SAITS

SAITS news - June 2007


Request For Corporate Privacy Villains: Help Wired News Rank and Shame Them

(2007-06-29) [Wired] Heading into freedom weekend, THREAT LEVEL decided to ask readers to indulge in some free speech, whistle blowing, corporate bashing by submitting and voting on which companies have the worst privacy practices. Spammers, squealers and slimy data sellers are all fair game.

For instance, just a couple weeks ago, I bought a couple tickets to see Sonic Youth perform its Daydream Nation album in its entirety. The tickets were $35 a piece (ouch) and Ticketmaster's usurious fees that reached 33% of the tickets' face value, put the tickets at over $90. ... So I'm nominating both Ticketmaster and Live Nation as entrants in this tally of the companies with the worst spam and privacy practices. But I'm certain my pet peeves won't last long in the top ten. (Excerpt from news story by Ryan Singel)

[source: Blogs]

EU legitimises US travel and bank data snoops

(2007-06-28) [EUobserver] In the final hours of its six-month EU presidency, Germany has succeeded in taking two thorny issues in current transatlantic relations off the table - the US' access to data on European air passengers and financial transactions.

On Friday (29 June), EU diplomats are expected to give the final go-ahead to a tentative agreement on the so-called passenger name records (PNR) deal, tailored to end lengthy wrangling over how Washington can gain, store and use information about every European traveller crossing the Atlantic.

[source: euobserver.com]

EU, U.S. to share passenger data

(2007-06-30) [CNN International] Ambassadors from European Union nations on Friday backed a deal with the United States on the sharing of trans-Atlantic air passenger data that Washington says is needed to help fight terrorism, diplomats said.

The number of pieces of information to be shared has been reduced from 34 to 19. Envoys from the EU's 27 nations reached a "basic political understanding" on the new deal, which was struck Wednesday by EU and U.S. negotiators, the diplomats said. Now, national parliaments in EU member nations will study the deal, and individual governments must give a formal, final endorsement. The diplomats said that the amount of data handed over would be lower than under the current agreement but U.S. authorities would be able to hold the information for longer.

[source: cnn.com]

Net growth prompts privacy update

(2007-06-30) [BBC] The world's leading industrialised nations have been forced to update privacy laws made obsolete by the huge volume of data moving around the net.

Of particular concern to the 30 OECD states was the increasing amount of personal data flowing between nations. These cross-border torrents made it tricky to prevent unlawful use of people's data and for authorities to enforce existing laws, the OECD said. The newly adopted recommendations update a 27-year-old agreement. The 1980 guidelines laid the foundations of privacy laws amongst OECD states but did not account for the internet age, with instant access to global information.

[source: News]

EU reaches SWIFT deal with US

(2007-06-29) [PinsentMasons] The European Union has come to an agreement with the US over the use of European banking data from payments agency SWIFT. SWIFT's secret permission for the US to use banking data caused outrage amongst data protection officials last year.

The US will be able to continue using data from SWIFT, according to the deal, but the European Commission said that the usage of data will now conform to European data protection principles. "The EU will have now the necessary guarantees that US Treasury processes data it receives from Swift's mirror server in USA in a way which takes account of EU data protection principles," said Franco Frattini, EU Commissioner responsible for justice, freedom and security. "I welcome the United States' Treasury Department's unilateral representations and the opportunity the Treasury has given the European Union to have its views and concerns duly reflected in the representations."

[source: Out-law.com]

Data breaches start at the gas station, analyst says

(2007-06-26) [ComputerWorld] Using a credit card at a gas station could pose more of a risk for data theft than shopping online. Point-of-sale terminals have emerged as a weak link in the security chain, according to a Gartner Inc. analyst.

When a card is swiped, point-of-sale (POS) terminals often collect and store the data held in the magnetic stripe on the back of a credit card, said Avivah Litan, a Gartner vice president and distinguished analyst. Retailers are often unaware that their POS applications collect so much information. In the hands of sophisticated hackers and counterfeiters, the data collected from the magnetic stripe is enough to create a replica card. "It's almost more dangerous to go to the gas station than it is online," Litan said at Gartner's Identity and Access Management Summit in London on Monday. "The data is just sitting there. No one even thought about what data is on a POS controller." (Excerpt from news story by Jeremy Kirk)

[source: Security]

Europeans still upbeat about biometrics

(2007-06-21) [Security Document World] A new pan-European survey on electronic ID has revealed that citizens still feel positive about the introduction of biometrics and anticipate a wide range of benefits in the future, including better protection against ID theft.

The research -- carried out by LogicaCMG -- reveals that 58% of European respondents would voluntarily join a Government backed identity registration scheme that involved biometrics. 52% of Europeans would agree with it being legally compulsory to join such a scheme with a further 21% undecided. LogicaCMG says: "Putting this in context, 77% of all European

[source: News]

Forget about the WGA! 20+ Windows Vista Features and Services Harvest User Data for Microsoft

(2007-06-30) [Softpedia] Are you using Windows Vista? Then you might as well know that the licensed operating system installed on your machine is harvesting a healthy volume of information for Microsoft. In this context, a program such as the Windows Genuine Advantage is the last of your concerns. In fact, in excess of 20 Windows Vista features and services are hard at work collecting and transmitting your personal data to the Redmond company.

