(2007-10-31) [EPIC] Lillie Coney reviews "Privacy Law and Society" (by Anita Allen, West Group, 2007).
Quote: "Professor Anita L. Allen and Henry R. Silverman have written a new privacy law textbook geared to American law schools. The textbook also has the advantage of being versatile enough to be used by instructors of a wide range of topics from undergraduate Constitutional Law to Personal Decision Making, Information Society, Surveillance Society, and Journalism and First Amendment. Professor Allen offers instructors who use the textbook additional resources in the form of model syllabi for courses and a Teacher's Manual. Whether you are looking for a great resource for an academic course on privacy law, a straightforward discussion of privacy from a real world context, or a good practitioner's desk reference on privacy law cases in the United States, I highly recommend this textbook."
[source: EPIC Alert, Volume 14.22]
(2007-10-31) [EPIC] The National Committee On Vital And Health Statistics has submitted a draft report to the Secretary of the U.S. Department of Health and Human Services on the topic of "secondary uses" of electronically collected and transmitted health data. In its report, the Committee recommends extending the applicability of the federal rules that protect the privacy of individuals' medical records.
Specifically, the report recommends that the Health Insurance Portability and Accountability Act of 1996 apply to all users of health data. Currently, HIPAA's coverage is limited to certain groups, primarily insurers and health care providers. The committee will receive public comments on the document in a telephone conference on October 31, 2007 and in written form until November 6, 2007. The Committee will then consider revisions, and will deliver final recommendations to Health and Human Services later this year.
[source: EPIC Alert, Volume 14.22]
(2007-10-31) [EPIC] The European Network and Information Security Agency (ENISA) has issued a position paper on Security Issues And Recommendations for Social Networks. The paper concludes that social networks are a clear benefit to society; however, the study warns of the danger that face recognition and other new technologies pose in a world where social networks may create a false sense of intimacy.
The agency grouped security threats into four categories: privacy, traditional network, identity and social threats. The paper recommends government and corporate policy changes as well as technical and research measures, such as increasing the transparency of data handling practices and encouraging social networking education rather than banning social networking sites in schools.
[source: EPIC Alert, Volume 14.22]
(2007-10-31) [EPIC] Privacy International filed a complaint with the Ontario Information and Privacy Commissioner's Office regarding plans to deploy 12,000 cameras across Toronto's transportation network of buses, streetcars, and subways at a cost of $18 million. According to Privacy International, the Toronto Transit Commission has repeatedly argued that Closed Circuit Television (CCTV) acts as a deterrent despite international criminological evidence proving otherwise.
In its complaint, Privacy International argues that the collection principles in the relevant legislation are not being sufficiently attended to in that the collection is not necessary, that the scheme is being deployed without consideration to privacy and associated protocols, and with insufficient consideration regarding access powers.
[source: EPIC Alert, Volume 14.22]
(2007-10-31) [EPIC] In a letter to the Subcommittee on Financial Services and General Government of the U.S. House Committee on Appropriations, EPIC urged oversight of the Federal Trade Commission's review of the proposed Google-DoubleClick merger. The Subcommittee is responsible for the annual appropriation for the Federal Trade Commission.
In recent complaints to the Federal Trade Commission, EPIC, the Center for Digital Democracy and US PIRG have detailed the reasons why the FTC needs to establish substantial privacy safeguards as a condition of the merger. The filings include proposals for a range of steps the Commission could take by means of a consent order to safeguard consumer privacy.
[source: EPIC Alert, Volume 14.22]
(2007-10-31) [EPIC] In a letter to the Board of the Internet Corporation for Assigned Names and Numbers (ICANN), EPIC expressed its support for changes to Whois services that would protect the privacy of individuals, specifically the removal of registrants' contact information from the publicly accessible Whois database. As explained in Privacy and Human Rights 2006, concealing actual identity may be critical for political, artistic, and religious expression on the Internet.
The ICANN Whois Task Force completed its final report on Whois Services in March 2007. In that report, a majority of members endorsed a proposal called the "Operational Point of Contact" (OPoC). Under OPoC, every registrant would identify a new operational point of contact and the registrant's postal address, city, and postal code would no longer be displayed. The operational point of contact's name and contact information would be displayed instead, and it would replace the administrative and technical contacts. A Whois Working Group, convened to examine some of the implementation details of the OPoC, published its report in August 2007. A public comment period on the report received submissions until October 30, 2007. ICANN members are likely to vote on the issue on October 31, 2007 during the Los Angeles ICANN meeting.
[source: EPIC Alert, Volume 14.22]
(2007-10-31) [CDT] CDT joined with a coalition of privacy advocates on Wednesday to recommend an ambitious set of proposals intended to give consumers greater control over their personal data and to offset the impact of pervasive behavioral tracking. Included in the recommendations is a call to create a national "Do Not Track List" that would provide consumers with a simple tool for opting out of behavioral tracking.
CDT joined with Consumer Action, the Consumer Federation of America, the Electronic Frontier Foundation, Privacy Activism, Public Information Research, Privacy Journal, Privacy Rights Clearinghouse, and the World Privacy Forum in crafting the proposal, which is timed to coincide with the start Thursday of a two-day Federal Trade Commission workshop on behavioral targeting.
[source: News]
(2007-10-30) [Davis Wright Tremaine LLP] An article about the upcoming AFI Festival in last Friday's Los Angeles Times focused on a [privacy] controversy around one of the film festival's productions by Adam Rifkin titled "LOOK."
