that most organizations have only just started to envision.
The terrorist attacks on the U.S. prompted governments around the world to start seeking better ways of monitoring the flow of people across their borders. All eyes quickly turned to biometric authentication as the solution. Now, more than 20 countries are building digital fingerprints and facial patterns into their new passports and driver's licenses
Businesses are jumping on the government's biometric bandwagon. Private industry has long sought a better way than passwords to authenticate return customers. This is because passwords are costly to reset, and users often choose weak, crackable passwords. As a result, IMS Research predicts that the biometrics market will grow 68% per year through 2010. The dawn of the age of biometrics seems to be upon us.
(Article by Jay Cline)
[source: Computer World]
(2004-06-10) [Jupitermedia Corporation] The drive to place RFID tags on consumer products is relentless, but IT leaders say public policy on how to use and secure the information they'll provide is lagging behind.
Where does consumer privacy fit into a world where every product has a unique IP address? It's a question that consumer goods companies and Federal regulators are only beginning to tackle. The issue was discussed Thursday during "Privacy Futures," a conference sponsored by the International Association of Privacy Professionals and online security software company, TRUSTe.
EPCglobal, a not-for-profit industry organization that is building a global network to track RFID tagged products, formed a public policy committee in March to examine how to balance privacy concerns with industry practices, but its work has just begun. The Federal Trade Commission will hold its first public workshop on RFID and privacy later this month.
(Article by Susan Kuchinskas)
[source: internetnews.com]
(2004-06-10) [CNET Networks, Inc] The Federal Trade Commission plans to make consumer privacy rights a higher priority, according to a top official. The FTC's director of consumer protection, Howard Beales, said that his outfit is gearing up to bring more privacy-related cases against Internet operators, with one expected in the coming weeks.
"Watch the space," he said to an audience of privacy officers and executives attending the three-day Privacy Futures conference here.
(Article by Stefanie Olsen)
[source: ZDNET]
(2004-06-10) [CNET Networks] Canadian software company Zero-Knowledge Systems this week sued IBM in a Canadian court, claiming $5.1 million for alleged copyright infringement. The claim relates to work carried out by both companies in the creation of a privacy software standard.
Zero-Knowledge Systems (ZKS) sued on behalf of its spin-off data management company, Synomos (formerly known as ZKS's Enterprise Privacy Unit), which worked with IBM between June 2001 and February 2002 to create an XML-based language standard for writing enterprise privacy policies.
(Article by Stefanie Olsen)
See also http://www.out-law.com/php/page.php?page_id=ibmsuedoverxmlba1086955649.
[source: ZDNet]
(2004-06-11) [Pearson Education] Most major companies (Novell, IBM, Oracle, HP, Microsoft, and so on) have very similar privacy statements. Zubair Alexander takes a closer look at the fine print in these statements: what type of data or personal information may be collected from you, and who it's shared with. What's in the fine print may surprise you.
Whether it's a privacy statement from your cable TV provider or a business web site, if you take time to read the fine print you might be in for a few surprises. Obviously, the companies provide these statements to meet legal requirements and to protect themselves from lawsuits. You can't blame them for that. They hire lawyers to make sure that every conceivable area is covered and nothing is left out. But I wonder how many people actually take the time to read one of these privacy statements and see what's inside. Let's face it; whether it's a privacy statement or a licensing agreement, most people don't take time to read all the boring details of legal mumbo-jumbo drafted by some attorney. (Article by Zubair Alexander)
[source: InformIT]
(2004-06-14) [ZDNet] To some, personalization signals a new era of search, in which people can quickly navigate through the Web's vast reaches. To others, it is an ominous harbinger of encroachment on consumers' 1right to online privacy. No doubt the personalization of search results has emerged as one of the most promising weapons in the search market business. But are consumers being asked to give up too much personal information in exchange for more relevant search results?
(From article by Steve Johnson)
[source: ZDNN]
(2004-06-15) [Electric News Ltd] On Monday, Martin Walshe, the chairman of the European Biometrics Forum, told the inaugural EU Presidency Summit on Biometrics that the emerging technology can enhance the lives of citizens. He acknowledged, however, European concerns about data protection and privacyq. Speaking to ElectricNews.net, Walshe pointed to the increased convenience that is brought about by biometrics.
Travellers can progress through border checkpoints much more quickly than others without recorded biometric information, he said, and data protection on computers using biometrics makes it more difficult to transfer passwords.
(From article by Craig Liddell)
[source: electricnes.net]
(2004-04-01) [Masons] Alan Ralsky, one of the world's most prolific senders of junk email, has been interviewed, and has given some interesting information about what spamming is all about.
Of course, if nobody bought the junk that spam promotes, there would be no spam. Another interview with Ralsky, with the Detroit Free Press in 2002, revealed more details of the business that has made him a millionaire. He claimed to have a database of around 250 million e-mail addresses which typically yields a 0.25% success rate. Companies pay him a commission on sales of their weight loss products, casinos and loans or a flat fee of up to $22,000 for a single mailing to his entire database. "When you're sending out 250 million e-mails," he boasted, "even a blind squirrel will find a nut." Surely the nuts have to take some of the blame.
(2004-06-21) [IDG] Searching for the elusive competitive advantage increasingly means parsing, correlating and analyzing mountains of data into refined molehills of business intelligence, which raises the risk of exposing private information.
Better tools and more sophisticated analysis are bringing more granular analysis of operational and transactional data, according to Keith Gile, a business intelligence analyst at Forrester Research Inc. in Cambridge, Mass. "Greater granularity is valuable. However, it increases the risk of exposing too much information," he said, resulting in situations where crucial, identifiable information "must be stripped off" business intelligence analysis performed by a user community beyond the scrutiny of privacy officers. "IT must be prepared to deal with BI and privacy and security because there is an issue with privacy in terms of data being released through BI technologies," Gile said. (Excerpt from article by Mark Willoughby)
[source: Computerworld.com]
(2004-03-05) [Washington Post] The Washington Post has a disturbing article for customers of online businesses. Some companies, worried about liability if their computer systems are hacked, are warning customers that if their personal information is stolen, tough luck. These companies are saying they won't be legally responsible and are requiring customers to agree to waive any right to sue the companies if the businesses are hacked.
The waivers are included in those long terms-of-use agreements that users click on. And how many of us ready them closely? Consumer advocates say the companies are wrong. "If companies are willing to derive the benefit of information collection, but not the responsibility to secure it . . . it won't be difficult for consumer attorneys to invalidate these provisions as being unfair," said Chris Jay Hoofnagle, associate director of the Electronic Privacy Information Center. (Article by Jonathan Krim)
[source: washingtonpost.com]
(2004-06-02) [EDRI] The EU Network of Independent Experts on Fundamental Rights published their 2003 report. The network has been set up by the European Commission, upon request of the European Parliament. Since 2002, it monitors the situation of fundamental rights in the Member and in the Union, on the basis of the Charter of Fundamental Rights. The report covers a wide range of fundamental rights and raises for example concern about the use of biometric identifiers and the transmission of Passenger Names Records.
It also criticises control over state media in Italy and Poland. The section on freedom of expression however, lacks reference to the internet and notice-and-takedown procedures.
See Report on the situation of fundamental rights in the European Union in 2003 (01.2004), and Synthesis report: conclusions and recommendations on the situation of fundamental rights in the European Union and its member states in 2003 (04.02.2004).
[source: EDRI-gram - Number 2.11, 2 June 2004]
(2004-06-02) [EDRI] Revising the Polish Telecommunication Act to implement the EU e-communication directives, the Polish Ministry of Infrastructure introduced a new obligation for mandatory identification of buyers of pre-paid GSM-cards. The proposal is brought as an anti-terrorism measure.
State officials immediately acknowledged that the ID-demand would not make pre-paid cards totally anonymous, referring to the vivid trade in stolen phones, but said it was necessary to make it more difficult to use GSMs for illegal purposes.
[source: EDRI-gram - Number 2.11, 2 June 2004]
(2004-06-02) [EDRI] According to the German e-zine Heise there is a new proposal for mandatory data retention in Germany. Just a few weeks ago, a final compromise was reached on the new Telecommunications Act, without any obligations for systematic data retention. But the Minister of the Interior, Otto Schily, is now said to work on a law that would oblige telecom and service providers to store information about everybody's calling and internet behaviour for at least 1 year.
The German Multimedia Federation (DMMV), with 1.000 members one of the largest professional digital economy associations in Europe, criticised the proposal. The proposal is not yet public, but according to their sources close to the Minister, Schily wants to introduce the law to facilitate the pursuit of criminal offences as well as the monitoring of persons suspected of terrorism.
[source: EDRI-gram - Number 2.11, 2 June 2004]
(2004-06-02) [EDRI] Advocates, politicians and lawyers from across the political spectrum met in London on 19 May 2004 to debate UK ID card legislation. EDRi members Privacy International and FIPR organised the meeting, which heard resounding criticism of the government's ID card plans.
Highlights included the Shadow Home Secretary asking "how on earth can ID cards prevent terrorism if foreign visitors can wander around the streets for three months", alongside the Assistant Information Commissioner's concerns that "a whole identity system is being proposed for the UK". The meeting also saw the launch of the No2ID campaign. Privacy International, FIPR, Liberty, Stand, the Liberal Democratic party, the 1990 Trust and Statewatch are co-ordinating their opposition to the ID card plans, and are planning to derail the government's legislation when it is introduced later this year.
[source: EDRI-gram - Number 2.11, 2 June 2004]
(2004-06-02) [EDRI] An international agreement was signed on 28 May between the European Union and the United States that makes it possible to transfer air passenger data to the US, under certain conditions. It entered into force immediately. This agreement goes hand-in-hand with the Decision adopted two weeks ago by the European Commission, establishing the adequacy of US Bureau of Customs and Border Protection's personal data protection.
Under the agreement, Washington is allowed to collect 34 types of data from passengers' records flying to the US, which include name, address, phone number, credit cards and the identity of their travelling companions. See EU press release (28.05.2004).
[source: EDRI-gram - Number 2.11, 2 June 2004]
(2004-05-29) [EPIC] A weakened version of SB 1822, a bill that originally required consent of both senders and recipients before a company could scan the contents of an e-mail for marketing purposes, passed the California Senate by a 25-8 vote this week. The bill, introduced by Senator Liz Figueroa (D-Fremont), will allow service providers to review e-mail for automated, contemporaneous display of advertisements.
Providers cannot retain any personal information derived from the e-mail or allow natural persons to view the messages. The bill also requires providers to delete messages permanently so that they are irretrievable.
[source: EPIC Alert vol 11 no 10]
(2004-05-29) [EPIC] In a landmark decision, Iceland's Supreme Court has ruled that the Health Database Act of 1998 does not comply with the country's constitutional privacy protections. The Act authorized the creation and operation of a centralized database of non-personally identifiable health data, with the aim of increasing knowledge and improving health and health services.
The Act was challenged in court by Ragnhildur Gudmundsdottir, who wanted to prevent the transfer of her deceased father's medical records into the database. The Court ruled that Ms. Gudmundsdottir could not opt out of the database on behalf of her father.
[source: EPIC Alert vol 11 no 10]
(2004-05-29) [EPIC] Italian Privacy Commission official Giovanni Buttarelli delivered a keynote address entitled "Promoting Freedom and Democracy: a European perspective" at "Freedom 2.0: Distributed Democracy." First speaking about some of the differences between the U.S. and EU data protection regimes, Buttarelli explained that the right to data protection in the EU is becoming a statutory requirement, as several EU member states' laws as well as the European Charter of fundamental rights have made it an autonomous right and have committed its safeguard to autonomous and independent authorities, the privacy commissioners.
He urged law enforcement authorities to pay greater attention than in the past to how huge databases have to be proportionate to the purposes police and security agencies seek them for, to limit the amount of data collected, the period of data retention, and to determine the entities that can access those data.
Giovanni Buttarelli's speech is available here .
[source: EPIC Alert vol 11 no 10]
(2004-05-07) [Datainspektionen] Datainspektionen har etablerat en ny webbsida om biometri, en sida som kommer att kompletteras fortlöpande.
Sidan återfinnes här .
[source: datainspektionen.se]
(2004-06-09) [Evening Standard] David Blunkett was today embroiled in a new row over the Government's plan for ID cards. The Home Secretary's official spokesman attacked a privacy watchdog for "grandstanding" criticism of the proposal. Information Commissioner Richard Thomas yesterday said he felt "increasing alarm" at the Home Office's plans to force everyone to pay 40 GBP for a high-tech card.
He told the Home Affairs Select Committee he was surprised at the ID card Bill published recently, warning that as currently drafted it could seriously undermine individual liberty and privacy. But, in what critics called an extraordinary personal attack on the Commissioner, the Home Secretary's spokesman claimed Mr Thomas had failed to tell Mr Blunkett directly of his concerns, and had engaged in "a bit of grandstanding" in front of MPs. (Excerpt from article by Paul Waugh And Joe Murphy)
[source: This Is London]
(2004-06-08) [The Register] A senior European Union official has berated the anti-spam industry for failure to agree a common strategy. Philippe Gerard said that lack of co-operation was handicapping the fight to hold back the junk mail tsunami.
"We see different initiatives going in all different directions and the effectiveness is maybe not there," Gerard, an official with the EC's Information Society directorate, told an anti-spam meeting in London. The BBC reports that Gerard said that spam was affecting consumer confidence. (Excerpt from article by John Leyden)
[source: theregister.co.uk]
(2004-06-07) [The Register] A customer database and the current access codes to the supposedly secure Intranet of one of Europe's largest financial services group was left on a hard disk offered for sale on eBay. The disc was subsequently purchased for just £5 by mobile security outfit Pointsec Mobile Technologies. According to Pointsec, one of the hard discs contained "highly sensitive information from one of Europe's largest financial services groups with pension plans, customer databases, financial information, payroll records, personnel details, login codes, and admin passwords for their secure Intranet site. There were 77 Microsoft Excel documents of customers email addresses, dates of birth, their home addresses, telephone numbers and other highly confidential information, which if exposed publicly could cause irrevocable damage to the company." Pointsec isn't prepared to name the careless company.
The incident recalls the episode four years where Sir Paul McCartney's banking details were discovered on a second-hand computer discarded by merchant bankers Morgan Grenfell Asset Management. The PC was released into the second-user market without first being wiped clean of data, a precaution that the majority of sellers still fail to take.
In Sweden the first laptop Pointsec purchased at auction, contained sensitive information from a large food manufacturer. When the hard disc was analysed they found four Microsoft Access databases containing company and customer related information and 15 Microsoft PowerPoint presentations containing highly sensitive company information. (Excerpt from article by John Leyden)
[source: theregister.co.uk]
(2004-06-04) [silicon.com] If RFID vendors want to start shifting some chips, they could do worse than focus their efforts on supermarkets and grocery chains, according to new research, which found the food sector just can't wait to get its hands on the technology. According to research from grocery think tank IGD, 68 per cent of food and grocery retailers think the technology will deliver benefits to the industry – including better tracking and greater efficiency in the supply chain - and only two per cent of them are in the dark about RFID.
