(2007-01-01) [System Administration and Network Engineering Conference] Using data expiration principles to protect data.
This talk describes a design that provides data storage with high availability, protection against unauthorized disclosure, and the ability to expunge the data in a way that makes it unrecoverable. See Perlman's slide presentation.
[source: SANE]
(2007-01-24) [CIPPIC] CIPPIC filed a formal complaint today with the Privacy Commissioner, requesting a formal investigation into the widely-reported security breach suffered by the Winners group of companies and affecting consumers who shop at any Winners or HomeSense store in Canada.
CIPPIC is concerned that Winners/HomeSense may be collecting customer information that they don't need, storing it for longer than they need to, and sharing it with other companies for secondary marketing purposes without the customers' full and informed consent.
[source: News]
(2007-01-01) [CIPPIC] CIPPIC filed a submission today with the House of Commons Standing Committee on Access to Information, Privacy and Ethics on its review of the Personal Information Protection and Electronic Documents Act (PIPEDA).
Referring to the results of its study of business compliance with PIPEDA released earlier this year, CIPPIC is calling for a number of reforms designed to produce greater corporate compliance by clarifying substantive obligations and creating incentives for organizations to respect the law.
[source: News]
(2007-01-01) [Ontario Bar Association] In the spring of 2006, four of Canada's privacy commissioners wrote to the Minister of Canadian Heritage and Status of Women, Bev Oda, and the Industry Minister, Maxime Bernier, addressing the subject of copyright reform. The commissioners' letters coincided with the release of a similar open letter and background paper signed by members of Canada's privacy community. In truth, the letters had little to do with copyright. The object of attention, in each case, was to give digital rights management technology ("DRM") statutory protection.
Jennifer Stoddart, the Privacy Commissioner of Canada, neatly summarized the commissioners' concerns that DRM's "potential impact on privacy is not insignificant" and that she has "concerns about the pervasive threat of surveillance that these new technologies present." Commissioner David Loukidelis of British Columbia noted that "DRM can be used in a manner that invades the reasonable privacy expectations of Canadians," and suggested that the goal of government policy should be "to ensure that DRM and associated legal protections do not negatively affect Canadians' reasonable privacy expectations." (Excerpt from article by David Fewer)
[source: OBA Privacy Law Review]
(2007-01-01) [CIPPIC] A report released by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) provides the results of the first Canadian survey assessing the compliance of retailers with data protection laws. The results show widespread non-compliance with federal laws requiring openness, accountability, consent, and individual access to personal data.
"We were very disappointed with what we found", said Philippa Lawson, Executive Director of CIPPIC and co-author of the report, entitled Compliance with Canadian Data Protection Laws: Are Retailers Measuring Up?. "A surprising number of companies in our sample failed to comply with some basic legal requirements respecting consumer privacy. Far too many companies are unclear about how they use customer data, whether they disclose it to third parties, and how the customer can stop unnecessary uses and disclosures", she said. Read the report Compliance with Canadian Data Protection Laws.
[source: News]
(2007-01-01) [CIPPIC] In a report entitled "On the Data Trail: How Detailed Information About You Gets Into The Hands Of Organizations With Whom You Have No Relationship", CIPPIC exposes the many ways in which consumer information is gathered and traded in the marketplace.
That study found, among other things, that detailed personal information about individual consumers is collected from a variety of sources including product warranty/registration cards, rebate and special offer responses, contest entry forms, online registration forms, payment processing centers, and surveys that consumers are often enticed to complete in exchange for coupons or other benefits. It is then compiled into lists that are rented or sold to marketers. Detailed demographic information about geographically defined groups, available from Statistics Canada as well as private sources such as credit bureaus and market research companies, is also widely used for target marketing purposes. Read the report On the Data Trail.
[source: News]
(2007-01-08) [PRWeb] IBG's Biometrics Market and Industry Report 2007-2012 is the most in-depth and authoritative report on global biometric market opportunities, trends, and growth drivers. The Report helps investors, strategic planners, systems integrators, technology developers, and government organizations understand and capitalize on opportunities in the biometric industry.
The Report forecasts that fingerprint will gain 38.1% of the non-AFIS biometrics market in 2012, followed by face recognition at 19.0% and iris recognition at 7.7%. Vein recognition is expected to play a larger role in access control applications, eventually comprising over 10% of this market.
[source: eMediaWire]
(2007-01-01) [Datatilsynet] Georg Apenes, director of Datatilsynet (the Norwegian Data Inspectorate), is positive about the government's plan to establish a privacy commission.
The desire for more public debate about privacy is the background for the government's decision to establish this commission now. The commission is one of the measures in the ICT white paper "Eit informasjonssamfunn for alle" ("An Information Society for All"), which was launched today.
[source: News]
(2007-01-01) [IT Conversations] Phil Windley interviews Dan Solove, and talks about Dan's book "The Digital Person".
Daniel Solove, Associate Professor of Law at George Washington University, doesn't use the familiar metaphor of "Big Brother" when he discusses privacy; rather, he uses Kafka's play "The Trial." Dan says we're not as much in danger of having our privacy violated by someone with evil intent as we are of having our lives turned upside down from the interactions of unapproachable and faceless corporations and bureaucracies. Listen to the podcast (audio length 00:57:50)
[source: Podcasts]
(2007-01-24) [Wired] The issue of digital-era privacy did not make it to the top of Sen. Hillary Rodham Clinton's legislative to-do list at the Saturday launch of her presidential campaign. But for those who look, the New York Democrat has clearly staked out her positions on the esoteric subject, and they're sending electronic civil libertarians' hearts a twitter.
Clinton, the presidential front-runner among Democrats in way-early polling, addressed electronic privacy issues at a constitutional law conference in Washington, D.C. last June. There she unveiled a proposed "Privacy Bill of Rights" that would, among other things, give Americans the right to know what's being done with their personal information, and offer consumers an unprecedented level of control over how that data is used. (Excerpt from news story by Sarah Lai Stirland)
[source: News]
(2007-01-23) [Wired] New Jersey residents have a constitutional right to privacy that far exceeds federal laws when it comes to computer data held by a third party, according to a New Jersey appeals court ruling made public Monday that overturned a subpoena directed at a hacker.
In fact, according to the ruling, New Jersey residents have informational privacy rights in the little known "ISP address." 27B couldn't make this stuff up if we tried.
[source: Blogs]
(2007-01-31) [EDRI] A new normative act regarding the competence of the Prosecutors dealing with terrorism and organized crime adopted by the Romanian Government in the last days of 2006 created rumours among the press and civil society that accused the Ministry of Justice of breaching citizens' privacy.
According to the press and civil society groups, the new law would allow prosecutors to monitor banking accounts and IT systems without warrant, which may lead to a whole lot of abuses. Georgiana Iorgulescu, head of the Juridical Resource Center, commented on this: "I don't think it is normal for such a normative document to pass as emergency ordinance, because it actually restricts the right to private life."
[source: EDRI-gram, Number 5.2]
(2007-01-31) [EDRI] The Dutch Data Protection Authority (DPA) has made a strong case against the Dutch draft law regarding the implementation of the data retention directive. In its advice of 22 January 2007 the DPA comes to the conclusion that the draft disregards the requirements of article 8 of the European Convention on Human Rights, which protects the fundamental right to respect for one's private life.
The draft introduces a retention period of 18 months, both for telephone and Internet traffic data. The arguments for this almost maximal retention period are mostly borrowed from a report of the Dutch Erasmus University of 22 June 2005, about which EDRI-gram previously reported.
[source: EDRI-gram, Number 5.2]
(2007-01-31) [EDRI] A grass-roots campaign in Serbia successfully pressed the Serbian government to back off on a plan to make biometric data compulsory in the country's new ID cards. The decision followed a pitched battle prior to the 21 January 2007 election as opponents criticized the accompanying plan for a centralized database of citizen information and the taking of fingerprints.
But the law on ID cards was adopted by the Serbian Parliament on 14 July 2006. The Interior Ministry suggested that "such ID cards were already widely used in the European Union" and that the biometric ID would ease the introduction of government electronic services. Large public outcry developed over the way the law was passed -- without prior public debate -- and a scandal inside the Interior Ministry itself arose from the purchase of equipment for more than $100 million outside of regular procurement procedures and a full three years before the law itself came before the Parliament.
[source: EDRI-gram, Number 5.2]
(2007-01-31) [EDRI] The winner of the State award was Jacques Lebrot, "security" sub-prefect of Seine-St-Denis, for having deprived of jobs several thousand people with police records created just on the basis of suspicion and discrimination, violating their right to the presumption of innocence.
Sony-BMG took the enterprise award for its "rootkit", spy software installed on the CDs it sold in order to control the usage of the CD by, ironically, those who had become the rightful owners by buying the respective CD.
[source: EDRI-gram, Number 5.2]
(2007-01-30) [ComputerWorld] OK -- so maybe this isn't the worst idea in the world -- but it's pretty bad. Let me explain.