"LOOK pieces together [CCTV] information, finding several provocative, interwoven storylines amid the noise of life in a random city." To drive home the point, a photo that accompanies the description depicts two scantily clad young women in a department store dressing room. The photo is not as shocking as the premise that someone could make an entire film 'peeping' through the lens of a surveillance camera. There appears to be a disconnect between what the public generally perceives as 'private' and what is in fact private. The movie makers apparently make this point by violating the average person's notion of personal privacy. (Excerpt from blog post by Tom Jeffry)
[source: Privacy and Security Law Blog]
(2007-10-29) [Datatilsynet] The proposed regulation under the new Freedom of Information Act (offentleglova) requires a number of public bodies and agencies to make their electronic mail journals available on the Internet.
"This creates a need for clear rules about what may be published, and for control routines to prevent human error and system failure," writes Datatilsynet (the Norwegian Data Protection Authority) in its consultation response. Datatilsynet points in particular to four needs: 1) Shielding of more categories of information, such as trivial personal data, national identity numbers and pupil lists. 2) Restrictions on which searches can be performed. 3) Restrictions on the ability to harvest journals and documents in bulk. 4) Possibilities for sanctions.
[source: News]
(2007-10-29) [MIT Technology Review] Mark Williams reviews "The Future of Reputation: Gossip, Rumor, and Privacy" (by Daniel J. Solove, Yale University Press, 2007; ISBN 9780300124989).
Quote: "The book isn't much concerned with privacy advocates' usual bete noir, the surveillance state. Instead, Solove focuses on a more down-to-earth set of concerns. ... The current state of the Internet allows townsfolk to be nearly lethal. ... Solove sees an expanded role for law here, but he disapproves of authoritarian legislation that attempts to ban specific kinds of speech or activity. ... Solove's proposals in The Future of Reputation, if tried, might work or fail. They have the virtue, at least, of giving us something to think about beyond the old binary view of privacy, which is too blunt and dysfunctional to address privacy in the Internet era." (Excerpt from story by Mark Williams)
[source: News]
(2007-10-29) [Dow Jones & Company, Inc.] In May 2002, Las Vegas resident Adam Gregory went on a business trip to Phoenix. He stayed at the Ritz-Carlton and charged the $1,082 bill to his American Express card -- or so financial records show.
In fact, Mr. Gregory didn't live in Las Vegas, never held a job and wasn't even a real person. Rather, Mr. Gregory was a "synthetic" identity -- a person who appears real on paper but is actually a fraudster's concoction designed to trick financial institutions into granting loans and issuing credit cards. In the case of Mr. Gregory, the man behind the mask was James Rose, a 46-year-old former credit-bureau operator. (Excerpt from news story by Christopher Conkey)
[source: Wall Street Journal]
(2007-10-29) [Wired] From the company that brought you the C programming language comes Hancock, a C variant developed by AT&T researchers to mine gigabytes of the company's telephone and internet records for surveillance purposes.
An AT&T research paper published in 2001 and unearthed today by Andrew Appel at Freedom to Tinker shows how the phone company uses Hancock-coded software to crunch through tens of millions of long distance phone records a night to draw up what AT&T calls "communities of interest" -- i.e., calling circles that show who is talking to whom. The system was built in the late 1990s to develop marketing leads, and as a security tool to see if new customers called the same numbers as previously cut-off fraudsters -- something the paper refers to as "guilt by association." (Excerpt from news story by Ryan Singel)
[source: Blogs]
(2007-10-22) [The Register] A school in Doncaster is piloting a monitoring system designed to keep tabs on pupils by tracking radio chips in their uniforms.
According to the Doncaster Free Press, Hungerhill School is testing RFID tracking and data collection on 10 pupils within the school. It's been developed by local company Darnbro Ltd, which says it is ready to launch the product into the £300m school uniform market. Boss Trevor Darnborough said: "The Department for Education and Skills is keen to promote use of electronic registration in schools because of its benefits in efficiently monitoring pupils' attendance and the speedy retrieval and analysis of data." (Excerpt from news story by Chris Williams)
[source: News]
(2007-10-22) [Mercury News] Identity thieves are typically young, work solo and rely on the Internet for fewer than one-fifth of their crimes, according to a new study of Secret Service cases.
The Center for Identity Management and Information Protection also found that "insider" employees were the offenders in just one-third of the cases. Employees who stole identity information often worked in the retail industry, the report found. "There are some common perceptions we have that identity theft involves a person sitting at a computer hacking into corporate or individual computers. ... Certainly it is happening, but it is a crime that is happening in a multitude of ways, some of it as simple as stealing mail out of a mailbox," said Gary Gordon, a professor of economic crime programs who founded and heads the center at Utica College. The Department of Justice-funded study, which was to be released Monday at a news conference in Washington, D.C., differs from previous studies because it focused on identity thieves and their methods, rather than victims, said Michael Stenger, Assistant Director of Investigations for the Secret Service, which agreed to open its case files to the center.
[source: siliconvalley.com]
(2007-10-18) [Datainspektionen] An expanded exchange of personal data between public authorities may threaten individuals' privacy and lead to data being disseminated improperly. Technical measures are therefore needed to limit the selection of data. That is Datainspektionen's (the Swedish Data Inspection Board's) response to the consultation on the proposal for electronic information exchange.
Under the proposal of the Information Exchange Inquiry (Informationsutbytesutredningen), various public authorities would be given more ways to access each other's registers. By retrieving data directly from other authorities instead of having the individual supply it, case handling can become more efficient and the risk of incorrect benefit payments is reduced. But the proposal has shortcomings when it comes to protecting personal privacy, in Datainspektionen's view.
[source: News]
(2007-10-24) [EDRI] Two recent stories have confirmed that security measures in Irish government databases are inadequate.
In the first case an official in the Department of Family and Social Affairs was found by police to have leaked personal and financial information to his brother, a serious criminal, which was then used to target victims for burglary and blackmail. The second case involved another official in the same department who examined files on Irish celebrities and systematically leaked that information to the media.