The research shows that the grocers are enthusiastic about the technology because they believe it will mean cost savings across the industry. However, more than half said that currently the costs outweigh the benefits. Adoption seems just a matter of time for the retailers, however – 65 per cent reckon the technology will be widespread in three to five years' time and 35 per cent plan to implement it themselves. Supermarkets are certainly leading from the front in RFID adoption. The world's biggest supermarket chain, Wal-Mart, has mandated that all its suppliers have the technology in place by next year; Tesco is trialling the chips and Germany's Metro chain has an entire store researching uses of the tags. (Excerpt from article by Jo Best)
[source: silicon.com]
(2004-06-03) [International Herald Tribune] European Union measures to fight terrorism may inconvenience people but have not eroded their civil rights, Justice and Home Affairs Commissioner Antonio Vitorino said Wednesday. Vitorino, a contender to succeed Romano Prodi as president of the European Commission when he steps down in November, dismissed charges by advocacy groups that the EU was trading rights for security.
"I do not accept that criticism," he said. "We have never given up any of the fundamental principles of the rule of law or the full respect for fundamental rights." Assessing efforts to fight crime and terrorism and build a common asylum and immigration policy, he said some measures like extra security and passport checks at airports had made travel harder but did not limit people's rights. "We have not created emergency legislation; we did not create special courts; we did not create special regimes of detention," he said. "Those are the areas where real, serious limitations to civil liberties might arise." He said at a news conference that the commission, the EU's executive body, would present proposals for common EU rules for greater protection of the privacy of personal data used to fight crime and terrorism.
[source: The IHT OnLine]
(2004-06-03) [IDG Communications] An unchecked lust for IT security, surveillance and identity management by enterprises and governments could create bigger headaches than the ones they solve, former Privacy Commissioner Malcolm Crompton warned delegates at the 2004 AusCert Conference. Crompton said assurances from big business and governments that the myriad technologies that harvest data about "customers"– ranging from biometrics to data mining to CRM – should just not be trusted.
"All these things [may well be] good in themselves…but how do you not connect the dots? We are seeing all these products and all these desires of governments coming together. Even if business and government say they won't connect the dots, eventually they will. Governments [typically] use the mantra of changed circumstances [to justify rolling back privacy and civil rights]," Crompton said. While governments could legislate their way around privacy in the name of security (and were sometimes answerable to voters), Crompton said enterprises faced a very real danger of consumer backlash if they failed to ensure customer privacy. This could stem from failing to provide anonymity between transactional systems and RFID devices, a trend with real if unintended social consequences.
[source: Computer World]
(2004-06-03) [The Resgister] Security certification and training body (ISC)2 has apologised for a serious security breach which saw the personal details of thousands of respondents to a survey posted onto an insecure server.
Phone numbers, email and contact addresses for many of the estimated 20,000 respondents to (ISC)2 Constituent Survey were easily available on the site because of lax security for a short time towards the end of last week. The data was unencrypted and left open to harvesting through simple URL manipulation despite a promise from (ISC)2 to survey participants that "your answers and feedback will be kept strictly confidential and will not be associated with you, your organization, or your employer". It was also possible to modify the information filled in, according to a Register reader, who sent us a sample of data (home and work addresses and phone numbers) to back up his concerns. (Excerpt from article by John Leyden)
[source: theregister.co.uk]
(2004-06-02) [Washington Post] The Department of Homeland Security yesterday awarded a contract worth up to $10 billion to Accenture LLP to oversee and expand a massive U.S. program to track millions of foreign visitors as they cross American borders.
The project, called U.S. Visit, collects and stores information about foreigners entering and exiting the country on visas through airports and seaports. The data, including digital photographs and fingerprints, are stored in an electronic database and shared among some government agencies to ensure that visitors do not overstay their visas and to help authorities capture suspected terrorists and criminals. The program debuted at U.S. airports and seaports in January and has processed more than 4.5 million people. Homeland Security officials said they have used U.S. Visit to deny entry to suspected terrorists and to arrest more than 500 wanted or suspected criminals. Now the program will expand to track all foreign visitors entering and exiting the country, including those who don't need visas and those who arrive by land. (Excerpt from article by Anitha Reddy and Sara kehaulani goo)
[source: washingtonpost.com]
(2004-06-02) [Indian Express Newspapers] ‘BioVisa’ containing fingerprints of an applicant will start getting issued at all US consulates in India next month onwards, ahead of its introduction in Pakistan. As US consular general William Bartlett put it, even India’s external affairs minister will be required to get fingerprinting done at the US Embassy if the visit is not official. Even corporate czars would have to undergo the process.
Around mid-July, US consular sections across the country will introduce the latest security measure (collection of fingerprints) in both non-immigrant and immigrant visa categories. This is certainly not an India-specific measure. “We are already collecting fingerprints in the vast majority of our consular sections, and all sections will be doing so by October 26,” according to embassy officials.
[source: The Financial Express]
(2004-06-02) [Ligt Reading] TeliaSonera Denmark's centrally placed virus and spam-filter programme is a big hit with the company's broadband customers. At a cost of only DKK 10 per month, TeliaSonera Denmark is the only Internet provider in the market that scans customers' mails with a virus and spam-filter programme, thus eliminating the need for far more expensive antivirus programmes.
More than 15,000 of 113,000 TeliaSonera Denmark broadband customers already use the company's integrated virus and spam-filter programme. Launched six months ago, the solution saves broadband customers time, money and unnecessary worry in connection with viruses and spam mails.
[source: lightreading.com]
(2004-06-05) [New Scientist] Typing your password or credit card number into a computer is a moment's work. But if you think your personal details disappear as soon as you hit the Return key, think again: they can sit on the computer's hard disc for years waiting for a hacker to rip them off. This alarming assessment comes from researchers who have created a way to track sensitive information through computer memory. They hope their results will convince programmers to work harder at making computers more secure. As people spend more time on the web and hackers become more sophisticated, the dangers of storing personal information on computers are growing by the day, security experts say. There are some obvious safeguards, such as never allowing your computer to store your passwords.
In a paper to be presented in August at the USENIX Security Conference in San Diego, they conclude that the programs took virtually no measures to limit the length of time the information is retained. Some of the tested software even copied the sensitive information, apparently without restraint. This is the first time anyone has tried to measure the extent of this problem, says Rebecca Wright, a security expert at Stevens Institute of Technology in Hoboken, New Jersey. Garfinkel hopes the results will galvanise software developers into action. "The way we are building our systems today is making the impact of an attack much greater than it needs to be," he says.
[source: newscientist.com]
(2004-06-09) [pspt] The First Workshop on Pervasive Security, Privacy and Trust (PSPT) will be held in Boston, Mass, USA on August 26, 2004.
On the workshop homepage you will find all information you need. Please note the submission deadline: June 30, 2004.
[source: pspt on the web]
(2004-05-03) [Network World] Parents worried about losing a kid at Legoland in Carlsbad, Calif., can stop by guest services for a "lost parents" sticker. If a sticker-wearing child gets lost in the park, someone helpful can call the parent's cell phone and report the child's location. That's one way to do it. Another way is what the amusement park's Denmark counterpart, Legoland Billund, is doing. Legoland Billund has taken lost-kid technology a giant step further. At its season opening day in March, the park launched a new child-tracking system that relies on a combination of radio frequency identification (RFID) and wireless LAN technology.
Legoland's child-tracking system differs from traditional applications in that it combines RFID and 802.11 wireless technologies.
[source: Network World Fusion]
(2004-05-11) [SearchSecurity] Listen to this: Eavesdroppers can decipher what is typed by simply listening to the sound of a keystroke, according to a scientist at this week's IEEE Symposium of Security and Privacy in Oakland, Calif. Each key on computer keyboards, telephones and even ATM machines makes a unique sound as each key is depressed and released, according to a paper entitled "Keyboard Acoustic Emanations" presented Monday by IBM research scientist Dmitri Asonov.
All that is needed is about $200 worth of microphones and sound processing and PC neural networking software. Today's keyboard, telephone keypads, ATM machines and even door locks have a rubber membrane underneath the keys. "This membrane acts like a drum, and each key hits the drum in a different location and produces a unique frequency or sound that the neural networking software can decipher," said Asonov. (Excerpt from article by Niall McKay)
[source: SearchSecurity.com]
(2004-05-19) [BBC] The government could face a public backlash to its proposals on ID cards a new survey has found. Up to 5 million people (28%) would demonstrate against ID cards the survey conducted by online research firm YouGov found.
Privacy International is hosting a debate about the implications of the government's ID scheme in London on Wednesday 19 May. Home Office representatives have declined to take part in the debate, a signal that the government is not prepared to compromise on its decision to introduce ID cards says Mr Davies.
[source: BBC News]
(2004-05-12) [The Register] Grass-roots consumer group Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN), which is fighting retail surveillance schemes, says that Wal-Mart's decision to tag individual items on its store floor using radio frequency identification or RFID violates a call for a moratorium issued last November by 40 privacy and civil liberties organisations.
Wal-Mart began item-level RFID tagging of consumer goods last week as part of a trial in Texas. Shoppers at seven Dallas-Fort Worth area Wal-Mart stores can walk into the consumer electronics department and find Hewlett-Packard products for sale with RFID tags attached. Wal-Mart says that RFID tags in its stores are harmless since they contain nothing more than identification numbers. "While technically that's true, Wal-Mart fails to explain what it means for items to carry remote-readable unique ID numbers," says Katherine Albrecht, founder and director of CASPIAN. "It's like saying someone's social security number is 'only' a number, so sharing it with perfect strangers should be of no concern."
See also moratorium.
(Excerpt from article by Jan Libbenga)
[source: The Register OnLine]
(2004-05-18) [Expatica] The European Commission has given the green light to a transatlantic deal forcing European airlines to provide personal details of passengers to US authorities as the "war on terror" continues unabated.
Objections by human rights groups and the European Parliament in Strasbourg — which claims the deal violates the privacy of airline passengers — were pushed aside, Dutch news agency nu.nl reported.
[source: Expatica News]
(2004-05-18) [IEEE Computer Society, TC on Security and Privacy] A selected commentary on the 2004 Security and Privacy Symposium, by Hilarie Orman, containing personal impressions on "Session on Attacks and Defenses", "Panel on Electronic Voting", "Panel on Grand Challenges in Computer Security Research", "Session on Denial of Service", and "Session on Network Security".
[source: IEEE Cipher Newsletter no. 60]
(2004-05-17) [Datainspektionen] Under hösten 2004 anordnar Datainspektionen nio utbildningstillfällen för personuppgiftsombud - fem Steg 1 (grundutbildning) och fyra Steg 2 (fördjupningsutbildning). Utbildningarna kommer att hållas i Stockholm, Göteborg och Malmö. Kommunjurister, bolagsjurister och liknande är också välkomna.
Läs mer och anmäl dig på http://www.datainspektionen.se.
[source: DI-Webbnyheter]
(2004-05-19) [EDRI] The OECD working party on information security and privacy have published a very informative but dry report about biometrics. The report analyses theory and practice of the following major biometric-based technologies: finger-scanning, hand geometry, facial recognition, iris scanning, retinal scanning, finger geometry, voice recognition and dynamic signature verification. A brief description of other, more obscure biometric-based technologies such as ear geometry, body odour measurement, keystroke dynamics and 'gait' recognition (specific perambulatory movement) is also provided.
Avoiding any grand statements about the desirability of some of these techniques, the report concludes: "The extent to which we are willing to incorporate statutory and policy and technological controls into these systems and technologies will determine the extent to which they will improve our quality of life; providing convenience and security or conversely, the extent to which they threaten our liberty and freedom via actual or potential surveillance and control."
See OECD Working Party on information security and privacy: Biometric-based technologies (28.04.2004).
[source: EDRI-gram - Number 2.10, 19 May 2004]
(2004-05-19) [EDRI] On 11 May 2004 the Ukrainian Parliament (Verkhovna Rada) adopted the new wording of a draft law amending several legislative acts concerning the protection of state secrets. This draft law was initially approved in July 2003, but was subsequently vetoed by the President due to several technical inaccuracies (incorrect numeration of articles, repeating several similar provisions, etc.).
After the law had been adopted in July 2003, it was strongly opposed by EU representatives, OSCE, IFJ, domestic NGOs, and the Parliamentary Committee on freedom of speech and information. In an open address, a number of NGO representatives and politicians appealed to the President not to promulgate the law as far as its provisions contradict the Constitution of Ukraine and global freedom of information standards.
[source: EDRI-gram - Number 2.10, 19 May 2004]
(2004-05-19) [EDRI] On Wednesday 5 May, the Mediation Committee, a common organ of the two German legislative bodies, adopted a compromise regarding the new German Telecommunications Act. It brought back a number of privacy restrictions that were already contained in the Government's draft act, but had been rejected by the Deutsche Bundestag, the German parliament.
The exemption from the mandatory identification of customers that was granted with regard to pre-paid phone cards has been abolished. This means everybody who's selling prepaid cards, will probably have to ask for ID, to collect name, address and date of birth of each customer.
[source: EDRI-gram - Number 2.10, 19 May 2004]
(2004-05-19) [EDRI] With the approval on 17 May 2004 of the transfer of airline passenger's personal data to the U.S., the Commission and the Council of the European Union have bluntly bypassed the European Parliament and Court of Justice.
Daniel Cohn-Bendit, head of the Green/EFA Group in the European Parliament, said the decision was "ignoring the declared will of the Parliament in an unprecedented way". Commission and Council agreed on Monday to hand over up to 34 personal data items from the Passenger Name Record (PNR) for every passenger flying to the United States from an EU country. The Council, composed of the EU's 25 Foreign Affairs ministers, adopted the agreement without debate, only a few hours after the Commission had officially passed a so-called adequacy finding, claiming that the data would find sufficient protection once it has been transferred to the U.S. The agreement will be signed next week in Washington.
[source: EDRI-gram - Number 2.10, 19 May 2004]
(2004-05-13) [EPIC] Privacy International, in association with Liberty, Statewatch, Stand.org.uk and the Foundation for Information Policy Research, will host an event on May 19 entitled "Mistaken Identity: A Public Meeting on the Government's Proposed National Identity Card."
Key figures in the fields of law, politics, security, technology and human rights will discuss the UK government's proposed identity card, which is likely to have far-reaching implications for everyone residing in the UK.
[source: EPIC Alert vol 11 no 9]
(2004-05-13) [EPIC] The Canadian government recently broke the second step of a three-phase agreement with the Canadian arm of United States-based corporation Lockheed Martin under which the company would have provided services for a 2006 national survey and mini-census.
The government will not be penalized for breaking the final phase of the contract, which actually involved software for the 2006 national census. Numerous organizations had lobbied the government to drop the deal because of concerns about how individuals' private information could be used by a company closely linked to United States defense interests. The director of the 2006 census confirmed that the contract was terminated due to confidentiality and privacy concerns.
[source: EPIC Alert vol 11 no 9]
(2004-05-13) [EPIC] California Secretary of State Kevin Shelley recently announced that the state has banned the use of any voting system that does not provide a paper ballot. Specifically, California has banned the use of touchscreen voting systems for use in state elections until security measures are in place to safeguard the November vote.