Over the weekend, I was listening to a radio program that mentioned a new site called StolenIDSearch.com. This site is apparently legit and has even received a write-up in CNET and a video news report from San Jose's NBC affiliate. The site's purported function is to provide a service that allows consumers to find out if their personally identifiable information has been compromised. Here's where, in my opinion, it gets bad... (Excerpt from post by Perry Carpenter)
[source: Blogs]
(2007-01-30) [ComputerWorld] The Vermont Agency of Human Services (AHS) today started sending letters to about 70,000 individuals in the state warning them of a computer compromise that may have exposed their Social Security numbers and other personal data.
The breach was discovered on Dec. 8 and involved a computer running an application that is used for collecting delinquent child support payments from noncustodial parents in the state. The "bank match" application is used to run quarterly matches of names with nine financial institutions in the state to establish whether delinquent parents have assets that can be used to pay off their child support obligations. (Excerpt from news story by Jaikumar Vijayan)
[source: Security]
(2007-01-29) [ComputerWorld] Whenever I've mentioned to chief privacy officers the idea of having a single set of privacy rules for their companies to abide by worldwide, their response has been unanimous: Bring it on. Why? The legal and technical costs of complying with an expanding patchwork of state, federal and foreign privacy laws are mounting for multinationals. Having one set of rules would improve the bottom line.
Data-protection commissioners from many world governments are singing the same tune. At a November conference in London, they issued a communique urging the United Nations to launch an international privacy convention toward this end. (Excerpt from opinion by Jay Cline)
[source: Security]
(2007-01-29) [EFF] The Real ID Act took a blow last week, when Maine became the first state to formally declare its opposition. The Maine legislature voted overwhelmingly to refuse to comply with the act's mandates, and requested that Congress repeal the law.
The Real ID Act essentially forces states to create a national ID. Under the law, state driver's licenses will only be accepted for "federal purposes" -- like accessing planes, trains, national parks, and court houses -- if they conform to certain uniform standards. The law also requires a vast national database linking all of the ID records together. Estimated costs of $12 billion or more will be passed on to the states and, ultimately, average citizens in the form of increased DMV fees or taxes.
[source: News]
(2007-01-28) [Michael Geist's Blog] With Microsoft's Vista set to hit stores tomorrow, my weekly Law Bytes column (Toronto Star version, homepage version) looks at the legal and technical fine print behind the operating system upgrade. The article notes that in the name of shielding consumers from computer viruses and protecting copyright owners from potential infringement, Vista seemingly wrestles control of the "user experience" from the user.
Vista's legal fine print includes extensive provisions granting Microsoft the right to regularly check the legitimacy of the software and holds the prospect of deleting certain programs without the user's knowledge. During the installation process, users "activate" Vista by associating it with a particular computer or device and transmitting certain hardware information directly to Microsoft.
[source: Blog entry]
(2007-01-20) [Pittsburgh Tribune Review] In the name of tracking down child pornographers, the Department of Justice wants to keep track of how every American uses the Internet. Attorney General Alberto Gonzales continues to press for access to the records of Web traffic from Internet service providers. It's to protect the children, we are told.
Mr. Gonzales says that the availability of evidence that ISP companies would have could be critical when investigating and prosecuting child predators. That might be a seductive argument to those willing to quibble about how much privacy the government should grant the individual. Debating the details means accepting the premise. But the Gonzales premise is unacceptable. (Excerpt from editorial by Dimitri Vassilaros)
[source: Editorial]
(2007-01-19) [Los Angeles Times] The Bush administration's abrupt acknowledgment that it can, after all, track suspected terrorists without shredding the privacy rights of Americans inspires mixed reactions -- relief that the rule of law has triumphed, suspicion that the administration's concession isn't all that it's cracked up to be and, most of all, anger at the president and his surrogates for suggesting that any criticism of their tactics was tantamount to treason.
After the New York Times revealed in December 2005 that the National Security Agency had been eavesdropping on Americans without the court order required by the Foreign Intelligence Surveillance Act, the administration insisted that the privacy protections of FISA -- about which it had raised no public alarm -- had been rendered obsolete by the war on terror.
[source: latimes.com]
(2007-01-19) [Toronto Star] Canadian consumers should be "outraged" that a major retailer has been collecting and storing information about their credit and debit card transactions, a leading consumer lobby group says.
A computer security breach involving customers of Winners and HomeSense stores has exposed millions of credit and debit cardholders to fraud, their U.S. parent company TJX Cos. Ltd. revealed earlier this week. (Excerpt from news story by Dana Flavelle)
[source: thestar.com]
(2007-01-19) [Media Inc] With privacy concerns heightened after incidents of stolen laptop computers and information breaches in 2006, the newly appointed chairman of the House information policy subcommittee plans to delve into the problems surrounding technology and privacy.
Rep. William Lacy Clay (D-Mo.) heads the House Oversight and Government Reform Committee's Information Policy, Census and National Archives Subcommittee, whose jurisdiction covers public information and records laws such as the Freedom of Information Act, the Presidential Records Act and the Federal Advisory Committee Act; the Census Bureau; and the National Archives and Records Administration. (Excerpt from news story by Matthew Weigelt)
[source: FCW.com]
(2007-01-01) [US Senate] Hillary Clinton wants to introduce an EU-style data protection bill and suggests that dragnet surveillance might be conducted in an "anonymized" way.
"At all levels, the privacy protections for ordinary citizens are broken, inadequate and out of date."
[source: Speeches and Columns]
(2007-01-01) [Security Document World] This white paper by Safe ID Solutions is written for governments looking at rolling out passport issuance systems and processes.
It aims to inform and encourage debate on the issues affecting personalization (the process by which a blank document is accurately and securely linked to an individual).
[source: News]
(2007-01-25) [CNet] IBM has developed software designed to let people keep personal information secret when doing business online and donated it to the Higgins open-source project.
The software, called "Identity Mixer," was developed by IBM researchers. The idea is that people provide encrypted digital credentials issued by trusted parties like a bank or government agency when transacting online, instead of sharing credit card or other details in plain text, Anthony Nadalin, IBM's chief security architect, said in an interview. (Excerpt from news story by Joris Evers)
[source: News.com]
(2007-01-24) [EPIC] The Cato Institute held a book forum on Thursday, January 18, at which Jim Harper, the Director of Information Policy Studies at Cato discussed his new book "Identity Crisis: How Identification Is Overused and Misunderstood".
The noontime forum featured author Jim Harper, Director of Information Policy Studies, Cato Institute; with comments by James Lewis, Director and Senior Fellow, Technology and Public Policy Program Center for Strategic and International Studies; and Jay Stanley, Public Education Director, Technology and Liberty Project American Civil Liberties Union.
[source: EPIC Alert, Volume 14.02]
(2007-01-24) [EPIC] A New Jersey appeals court has held that Internet subscribers have a reasonable expectation of "informational privacy", which the court defined as "the ability to control the acquisition or release of information about oneself" or "to control the terms under which personal information is acquired, disclosed, and used".
The decision was grounded on the New Jersey Constitution's implied right of privacy and on precedents the court termed "highly protective" of that right, even as to data in third parties' hands. The recognition of the right to privacy in this case will allow a challenge to a subpoena that led to an indictment for computer-related theft.
[source: EPIC Alert, Volume 14.02]
(2007-01-24) [EPIC] Australia's hosting of 2007 Asia-Pacific Economic Cooperation (APEC) events began with a series of Senior Officials Meetings in Canberra this month. The protection of transborder flows of personal data received considerable attention as an issue that is important for the ongoing economic health and development of the Asia-Pacific.
On January 22, the APEC Electronic Commerce Steering Group held a Data Privacy Seminar on the International Implementation of the APEC Privacy Framework. The seminar focused on the development of Cross-Border Privacy Rules that would satisfy the nine privacy principles articulated in APEC's Privacy Framework.
[source: EPIC Alert, Volume 14.02]
(2007-01-24) [EPIC] The Department of Homeland Security recently announced that it will launch the Traveler Redress Inquiry Program on February 20, 2007. DHS described the program as "a central gateway to address watch list misidentification issues, situations where individuals believe they have faced screening problems at immigration points of entry, or have been unfairly or incorrectly delayed, denied boarding or identified for additional screening at our nation's transportation hubs."
There are significant problems with the current redress process for travelers mistakenly matched to watch lists, but EPIC's Spotlight on Surveillance report explains that this system does not solve them.
[source: EPIC Alert, Volume 14.02]
(2007-01-24) [EPIC] In comments to the Federal Identity Theft Task Force, EPIC said that addressing the problem of identity theft requires strong preventative measures and meaningful privacy rights for individuals.
Identity theft is a major threat to consumers, costing the economy 50 billion dollars a year. The President created the Identity Theft Task Force in 2006 to develop recommendations on the federal government's activities in the areas of identity theft awareness, prevention, detection, and prosecution.
[source: EPIC Alert, Volume 14.02]
(2007-01-22) [ComputerWorld] Google Inc. has removed a few user names and passwords posted inadvertently to a phishing blacklist it compiles and makes publicly available on the Web, the Mountain View, California, company said Monday.