Microsoft makes no secret about the fact that Windows Vista is gathering information. End users have little to say, and no real choice in the matter. The company does provide both a Windows Vista Privacy Statement and references within the End User License Agreement for the operating system. Combined, the resources paint the big picture over the extent of Microsoft's end user data harvest via Vista. (Excerpt from news story by Marius Oiaga)

[source: Softpedia]

Google's German Webmail Threatened by Proposed Legislation

(2007-06-29) [EFF] Germany's Federal Ministry of Justice has circulated a controversial draft bill that is bad news for online privacy. From preliminary reports, it seems that the bill attempts to outlaw the ability to send anonymous email by ordering ISPs to retain data traceable to individuals, and requiring a passport from anyone attempting to set up a webmail account.

Notably, Google is already pushing back. The German paper Heise reports that Google has threatened to shut down its email service in Germany if the bill becomes law (though this may be overstating the case.) And Google Privacy Counsel Peter Fleischer has come to the defense of anonymous communication, describing the many legitimate scenarios in which a person might want an anonymous email account.

[source: News]

AMA says human RFID tags could pose serious privacy risk

(2007-06-28) [Ars Technica LLC] RFID tags operate over short distances to provide a scanner with basic information about whatever item they're attached to. This is being used commercially to both identify pricing details at retail and to allow users to simply wave credit cards in front of appropriately-configured readers in order to pay for them. But RFID has also moved into the realm of providing personal information; the US is making RFID-enabled passports, and the FDA approved human RFID implants back in 2004. Given the medical and privacy issues associated with human RFID tagging, the American Medical Association called for an evaluation (.doc) of their implications; the resulting report is now available (.doc).

The report makes a distinction between two types of RFID tags. Passive tags have no power source and store information in read-only form; the scanner provides them with enough power to transmit basic information. Active RFID tags contain an internal battery, allowing them to store more sophisticated information, process data, and transmit over longer distances. Currently, only passive tags are approved for human use, but there's no reason to think that current limitations will stand indefinitely. (Excerpt from news story by John Timmer)

[source: ars technica]

Privatunes 0.9 Does Not Anonymize iTunes Plus Files

(2007-06-28) [EFF] On Wednesday, Slashdot and Wired Compiler ran posts about Privatunes, a program that claims to remove personally identifying information from iTunes Plus files (the current version is closed source and Windows only, though the site says that this will change in the future.)

Privatunes 0.9 overwrites the user's name and address. Unfortunately, the Privatunes coders didn't read our last post about iTunes tracking data -- aside from the name and email address, there are other fields that Apple, or a litigant that subpoenas Apple, could use to identify the purchasers of iTunes Plus files, even if they've been run through Privatunes 0.9.

[source: News]

Privacy Commissioners slam Canadian No Fly list

(2007-06-28) [CIPPIC] In a joint initiative, Privacy Commissioners from across Canada called on the federal government today to suspend its new no-fly list program, Passenger Protect, until it can be overhauled to ensure strong privacy protections for Canadians.

Meanwhile, the government reiterated its commitment to the program.

[source: News]

Identity Management Offering Ways to Better Protect Your Privacy

(2007-06-27) [PRIME Project] Privacy and Identity Management in Europe -- the PRIME Project has just released the second version of its White Paper at https://www.prime-project.eu/. The document serves as an introduction into and overview of the PRIME Consortium's findings shortly after entering the final phase of research.

Identity Management Systems are currently under development by various actors such as Microsoft and Liberty Alliance. The implementations are aimed at facilitating online identification, authentication and transaction. The broad introduction of Identity Management has tremendous potential to fill a gap in the current ICT infrastructure, which lacks an identity layer. Meanwhile, all major actors are aware that better identification may also pose increasing risks for the user's privacy and autonomy. PRIME shows how to counter these risks.

[source: Press Release]

Facebook Fixes Search Glitch, Explains Privacy Strategy

(2007-06-28) [Wired] Following yesterday's post about a flaw in Facebook's privacy settings that would let people using Facebook's advanced search options find personal details about persons who had set their profiles to friends only, Facebook quickly fixed their search tool to eliminate that possibility and today its chief privacy officer Chris Kelly spoke with THREAT LEVEL about Facebook's approach to privacy.

"The glitch was buried pretty deep in the site's search architecture and one had to look deep to find them," Kelly said. "When there are problems we do try to address them quickly, and we were able to rapidly fix [this]." Kelly also clarified that the "search engine indexing" option on the privacy page's search settings only lets search engines know that a person has a profile and some optional aggregate stats such as the number of friends or posts. (Excerpt from news story by Ryan Singel)

[source: Blogs]

International effort on privacy protection is launched

(2007-06-28) [PinsentMasons] The world's most developed economies will co-operate to uphold privacy laws in the face of increasing amounts of cross border data transfer. The member countries of the Organisation for Economic Cooperation and Development (OECD) have agreed the plan.