The California March 2, 2004 primary election presented a host of problems to voters and election day workers, resulting in approximately 7,000 voters in Orange County receiving incorrect computer access codes to cast ballots. Poll workers unfamiliar with how the district's electronic voting technology worked made the error that resulted in voters receiving the wrong ballots to cast their votes. This experience closely followed the California Governor's recall election in October 2003, during which electronic voting machines supplied by Diebold were reported to have used uncertified changes to software.
[source: EPIC Alert vol 11 no 9]
(2004-05-13) [EPIC] On May 5 the U.S. Election Assistance Commission held its first public hearing on the use, security, and reliability of electronic voting systems. The Commission heard from witnesses representing technology, vendor, election administration, research/human interaction factors, and advocacy organizations who related their interests and concerns about the use of electronic voting technology.
During the hearing, Chairman DeForest B. Soaries, Jr., stated that the Commission would probably not recommend requiring paper receipts when it makes preliminary recommendations, which may be made public within the next week. Further, he said that states would be allowed to set their priorities pertaining to the use of voting technology in the election year. It is estimated that about 20 states are considering legislation that would require a paper record of each vote cast on direct recording electronic voting machines, also known as touchscreen voting machines.
[source: EPIC Alert vol 11 no 9]
(2004-05-13) [EPIC] In comments to the Federal Communications Commission, EPIC argued for strong protections against "mobile service commercial messages" (MSCMs), or spam that is sent to wireless devices.
The agency is considering enhanced protections for MSCMs as a result of language in the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, which preempted stronger state spam laws but called upon the Commission to develop heightened protections against MSCMs. EPIC emphasized that opt-in protections are necessary against MSCMs because wireless phones are considered personal by their users, because individuals often are charged for the bandwidth or on a per message basis for receiving wireless spam, and because adoption of wireless devices could be hampered if they become targets of relentless commercial interruption.
[source: EPIC Alert vol 11 no 9]
(2004-05-13) [EPIC] EPIC, Privacy Rights Clearinghouse, and the World Privacy Forum called upon the California Attorney General to investigate Google's Gmail service for violation of wiretapping laws. Gmail is a free webmail service that includes a gigabyte of storage for each subscriber. In order to offset the cost of this amount of storage, Gmail displays contextual marketing to the subscriber that is based on the actual content of the e-mail communication.
The groups alleged that this targeting, based on the content of the communication, violates California's Invasion of Privacy Act, which requires the consent of all parties to a communication before it can be intercepted.
The groups argued that Google fails to obtain the consent of all parties to e-mail communications when the company scans the content for marketing. In fact, there is no way that individuals can even know that directing e-mail to the gmail.com domain would result in the company extracting content from the messages.
[source: EPIC Alert vol 11 no 9]
(2004-05-13) [EPIC] EPIC has received new information about Northwest Airlines' disclosure of passenger information to the government through Freedom of Information Act litigation in the U.S. District Court for the Northern District of California. Most significantly, one document revealed that the Federal Bureau of Investigation obtained one full year's worth of passenger data from Northwest after 9/11.
The document reveals that the amount of personal data was so vast that the airline provided the data to the FBI on 6000 CDs. In an article based upon this new information, the New York Times confirmed that the Bureau acquired passenger data not only from Northwest, but from other U.S. air carriers, as well.
[source: EPIC Alert vol 11 no 9]
(2004-05-05) [ePolitix.com] A Conservative government would legislate to prevent the courts developing a right to privacy for British citizens, Michael Howard has said. Speaking to the London Press Club on Wednesday, the Tory leader said such a move could interfere with the freedom of the press.
He also pledged to respond to any proof that the Communications Act or Human Rights Act interfered with newspaper reporting. Howard said the "tough and flexible" system of press self-regulation should be allowed to continue.
[source: epolitix.com]
(2004-04-30) [BizReport] Wal-Mart Stores Inc. on Friday launched its first live test of new merchandise-tracking technology and tried to quell concerns that the devices could pose a consumer privacy risk.
Wal-Mart said a distribution center and seven stores in the Dallas, Texas, area would begin testing radio frequency identification -- or RFID -- tags, which use radio frequencies to send such information as where the item came from and when perishable items expire. Wal-Mart, the world's biggest retailer, thinks RFID will speed up distribution, cut costs and help it keep shelves better stocked, and it has aggressively pushed for the technology to become the industry standard. RFID proponents say it will some day replace bar codes, reduce theft and speed up distribution. But critics contend that it is too pricey and may compromise privacy if consumers take home active tags that could conceivably transmit information back to retailers. (Excerpt from article by Emily Kaiser)
[source: bizreport.com]
(2004-04-29) [Kentycky.com] "Privacy is gone," says Michael J. Weber in his latest book, Invasion of Privacy. "What little personal information is still private, you'd better protect it. People are targets. This book points out not what they can do to prevent that -- because there's nothing they can do -- but how they are being targeted and the options to minimize the leaking of their secrets and their personal information."
Weber has written for several TV series, including Cagney & Lacey, Starsky & Hutch and Sheriff Lobo. "At least when you write a book, the author is you," Weber said. "When you write for Hollywood, it gets meddled with." (Excerpt from article by Michele Dargan)
[source: Lexington Herald-leader]
(2004-04-29) [The Heartland Institute] An examination of the privacy debate reveals a number of myths that need to be challenged and dispelled by informed consumers, nonprofits, and legislators. Those myths include: (1) Profits are at odds with consumer privacy preferences. (2) Information-sharing harms consumers. (3) Everyone wants an extremely high level of privacy despite cultural differences and free-speech concerns. (4) New technology mainly harms, rather than protects, privacy. (5) Privacy laws will have a positive or benign effect.
Many technologies are available to protect individual privacy, and new ones are being developed all the time. Technology is better than legislation at protecting privacy because it is proactive, not reactive. Government must be careful not to discourage the creation of privacy-protecting tools by passing laws diminishing consumer demand. The best way to provide for consumer empowerment and choice is to leave the Internet free of broad privacy regulations, allowing consumers to determine--through contracts, market pressure, and new technologies--what level of privacy they will have. This policy is also best for e-commerce--the energy fueling our economy. Strict privacy regulations would restrict the free flow of information, harming businesses and consumers. If government ties up firms in red tape, not allowing them to freely exchange information, everyone will suffer the costs in terms of prices and lost choice. (Excerpt from article by Sonia Arrison)
[source: heartland.org]
(2004-04-29) [ZDNet Australia] A leading IBM executive has described critics of radio-frequency identification technologies as confused and described their push against the technology as masking an "anti-retail" thrust. Dr Cheryl Shearer, Big Blue's global leader, business development for emerging markets, told ZDNet Australia in an interview this week that "I think the RFID privacy movement is primarily an anti-retail movement, because no one is discussing this at all in manufacturing process control or its use in libraries".
Shearer added that much of the confusion was generated because individuals mistook the capabilities of RFID for those of location-based services. "The crux of the argument about privacy is that it's all very well to have an item marked and to be able to read it but it's quite another thing to be able to do some push-based marketing on the basis of it," said Shearer, arguing "that's what people are afraid of, location-based services, but that's not RFID." RFID systems combine microchips and wireless gadgetry to provide tiny tracking devices for products, with the resulting set-ups expected to streamline supply chains and help retailers keep better records of their inventory. (Excerpt from article by Abby Dinham)
[source: zdnet.co.uk]
(2004-04-28) [The Register] Consumers in Malaysia will soon be able to pay for their shopping with contactless, EMV standard (http://www.thales-esecurity.com/Solutions/EMV_smartcard.shtml) smart cards, as Visa does away with the need for a signature with the launch of its new system, Visa Wave.
The idea is to make all personal information (including sensitive data like income) available for easy analysis in one commonly accessible data system. Since 1996 at least 18 different government databases have been developed for voting, taxation, social security, medical, military service and other purposes. These databases are not connected with each other. With the new ID system the Russian government hopes to achieve progress in three main spheres: social and pension insurance, taxation and investigation of crimes. It is not clear yet whether all information is to be accumulated in one huge database or connected trough existing bases.
[source: theregister.com]
(2004-04-28) [BBC] European laws on spam are "meaningless" finds a study by Dutch academics. Researchers at the University of Amsterdam said the laws will provide no safeguard against spam because most of it originates outside the EU's borders.
Only a co-ordinated international effort will make a difference to the amount of spam being sent they warn. The authors of the study say the European laws also lack key clauses that would make them more useful to end users. Without similar anti-spam rules being adopted across the globe, the EU directives are not going to stop spam sent to European e-mail users from beyond the region.
The researchers said the EU laws have other weaknesses such as no clear way for users to complain if net providers are not doing enough to stop spam. They also found that eight EU member nations have yet to implement the directive despite the deadline for compliance falling more than six months ago. The rogue nations - Belgium, Germany, Greece, France, Luxembourg, the Netherlands, Portugal and Finland - have been threatened with legal action.
[source: bbc.com]
(2004-04-30) [Krisberedskapsmyndigheten] Regeringen har i ett tilläggsdirektiv gett Infosäkutredningen i uppdrag att genomföra den utvärdering som regeringen anmälde till riksdagen i propositionen "Samhällets säkerhet och beredskap" (2001/02:158). Utvärderingen åsyftar de fyra informationssäkerhetsverksamheter som inrättades till följd av regeringens proposition "Fortsatt förnyelse av totalförsvaret" (2001/02:10): Sammanhållande myndighetsansvar och omvärldsanalys inom KBM, IT-incidenthantering inom PTS, Teknikkompetens inom FRA och Ett system för evaluering och certifiering inom FMV.
InfoSäkutredningen har anlitat FOI för att stödja och lämna underlag till utvärderingen. FOI ska slutredovisa uppdraget senast i september i år. Utvärderingen kommer slutligen att redovisas i samband med InfoSäkutredningens slutrapport senast den 6 maj år 2005.
Källa: Kommittédirektiv 2004:46
[source: Delete nr 42]
(2004-05-06) [Datainspektionen] Några skolor i Stockholm använder fingeravläsning vid elevenas inloggning i skolans datorer. Nu måste de inhämta samtycke från barnens vårdnadshavare. Det är innebörden av två beslut i Datainspektionens styrelse i går.
Det är Kvarnbyskolan i Rinkeby och flera skolor i Spånga-Tensta stadsdelsnämnd som använder fingeravläsning vid inloggning på skolans datorer. Datainspektionen har granskat om registreringen följer personuppgiftslagen (PuL). Nu slår Datainspektionens styrelse fast att fingeravläsningen kräver samtycke från barnens vårdnadshavare. Besluten fattades vid styrelsens sammanträde i går.
[source: Pressmeddelande]
(2004-05-05) [EDRI] The Council of ministers of justice and interior affairs (JHA) accepted on 29 April 2004 the Spanish proposal to oblige European air carriers to transfer passenger data about non-EU passengers entering the EU. "At the request of the authorities responsible for carrying out checks on persons at external borders, carriers will be obliged to transmit, by the end of the check-in, information concerning the passengers they will carry to an authorised border crossing point through which these persons will enter the territory of a member state."
The European Parliament criticised the Spanish initiative severely for not taking data protection issues into account. Euractiv writes: "MEPs have done everything they could to make this initiative fall. Under rules set in the Amsterdam Treaty, the Council had until 1 May to adopt Member States' initiatives, after having consulted the Parliament. MEPs refused to deliver a formal opinion - despite being urgently requested by the Council to do so - in the hope that this would stop the Council from adopting the directive."
[source: EDRI-gram - Number 2.9, 5 May 2004]
(2004-05-05) [EDRI] Eight Member States were referred by the Commission in December 2003 to the Court of Justice for failure to transpose the Copyright Directive (2001/29/EC) into national law. The deadline for implementation was 22 December 2002, but was only met by Greece and Denmark. Italy, Austria, Germany and the UK transposed the Directive into national law in 2003, while Ireland and Luxembourg implemented the Directive in 2004.
The remaining seven original states - Belgium, Spain, France, the Netherlands, Portugal, Finland and Sweden - have all published draft legislation. Controversy over the Directive has ensured a rocky ride for these laws, most of which have now been rewritten at least once after negative comment on the initial drafts. Implementation continues in the 10 new member states.
EDRi members FIPR and AEL have further information about the EUCD implementations on their websites. FIPR is organising a workshop on the future direction of European copyright law on 13 June in Berlin, directly following the Wizards of OS conference.
[source: EDRI-gram - Number 2.9, 5 May 2004]
(2004-05-05) [EDRI] EDRi member Privacy International has published an Interim Report on the link between identity cards and the prevention of terrorism. The report, the first of its kind, was initiated following attempts by the UK and Canadian governments to introduce biometric ID cards.
The report analysed the 25 countries that have been most affected by terrorism since 1986 and concluded that the presence of an ID card appears to have made no significant impact on prevention of these attacks. The report notes that while a link between identity cards and anti-terrorism is frequently suggested, the connection appears to be largely intuitive. Almost no empirical research has been undertaken to clearly establish how identity tokens can be used as a means of preventing terrorism.
[source: EDRI-gram - Number 2.9, 5 May 2004]
(2004-05-05) [EDRI] Ireland has cancelled the use of electronic voting machines for the upcoming European elections in June after an independent commission said the secrecy and accuracy of the voting could not be guaranteed. The Irish government has spent 40 million euros on voting machines from the Dutch manufacturer Nedap. The Irish opposition demands the resignation of the responsible minister for the Environment and Local Government, Martin Cullen.
There has been a fierce public debate in Ireland about the introduction of e-voting after technical experts raised concerns on the reliability of the voting machines and its software. In 2002 the Irish security firm Zerflow reviewed the Nedap machines and concluded that manipulation of the voting process was possible. Experts and civil society groups have since then pushed for an independent review of the source code and the implementation of a paper trail (Voter Verified Audit Trail). The paper trail should make it possible for voters to see the result of their voting on paper as they can't see what happens inside voting machines. The machine might display one vote to the voter and record something else internally. The paper ballot can also be used for a manual re-count if desired. The Nedap machines do not provide such a paper trail.
[source: EDRI-gram - Number 2.9, 5 May 2004]
(2004-05-05) [EDRI] A last effort of the EU Council to reach agreement with the European Parliament about the transfer of airliner passenger's personal data (Passenger Name Record; PNR) to the U.S. failed on Tuesday 4 May. With a 343 to 301 majority, Parliament decided not to vote on the Council's proposal to treat the matter as an 'urgency procedure'. Having lost already two votes in the Parliament on the transfer, the Council had hoped it could make use of the singular historic situation where 162 non-elected observers to the Parliament from the new member states had gained member status for one single session, extending the plenary session to 788 members.
By bringing forward the urgency request, the Council tried to turn over the former votes. They hoped they could convince the presumedly inexperienced MEPs from the new member states that the transfer was necessary to ensure transatlantic travel, and that it was protected by sufficient safeguards.