The log-in information was contained in 15 URLs (uniform resource locators) submitted through Google's Firefox toolbar, which lets users report Web pages they suspect to belong to phishing sites. Most of the URLs on the list didn't have log-in information. (Excerpt from news story by Juan Carlos Perez)
[source: Security]
(2007-01-22) [Center for Democracy and Technology] CDT today urged lawmakers to adopt an approach to Internet-related policymaking that protects fundamental civil liberties, reestablishes meaningful privacy protections and paves the way for the United States' continued leadership in technological innovation.
In its Congressional Agenda for the 110th Congress, CDT offers both a broad overview of the challenges associated with policymaking in the Internet space, as well as granular, issue-by-issue recommendations for lawmakers. CDT is distributing the recommendations to lawmakers and the press.
[source: Press Release]
(2007-01-19) [InfoWorld] Microsoft, Google, and two other technology companies will develop a code of conduct with a coalition of nongovernmental organizations (NGOs) to promote freedom of expression and privacy rights, they announced Friday.
The parties involved said that would be a framework that would hold signatories accountable for their actions in the areas of freedom of expression and privacy rights. (Excerpt from news story by Steven Schwankert)
[source: News]
(2007-01-19) [ComputerWorld] Microsoft Corp., Google Inc. and two other technology companies said today that they will develop a code of conduct with a coalition of nongovernmental organizations to promote freedom of expression and privacy rights.
Microsoft and Google, along with Yahoo Inc. and Vodafone Group PLC, said the new guidelines are the result of talks with Business for Social Responsibility and the Berkman Center for Internet & Society at Harvard Law School. (Excerpt from news story by Steven Schwankert)
[source: Development]
(2007-01-18) [CNet] TJX, operator of discount chains including T.J. Maxx and Marshalls, on Wednesday said its computers were hacked, putting shoppers at risk of identity fraud.
Intruders accessed systems used to process and store customer transaction data, Framingham, Mass.-based TJX said in a statement. The retailer has identified some customer information that was taken, but the full extent of the data theft and number of affected customers is yet unknown, it said. (Excerpt from news story by Joris Evers)
[source: News.com]
(2007-01-17) [Security Document World] The UK government's Identity and Passport Service (IPS) has published a report on the three key IPS IT projects delivered in 2006.
The 'report on key projects implemented in 2006' covers the UK's ePassport scheme, the Electronic Passport Application 2 (EPA2) and the Personal Identity Process (PIP), and analyses the lessons learned as well as identifying areas which could be improved.
[source: News]
(2007-01-15) [Schneier.com] Automobile tires are now being outfitted with RFID transmitters: I'll bet anything you can track cars with them, just as you can track some joggers by their sneakers.
As I said before, the people who are designing these systems are putting "zero thought into security and privacy issues. Unless we enact some sort of broad law requiring companies to add security into these sorts of systems, companies will continue to produce devices that erode our privacy through new technologies. Not on purpose, not because they're evil -- just because it's easier to ignore the externality than to worry about it."
[source: CryptoGram]
(2007-01-15) [Schneier.com] In the information age, surveillance isn't just for the police. Marketers want to watch you, too: what you do, where you go, what you buy. Integrated Media Measurement, Inc. wants to know what you watch and what you listen to -- wherever you are.
They do this by turning traditional ratings collection on its head. Instead of a Nielsen-like system, which monitors individual televisions in an effort to figure out who's watching, IMMI measures individual people and tries to figure out what they're watching (or listening to). They do this through specially designed cell phones that automatically eavesdrop on what's going on in the room they're in:
[source: CryptoGram]
(2007-01-15) [Schneier.com] If you've traveled abroad recently, you've been investigated. You've been assigned a score indicating what kind of terrorist threat you pose. That score is used by the government to determine the treatment you receive when you return to the U.S. and for other purposes as well.
Curious about your score? You can't see it. Interested in what information was used? You can't know that. Want to clear your name if you've been wrongly categorized? You can't challenge it. Want to know what kind of rules the computer is using to judge you? That's secret, too. So is when and how the score will be used.
[source: CryptoGram]
(2007-01-14) [Wired] A couple of New York Times stories this weekend raise privacy flags. One notes the Pentagon and the CIA are quietly requisitioning private citizens' financial records in domestic spying, skirting regulations that deny them the authority to make such requests mandatory.
The other story notes a 10-word deletion in a new Army manual that may be used to assert the executive branch's authority to wiretap without a court order. (Excerpt from post by Beverly Hanly)
[source: Blogs]
(2007-01-11) [Security Document World] Eighty-two percent of Americans support the use of biometric identification on passports, according to a recent survey. Meanwhile, three-quarters of Americans support the addition of biometric information to driver's licences and nearly as many (72.6 percent) support adding it to social security cards.
The survey was conducted by TRUSTe, an online privacy certification and seal program, and market information group TNS.
[source: News]
(2007-01-01) [Security Document World] Within the next two years, citizens in more than 40 states around the world will begin to receive passports containing contactless smart card chips that electronically store and transmit passport details, a facial image, and an optional additional fingerprint or iris biometric.
Forward-looking countries, argue ACI, StepNexus and Keycorp, should be looking to future-proof their investments by considering integrating a multi-application chip to allow for future changes and support new functions such as e-Visas.
[source: News]
(2007-01-01) [IT Conversations] In the Who Owns "You" panel at Supernova (available on IT Conversations) the question came up about eBay reputation. An eBay seller's reputation score is calculated from how other eBay users rate the seller.
Does that score belong to the seller, the eBay users who contributed to it, or eBay? Listen to the podcast (audio length 00:54:48).
[source: Podcasts]
(2007-01-28) "29th International Conference of Data Protection and Privacy Commissioners" will take place on September 25 -- 28, 2007 (Montreal, Canada).
See calendar entry.
(2007-01-28) "Annual Privacy Coalition meeting" will take place on January 26 -- 27, 2007 (The Privacy Coalition).
See calendar entry.
(2007-01-17) [CRM Today] "A different approach would be to learn from the private sector, and deliver service modernisation at a more local level, without driving a coach and horses through much needed privacy protection laws".
This week there were reports that the UK Government is planning a super database to hold details of private citizens. The creation of such a database has so far been prevented by the Data Protection Act (DPA). The UK Government is reportedly planning to ease the privacy protection law to make way for data sharing between departments. Meanwhile Tony Blair denies the super database idea, but is planning to share data at a national level anyway. Sarah Burnett, Senior Research Analyst with Europe's leading independent IT Research and Advisory organization, Butler Group, says data sharing on a national scale is going to be very challenging. She points to the many data quality and integrity issues and barriers and is of the view that such an ambitious project is unlikely to succeed. Comment from Sarah Burnett follows below.
[source: News]
(2007-01-17) [Wired] My computer is my most private possession. I have other things that are more dear, but no one item could tell you more about me than this machine. Yet, a rash of recent court decisions says the Constitution may not be enough to protect my laptop from arbitrary, suspicionless and warrantless examination by the police.
At issue is the Fourth Amendment, which protects individuals from unreasonable searches and seizures by government agents. As a primary safeguard against arbitrary and capricious searches, property seizures and arrests, the founding fathers required the government to first seek a warrant from a judge or magistrate. The warrant has to specifically describe the place to be searched and the items to be seized. Computers pose special Fourth Amendment search problems because they pack so much information in such a small, monolithic physical form. As a result, courts are grappling with how to protect privacy rights during searches of computers. (Excerpt from story by Jennifer Granick)
[source: News]
(2007-01-20) [The Times] Take the photographing of children, for example, a matter taken so gravely that, if my sons are appearing in an activity that may end up in the South London Press or even on the school website, I must give written consent. And yet go to the website www.flickr.com and type in the words "naked baby" and up pop 2,652 photos of totally nude tots cavorting on the beach or in the bath. These images are put there, mostly, by their own parents.
The private and public domains have blurred as never before. If individuals get such pleasure from revealing so much of their lives, what right do they have to squeal when someone tugs off one extra veil? This week the page three stunna Keeley Hazel went legal after a video of her having sex with an ex-boyfriend turned up online. "It's a disgraceful invasion of my privacy," said the woman who poses topless for men's magazines. "Now I feel I have no dignity left." (Excerpt from Op-Ed piece by Janice Turner)
[source: TimesOnLine]
(2007-01-20) [DailyIndia.com] India is reported to be moving to strengthen the protection of personal information after Australia's Attorney-General Philip Ruddock raised his government's strong concerns about data privacy during a visit here.
Ruddock told select media here that India's peak industry body for information technology, the National Association of Software and Service Companies (NASSCOM), had assured him that legal and administrative measures designed to protect such were being strengthened.
[source: DailyIndia.com]
(2007-01-19) [CNet Networks Inc] Security experts are hugely nervous about the government's latest database plans, and have pointed out numerous grave security concerns over two of its proposed schemes.
