SAITS

SAITS news - May 2007


Alliance: NIST smart card evaluations insufficient

(2007-05-24) [1105 Media, Inc] The National Institute of Standards and Technology hasn't sufficiently evaluated a set of technologies about to be used in border-crossing identification cards, charges a smart card industry group.

The group, the Smart Card Alliance, believes that NIST certified the Generation 2 Radio Frequency Identification card architecture for the People Access Security Services (PASS) Card without using "the appropriate standards and best practices relevant to human identity applications," wrote Smart Card Alliance Executive Director Randy Vanderhoof in a May 17 letter to NIST Director William Jeffrey. The alliance is a trade association representing companies that make identification cards and related systems. (Excerpt from news story by Alice Lipowicz) See Bruce Schneier's commentaries on this issue: DHS Privacy Committee Recommends Against RFID Cards (November 01, 2006) and RFID in People Access Security Services (PASS) Cards (May 30, 2007).

[source: Government Computer News]

DHS Notice of Proposed Rulemaking: REAL ID

(2007-05-07) [Department of Homeland Security] The Data Privacy and Integrity Advisory Committee of the Department of Homeland Security has issued a report on REAL ID.

See Notice of Proposed Rulemaking for Implementation of the REAL ID Act.

[source: Privacy Office announcements]

Privacy Commissioner calls for stronger data protection

(2007-05-31) [CIPPIC] In her 2006 Annual Report on the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal Privacy Commissioner expressed concerns about private sector treatment of personal data, noting recent high profile data breaches.

She also released the results of a survey of Canadian businesses, which suggests high rates of non-compliance with PIPEDA.

[source: News]

ICAO's 3rd MRTD report

(2007-05-18) [Security Document World] ICAO has issued Volume 2, Number 1 of the MRTD Report. The issue focuses on two subjects relating to the ICAO Biometric Blueprint: the use of the face as the primary biometric for interoperability of ePassports, and the launch of the ICAO Public Key Directory (PKD).

The ICAO PKD is the main global distribution point for the public signing key certificates of all ePassport issuers, which inspecting states need in order to validate and authenticate such documents. The idea is for inspectors of ePassports throughout the world to be able to access the PKD and use the public signing keys to validate ePassports with confidence. As of mid-March this year the States participating in the PKD were: Australia, Canada, New Zealand, Singapore and the United Kingdom.

[source: News]

Forget security and privacy: Focus on trust

(2007-05-31) [Network World, Inc.] Security and privacy are bad words with bad histories, evoking bad connotations with most enterprise stakeholders. For companies to succeed at safeguarding their data, these words must go away. Here's why.

Information security and privacy protections as we know them today are a response to the ills that have befallen enterprises over time. Enterprises experience a problem or incident and don't want it to happen again, so they find the most practical way to eliminate it or mitigate against it. As a result, security and privacy practices tend to be restrictive. Furthermore, there seems to be no natural home for security or privacy in the corporate hierarchy. Every organization uniquely figures out where best to place them, so long as the chief executive doesn't have to be too bothered. (Excerpt from news story by John C. Reece)

[source: Network World]

The Great Quadrangle

(2007-05-31) [Susan Crawford blog] Back in March 2004, the FCC issued a remarkable piece of paper -- an "IP-Enabled Services" notice of proposed rulemaking. Someone sidled up to me and said, "it's all over! This is Computer Four! The FCC is in charge!"

In a nutshell, the March 2004 notice suggested that the FCC believed it had jurisdiction over "IP-enabled services" (that is, anything using the Internet Protocol) under its "ancillary" powers in Title I of the 1996 Act. (Translation: even though the statute giving the FCC its power doesn't say anything about the internet, the FCC believes that it has authority to make rules about "services" that use IP. It gets this authority, it believes, from a little line in the first, general Title of the Act that gives it "necessary and proper" internal housekeeping rulemaking authority. So we're into a standardless, undefined area -- all the other Titles are quite specific. So far no one is stopping the FCC and the Supreme Court BrandX opinion defers to the FCC's interpretation of its authority. But I digress). (Excerpt from news story by Susan Crawford)

[source: Blog post]

Cameras everywhere, even in online maps

(2007-05-30) [CNet] Kevin Bankston, staff attorney at the Electronic Frontier Foundation, was surprised to see his face in a street-level image on a now-defunct online map a few years ago.

Worse, he was photographed smoking outside the EFF offices in San Francisco, and he had been trying to hide his habit from his family. That's a relatively benign incident, but it illustrates how easy it is for the technology to threaten an individual's privacy, Bankston said at the Where 2.0 conference here, where Google on Tuesday announced its new street-level map view. Google's feature allows users viewing San Francisco to zoom in close enough to read street signs and even see inside front windows. (Excerpt from news story by Elinor Mills)

[source: News.com]

Book Review: "Complete Guide to Security and Privacy Metrics"

(2007-05-24) [IEEE TC Security & Privacy] Richard Austin reviews "Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI" (by D. Herrmann; Auerbach: Boca Raton 2007; ISBN 978-0-8493-5402-1).

Quote: "In summary, this is not a book that you'll be likely to read from cover to cover, but when faced with the necessity of developing a metrics program to measure the effectiveness of some aspect of your security efforts, this rather imposing tome is one I would heartily recommend as a way to jumpstart your efforts. The master table in the introduction provides a quick guide to the particular section most relevant to the reader's needs but I earnestly recommend that the first two chapters ("Introduction" and "The Whats and Whys of Metrics") be reviewed before diving immediately into the details."

[source: Cipher]

[Swedish] Don't laugh at Ubicomp!

(2007-05-25) [Datainspektionen] If you say "Ubicomp", many people chuckle and think of intelligent refrigerators. But the phenomenon should not be underestimated. For several years the IT industry in the US, the EU and Japan has spent astronomical sums on its development. The idea is that people and devices are to be bound together in one gigantic wireless network, and that may constitute the greatest threat to privacy so far. Datainspektionen has produced a report on the phenomenon.

Ubicomp, or Ubiquitous Computing, that is, computing power that is present everywhere as a matter of course without anyone thinking about it -- much as electricity is today -- is regarded by the IT industry as the cash cow of the future: an easily accessible, wireless infrastructure for information and communication.

Read the report "Ubiquitous Computing -- en vision som kan bli verklighet" (Ubiquitous Computing -- a vision that may become reality).

[source: News]

Book Review: "Understanding Surveillance Technologies"

(2007-05-31) [EPIC] Guilherme Roschke reviews "Understanding Surveillance Technologies: Spy Devices, Privacy, History & Applications", Second Edition (by J. K. Petersen; Auerbach Publications, 2007, ISBN 978-0849383199).

Quote: "The book serves best as a professional or student reference. It should be consulted before one begins a new venture analyzing an area of surveillance. It quickly allows the reader to gain a basic knowledge in the scientific workings of a technology, its history, legal regime, main privacy implications and resources."

[source: EPIC Alert, Volume 14.11]

Facebook Allows Third Party Access to Social Networking Database

(2007-05-31) [EPIC] Social networking service Facebook.com introduced a new feature last week that allows third party websites to access user data. Using an Application Programming Interface, third party websites can offer services to Facebook users based on personal information in the Facebook database.

Facebook users can configure their privacy settings to stop their information from leaving Facebook, but Facebook has configured the Application Programming Interface so that users are opted-in by default.

[source: EPIC Alert, Volume 14.11]

GAO Report: Privacy Office - Progress Made but Challenges Remain

(2007-05-31) [EPIC] The US Government Accountability Office (GAO) issued a report on the Department of Homeland Security's Privacy Office this week. The GAO found that the DHS Privacy Office has made significant progress by establishing a compliance framework for conducting Privacy Impact Assessments, which are required by the E-Government Act of 2002.

The GAO also commended the DHS Privacy Office for integrating privacy considerations into the DHS decision-making process, by establishing an advisory committee, holding public workshops, and participating in policy development. However, the GAO found that limited progress has been made in updating public notices required by the Privacy Act for systems of records that were in existence prior to the creation of DHS. The report recommends appointing privacy officers in key DHS components, implementing a process for reviewing Privacy Act notices, and establishing a schedule for timely issuance of Privacy Office reports.

[source: EPIC Alert, Volume 14.11]

Social Security Agency Revisions to Privacy and Disclosure Rules

(2007-05-31) [EPIC] The Social Security Administration (SSA) has revised its privacy and disclosure rules for the first time since 1980. The revisions, which came into effect on May 29, 2007, describe the existing responsibilities and functions of the Privacy Officer, establish a new senior agency official for privacy as required by the Office of Management and Budget, and explain the SSA's new Privacy Impact Assessment process in accordance with the E-Government Act of 2002.

Further, the revisions state that the SSA cannot process electronic requests via the Internet if the requester's identity cannot be confirmed. Another revision gives individuals more direct access to their medical records.

[source: EPIC Alert, Volume 14.11]

European Privacy Agency Opens Investigation Into Google

(2007-05-31) [EPIC] The European Union's Article 29 Data Protection Working Party has launched an investigation into Google's privacy practices. In a letter to Google, Peter Schaar, chair of the Article 29 Working Party, asked whether the company has "fulfilled all the necessary requirements" to abide by EU privacy rules.

Mr. Schaar explained, "As you are aware, server logs are information that can be linked to an identified or identifiable natural person and can, therefore, be considered personal data in the meaning of Data Protection Directive 95/46/EC. For that reason, their collection and storage must respect data protection rules." EU Directive 95/46/EC states that individuals' personal information can only be collected for "specified, explicit and legitimate purposes." Information that is collected can only be kept in identifiable form for as long as is "necessary for the purposes for which the data were collected or for which they are further processed."

[source: EPIC Alert, Volume 14.11]

Google privacy policy 'is vague'

(2007-05-31) [BBC] Elements of Google's privacy policy are "vague" and need to be made more precise, the firm's global privacy counsel has told BBC News.

Peter Fleischer said the company "could do better" with policy statements that explained why user information was sometimes shared with third parties. Mr Fleischer said Google would never give "identifiable personal data" to third parties, including advertisers. Google's privacy policy has come under scrutiny in recent weeks. (Excerpt from news story by Darren Waters)

[source: News]

Privacy complaints reach record highs, says Ontario czar

(2007-05-31) [InterGovWorld.com] Ontario's privacy chief has reported record-breaking numbers of privacy complaints against health-care and public sector organizations last year. But at least one Canadian analyst is not ready to cast the first stone against these institutions.

Ontario Privacy Commissioner Ann Cavoukian has disclosed in her Annual Report that the number of privacy complaints filed under public sector privacy laws has reached 170 in 2006, the highest in the past nine years. Similarly, privacy-related complaints under the Personal Health Information Protection Act reached 183 in 2006, also a record high. (Excerpt from news story by Mari-Len De Guzman)

[source: InterGovWorld.com]

Data protection watchdogs' letter to Google goes public

(2007-05-30) [PinsentMasons] A letter from an influential group of privacy experts in Europe saying that Google's new privacy policies appear to breach the requirements of the EU's data protection regime was published today.

Previously, Google operated a policy of retaining search queries and identifying information, such as Internet Protocol (IP) addresses, for as long as it thought useful. In March, Google's global privacy counsel, Peter Fleischer, announced a new policy. He said that the company will keep its server log data but will make that data "much more anonymous, so that it can no longer be identified with individual users, after 18 -- 24 months."

[source: Out-law.com]

Google Chairman Dismisses Privacy Issue

(2007-05-30) [The Washington Post] Google Chairman Eric Schmidt said Wednesday that U.S. regulatory approval of his company's proposed acquisition of DoubleClick will not be hindered by concerns over privacy.

Analysts tend to agree. "We're quite convinced that the proposed merger meets all of the appropriate U.S. laws and is ultimately very good for consumers and for advertisers and publishers," Schmidt said at a news conference. Several analysts said the deal would likely win regulatory approval despite advocacy groups' complaints about the two companies' privacy policies and efforts by rivals such as Microsoft Corp. to raise antitrust concerns. (Excerpt from news story by Kelly Olsen)

[source: washingtonpost.com]

CDT Offers Recommendations on Model Privacy Form

(2007-05-30) [CDT] A model privacy notice created by a group of government agencies to give consumers clearer information about their financial institutions' privacy practices is a big step in the right direction.

In comments filed this week with the agencies responsible for the "Interagency Proposal for Model Privacy Form under the Gramm-Leach-Bliley Act," CDT praised the clarity of the model form and offered minor suggestions to make the proposed notice even more useful for consumers. The form is intended to make the ubiquitous financial privacy statements issued by banks and other financial institutions more understandable for consumers.

[source: News]

Which ISPs Are Spying on You?

(2007-05-30) [Wired] The few souls that attempt to read and understand website privacy policies know they are almost universally unintelligible and shot through with clever loopholes. But one of the most important policies to know is your internet service provider's -- the company that ferries all your traffic to and from the internet, from search queries to BitTorrent uploads, flirty IMs to porn.

Wired News, with help from some readers, attempted to get real answers from the largest United States-based ISPs about what information they gather on their customers' use of the internet, and how long they retain records like IP addresses, e-mail and real-time browsing activity. Most importantly, we asked what they require from law-enforcement agencies before coughing up the data, and whether they sell your data to marketers. (Excerpt from news story by Ryan Singel)

[source: News]

On YouTube, Data-mining, & Invasion of Privacy

(2007-05-29) [McAfee, Inc.] Long story short, until it was fixed, the online logged-in browsing habits of users who have uploaded content on YouTube got leaked to the whole world when those videos were viewed via Orkut.

I have seen some explicit/implicit loss of privacy via Web 2.0isms like collaborative filtering (a la Amazon/Delicious) or interestingness (a la Flickr), but this approach seems unprecedented. Crazy huh! (Excerpt from blog post by Vinay Mahadik)

[source: Blog]

What Is Data Security And Privacy Worth?

(2007-05-29) [MediLexicon International Ltd] In a digitized world where massive amounts of patient data can be compromised by a single lost laptop or an individual's identity can be swiped by an online "phishing" expedition, the need for information security is vital. But what is security worth to individuals and companies and what are they willing to pay for it?

Those questions will be the focus of the 2007 Workshop on the Economics of Information Security, a convergence of economists, computer scientists, lawyers and psychologist/behavioral economists June 7-8 at Carnegie Mellon University.

[source: Medical News Today]

RFID privacy: Why not do it right?

(2007-05-29) [Network World, Inc.] California is again taking the lead on privacy issues (see "Knitting legal patchwork quilts"). The state's approach with one use of RFID is a good one, but unfortunately it is only looking at a very small part of the problem.

California's attention to privacy issues begins with its constitution in Article 1, Section 1. California politicians pay attention, at least some of the time. Also, the state's Office of Privacy Protection lists hundreds of laws and pending legislation dealing with privacy. This focus on privacy is quite different from that of the U.S. Congress. Too many legislators forget about the rights of people who voted for them or decide that it's more important to keep those providing money for the next campaign happy. Either way, Congress has not passed any meaningful privacy laws since the dawn of the Web. (Excerpt from news story by Scott Bradner)

[source: Network World]

Phishing URLs skyrocket

(2007-05-29) [ComputerWorld] The number of phishing Web URLs nearly tripled from March to April, a security group said, as cybercriminals returned to a late-2006 tactic designed to do an end run around browser-based antiphishing filters.

In one month, the number of unique sites soared 166%, from 20,871 in March to 55,643 in April, said the Anti-Phishing Working Group (APWG), an association of more than 1,600 companies and government agencies. "They're trying to overwhelm the filtering mechanisms" in browsers and antiphishing toolbars, said Peter Cassidy, the secretary general of the APWG, "by using many, many URLs, some which may resolve to the very same phishing site." (Excerpt from news story by Gregg Keizer)

[source: Security]

Google gets a letter from EU

(2007-05-29) [CNet] A European Commission advisory group has raised concerns about how Google uses and manages users' search data.

A privacy advisory group composed of representatives from all of the European Union countries sent Google a letter expressing concern over the search giant's new privacy policy announced in March. The issue surrounds Google's policy of anonymising its server logs after 18 to 24 months. According to a Commission source, the advisory group is concerned with how the information is managed, rather than the length of time it is stored. (Excerpt from news story by Dawn Kawamoto)

[source: silicon.com]

Tyco fined for overseas transfers of personal data

(2007-05-28) [PinsentMasons] The French data protection authority has fined a subsidiary of US firm Tyco Healthcare over the transfer of employee information across borders and inadequate data safeguards. Tyco Healthcare France was fined Euro 30,000.

It is believed to be the first time that a US-based multinational has been fined for unauthorised overseas transfers of personal data.

[source: Out-law.com]

The Dangers of Too Much Data Privacy

(2007-05-28) [The SANS Technology Institute] The private sector, as a whole, has not always been responsible stewards of the non-public personal information that is entrusted to them by the public. It is axiomatic that when the private sector fails to act responsibly, the public sector will enact regulations to mandate changes in behavior. The volume of highly publicized data breaches and the accompanying public outcry are at least partially responsible for the stampede of data privacy laws passed in recent years.

The issue is that a certain amount of data sharing is important. Businesses routinely send personal financial information about all of us to the credit bureaus (Experian -- Equifax -- TransUnion). The bureaus assign us our credit scores, and companies use that information in deciding whether or not to lend us money for major purchases such as cars, homes, etc. Here's the problem; there is such a thing as too much data privacy. A certain amount of responsible data sharing is important to reduce fraud, combat terrorism and to fight crime. (Excerpt from news story by Philip Alexander)

[source: News]

High-tech travel ID 'inevitable'

(2007-05-28) [CanWest MediaWorks Publications Inc.] Canadians will inevitably have to carry travel documents with their DNA, biometrics or other biological identifiers embedded into them in order to travel to the United States, according to a new white paper to be revealed to government officials in Ottawa today.

While many travellers and governments are frantically trying to comply with current border regulations that require passports for air travel, the report warns that's just one step in the movement toward more secure borders. In order to adequately confirm an individual's identity and speed up the process of screening passengers, governments will surely move to enhanced identity documents that use biological information to identify travellers, the paper says. (Excerpt from news story by Carly Weeks)

[source: Edmonton Journal]

They know everything about you and didn’t even have to ask

(2007-05-26) [Times Newspapers Ltd] Big Brother really is watching you. Of course, there's nothing sinister about this because it's all being done to make life easier. But for whom?

How would you feel if your supermarket knew that you were getting married before you did? Or if your DNA was trawled by drugs companies that then could offer preventative treatments for illnesses likely to strike you in the future, but also share their findings with the lender debating whether to give you a mortgage? Welcome to Big Brother Britain, version 2.0, a surveillance society where every imaginable piece of digital data -- web-browsing histories, e-mails, even genetic records -- is gathered and processed by organisations determined to know you better than you know yourself. (Excerpt from news story by Rhys Blakely)

[source: TimesOnLine]

E-spying may be legal, but moral?

(2007-05-26) [The Washington Times, LLC] Law lags technology. Moral questions take a back seat. Just because you can do something doesn't mean that it's a good idea. These are three laws of advancing technology.

Consider the company Spectorsoft, which makes software for spying on people -- your kids, your employees, whomever. "Automatically record everything they do on the Internet," says the banner on the Web site. Spectorsoft has several packages for sale. Here is the pitch for one of them: "Install EBlaster on the computer you wish to monitor and start receiving copies of every e-mail sent and received on that PC, plus receive complete transcripts of all chat conversations and instant messages that take place on the monitored PC, all sent to your e-mail address." (Excerpt from news story by Fred Reed)

[source: washingtontimes.com]

Authorities should analyse risk before sharing data, says privacy chief

(2007-05-25) [PinsentMasons] Local authorities should conduct a risk assessment before sharing personal data with other public bodies. Sharing can be legitimate, but only when the benefits and risks have been weighed up, the Information Commissioner has said.

The Information Commissioner's Office (ICO) has produced guidelines for local authorities to follow when they want to share data with other agencies or authorities or even between departments of the same authority.

[source: Out-law.com]

California Senate Clears Groundbreaking RFID Bill

(2007-05-24) [EFF] Today, a landmark bill that would require tough privacy and security safeguards for Radio Frequency Identification tags in state-issued IDs sailed through the California Senate on a 33-2 bipartisan vote.

Without proper protections, RFIDs in IDs can broadcast your private information to anyone and leave you vulnerable to tracking and identity theft. That's why EFF, the ACLU, the Privacy Rights Clearinghouse, and other groups have been working hard to get the Identity Information Protection Act (SB 30) passed.

[source: News]

New antiphishing, antispam specifications unveiled

(2007-05-23) [ComputerWorld] Specifications for a new e-mail authentication tool to help fight against phishing and spam were published yesterday by the Internet Engineering Task Force (IETF), opening the way for software vendors and e-mail service providers to find better ways to protect e-mail recipients.

The specifications were announced for DomainKeys Identified Mail (DKIM), a new technology that combines several existing antiphishing and antispam methods to create an improved way to sort and identify legitimate e-mail. The specifications provide details that independent software vendors and e-mail service providers can use to build the protections into their products and services immediately. (Excerpt from news story by Todd R. Weiss and Robert McMillan)

[source: Security]

Lawmaker concerned about IRS plan to collect user data from Internet firms

(2007-05-22) [ComputerWorld] A proposal in President Bush's 2008 budget that would require some Internet businesses to collect Social Security numbers on their customers and share it with the Internal Revenue Service has prompted concern from Rep. Tom Davis (R-Va.).

In a letter to Treasury Secretary Henry Paulson today, Davis called for a staff briefing to discuss a range of issues related to the IRS proposal, including whether Internet firms would be able to securely store such personal information and what impact the proposal might have on e-commerce. Davis is the ranking minority member on the House Committee on Oversight and Government Reform. "As this proposal moves forward, I hope the personal information of millions of individuals conducting business online will be protected," Davis said in his letter. (Excerpt from news story by Jaikumar Vijayan)

[source: Government]

In the Face of Danger: Facial Recognition and the Limits of Privacy Law

(2007-05-10) [Harvard Law Review] When with close friends, people seldom present the same face they show to the rest of the world. But what if even the unguarded -- and perhaps indiscreet -- moments between friends were captured in pictures and instantly available across the world in digital form? And what if a computer in some distant room could identify the faces in each picture to create a searchable database -- a fully indexed catalog of life, captured in still frames? That technology is here.

New facial recognition systems, however, are making it possible for computers to tag photos with names even if the uploader and the subject are complete strangers. One of these facial recognition search engines is Polar Rose; it searches the entire Web for photos, matches faces in the photo with previously tagged photos, tags the new photo, and makes its database completely searchable.

[source: Article]

Privacy Self-Regulation and the Changing Role of the State

(2007-05-24) [Ralf Bendrath] My new working paper is just out. I have looked at the changes in the regulation (or "governance") of data protection, with a special focus on the different forms of new governance mechanisms. Building on Lawrence Lessig's work on "Code and Law" and also on previous research on the governance of privacy done by Colin Bennett and Charles Raab, I distinguish between social codes (contracts, self-regulatory schemes etc.) and technical codes (privacy-enhancing technologies).

This is the abstract: "Privacy Self-Regulation and the Changing Role of the State. From Public Law to Social and Technical Mechanisms of Governance". This paper provides a structured overview of different self-governance mechanisms for privacy and data protection in the corporate world, with a special focus on Internet privacy. It also looks at the role of the state, and how it has related to privacy self-governance over time. While early data protection started out as law-based regulation by nation-states, transnational self-governance mechanisms have become more important due to the rise of global telecommunications and the Internet. Reach, scope, precision and enforcement of these industry codes of conduct vary a lot. The more binding they are, the more limited is their reach, though they -- like the state-based instruments for privacy protection -- are becoming more harmonised and global in reach nowadays. These "social codes" of conduct are developed by the private sector with limited participation of official data protection commissioners, public interest groups, or international organisations. Software tools -- "technical codes" -- for online privacy protection can give back some control over their data to individual users and customers, but only have limited reach and applications. The privacy-enhancing design of network infrastructures and database architectures is still mainly developed autonomously by the computer and software industry. Here, we can recently find a stronger, but new role of the state. Instead of regulating data processors directly, governments and oversight agencies now focus more on the intermediaries -- standards developers, large software companies, or industry associations. And instead of prescribing and penalising, they now rely more on incentive-structures like certifications or public funding for social and technical self-governance instruments of privacy protection. The use of technology as an instrument and object of regulation is thereby becoming more popular, but the success of this approach still depends on the social codes and the underlying norms which technology is supposed to embed.

Read the paper. (Excerpt from blog post by Ralf Bendrath)

[source: Blog]

Medical Privacy Law Not Being Enforced, Expert Says

(2007-05-25) [The Advisory Board Company] American Public Media's "Future Tense" on Thursday included a discussion about medical privacy laws and accidental disclosure of electronic health records.

Janlori Goldman, director of the Health Privacy Project at Georgetown University, said federal medical privacy laws provide strong protections but have not been adequately enforced.

[source: iHealth]

EU Data-Privacy Officials Probing Google

(2007-05-25) [Wired] An independent European Union panel is investigating whether Google Inc.'s Internet search engine abides by European privacy rules, which tend to be stricter than those in the United States.

EU spokesman Pietro Petrucci said Friday that the 28-member panel, which advises the European Commission and EU governments on data protection issues, wants Google to address concerns about the company's practice of storing and retaining user information for up to two years. (Excerpt from news story by Constant Brand)

[source: news]

Google defends data policy

(2007-05-25) [Cable News Network] Google will tell Brussels it needs to hold on to users' search data for up to two years for security and commercial reasons after being warned it could be violating European privacy laws by doing so.

The world's top Internet search engine on Friday said it would respond by June 19 to a letter from a European Union data protection advisory group expressing concern it was keeping information on users' searches for too long. "The concern of EU law is that a company that collects data on its customers should keep it as long as it is necessary, but not longer," Peter Fleischer, Google's global privacy counsel, told Reuters in a telephone interview.

[source: CNN Technology]

Wi-fi and RFID used for tracking

(2007-05-25) [BBC] Wireless tracking systems could be used to protect patients in hospitals and students on campuses, backers of the technology said.

The combination of Radio Frequency Identification (RFID) tags and wi-fi allows real-time tracking of objects or people inside a wireless network. Angelo Lamme, from Motorola, said tracking students on a campus could help during a fire or an emergency. "You would know where your people are at any given moment," he said.

[source: News]

EU's Frattini confirms letter to Google over personal data storage time policy

(2007-05-25) [etvMEDIA, Inc.] A spokesman for EU justice commissioner Franco Frattini confirmed that a letter has been sent to Google Inc by the Article 29 Working Party requesting clarification on the company's personal data storage policy.

The spokesman said: "Commissioner Frattini saw the letter this morning and thinks the questions raised are appropriate and legitimate." He would not comment on the content of the letter and stressed that it was an initiative of the working group, not the commission.

[source: ForexTV]

[Norwegian] Google asked to explain long retention period

(2007-05-25) [Datatilsynet] The EU Data Protection Directive prohibits the storage of excess information about individuals. Now the Article 29 Working Party is asking Google to explain why the search engine giant stores so much data for so long.

The Article 29 Working Party is an advisory EU group with particular responsibility for monitoring compliance with the Data Protection Directive. Datatilsynet began a round of inspections of search engines in October 2006. Retention time became an issue. The inspection covered two Norwegian operators and one international one. Google was selected because it uses the .no domain and also addresses its users in Norwegian. When the Norwegian Datatilsynet opened the dialogue, Google had no maximum retention period for information about searches and searchers. During the process, the search giant proposed a new policy in this area: anonymising server logs older than 18 to 24 months.

[source: Nyhet]

Europe wages war on cyber crime

(2007-05-24) [CNet] Europe is stepping up the fight against cyber crime, outlining plans to create more meaningful legislation and promote greater, cross-border co-operation.

The European Commission said legislation and law enforcement - especially across borders - needs to keep pace with new and evolving opportunities for criminals. It said cyber crime comes in three forms: established crimes such as fraud, publication of illegal content, and crimes unique to the internet - such as denial of service attacks and hacking. (Excerpt from news story by Tim Ferguson)

[source: silicon.com]

Phishing Attacks Soar as Scammer Nets Widen

(2007-05-24) [The Washington Post] Some of the Web's most prolific organized online criminals are starting to step up the frequency and sophistication of phishing attacks, targeting commercial banks, job hunting sites and data brokers, Security Fix has learned.

Typically, phishing scams involve phony e-mails and counterfeit bank Web sites that try to lure unsuspecting users into disclosing user names and passwords. Lately, however, some of the more technically advanced phishing groups have started shifting their sights to higher-dollar targets. The source of this latest twist in phishing is known as "Rock Phish." These attacks generally involve techniques to avoid new anti-phishing measures. Both the Firefox and Internet Explorer Web browsers include features that alert users if they try to visit a site that has been flagged by security experts. Rock Phish attacks are designed to thwart this "blacklisting" approach by generating multiple, unique Web addresses for each attack, thus making it easier for them to evade phish filters. (Excerpt from blog post by Brian Krebs)

[source: washingtonpost.com]

Europe mulls anti-ID theft law

(2007-05-24) [PinsentMasons] The European Commission is considering new legislation against identity theft. The proposal is contained in a just-published policy on EU-wide plans to fight cybercrime.

The European Commission's policy on fighting cybercrime in Europe is the product of many years of consultation and focuses on greater co-operation between European police forces. Though the Commission said that it did not believe that new legislation would be useful at this stage in stopping the fast growth of cybercrime, it said it will consider anti-ID theft laws later this year.

[source: Out-law.com]

The Right To Be Left Alone Falling Victim To Spy Technology

(2007-05-24) [The Hartford Courant] Wherever you go, it's safe to assume, a camera or microphone lurks. And, again for the sake of safety, assume that its operator has no sense of discretion - even if it's your friends and family. In this age of no privacy, David Hasselhoff, Lindsay Lohan and Alec Baldwin have all learned the hard way: Don't trust anyone.

We know of their bad behavior - being drunk in a hotel room (Hasselhoff), allegedly doing cocaine in a bathroom (Lohan) and berating his daughter on the telephone (Baldwin) - thanks to those closest to them. (Excerpt from news story by William Weir)

[source: courant.com]

Playing With Privacy -- Virtual communities raise new questions

(2007-05-24) [ALM Properties, Inc] Ours is an interconnected world. And thanks to the explosive growth of virtual communities and social networking sites like MySpace, we are seeing a seismic shift in the way we work, play and socialize.

To enhance productivity, companies like Entellium are redesigning business software using interactive game techniques. Customer relationship management software users, for example, can build a dossier of clients and sales prospects that include photographs and lists of likes, dislikes and buying interests like character descriptions in popular role-playing games. (Excerpt from news story by Harry A. Valetk)

[source: Law.Com]

German constitution to be amended for modern communications society

(2007-05-24) [Heise Zeitschriften Verlag] Politicians from both the SPD and CDU/CSU are planning to amend the German constitution to take modern communications into account. According to a report in the German daily Tagesspiegel of Berlin, a basic right for freedom on the Internet is to be established.

The SPD's home affairs spokesperson Dieter Wiefelspütz and his colleague Ralf Göbel of the CDU reportedly hoped to have a draft completed by the end of this session of parliament. "The Internet is a new space, a fourth dimension, a world where people live, love, and do business," Wiefelspütz explained the need for such action. He said that freedom in this virtual world would also have to be guaranteed in the constitution. It is not yet clear, however, how such a law would be formulated.

[source: heise on-line]

Ryanair check-in site exposes data

(2007-05-24) [The Register] Ryanair's online check-in service fails to ensure users submit confidential details across a secure connection. As a result, travellers are invited to send confidential data across an unencrypted link.

"I checked every step when checking into a recent flight from Luton to Dublin to attend a funeral. At no point is SSL used, including when you're transmitting your name, passport details, or when they send you back your boarding pass," notes Register reader Jim H, who was the first to warn us of the issue. (Excerpt from news story by John Leyden)

[source: Channel Register]

The Twitter API Respects Your Privacy

(2007-05-24) [Twitter] The Guardian Technology Blog posted incorrect information about Twitter this morning. The Twitter API respects protected updates and does not have a privacy 'glitch.'

So what the heck are they talking about? Some Twitter users willingly provided their usernames and passwords to a mash-up project called Twittervision (a service unaffiliated with Twitter except that it accesses our API). They did this so they could be part of the fun and access more Twittervision features. However, Twittervision was not checking to see if any of these folks had marked their updates as "protected." Starting today David Troy, the creator of Twittervision, tells us he'll make sure to check for this.

[source: Blog]

Twitter glitch leaves 'private' users exposed to the world

(2007-05-24) [Guardian] Twitter, the popular messaging site which has gained traction among the technorati, has come in for plenty of criticism for downtime, bugs and trouble keeping up with the volume of users signing up.

But its latest problem takes things beyond the merely irritating and into the realm of dangerous - by undermining user privacy. (Excerpt from blog post by Bobbie Johnson)

[source: Technology Blogs]

World Privacy Forum files public comments and recommendations on pharmacogenomics privacy

(2007-05-24) [WORLD PRIVACY FORUM] The World Privacy Forum believes that the capability of identifying individuals from subsets of genetic information will expand greatly in the future.

In public comments filed with the National Institutes of Health on pharmacogenomics (PGx) research, or research using genetic information to create highly personalized medicine, the World Privacy Forum recommended that all research activities that involve any type of patient-specific genetic information be required to have certificates of confidentiality, whether that information appears identifiable or not.

[source: News]

Podcast: Federal law governing medical records privacy not being enforced

(2007-05-24) [American Public Media] Today, part two of our report on medical records privacy.

Guests are Janlori Goldman (Health Privacy Project) and Susan McAndrew (HHS Office of Civil Rights). Listen to the podcast (length 04:33).

[source: Future Tense]

Reasonable Expectation of Privacy Workshop Movies

(2007-05-23) [On The Identity Trail] The IDTrail Team produced two short films exploring the "reasonable expectations of privacy". They were used at the Computers, Freedom, and Privacy (CFP) 2007 conference in Montreal, Canada.

The short films were produced and directed by Max Binnie, Katie Black and Jeremy Hessing-Lewis with contributions from Daniel Albahary, Ian Kerr, and Jane Bailey. They are available for download under a Creative Commons Attribution 2.5 license after the jump. Movies: "Download Tessling-Just the Facts" (length 04:22), and "Public Interest Perspectives" (length 25:52). (Excerpt from blog post by Jeremy Hessing-Lewis)

[source: Blog]

Google is profiling online gamers

(2007-05-23) [EDRI] Google has filed a patent in Europe and in US on a profiling technology planning to create psychological profiles of web users based on their behaviour at playing on-line games. The company thinks it can gather up information to shape the personality of web users according to the way they react and take decisions while playing online and then sell these psychological profiles to advertisers.

The patent says: "User dialogue (e.g. from role playing games, simulation games, etc) may be used to characterize the user (e.g. literate, profane, blunt or polite, quiet etc). Also, user play may be used to characterize the user (e.g. cautious, risk-taker, aggressive, non-confrontational, stealthy, honest, cooperative, uncooperative, etc)."

[source: EDRI-gram, Number 5.10]

UK implements the Data Retention Directive

(2007-05-23) [EDRI] The UK Home Office is presently implementing the Data Retention Directive that will oblige telephony and internet service providers to keep data for 12 months. The decision was taken without any debate by simple "affirmative" votes in the parliament and the Directive is to be implemented by 15 September 2007 for fixed and mobile telephones and 18 months later for internet services (including VOIP telephony).

The Home Office intends to implement the Directive by a Regulation that will replace the current "voluntary" Code and does not seem to have taken into consideration any risk related to the privacy of personal data.

[source: EDRI-gram, Number 5.10]

US official makes PNR demands to the European Parliament

(2007-05-23) [EDRI] As the negotiations of the PNR (Passenger Name Records) issue continue between the US Government and the European Parliament, during his visit to Brussels on 14 May, US Homeland Security Secretary Michael Chertoff asked for more relaxed restrictions on the personal data transfer from the airline companies.

The interim agreement on PNR between EU and US expires in July 2007 and unless a common agreement is reached by then, airlines are in a difficult position, facing either being sued in Europe for providing these data in the US or in the US for not sharing the information.

[source: EDRI-gram, Number 5.10]

PCC issues privacy guidelines on undercover reporting

(2007-05-23) [PinsentMasons] Newspaper regulator the Press Complaints Commission (PCC) has issued new guidelines on privacy and data protection for newspapers conducting investigations which involve subterfuge.

The new rules are a reaction to the recent jailing of a News of the World reporter and a private investigator. Clive Goodman and Glenn Mulcaire tapped the phone messages of Royal Family employees to source stories. The PCC, which is the industry's self-regulatory body and which publishes a Code of Practice for newspapers and magazines, conducted an investigation both of the News of the World and of the newspaper industry to discover the industry's practices in relation to subterfuge and newsgathering.

[source: Out-law.com]

Legal Opinion: An over-complex privacy law may trigger new legislation

(2007-05-23) [Independent News and Media Limited] There may never have been a simple answer to the question: what is the law of privacy? But a recent spate of cases has added to the dense jungle of rulings and legal principles through which even experienced judges are finding it difficult to navigate.

Perhaps the most confusing case of all, to the public at least, was the attempt by Mr Justice Eady this month to explain why he had allowed the media to publish accounts of a relationship between Lord Browne of Madingley, the former chief executive of BP, and his gay lover. (Excerpt from news story by Robert Verkaik)

[source: The Independent]

Memory sticks a privacy threat

(2007-05-23) [News Limited] Drug companies trying to improve their market share have put patient privacy at risk by demanding pharmacists allow them to insert memory sticks in pharmacy computers.

The Pharmacy Guild has asked members to ban the practice because it could breach patient privacy - drug companies allowed to use the memory sticks could find out what drugs individual patients were taking. "This is just not on," Pharmacy Guild president Kos Sclavos told The Daily Telegraph. (Excerpt from news story by Sue Dunlevy)

[source: Daily Telegraph]

Home Office: Interference with privacy 'necessary'

(2007-05-22) [Politics.co.uk] Home Office minister Liam Byrne has responded to questions posed by the joint committee on human rights (JCHR) and defended the government's ID card programme.

"The government recognises that taking biometric or other information from a person, and storing that information and requiring a BID [biometric immigration document] to be used for specific immigration purposes may be an interference in the right to respect for private life," he admitted. "However, we have considered, and remain of the view, that if there were any interference, we would ensure that this was necessary and proportionate."

[source: politics.co.uk]

[Norwegian] Inspection - use of personal profiles

(2007-05-22) [Datatilsynet] In autumn 2006 Datatilsynet took a closer look at the use of personal profiles in 21 Norwegian enterprises. Half of them used profiles, but only one enterprise provided adequate information.

The inspection project clearly showed that few know the rules for the use of personal profiles. "I urge marketers and others who tailor offers to customers to read the new guide Datatilsynet has now produced," says Katrine Berg, who is responsible for the marketing field at Datatilsynet.

[source: Nyhet]

[Swedish] Young people on privacy - Feel free to eavesdrop on criminals, but not on me!

(2007-05-22) [Datainspektionen] The computer and the mobile phone are the most important gadgets in young people's lives. But what is their attitude to privacy? Is surveillance okay? What is sensitive to expose? Love, politics or finances? On behalf of Datainspektionen, a research company asked 500 young people what they think.

Sitting in front of the computer and communicating over the Internet is an important part of young people's everyday lives. Over 80 percent surf daily, and most have posted pictures of themselves online. The survey shows that young people are generally very open on the Internet and do not limit their use for privacy reasons. Half of the respondents have at some point written on a blog and have a webcam that sends pictures while they chat.

[source: Nyheter]

Another Surveillance Program or a Lie?

(2007-05-22) [TPM Media LLC] Either James Comey was talking about a new, secret surveillance program in his testimony last week, or Alberto Gonzales lied to Congress in 2006 about the NSA's warrantless wiretapping program.

In the initial coverage of Comey's testimony, almost all reports treated it as a given that the clandestine program at the heart of the now-infamous late-night race to Ashcroft's bedside was the NSA's warrantless wiretapping program -- what the White House insists on calling the 'Terrorist Surveillance Program'. But that may not be the case. After the New York Times uncovered how the NSA was tapping calls between the U.S. and foreign countries, Gonzales testified before Congress that there were no objections to the program's legality in the Justice Department. (Excerpt from news story by Laura McGann)

[source: Blog]

Google's goal: to organise your daily life

(2007-05-22) [The Financial Times Ltd] Google's ambition to maximise the personal information it holds on users is so great that the search engine envisages a day when it can tell people what jobs to take and how they might spend their days off.

Eric Schmidt, Google's chief executive, said gathering more personal data was a key way for Google to expand and the company believes that is the logical extension of its stated mission to organise the world's information. The Information Commissioner's Office in the UK said it was not concerned about the personalisation developments. (Excerpt from news story by Caroline Daniel and Maija Palmer)

[source: ft.com]

Podcast: Private medical records of Colorado residents exposed on Internet

(2007-05-22) [American Public Media] As medical records are created and transmitted electronically more and more, the chance of private information falling into the wrong hands is growing. Sometimes records are stolen by hackers, other times just improperly secured. Compromised records can lead to a range of problems, from loss of employment to identity theft to plain old embarrassment.

Future Tense has discovered that detailed, personally identifiable medical records of thousands of Colorado residents were viewable on a publicly accessible Internet site for an uncertain period of time through at least last Friday, May 18. The data included patient records from at least 10 Colorado clinics and hospitals, and one hospital in Peoria, Illinois. It's unclear how many people may have seen the records. Listen to the podcast (length: 5:13).

[source: Future Tense]

Every Move You Make: Location Tracking and the Law

(2007-05-21) [EFF] Can the government keep track of your whereabouts through your cell phone? Do they need a warrant or not? Location tracking by law enforcement is already becoming routine, and EFF has been fighting to make sure your privacy is protected.

This week, EFF Staff Attorney Kevin Bankston will be addressing these and other issues in a free online course offered through the State of Play Academy (SOPA), a virtual space for conversations about law and technology located in the virtual community There.com.

[source: News]

Privacy Matters to us All

(2007-05-21) [eRepublic, Inc.] At the Government Technology Conference's Security Summit last week, Keynote speaker Joanne McNabb, California's chief privacy officer, asked a poignant question: why does privacy matter?

For many reasons, it turns out. For a start, it is a law. In California, privacy is a right defended by the state's constitution. "All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy." [emphasis added]. There are nine other states in the Union which have constitutional rights to privacy. (Excerpt from news story by Gina M. Scott)

[source: Government Technology]

Backlash against RFID is growing

(2007-05-21) [CNN] Civil rights and privacy rights groups have opposed radio frequency identification, or RFID, for years. But now, researchers in the field and some lawmakers are beginning to voice concerns about the security of the technology.

In the past year, twenty-two states have introduced legislation regarding RFID technology, which uses tiny radio transmitter chips, or "tags," that can be inserted in a pallet full of goods, a pair of jeans, or a passport. (Excerpt from news story by Chris Zappone)

[source: Money.com]

[Norwegian] The tax lists - soon on the Internet all year round?

(2007-05-21) [Datatilsynet] The press's ability to obtain the complete electronic tax list is being fast-tracked in connection with the revised national budget. Datatilsynet wonders what circumstances make this necessary:

"Which media outlets have had trouble obtaining tax information when they wanted to create serious debate about the tax system?" asks Georg Apenes, director of Datatilsynet. The tax lists have been available for public inspection for a short period each year. In 2004 the release of complete electronic lists was tightened, on privacy grounds. Redistribution of these lists had become very extensive. A great many media outlets chose to publish their own databases providing all assessment figures, and several of these provided assessment figures for several years back.

[source: Nyhet]

XML format for antiphishing info to go live in July

(2007-05-21) [ComputerWorld] A common format to electronically report fraudulent activities will be fully operational by July 2007.

Anti-Phishing Working Group (APWG) secretary general, Peter Cassidy, said a structured data model is necessary to improve incident reporting, share information and allow forensic searches and investigations. Cassidy said the first base specification was submitted in June 2005 and the Incident Object Description Exchange Format (IODEF) XML Schema with e-crime relevant extensions will be a recognized IETF standard in about six weeks. (Excerpt from news story by Sandra Rossi)

[source: Security]

French Data Protection Authority Fires Warning Shot to U.S. Multinationals

(2007-05-20) [Littler Mendelson, P.C.] In what may foreshadow a new era of more aggressive enforcement, France's data protection authority - La Commission Nationale de L'informatique et des Libertés (CNIL) - recently fined Tyco Healthcare France (THF), the local subsidiary of a U.S. multinational organization, Euro 30,000 (approximately $41,000) for, among other things, improperly transferring employee information to Tyco's U.S. headquarters.

The fine appears to be the first imposed on a U.S.-based company accused of unlawful cross-border transfers of human resources data. The French government's enforcement action coincides with recent public declarations by other European data protection authorities, calling for more aggressive enforcement of the European Union's strict data protection regime. (Excerpt from news story by Philip L. Gordon and Timothy A. Rybacki)

[source: News]

CDT Urges Caution on Tracking Mandate for Wireless Devices

(2007-05-18) [CDT] The Federal Communications Commission should conduct further research and seek public comment before it adopts any rule requiring computers and other Internet access devices to include location tracking capabilities, CDT urged in comments filed May 17.

The FCC has been considering how to ensure that voice services using the Internet can call 911 and report the user's location in emergencies. CDT supports that goal, but notes to the Commission that how it is achieved has major implications for privacy, security and innovation.

[source: News]

ICAO's 3rd MRTD report

(2007-05-18) [Security Document World] ICAO has issued Volume 2, Number 1 of the MRTD Report. The issue focuses on two subjects relating to the ICAO Biometric Blueprint: the use of the face as the primary biometric for interoperability of ePassports, and the launch of the ICAO Public Key Directory (PKD).

The ICAO PKD is the main global distribution point for public signing key certificates from all issuers of ePassports who are required to validate and authenticate such documents. The idea is for inspectors of ePassports throughout the world to be able to access the PKD and use the public signing keys to validate ePassports with confidence.

[source: News]

GAO Report: Customs Agency's Data Collection Violates Privacy Laws

(2007-05-18) [EPIC] Customs and Border Protection is violating privacy laws in its data collection practices, the Government Accountability Office reported Wednesday. The GAO said that the current passenger prescreening process does not comply with the Privacy Act of 1974 and the E-Government Act of 2002.

Customs "has not fully disclosed or assessed the privacy impacts of its use of personal information during international passenger prescreening as required by law," the GAO said. EPIC has repeatedly urged that the federal privacy laws be fully applied to all passenger prescreening programs. "The lack of enforcement of Privacy Act obligations means that individuals are not given the opportunity to inspect, correct or limit the dissemination of inaccurate information," and this lack of transparency leads to security resources being wasted on innocent travelers who are misidentified as criminal suspects, EPIC said.

[source: EPIC Alert, Volume 14.10]

EC Announces New Project on Privacy Enhancing Technologies

(2007-05-18) [EPIC] On May 2, the European Commission detailed plans to identify, develop, and promote Privacy Enhancing Technologies ("PETs"). Commission Vice-President Franco Frattini said the EC seeks to "ensure that breaches of the data protection rules and violations of individual's rights are not only something forbidden and subject to sanctions under the existing legal provisions, but also technically more difficult."

EPIC has urged the use of PETs in the U.S. and internationally. In its January comments to the President's Identity Theft Task Force, EPIC said, "PETs can allow authentication to occur without the need for identifying information to be disclosed. Such techniques enable commerce, communication, web browsing, and even voting without unnecessary privacy risks."

[source: EPIC Alert, Volume 14.10]

European Parliament Considers US Demands for Passenger Data

(2007-05-18) [EPIC] US Homeland Security Secretary Michael Chertoff addressed the European Parliament's Committee on Civil Liberties, Justice and Home Affairs last week regarding the passenger name records (PNR) agreement between the EU and the US.

The current interim deal expires in July, and the European Parliament wants a new agreement with better data protection standards. Parliament seeks to limit how much data is transferred, which agencies it is shared with, and how long the data is kept. Contrary to this position, Chertoff asked that restrictions on the use of data be made looser than what is in the current agreement, claiming that wider sharing amongst agencies is necessary to stop terrorist attacks.

[source: EPIC Alert, Volume 14.10]

New York Agency Endorses EPIC's Google/DoubleClick Complaint

(2007-05-18) [EPIC] The New York State Consumer Protection Board has sent a letter to the Federal Trade Commission (FTC) endorsing EPIC's recent complaint to the FTC regarding the privacy implications of the Google/DoubleClick merger.

On April 20, 2007, EPIC, the Center for Digital Democracy and the US Public Interest Research Group filed a complaint with the Federal Trade Commission, urging the Commission to open an investigation into Google's data retention policies, specifically in light of its recent proposed acquisition of DoubleClick. The complaint called on the Commission to force Google to comply with internationally recognized privacy guidelines such as the Organization for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which recognized that "the right of individuals to access and challenge personal data is generally regarded as perhaps the most important privacy protection safeguard."

[source: EPIC Alert, Volume 14.10]

White House Privacy Board Under Fire for Weak Review of Programs

(2007-05-18) [EPIC] Earlier this week, Lanny J. Davis, one of five members of the President's Privacy and Civil Liberties Oversight Board, resigned in protest of the Bush administration's changes to the Board's first annual report. The White House made more than 200 revisions to the report, including the deletion of a passage on anti-terrorism programs where intelligence officials said the programs had "potentially problematic" intrusions on civil liberties.

Another change was the deletion of the Board's plan to investigate the controversial Automated Targeting System, which was originally established to assess cargo that may pose a threat to the United States, but has expanded to creating terrorism risk profiles for millions of people. EPIC has criticized the system, explaining that the terrorist risk profiles will be secret, unreviewable, and maintained by the government for 40 years. EPIC, along with 29 organizations and 16 privacy and technology experts, filed comments last year highlighting privacy and security risks inherent in the system and urging the agency to suspend the program and to fully enforce Privacy Act obligations.

[source: EPIC Alert, Volume 14.10]

Opinion: Will Privacy Fears Stifle New Medical Frontiers?

(2007-05-17) [ComputerWorld] Imagine you brought home a new baby girl today. And along with the standard package of well-baby materials came her electronic medical record. To your fascination, the electronic file was stored on an encrypted card backed up with the federal government in Washington. This file would follow her throughout life, enabling her doctors to detect diseases in their earliest stages.

For the sake of your child's health, you'd have a hard time saying no to that, right? Then imagine having the peace of mind that your daughter would probably never have an adverse reaction to prescription drugs, because the drugs would be designed specifically for her and the DNA she keeps on file with your preferred pharmaceutical companies. (Excerpt from op-ed piece by Jay Cline)

[source: Security]

[Norwegian] eCall

(2007-05-08) [Datatilsynet] eCall is a planned emergency alarm service for car accidents in Europe. The service is intended to work so that a black box in the car can automatically call the emergency number and report the car's position in the event of an accident.

The EU is working to introduce a harmonised pan-European emergency service for vehicles ("eCall"), built on the common European emergency number 112. All cars sold in the EU area from 2010 are to be equipped with satellite positioning and communication over the mobile telephone network, so that information is sent automatically to the nearest emergency centre in the event of an accident. Galileo, the EU's new satellite positioning system, has a central role here. The Data Inspectorate (Datatilsynet) sees that the system may have certain positive sides, but finds it necessary to point out that the implementation of eCall could involve problems with regard to data protection and the protection of privacy.

[source: Nyhet]

[Norwegian] How to think about privacy on Facebook?

(2007-05-08) [Datatilsynet] Many people throw themselves straight into active use of social networking sites without finding out how they really work. The Data Inspectorate offers some simple advice that can make it easier to protect your own privacy, and to respect that of others.

Although Facebook has set up a system that in principle should give users good control over what they share with whom, one should think through which pieces of information are private and which one wants to share with others.

[source: Nyhet]

[Norwegian] Eurobarometer: Europeans want to be informed

(2007-05-07) [Datatilsynet] The vast majority of EU citizens want to be informed if their own personal data is altered, lost or stolen. This emerges from a recent Eurobarometer survey.

64% of EU citizens want to be informed even if they do not risk financial consequences. 14% say they only want to be informed if they could lose money as a result of their personal data going astray. Only 12% say they do not want such information in any case.

[source: Nyhet]

Reaping Results: Data-Mining Goes Mainstream

(2007-05-20) [New York Times] Rodney Monroe, the police chief in Richmond, Va., describes himself as a lifelong cop whose expertise is in fighting street crime, not in software. His own Web browsing, he says, mostly involves checking golf scores.

But shortly after he became chief in 2005, a crime analyst who had retired from the force convinced him to try some clever software. The programs cull through information that the department already collects, like "911" and police reports, but add new streams of data -- about neighborhood demographics and payday schedules, for example, or about weather, traffic patterns and sports events -- to try to predict where crimes might occur. (Excerpt from news story by Steve Lohr)

[source: News]

Consumers must control their most sensitive financial data

(2007-05-20) [The Jackson Sun] Identity fraud is down by 12 percent according to The Javelin Strategy & Research "2007 Identity Fraud Survey Report." Reason to quit worrying about the issue, right? Wrong!

One of the reasons for the decrease is targeted specialization by the ID thieves, which simply narrows the field of victims. In a recent breach at discount chain TJ Maxx, the same people had broken into systems at other retailers in a well-orchestrated, concentrated attack. Gartner Research asserts these people are meticulously working at collecting information on millions of Americans. (Excerpt from news story by Jack Dunning)

[source: News]

CDT Urges Caution on Location Tracking Mandate for Wireless Devices

(2007-05-18) [CDT] The Federal Communications Commission should conduct further research and seek public comment before it adopts any rule requiring computers and other Internet access devices to include location tracking capabilities, CDT urged in comments filed May 17.

The FCC has been considering how to ensure that voice services using the Internet can call 911 and report the user's location in emergencies. CDT supports that goal, but notes to the Commission that how it is achieved has major implications for privacy, security and innovation.

[source: News]

Gatwick gets iris recognition

(2007-05-18) [The Register] Gatwick South has started using an iris recognition system - it is the ninth UK airport terminal to roll out the system.

Project IRIS (Iris Recognition Immigration System) is designed to give travellers resident in the UK, who have no black marks against their name on the immigration database, a means of avoiding normal immigration checks by having their eyes scanned instead. The project has suffered a couple of delays - it was originally due to go live in 2005 and then pushed back to December 2006. (Excerpt from news story by Mark Ballard)

[source: News]

FBI to upgrade biometric system

(2007-05-18) [1105 Media, Inc] The FBI wants its new Next Generation Identification biometric information system to furnish faster and more high-quality links to other such repositories than its current methods provide, a senior bureau official said yesterday at a briefing attended by industry and government technologists.

"Dealing with other repositories has emerged as a major problem," said James A. "Jim" Loudermilk II, deputy assistant director at the bureau's Information Technology Operations Division, during the briefing. (Excerpt from news story by Wilson P. Dizard III)

[source: Government Computer News]

Working Paper: An Empirical Approach to Understanding Privacy Valuation

(2007-05-18) [Harvard Business School] What do consumers value and why? Researchers on privacy remain stumped by a "privacy paradox." Consumers declare that they value privacy highly, yet do not take steps to guard it during transactions. At the same time, consumers feel unable to enact their preferences on privacy.

Clearly, scholars need a more nuanced understanding of how consumers treat information privacy in complex situations. To test the hypothesis that there is a homo economicus behind privacy concerns, not just primal fear, Wathieu and Friedman conducted an experiment based on a real-world situation about the transmission of personal information in the context of car insurance. Their experiment was based on a previous case study about marketing processes that use membership databases of trusted associations (such as alumni associations) to channel targeted deals to members through a blend of direct mail and telemarketing. Luc Wathieu and Allan Friedman: "An Empirical Approach to Understanding Privacy Valuation"

[source: News]

Privacy: A 2008 campaign issue?

(2007-05-18) [Cox Newspapers, L.P] Remember the big campaign issue during the 2000 presidential race? It wasn't terrorism, of course. Neither did it have anything to do with foreign wars or other international issues.

That was the race between the relatively unknown Texas Gov. George W. Bush and Vice President Al Gore, who was putting distance between himself and President Bill Clinton. According to a New York Times article during the 2000 presidential campaign by Richard L. Berke, both presidential political parties and their candidates believed that privacy would be one of the big hot-button issues during the general election. President Clinton's pollster, Mark Penn, said his research showed that privacy had "a pretty powerful groundswell."

[source: wacotrib.com]

Why I Resigned From the President's Privacy and Civil Liberties Oversight Board -- And Where We Go from Here (Lanny Davis)

(2007-05-18) [The Hill] I have been asked by many interested parties, congressional staff and others, to explain my reasons for resigning from the five-member President's Privacy and Civil Liberties Oversight Board (PCLOB). The best and most complete explanation is contained in two letters that I wrote on the date of my resignation last week -- one to my colleagues on the Board -- Carol Dinkins, the chair; Alan Raul, the vice-chair; and Theodore Olson and Francis Taylor, members; and the second to President Bush.

But regardless of my resignation, the most important issue remains and must now be addressed by Congress, which is considering changes in the present structure of the Board: Is there a role for a part-time civilian oversight board on executive-branch anti-terrorist programs that potentially might infringe on basic civil liberties and privacy rights in the Constitution and under U.S. laws -- or not?

[source: Pundit Blog]

The President's Secret Program: A Timeline

(2007-05-17) [TPM Media LLC] Ever since James Comey's testimony Tuesday, there's been a renewed burst of speculation about just what secret domestic surveillance program(s) the administration has been running.

Marty Lederman over at Balkinization offers a great rundown of the best guesses about what the administration has been up to. But Comey's testimony and new details in The New York Times this morning mean that it's now possible to lay out a timeline of why all of this came to a head in March of 2004 when the program had been going on for more than two years at that point. (Excerpt from blog post by Paul Kiel)

[source: Blog]

Ottawa releases 'no-fly' details

(2007-05-17) [Toronto Star] Hundreds of individuals represent a "serious" threat to Canada's security, the federal government says as it lays out new measures to keep those people from boarding a commercial jet.

It's the first time that Ottawa has given an indication of how many people could be secretly named on its new "no-fly list," set to take effect June 18. (Excerpt from news story by Bruce Campion-Smith)

[source: thestar.com]

Haggling Over Flight Data

(2007-05-17) [Spiegel Online] The post-Sept. 11 flight data sharing agreement between the US and EU expires in July. But a new agreement is nowhere in sight. The Americans want to know even more, and the Europeans want to tell them even less.

The US wants to know everything about who is on trans-Atlantic flights. Michael Chertoff's logic sounded convincing. Earlier this week, the US Secretary of Homeland Security provided the European Parliament with a succinct explanation as to how the Sept. 11, 2001 terrorist attacks could have been prevented. Had US authorities already been in possession of the so-called Passenger Name Record (PNR) -- which includes 34 items of data about every person travelling to the US -- before the attacks, Chertoff said, then 11 out of the 19 hijackers would have been denied entrance to the US. Consequently, Chertoff said, 9/11 would probably never have happened. (Excerpt from news story by Matthias Gebauer)

[source: News]

ID scheme not failing, just shifting

(2007-05-17) [PinsentMasons] The Identity and Passport Service has claimed its identity card scheme is not "out of control", as the London School of Economics claims, but is being built on "uncertain" sands.

In an argument for "common sense" criticism of complex government IT projects, the IPS claimed that its cost estimates were likely to change with time. But the department has failed to respond to the other significant criticism of the IPS report - that there was a lack of information and lack of transparency that was an affront to democratic control of such a large and controversial project. "With any cost estimates covering a ten year forward period there are uncertainties," said the IPS in a statement. (Excerpt from news story by Mark Ballard)

[source: Out-law.com]

Iris scanning lands at Gatwick

(2007-05-17) [CNet] Iris recognition-based biometric technology has been rolled out at Gatwick Airport's South Terminal. The Iris Recognition Immigration System (Iris) lets registered passengers enter the UK without queuing to see an immigration officer at passport control.

Air travellers enrolled on the scheme can walk up to an automated barrier, look into a camera and, if the system recognises them, enter the UK. (Excerpt from news story by Gemma Simpson)

[source: silicon.com]

Why U.S. News is Wrong About Internet Taps

(2007-05-17) [Wired] U.S. News and World Report says THREAT LEVEL needs to take a chill pill on the issue of internet surveillance. "Nothing quite excites the blogosphere like a threat to its fiefdom," zings reporter Chris Wilson, who claims that last Monday's deadline for broadband providers to become wiretap friendly is mostly a nonevent, given how rare internet wiretaps are.

Bottom line: Making surveillance fast and simple invariably makes it more attractive to cops and spooks, who might otherwise have to run down leads and pursue investigations with shoe leather. Broadband CALEA will mean the internet is spied on more -- a lot more, we think. Whether that's a good thing or bad depends on your point of view.

[source: Blogs]

CIPPIC files submission on Elections Act amendments

(2007-05-17) [CIPPIC] In a submission filed with the Senate Committee on Legal and Constitutional Affairs today on Bill C-31, CIPPIC objects to the expansion of personal information used for secondary purposes without the consent of electors.

Currently, Elections Canada is required to share names and addresses from the National Register of Electors with political parties for fundraising and other campaign purposes. Bill C-31 would add date of birth to the lists of electors shared for these purposes.

[source: News]

ID cards scheme "getting out of control"

(2007-05-16) [CNet] The UK's identity cards scheme appears "out of control", according to a group of researchers at the London School of Economics (LSE), who are calling for an independent review of the project's figures.

Last week a government report revealed the ID cards scheme will cost more than £5.5bn to set up and run over the next 10 years. But the LSE's Identity Project group - long-term critics of the ID cards scheme - has warned the government's report reveals "not a project that is progressing well but rather one that appears to be getting out of control, despite the best efforts of the Identity and Passport Service to minimise the risks and costs of the scheme". (Excerpt from news story by Gemma Simpson)

[source: silicon.com]

GAO says Homeland Security is breaking privacy laws

(2007-05-16) [azcentral.com] The Homeland Security Department is breaking the law by not telling the public exactly how personal information is used to screen international travelers, including Americans, congressional investigators said Wednesday.

One of the screening programs at issue is a computer-based system called the Automated Targeting System that is used by the Customs and Border Protection agency to rate the risk posed by travelers coming to and from the United States.

[source: azcentral.com]

Results of Survey Assessing the Business Impact of Data Security Breach

(2007-05-15) [Business Wire] Study Shows US Businesses Still Lack Adequate Security and Incident Response Plans to Protect Confidential Customer Information from a Potential Breach (NASD's 16th Annual Spring Securities Conference)

According to a new study commissioned by Scott & Scott, LLP (www.scottandscottllp.com) and conducted by privacy and information management research firm the Ponemon Institute (www.ponemon.org), 85% of businesses have experienced a data security breach. Despite the frequency of such security failures, 46% of businesses failed to implement encryption solutions even after suffering a data breach, and 82% did not seek legal counsel prior to responding to the incident despite having no prior response plan in place. The survey, entitled The Business Impact of Data Breach, examines the responses of more than 700 US-based C-level executives, managers, and IT security officers in mid-size to large businesses spanning all industries. Analysis of the results shows that businesses are struggling to implement the proper policies and controls required to prepare for and mitigate the legal, regulatory, and financial risks associated with a security failure. In addition, many businesses may be discounting the long-term threat to customer retention and corporate reputation.

[source: Business Wire]

CIPPIC testifies before Parliamentary Committee on ID Theft

(2007-05-15) [CIPPIC] CIPPIC testified today before the House of Commons Standing Committee on Access to Information, Privacy and Ethics ("ETHI" Committee) on Identity Theft.

CIPPIC's submission calls for a coordinated national strategy involving all stakeholders, which strategy should include amending PIPEDA to create meaningful incentives for compliance, mandating the FCAC to undertake a national public awareness campaign focused on common ID theft scams, establishing a national ID theft victim assistance bureau, and providing consumers with rights that improve their ability to detect, prevent, and mitigate the effects of ID theft.

[source: News]

Full body scans take off at Amsterdam airport

(2007-05-15) [CNet] Amsterdam's Schiphol airport began using new body-scanning machines at security checkpoints on Tuesday, becoming the first major airport to use the technology to find metals and explosives hidden under clothing.

The "security scan" system, which uses harmless radio waves to display head-to-toe images of people, is also being used by other airports on a trial basis, but Schiphol is the only one to deploy the technology for regular use at its checkpoints. Going through the scanner takes about three seconds, allowing users to avoid metal detectors or body searches. For privacy, the digital images are viewed by security personnel in another room and deleted after they are seen.

[source: News.com]

US, EU officials hopeful for airline data privacy pact

(2007-05-14) [ComputerWorld] European Commissioner for justice and home affairs Franco Frattini said Monday he is confident the European Union and the U.S. can reach an agreement on how to handle personal information about European citizens flying to America.

Airlines flying across the Atlantic to the U.S. must pass passenger information to American authorities under an interim agreement designed to bridge the gap between strict European data protection laws and U.S. antiterrorism intelligence gathering. Without such an agreement airlines would face either being sued in Europe for handing over the data or losing their landing slots in the U.S. if they don't share the information. (Excerpt from news story by Paul Meller)

[source: Security]

Of Biometrics and Privacy

(2007-05-14) [IT Analysis Communications Ltd.] At each RSA show, I've noticed that the emphasis on biometric security was enlarging, and that the vendors of this type of security were in deadly earnestness about the usefulness and reliability of their products. They were right.

A consumer has happened along that values privacy and the security of that privacy to the extent that they put Army Intelligence, the CIA, and the NSA combined all to shame. This particular consumer would endure weeks of torture rather than reveal secrets. If the Mossad were to emulate this consumer, the security of Israel would be absolute. (Excerpt from blog post by Susan Dietz)

[source: it-director.com blogs]

ETHI Committee undertakes study of ID Theft

(2007-05-14) [CIPPIC] The House of Commons Standing Committee on Access to Information, Privacy and Ethics ("ETHI committee") has launched a study into the types of and trends in identity theft, measures to increase consumer protection and to reduce and eliminate identity theft, and measures to increase public awareness of and provide better education with respect to identity theft.

This study is being conducted in light of an expected White Paper from Justice Canada focusing on the criminal justice aspects of identity theft.

[source: News]

IRS Looks to Collect Customer Data From Internet Firms

(2007-05-14) [ComputerWorld] A Washington-based advocacy group has warned Internet auction businesses of a plan by the federal government that would require them to collect and maintain personal data from customers and share it with the Internal Revenue Service.

The Center for Democracy and Technology (CDT) suggested that such a requirement may force companies of all sizes to collect -- and keep secure -- massive amounts of personal data. (Excerpt from news story by Jaikumar Vijayan)

[source: Government]

DHS privacy committee joins Real ID opposition

(2007-05-11) [ComputerWorld] A privacy committee of the U.S. Department of Homeland Security (DHS) has joined a growing chorus of voices opposed to the controversial Real ID bill, which proposes to create a national standard for state driver's licenses and other forms of state-issued identification.

In comments submitted to the DHS earlier this week, the department's own Data Privacy and Integrity Advisory Committee called the Real ID Act "one of the largest identity management undertakings in history" and said it raises serious privacy, security and logistical concerns. (Excerpt from news story by Jaikumar Vijayan)

[source: Security]

Corporate Critic Fights to Keep Internet Anonymity

(2007-05-03) [EFF] The Electronic Frontier Foundation (EFF) and the California First Amendment Coalition (CFAC) have asked a California appeals court to scrutinize a chemical company's attempt to strip the anonymity from a participant in an online message board.

The participant posted information that H.B. Fuller Co. claims could only have been obtained through a company "town hall meeting," in violation of an employee confidentiality agreement. However, the poster has submitted a declaration to the court swearing that he or she is not an employee and that the information posted on the message board could have been gleaned from any follower of Fuller's business practices.

[source: News]

Watchdog to examine use of DNA database

(2007-05-13) [newsquest (sunday herald) limited] The UK's genetics watchdog is to launch an inquiry into the retention of DNA samples by police amid concerns over Britain holding the biggest database of this type in the world.

The records of more than three million people - equivalent to around 5% of the population - are held on the national DNA database, which was set up to help tackle crime. But there have been concerns about its impact on civil liberties, particularly in England and Wales, where officers now have the right to keep the DNA of innocent people, including children. (Excerpt from news story by Judith Duffy)

[source: sundayherald.com]

Google plans to profile players

(2007-05-13) [FairfaxDigital] Internet giant Google has drawn up plans to compile psychological profiles of millions of web users by covertly monitoring the way they play online games.

The company thinks it can glean information about an individual's preferences and personality type by tracking their online behaviour, which could then be sold to advertisers. Details such as whether a person is more likely to be aggressive, hostile or dishonest could be obtained and stored for future use, it says. (Excerpt from news story by David Adam and Bobbie Johnson)

[source: theage.com.au]

Online Ads vs. Privacy

(2007-05-12) [Tuscaloosa News] For advertisers, and in many ways for consumers, online advertising is a blessing. Customized messages rescue advertisers from the broad reach of traditional media. And consumers can learn about products and services that appeal directly to them.

But there are huge costs, and many dangers, warns Jennifer Granick, the executive director for the Stanford Law School Center for Internet and Society (wired.com). To approach individuals with customized advertising, you have to know who they are. Or at least, you have to gather enough personal information about them that their identity could be easily figured out. (Excerpt from news story by Dan Mitchell)

[source: TuscaloosaNews.com]

Why does Google remember information about searches?

(2007-05-11) [Google] We recently announced a new policy to anonymize our server logs after 18 -- 24 months. We're the only leading search company to have taken this step publicly. We believe it's an important part of our commitment to respect user privacy while balancing a number of important factors.

In developing this policy, we spoke with various privacy advocates, regulators and others about how long they think the period should be. There is a wide spectrum of views on this -- some think data should be preserved for longer, others think it should be anonymized almost immediately. We spent a great deal of time sorting this out and thought we'd explain some of the things that prompted us to decide on 18-24 months. (Posted by Peter Fleischer)

[source: Official Blog]

Privacy Enhancing Technologies (PETs) - New webpage launched

(2007-05-10) [EU] While innovative information and communication services are constantly improving people's lives and generating growth throughout Europe's economy, they can also create new risks. Privacy Enhancing Technologies (PETs) can minimise them by helping people protect their privacy online. A dedicated webpage on PETs has now been launched on the Information Society portal.

As the Commission points out in Promoting Data Protection by Privacy Enhancing Technologies (May 2007 press pack), risks such as identity theft, discriminatory profiling, continuous surveillance or fraud are on the rise because people cannot yet fully control or protect their privacy when using ICTs. As their name suggests, PETs aim to make it more difficult to breach people's privacy, and to help users detect such breaches. The overall goal is to increase consumer confidence and safety online, without losing all the benefits of the Information Society. Europe needs to both help European academics and industrialists develop the technologies, and help the industry overcome the obstacles to their wider deployment.

[source: News]

Bush's Privacy Board Not Doing Its Job?

(2007-05-10) [Forbes] The leaders of the Sept. 11 commission say a White House privacy board is not protecting civil liberties because it refuses to investigate allegations of illegal detention at Guantanamo Bay.

"We urge they revisit the definition of their mission to include issues relating to the treatment of detainees," former Rep. Lee Hamilton, D-Ind., said in a telephone interview Thursday. He and former New Jersey Gov. Tom Kean sent a pointed letter to the board this week outlining their concerns. "If they continue to hold to their position, we don't think they're doing their job," Hamilton said. (Excerpt from news story by Hope Yen)

[source: Forbes.com]

Frontline Investigates Domestic Surveillance, Congress Still Hasn't

(2007-05-10) [Wired] PBS's investigative news arm, Frontline, has been looking into post 9/11 domestic surveillance and data-mining and will be running its findings - "Spying on the Home Front" on Tuesday, May 15. While there's not a whole lot new for dedicated watchers of the watchers, the piece made this reviewer wonder when Congress will get around to its long-promised oversight.

The piece focuses heavily on the government's sweeping in of data on 250,000 visitors to Las Vegas in the winter of 2003, when intelligence "chatter" indicated that terrorists might target New Year's Eve celebration in the city of decadence. Frontline also tackles predictive data mining and does a good close-reading of the careful way that Attorney General Alberto Gonzales parses his words to avoid answering Congressional questioning about the true extent of the Administration's warrantless surveillance of Americans.

[source: Blogs]

ID cards to cost more than £5.5bn

(2007-05-10) [CNet] The UK's identity cards scheme will cost more than £5.5bn to set up and run over the next 10 years, according to the government.

The cost of providing ePassports and ID cards to UK citizens for the period between April 2007 and April 2017 is estimated to be £5.55bn, according to the government's Identity Cards Scheme Cost Report May 2007. (Excerpt from news story by Gemma Simpson)

[source: silicon.com]

Data retention: a balancing act for telcos

(2007-05-10) [Times Newspapers Ltd] Telecoms companies collect data on every telephone call that you make and e-mail you send. They identify you, the other party, the time and duration and - in the case of mobile calls - where you are.

The Home Office is currently implementing a controversial EC Directive on data retention that will force telephone and internet service providers to keep this data for 12 months. The legislation has been introduced to help in the fight against crime but it has a wider effect that the Home Office does not appear to have considered: personal data will become available to those who wish to use it as evidence in private civil legal disputes. This has created an extra burden for telecoms companies who could find themselves dragged into customers’ private legal arguments. (Excerpt from news story by Richard Taylor)

[source: TimesOnLine]

Banks put customers in Swift Catch-22

(2007-05-10) [The Register] Bank customers wanting to make international transactions are being asked to sign a waiver to allow their personal details and financial records to be scanned by US anti-terror investigators.

The waivers put customers in the same Catch-22 European data protection officials found themselves in after it emerged that the US had been snooping on the world's international financial transactions in the hope of picking up some transnational insurgents. (Excerpt from news story by Mark Ballard)

[source: News]

First draft on data retention law in Romania

(2007-05-09) [EDRI] A first draft law for the implementation of the data retention directive was presented at the end of April 2007 by the Romanian Ministry of Communications and Information Technology for public consultation. The ministry also organized on 26 April a public debate on the draft law.

The first draft was achieved in cooperation with a number of public bodies including the Ministry of Justice, Ministry of Internal Affairs or the Romanian Data Protection Authority.

[source: EDRI-gram, Number 5.9]

The EDPS Annual Report for 2006 shows more concern for data protection

(2007-05-09) [EDRI] The European Data Protection Supervisor (EDPS) has issued its report for 2006 that includes activities and events as well as the main trends of the past year and draws conclusions related to complaints, developments in security, justice, freedom and new technologies with possible impact on personal data protection.

One of the conclusions of the report is that while the number of complaints has increased, it is still low and only 20% of the complaints made in 2006 were valid.

[source: EDRI-gram, Number 5.9]

PNR deal ratification postponed by the Czech Senate

(2007-05-09) [EDRI] The ratification by the Czech Parliament of the proposed agreement between the European Union and the United States of America on the processing and transfer of passenger name record (PNR) data has been taken off the agenda based on the position of the Green Party MPs.

On 23 April 2007, EDRI-member Iuridicum Remedium - Czech Republic sent a written appeal to the members of the Green Party parliamentary club, recommending that they vote against the ratification of the proposed agreement between the European Union and the United States of America on the processing and transfer of passenger name record (PNR) data for the following reasons:

[source: EDRI-gram, Number 5.9]

EDPS advises against new data protection framework decision

(2007-05-09) [EDRI] The European Data Protection Supervisor (EDPS) has shown serious concerns in his opinion on the Commission's new Council Framework Decision proposal regarding the protection of personal data processed in the framework of police and judicial co-operation in criminal matters.

Although appreciative of the German presidency's efforts, Peter Hustinx advised the Council against adopting the proposal considering it failed to provide appropriate data protection. EDPS believes that a Framework Decision on the protection of personal data in the third pillar is essential in the development of an area of freedom, security and justice and that "the growing importance of the police and judicial cooperation in criminal matters as well as the actions stemming from the Hague Programme have highlighted the necessity of common standards in the protection of personal data in the third pillar". At the same time, Hustinx underlines that some of the aspects of the proposal are not in agreement with the EU Treaty and some are even below the standards of the Council of Europe Convention 108 of 1981.

[source: EDRI-gram, Number 5.9]

European Commission supports Privacy Enhancing Technologies

(2007-05-09) [EDRI] Commissioner Franco Frattini, who is responsible for the legislation concerning co-operation between European police as well as data protection of European police, has shown public support for privacy enhancing technologies (PETs). Frattini's position is surprising taking into consideration his open support for other privacy-invasive projects such as the data retention directive, EU-US PNR agreement or the planned EU fingerprint database.

A public statement published by the European Commission (EC) on 2 May 2007 directly supports PETs, expecting them to improve the protection of privacy as well as help fulfil the data protection rules.

[source: EDRI-gram, Number 5.9]

Security labs cannot cope with volume of internet threats

(2007-05-08) [Help Net Security] "There is a dramatic increase in the quantity of malware being unleashed on the Internet," said Luis Corrons, technical director of PandaLabs, Panda Software's malware research laboratory.

"There is such a great volume that the computer security labs are being overwhelmed and are not able to keep up with developing the vaccines needed for a large percent of new threats. This means that even computers with antivirus software installed are still vulnerable to new infections."

[source: News]

Internet Calls Subject To Phone Tapping

(2007-05-08) [ABC Inc.] Companies that provide Internet phone service have just six days to meet a deadline from the Justice Department. By next Monday, they'll have to make their systems easier to tap. That's right -- make it easier to secretly listen in on your phone calls, or face daily fines of $10,000 dollars.

FBI phone taps helped bring down the Teflon Don, John Gotti. Police phone taps helped put Scott Peterson on Death Row for murdering his wife, Laci. Phone taps are also a major weapon in the war on terror. (Excerpt from news story by Eric Thomas)

[source: KGO]

Tougher privacy rules on the cards

(2007-05-08) [VNU Business Publications Ltd.] Companies could soon face pressure to improve their data protection practices after both the UK's privacy watchdog and the European Commission (EC) announced proposals to better protect individuals' privacy rights.

Speaking to a Parliamentary Home Affairs Select Committee, information commissioner Richard Thomas proposed new safeguards to help ease public concerns about the emergence of a "surveillance society". (Excerpt from news story by Madeline Bennett)

[source: Computing]

Phishing Social Networking Sites

(2007-05-08) [ha.ckers.org] RSnake was able to talk to someone who was willing to sit down and write out some thoughts from a phisher's perspective.

The phisher goes by the name "lithium" and agreed to answer a number of questions that have been on my mind for a while now. Huge thanks to him, as I think a lot of this is valuable information to the community at large. These are his words - unmodified.

[source: blog]

Privacy concerns over Government net plans

(2007-05-08) [The Sydney Morning Herald] Privacy advocates fear the introduction of a single user name and password for accessing all online government services has the potential to become a digital national ID card.

Today's Federal Budget allocates $42 million to create a single sign-on service as part of the Australian Government Online Service Point. To be built at australia.gov.au, the service will enable Australians to carry out transactions with multiple government agencies, and move between government websites, without the need to reconfirm their identity. (Excerpt from news story by Adam Turner)

[source: smh.com.au]

REAL ID Is Fundamentally Flawed

(2007-05-07) [TheHill] The Department of Homeland Security is feeling the heat from the public about REAL ID, a privacy-invasive mandate that would essentially create a national ID system and force states to develop massive, interlinked databases of your personal information.

DHS provided a mere eight days notice about a national town hall meeting about REAL ID, but the public made its outrage heard at the event in Davis, Calif. Wednesday, both in person and through email comments. One computer science Ph.D. student pointed out that REAL ID "solves the wrong problem," because IDs do nothing to stop those who haven't already been identified as threats. REAL ID also won't prevent wrongdoers from creating fake documents. As the Cato Institute's Jim Harper explained in recent testimony before Congress, a basic analysis using even very generous assumptions shows that the benefit of REAL ID doesn't even come close to the cost.

[source: The Hill's Congress Blog]

New Report: Engaging Privacy and Information Technology in a Digital Age

(2007-05-04) [National Academies] CSTB releases Engaging Privacy and Information Technology in a Digital Age, which examines how threats to privacy are evolving, ongoing information technology trends, and how society can balance the interests of individuals, businesses, and government in ways that promote privacy reasonably and efficiently.

The report provides ways to think about privacy, its relationship to other values, and related tradeoffs and provides an in-depth look at ongoing information technology trends as related to privacy concerns. By doing so, the report is intended to contribute to a better understanding of the many issues that play a part in privacy and contribute to the analysis of issues involving privacy. Perhaps most importantly, the report seeks to raise awareness of the web of connectedness among the actions we take, the policies we pass, and the expectations we change.

[source: News]

You're online -- for all to see

(2007-05-03) [Miami Herald Media Co.] The state's clerks of court will get three more years to black out Social Security, bank account, credit, debit and charge card numbers from public records available on the Internet.

That's three more years Florida citizens could be at risk of identity theft courtesy of state and local government. Until then, residents must submit a request in writing to have their personal information stricken from online documents. (Excerpt from news story by Monica Hatcher)

[source: MiamiHerald.com]

What's on the minds of privacy experts? The ACM Conference on Computers, Freedom, and Privacy

(2007-05-03) [MIT Technology Review] The annual Association for Computing Machinery (ACM) conference on Computers, Freedom, and Privacy (CFP) was once the only venue where topics like cyber-rights, wiretaps, and cryptography policy were actually discussed. That's before Wired magazine and the birth of the commercial Internet as we know it, of course. But CFP is still one of the few places where technologists, policy wonks, government officials, and the cyber-libertarian fringe can get together and have open and honest, if not entirely friendly, conversations.

I gave a tutorial about computer forensics, then sat in on a talk about U.S. wiretap regulation. In the evening there was a 90-minute session called "Postings from the Edge," at which some of the wise old heads of the Internet gave their opinions about the leading technology and policy problems of our day. By Simson Garfinkel

[source: Blogs]

Privacy International announces global privacy invaders

(2007-05-02) [Privacy International] In an event in Montreal, Canada, Privacy International ran the first International Big Brothers Awards ceremony. At the 'Computers, Freedom and Privacy' conference, with over 200 attendees, PI outed the most invasive companies, projects, officials, and governments. A special award for the 'Lifetime Menace' was also announced.

PI's 'Big Brother Awards' have been running for nearly ten years, with events run in eighteen countries around the world. Government institutions and companies have been named and shamed as privacy invaders in a variety of countries and contexts. This year was the first time that Privacy International ran an international event to identify the greatest invaders around the world. The event was hosted by 'the pope', as presented by Simon Davies in full regalia. Previous hosts include 'Dr. Evil' and 'The Queen of England'.

[source: News]

Respectful Cameras

(2007-05-02) [MIT Technology Review] A new type of video surveillance protects the privacy of individuals.

A camera developed by computer scientists at the University of California, Berkeley, would obscure, with an oval, the faces of people who appear on surveillance videos. These so-called respectful cameras, which are still in the research phase, could be used for day-to-day surveillance applications and would allow for the privacy oval to be removed from a given set of footage in the event of an investigation. (Excerpt from news story by Brendan Borrell)

[source: News]

New event: Symposium "Data Protection in Europe"

(2007-05-14) Symposium "Data Protection in Europe" will take place on June 12, 2007 (Berlin, Germany).

See calendar entry.

Parliamentary Committee reviewing PIPEDA (Canada's privacy law) makes recommendations to Parliament

(2007-05-03) [CNW Group] Yesterday the House of Commons Standing Committee on Access to Information, Privacy and Ethics ("the Committee") made recommendations in its fourth Report to Parliament, following a statutory five-year review of Canada's federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA).

Under section 29 of PIPEDA, and pursuant to an order of the House of Commons, Part I of the Act, Protection of Personal Information in the Private Sector, is subject to review every five years. Following a review, the Committee must submit a report to Parliament that includes a statement of any recommended changes to Part I or its administration. (Excerpt from news story by Ariane Siegel)

[source: News]

Podcast: On Privacy

(2007-05-01) [IT Conversations] Gelman talks about privacy and the new ubiquitous services on the web.

The Geospatial Web promises a wealth of cool new applications that will map people and objects from real space into cyberspace. Users will be able to connect with each other, learn about their environment, and find products and services they are interested in linked to their current location. This is an exciting proposition but it poses significant privacy risks. The recent public uproar when Google and other search companies were asked to reveal search terms to the government demonstrates that users demand privacy in the things that they look for on the Web. This expectation will only increase when the Geospatial Web links their online activity to their location in real space. People may want to find stuff--but will they be equally willing to be found? Lauren Gelman of Stanford University explains aspects of current U.S. law that protect users' location and online privacy, and areas where the law fails and technology must step in. If the builders of geospatial tools fail to embrace privacy-promoting design, the potential of next-generation web applications may never be realized. However, thinking about this at the inception of this new location-based technological frontier, and designing an architecture that protects user privacy, will pay off in the long run as people are more willing to embrace cool new tools knowing their privacy will be protected. Listen to the podcast (length 00:17:29).

[source: News]

Promoting Data Protection by Privacy Enhancing Technologies (PETs)

(2007-05-02) [EU] The Commission adopts today a Communication with the purpose of identifying the benefits of Privacy Enhancing Technologies (PETs) and laying down the Commission's objectives in this field, to be achieved by a number of specific actions supporting the development of PETs and their use by data controllers and consumers.

The development of information and communication technologies is constantly offering new services which improve people's lives. However, alongside these benefits, new risks also arise for the individual, such as identity theft, discriminatory profiling, continuous surveillance or deceit. See also background report.

[source: Press Release]

Commission to promote development of Privacy Enhancing Technologies

(2007-05-03) [EU] Identifying the benefits of Privacy Enhancing Technologies (PETs) and promoting their development is the goal of a new Communication adopted by the European Commission on 2 May.

The right to the protection of personal data is enshrined in Article 8 of the Charter of Fundamental Rights of the European Union, and the Data Protection and ePrivacy Directives set out in detail the obligations of the data controller as well as what happens if a data subject's rights are breached. While information and communication technologies (ICT) have brought numerous benefits to consumers, they also bring about risks such as identity theft, discriminatory profiling and deceit. The new Communication highlights the need to identify the technological requirements of PETs and fund more research into them. Under the Sixth Framework Programme (FP6), the EU spent over €18 million on PET research, a figure which is expected to increase significantly in the coming years. The Commission will also promote the development of these technologies through large-scale pilot demonstrations.

[source: News]

NASA scientists: ID plan threatens privacy

(2007-05-04) [United Press International] NASA scientists joined a growing list of groups opposed to a Bush administration plan to standardize federally issued IDs.

Four National Aeronautics and Space Administration scientists from the Jet Propulsion Laboratory sent a letter to Congress asking for a bipartisan effort to oppose the plans currently pursued by the Department of Homeland Security. Following the Sept. 11, 2001, attacks on New York and Washington, the Bush administration passed a number of directives to standardize federally issued identification. The scientists are just one group that has voiced concerns about the standardization procedures.

[source: upi]

Do State Governments Protect Your Privacy? Don't Count on It

(2007-05-03) [ABCNews Internet Ventures] While federal Homeland Security is meticulously warning American citizens about the potential for identity theft, not to mention terrorism, many state governments are making private records, such as Social Security numbers, mother's maiden names, signatures and addresses available online for anyone to see.

"I found John McCain's parking space number in Arlington County, Va., and Colin Powell's Social Security number in Fairfax County, Va., as well as Tom DeLay's in Fort Bend County, Texas," said B.J. Ostergren, a Virginia activist who is fighting to get state governments to remove personal records from the Internet. (Excerpt from news story by Melissa Cornick)

[source: ABC News]

The slippery slope of online public records

(2007-05-04) [East Valley Tribune] The announcement last week of a deal between Google and four states, including Arizona, to allow direct access to online state-government public records through Google's own search engine represents a huge leap forward in the cause of keeping government accountable through easier access to public documents.

However, the arrangement, as reported by the Associated Press in Monday's Tribune, comes with a few caveats. Marc Rotenberg, executive director of the Washington-based Electronic Privacy Information Center, told the AP of two valid concerns

[source: East Valley Tribune]

EU Data Protection Supervisor warns against networking police databases

(2007-05-03) [Heise Zeitschriften Verlag] Peter Hustinx, the European Data Protection Supervisor (EDPS), has warned against the planned networking of the police databases of all EU member states. Before that happened, common data protection rules and standards would need to be established, Mr. Hustinx said on Wednesday in Brussels.

"We should not miss this chance to combine effective criminal prosecution with good data protection," he added. Any other approach would be irresponsible, he observed. In mid-February the 27 ministers of the interior of the EU member states had agreed in principle to extend the exchange of police data, which today is restricted to Germany, France and five other member states, to the whole of the European Union.

[source: heise on-line]

EU looks to technology to protect privacy

(2007-05-03) [Dennis Publishing Limited] Bloc to examine use of privacy enhancing technologies to battle identity theft and surveillance, the commission has said.

The European Commission has set out plans to examine the use of Privacy Enhancing Technologies (PETs) to counteract identity theft, discriminatory profiling and surveillance. The commission will promote the research and development of PETs, run large-scale pilots in industry and public sectors, and create a European Union-wide privacy seal system. (Excerpt from news story by Nicole Kobie)

[source: ITPro]

Tribunal orders government to publish gateway reviews of ID cards scheme

(2007-05-03) [ComputerWorld] The government must publish "gateway reviews" on the progress of its ID card scheme, the Information Tribunal has ruled.

The tribunal is the agency that hears and rules on appeals against decisions made by the Information Commissioner's Office, the data protection watchdog. Its ruling will allow greater public scrutiny as the ID card project develops. The tribunal upheld information commissioner Richard Thomas's decision ordering the Office of Government Commerce, which carries out gateway reviews on major public sector projects, to disclose its reviews of the ID programme and its "traffic light status" at the gateway review 1 stage, in line with requests under the Freedom of Information Act. (Excerpt from news story by Tash Shifrin)

[source: ComputerworldUK]

SWIFT wants to make it harder to access data of EU customers

(2007-05-03) [Heise Zeitschriften Verlag] The Financial Times Deutschland (FTD) is reporting that the SWIFT finance network is planning additional data centers in Europe and the US, but it wants to leave European payment data in Europe so that US authorities do not have such easy access to the data. In doing so, SWIFT is at least satisfying its fiercest critics, who have refused to accept the current efforts towards a safe harbor regulation because US authorities do not have to fulfill European data protection laws.

The paper quotes Axel Weiß, an expert for payment transactions on the Central Credit Committee, who says that SWIFT has presented a solution that banks have been waiting for. The deputy data protection officer of the German state of Schleswig-Holstein, Johann Bizer, sees this move as a "trust-building measure." SWIFT will reportedly be spending up to 300 million euros to upgrade its IT infrastructure. The FTD reports that the project will be presented to the supervisory board in June. A decision could be reached in September, but it could take from three to five years to complete the transition. But the newspaper says that Bizer does not understand why it would take so long.

[source: heise on-line]

Prof Urges Internet Search Purges

(2007-05-03) [The Harvard Crimson, Inc.] Working paper calls for search engines to delete Internet activity records. Big Brother could be watching you online. That's what one Kennedy School associate faculty member cautioned yesterday, calling for a change in the way that internet activities are monitored and recorded.

In "Useful Void: The Art of Forgetting in the Age of Ubiquitous Computing," Associate Professor of Public Policy Viktor Mayer-Schoenberger argued for computer systems to regularly delete information, a practice he calls "data ecology." (Excerpt from news story by Beryl C.D. Lipton)

[source: Harvard Crimson]

Report all breaches of privacy, MPs urge

(2007-05-03) [CanWest MediaWorks Publications Inc.] Privacy commissioner would decide whether to tell people affected.

Companies may soon be forced to tell Canadians when their personal information is lost or stolen by identity thieves under recommendations released Wednesday by a parliamentary committee moving to strengthen federal privacy laws.

Companies that suffer a security breach should be required to inform the federal privacy commissioner, who will then decide whether the loss is serious enough to inform the people affected, said the report by MPs on the privacy and ethics committee. (Excerpt from news story by Carly Weeks)

[source: Edmonton Journal]

Privacy Law Professor Concludes Forwarding of Private Email Without Permission Violates Rights

(2007-05-02) [newswise] In a major article examining the strength of legal arguments to protect private e-mail expression, a University of Arkansas law professor concludes that, based on the historical common law, today's Federal Copyright Act does not protect someone from copying and distributing another person's private expression, which means that forwarding e-mail without permission of the sender may be against the law.

"Going back more than 250 years, the common law recognized that authors of personal correspondence hold absolute property rights in their private expression," said Ned Snow, assistant professor of law. "Although the Copyright Act has been construed to preempt common law rights of expression and thereby deprive authors of privacy, there is no such preemption. Under the Constitution, private expression falls outside the scope of expression that is subject to federal regulation. The routine practice of e-mail forwarding violates principles of common-law copyright regardless of what the Federal Copyright Act says."

[source: newswise]

EU watchdog criticizes governments for hasty use of biometric data

(2007-05-02) [eux.tv] European governments risk violating the protection of their citizens' personal data by acting hastily in approving the use of fingerprints and iris scans in passports, the European Union's data watchdog warned Wednesday.

The 27-member EU was "rushing in a new era" of using biometric identifiers for security checks while standards for data protection were still not clear, the EU's independent data protection supervisor Peter Hustinx told reporters.

[source: eux.tv]

Data in danger

(2007-05-01) [news.com.au] Companies may face tough new data protection rules requiring them to tell customers when personal records are lost or exposed, as support grows for a US-style mandatory data breach notification law.

Leading credit reporting provider Veda Advantage is calling on businesses to lead the way in applying stronger data governance standards to sensitive customer information held in company systems. (Excerpt from news story by Karen Dearne)

[source: Australian IT]

Most complaints to EU privacy watchdog are misdirected

(2007-05-02) [PinsentMasons] The number of complaints to the European Data Protection Supervisor (EDPS) almost doubled in 2006, but only 20% were valid complaints for the privacy watchdog of the EU institutions, its annual report has said.

The number of complaints remained small, rising from 27 in 2005 to 52 in 2006. All but 10 of the complaints should have been directed to national data protection authorities and not the European Supervisor. In 2005 all but five of the complaints were similarly misdirected.

[source: Out-law.com]

Google, Yahoo urged to shield privacy rights

(2007-05-02) [Los Angeles Times] Google Inc. and Yahoo Inc. should adopt policies to protect privacy and human rights in countries with authoritarian governments, New York City's comptroller said Tuesday.

William C. Thompson plans to urge the Internet companies to adopt such rules at their annual meetings over the next two months. The city's pension funds own about $124 million of Yahoo shares and $338 million in shares of Google, Thompson said in a statement.

[source: latimes.com]

Slow down national ID standards, state officials say

(2007-05-01) [The Sacramento Bee] Citing security and privacy concerns, department of motor vehicles officials from Western states on Tuesday urged the U.S. Department of Homeland Security to slow down implementation of a law requiring states to standardize supporting documents for driver's licenses.

"We have established a secure level of privacy and security and we would say that should be the level that all states achieve before we would be willing to share information with other states," George Valverde, director of the California Department of Motor Vehicles, told a DHS panel meeting on the campus at the University of California, Davis. His counterparts from Arizona and Nevada agreed. (Excerpt from news story by Aurelio Rojas)

[source: sacbee.com]

Debate Revived Over Private Use Of Terror Watch Lists

(2007-05-01) [FOX News Network, LLC.] A debate over whether federal terror lists are wrongly singling out innocent Americans has been revived in a recent report suggesting that landlords, employers and even health insurers are vetting people against a Treasury Department terror list and not always getting it right.

The Lawyers Committee for Civil Rights of the San Francisco Bay Area alleges that more Americans than ever are being mistakenly connected to the Treasury Department's Office of Foreign Assets Control (OFAC) list of persons and companies engaging in or affiliated with terrorism. (Excerpt from news story by Kelley Beaucar Vlahos)

[source: Fox News]

Health Information and Internet Privacy Top Youth Privacy Concerns

(2007-05-01) [Fairfax New Zealand Limited] Australia's privacy review has discovered that one of the key concerns for Australia's young people is whether their medical information should be kept confidential from their parents.

Australian Law Reform Commission (ALRC) president Professor David Weisbrot said research indicated that young people's attitudes to privacy differ significantly from the attitudes of their parents, grandparents, and even older siblings. "We've been holding a series of youth workshops, and have set up a special 'Talking Privacy' website aimed at young people to test this theory as part of our comprehensive review of Australia's federal privacy legislation," he said. So far, the youth workshops, which are aimed at 12 to 25 year olds, have been held in Sydney, Perth, Brisbane, and Hobart. Exploring a range of privacy issues, the workshops have sought the experiences and opinions of young people on how the current privacy laws are working, and what changes should be made for the future.

[source: stuff]

Information Commissioner calls for new privacy safeguards to protect against the surveillance society

(2007-05-01) [Policy Dialogue International] The Information Commissioner, Richard Thomas, is today proposing new safeguards -- including privacy impact assessments and inspection powers -- to ensure public confidence in initiatives and technologies which could otherwise accelerate the growth of a surveillance society.

Giving evidence before the Home Affairs Select Committee the Information Commissioner will also call for stronger powers to allow his Office (the ICO) to carry out inspections and audits. Currently the Commissioner must gain consent before inspecting an organisation for compliance with the Data Protection Act.

[source: eGov Monitor]

In the U.S., Privacy Isn't Always Convenient, Or Wanted

(2007-05-30) [Bank Technology News and SourceMedia, Inc.] Privacy is a mixed blessing in America. In the wake of The TJX Companies' breach, in which the personal information of 45.7 million credit and debit cardholders was stolen, market watchers expected consumers to vote with their feet. They did, sending sales up 11 percent - an increase of $1.7 billion over a five-week period ending in early April - in spite of the company's admission that the data theft is far worse than originally presumed. This is not exactly the response observers anticipated.

TJX, based in Framingham, MA, was ranked the 138th largest company on the Fortune 500 list in 2006. At press time, more than 60 of the 205 banks in TJX's home state had reissued cards after being contacted about the breach, according to the Massachusetts Bankers Association. (Excerpt from news story by Holly Sraeel)

[source: btn]

Privacy groups renew push against Real ID bill

(2007-05-03) [ComputerWorld] Privacy advocates are making a last-ditch effort to muster public opposition to the controversial Real ID bill, which proposes to create a national standard for issuing state drivers' licenses and other forms of state-issued identification.

Earlier this week, a broad coalition of more than 40 organizations launched a national campaign urging the public to submit comments to the U.S. Department of Homeland Security (DHS) expressing opposition to Real ID. (Excerpt from news story by Jaikumar Vijayan)

[source: Government]

State Department Fails to Provide Privacy Impact Assessments

(2007-05-04) [CDT] CDT urged the State Department to comply with the Freedom of Information Act and the E-Government Act of 2002 and release "privacy impact assessments" (PIAs) on the electronic passport and the proposed PASS card program.

In a letter this week to Secretary of State Condoleezza Rice, CDT reported submitting a FOIA request for the documents in December 2006. After receiving initial word from a State Department official that the request was being processed, further attempts to follow up have failed. CDT urged the department to produce the required PIAs as soon as possible and to post all future PIAs to its public Web site.

[source: News]

Parliamentary Committee releases Report on PIPEDA

(2007-05-03) [CIPPIC] The House of Commons Standing Committee on Access to Information, Privacy and Ethics released its report on the federal private sector data protection legislation yesterday.

The report contains numerous recommendations for amendments to PIPEDA, including a data breach notification requirement. However, the Committee recommended against giving the Privacy Commissioner order-making powers.

[source: News]

Information Commissioner demands new powers

(2007-05-01) [PinsentMasons] Information Commissioner Richard Thomas will demand new powers from Parliament today. Thomas will tell a Parliamentary committee that an increase in his authority is essential to stop the UK becoming a surveillance society.

"Last year I warned about the dangers of waking up to a surveillance society," said Thomas. "While I do not believe that we are living in the type of society associated with totalitarian regimes it is important that there is a vigorous debate around the issue of surveillance -- about where lines should be drawn and the restrictions and safeguards which are needed."

[source: Out-law.com]

UPI/Zogby Poll: Americans Value Privacy Rights

(2007-05-03) [EPIC] A majority of Americans, 53.4 percent, polled by United Press International and Zogby International said they did not agree that "the government could suspend privacy laws to enable the sharing of counter-terror information that could include private data on U.S. citizens."

More than one-third, 35 percent, strongly disagreed with that statement. The April 13-16 survey included 5,932 U.S. residents and had a margin of error of 1.3 percentage points. The poll comes as senior Bush administration officials told Congress that they believed the president had the authority to decide whether to conduct surveillance without warrants, despite the Foreign Intelligence Surveillance Act.

[source: EPIC Alert, Volume 14.09]

Privacy Board Releases Report, Privacy Act Missing in Action

(2007-05-03) [EPIC] The President's Privacy and Civil Liberties Oversight Board has released its first annual report to Congress. The report lists various activities during the past year, but provides little insight as to the Board's position on such key issues as the President's domestic surveillance program, government watch lists, or the terrorist scoring that the Department of Homeland Security assigns to US citizens. A search for "Privacy Act," the primary federal law that safeguards the rights of Americans, produces 0 hits.

The Privacy and Civil Liberties Board, which operates within the Executive Office of the President, is intended to "[advise] the President and other senior executive branch officials to ensure that concerns with respect to privacy and civil liberties are appropriately considered in the implementation of all laws, regulations, and executive branch policies related to efforts to protect the Nation against terrorism." Its five members are appointed by, and serve at the pleasure of, the President.

[source: EPIC Alert, Volume 14.09]

Google Shareholder Group Urges Data Retention Policy Disclosure

(2007-05-03) [EPIC] Last week, a Google shareholder group submitted a proposal to ban censorship and protect user identity. The proposal was submitted by the Office of Comptroller of New York City, which oversees retirement plans for city employees, teachers, police officers, and firefighters. Combined, these funds hold 486,617 shares of Google stock worth about $228.2 million.

The proposal argues that the United Nations' Universal Declaration of Human Rights guarantees the freedom to access information on the Internet. Accordingly, the proposal urged Google to institute the following "minimum standards" to protect freedom of Internet access in human-rights-challenged countries: (1) not hosting personally identifiable information in countries that censor Internet access, where political speech can be considered a crime; (2) not engaging in pro-active censorship; (3) using all legal means to resist demands for censorship, and engaging in censorship only when legally required; (4) informing users when Google has agreed to a government censorship request; (5) informing users about Google's data retention and data sharing policies; and (6) documenting all instances in which Google complies with a legally binding censorship request, and making such information publicly available.

[source: EPIC Alert, Volume 14.09]

EPIC Recommends Strong Privacy Safeguards for Breach Investigations

(2007-05-03) [EPIC] In comments to the Federal Trade Commission this week, EPIC urged the FTC to limit the disclosure of personal information related to security breach investigations. EPIC said that the Privacy Act exemption sought by the Commission was far too broad, and the Commission should notify individuals whose personal data may have been improperly disclosed in a security breach before other government agencies are notified.

EPIC criticized the FTC proposal to broadly expand a Privacy Act exemption to allow disclosure of affected individuals' personal data to the "vague groups that the FTC finds 'reasonably necessary to assist' the agency 'in connection with' its response to security breaches, that are 'suspected or confirmed.'" EPIC said that a data breach, or suspected breach, should not entitle even more people to view the personal data of the individuals affected by the security breach. "Such mass disclosure is especially questionable in light of the financial nature of the data involved. Would the entire case file, including Social Security Numbers and credit card information, be released to all the 'agencies, entities, and persons' that the FTC finds 'reasonably necessary to assist' in its investigations?"

[source: EPIC Alert, Volume 14.09]

More Than 50 Groups, 75 Blogs Join Campaign to Stop REAL ID

(2007-05-03) [EPIC] This week, 54 organizations representing transpartisan, nonpartisan, privacy, consumer, civil liberty, civil rights, and immigrant organizations joined to launch a national campaign to solicit public comments to stop the nation's first national ID system: REAL ID.

The groups joining the anti-REAL ID campaign are concerned about the increased threat of counterfeiting and identity theft, the lack of security protecting the document's machine-readable content against unauthorized access, the increased cost to taxpayers, the diversion of state funds intended for homeland security, the increased cost of obtaining a license or state-issued ID card, and the false belief the REAL ID would create that it is secure and unforgeable.

[source: EPIC Alert, Volume 14.09]

Google: Privacy vs. Open Government

(2007-05-02) [CIO Today] At the Center for Digital Democracy, CEO Jeff Chester has been tracking the privacy implications of Google's growth, particularly in light of Google's plans to index data from government Web sites. "To the extent that Google can match up public records with other user data that goes into advertising targeting programs, that's a problem," he said.

As Google CEO Eric Schmidt has repeatedly said, the goal of his company is nothing less than to index all of the world's information and make it available to anyone with an Internet connection. It is a lofty, even visionary goal that already has begun reshaping how we look at (and look up) information. But as George Orwell might have said, had he written "Server Farm," not all information is created equal. In its relentless, Borg-like pursuit of information, Google is increasingly handling and indexing vast quantities of personal information that all too easily can be used to commit identity theft and other modern data crimes. (Excerpt from news story by Frederick Lane)

[source: News]

Perspective: National ID card a disaster in the making

(2007-05-03) [CNet] Six years into the "new normal" of terror alerts, identification checks, electronic surveillance, and increasing levels of secrecy-based security, the prospect of a national identification card needs serious public debate. Security experts Richard Forno and Bruce Schneier say Homeland Security is committing a blunder of historic proportion.

In March, the Department of Homeland Security released its long-awaited guidance document regarding national implementation of the Real ID program, as part of its post-9/11 national security initiatives. It is perhaps quite telling that despite bipartisan opposition, Real ID was buried in a 2005 "must-pass" military spending bill and enacted into law without public debate or congressional hearings. (Excerpt from story by Richard Forno and Bruce Schneier)

[source: News.com]

Slides on privacy and security

(2007-05-02) [SRC07] Slides from a presentation on the tension between security and privacy.

From the European Conference on Security Research SRC '07 (March 26-27, 2007, Berlin, Germany): Stephan Engberg's (Priway ApS, DK) talk "From Central Command & Control to Citizen Empowerment & Dependability" showed how unbalanced surveillance increases security problems and went on to dismantle the illusion of a trade-off between security and freedom. He argued for moving past National ID 1.0 and re-addressing the root democratic balance between protecting the citizen from others and protecting others from the citizen, given that perimeter security disappears in a digitally integrated world. Look at the slides.

[source: News]

DHS Sweats Out National ID Town Hall Meeting

(2007-05-02) [Wired] Department of Homeland Security officials got an earful Tuesday during a webcast town-hall-style meeting on the controversial Real ID initiative -- a federal government plan to standardize state-issued ID cards and link identification databases nationwide.

States and civil liberties groups have been bristling at the requirements of the Real ID Act, which would require states, starting in 2008, to revalidate citizens' birth certificates, store copies of the documents, and interconnect their databases to prevent duplicate licenses. Current holders of driver's licenses would have to return to their state motor vehicle departments with certified source documents to re-up their licenses as part of the proposed upgrade, which DHS estimates will cost states and citizens $20 billion. (Excerpt from news story by Ryan Singel)

[source: News]

The RFID Guardian: a firewall for your tags

(2007-05-01) [Ars Technica LLC] Don't carry RFID? You might be surprised; the short-range ID technology is currently found in everything from US passports to swipeless credit cards to public transit passes to World Cup tickets to car keys to the building access pass for your office building. A few of the digerati even elect to have RFID implants from VeriChip slipped beneath their skin in order to use them as cashless payment systems.

Much of the information on these chips can be read without exotic equipment, assuming an attacker can get within several feet with a concealed RFID reader. Unfortunately, most tags give users no control over when they respond to queries, and they offer no notification, which means that sensitive data could be at risk in public places. (Excerpt from news story by Nate Anderson)
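A toy model of what a "tag firewall" such as the RFID Guardian does, added here as an illustration; it is not code from the Ars Technica story or from the RFID Guardian project. An ordinary tag answers every inventory query, which is the problem the story describes; the guardian is modelled as a proxy between readers and tags that applies an owner-defined policy, suppresses ("jams") the replies the policy denies, and logs every query so the owner is at least notified. The tag identifiers, reader identifiers, locations and the policy are constructed sample values, and jamming is modelled as dropping a reply rather than as real RF hardware.

```python
"""Toy model of an RFID 'tag firewall' (the RFID Guardian idea).

Added illustration, not code from the Ars Technica story or the RFID Guardian
project. A plain tag answers every inventory query; the guardian sits between
readers and tags, applies an owner-defined policy, suppresses ("jams") replies
the policy denies, and logs every query so the owner is notified. Tag IDs,
reader IDs, locations and the policy below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Query:
    reader_id: str   # who is asking ("unknown-reader" for an unidentified reader)
    location: str    # where the owner currently is, known to the guardian, not the tag


@dataclass
class Tag:
    epc: str

    def respond(self, query: Query) -> str:
        # Ordinary tags have no notion of authorisation: any reader in range gets the ID.
        return self.epc


# Policy: EPC prefix -> set of (reader_id, location) pairs allowed to read it.
# "*" as reader_id means any reader, but only at that location. Default is deny.
Policy = Dict[str, Set[Tuple[str, str]]]

POLICY: Policy = {
    "passport:": {("cbp-kiosk", "border")},   # only the border kiosk, only at the border
    "transit:":  {("*", "metro")},            # any turnstile reader, only while in the metro
    "retail:":   {("*", "store")},            # any point-of-sale reader, only in a store
}

# Constructed sample tags an owner might be carrying.
SAMPLE_TAGS = [Tag("passport:US:0001"), Tag("transit:0042"), Tag("retail:SKU-7")]


def unprotected_inventory(query: Query, tags: List[Tag]) -> List[str]:
    """What a concealed reader sees today: every tag answers, no questions asked."""
    return [tag.respond(query) for tag in tags]


@dataclass
class Guardian:
    policy: Policy
    log: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def permits(self, query: Query, tag: Tag) -> bool:
        for prefix, rules in self.policy.items():
            if tag.epc.startswith(prefix):
                key = (query.reader_id, query.location)
                return key in rules or ("*", query.location) in rules
        return False  # tag class not covered by the policy: deny

    def mediate(self, query: Query, tags: List[Tag]) -> List[str]:
        """Replies that actually reach the reader once the guardian has had its say."""
        delivered = []
        for tag in tags:
            reply = tag.respond(query)          # the tag still answers; it cannot refuse
            verdict = "allow" if self.permits(query, tag) else "jam"
            self.log.append((query.reader_id, query.location, tag.epc, verdict))
            if verdict == "allow":
                delivered.append(reply)
            # on "jam" the guardian's own transmission drowns out the tag's reply
        return delivered


if __name__ == "__main__":
    street = Query("unknown-reader", "street")
    print("without guardian:", unprotected_inventory(street, SAMPLE_TAGS))
    guardian = Guardian(POLICY)
    print("with guardian:   ", guardian.mediate(street, SAMPLE_TAGS))
    print("at border kiosk: ", guardian.mediate(Query("cbp-kiosk", "border"), SAMPLE_TAGS))
    for entry in guardian.log:
        print("  query log:", entry)
```

The two deficits the story names map onto the two things the guardian adds: `permits` gives the owner control over when a tag's reply gets through, and `log` gives the notification a bare tag never provides. The policy keys on location as well as reader identity because a reader's claimed identity is not authenticated by the tag protocol; the guardian's own knowledge of where its owner is provides a second, independent check.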

[source: ars technica]

British motorists face spy-in-sky monitoring

(2007-05-01) [CNet] Spies in the sky may track motorists in Britain within a decade if the government goes ahead with controversial plans to manage traffic flow and introduce road fees for drivers, scientists said on Tuesday.

The plans were unveiled in November in a report on future transportation policies designed to help cut traffic congestion. The plans prompted 1.8 million people to sign an electronic protest petition.

[source: News.com]

Spying on Americans

(2007-05-02) [New York Times] For more than five years, President Bush authorized government spying on phone calls and e-mail to and from the United States without warrants. He rejected offers from Congress to update the electronic eavesdropping law, and stonewalled every attempt to investigate his spying program.

Suddenly, Mr. Bush is in a hurry. He has submitted a bill that would enact enormous, and enormously dangerous, changes to the 1978 law on eavesdropping. It would undermine the fundamental constitutional principle -- over which there can be no negotiation or compromise -- that the government must seek an individual warrant before spying on an American or someone living here legally.

[source: News]

Give us more power, says data protection watchdog

(2007-05-01) [CNet] The UK's data protection watchdog wants to be given more power to check companies are compliant with privacy laws.

Currently the watchdog must gain consent before inspecting an organisation for compliance with the Data Protection Act. But giving evidence before the Home Affairs Select Committee, information commissioner Richard Thomas called for stronger powers to allow his office to carry out inspections and audits. (Excerpt from news story by Gemma Simpson)

[source: silicon.com]

Stronger, Not Weaker, Surveillance Standards Needed

(2007-05-01) [CDT] CDT called for stronger standards to protect the privacy of Americans in written testimony submitted today to the Senate Select Committee on Intelligence.

Responding to the Bush Administration's calls for broader authority to conduct warrantless surveillance of citizens' calls, CDT argued that changes in technology and the global economy have made it easier, not harder, for the government to conduct surveillance on ordinary Americans. The committee is slated to hear testimony from government officials seeking expanded surveillance powers.

[source: News]

Privacy advocates critical of dual-purpose Checkpoint RFID-based label

(2007-05-01) [ComputerWorld] Checkpoint Systems Inc. is rolling out a new line of radio frequency identification (RFID) enabled labels that it boasts can be used both to support advanced inventory control and to help catch shoplifters, allowing retailers to consolidate their use of the technology.

The technology, however, is already alarming consumer privacy advocates, who fear such a combination could permit the surreptitious tracking of customers who carry away the RFID chips in their purchases. The Thorofare, N.J.-based security technology maker unveiled the label, called Evolve, today. Checkpoint said the Evolve label carries an industry standard Generation 2 RFID tag for tracking and a separate radio frequency circuit to enable in-store electronic article surveillance. (Excerpt from news story by Marc L. Songini)

[source: Security]

New event: Civil Society Privacy Conference: Privacy Rights in a World Under Surveillance

(2007-05-07) "Civil Society Privacy Conference: Privacy Rights in a World Under Surveillance" will take place on September 25, 2007 (Montreal, Canada).

See calendar entry.


Webmaster
Latest update: 2007-12-18 19:19:22