[source: EDRI-gram, Number 5.20]
(2007-10-24) [EDRI] With its final vote on 23 October 2007, the French Parliament confirmed the introduction of DNA testing in the new immigration law to prove family links for foreign applicants seeking a visa of more than 3 months on family reunification grounds. The only recourse now would be a decision from the French Constitutional Council to remove this provision from the law, since the Parliamentary opposition (Socialists, Communists and Greens), together with some centrist members of Parliament, announced that it would challenge the adopted law before the Constitutional judge.
The final vote occurred after a Parliamentary Commission agreed on the harmonisation of the draft texts resulting from both the National Assembly and the Senate. With respect to the DNA testing provision as initially adopted by the National Assembly, some modifications were made in order to answer some of the criticisms. The main changes are: the DNA tests will be paid for by the French government and no longer at the expense of the visa applicant; the biological family links would be checked against the mother's DNA to avoid unexpected, possibly dramatic revelations in the family; the need for the test must be authorised by a civil court; informed consent from the persons concerned must be expressly collected; the whole provision is now declared experimental and will be revised after the end of 2009.
[source: EDRI-gram, Number 5.20]
(2007-10-24) [EDRI] On 1 November 2007, registration offices throughout Germany will begin collecting fingerprints from all citizens wishing to travel. Two years after the storage of a facial image on an RFID chip was introduced, the project of full biometric registration of the whole population continues. Germany's Chaos Computer Club (CCC) points out once more that the ePassport has risks and side-effects, which particularly affect senior citizens.
Many older people will have problems giving fingerprints. Experience as well as international and German studies show that considerably more than 10% of all senior citizens must expect to have no recordable fingerprints. This will inevitably expose them to discrimination through tightened inspections and longer delays. People working intensely with their hands will face the same disadvantages.
[source: EDRI-gram, Number 5.20]
(2007-10-24) [EDRI] All Nedap/Groenendaal voting machines were decertified on 1 October 2007 by the District Court of Alkmaar in the Netherlands, following the 'Voting with confidence' advice issued on 27 September by the Korthals Altes Committee (created to verify the validity of the systems), and the announcement by the Secretary for the Interior that the 'Regulations for approval of voting machines 1997' would be withdrawn.
The action is the result of an administrative law procedure started by the 'We do not trust voting computers' foundation in March 2007. The foundation had issued a report in October 2006 examining the Nedap/Groenendaal ES3B in operation in 8 out of 9 polling stations in the Netherlands. The report showed that the systems were highly insecure, leaving room for large-scale fraud. The Korthals Altes Committee report confirmed the foundation's results.
[source: EDRI-gram, Number 5.20]
(2007-10-24) [EDRI] Austrian authorities have announced that the police will start in 2008 to use online searches as an investigation tool in order to keep up with the use of new technologies for terrorist and serious crimes. Austria thus joins Germany and Switzerland, which are working in the same direction despite serious privacy concerns.
In an interview with the radio station Ö1, the Austrian Minister of Internal Affairs, Günther Platter, and the Minister of Justice, Maria Berger, announced this new measure, which was proposed for discussion at the Government meeting. The two politicians explained that the measure will be used only in connection with terrorist cases or other serious crimes where a punishment of at least 10 years' imprisonment is foreseen.
[source: EDRI-gram, Number 5.20]
(2007-10-20) [Times Newspapers Ltd] Children are being tracked by micro-chips embedded in their uniforms in a trial at a secondary school.
The devices are used to monitor pupils' movements and register their arrival in class on the teacher's computer. Supply teachers can also be alerted if a student is likely to misbehave. The chip connects with teachers' computers to show a photograph of the pupil, data about academic performance and whether he or she is in the correct classroom. It can also restrict access to areas of the school. The radio frequency identification system is being tested at Hungerhill School in Doncaster, South Yorkshire. Ten pupils began wearing a chip sewn into their uniforms eight months ago. The scheme has drawn criticism from human rights campaigners. "Tagging is what we do to criminals we let out of prison early," said David Cleater, from Leave Them Kids Alone, which campaigns against the finger-printing of pupils. "It is appalling." (Excerpt from news story by Nicola Woolcock)
[source: TimesOnLine]
(2007-10-19) [EPIC] The governments of Canada and the U.S. are negotiating proposed requirements under the U.S. Secure Flight program, a passenger prescreening program. Canada is objecting to the proposal to require all airlines to send all passenger lists and detailed personal data for travelers on flights that do not land in the U.S. but merely cross U.S. airspace en route to countries such as Mexico.
Canada states that this requirement would violate its privacy laws. Secure Flight was revamped and reintroduced in August after being suspended for more than a year because of privacy and security vulnerabilities, but the program remains riddled with such problems. Comments on the proposed Secure Flight requirements are due October 22.
[source: EPIC Alert, Volume 14.21]
(2007-10-19) [EPIC] The Transportation Security Administration is expanding the use of "backscatter X-ray" systems to screen passengers before boarding airplanes to more airports, including New York's Kennedy and Los Angeles International. The $100,000 refrigerator-size machines use "backscatter" technology, which bounces low-radiation X-rays off of a passenger to produce photo-quality images of metal, plastic and organic materials underneath clothes.
These devices reveal not only prohibited items but also medical details such as prosthetic devices. TSA states that the machines will use software that blurs images of passengers, so screeners will see weapons but only fuzzy images of people's bodies. However, backscatter X-ray machines are designed to record and store naked pictures of U.S. travelers. TSA states that operators would delete the raw images, but the machines do not prevent them from saving the detailed images. Until there is such a prohibition, funding for the program should be canceled.
[source: EPIC Alert, Volume 14.21]
(2007-10-19) [EPIC] This summer's Protect America Act (PAA) temporarily authorized warrantless surveillance of communications that Americans have with individuals abroad. The use of this authority will require the deployment of new interception technologies. These new technologies raise several significant security risks.