[source: EDRI-gram - Number 2.9, 5 May 2004]
(2004-05-05) [EDRI] France, Ireland, the UK and Sweden have made a joint proposal to the Council of the European Union to store the telecommunication data of all 450 million EU citizens for a period of 12 to 36 months, for law enforcement purposes. If the ministers of the member states accept the proposal for a framework decision, all traces of telephony of internet usage of all EU citizens will be stored for a long time. These so-called traffic data reveal who has been calling and e-mailing whom, which websites they have visited, and even where people were with their mobile phones.
The draft framework decision addresses providers of telephony and internet, both networks and services. They will have to store the traffic data of all their users, not just those of suspects. Since there are only few people in Europe without a telephone, gsm or internet, in the newly enlarged Europe this decision would affect the privacy and freedom of expression of 450 million citizens.
The traffic data will be accessible for law enforcement authorities and intelligence services, not just nationally, but across all EU-borders. The member states decide themselves on the powers they grant to obtain access nationally.
Privacy and civil rights groups reject mandatory data retention of all citizens. By storing everybody's communication data, the principle is violated of being considered innocent until proven guilty. Companies are forced to store large amounts of highly sensitive personal data, even if there is not a single valid business purpose. Market parties thus become an extended arm of the law. With this proposal, Europe sets out a fundamental new course in law enforcement; from specific investigations to general surveillance of all citizens.
[source: EDRI-gram - Number 2.9, 5 May 2004]
(2004-05-07) [MIT Technology Review] The state of California is moving ahead with a ban on electronic voting machines that don't provide a verifiable paper trail. Even though the disabled, the visually impaired, and many election officials love the machines' easy interfaces, independent studies have shown that the systems are easy to tamper with once the votes are in.
Current polls showing Kerry and Bush nearly tied, meaning that November 2004 could look a lot like November 2000 -only without any possibility for a recount. Unless California's ban catches on, the numerous localities that use electronic voting machines made by Diebold Election Systems will have to accept the initially reported results as final. It doesn't help matters any that Diebold Inc. CEO Walden O'Dell is a generous GOP contributor who said in a fund-raising letter that he was "committed to helping Ohio deliver its electoral votes to the president" in 2004. Voter confidence was also shaken when activists publicized internal Diebold documents that showed machines used in Florida contributed to "minus votes" for Al Gore in 2000. The president of Diebold Election Systems, Bob Urosevich, recently admitted that machines used in California's presidential primary were flawed.
With the election less than a year away, Americans need reassurance that they - not faulty machines - will be picking the president.
(A note by Alyssa Danigelis)
[source: technologyreview.com]
(2004-04-23) [silicon.com] After having failed to convince the EC to back-pedal on the agreement allowing the US to harvest the personal data of travellers heading into the country, MEPs are making a last ditch attempt to stop the accord. The Euro MPs don't intend to let themselves be stopped short by Brussels on the sensitive issues of passenger data. On 21 April, they decided to take the matter before the European Court of Justice. It's a measure that just squeaked in with a small majority – 276 votes for, 260 against and 13 abstentions.
Three weeks ago, the parliamentarians asked the Commission to re-examine the accord negotiated with the US authorities in December 2003, which green-lighted the transfer of data on reservations by Europeans flying to the US. The US administration, however, demanded such information (name, credit card number, telephone number and even dietary preferences) be included in the passenger name records (PNR) from March 2003 – well before the agreement was reached. According to Washington, such information could help to identify terrorists before they landed on American soil. The European Court of Justice must now determine if, in signing the agreement with the US, the Commission has overstepped its powers and acted in violation of European data-protection legislation. (Excerpt from article by Estelle Dumout)
See also: Terrorist or traveller? Software will decide.
[source: silicon.com]
(2004-04-22) [Computerworld Inc.] Reports of worsening identity theft are pressuring companies to adopt stronger methods of making sure they know the identity of their customers. Most customers will find this additional layer of security comforting. But the more invasive authentication methods—biometrics, especially—have people worried that they'll lose their privacy in the process. How can businesses authenticate their customers without scaring them away? By putting the consumer in control throughout the authentication process.
Since 9/11, companies have been re-examining how they confirm that their customers are who they say they are before giving them access to systems and accounts. The 9/11 hijackers showed how easy it was for deadly criminals to pass through society making important transactions using unchecked credentials. The next time you call your Internet service provider, for example, you'll probably have to pass through two or three filters before you can change your service. The ISP will check its caller ID to verify your phone number and then ask you to verify your name and address, and it may ask for one more piece of information.
So how do companies strike the right balance? How can they simultaneously provide the levels of privacy and security that customers want? ...... (Excerpt from article by Jay Cline )
[source: computerworld.com]
(2004-04-21) [Guardian Newspapers] Transatlantic travellers may in future have to check in five hours early for their flights to answer detailed security questions, the travel industry warned yesterday. Mounting anxiety among British tour operators about US plans to obtain advance information has prompted the Association of British Travel Agents (Abta) to signal that it could lead to chaos at big British airports.
Abta believes the Advanced Passenger Information System (Apis), which the US wants to introduce would be unworkable and result in lengthy queues. It would deter many of the 4 million Britons who fly to the US every year, many tour operators claim. The US homeland security department has not announced when it will introduce the scheme, which is supposed to identify terror suspects, nor has it decided how much information it will require.
The dispute in Brussels is over the amount of information about passengers already being sent by European airlines to the US. Suggestions that the information might be transferred to third countries has inflamed concerns about breaches of civil liberties and data protection regulations.
(Excerpt from article by Owen Bowcott)
[source: Guardian Unlimited]
(2004-05-03) [Bruce Schneier] CAPPS, the Computer-Assisted Passenger Profiling System, is a profiling system deployed by the US Federal Aviation Authority since 1999 to identify high-risk individuals for increased security attention. (The current version is CAPPS-II.) CAPPS rates all passengers using approximately forty pieces of data. The details are secret -- the Deaprtment of Justice insists that ethnicity is not one of the criteria -- but are believed to be based on: the traveller's address; credit history; police and tax records; flight origin or destination; whther the ticket was purchased by cash, check, or credit card; whether the ticket is one way or round trip; whether the traveller is alone or with a large group; how frequently the traveler flies; and how long before departure the ticket was purchased.
But CAPPS is a brittle security system. Its effectiveness is partly a result of the secrecy of the CAPPS profiling criteria.
[A] smart terrorist can bypass this system pretty easily. Assume a terrorist gets a fake ID and a credit card issued in that name. He buys a ticket using that card; for extra verisimilitude he can buy a first-class ticket and wera a suit. The only metric the CAPPS system can use to pick him out of the crowd is that he's a first-time flier.
(excerpt from book by Bruce Schneier: Beyond fear (Copernicus Books, 2003), p. 164.
[source: www.schneier.com]
(2004-04-23) [Bloor Research] Cyber crime spawns technology battles. There are battles between virus writers and anti-virus vendors, between digital intruders and intrusion detection technology and between illegal spam distributors and spam filtering technology. And as time goes on the criminals get more sophisticated and the counter technology improves in order to neutralize them. A technology battle that has, so far, received less attention than it deserves is the battle between organized fraud and the technology to prevent it. This is a battle that has escalated in the past few years, with the fraud opportunities of the Internet attracting organized criminal gangs who are both inventive and technically sophisticated in their activities.
The problem of Internet fraud is unlikely to go away any time soon. I was told by a security consultant that the average successful bank robbery in the US carried out with a gun netted about $7000, while the average bank robbery carried out with a PC netted about $100,000 - with a much higher chance of success and a much lower chance of getting caught. (Excerpt from article by Robin Bloor)
[source: IT-Director.com]
(2004-04-21) [Bloor Research] A survey by the FBI and CSI that concluded that insider abuse of network access was the most common security threat faced by companies, mentioned by 80% of respondents. Now, the UK's Department of Trade and Industry is just about to publish another survey that shows that not only are employee security vulnerabilities on the rise, but companies are doing very little about it. According to the survey, internet access is nearly ubiquitous in large companies in the UK, with 98% of employees being given access. Even in companies of all sizes, 89% now have access to the internet, compared to 69% in 2002.
Security vulnerabilities caused by unacceptable behaviour by employees are more than merely annoying - they could cost a great deal of money in terms of fines, or even a spell in jail for serious offences. Companies need to tighten their internal controls and reverse the trends that the DTI's survey show are clearly putting businesses at risk. (Excerpt from article by Fran Howarth)
[source: IT-Director.com]
(2004-04-20) [Bloor Research] Electronic data misuse is fact of life in both Public and Commercial Enterprises, in spite of the operational processes and procedures to prevent and to detect it. "To err is human..." sanctions and disciplinary measures are normally taken against those who transgress. Anecdotal evidence would suggest most of the abuse relates to using services for private use: shopping, auctions, pornography, communicating with friends and similar peccadilloes.
Statistics on abuse of data by Governmental Organisations should be made available under the Freedom of Information Act. It may be but would have to be collated across all Government organisations to form meaningful statistics. (Excertp from article by Bob McDowall)
[source: IT-Director.com ]
(2004-04-26) [MIT Technology Review, Inc.] Over the past few months, major players in the world of e-mail have proposed schemes for combating the rising tide of spam. In December, for example, Yahoo! proposed an approach called DomainKeys for validating which messages come from which e-mail servers. In January, speaking to journalists at the World Economic Forum in Davos, Switzerland, Microsoft chairman Bill Gates suggested using a sender-pays system, with money-based e-mail stamps. And at the RSA security conference in February, Gates touted as a spam solution Microsoft’s Caller ID—a variation on the Sender Policy Framework (SPF), which is an anti-spoofing technique that reduces the ability to falsify "From" addresses in e-mail messages.
Unfortunately, upon close examination these techniques turn out to be unworkable or ineffective. They represent centralized solutions that serve the needs of large Internet service providers and, less directly, of large advertisers. Such ideas would be only marginally effective against spam. Worse, they would break services users count on. (Excerpt from article by Eric S. Johansson and Keith Dawson)
[source: technologyreview.com]
(2004-04-26) [Computer World] The U.K. Passport Service (UKPS) today launched its six-month trial of biometric technology involving 10,000 volunteers, the same day that the U.K. government introduced a draft bill that could mandate compulsory biometric identity cards and a central database of all of its citizens.
As proposed by U.K. Secretary of State for the Home Department David Blunkett in November , the ID cards would carry biometric identifiers in an embedded chip, which would be linked to a secure national database called the National Identity Register. The database would be created by 2010, and by 2013 ministers would decide if the ID cards would become compulsory for all U.K. citizens through the use of biometric passports or driver's licenses. Though citizens would have to own and pay for the ID cards, they most likely wouldn't be forced to carry them at all times. (excerpt from article by Laura Rohde)
[source: computerworld.com]
(2004-04-29) [EPIC] EPIC has published a new web page discussing the ethical and privacy implications of nanotechnology. The page was authored by University of Pennsylvania law student Eva Gutierrez. It traces the history of nanotechnology, funding for the field, the ethical implications of the technology, and privacy issues raised. Nanotechnology has profound potential for addressing environmental, health, and many other issues; it also raises new environmental, health, and privacy risks. Ms. Gutierrez's previous work for EPIC focused on firearms privacy, and her research highlighted the strong substantive and procedural protections for privacy of gun owners.
Further information: EPIC's Nanotechnology Privacy Page and EPIC's Firearms Privacy Page.
[source: EPIC Alert vol 11 no 8]
(2004-04-29) [EPIC] American Airlines recently became the third commercial airline to admit turning over passenger information to the United States government or its contractors without the knowledge or consent of affected passengers. American announced that Airline Automation, a vendor working for the airline, gave 1.2 million passenger records in June 2002 to four companies that were competing for contracts with the Transportation Security Administration.
The airline conceded that it had authorized the records to be disclosed to the agency, but not the contractors. Airline Automation disputed American's version of events, contending that the airline merely said that it would receive instructions from the Transportation Security Administration, which then asked that the data be transferred directly to the contractors "testing aviation security systems" for the agency.
[source: EPIC Alert vol 11 no 8]
(2004-04-29) [EPIC] Today, EPIC filed Freedom of Information requests with federal law enforcement and intelligence agencies seeking records concerning "use of Google search technology for law enforcement and intelligence purposes, and particularly the possible use of Google's Gmail service for law enforcement and intelligence investigations."
The requests note that Google's Gmail is capable of performing functions for law enforcement and intelligence agencies that have been the subject of Congressional action and widespread public debate. Gmail is capable of storing a vast amount of personal communications data for link analysis, creating a honey pot for law enforcement requests to pervert the system for surveillance.
The groups raised a series of risks to privacy posed by the service. First, the scanning of the actual content of e-mail messages for placement of advertising is an unprecedented invasion into the sanctity of communications. It is likely to reduce expectation of privacy in e-mail, and provide justifications for communications scanning for other purposes. Federal law sets forth some of the strongest protections for the content of communications, often referred to collectively as the "Title III warrant," which require probable cause, can only be triggered by the commission of serious criminal acts, and have accountability provisions including reporting and the ability to sue individuals who eavesdrop without justification. Gmail's defenders have claimed that scanning for ad placement is similar to scanning for spam, and that it can occur lawfully under an exception under wiretapping laws for maintenance of communications network. But this is a an improper invocation of the exemption -- it was created to ensure quality and integrity of the network, not to provide an "anything goes" exemption to wiretapping laws. For instance, telephone companies use the exemption to listen to calls to test audio quality; if the companies started actually extracting content from these conversations, the exemption would eviscerate the protections of the law and violate the expectations of telephone users.
[source: EPIC Alert vol 11 no 8]
(2004-04-04) [Los Angeles Times] Some vehicles are 'bugged' without the driver's knowledge. A California bill would require notification. If you care about your privacy or your pocketbook, ask whether your rental car has electronic tracking equipment and what it's used for. The answers may surprise you — if you can get them.
More rental cars have been fitted with such systems, which can instantly relay information on your car's speed, route and position to the rental company. This is done by wireless devices and Global Positioning System (GPS) receivers that pinpoint location. Rental companies say they use the devices mainly to track stolen vehicles. A flurry of lawsuits two years ago accused a Budget Rent a Car licensee in Tucson of using such a system to covertly track renters who took cars out of state and to fine them thousands of dollars. Earlier, another rental company in New Haven, Conn., allegedly tracked renters who drove faster than 79 mph and fined them. (Excerpt from article by Jane Engle)
[source: latimes.com]
(2004-04-06) [Axis of Logic] Europe and America are worlds apart when it comes to privacy laws. Privacy is a constitutional right in all European Union countries, which zealously safeguard personal information about their citizens. Each has its own data protection commissioner, a privacy watchdog roughly equivalent to the chairman of the Federal Trade Commission in the United States.
Europe's privacy concerns come straight out of the region's horrific experiences in World War II. "You had Germans marching into France and using the National Census to round up the Jews," said Simon Davies, director of Privacy International, a watchdog group in London. "That changed the sensitivity of the entire region." The European Convention on Human Rights, written in the 1950s, explicitly guarantees citizens the right of privacy.