The Home Office announced in December that the National Identity Register -- the planned database behind the controversial ID cards scheme -- would comprise three existing databases. The Department of Work and Pensions (DWP), the Identity and Passport Service (IPS) and the Immigration and Nationality Directorate (IND) databases would be combined to store people's biometric and biographic information. This plan, which negates the need to build a single new database, has sparked alarm in the security space. (Excerpt from news story by Tom Espiner)
[source: ZDNet.co.uk]
(2007-01-19) [Mistaken Goal: Where Student Affairs & Technology Meet] The Minnesota Daily has conducted a survey of University of Minnesota students in which they asked students about Internet Use, Social Networking Websites and Associated Privacy Issues, Internet Identity, Internet Safety and Data Privacy, and The Internet and Participation.
They have published at least one news story about the survey as well as some of the methodological details of the survey. While they don't appear to have published the survey instrument, the published methodology seems to be relatively sound (as it should be since they contracted with the university's Department of Survey Research). The "report" seems to be missing some details and sections; there are multiple versions of the report on their website, each longer than the last, so maybe they are publishing drafts of the report as they become available...?
[source: Blog]
(2007-01-19) [CNet] The Bush administration plans to approach Congress again this year about the possibility of new rules requiring ISPs to retain information about their subscribers for a certain period of time.
US attorney general Alberto Gonzales said he is continuing to explore such legislation, pertaining not to "data retained by government but [to] data retained by ISPs that could be accessed with a court order", and told a hearing convened by the Senate Judiciary Committee: "I would like to have a discussion with the Congress about that." (Excerpt from news story by Anne Broache)
[source: silicon.com]
(2007-01-19) [Korea Times] Under the Ethics Law enacted in 1981, high-ranking officials and official candidates must register their assets and the government has to open the information to the public. This exposure has resulted in harm to public servants.
The law is designed to prevent bureaucrats from making illicit increases in wealth and to boost the transparency of performance. Many civil servants are concerned over infringement of privacy and even threat of life as all their private information is available to anyone on the Internet. The Supreme Court said that the government should devise ways to protect judges, who are vulnerable outside of the court, during a meeting a day after the assault. (Excerpt from news story by Kim Sue-young)
[source: The Korea Times]
(2007-01-18) [PinsentMasons] Identity fraud can net criminals £85,000 for each identity stolen, research has found. That is the average amount which criminals can expect to gain from impersonating a person in the UK according to anti-ID theft company Garlik.
Garlik was founded by Tom Ilube and Mike Harris, who founded internet bank Egg, and it commissioned research from consultancy 1871 Ltd which uncovered the value of a single fake identity. It also discovered that lawyers are a main target of ID fraudsters.
[source: Out-law.com]
(2007-01-18) [PinsentMasons] The Home Office has extended the powers of the UK Government to share information on citizens between departments and agencies and with the private sector. The measures are contained in the just-published Serious Crime Bill.
Opponents to the plans argue that it will permit massive snooping exercises by Government which are not the result of specific suspicions or inquiries.
[source: Out-law.com]
(2007-01-18) [The Thicket at State Legislatures] Today's podcast on privacy issues focuses on public concerns over identity theft, the loss of personal information through private and public incidents of neglect, adults destroying the credit rating of children, protecting minors using the Internet and even "black boxes" that may be a part of your new car.
Listen to the podcast (audio length 9:13). (By Gene Rose)
[source: Blog]
(2007-01-18) [CNet] As government once again considers building a 'super database' linking all our personal details, Simon Moores explains why, though he doesn't oppose the idea in theory, he's uneasy about it in practice.
[W]hile we have an Office of Constitutional Affairs, we don't yet have a Combined State Political Directorate. That's where I fear the idea for a huge Whitehall 'super-database' of people's personal details might best sit, regardless of the noises surrounding its true objective of improving public services. At the forthcoming e-Crime Congress in March, this is a subject which will be examined by Cambridge University professor Ross Anderson and information commissioner Richard Thomas, who has already warned the UK may be "sleepwalking into a surveillance society". (Excerpt from story by Simon Moores)
[source: silicon.com]
(2007-01-17) [Simplex Knowledge Company] Risk to Life and Health, Altered Medical Records and Loss of Confidentiality Rank Among Top Fears Related to Medical Identity Theft
A robust 98 percent of consumers believe that healthcare organizations have a responsibility to protect patient medical records; however, only 40 percent of consumers feel confident that their healthcare providers are able to secure their medical records. This is according to a survey report released today by EpicTide, a leading provider of security solutions for the healthcare industry. (Excerpt from news story by Kurt Long)
[source: Sarbanes-Oxley Compliance Journal]
(2007-01-17) [FairfaxDigital] Some valid concerns remain about the Government's new social services card. Early next year, Australians will be able to apply for the Federal Government's new access card, intended to make it easier to claim health or social service benefits. Printed on the card will be the individual's name, photograph and signature, and the card's number and expiry date -- information that will also be included on an encrypted microchip, along with other data, including address, date of birth and details of dependants, if any.
The Government stresses that it is not an ID card and no one will be forced to carry it. It has also said, somewhat disingenuously, that the card is voluntary -- as it is until 2010, when it will become the only way to claim benefits, including Medicare.
[source: theage.com.au]
(2007-01-17) [PinsentMasons] People who gather personal data without issuing a valid data protection notice in the course of their business could, at least in theory, face up to 10 years in jail under the UK's new Fraud Act which came into force on Monday.
The Act was passed by the House of Commons in November but only came into force this week. Though legal experts say that a 10 year jail sentence seems extremely unlikely for an improperly-worded data protection notice or the absence of one, the law does make such a term possible.
[source: Out-law.com]
(2007-01-17) [EDRI] The initial plan of the UK Government regarding the national ID scheme was meant to use photographs, fingerprints and iris scans in a National Identity Register. The Home Office's Strategic Action Plan for the National Identity Scheme now considers that the iris scan is just an option and only the ten fingerprints will be taken for each new applicant.
According to Home Office officials, the iris scan was dropped due to the high costs of this process. They also claimed the decision was also related "with international obligations, most international countries are using facial and fingerprint recognition so it is to come in line with that." However, a return to iris scanning in the future could still be possible.
[source: EDRI-gram, Number 5.1]
(2007-01-17) [EDRI] During an operation carried out by the German police, prosecuting authorities and State Office of Criminal Investigation (LKA) of the federal state of Saxony-Anhalt, millions of credit card transactions were scrutinized in September 2006.
A spokesman from LKA stated that indeed a large number of credit cards were verified, although he could not confirm the number of 22 million for 2006. But he stated that approx. 22 million credit cards were scrutinized in 2005.
[source: EDRI-gram, Number 5.1]
(2007-01-17) [EDRI] New controversial issues have appeared in the case of the Passenger Name Record (PNR) deal with the US, showing that the level of privacy from the US authorities is very far from the European standards. As Statewatch revealed, the EU Council Presidency admitted that the Council of the European Union and the European Commission had known about the US's "Automated Targeting System" (ATS) profiling all visitors.
The issue has become critical after the Homeland Security Department (DHS) posted a Notice on the Federal Register in November 2006 showing that PNR data on travellers from the EU are included in the ATS used by DHS Customs and Border Protection (CBP) branch.
[source: EDRI-gram, Number 5.1]
(2007-01-17) [FairfaxDigital] Victoria accounts for 2.8 million Medicare cards, making them one of the most commonly held pieces of plastic in the average wallet. The Medicare card has served people well over the past 23 years, but it's also a card that is in need of an upgrade -- to prevent identity theft.
The Australian Federal Police estimates that Medicare cards play some role in more than half of identity fraud cases. They are cheap -- a good, fake Medicare card costs $150, compared with $750 for a fraudulent driver's licence -- and easy to produce. (Excerpt from news story by Joe Hockey.)
[source: theage.com.au]
(2007-01-17) [Freep.com] In the age of the Internet, we have all but surrendered the privilege of privacy. The good news? If you feel a burning need to check out someone's driving record, job status or just about anything else, you can do it online. The bad news? People can find out just about anything about you.
"Privacy has been an illusion for some time now," said Peter Vogel, a Dallas trial lawyer and law professor whose specialty is computer technology. "Most of the information that people assume is private is easily attainable on the Internet." (Excerpt from news story by Cynthia Hubert)
[source: News]
(2007-01-16) [Washington Post] The tracking of Kitty Bernard begins shortly after she wakes up. All through the 56-year-old real estate agent's day, from walking in her building's lobby to e-mailing friends and shopping and working, the watchful eye of technology records her movements and preferences. Welcome to the 21st century.
Like many Americans, Bernard uses modern gadgets to make life easier, and along the way creates a data trail that others can access and preserve, sometimes permanently. Every Internet search resides on a computer somewhere. Comings and goings are monitored by security cameras. Phone calls are logged by telecommunications companies. This explosion in data collection has been embraced by many Americans as a trade-off for convenience and discounts. But it also has raised questions about personal privacy at a time when the government is increasingly tapping into these reservoirs of telling details to fight crime and terrorism. (Excerpt from news story by Ellen Nakashima)
[source: washingtonpost.com]
(2007-01-16) [Policy Dialogue International] Overzealous data sharing rules may be an obstacle to improving public services, the PM's policy review suggests. Laws and procedures that prevent different public services from sharing their customers' personal details should be reviewed to bring customer care in the public sector up to the best private sector standards.