The report identified the three most serious security risks. The experts pointed to the danger that the system could be exploited by unauthorized users. A Greek wiretapping system was exploited by an as yet unknown party to listen in on government conversations. FBI documents of the DCS 3000 telephone wiretap system revealed several problems in the system's implementation. This risk turns a surveillance system on its head.
[source: EPIC Alert, Volume 14.21]
(2007-10-19) [EPIC] Last week, thousands of French citizens attended a concert organized by SOS Racisme to protest a new proposed law authorizing DNA tests for immigrants. The law authorizes the use of DNA testing to determine whether foreigners applying for visas are actually related to family members they seek to join in France. Critics of the proposal claim it infringes basic human rights.
The main argument against the amendment is that the notion of family in French law is not based on blood, but on recognition of a child as one's own. DNA testing would set up a double standard - one for the French, another for immigrants. The testing could also prejudice the immigration status of stepchildren and adopted children. Another recent amendment to the proposal has limited the testing only to maternity, leaving aside the "potentially embarrassing" question of paternity. The new legislation also stirs up memories of the collaborationist Vichy government during the Nazi occupation of France.
[source: EPIC Alert, Volume 14.21]
(2007-10-19) [Davis Wright Tremaine LLP] Significance of the Law: Nevada has enacted the first data security law that mandates encryption for the transmission of customer personal information. (NRS 597.970) The law goes into effect on October 1, 2008. While there are several laws that direct organizations in certain industries to consider using encryption and laws that make encryption a factor in decisions regarding breach notifications, no law required the encryption of personal information prior to this Nevada law.
Summary of the Law: The law is brief and provides that "A business in this State shall not transfer any personal information[1] of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption[2] to ensure the security of electronic transmission." (Excerpt from news story by Charlene Brownlee)
[source: Privacy and Security Law Blog]
(2007-10-19) [Help Net Security] CustomizeGoogle is a Firefox extension I have been using for quite some time now. It offers some valuable settings that are aimed at Google users. Some of them include URL previews, Google search suggest words, customizing search result pages and much more.
The extension also contains a number of security enhancements that could make your online life much easier and more private. This is an overview of these security functions in CustomizeGoogle. (Excerpt from news story by James Hicks)
[source: News]
(2007-10-19) [1105 Media, Inc] The federal government is producing a variety of identification documents for its own employees, critical infrastructure workers and international travelers. But some lawmakers are concerned about the cost of the overlapping programs and the threat to privacy posed by the technology they use.
During a hearing yesterday on Capitol Hill, Rep. Edolphus Towns (D-N.Y.), chairman of the House Government Reform and Oversight subcommittee on Government Management, Organization and Procurement, questioned the need for multiple formats and technologies for IDs. He noted that the Homeland Security Department alone has three different programs issuing cards to frequent border crossers. In addition to the Trusted Worker Identification Credential for workers in secure areas of sea and airports, there also is the Personal Identity Verification card mandated in Homeland Security Presidential Directive 12 for federal workers and new smart driver's licenses mandated by the Real ID Act. (Excerpt from news story by William Jackson)
[source: Government Computer News]
(2007-10-18) [Davis Wright Tremaine LLP] California Governor Arnold Schwarzenegger vetoed AB 779 -- legislation that would have amended California's data security breach legislation to impose stronger data protection requirements than the Payment Card Industry Data Security Standard.
AB 779 would have prohibited businesses that sell goods or services to any resident of California and that accept as payment credit cards (and debit cards or other payment devices) from, among other things, storing, retaining, sending, or failing to limit access to payment-related data, and from storing sensitive authentication data subsequent to an authorization, unless a specified exception applied. Further, the bill would have made such businesses liable to the owner or licensee of the information for the reimbursement of costs of: (i) providing notice to consumers as required by existing data breach notification law; and (ii) card replacement as a result of the breach. (Excerpt from news story by Charlene Brownlee)
[source: Privacy and Security Law Blog]
(2007-10-12) [EFF] The Electronic Frontier Foundation (EFF) told a congressional committee today that the government's illegal dragnet electronic surveillance opens the door to even more privacy violations for ordinary Americans.
The sheer volume of personal information collected and the databases in which that information is stored create a giant target for attackers who want to steal or expose Americans' personal data. In a response to questions asked of EFF by the House Committee on Energy and Commerce, EFF Legal Director Cindy Cohn explained in comments submitted Friday that an increase in the number of databases introduces more points of vulnerability into the system, putting sensitive personal information from millions of people at risk. "We have all heard about security problems with government databases. A report from the Department of Homeland Security found 477 breaches in 2006 alone," said Cohn. "The warrantless domestic surveillance going on now isn't just illegal -- it could expose your personal information to thieves and criminals."
[source: News]
(2007-10-10) [EDRI] More than 600 persons from 50 countries gathered in Montreal to participate in the 29th International Conference of Data Protection and Privacy Commissioners on 25-28 September 2007, making this year's event the one attended by a record number of interested parties.
The theme of the conference, 'Privacy Horizons: Terra Incognita', certainly played a role in this attraction. The audience was not disappointed by presentations and panels exploring currently challenging issues in the field of privacy and data protection, such as nanotechnology, ubiquitous computing and the body as data, not to mention already well known but continuously concerning issues like globalization, public safety and the interpenetration between law and technology.
[source: EDRI-gram, Number 5.19]
(2007-10-10) [EDRI] The controversial Part 3 of the Regulation of Investigatory Powers Act (RIPA) in the UK has been in force since 1 October 2007. This new regulation gives police forces the power to demand the disclosure of encryption keys, or to force suspects to decrypt encrypted data.