Europeans take a more cynical view of why the United States has fewer privacy restrictions. "There's a sense here of American corporations that they will do anything to achieve the bottom line," Davies said. "Many companies have a quite reprehensible, I think, attitude, the sense that they own this data and they're going to make a buck out of it." Another factor in privacy protection is the Social Security number. A thief who knows someone's Social Security number and birth date can spin that information into fake identities and piggy-back credit. Europe does not use a numerical identification system such as a Social Security number. Europe's tight privacy controls mean that identity theft (called "identity fraud" in Britain) is relatively rare. In Britain, ID theft and credit card fraud cases combined number in the tens of thousands, annually involving about 1.3 billion pounds ($2 billion). In the United States, $53 billion a year slips away in 9.9 million cases.
[source: Axis on the web]
(2004-04-14) [The Australian] YOU may have thought that sending a text message or photo to a friend's mobile meant it was for their eyes only, but that only applies if you are not a Telstra mobile customer. Telstra has been storing millions of its customers' personal text messages and mobile phone photographs on its computers for up to 28 days.
The Telstra revelation has been made public in the wake of publication of text messages allegedly sent by David Beckham to Rebecca Loos and Perth-based Sarah Marbeck. When quizzed about the practice yesterday morning, Telstra insisted the messages were only stored "for the sake of resending failed messages and customer bill reconciliation". "They are kept in order to sort out billing disputes," a Telstra spokeswoman said. Vodafone and Optus confirmed they do not keep messages for that length of time. A spokesman for the Federal Privacy Commissioner said it no longer had any issues with Telstra now that the telco had agreed not to store messages for almost a month.
[source: news interactive]
(2004-04-12) [The Scotsman] HARRY Potter author JK Rowling is in a row with her neighbours over plans to install CCTV cameras around her Edinburgh property. The owners of neighbouring properties to her home in north Morningside have lodged formal objections to her erecting five surveillance cameras around her house to protect her from potential stalkers and intruders, on the grounds that the cameras would invade their privacy.
Rowling was stalked by obsessive American fan Melissa Kumsuk Cho who repeatedly turned up at her house and made scores of nuisance telephone calls before being dealt with by police in 2002. Cho, 44, was charged with harassment and committing a breach of the peace before being deported. Rowling and her husband, Dr Neil Murray, submitted a planning application for the cameras last December and permission was eventually granted for them by council planning officers in February this year. (Excerpts from article by Craig Brown)
[source: news.scotsman.com]
(2004-04-09) [Star Publications (Malaysia)] Implementing a hospital information system (HIS) means facing a host of problems, but while most can be resolved, the potential project-killer could be a lack of data privacy. "Poor project management, miscommunication with the system's endusers, and software and technologies not meeting requirements -- all these occur more frequently but can be easily remedied," said Dr Chow Yuen Ho, director of Singapore General Hospital's Department of Medical Informatics.
[S]ome countries have laws which prevent the transfer of certain highly-confidential information about the patient. "For instance, Singapore’s privacy protection laws forbid hospitals from including confidential details like a patient's past record of sexual assault, psychiatric illnesses, AIDS and so on, in medical records transferred between hospitals and clinics," said Dr Chow.
[source: The Star Online]
(2004-04-08) [The Yomiuri Shimbun.] Fukushima Commerce and Industrial (Kenshin) Bank introduced a new identification system Monday that digitally records a photograph of a customer and the personal seal in his or her bankbook as a way to ensure money can be withdrawn only by the account holder.
When a bank employee enters the customer's bank account number on a special computer terminal, the photograph of the customer's face and his or her seal are displayed on the screen, allowing the staffer to verify whether the person at the counter is the account holder. This is the first time a domestic financial institution has introduced such an identification system. Kenshin decided to implement the system in response to a spate of fraud cases across the nation in which forged personal seals, made using the seal imprint contained in stolen bankbooks, were used to withdraw cash.
(Excerpts from article by Yomiuri Shimbun)
[source: Daily Yomiuri On-Line]
(2004-04-14) [The Privacy Manager] Googles recent offer of email accounts has raised a storm of objections.
A set of links to recent published texts on this can be found in Focus: Google Gmail.
[source: PM Archives - April 14, 2004]
(2004-04-10) [Telegraph Group Ltd] Air travellers and airlines are becoming increasingly concerned by the transfer of ever more detailed passenger information to authorities in the United States, which is expected to bring increased costs, delays and challenges to privacy violations. Ever since the terrorist attacks of September 11, 2001, the US has demanded extensive information about visitors to the country, including home and email addresses, telephone numbers, credit and debit card numbers and even dietary preferences.
At present, airlines must comply with two passenger- data systems operated by US authorities — Passenger Name Record (PNR), the information stored on airline computers at the time of booking, and the Advanced Passenger Information System (APIS). Following the September 11 attacks, the APIS scheme, which involves questions at check-in, became compulsory, with fines of up to £50,000 being imposed on airlines that failed to transfer accurate information within 15 minutes of the departure of a US-bound flight. (excerpt from article by Charles Starmer-Smith)
[source: travel.telegraph]
(2004-04-12) [Computerworld, Inc] Do you know where your customers' data is tonight? And what you're doing with it? Data privacy woes are rampant. Every week, we hear about another debacle or encroachment on what should be a private sphere. And regular folks are getting angrier by the day. IT, albeit reluctantly, is at the heart of the problem. But IT must also insist on being part of the solution.
Missteps are increasingly easier to make. One reason is the offshoring trend. Last year, for example, a medical transcriptionist in Pakistan threatened to release U.S. patients' data if his demands for higher payments weren't met. The U.S.-based company that farmed out the work later told the San Francisco Chronicle that its business had been hit hard by fallout from the disclosure -- perhaps a fitting outcome. Although it's not clear how much private data is now being sent overseas, there's no doubt that the amount is growing. And companies that don't exert the strongest controls over the information they send offshore are opening themselves up not just to financial trouble but also to a massive and well-deserved backlash. IT departments can't control a transcriptionist making demands halfway around the world. But they can avoid preventable stupidity. (Excerpt from article by Dan Gillmor)
[source: ComputerWorld Web]
(2004-04-01) [European Commission] The Commission has taken the second step in infringement proceedings against eight Member States for failing to notify it of measures transposing the Directive on Privacy and Electronic Communications (e-Privacy Directive) into their national laws. The Directive governs areas like "spam" e-mail and identifier "cookies". These proceedings were opened against nine Member States in November 2003 (see IP/03/1663), but Sweden has since notified the Commission of new spam legislation. The second stage in infringement proceedings involves sending reasoned opinions to Belgium, Germany, Greece, France, Luxembourg, the Netherlands, Portugal and Finland. They now have two months in which to respond and could face action before the European Court of Justice if they fail to comply.
Enterprise and Information Society Commissioner Erkki Liikanen said: "We are determined to keep up the pressure on those Member States that have yet to implement the legislation they signed up in 2002. This Directive is vital to ensure that privacy and data protection are assured in an on-line world. It shows effective action can be taken and enforced at a national level in the fight against spam. These rules set common conditions across the Union, so users know what to expect and industry and Member States know what they must do."
[source: Press Release]
(2004-04-22) [Datainspektionen] Nu finns en uppdaterad version av Datainspektionens efterfrågade skrift ”Personregistrering i Sverige”. Den innehåller en aktuell förteckning över de största och vanligaste persondatabaserna som är i drift i Sverige. En vanlig svensk finns i dag med i ett hundratal register och databaser. De flesta uppgifterna är harmlösa men en grundregel är att ett register inte får innehålla mer information än vad som behövs för registrets ändamål.
I skriften finns ett exempel på hur du kan skriva för att begära information. Förteckningen över de vanligaste persondatabaserna är uppdelade på myndighetsregister och register inom den privata sektorn. Skriften finns på PDF-form: Personregistrering i Sverige .
[source: DI web]
(2004-04-14) [Datainspektionen] En konfirmandledare som publicerade uppgifter om sina arbetskamrater på Internet slipper straff. Hon har visserligen brutit mot bestämmelserna i PuL men brottet anses vara ringa och då ska inte straff utdömas. Därmed slipper hon de böter som tidigare dömts ut. Det är innebörden av en dom från Göta Hovrätt.
Nu har alltså Göta Hovrätt funnit att kvinnan av oaktsamhet har brutit mot bestämmelser i personuppgiftslagen, men att brottet ska anses som ett ringa fall och att det därmed ligger utanför det straffbara området. Inför hovrättens dom har dock åklagaren tagit tillbaka åtalet i den del som gäller om kvinnan hade överfört uppgifter till tredje land genom att publicera dem på Internet. Hovrättens dom gäller därför bara delvis samma frågor som var aktuella i tingsrätten och EG-domstolen.
[source: DI web]
(2004-04-07) [CNET Networks, Inc ] A United Nations task force recently held a two-day workshop on the question of who governs the Internet. U.N. Secretary General Kofi Annan challenged those of us present to ensure that the Internet and the World Wide Web support "the cause of human development."
There are a few governments that would like to pervert Internet architecture into a system that squelches, rather than frees expression. While we must be on our guard against all of these dangers, now is the time for the Internet community to face the fact that the entire world has an interest in the way that the Net is designed and how it operates.
For example, today companies that build the Internet's hardware and software are developing technology to facilitate government interception of Internet traffic. What can we do to ensure these technologies respect basic privacy rights and security needs if they are not developed in the light of day, the way that all basic Internet technology has grown? Before governments force hardware engineers to build this functionality into products, we should make sure these issues are addressed. This is no longer a job for engineers alone and no longer simply a question of making the packets flow to their appointed destinations. Our basic human rights and basic economic needs are determined by the current technical infrastructure.
(Excerpt from article by Daniel J. Weitzner)
[source: ZDNet ]
(2004-04-21) [EDRI] LogicaCMG has published a study on the adoption of RFID in six European countries. The report gives an outline of the technology and issues behind RFID such as costs, standardisation and software integration. The focus of the study is returnable transport items, such as pallets, crates and roll containers.
The report does not cover the use of RFID in consumer products. And although consumer privacy is not directly an issue with RFID on returnable transport items the report advises companies to develop a privacy policy and communicate this to their consumers.
See report Making Waves: RFID Adoption in Returnable Packaging.
[source: EDRI-gram - Number 2.8, 21 April 2004]
(2004-04-21) [EDRI] The organising committee of the Big Brother Awards Switzerland has published a map of more than 70 video surveillance cameras in a city district of Zurich (Switzerland). The map was presented on the occasion of a public camera-spotting walk on 10 April 2004, that was organised as part of the annual 'Spring surveillance' events.
Most of the cameras are installed by private entities, some of them are dummies. The cameras are categorised by a special typology. The map can also be downloaded as a PDF file. Previously, in Belgium, Germany and the Netherlands, several cities were mapped.
See online surveillance map Zurich.
[source: EDRI-gram - Number 2.8, 21 April 2004]
(2004-04-21) [EDRI] On 29 April 2004 the French National Assembly will examine in second reading the draft law implementing the 1995 Directive on the protection of privacy and personal data. The transposition process started in July 2001 under the previous government. France is the last EU country where the implementation has not been completed, far beyond the deadline of October 1998.
French people have been however among the first EU citizens to enjoy a law on personal data protection, with the 'Computing and Freedom Law' (Loi informatique et libertes) adopted in January 1978. But this law only deals with protection against government activities, and the transposition is needed to reinforce protection against private and commercial activities. The long awaited implementation of the Directive is also supposed to empower the French Data Protection Authority (Commission nationale de l'informatique et des libertes or CNIL), giving it the power to impose financial sanctions on companies when they infringe the law.
[source: EDRI-gram - Number 2.8, 21 April 2004]
(2004-04-21) [EDRI] The European Commission considers it to be part of the Lisbon Strategy - and therefore a top priority - 'to have smart dust and tag everything' with Radio Frequency Identification (RFID). The point was made by Rosalie Zobel, Director of the Information Society Technologies (IST) programme at the Commission, in her opening speech of a one-day workshop on 'wireless tags research needs' in Brussels on 20 April 2004. Mrs Zobel thinks this aim can be achieved and dreams of it being "the source of a new set of business models and creator of high quality tech jobs".
The workshop was part of a consultation process in relation to Work Programme 2005-06, which covers the second half of the EU's Sixth Research Framework Programme (FP6). The Work Programme will be officially published at the end of October, and is likely to contain three calls for projects that may be funded by the EU in the field of RFID technology with a total of 180 Million Euro.
Privacy issues in connection with RFID technology were brought up repeatedly, and the last panel consisted of three privacy experts warning against the industry's tendency to eliminate privacy-protective measures such as disabling options or encryption, in order to cut costs for the still-too-expensive technology.
See Workshop website (20.04.2004).
[source: EDRI-gram - Number 2.8, 21 April 2004]
(2004-04-21) [EDRI] According to a press article published on 15 April 2004 in the Belgian daily boulevard paper 'La Derniere Heure', the ministry of interior in Belgium will test new telecom interception hardware and software on the fiberlink used by ADSL broadband users in Belgium. The test will be done by the CTIF (under the federal control of the ministry of interior) during a non determined period (starting Sunday 25 April) on the fiberlink in Brussels. The main purpose seems to test the viability of the technical solution.
This kind of wiretapping is quite different from regular phone (or internet) interception. Those wiretaps require identifying a specific caller line or identity. The Belgian 'black box' will monitor all the traffic transmitted on the fiberlink. If we take the analogy of 'classical' phone interception, it's like monitoring all the in/out phone traffic of an entire city in the hope to find a specific call.
[source: EDRI-gram - Number 2.8, 21 April 2004]
(2004-04-21) [EDRI] EDRI-member Privacy International has filed complaints about Google's proposed new Gmail service with privacy and data protection regulators in 17 countries in Europe, Canada and Australia. The complaint identifies a large number of possible breaches of EU law. These include: stability of the contract, security of data, interception and disclosure of content, subject control over data, searching of e-mail content, indefinite retention, confidentiality, third party issues, offshore processing of data, consent issues and the treatment of sensitive data.
Privacy International points out a few disturbing articles in the Gmail privacy policy and terms of use. Google lets the user agree that they "will not copy, reproduce, alter, modify, or create derivative works from the Service". This means that users are not allowed to copy or extract their own e-mail. This would violate EU data protection principles that ensure that individuals have the ability to control their own data.
"Google may monitor, edit or disclose your personal information, including the content of your e-mails, if required to do so in order to comply with any valid legal process or governmental request". The term request remain undefined.
See also: about Gmail.
[source: EDRI-gram - Number 2.8, 21 April 2004]
(2004-04-21) [EDRI] Today, 21 April 2004, the European Parliament has voted to take the European Commission to court over the agreement with the United States Department of Homeland Security on the transfer of air passenger's personal data (PNR) to U.S. authorities. The Strasbourg Court is now to examine whether the Commission, when making the deal, exceeded its powers and acted in disrespect of EU Data Protection legislation.
After a major controversy, the project for a recommendation to ask the opinion of the European Court of Justice was adopted with a small majority of only 276 votes against 260. The Parliament's biggest Group - the centre-right wing PPE/DE, counting 232 of the House's 626 members -, opposed the recommendation, as well as the 29-strong delegation of the UK Labour Party and presumably a handful of German Social Democrats.