Members of a citizens' panel will be asked whether they would be in favour of relaxing current privacy procedures so they don't have to repeat personal information to several different public bodies, particularly at times of great stress such as the death of a loved one.
[source: eGov Monitor]
(2007-01-16) [CCN Matthews] Data Survey of 26,000 Subscribers to Innovative Identity Scoring Engine Yields Shocking Results
MyPublicInfo, Inc. (www.MyPublicInfo.com), the leading expert in identity scoring and an innovative provider of identity theft protection services and monitoring solutions for consumers, today released data on potential identity theft threats. Subscribers of IdentitySweep, MyPublicInfo's cutting-edge identity protection and identity scoring technology, found many instances of their personal information openly available on the Web, such as home addresses, phone numbers, and personal e-mail accounts. Many subscribers were horrified to find their entire credit card numbers and Social Security numbers viewable online. MyPublicInfo, Inc. conducted research on data from 26,000 subscribers. A staggering 72% had their full address disclosed online, while 49% found their name and phone number on the Internet. 30% of IdentitySweep subscribers found their e-mail addresses in one or several locations online. 1.5% discovered that their credit card number was exposed, and 9% of the surveyed groups were horrified to find their Social Security number had some evidence of possible manipulation or misuse.
[source: Market Wire]
(2007-01-16) [ComputerWorld] Officials in the United Kingdom want to relax data protection laws so they can share people's personal data across different government agencies, but critics are decrying the proposal as another move toward a "big brother" state.
Under the proposal, citizens would be asked to give their permission before their data is shared. In most instances, U.K. government agencies by law can't share people's personal information. The goal is to improve government services and avoid citizens having to give the same personal information to multiple agencies. (Excerpt from news story by Jeremy Kirk)
[source: Security]
(2007-01-16) [LifeHacker] The internet has become an inextricable part of contemporary life, both in terms of how we get things done at work and how we get things done in our everyday lives. The problem is, sometimes our personal use of the internet conflicts with what the bossman has in mind.
As a firm believer that you can do your job well while getting in a little personal time with Sweet Lady Internet, this week I'm going to highlight a few methods for adding a layer of privacy and freedom to your work browsing. (Excerpt from story by Adam Pash)
[source: Blog]
(2007-01-15) [The Washington Times LLC] I was impressed when the September 11 commission included in its list of recommendations to the Bush administration an actual watchdog operation to keep checking on what's been happening to our civil liberties since September 11. But then I found out the resultant Privacy and Civil Liberties Board, set up in 2004, is so closely tied to the administration that it has to get permission from the Attorney General for any documents it wants, and without subpoena powers, its lack of independence is further enforced.
It took two more years for this phantom board to hold its first public hearing last Dec. 5. There its sole Democratic member, attorney Lanny Davis -- previously known for his fairness -- said in answer to criticisms of the board's lack of independence: "Congress put us in the office of the president, we didn't. Had Congress wanted us to be an independent agency, it would have made us independent." (Excerpt from OpEd piece by Nat Hentoff)
[source: The Washington Times]
(2007-01-15) [vnu Business Publications] Prime Minister Tony Blair will announce plans today to shake up the rules governing data protection within government departments.
The plans are expected to change the restrictions on government departments sharing personal data on UK citizens in an effort to improve public services, according to Minister for Works and Pensions John Hutton. (Excerpt from news story by Iain Thomson)
[source: What PC?]
(2007-01-15) [EUobserver] European interior ministers have informally agreed to share personal data such as DNA as part of the fight against crime and terrorism, representing an important move in the sensitive policy area.
At an informal gathering in Dresden, Germany together with the European Commission succeeded in rallying all 27 member states behind a plan to grant mutual access to vehicle registration data, DNA files and stored fingerprints. (Excerpt from news story by Mark Beunderman)
[source: euobserver.com]
(2007-01-15) [Ars Technica LLC] Recent technological advancements necessitate careful examination of the growing dichotomy between surveillance and privacy rights in a technologically advanced world.
As new technologies redefine the scope of conventional law enforcement investigation techniques, governments will have to establish new guidelines to limit abuse and preserve basic civil liberties. A recent article in Reason Magazine addresses the legal ambiguity of pinpoint search technology vis a vis basic privacy rights. (Excerpt from news story by Ryan Paul)
[source: ars technica]
(2007-01-15) [ComputerWorld] The Blaster worm hit McCormick and Co. hard and fast. It entered the famous spice company through a service provider connection and ripped across plants and offices in a matter of hours. What was most vexing, however, was that the virus kept coming back on disinfected network segments.
Upon further investigation, it turned out that Blaster, as well as some instances of the Sasser worm, were trying to repropagate from infected network printers. (Excerpt from news story by Deb Radcliff)
[source: Security]
(2007-01-15) [Integrated mar.com] A new white paper from McAfee Inc's Avert Labs highlights the latest computer and online identity theft trends, and features major increases in keyloggers and phishing scams.
Entitled "Identity Theft," the report notes that keyloggers (malicious software code that tracks typing activity to capture passwords and other private information) increased by 250 percent between January 2004 and May 2006 while phishing alerts tracked by the Anti-Phishing Working Group multiplied 100-fold over the same period of time. (Excerpt from news story by Vanessa Ho)
[source: ConnectIT]
(2007-01-15) [The District Chronicles] According to a recent Pew Internet and American Life Project Research Study, 81 percent of parents believe teenagers aren't careful when volunteering personal information online and 79 percent of teens agree. Online social networking is the process of communicating with friends, business colleagues, classmates and others through the Internet. An online social network creates a virtual community for others to join and feel connected to each other such as MySpace, Friendster and Xanga.
The potential risks lie in the amount of personal information members -- especially young members -- may divulge about themselves through videos, photos or written communication. Teen identity theft victim Zach Friesen's identity was stolen when he was seven years old. At age 17, he learned he was the victim of identity theft and that thieves used his name for purchases totaling $40,000.
[source: News]
(2007-01-15) [Media General] Protecting our privacy, it's a major concern for most people these days, even Governor Tim Kaine. "Who has data about me, what are they doing with it," Kaine asked.
So much so, Kaine is proposing two new initiatives that could help you. First he wants the state to look at a Do Not Sell List. It's similar to the Do Not Call List that has worked so well. Except in this case it would block companies or agencies from selling personal information about you. Companies routinely sell lists of their customers with information about their buying habits, addresses, incomes, donations, etc. And from that you start getting direct mail from politicians, charities or other companies. (Excerpt from news story by Jay Warren)
[source: WSLS]
(2007-01-14) [BBC] A giant database of people's personal details could be created at Whitehall under government plans which ministers say will help improve public services.
Tony Blair is expected to unveil the proposal in Downing Street on Monday. Strict regulations currently prevent one part of government sharing personal information it holds with another. (Excerpt from news story by Mark Easton)
[source: News]
(2007-01-13) [Toronto Star] It seems there's no danger of your spare change spying on you after all.
A U.S. government defence agency has suddenly retracted its claim that Canadian coins containing tiny transmitters were planted on at least three American contractors who visited Canada. It's the latest twist in an intriguing cash caper. (Excerpt from news story by Jim Bronskill)
[source: Toronto Star]
(2007-01-13) [Associated Newspapers Limited] Confidential details sent to MI5 by thousands of individuals and businesses have ended up with an American company specialising in supermarket mailshots.
The security service's new email early warning system was designed to reassure the public in the wake of the July 7 bombings and the disclosure of a string of failed terror plots. It was launched by the Home Office last week. The Government said it was part of a long-planned programme to keep the public better informed about the terrorist threat. People signing up for the alerts were asked to type their name and email details into the MI5 website alongside an assurance their personal information would be protected by the Data Protection Act and the Security Services Act. But The Mail on Sunday can reveal the service is not being run by MI5. Instead it has been paying Whatcounts Inc, a US computer firm based in Seattle, to store the details and send terror alerts.
[source: thisislondon.co.uk]
(2007-01-13) [CMP] It seems that every time a company or government entity proposes a new way to collect, disseminate, or act on data, whether it's to fight terrorism or track inventory, a small yet seemingly ubiquitous pack of self-proclaimed do-gooders links arms, threatens lawsuits, and warns about the end of the world as we know it.
Advocacy groups have become influential voices on some of the biggest tech policy issues. There's homeland security, where the likes of the Center for Democracy and Technology and the American Civil Liberties Union helped stall the Transportation Security Administration's Secure Flight airline passenger-screening program by raising concerns about privacy. There's the Electronic Frontier Foundation's ongoing litigation against AT&T, alleging improper cooperation with government surveillance efforts, and its support of efforts to give Web-based e-mail the same protection from warrantless searches it won in the early 1990s for e-mail on a hard drive. There's the Electronic Privacy Information Center's call for legislation to stipulate how radio frequency identification can and can't be used in passports and retail stores. (Excerpt from news story by Larry Greenemeier, J. Nicholas Hoover)
[source: InformationWeek]
(2007-01-13) [Radio New Zealand] The National Party says some schools are using the Privacy Act as an excuse to withhold school reports from parents.