RIPA was adopted in 2000, but Part 3 was not brought into force until last year, when the UK government started a public consultation on its enforcement. Despite the negative comments received from security experts and the major concerns that such a measure will push businesses outside the UK, the authorities decided to uphold their initial position and apply the law from 1 October 2007.
[source: EDRI-gram, Number 5.19]
(2007-10-10) [EDRI] The European Commission (EC) is concerned about the way the UK has implemented the provisions for protecting personal data, according to information revealed by out-law.com following freedom of information requests.
An investigation was initiated by the EC three years ago regarding the way UK legislation has implemented 11 articles of the 34-article European data protection directive. This investigation has been kept secret by the UK authorities, which have concluded through the Ministry of Justice that the UK "has implemented the Directive fully."
[source: EDRI-gram, Number 5.19]
(2007-10-10) [EDRI] The lack of adequate independence of the Austrian Data Protection Authority (Datenschutzkommission) is an issue the European Commission has been dealing with since a complaint was filed by the data protection association Arge Daten back in October 2003.
In July 2005 the Commission started infringement procedures against Austria for a faulty implementation of Article 28 (1) second sentence of the data protection directive (95/46/EG) which requires that data protection authorities shall exercise their functions with complete independence. The Austrian Data Protection Commission is, in terms of organisation and staff, integrated in the Federal Chancellery.
[source: EDRI-gram, Number 5.19]
(2007-10-10) [EDRI] The Association of the French ISPs (AFA) agreed to propose concrete solutions to stop illegal downloading, following the discussion on 3 October 2007 with the Commission fighting Internet piracy led by Denis Olivennes. The solutions included the introduction of a system to detect the Internet users who illegally post copyrighted content on the Internet.
On 5 September 2007, this French Commission received its formal mission from the French government to find ways of combating illegal downloads on the Internet and thus support the legal cinema and music offer. By deciding to create this mission, the French government wanted to show its determination to take initiatives against online piracy and support the cultural industry. "The idea that everything is possible must come to an end. We cannot let the idea that culture must be free of charge and that creation (...) has no price, therefore no value" stated Christine Albanel, Minister of Culture. On that occasion she also suggested offering Internet users an alternative such as the limited music downloading offer made by Neuf Cegetel in partnership with Universal. Denis Olivennes, President-Director General of FNAC, the largest French retailer of cultural and consumer electronics products, was appointed president of this Commission (called the Olivennes mission).
[source: EDRI-gram, Number 5.19]
(2007-10-10) [EDRI] Today EDRI issued a statement to express its serious concerns over a new Council of Europe Recommendation on 'promoting freedom of expression and information in the new information and communications environment'.
According to EDRI, the newly adopted instrument promotes opaque "self-regulation" and other soft law instruments driven by private interests and implemented through technical mechanisms. EDRI considers this Recommendation to be damaging and a retrograde step for freedom of expression and freedom of the press in the online world. EDRI is deeply concerned that such instruments will be used to legitimize subtle means of censorship, through privatised censorship and measures to protect against so-called harmful content.
[source: EDRI-gram, Number 5.19]
(2007-10-25) "23. Jahrestagung des FIfF 'Datensammelwut'" will take place on October 13 -- 14, 2007 (Bielefeld, Germany).
See calendar entry.
(2007-10-25) "Reinventing data protection" will take place on October 12 -- 13, 2007 (Brussels, Belgium).
See calendar entry.
(2007-10-15) [The Register] Payments processing body SWIFT will stop processing European banking transactions in the US in 2009. It is planning a restructuring of its network and the building of a new operations centre in Switzerland.
SWIFT has been heavily criticised for allowing US authorities access to records of banking transactions involving European citizens. It was revealed by The New York Times last year that US intelligence agencies were allowed to view Europeans' transactions. SWIFT argued that it was obliged to comply with US orders because it carried out hosting and processing of information in the US. European data protection officials have condemned the release of the information. European, Swiss, and Belgian data protection authorities all ruled that SWIFT had broken data protection laws in supplying the information without informing bank customers of the US surveillance.
[source: News]
(2007-10-15) [Ziff Davis Enterprise Inc.] Schwarzenegger claims the proposed data breach security law would have driven up costs for small businesses.
California Gov. Arnold Schwarzenegger on Oct. 13 vetoed -- and effectively killed -- one of the nation's most stringent proposed e-tail data breach security laws, saying that the bill would have "driven up the costs of compliance, particularly for small businesses." The proposed California law -- AB 779 -- would have required retailers to protect data in a manner more demanding than the current PCI DSS (Payment Card Industry Data Security Standard) requires. (Excerpt from news story by Evan Schuman)
[source: eWeek.com]
(2007-10-15) [PinsentMasons] The set of rules which Google proposed as the foundation for a global privacy standard is inadequate, a privacy law expert has said. The rules are not specific enough to operate as a global standard, said the expert.
Last month Google's Global Privacy Counsel Peter Fleischer endorsed the Privacy Framework published by the Asia-Pacific Economic Community (APEC) in 2005, describing it as "the most promising foundation on which to build." "Surely, if privacy principles can be agreed upon within the 21 APEC member economies, a similar set of principles could be applied on a global scale," wrote Peter Fleischer in the search giant's Public Policy Blog.
[source: Out-law.com]
(2007-10-15) [CMP] A California state senator criticized the RFID industry for being AWOL on the issue and says it should have supported the legislation.