[source: EDRI-gram - Number 2.8, 21 April 2004]
(2004-03-15) [Krisberedskapsmyndigheten] Europarådets konvention om cyberbrottslighet ”The Convention on Cybercrime” träder i kraft den 1 juli nästa år. Förutsättningen för att den ska träda i kraft är att fem stater har ratificerat konventionen, vilket nu är uppfyllt genom att Kroatien, Albanien, Estland, Ungern och Litauen har signerat konventionen.
[source: Delete nr 41]
(2004-03-25) [Regeringskansliet] Regeringen har i dag beslutat att utse kansliråd Fredrik Sand (Näringsdepartementet) till Sveriges ledamot i styrelsen för Europeiska nät- och informationssäkerhetsbyrån (Enisa). Till suppleant har regeringen utsett rättschef Charlotte Ingvar-Nilsson (Post- och telestyrelsen).
Se Förordningen om Enisa på svenska.
[source: Pressmeddelande]
(2004-03-15) [Krisberedskapsmyndigheten] Krisberedskapsmyndighetens nya IT-säkerhetsguide finns nu tillgänglig att ladda ner från KBM:s webbsida för informationssäkerhet, se adress nedan. Säkerhetsguiden är ett analysverktyg som består av en vidareutveckling och modifiering av ÖCB:s (Överstyrelsen för Civil Beredskap) tidigare ITsäkerhetsguide FA22.
[source: Delete Nr 41]
(2004-04-16) [Krisberedskapsmyndigheten] KBM:s IT-säkerhetsguide är framtagen för att vara ett stöd i och underlätta arbetet med IT-säkerheten på den egna myndigheten.
[source: Krisberedskapsnytt 8/04]
(2004-04-05) [EU IPR Helpdesk] Eight Member States have failed to transpose the Directive on Privacy and Electronic Communications ("e-privacy Directive") The European Commission has sent a reasoned opinion to eight Member States, namely Belgium, Germany, Greece, France, Luxembourg, the Netherlands, Portugal and Finland, for failing to notify it of national measures transposing Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in electronic communications ("e-privacy Directive").
The e-privacy Directive deals with issues such as spam, cookies, and the confidentiality of communications. It was to be transposed into national law by 31 October 2003. Sending such reasoned opinions constitutes the second step in the infringement proceedings the Commission launched in November 2003. If the eight concerned Member States fail to comply with it, the matter might then be brought before the European Court of Justice.
See EU press release on the subject.
[source: IPR Helpdesk]
(2004-04-16) [New York times] The Bush administration plans to begin testing techniques next month for improving passenger rail security at a station in suburban Maryland that is served by Amtrak and commuter trains running between Washington and Baltimore, government officials said.
Passenger screening at the New Carrollton, Md., station will be conducted by the Transportation Security Administration, but will not be as invasive as airport searches. "No one at New Carrollton will be asked to remove their belt or shoes," said Dan Stessel, an Amtrak spokesman. The focus of the new program, called the Transit and Rail Inspection Pilot, or Trip, is not guns or knives, but bombs, officials said. Mark O. Hatfield Jr., a spokesman for the Transportation Security Administration, said the issue was "a different threat, and different protocols." Trains cannot be hijacked or crashed into buildings, officials pointed out. (Excerpt from article by Matthew L. Wald)
[source: NYT web]
(2004-04-12) [MIT Technology Review] Motoko Rich in the New York Times House & Home Section has an article about “a growing problem“ for renters --- computerized databases of people who have been taken to court by their landlords and successfully defended themselves. These databases, Rich writes, effectively punish renters for exercising their constitutional rights. One of the biggest offenders is the California-based U. D. Registry, but there is also a national company called Registry SafeRent.
It’s a serious problem, and it’s good to see The Times covering it. But its also an old problem: back in 1988, I wrote my Masters’ Thesis on the same topic. And David Burnham wrote about the problem in his 1984 book The Rise of the Computer State. The UD Registry has been around since the early 1970s. (From Simson Garfinkel's blog)
[source: MIT TR blogs/Garfinkel]
(2004-04-01) [Datainspektionen] Elektronisk skräppost är ett av ämnena i årets första nummer av magazin DIrekt.
Ladda ner från http://www.datainspektionen.se/nyhetsarkiv/nyheter/2004/april/2004-04-01.shtml.
[source: på webben]
(2004-03-17) [Datainspektionen] I den nya skriften "Vi skyddar ditt privatliv i IT-samhället" presenterar Datainspektionen sig och sin verksamhet. Där finns korta sammanfattningar av de tre viktigaste lagarna som Datainspektionen har tillsyn över: PuL, inkassolagen och kreditupplysningslagen. Personuppgiftsombuden är väsentliga och presenteras under egen rubrik, liksom de viktigaste verksamheterna: information, inspektion, regelgivning och internationellt.
Ladda ner från http://www.datainspektionen.se/pdf/ovrigt/presentation_svensk.pdf.
[source: på webben]
(2004-03-23) [Government Computer News] Government agencies and IT companies must work together to identify and prevent ethical violations and threats to privacy as the use of new technologies grows in the federal sector, a panel of public-policy professionals said today.
The panel was hosted by the Association for Federal Information Resources Management (AFFIRM), at FOSE 2004 in Washington. AFFIRM will take the debate a step further by publishing a white paper on the subject in a few months. (Excerpt from article by Roseanne Gerin and Wilson P. Dizard III)
[source: GCN.com]
(2004-03-22) [Computer Weekly] Growing support for radio frequency identification tagging is convenient for consumers but could threaten their privacy. This was the consensus among a panel of experts at a debates at the Cebit trade show.
"I can't really see the positive aspects of RFID for consumers and citizens," said Rena Tangens, founder and board member of the German privacy group FoeBuD e.V. Philip Calderon, The ePC Group vice president in Europe, downplayed Tangens' concerns. "There are more myths in RFID than there are in Greek mythology," he said. (Excerpt from article by: Scarlett Pruitt)
[source: computerweekly.com]
(2004-03-21) [The Plain Dealer] Participants in Cuyahoga Community College's faculty symposium Saturday "Perspectives on Privacy: Who's Watching Whom?" received a close-up view of the evolving and often contentious debate. Much of the discussion focused on the USA Patriot Act, the controversial 2001 federal legislation that increased law enforcement powers to pursue terrorists using secret searches and wiretaps, the detention of suspects without rapid judicial review, and the exchange of information between criminal- justice and intelligence agencies, which had been tightly restricted.
(Excerpt from article by: John Mangels)
[source: onTheWeb]
(2004-03-23) [Bell Globemedia] In the physical world, you may try hard to separate aspects of your life. You avoid preaching to your co-workers or talking shop at your church meeting. And you remain discreet with both groups about a date you had last weekend. On the Internet, those separate lives merge, thanks to Google.
"Google kind of makes it easy to connect all the dots together," said Richard M. Smith, former chief technology officer at the Privacy Foundation. "I think Google is the biggest privacy invader on the planet, no doubt about it." But whether Google ought to obscure information in the name of privacy is a policy issue Google would rather not tackle directly. ( Associated Press ).
[source: globeandmail.com]
(2004-04-07) [EDRI] The Article 29 Data Protection Working Party has adopted a working document on genetic data. The technical progress which science has made over recent years in the field of genetic research has given rise to new data protection questions and concerns in relation to the significance and impact of genetic tests and the processing of genetic data.
See: Working Document on Genetic Data (17.03.2004).
[source: EDRI-gram - Number 2.7, 7 April 2004]
(2004-04-07) [EDRI] On 1 March 2004 the EU launched a new 4-year project on privacy and identity management. Its objective is the research and development of solutions to empower individuals in managing their privacy in cyberspace. The Commission contributes a budget of 10 million euro.
See: PRIME project.
[source: EDRI-gram - Number 2.7, 7 April 2004]
(2004-04-07) [EDRI] On 8 April the French Senate will vote about a controversial new law to translate the E-Commerce Directive (2000/31/EC). The law known as LEN ('Loi sur la confiance dans l'economie numerique'), has been heavily opposed by EDRI-member IRIS, Reporters without Borders, several trade unions, internet user groups and the association of internet providers for undermining the rights of internet users and introducing private justice by internet providers.
If the Senate doesn't change the LEN, internet users will be able to demand the immediate withdrawal of content they consider unlawful. Website hosts will be forced to censor any content likely to be deemed unlawful for fear of being found criminally liable, with penalties of up to a year in prison and a fine of 75,000 euros for the manager of a service provider.
[source: EDRI-gram - Number 2.7, 7 April 2004]
(2004-04-07) [EDRI] The Dutch spammer Martijn Bevelander has to pay 25.000 US Dollar to the US Federal Trade Commission, for unfair and deceptive acts of commerce. Bevelander and his company Maps Holding BV were accused by the FTC for misrepresenting the subject line, 'spoofing' (faking) the sender) and creating untrue opt-out possibilities in large amounts of unsolicited commercial mail.
Both Bevelander and his US business partner Brian Westby have agreed to settle out of court. Westby pays 87.500 US dollar to the FTC.
[source: EDRI-gram - Number 2.7, 7 April 2004]
(2004-04-07) [EDRI] The proposed e-voting system in Ireland is under scrutiny due to concerns about fraud. An independent committee of 5 experts is commissioned to look into the alleged flaws of the system. The report is due out on 1 May.
The Irish government plans to introduce electronic voting machines from the Dutch company Nedap for the next European and regional elections in June. The system contains software by the Dutch firm Groenendaal and voting hardware made by Nedap. The same system has been used in the Netherlands for many years.
Civil liberty groups and the Labour Party have severely criticised the lack of an audit trail for the voter. After voting, the voter can not check if his or her vote is recorded correctly. The system does not provide a paper trail for possible recounts.
[source: EDRI-gram - Number 2.7, 7 April 2004]
(2004-04-07) [EDRI] On 26 and 27 March 2004 a conference was held on safe internet in Warsaw, Poland. The conference was organised by the Council of Europe in collaboration with Safeborders, a consortium funded by the European Commission. Focussed on children, the event was meant to 'step up efforts to create a pan-European safer Internet network.' Some 150 participants met in workshops, with many delegates from East Europe and republics of the former Soviet Union.
See: Safe internet conference website.
[source: EDRI-gram - Number 2.7, 7 April 2004]
(2004-04-07) [EDRI] Over forty non-governmental organisations from around the world signed an open letter to the International Civil Aviation Organization (ICAO) on 30 March 2004.
The ICAO proposes that all passports worldwide implement RFID chips to support face-scanning, and possibly other forms of biometric data, including fingerprinting and iris scanning. This information would be collected at the national level, but then compared to and possibly stored in international databases. Already the EU has proposed to build on the idea in order to create a central register of fingerprints of all EU passport and visa holders.
[source: EDRI-gram - Number 2.7, 7 April 2004]
(2004-03-24) [EDRI] The Belgian government has announced plans to give every inhabitant of Belgium a free e-mail address. That is, every Belgian can ask for a free e-mail alias that can only be used to communicate with the different governmental authorities. This address will be included in the national population database, alongside with everybodies street address, city and date of birth.
The deputy-minister for 'Government computerisation', Mr Vanvelthoven, wishes to promote government communications with this plan, while at the same time cutting costs and saving the environment.
[source: EDRI-gram - Number 2.6, 24 March 2004]
(2004-03-24) [EDRI] On 22 March, the European Union has signed the Council of Europe's Convention on information and legal co-operation concerning 'Information Society Services', without reservation as to ratification. The aim of this Convention, which was prepared in close co-operation between the Council of Europe and the European Commission, is to improve the exchange of information between all 45 countries in Europe about pending new legislation for the information society.
The Council of Europe will act as a clearing-house for draft legislation and provide a harmonised approach to the regulation of on-line services at the pan-European level.
[source: EDRI-gram - Number 2.6, 24 March 2004]
(2004-03-24) [EDRI] The Dutch Supreme Court has ruled that the Dutch internet provider XS4ALL is permitted to refuse spam on its network. It is the first time that a supreme court in Europe has ruled on the rights of spammers.
In the view of the Supreme Court, the fact "that XS4ALL has exclusive rights to its computer capacity, transmission capacity and customer base (its computer system)" outweighs the appeal made by AbFab for freedom of speech. Providers in the Netherlands have no conveyance obligation, not even if the spammer offers specific payment for the costs of relaying the spam (a spam-stamp).
[source: EDRI-gram - Number 2.6, 24 March 2004]
(2004-03-24) [EDRI] The German newspaper Frankfurter Allgemeine reports about plans from the governing Social-Democrats (SPD) to make spamming an offence in Germany. According to the SPD, merely introducing fines is not enough, and spamming should become an offence, with penalties or a prison sentence.
The working group on Telecommunication and Mail of the SPD did not yet decide on the length of the desired sentences. Germany will implement the anti-spam legislation in a specific law against unfair competition that also forbids unsolicited faxing, not in the simultaneous pending revision of the Telecommunication Law.
[source: EDRI-gram - Number 2.6, 24 March 2004]
(2004-03-24) [EDRI] The Italian government has issued a decree on Friday 12 March that puts a fine of 1.500 euro on the internet file-sharing of feature movies.
On top of the fine, computers and digital storage media can be seized. To complete the humiliation for the file-sharer, the sentence has to be published in 1 national daily newspaper and 1 specialised entertainment magazine. The Ministry of Culture Giuliano Urbani has mockingly declared this sanction 'symbolic'. Adding to that, in reference to peer-to-peer file sharing, Urbani said that 'multimedia piracy is a theft, and must be handled as such'.
[source: EDRI-gram - Number 2.6, 24 March 2004]
(2004-03-24) [EDRI] The Council of Europe's Convention on Cybercrime will enter into force on 1 July 2004, following its ratification by Lithuania. The convention requires at least 5 CoE members to ratify. Previously Albania, Croatia, Estonia and Hungary have done so.
The convention's aim is to develop a common criminal policy on cybercrime by promoting international co-operation and the adoption of appropriate legislation. Signatories will have to implement into their national law criminal code concerning computer crime and will also have to give their police new powers to conduct investigations regarding computers and the internet.
[source: EDRI-gram - Number 2.6, 24 March 2004]
(2004-03-24) [EDRI] EDRI has obtained secret documents in preparation of a Declaration against Terrorism that will be published during the Spring Summit of EU heads of state. The draft from the Irish presidency specifically mentions the need to prioritise mandatory data retention for GSM and internet providers.
The Commission input for the Summit, issued a few days earlier, does not mention data retention, but proposes many other measures that will have a chilling effect on the daily lives of European citizens and their freedom to travel and communicate.
[source: EDRI-gram - Number 2.6, 24 March 2004]
(2004-04-08) [EPIC] EPIC and a coalition of civil liberties organizations from a wide range of countries have sent a letter to the International Civil Aviation Organization regarding its plans to include biometric identifiers such as fingerprints and facial scans on all newly issued electronic passports.
ICAO met recently in Cairo to move forward on the implementation of international standards that will require the use of biometrics and radio frequency identification technology in all future passports. The organization is working quickly with little public outreach or consultation with privacy experts.
[source: EPIC Alert vol 11 no 7]
(2004-04-08) [EPIC] EPIC and a coalition of 27 consumer and privacy groups have called upon Google to suspend its plans to deploy Gmail, a webmail system that will scan users' communications in order to target advertisements. Targeting advertisements based on individuals' discussions is an unprecedented invasion into the privacy of communications.