It is not clear how widespread the practice is, but in response to a written parliamentary question the Minister of Education says it has prompted a number of enquiries.
[source: News]
(2007-01-12) [ComputerWorld] Analysts applauded the intentions of a bill introduced in Congress this week seeking to place greater checks and balances on the government's use of data mining programs to combat terrorism. But they said it will have to be well crafted to be truly effective.
U.S. Sen. Patrick Leahy (D-Vt.), the new chairman of the Senate Judiciary Committee, and two of his colleagues proposed the Federal Agency Data Mining Reporting Act on Wednesday during a committee hearing on the privacy implications of data mining by federal agencies. (Excerpt from news story by Jaikumar Vijayan)
[source: Government]
(2007-01-12) [CNet] FBI officials are warning users of a new phishing scam that plays off a recent round of bogus extortion threats.
The initial e-mails phishing for personal information were sent around last month, purportedly from a would-be hit man demanding users pay an extortion fee of thousands of dollars, or face death, according to an FBI advisory. (Excerpt from news story by Dawn Kawamoto)
[source: News.com]
(2007-01-12) [MediaPost Communications] FTC hearings late last year re-energized discussions over privacy and consumer choice in online data collection. As the model du jour, behavioral targeting is getting its share of scrutiny, while the BT networks enlarge and major players like MSN launch new targeting products.
And so, in the coming weeks, BI will poll the industry by interviewing executives at the top BT firms to flesh out their stand on privacy policies, consumer education, and industry-wide standards for implementing BT opt-out. Roy Shkedi, CEO of post-search BT network AlmondNet, recently proposed a common practice whereby every ad served by a BT network offers the opportunity to opt-out of behavioral tracking. Shkedi thinks the process could be an opportunity to assuage consumer worries about privacy, but at the same time educate them about the real benefits of opting in. (Excerpt from news story by Steve Smith)
[source: MediaPost]
(2007-01-12) [Associated Press] President Bush on Friday signed a bill into law that would make it a crime to lie to obtain the telephone records of private citizens.
The legislation outlaws the practice of getting confidential phone records by "making false or fraudulent statements" to a phone company employee, by "obtaining false or fraudulent documents to access accounts" or by "accessing customer accounts through the Internet" without authorization.
[source: WTOP]
(2007-01-12) [Government of Canada] The Privacy Commissioner of Canada, Jennifer Stoddart, announced today the renewal of funding for privacy research through her Office's 2007-2008 Contributions Program.
"It is with great enthusiasm that I announce the launch of this program early in 2007, so that privacy experts and researchers can contribute to enriching the program of the 29th International Conference of Data Protection and Privacy Commissioners, which I am proud to be hosting in September 2007, in Montreal. The event is an excellent opportunity to showcase the wealth of knowledge and expertise we have here in Canada in the field of privacy protection. The conference will also help crystallize Canada's leadership in this area."
[source: News]
(2007-01-01) [Wired] There's been a long-standing and typically European bureaucratic battle between the United States and the European Union over having airline passenger records sent from flights originating in E.U. countries that are headed to the United States. It's mostly crap that revolves around the Europeans having a stricter data protection law that they never enforce, but like to pretend is better than U.S. rules.
But they did strike a deal that gives E.U. citizens some measures of protection and limitations that U.S. citizens do not enjoy when it comes to the Automated Targeting System. (I won't bore you with the details of the negotiations, but the most recent agreement simply continues the original 2004 agreement.)
[source: News]
(2007-01-15) [FairfaxDigital] PRIVACY, as Victorian Privacy Commissioner Paul Chadwick recently observed, is a freedom most noticed in its absence. Sadly, we only seem to appreciate what we had once it's gone.
The value of privacy is only grasped when we recognise that even if the surveyors do nothing with the information they gather about cell occupants — neither recording nor relaying it — it is their power to observe us if and when they choose that causes harm. (Excerpt from story by Leslie Cannold)
[source: theage.com.au]
(2007-01-13) [Science Service] Tiny behavioral differences can reveal your identity online. People tap out their electronic secrets. Internet users have characteristic patterns of how they time their keystrokes, browse Web sites, and write messages for posting on online bulletin boards. Scientists are learning to use these typeprints, clickprints, and writeprints, respectively, as digital forms of fingerprints.
While the aims of this research are to strengthen password security, reduce online fraud, identify online pornographers, and catch terrorists, the technology is raising some troubling possibilities. "It's a bit scary," says Jaideep Srivastava, a Web researcher at the University of Minnesota in Minneapolis. "The privacy implications are huge." This technology might make it impossible for a person to use the Web anonymously. (Excerpt from news story by Julie J. Rehmeyer)
[source: Science News, Vol. 171, No. 2, p. 26]
(2007-01-12) [Davis Wright Tremaine LLP] The Automated Targeting System (ATS) passenger screening program, formally announced by the Department of Homeland Security (DHS) in November, assigns a risk score to international air travelers bound for the U.S. that is intended to show the degree to which each traveler poses a terrorist risk. The scores can be kept for up to 40 years and DHS may share the information widely among federal, state, and international agencies.
Although everyone except terrorists and their supporters wants DHS to stop terrorists from boarding planes bound for the U.S., the ATS has been widely criticized. EPIC’s website includes a useful summary and links. The attacks on the ATS fall into three categories. (Excerpt from post by Randy Gainer)
[source: Privacy and Security Law Blog]
(2007-01-12) [EPIC] The Council of Europe, with the support of the European Commission, will be celebrating Data Protection Day on January 28, 2007. The aim of Data Protection Day is to give European citizens the chance to understand what personal data is collected and processed about them and why, and what their rights are with respect to this processing.
The day also aims to educate individuals on the risks associated with the illegal mishandling and unfair processing of their personal data. Each interested member state, international and national body is organizing events at a local level, such as panel discussions, media campaigns and education programs.
[source: EPIC Alert, Volume 14.01]
(2007-01-12) [EPIC] On December 28, 2006, the Federal Identity Theft Task Force announced it "is seeking public comment on ways to improve the effectiveness and efficiency of federal government efforts to reduce identity theft".
The Identity Theft Task Force is responsible for developing a strategic plan to better prevent identity theft, coordinate prosecution, and ensure recovery for victims. Comments must be filed on or before January 19, 2007. EPIC is in the process of drafting a response to the Identity Theft Task Force.
[source: EPIC Alert, Volume 14.01]
(2007-01-12) [EPIC] Over the past year and a half, the Justice Department has been assembling a database of millions of case files in order to facilitate information-sharing between law enforcement officials.
The OneDOJ database already provides uniform access to over 1 million case records from Justice's five main agencies: FBI; Bureau of Alcohol, Tobacco, Firearms and Explosives; Drug Enforcement Administration; U.S. Marshals Service and the Federal Bureau of Prisons. Currently, OneDOJ is allowing local and state law enforcement regional access to Justice's records, but plans to expand to allow local and state law enforcement to exchange data nationally.
[source: EPIC Alert, Volume 14.01]
(2007-01-12) [EPIC] The Supreme Court on Monday, January 8th, refused to hear a challenge to secret Transportation Security Administration (TSA) rules on passenger identification. The case, Gilmore v. Gonzales, was filed after David Gilmore was refused the ability to board a plane without showing ID.
The TSA also refused to reveal the "secret" regulations governing passenger identification. Gilmore sued, claiming his right to travel anonymously and a due process right to know the regulations he was expected to follow.
[source: EPIC Alert, Volume 14.01]
(2007-01-12) [EPIC] This week the Senate Judiciary Committee, now under new leadership, turned its attention to government data mining efforts. Senator Leahy, the committee chair, announced the introduction of the Federal Agency Data Mining Reporting Act of 2007 -- previous versions were introduced in 2003 and 2005.
Concerned that data mining is practically ineffective and represents data collection on millions of Americans, the bill aims to provide some oversight over the practice. Agencies will have to report their uses of data mining to Congress.
[source: EPIC Alert, Volume 14.01]
(2007-01-12) [EPIC] A report from the privacy office of the Department of Homeland Security has found that information provided by DHS about the airline screening system was misleading and incomplete. The privacy office report follows a Government Accountability Office report and testimony earlier this year that the Transportation Security Administration approved Secure Flight to become operational in September, despite inconclusive risk assessments and 144 known security vulnerabilities. Congress suspended the Secure Flight program earlier this year.
Secure Flight was introduced as a successor to the now-abandoned second generation Computer Assisted Passenger Prescreening System (CAPPS II). Many of the problems with CAPPS II that led to its demise continued to plague Secure Flight in its test phase. The controversial program has been the focus of two government investigations. On February 9, the Government Accountability Office testified that "TSA may not have proper controls in place to protect sensitive information", and that the documents underlying the program "contained contradictory and missing information".