California has enacted a law banning mandatory RFID implants for people. The bill, signed by Gov. Arnold Schwarzenegger, prohibits employers and others from requiring people to get radio frequency identification tags. It takes effect in January. Wisconsin and North Dakota also have banned forced RFID implantation in humans. "RFID technology is not in and of itself the issue," said California Sen. Joe Simitian, who introduced the bill. "RFID is a minor miracle, with all sorts of good uses. But we cannot and should not condone forced 'tagging' of humans. It's the ultimate invasion of privacy." In a statement, Simitian criticized the RFID industry, saying it should have supported the bill on the basis of "enlightened self-interest" and that its silence on the issue is "unforgettable and regrettable." (Excerpt from news story by K.C. Jones)
[source: InformationWeek]
(2007-10-15) [The Register] Hacking pranksters have caused a rumpus in Finland by posting the account and login details of thousands online.
The information - usernames, email addresses, some passwords and many more uncracked password hashes of almost 79,000 user accounts - is largely from different Finnish web forums. By itself that's bad enough, but the possibility that many on the list use the same password for more sensitive online banking accounts and the like creates an even more significant security risk. Matching the hashes corresponding to weaker passwords on the list to their plain text values is straightforward enough using password dictionary tools and the like. So the 4.5MB list could serve up rich pickings for potential fraudsters. The motives for and methods used in the attack, much less its perps, remain unclear. (Excerpt from news story by John Leyden)
[source: News]
(2007-10-15) [ComputerWorld] Privacy concerns related to the use of radio frequency identification technology are reaching new heights, as legislators increasingly look to restrict RFID deployments and corporate employees criticize efforts to use it in identification badges.
At the same time, champions of the technology contend that not enough is being done to promote the value of RFID. For example, they say, it can be used to track tainted foods or counterfeit drugs or to reduce inventory-tracking costs. (Excerpt from news story by Matt Hamblen)
[source: Security]
(2007-10-15) [Heise Zeitschriften Verlag] Many within Central and Eastern Europe are unaware that Big Brother has not only put on a three-piece suit, but has also gone digital.
At the end of September, thirty eight experts in computer security and data privacy issues from around the world converged on Budapest for the third annual ITBN. The ITBN, also known as the Information Technology Security Day, is an all-day conference devoted specifically to network security and data privacy issues. Although it's still a relatively new event, the ITBN has become one of the most visible and well-known information technology events in Central and Eastern Europe. The original purpose of the ITBN is to draw the attention of the general public to security issues - even for those who are not immediately aware of them. It's a forum geared for both business users and end users alike with experts exchanging their ideas on the latest technologies and methods to safeguard computer networks and data. (Excerpt from news story by John Horvath)
[source: heise on-line]
(2007-10-12) [1105 Media Inc.] Program managers need to apply privacy and security best practices early when they plan systems if they want to manage risk effectively, said Robert Wright, principal at Merrill and former chief of the plans and program management unit in the FBI's Cyber Division. Program management is about managing risk, he said.
To know what to implement, program managers should use as their reference guide laws such as the Privacy Act and requirements of the Office of Management and Budget that govern privacy and security, said Sally Wallace, associate deputy assistant secretary for privacy and records management at the Veterans Affairs Department. (Excerpt from news story by Mary Mosquera)
[source: fcw.com]
(2007-10-12) [SC Magazine] A gap has emerged between the views of consumers in the UK and continental Europe on data privacy and dependable IT, a new report suggests.
The research, published by Unisys, found that while 81 per cent of UK customers believe an organisation's ability to secure their data is a key trust-building attribute, just 42 per cent of French, 40 per cent of Belgians and a third of German consumers have the same view. "This research illustrates that there is still a distinct lack of awareness among consumers in many European countries about the value of having their personal data protected," said Rene Head, head of enterprise security in continental Europe at Unisys, in a statement. According to the report, three-quarters of British consumers believe dependable IT is fundamental in building their trust, compared with an average of 42 per cent of users in continental Europe. (Excerpt from news story by Fiona Raisbeck)
[source: News]
(2007-10-12) [McGraw-Hill Companies Inc.] Google (GOOG) wants new, international standards for the way consumer information is collected and used. The Web search provider issued the call on its Web site on Sept. 14, arguing that the existing confusion of international privacy law hampers the growth of Internet companies and doesn't really protect consumers.
Google hasn't said much about its ultimate strategy, but what little is known merits closer examination. On one hand, Google's call can be seen as shrewd, forward-thinking business planning. Google has no legal obligation (in the U.S. anyway) to do much of anything to protect user privacy. Yet it has been making efforts. The company voluntarily agreed to purge identifiable information from its databases after 18 months, for example. (Excerpt from news story by David H. Holtzman)
[source: Business Week]
(2007-10-11) [Harvard Business School] A paper by Aaron K. Chatterji and Michael W. Toffel about reactions to data disclosure.
From the Summary: As national governments lose the ability to regulate business activities, interest groups and concerned citizens are turning to private governance to monitor global supply chains, ensure product safety, and provide incentives for improved corporate environmental performance. Proponents hope that private governance incentives will encourage firms to act responsibly, but critics worry that these developments will merely forestall necessary government regulation. Social ratings provide one way to benchmark and compare firms' social performance. But are such ratings schemes effective? This paper investigates the effects of third-party environmental ratings, and finds that firms are particularly likely to respond to such ratings by improving their environmental performance when two circumstances arise simultaneously: (1) when the ratings threaten their legitimacy, and (2) when they face relatively low cost improvement opportunities. Key concepts include: Ratings provided by nongovernment organizations will be more influential on firm behavior if they do 2 things: highlight poor social issue management and performance while at the same time help firms identify low-cost improvement opportunities. The role of third-party monitoring will be increasingly important as private governance replaces government regulations around the world.
[source: Working Papers]
(2007-10-11) [Heise Zeitschriften Verlag] After the hearing pertaining to the Constitutional Protection Act from the state of North Rhine/Westphalia (NRW), experts do not believe that the controversial regulation, which would allow IT systems to be searched online, stands much of a chance.