Furthermore, the system retains communications for an extended period of time, causing users to have less privacy protection in their communications because e-mail stored over 180 days is subjected to lower protections under wiretapping laws.
[source: EPIC Alert vol 11 no 7]
(2004-04-08) [EPIC] In a landmark decision, a Canadian judge has ruled that sharing music through a peer-to-peer service over the Internet is legal under Canadian copyright law. The case arose in February when the Canadian Recording Industry Association requested that the court order several Internet service providers to turn over the identities of 29 "John and Jane Doe" subscribers accused of copyright infringement for making songs available for download.
In the United States, the Recording Industry Association of America has filed hundreds of lawsuits against Internet users who share music over the Internet. In December, the United States Court of Appeals for the DC Circuit ruled against the recording industry's attempts to compel Verizon to identify its subscribers.
[source: EPIC Alert vol 11 no 7]
(2004-04-08) [EPIC] The European Parliament has adopted a resolution criticizing the draft EU-U.S. agreement on the disclosure of passenger name records to the U.S. In calling for the withdrawal of the agreement, Parliament Members have urged the European Commission, the executive body of the EU, to come up with a new international agreement that offers genuine privacy guarantees for air passengers.
Pending conclusion of this new agreement, the EP's resolution calls upon European countries immediately to comply with European and domestic data protection laws.
[source: EPIC Alert vol 11 no 7]
(2004-04-08) [EPIC] The Department of Homeland Security has announced that it will fingerprint and photograph travelers entering the United States through the Visa Waiver Program beginning September 30, 2004. The announcement marks an expansion of the United States Visitor and Immigrant Status Indicator Technology (US-VISIT), a massive government-wide program that tracks the entry and exit of visitors to the United States.
The expansion will affect an estimated 13 million citizens from 27 nations -- including Japan, Australia, and many European countries -- who until now have been permitted to visit the United States for up to 90 days without a visa.
[source: EPIC Alert vol 11 no 7]
(2004-03-24) [EPIC] Argentina is organizing its first national census of private databases to comply with its recent Law for the Protection of Personal Data. Every holder of private databases containing individuals' personal data that are being disclosed to third parties must complete a registration form by April 30, 2004 indicating, among other things, which information they process, the purpose of processing, and how the data was obtained.
A recent ruling (February 2003) will also prohibit after August 2004 any transfer of personal data to third parties without the individual's written consent. The ruling will cover data transfers between Argentina and U.S.-based American companies. Experts believe that this census will give consumers better means with which to enforce the privacy rights the data protection law provides them.
[source: EPIC Alert vol 11 no 6]
(2004-03-24) [EPIC] New York and Wisconsin have left the Multi-state Anti-Terrorism Information Exchange (MATRIX) program. MATRIX is a prototype database system run by the State of Florida and Seisint, a private company. Built by a consortium of state law enforcement agencies, MATRIX combines public records and private record data from multiple databases with data analysis tools.
MATRIX is available to law enforcement agents in participating states, and provides a wealth of personal information in near-real time.
For more infortmation, see EPIC's amicus brief before the Supreme Court in Hiibel v. Nevada describing MATRIX:, and MATRIX program webpage.
[source: EPIC Alert vol 11 no 6]
(2004-03-09) [silicon.com] The EU's recently appointed data-protection controller, Peter Hustinx, says that the right to privacy is not absolute - but that it deserves respect. Hustinx, who took on the mantle of data guardian for the EU in January, cut his teeth with the Dutch data-protection authority and now looks after issues ranging from the transfer of passenger data between the EU and the US to ensuring that the governmental bodies across Europe are conforming to data-protection standards.
Hustinx maintains, however, that when it comes to protecting data, "it's wrong to say the right to privacy is absolute." But that doesn't mean it doesn't deserve to be respected. "There has been a lot of discussion about strengthening security and the investigation services' powers after 11 September… it's extremely important to find a good balance." (excerpt from article by Christine Tréguier and Jo Best)
[source: silicon.com]
(2004-03-05) [Seattle Post-Intelligencer] Sweden has belatedly adopted a European Union ban on unsolicited e-mail, a Parliament official said Thursday. Lawmakers approved the ban Wednesday after the EU issued a warning to Sweden and eight other countries that had not adopted the law last year, said Anders Norin, a parliamentary committee member.
It was passed by 253 votes to 49 in the 349-seat Riksdag, or parliament. Forty-seven lawmakers were absent. The law will take effect on April 1.
[source: seattlepi.com]
(2004-03-05) [InfoWorld] Just a week after Microsoft Corp.'s Chairman and Chief Software Architect Bill Gates unveiled his company's plan for securing e-mail communications, leading e-mail authorities, legal experts and at least one Internet service provider (ISP) are expressing concerns about the e-mail sender authentication plan, known as Caller ID.
Some experts agreed that the technology is promising. However, Microsoft's claim that it owns patents around Caller ID and its decision to license the technology to third parties, rather than submit it to an Internet standards body, have riled e-mail experts and domain owners, some of whom said they worry about a power grab by the Redmond, Washington, company and are wary of signing on to the new system.
Caller ID allows Internet domain owners to publish the IP (Internet Protocol) address of their outgoing e-mail servers in an XML (Extensible Markup Language) format e-mail "policy" in the DNS (Domain Name System) record for their domain. E-mail servers can query the DNS record and match the source IP address of incoming e-mail messages to the address of the approved sending servers, Microsoft said. The goal is to reduce spam for end-users. (excerpt from article by Paul Roberts)
[source: inforworld.com]
(2004-03-05) [vunet.com] How can firms balance the conflicting demands of respecting privacy and studying customer behaviour to develop better products? Data privacy is always grabbing the headlines these days, thanks to the sterling work of the government's information commissioner. As consumers, it is fair to say that we now all have a much keener sense of what organisations are permitted to know about us. So what would you say if there were a system so pervasive it knew absolutely everything about you? If it knew when you bought a cup of coffee, how much you paid on your mortgage, how much you spent on your kids' school fees, and where you enjoyed shopping?
The technology to offer consumers a better service exists. It is now a question of ensuring that the right marketing strategies are put in place to exploit personal information to benefit both the enterprise and the consumer. (excerpt from article by Mark Street )
[source: vunet.com]
(2004-03-09) [EPIC] Reeling from an onslaught of criticism by privacy groups, the German company Metro AG is scaling back its ambitious plans to start using radio frequency identification chips in various aspects of its Extra Future Store. The Extra Future Store is an initiative by a consortium of technology providers and the food giant. It was fashioned to test the latest technology in the retail environment. The supermarket had hoped to use the tracking system to verify ages of customers so that DVD trailers could be tailored accordingly.
More info: about Metro Group Future Store Initiative - http://www.future-store.org, about radio frequency identification systems - EPIC's RFID Page http://www.epic.org/privacy/rfid.
[source: EPIC Alert vol 11 no 5]
(2004-03-09) [EPIC] EPIC has joined an international coalition of civil liberties and consumer groups to oppose the European Union Intellectual Property Rights Enforcement Directive. The directive would create a new "Right of Information" that allows rightsholders to obtain personal information on users of P2P file-sharing software, possibly without judicial review.
The proposal would require Internet Service Providers, phone and cable companies, and other third party intermediaries to turn over personal information about their customers, even before there has been a finding of intellectual property infringement or an opportunity for the customer to be heard. The Directive has been rushed through public debate and was sent to the European Parliament without adequate opportunity for comments from the public and stakeholders.
[source: EPIC Alert vol 11 no 5]
(2004-03-09) [EPIC] US Federal government agencies are soliciting public comment on a number of important privacy issues. The Federal Trade Commission has announced a workshop on "Monitoring Software on Your PC: Spyware, Adware, and Other Software," to be held on April 19, 2004. Any member of the public may submit comments on these technologies by sending e-mail to spywareworkshop2004@ftc.gov by March 19, 2004. Separately, legislation to limit spyware has been introduced in the Senate by Senators Burns (R-MT), Wyden (D-OR) and Boxer (D-CA). In the House, Representatives Bono (D-CA) and Towns (D-NY) have been perfecting H.R. 2929, the Safeguard Against Privacy Invasions Act.
Several agencies are soliciting comments on "short privacy notices" under the Gramm-Leach-Bliley Act. These are alternative notices that seek to inform individuals of financial services institutions' privacy policies in plain language. The agencies are primarily considering whether to develop a model short notice for financial services institutions to use. Any member of the public may submit comments on proposed form or content of these short notices by sending e-mail to regs.comments@occ.treas.gov by March 29, 2004.
The Department of the Treasury is seeking public comment on the use of biometrics to combat identity theft. EPIC testified before Congress in July 2002 that biometrics would not solve the identity theft problem, and would pose new security and privacy risks. EPIC further commented that less invasive and costly policy alternatives, including limiting the use of the Social Security Number, could combat identity theft effectively. Any member of the public may submit comments by sending e-mail to factabiometricstudy@do.treas.gov by April 1, 2004.
[source: EPIC Alert vol 11 no 5]
(2004-03-09) [EPIC] Early post-March 2 primary election reports offered positive feedback on the functioning of electronic voting technology with only brief mentions of "glitches." However, later reports detailed problems with electronic voting technology including, but not limited to, malfunctions in booting up machines; system server card failures that resulted in hours of delays in getting final vote totals; problems in programming the smart cards used by voters to cast their ballots; and power fluctuations that caused mechanical malfunctions in electronic voting machines. The reports from Super Tuesday are consistent with reports on the use of electronic voting technology from the 2002 primary election season.
For more information about electronic voting, see EPIC's Voting Page: http://www.epic.org/privacy/voting/.
[source: EPIC Alert vol 11 no 5]
(2004-03-09) [EPIC] The near final version of privacy guidelines was discussed at a recent meeting of government representatives in the context of the Asia-Pacific Economic Cooperation (APEC). In 2003, the 21 countries composing APEC began drafting a privacy framework modeled after the 1980 Organization for Economic Cooperation and Development (OECD) Privacy Guidelines. The non-binding instrument is aimed at facilitating the flows of individuals' personal information among APEC member states while protecting individuals' privacy interests.
It acknowledges the importance of privacy guidelines as a tool to promote effective information privacy protection together with the free flow of information in the Asia Pacific Region in order to improve consumer confidence and ensure the growth of electronic commerce. Before the recent release, the process had been kept secret, limited to consultations with government agencies, and in a few countries (including the United States), with business, legal professional and privacy groups.
More consultations between governments and other stakeholders have to take place in the coming months on the final form of the Framework. The public is therefore invited to comment on the current draft of the APEC Privacy Framework. Any member of the public interested in having a copy of the latest draft of the APEC Privacy Framework and in making comments can do so by e-mailing Ms. Arrow Augerot at the Department of Commerce (arrow_augerot@ita.doc.gov).
[source: EPIC Alert vol 11 no 5]
(2004-03-11) [EDRI] On 9 March the European Parliament adopted a resolution on the implementation of the Data Protection Directive of 1995 (95/46/EC), based on an own-initiative report by the Italian radical Marco Cappato. The report is very critical about the lack of adequate privacy protection in Europe. The report centres on data protection within the third pillar (the area of justice and internal affairs). It urges the Commission to finally create the promised 'legal instrument' to protect privacy in the third pillar, especially concerning Europol, Eurojust and all other third-pillar organs.
Earlier, Cappato was the rapporteur for the Directive of 2002 on Privacy and electronic communications. After the possibility of general data retention was introduced last minute in an amendment on Article 15 of that directive, Cappato asked to have his name removed from the record as rapporteur. The resolution was passed by 439 votes in favour, 39 against and 28 abstentions.
[source: EDRI-gram - Number 2.5, 11 March 2004]
(2004-03-11) [EDRI] The European parliament's committee on Citizens' Freedoms and Rights, Justice and Home Affairs is preparing to vote on a proposal by MEP Johanna Boogerd-Quaak to reject the draft decision of the EU Commission under which airline passenger data are transferred to the US Bureau of Customs and Border Protection. The proposal calls upon EU Member States to require airlines and travel agencies to obtain passengers' consent for the transfer of data and asks the EU commission to withdraw the draft decision which is the current 'legal' basis for the transfer of data.
The proposal calls the draft decision "contradictory, since it fails to take into account the CAPPS II system (which involves the systematic assessment of all passengers by means including recourse to private information services) but at the same time it authorises the use of personal data for the test stage of the system, despite the withholding of funding by Congress, which expressed reservations which Parliament can only share." The proposal also criticizes the Commission's decision because it goes 'against the principles of proportionality and of data quality' and "does not grant all passengers the protection which is afforded to US citizens."
[source: EDRI-gram - Number 2.5, 11 March 2004]
(2004-03-11) [EDRI] On Friday 12 March the German Parliament (Bundestag) will discuss the proposal for a new Telecommunication Law in second and third reading. The government coalition (made up of Social Democrats and Greens) has softened many of the proposed new telecommunication surveillance powers.
There won't be mandatory general data retention and the costs of handing-over data about customers will be reimbursed on a case-by-case basis. Also, the idea - introduced in the draft of 15 October 2003 - to introduce mandatory identification for pre-paid phone-cards is gone. (See an earlier report in EDRI-gram 21)
[source: EDRI-gram - Number 2.5, 11 March 2004]
(2004-03-11) [EDRI] On 9 March the European Parliament finally adopted the Directive on the Enforcement of Intellectual Property Rights. The Strasbourg Plenary passed the text, which had previously been agreed behind closed doors by a handful of MEPs in no less than 11 informal meetings with the Council, without any amendment. Although majorities were much thinner than the rapporteur, French Conservative Janelly Fourtou, would have had them only 277 MEPs voted down the line for the so-called compromise of the rapporteur, while 240 wanted to amend it one way or another -, the Directive is now more than likely to pass in the First Reading procedure, which is foreseen for uncontroversial reports.
[source: EDRI-gram - Number 2.5, 11 March 2004]
(2004-03-15) [New York Times] Matrix, a controversial multistate program that hoped to find criminals or terrorists by sifting through databases of public and private information, has lost more than two-thirds of its member states and appears to be withering under its critics' attacks. The Matrix program - the name is derived from Multistate Anti-Terrorism Information Exchange - was originally developed for the state of Florida by Seisint, a Florida company, in response to the Sept. 11 terrorist attacks. At its peak, 16 states were members, and the program received pledges of $12 million from the federal Department of Homeland Security and the Department of Justice.
But opponents of the program say the ability of computer networks to combine and sift mountains of data greatly amplifies police surveillance power, putting innocent people at greater risk of being entangled in data dragnets. The problem is compounded, they say, in a world where many aspects of daily life leave online traces. In a recent report on the program, the A.C.L.U. called Matrix "a body blow to the core American principle that the government will leave people alone unless it has good reason to suspect them of wrongdoing." (Excerpt from article by John Schwartz)
[source: nytimes.com]
(2004-03-09) [TechWorld] The US government has just bought the world's biggest ever solid state disk from Texas Memory Systems. The 2.5TB system is "the largest SSD installation in the world by far, without question", the executive VP for TMS, Woody Hutsell, told Techworld. The previous biggest one was under 500GB, he told us. At 2.5TB, it is roughly 10,000 times the size of the RAM in your PC. The US government has just bought the world's biggest RAM drive in order to speed up cross-checking across several vast databases
The article strongly hints that the disk will be used for a Department of Homeland Security counter-terrorism project. But there is really no way to know for sure.