[source: EPIC Alert, Volume 14.01]
(2007-01-12) [EPIC] In comments to the State Department, EPIC warned that a proposed People Access Security Service (PASS) card for travel between the United States, Canada, Mexico, and the Caribbean would jeopardize the privacy and security of US travelers. EPIC urged the State Department to reject the use of "vicinity read" (long-range) radio frequency identification (RFID) technology, because it contains substantial privacy and security risks, such as "skimming" and "eavesdropping", and it does not contain Basic Access Control.
The data on the PASS card would include the personal information currently displayed in passports, "bearer's facial image, full name, date and place of birth, passport card number, dates of validity and issuing authority." The card will use RFID technology to "store and transmit" a unique reference number to the border official so that she may access the traveler's information in a large federal database, "which could include additional information, for example, information about the bearer's membership in one of [Customs and Border Protection's] international trusted traveler programs," according to the State Department.
[source: EPIC Alert, Volume 14.01]
(2007-01-12) [EPIC] On November 24, 2006, the Internet Corporation for Assigned Names and Numbers (ICANN) invited public comments on its Preliminary Task Force Report on WHOIS services. The report highlights two different approaches to limitations on the public availability of WHOIS data.
The first proposal, supported by the Registrar, Registry, and Non-Commercial Users Constituencies, removes registrants' mailing addresses, phone and fax numbers and email addresses from the Whois database, and requires the use of an "operational point of contact," an intermediary who would contact the registrant in the case of an issue with the domain name. WHOIS would continue to publish the registrant's name and country.
[source: EPIC Alert, Volume 14.01]
(2007-01-10) [ComputerWorld] Dozens of government data-mining programs collect private data about U.S. residents with few civil liberties safeguards, and some violate U.S. law, Democratic members of the Senate Judiciary Committee said Wednesday.
Democratic senators pledged to provide more congressional scrutiny for data-mining programs authorized by President George Bush's administration. "All I want is the administration is follow the law," Senator Patrick Leahy, a Vermont Democrat, said during the Judiciary Committee's first hearing since Democrats took over the majority in Congress this month. "They want us to follow the law -- they should follow the law." (Excerpt from news story by Grant Gross)
[source: Security]
(2007-01-10) [CBC] They say money talks, and a new report suggests Canadian currency is indeed chatting, at least electronically, on behalf of shadowy spies.
Canadian coins containing tiny transmitters have mysteriously turned up in the pockets of at least three American contractors who visited Canada, says a branch of the U.S. Department of Defence.
[source: CBC News]
(2007-01-10) [Center for Democracy and Technology] Included in the 9/11 Commission recommendations approved by the House of Representatives Tuesday night was a provision that would clarify the investigative authorities and provide independence to the privacy officer of the Department of Homeland Security.
Originally introduced in 2005 by Rep. Bennie Thompson (D-Miss.), the POWER Act aimed to give the DHS privacy officer the authority necessary to ensure that DHS agencies are protecting privacy and following current law and policy. The legislation also contains a provision that requires privacy officers be employed by many major entities within the intelligence community, including the Attorney General, Secretary of Defense and Director of the CIA. CDT supports the measure.
[source: Headlines]
(2007-01-10) [Center for Democracy and Technology] CDT Executive Director Leslie Harris today told lawmakers that any government "data mining" program must be built on a policy framework that includes meaningful safeguards for privacy and security.
Testifying before the Senate Judiciary Committee, Harris urged lawmakers also to demand that no data-mining program be implemented until its efficacy as an anti-terrorism tool can be demonstrated. Harris also noted that the existing legal framework protecting Americans' privacy has been rendered ineffective by the march of technology, and suggested that core laws like the Privacy Act have become inadequate.
[source: Headlines]
(2007-01-10) [ComputerWorld] Despite some misgivings, an overwhelming number of Americans favor the use of biometric identifiers in passports, driver's licenses and Social Security cards, according to a new survey by Truste, a non-profit online privacy certification organization based in San Francisco.
The same is true when it comes to the use of biometric IDs in credit and debit cards, although most of those who responded to the survey appear to be reluctant to share biometric data with retailers because of privacy concerns. (Excerpt from news story by Jaikumar Vijayan)
[source: Security]
(2007-01-09) [Penton Media, Inc.] RFID tag security and data privacy was a popular topic in 2006, so I am beginning 2007 with a review of the issues and a look ahead at some anticipated
As we have seen from the growth of the Internet, anywhere a security hole exists, some hacker will find and exploit it for fun, profit, or both. The security problems summarized above are real and require real solutions. The RFID industry is working on technical solutions to all of the security problems noted above. Look for additional progress in security standards in 2007, coupled with increased RFID industry outreach to the general public in the form of press releases and advertising about security features. I can also confidently predict an increase in alarmist newspaper articles about RFID tags as the market presence of RFID increases. It should be a fun year! (Excerpt from news story by Paul Faber)
[source: IndustryWeek]
(2007-01-08) [CNET Networks, Inc.] It was a routine weekend ceremony. President Bush was signing a postal reform bill into law on December 20th; a bill which, among other things, reinforced protections of first-class mail from searches without a court's approval. However he added an addendum (technically a "signing statement"), one that was not discussed by the legislature or anyone else. The addendum said that it was ok to open and read the mail in "exigent circumstances".
A valid question we should ask ourselves is this: Is privacy important? Or is it a quaint idea that is no longer meaningful? (Excerpt from post by Ed Burnette)
[source: ZDNet Blogs]
(2007-01-08) [ComputerWorld] The U.S. Department of Justice is pushing the FBI and its other operating units to speed up and expand their efforts to share a wide array of crime information with outside law enforcement agencies via a centralized database called OneDOJ.
In a Dec. 21 memo, Deputy Attorney General Paul J. McNulty also directed CIO Vance Hitch to work with all of the DOJ's component agencies to develop "an aggressive but practical plan" for increasing their information-sharing capabilities. The plans, which must be submitted to McNulty's office by Feb. 9, will include steps that can be taken within the next 180 days to enable the units to participate more fully in seven ongoing data-sharing initiatives. (Excerpt from news story by Todd R. Weiss)
[source: Government]
(2007-01-08) [Center for Democracy and Technology] A proposed ID card that could be used in place of a passport by Americans who make frequent trips to Canada, Mexico and the Caribbean lacks adequate privacy protections and needs to be rethought.
In comments submitted to the State Department on Sunday, CDT highlighted concerns with the proposed PASS (People Access Security Service) Card, which would use non-secure radio frequency identification (RFID) technology to transmit information about citizens crossing borders. In the comments, CDT urges the State and Homeland Security Departments to reconsider whether the PASS Card program is really necessary; and if they do move forward to use a technology that will allow for better privacy and security safeguards.
[source: Headlines]
(2007-01-08) [PinsentMasons] Iris scans will not form part of the UK Government's planned identity card system the National Identity Register (NIR). The only biometric information to be held on ID cards will now be fingerprints, in contrast to previously stated plans.
The Home Office's Strategic Action Plan for the National Identity Scheme, published in December, said that iris scans were now just an option, and only fingerprints will be taken from those enrolling in the scheme.
[source: Out-law.com]
(2007-01-07) [ComputerWorld] Researchers at the University of Cambridge in the U.K. have demonstrated how a chip-and-PIN terminal used to authenticate credit and debit card transactions in that country can be compromised to steal sensitive data.
For the proof-of-concept hack, the researchers opened up one of the supposedly tamper-proof terminals, replaced its internal hardware with their own, put it back together without any external evidence of tampering and then got the machine to play Tetris. (Excerpt from news story by Jaikumar Vijayan)
[source: Security]
(2007-01-05) [Forbes] Amid the obituaries of former President Gerald Ford last month, you did not read about his intense involvement in privacy-protection policy. Privacy was the issue that most involved Ford in his nine months as vice president, and he maintained his interest when he brought decency and decisiveness into the presidency.
As President Richard Nixon was fighting the impeachment movement in Congress, aides suggested that in his next State of the Union message he should stand foursquare for privacy. Illegal wiretapping, break-ins, and snooping into personal records, after all, were at the center of the violations of Constitutional rights attributed to the beleaguered President. (Excerpt from news story by Robert Ellis Smith)
[source: Forbes.com]
(2007-01-05) [National Geographic] A new type of search engine using facial recognition technology could soon be able to pinpoint images of a person among the billions of photos posted online—even if their name does not appear.
A Swedish company named Polar Rose plans to launch its service for facial searches tied to the photo-sharing site Flickr within a couple weeks. (Excerpt from news story by Mason Inman)
[source: News]
(2007-01-04) [EPIC] Here are the Top Ten Privacy Stories of 2006 and Ten Privacy Issues to Watch in 2007 from the Electronic Privacy Information Center (EPIC).