In a number of critical questions, the Court's First Chamber indicated to the government of NRW that its Act was not clearly formulated, thus violating the requirement that regulations be clear. The Court's president Hans-Jürgen Papier also announced that a ruling would be handed down on the general constitutionality of covert online searches "far beyond" the current NRW case. He said that "basic issues of liberty and security" have to be weighed off against each other in light of the changing nature of recent terrorist threats.
[source: heise on-line]
(2007-10-09) [WAMU: The Kojo Nnamdi Show] With the explosion of text messaging, instant messaging, social networking sites and other technologies, many parents have resigned themselves to their kids' high-tech habits. But all hope isn't lost for those who want to protect their kids from online threats.
Join Kojo for a Tech Tuesday look at how and when to monitor your kids on the web. Listen to the podcast (length 00:60:00)
[source: Tech Tuesday]
(2007-10-09) [CNET Networks, Inc] Gatwick airport is the latest UK airport to trial biometric fingerprinting technology to boost immigration security.
The BioDev pilot has been running in the airport's North Terminal since 18 September and is due to end in April next year. At present only arrivals from Sierra Leone who have been issued with biometric visas in the capital Freetown will be included in the trial. (Excerpt from news story by Tim Ferguson)
[source: silicon.com]
(2007-10-07) [Mutants LLC] Here's a one-hour video of a magnificent lecture from Ontario's Information and Privacy Commissioner, Dr Ann Cavoukian, to the University of Waterloo's Computer Science Club. The talk is called "Privacy by Design," and it charges technologists to build tools that minimize the collection and retention of personally identifying information, and to consider a complete, end-to-end, comprehensive framework for protecting user privacy.
As Mitch Kapor said when he founded EFF, "architecture is politics" -- when you design tools that have wiretappable elements, you invite wiretapping. When you design tools that retain user data, you invite identity thieves and overreaching subpoenas. (Excerpt from news story by Cory Doctorow)
[source: boingboing]
(2007-10-06) [EPIC] The Department of Homeland Security's files on travelers include data on their race, religion, personal items they carry (including their books), and with whom they stay or travel, according to documents disclosed to the Identity Project pursuant to a Freedom of Information Act request.
These detailed files are created under the Automated Targeting System, which creates secret, terrorist "risk assessments" on tens of millions of U.S. citizens and foreign visitors and keeps the data for 15 years. Last month, in comments to DHS, EPIC detailed significant security and privacy problems in ATS, and urged the agency to either suspend the system or to fully apply all Privacy Act safeguards to any individual subject to ATS.
[source: EPIC Alert, Volume 14.20]
(2007-10-06) [EPIC] Democratic members of the Homeland Security Committee asked the House Appropriations Subcommittee on Homeland Security to withhold funding for domestic satellite surveillance programs.
The National Applications Office, a new DHS component, plans to share intelligence satellite imagery inside the United States with non-intelligence state, local and federal agencies. Democrats urged that funding be withheld until written legal procedures for protecting privacy and civil liberties were prepared.
[source: EPIC Alert, Volume 14.20]
(2007-10-06) [EPIC] EPIC's Spotlight on Surveillance project is scrutinizing the Secure Flight traveler prescreening program run by the Department of Homeland Security's Transportation Security Administration. Spotlight details the problems in the system; these issues are also discussed in recent comments EPIC submitted to DHS about Secure Flight's proposed rulemaking.
The Department of Homeland Security's Fiscal Year 2008 budget request is an 8 percent increase over last year's request. Included in the $46.4 billion proposed budget for the agency is $38 million designated for Secure Flight, on top of the $144 million that has been spent on the program. Introduced in 2004, Secure Flight has been roundly criticized.
[source: EPIC Alert, Volume 14.20]
(2007-10-06) [EPIC] The Electronic Privacy Information Center (EPIC) and Privacy International released the 9th "Privacy and Human Rights" report last week at the International Conference of Data Protection and Privacy Commissioners in Montreal. "Privacy and Human Rights: an international survey of privacy laws and developments" provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. It singles out a number of global trends, such as expansion of identification technologies, new data retention schemes, and intensified international data transfers, among others.
According to EPIC's Executive Director, Marc Rotenberg, "the report makes clear that what is needed today is the enforcement of privacy rights as fundamental human rights and not ever-weaker policy frameworks that allow governments and businesses to do whatever they wish with the personal information of individuals."
[source: EPIC Alert, Volume 14.20]
(2007-10-06) [EPIC] In testimony before the Senate Judiciary Committee on September 27 about the pending Google-DoubleClick merger, EPIC Executive Director Marc Rotenberg said that the Federal Trade Commission should establish privacy safeguards as a condition of the merger. EPIC filed a complaint before the Commission in April regarding the merger, similar to other complaints filed by EPIC in the DoubleClick-Abacus merger, the Microsoft Passport matter, and Choicepoint. Since the filing of the EPIC complaint, competition authorities around the world have opened investigations.
At the hearing, entitled, "An Examination of the Google-DoubleClick Merger and the Online Advertising Industry: What Are the Risks for Competition and Privacy?," Senator Herb Kohl agreed that privacy is an integral part of the antitrust review. "Some commentators believe that antitrust policymakers should not be concerned with these fundamental issues of privacy, and merely be content to limit their review to traditional questions of effects on advertising rates. We disagree," Sen. Kohl said. "The antitrust laws were written more than a century ago out of a concern with the effects of undue concentrations of economic power for our society as a whole, and not just merely their effects on consumers' pocketbooks. No one concerned with antitrust policy should stand idly by if industry consolidation jeopardizes the vital privacy interests of our citizens so essential to our democracy."