[source: techworld.com]
(2004-03-05) [MIT Technology Review] An important report on the dangers of fighting online piracy was released today by the Committee for Economic Development. Report authors Elliot Maxwell and Susan Crawford argue that new technologies that are being forced into home computers and digital televisions by Hollywood --- technology designed to prevent digital content from being transmitted online --- could backfire.
The report, Promoting Innovation and Economic Growth: The Special Problem of Digital Intellectual Property , was put out by the CED’s The Digital Connections Council, chaired by CED Trustee Paul M. Horn, IBM Senior Vice President of Research. See also summary. (note posted by Simon Garfunkel)
[source: technologyreview.com]
(2004-03-05) [inSourced] Germany's retail giant Metro Group is to withdraw its Radio Frequency Identification (RFID) customer loyalty cards following protests who said they cards could track customers as they shop. Metro issued 10,000 cards as part of an experiement in their Rheinberg store, near Dusseldorf.
The offending loyalty cards will be replaced by those with barcodes, according to Metro spokesman Albrecht von Truchses. "There are concerns about having customer cards with RFID chips," he said. "We have to take them seriously and discuss them. With such an emotional debate going on, we said it's just not worth it."
The company will, however, go ahead with its wireless inventory tracking system in November, involving about 100 of its top suppliers and 250 of its stores. RFID chips broadcast a signal with information about a product and have been embraced for inventory control by major retailers including Wal-Mart.
The technology offers the prospect of more accurate inventory control than traditional bar codes, and also could help with concerns such as food safety by making the tracking of perishables easier.
[source: in-sourced.com]
(2004-03-03) [MIT Technology Review] The latest anti-piracy move will prevent you from making high-quality copies of broadcast TV programs. And the new "broadcast flag" technology enables all manner of other restrictions. In the future, the Motion Picture Association of America will control your television set. Every TV sold in the United States will come equipped with an electronic circuit that will search incoming TV programs for a tiny electronic “flag.” The MPAA’s members will control this flag, putting it into broadcast movies and television shows as they see fit. If the flag is present, your TV will go into a special high-security mode and lock down its high-quality digital outputs.
If you want to record a flagged program, you’ll have to do so on analog tape or on a special low-resolution DVD. Any recording will be limited to analog-quality sound. This security measure is not designed to protect the television from viruses or computer hackers—it’s designed to protect TV programs from you. (Excerpt from article by Simson Garfinkel)
This future arrives on July 1, 2005.
[source: technologyreview.com]
(2004-02-20) [Datainspektionen] in Swedish Förra året fick Datainspektionen ta emot tre gånger så många klagomål på inkasso som under ett normalår. Hela ökningen gällde krav för påstådda besök på porrsidor på Internet. Av samma skäl kom också 3 000 frågor per telefon och e-post.
Under året inleddes 300 inspektioner enligt PuL, vilket är 50 fler än året innan. Nya personuppgiftsombud strömmar till. Nu har 5 300 verksamheter anmält ombud. Det är några verksamhetsresultat som Datainspektionen rapporterar i sin årsredovisning för 2003. Datainspektionens årsredovisning 2003
[source: Webbmeddelande]
(2004-03-03) [BBC] Half of UK businesses were damaged by computer viruses in 2003, despite most of them using anti-virus software. The findings were revealed in early results of a UK government survey that catalogues security breaches suffered by British businesses.
It revealed the new tactics virus writers use to spread their creations. "Anti-virus software alone is just not enough anymore," said Chris Potter, a PricewaterhouseCoopers security analyst who co-wrote the survey.
The Information Security Breaches survey is carried out by the Department of Trade and Industry every two years. The full results of the survey will be made public in late April at the Infosecurity Europe trade show.
[source: BBC News World Edition]
(2004-02-27) [Silicon] 4.5 million user details exposed - couple of alleged extortionists arrested The biggest data leak ever has officially hit the internet, with the details of more than 4.5 million bank customers exposed. E-mail to a friend Printer friendly Reader Comments Post your comment here
Japan's largest broadband service provider, Softbank BB, suffered the customer database leak last month. The company said that 4.52 million user details, including names, phone numbers, addresses and email IDs - but no passwords or credit-card details - were exposed, in what is thought to be part of an extortion attempt.
While it's not yet known if any of the past and present customers listed on the database have been affected as a result, one man who will be worse off is Softbank's CEO, Masayoshi Son, who will be taking a 50 per cent pay cut for six months as a result of the leak.
[source: silicon.com]
(2004-02-25) [Reuters] Online profiling in which consumers' names and addresses are connected to their Internet habits could be in the works as consumers begin to trust the Web more, Kevin Ryan, the chief executive of Internet advertiser DoubleClick, said on Wednesday. "There will be more targeting using this with customers having the ability to opt out," Ryan told the Reuters Technology Media and Telecommunications Summit in New York.
While DoubleClick has no immediate plans to link data on specific Internet users to their online behavior at this time, it may come down the road, he said. Ryan suggested that privacy concerns have eased over the years, similar to how many people have relaxed about using their credit cards online. While people don't think twice now about using their credit cards for online purchases, polls showed that Internet users in the late 1990s were more afraid of fraud, he said.
[source: reuters.com]
(2004-02-25) [ZDNet (UK)] Microsoft Chairman Bill Gates predicted the demise of the traditional password because it cannot "meet the challenge" of keeping critical information secure. Gates, speaking at the RSA Security conference here on Tuesday, said: "There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure."
RSA is working with Microsoft to develop a SecurID technology specifically for Windows. Both companies agreed there is a need to remove the vulnerabilities associated with employees using weak passwords. SecurID is the best-known two-factor authentication system and is used by many large enterprises. It generates a constantly changing sequence of numbers that a user has to type in alongside their normal password or PIN. Creating a specific system for Windows could mean that rolling out strong authentication across an enterprise will be far easier and cheaper.
Microsoft also demonstrated "tamper resistant" biometric ID-card software, developed by its own research arm, that can be used by both small and large companies to create ID cards using a digital camera, an inkjet printer and a business-card scanner.
[source: zdnet.com]
(2004-02-27) [EDRI] The Dutch minister of Justice Donner has answered parliamentary questions about the introduction of a commercially available crypto-GSM. The Cryptophone was developed in the Netherlands and is sold through a German company. The device is a combined GSM and organiser running Windows Pocket PC. The Cryptophone uses open-source software that encrypts the call when connecting to another device of its kind. The phone should make it impossible for any third-party, including the phone company and police, to listen in to the call.
The Dutch Christian-Democrat Member of Parliament Haersma-Buma asked government to forbid the phones, since they can make it impossible for police to use the information from a wiretapped mobile phone call. Dutch police relies heavily on phone interception with an estimated 12.000 phone taps per year. This number is higher then in any other European country or even the US (not counting the unknown number of taps by any intelligence service).
[source: EDRI-gram - Number 2.4, 27 February 2004]
(2004-02-27) [EDRI] According to a new Communication on the research into security, the European Commission plans to fund research on "tagging, tracking and tracing devices ... that improve the capability to locate, identify and follow the movement of mobile assets, goods and persons".
The Commission announces the launch of a new funding program entitled 'Enhancement of the European industrial potential in the field of Security research 2004 - 2006'. The program is a so-called 'Preparatory Action'. It should set the agenda for advanced security research from 2007 onwards. The action is funded with 15 million Euro in 2004 and approx. 65 million Euro overall.
A call for proposals will be published 'toward the end of March 2004'.
[source: EDRI-gram - Number 2.4, 27 February 2004]
(2004-02-27) [EDRI] The European commercial interest in the development of spy-chips (RFIDs) is growing rapidly. Radio Frequency Identifiers are very small wireless chips that can be read without touching them.
Currently the cost-price of the chips, between 10 and 20 eurocent, still makes it too expensive to put them on all consumer products, but the price is expected to drop rapidly as more applications appear. Privacy experts warn about the possible dangers, such as the tracking and tracing of everybody's behaviour and movement through the 'network of things'. Products with RFID-tags should be labelled, the tags should be switched off permanently after paying for the product, and the tags should be put on the packaging material if possible, instead of melted into the product.
More information on RFIDwatch critical website with news, in German and English
[source: EDRI-gram - Number 2.4, 27 February 2004]
(2004-02-27) [EDRI] The UK Government has given a guarded welcome to a review of its data retention powers. The review came from the Newton Committee, which was set up by the Anti-Terrorism, Crime and Security Act 2001 that created these powers.
The Committee, even though empowered to revoke some powers, supports the principle of data retention for up to a year. The review recommends some changes to the form of the legislation, widening the scope from fighting terrorism to the more general area of serious crime.
[source: EDRI-gram - Number 2.4, 27 February 2004]
(2004-02-27) [EDRI] The European Commission has adopted a proposal for a Council Regulation that will set legally binding minimum standards for harmonised security features, including biometric identifiers, in all EU passports.
The Commission chooses facial images as a mandatory biometric identifier for passports. Fingerprints can be added as an option at the discretion of Member States. The proposal sets out the minimum standards and will not stop Member States that wish to go further.
[source: EDRI-gram - Number 2.4, 27 February 2004]
(2004-02-27) [EDRI] The European Union's disputed Directive on the Enforcement of Intellectual Property Rights is scheduled for a fast-track procedure that may lead to it being adopted by the European Council in little more than two weeks. At present, it is still under discussion in the Brussels Parliament. The Rapporteur, French Conservative Janelly Fourtou, and the Council both wish to pass this Directive in First Reading, before the enlargement of the European Union. Trying to avoid delay by too much discussion, they have each chosen the fastest procedure possible in their respective institutions.
The term "intellectual property rights" is not defined, creating the possibility of a large range of abuses. Because the enforcement is not limited to large-scale infringements, kids downloading songs from the internet risk the same kind of treatment as large-scale counterfeiters of trademark designer clothes.
The European Commission's initial proposal for a Directive: http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexplus!prod!CELEXnumdoc&numdoc=32001L0029&lg=EN
[source: EDRI-gram - Number 2.4, 27 February 2004]
(2004-02-09) [Information Week] Every year about this time famous astrologers and clairvoyants provide their forecasts for the coming year on everything ranging from celebrity marriages to the presidency to lottery winners. This year I thought we'd turn instead to the leading privacy experts from diverse industries and ask them what they see as the privacy issues we will be facing this year and over the near future.
Interestingly, there were no surprises. The same issues that we have been discussing on informationweek.com's boards are on the minds of the experts. They include outsourcing, global data-flow, new technologies, existing technologies used in new ways, balancing security and privacy, protecting ourselves from intrusions and cyberattacks, addressing business-to-business and business-to-consumer differences, finding the return on investment on privacy, and the implications of misstepping in a complicated field. (Excerpt from article by Parry Aftab )
[source: informationweek.com]
(2004-02-18) [ThinkBurst Media Inc] TRUSTe, the leading Internet privacy seal program, today announced the launch of its Wireless Privacy Principles and Implementation Guidelines which provide vendors serving the mobile market with actionable and practical guidelines for protecting consumer privacy. As part of this program, TRUSTe, along with leading partners AT&T Wireless and Microsoft, has formed the Wireless Advisory Committee whose function is to promote privacy standards to increase consumer use of advanced wireless features and applications.
As wireless innovation has grown, so have potential privacy issues impacting consumers. For example, Location Based Services, while limited in current availability, present a potential privacy challenge due to their ability to locate and market to consumers real-time via a wireless device, prior to receiving user consent. The Wireless Advisory Committee will work with companies providing wireless data and wireless web services, to ensure that specific standards regarding consumer notice and consumer consent are achieved. In the case of Location Based Services, vendors would be required to adhere to an "opt-in" only policy.
[source: geoCommunity]
(2004-02-17) [Business WIre] Two years ago, the intermingling of legitimate email newsletters and spam in users' email in-boxes thoroughly confounded and frustrated newsletter subscribers, as well as undermined the efforts of serious marketers. In a study released today, researchers at Nielsen Norman Group found that email newsletter subscribers now accept spam as a fact of life and have developed behaviors that enable them quickly to identify and benefit from legitimate newsletters. "Email Newsletter Usability, 2nd Edition," co-authored by usability expert Jakob Nielsen and user experience specialist Amy Stover of Nielsen Norman Group, presents new findings and design guidelines since the firm's initial study in 2002 on the same topic.
The new study focused on the user experience of receiving and reading email newsletters. Over a period of four weeks, Nielsen Norman Group researchers used a diary methodology that tested participants in 12 states across the United States as well as in Australia, Hong Kong, Japan, Sweden and the UK. In total, the study participants subscribed to 345 different newsletters, of which 101 were included in the study.
[source: businesswire.com]
(2004-02-13) [VNU Business Publications Limited] The [UK] government's information commissioner has published guidance to help organisations determine the data they need to release when faced with a "subject access request" under the Data Protection Act.
The guidance contained in the document The Durant Case and its Impact on the Interpretation of the Data Protection Act 1998 focuses on two issues - what makes data "personal" under the act, and what is meant by a "relevant filing system". (Article by David Neal)
[source: vnunet.com]
(2004-02-13) [Reuters] Spain will introduce pioneering electronic identity cards to help boost internet security by giving people unique digital signatures, Interior Minister Angel Acebes said on Friday.
The 150 million euro ($192 million) scheme, due to be rolled out from 2005 after a pilot version at the end of this year, will replace current identity cards with a version that looks similar but carries a small chip packed with extra information.
[source: Reuters.com]
(2004-02-12) [VNU Business] Passport and driving licence databases not up to the job, warns Information Commission. The UK government has scrapped plans to use passport and driving licence databases as the foundation for a proposed national identity card, pushing up the costs of introducing the scheme.
Data watchdog the Information Commission had warned the government that databases run by the Passport Agency and the Driver and Vehicle Licensing Agency were not sufficiently accurate to meet data protection requirements. Speaking to the Home Affairs Committee last week, Information Commissioner Richard Thomas indicated that using those databases would result in a "nightmare". (Article by Gareth Morgan)
[source: vunet.com]
(2004-02-13) [CNet Networks] A test of an iris-scanning system is set to begin Saturday at the Frankfurt, Germany, airport, as part of a project involving 18 European countries. Airline passengers will be required to stand in front of an identification device whose cameras will automatically capture images of their iris patterns, companies participating in the trial said Friday. The iris systems--seven of which have been installed at the airport--will then identify the passenger's iris and match that information with the passport data captured by a scanner. If successful, the iris system could replace conventional systems for checking identity at airport immigration counters.
Initially, residents of European Union countries and Switzerland who fly frequently with Lufthansa will be able to take part in the trial at the main Frankfurt airport, after getting their iris data registered. Full-scale service will be launched after the six-month trial, according to Byometric Systems and Oki Electric Industry, companies implementing the project. (Article by By Dinesh C. Sharma)
[source: CNetNews.com]