Stories 2006: (1) Millions of Military Records Go Missing, (2) Identity Theft Keeps Top Spot, (3) NSA Domestic Spying, (4) H-P Spy Scandal, (5) Choicepoint Gets Privacy Religion, (6) Passenger Profiling and Terrorist Scoring, (7) Digital Strip Searches, (8) Europeans Battle US Over Privacy, (9) Congress Passes Phone Pretexting Bill, (10) National ID Cards. Issues 2007: (1) Privacy Oversight and the New Congress, (2) REAL ID Not So Real?, (3) Renewed Interest in Medical Records Privacy, (4) EU-US Privacy Showdown, (5) "No-swipe" credit cards, (6) Cell Phone Tracking and Spim, (7) Privacy in Second Life, (8) Databanks of Children, (9) Sex Blogging, (10) Smarter Cameras, More Surveillance.
[source: EPIC Alert]
(2007-01-04) [ComputerWorld] Stories like US 'licence to snoop' on British air travellers make you seriously wonder how far governments will go. We are on a very thin tightrope between security of ourselves and countries and the security of the information about individuals.
It is reasonable to expect information such as passport info, date of birth and other information to be supplied. But other elements - email addresses, dietary requests - seem a step too far. (Excerpt from post by Martin MC Brown)
[source: Blogs]
(2007-01-04) [Datatilsynet] The Privacy Appeals Board (Personvernnemnda) has reversed the decision by the Data Inspectorate (Datatilsynet) that would have prevented Tysvær municipality from using fingerprints to log on to its computers.
The Data Inspectorate's reasoning for the decision was that the municipality, in the Inspectorate's view, had good alternatives to fingerprints, for example smart cards combined with passwords. This view was based on an interpretation of section 12 of the Personal Data Act, which requires both that there be a legitimate need for secure identification and that the chosen method be necessary to achieve such identification.
[source: News]
(2007-01-04) [The Economist] People do not have secret trolleys at the supermarket, so how can it be a violation of their privacy if a grocer sells their purchasing habits to a marketing firm? If they walk around in public view, what harm can cameras recording their movements cause? A company is paying them to do a job, so why should it not read their e-mails when they are at work?
How, what and why, indeed. Yet, in all these situations, most people feel a sense of unease. The technology for gathering, storing, manipulating and sharing information has become part of the scenery, but there is little guidance on how to resolve the conflicts created by all the personal data now washing around.
[source: News]
(2007-01-03) [Pinsent Masons] Email, phone, prize draw and web shopping scams are being targeted by a new coalition of European consumer groups for the first time. The bulk of the Consumer Protection Co-Operation (CPC) Regulation came into force across Europe on 29th December.
Designed to tackle cross-border schemes to defraud consumers, the CPC Regulation focuses on some emerging scams, such as those using email and phone calls to mislead consumers.
[source: Out-Law]
(2007-01-03) [EFF] Colorado-based Ciber, Inc., the largest laboratory that tests software used in U.S. voting systems, has been temporarily banned from approving new systems following problems discovered last summer by the Election Assistance Commission (EAC).
In July, EAC began a new oversight program that increased the level of scrutiny that independent testing authorities ("ITAs") must satisfy in order to be able to review candidate voting systems. The EAC found that Ciber was not following proper quality-control procedures and could not document that it was conducting all the required tests. Ciber's renewed petition for accreditation is currently under EAC review.
[source: EFF News]
(2007-01-02) [ComputerWorld] The debate over the security of electronic voting machines hasn't gone away after November's elections in the U.S.
In Florida, Christine Jennings, a Democratic candidate for U.S. House of Representatives, is pressing forward with a lawsuit asking for a revote. More than 18,000 people in Sarasota County, Florida, voted in other races on the ballot, but e-voting machines from Election Systems & Software Inc. didn't record a vote in Jennings' race, which she lost by 369 votes. (Excerpt from news story by Grant Gross)
[source: Security]
(2007-01-02) [ComputerWorld] A Florida judge has rejected a U.S. congressional candidate's request to examine the source code of electronic voting machines alleged to have miscounted votes in November's election.
Judge William Gary of Florida's Second Judicial Circuit rejected the request by Democratic candidate Christine Jennings, saying the source code for the Election Systems & Software Inc. (ES&S) e-voting machines used in the election is a trade secret. (Excerpt from news story by Grant Gross)
[source: Government]
(2007-01-02) [NPR] Teenagers and young adults put their private information on the Internet, seemingly with little thought about consequences for their personal and professional lives. How has the Web changed American ideas about privacy?
At the University of Southern California, students express their views about sharing their personal information with a virtual world of strangers. Listen to the podcast (length 8:59)
[source: Digital Culture]
(2007-01-01) [CNet] Security expert Bruce Schneier has highlighted privacy concerns around the Nike+iPod Sport Kit, a technology that lets people track time and other statistics while running.
He drew attention to a demonstration by researchers at the University of Washington of a surveillance system that automatically tracks people through the Nike+iPod Sport Kit, which consists of a wireless sensor that fits into Nike+ Air Zoom Moire sneakers and a small white receiver that plugs in to an iPod Nano. (Excerpt from news story by Tom Espiner)
[source: silicon.com]
(2007-01-01) [CMP] Links revealing the sensitive data were found on Digg.com. Google Notebook users are apparently making personal information, such as Social Security numbers and e-mail passwords, available through the online bookmark service.
Links to the sensitive information were posted in a comments section of Digg.com, a news site in which users contribute and vote on stories found on the Web. The popularity of items determines their placement on the site. (Excerpt from news story by Antone Gonsalves)
[source: InformationWeek]
(2007-01-01) [NPR] Nike offers new shoes that are designed to work in conjunction with iPods. But University of Washington researchers have found that radio frequencies from the shoes make them vulnerable to tracking and surveillance.
Listen to the podcast (length 4:18).
[source: Technology]
(2007-01-01) [MIT Technology Review] People who blog and use social-networking and video sites are realizing just how public those spaces can be. That realization, in turn, is causing many of them to reconsider what they post--or at the very least, to do more to protect their privacy.
When it comes to posting personal information online, predators and other criminals are, of course, always a concern. But it goes well beyond that as more adults--teachers, parents, university admissions counselors and prospective employers--become savvy about searching online spaces. Sometimes, personal information lives on in the archives of Google and other search engines, no matter how much people try to get rid of it.
[source: News]
(2007-01-01) [MIT Technology Review] A Swedish startup is combining software and humans to help make photos and other images more easily searchable online, raising privacy concerns as the technology eases the tracking of people across Web sites.
Polar Rose AB is bringing facial-recognition technology to the mix. Its software scans everyday images for about 90 different attributes. If the software finds a match with images in a database, it concludes the two photos are of the same person. The idea is to label every face, even ones in the background, whether posted on a Web journal, a photo-sharing site like Yahoo Inc.'s Flickr or a social-networking hangout like News Corp.'s MySpace. The service will not index images on personal computers or password-protected sites. But there is still a cost: privacy.
[source: News]
(2007-01-01) [EFF] Without informing the public, the Department of Homeland Security (DHS) has for years assigned "risk assessments" to millions of people as they enter or leave the country. The Automated Targeting System (ATS) is precisely the sort of system that Congress sought to prohibit with the Privacy Act of 1974.
Unfortunately, this isn't the first time that the government has failed to properly disclose an invasive travel screening program. According to a report recently released by the DHS Privacy Office, the Transportation Security Administration (TSA) misrepresented how it handled commercial data while testing the controversial Secure Flight program. The Privacy Office's report, which comes a year and a half after TSA's misdeeds became known, states: "However well-meaning, material changes in a federal program's design that have an impact on the collection, use, and maintenance of personally identifiable information of American citizens are required to be announced in Privacy Act system notices and privacy impact assessments."
[source: EFF News]
(2007-01-01) [InfoWorld] With our political process morphing into something resembling a perpetual campaign season, the Democratic leaders who captured both the U.S. House of Representatives and Senate in November will have to move darned quick if they want to make good on their campaign promises.
Already, Democrats are sending signals that they're ready to start moving on pressing issues for the tech sector that were put off by the outgoing Republican majority. Those issues include: "Privacy and Data-Breach Notification" -- Advocacy groups such as the Center for Democracy and Technology (CDT) have long called for comprehensive legislation to protect personal privacy, including rules for organizations handling personal data and limits on government surveillance. (Excerpt from news story by Grant Gross)
[source: News]
(2007-01-01) [Davis Wright Tremaine LLP] Are you flying for the holidays this year? Are you bringing ID with you? What happens if you don't?
NPR reporter Martin Kaste reports on the practical implications of TSA's secret law which affects millions of travelers every day. The text of the federal law that requires travelers to show identification is a secret -- you cannot read it because the federal government insists the law itself is "Sensitive Security Information." TSA's spokesperson refused to even be interviewed on tape discussing this point with NPR. John Gilmore and others are asking the United States Supreme Court to hear his legal challenge to the secrecy aspect of this law.
[source: Privacy and Security Law Blog]
(2007-01-15) "Beyond a Physical Conception of the Fourth Amendment: Search and Seizure in the Digital Age" will take place on January 26, 2007 (Stanford, CA, US).
See calendar entry.