[source: EPIC Alert, Volume 14.20]
(2007-10-04) [BBC] Every autumn the privacy world gathers for the most important global privacy conference on the calendar. The International Data Protection and Privacy Commissioners' conference brings together hundreds of privacy commissioners, government regulators, business leaders, and privacy advocates who spend three days grappling with emerging issues.
The theme of this year's conference, held in Montreal, Canada, was "Terra Incognita," a reference to the unknown lands that typify the fear of the unknown in a world of rapidly changing technologies that challenge the core principles of privacy protection.
[source: News]
(2007-10-16) "ACI's 7th National Symposium on Privacy & Security of Consumer and Employee Information" will take place on January 23 -- 24, 2008 (Philadelphia, PA).
See calendar entry.
(2007-10-03) [CMP] A security company is urging Facebook to tighten its default privacy settings after a study showed that a large majority of users are offering up far too much personal information to keep them safe from cybercriminals.
Sophos researchers reported their recommendations Tuesday after they took a random snapshot of 200 users in the London Facebook network, which is the single largest geographic network on the site, with more than 1.2 million members. They said they found that 75% of the social network's users allow their profiles to be viewed by any other member, regardless of whether or not they have agreed to be "friends". It's not just a concern for individual users, either. Sophos researchers noted that 25% of Facebook users revealed information relating to their work on their profiles, offering up details that could be used by cybercriminals to commit corporate ID fraud or infiltrate company networks. (Excerpt from news story by Sharon Gaudin)
[source: InformationWeek]
(2007-10-02) [EFF] The Associated Press, the Washington Post and Wired's Threat Level are reporting on testimony by Jack Goldsmith, former head of the Justice Department's Office of Legal Counsel. Goldsmith testified that there were certain aspects of the warrantless surveillance program "that I could not find the legal support for," describing the basis as "a legal mess ... it was the biggest mess I encountered there."
Jack Goldsmith is testifying at a hearing of the Senate Judiciary Committee, headed by Senator Patrick Leahy. Leahy has been trying to investigate the warrantless surveillance program for months, but isn't getting anywhere working with the administration directly.
[source: News]
(2007-10-02) [Concurring Opinions] I'm very excited to announce that my new book, "The Future of Reputation: Gossip, Rumor, and Privacy", is now hot off the presses!
From the book jacket: "Teeming with chatrooms, online discussion groups, and blogs, the Internet offers previously unimagined opportunities for personal expression and communication. But there's a dark side to the story. A trail of information fragments about us is forever preserved on the Internet, instantly available in a Google search. A permanent chronicle of our private lives -- often of dubious reliability and sometimes totally false -- will follow us wherever we go, accessible to friends, strangers, dates, employers, neighbors, relatives, and anyone else who cares to look. This engrossing book, brimming with amazing examples of gossip, slander, and rumor on the Internet, explores the profound implications of the online collision between free speech and privacy." (Excerpt from blog post by Daniel J. Solove)
[source: Blog]
(2007-10-02) [Forbes] Is there a revival of interest among Americans in protecting personal privacy? I believe that there is, and you can see the signs everywhere.
This comes at a time when the President has nominated for attorney general a judge who seems to think that civil liberties protections can be ignored in difficult times, when we are rushing towards a de facto national ID card required of all Americans, and when the Bush administration continues to assert unprecedented claims to conduct secret collections of personal information and to monitor electronic communications with total disregard for existing laws. (Excerpt from news story by Robert Ellis Smith)
[source: Forbes.com]
(2007-10-02) [Heise Zeitschriften Verlag] In a ruling, dated March 27, 2007, which has only now been published and is likely to have legal ramifications, the local court of the Berlin district of Mitte has barred the Federal Ministry of Justice from retaining personal data acquired via its website beyond the periods associated with the specific instances of use of the site.
Thus IP addresses in particular may no longer be filed away. Given these Web markers "it is even today possible in most cases, without any elaborate effort being required, to identify Internet users by merging personal data with the help of third parties," the judges declared. The local court also opposed the view espoused by operators and some data privacy watchdogs that security reasons justify a recording regime that over short periods of time maps the behavior of all Net users and allows individual users to be picked out. (Excerpt from news story by Stefan Krempl)
[source: heise on-line]
(2007-10-02) [Reuters] The Canadian government plans to criminalize identity theft to give police the ability to stop such activity before any fraud has actually been carried out, Justice Minister Rob Nicholson said on Tuesday.
He said he would introduce legislation targeting the actual gathering and trafficking in credit card, banking and other personal data for the purposes of using it deceptively. Identity fraud is already a crime in Canada, but gathering and trafficking in identity information generally is not. "Our government will be giving police the tools to better protect Canadians by stopping identity theft activity before the damage is done," Nicholson said in a statement.
[source: Reuters News]
(2007-10-01) [Federal Times] Employee education must be part of every agency's privacy and information security program. So, how do you craft a privacy program that effectively educates your agency's work force from the chief executive to interns?
Annual computer security and privacy awareness training for all employees is a good start, but it is just the beginning. Planning an agencywide "privacy week" or similar event is an excellent way to put privacy center stage and demonstrate your agency's commitment to building a culture of privacy and security. The theme for the Federal Trade Commission's privacy week held this past March was "Info -- Handle With Care." Your privacy week can include events such as educational seminars on compliance issues, training sessions on technology resources that protect sensitive information, or an all-day privacy fair. Thought-provoking or "catchy" posters in high-traffic areas, brochures and contests and prizes help to generate enthusiasm for the week's activities and to communicate the message. Finally, to reinforce your agency's commitment -- in terms of resource investment and leadership buy-in -- have your agency head host an event or deliver a speech explaining why privacy and security are important. (Excerpt from news story by Marc Groman)
[source: FederalTimes.com]
(2007-10-04) "Datenschutztag 2007" will take place on October 12, 2007 (Bielefeld, Germany).
See calendar entry.