The new deal updates a 25 year old agreement on the upholding of privacy laws. A new deal was needed in order to guard against the privacy risks of the increasing amounts of personal data currently being sent from country to country.

[source: Out-law.com]

U.S., EU reach tentative deal on sharing of airline passenger data

(2007-06-28) [ComputerWorld] U.S. and European Union officials have reached a preliminary agreement that would resolve the long-running dispute over the handling of personal data about EU citizens who fly to the U.S., a spokesman who works for the European Commission said Thursday.

According to the spokesman, the resolution plan was agreed to on Wednesday by Franco Frattini, the European commissioner for justice and home affairs, U.S. Secretary of Homeland Security Michael Chertoff and German Interior Minister Wolfgang Schaeuble. Frattini had said last month that he was confident a deal could be reached. (Excerpt from news story by Paul Meller)

[source: Security]

Policy experts split on spyware laws

(2007-06-28) [InfoWorld] CDT and FTC disagree whether a trio of anti-spyware bills before Congress will result in more prosecutions

Two of the agencies most actively involved in bringing cyber-criminals to justice in the United States have expressed opposing opinions over pending anti-spyware legislation. Even as a trio of spyware bills is moving forward on Capitol Hill, officials from the Center for Democracy and Technology (CDT) and the Federal Trade Commission (FTC) said their two organizations have differing views on the need for passage of the proposed laws. At a forum sponsored by the Anti-Spyware Coalition and held here at Harvard Law School on June 27, officials from the FTC and CDT -- a Washington-based nonprofit that has become a prominent Internet policy watchdog -- detailed areas where their organizations diverge regarding Congressional anti-spyware bills. (Excerpt from news story by Matt Hines)

[source: News]

CIPPIC receives research grant from Privacy Commissioner's Office

(2007-06-28) [CIPPIC] Canadian Internet Policy and Public Interest Clinic (CIPPIC) has received a grant of $50,000 from the Office of the Privacy Commissioner of Canada to research online privacy threats.

A report on the research will be published in spring 2008. Other recipients of grants are: University of Ottawa ("Online Privacy Threats: Trends, Developments and Responses"); Centre for Innovation, Law and Policy (CILP), University of Toronto ("Personal Information Protection in the Face of Crime and Terror: Information Sharing by Private Enterprises for National Security and Law Enforcement Purposes"); Law Area, Faculty of Business, Ryerson University ("The Business Risks of Online Social Networks"); Option consommateurs ("Managing Personal Information in the Name of the Federal Government: What do Citizens Know About the Information They Provide to Financial Institutions and to What Degree is the Information Protected?"); University of Ontario Institute of Technology ("PIPEDA-Compliant Privacy Access Control Model for Protected Health Information"); and Department of Computer Science, Memorial University of Newfoundland ("Private/Public Sharing of Personal Information: Lessons from the Health Sector").

[source: News]

Private Facebook Pages Are Not So Private

(2007-06-28) [Wired] Private Facebook profiles aren't quite as hidden as many users might think they are. Pages that are supposedly restricted are visible to anyone using searches based on religion, sexual orientation or relationship status.

Security researcher Christopher Soghoian announced the flaw on Tuesday. A quick search by Wired News for women in a major U.S. city who were interested in random hookups with men revealed the names and photos of two high school girls, including one ninth grader. Like many social networks, the increasingly popular Facebook allows its users to mark their profile page as private, semiprivate or open. However, even if you mark your profile to be visible only by friends, that doesn't change how you turn up in Facebook searches or whether your profile is open to indexing by search engines. (Excerpt from news story by Ryan Singel)

[source: News]

Tentative EU-US Deal on SWIFT Data

(2007-06-27) [Forbes] European Union governments have reached a tentative deal with the United States clarifying how it will use data it receives from Belgian-based bank transfer consortium SWIFT in anti-terror investigations, diplomats said Wednesday.

The deal is aimed at ending a trans-Atlantic battle on privacy rights in the hunt for terrorists, and would close a legal black hole over the status of a data transfer deal SWIFT signed with U.S. authorities after the Sept. 11, 2001, attacks. (Excerpt from news story by Constant Brand)

[source: Forbes.com]

Privacy Isn't Dead, or At Least It Shouldn't Be: A Q&A with Latanya Sweeney

(2007-06-27) [Scientific American, Inc.] In a post-9/11 world, where security demands are high, personal privacy does not have to be sacrificed, says computer scientist Latanya Sweeney, who discusses a few ways to save it.

As security concerns mount, networks proliferate and ever more data move online, personal privacy and anonymity are often the first casualties. For the Insights story, "A Little Privacy, Please," appearing in the August 2007 issue of Scientific American, Chip Walter sat down with Carnegie Mellon computer scientist Latanya Sweeney, who discusses the new threats to privacy and ways to fight identity theft and other misuse of information. (Excerpt from news story by Chip Walter)

[source: Scientific American]

Google: The Internet's worst privacy invader

(2007-06-27) [ComputerWorld] A little-noticed report released earlier this month might make you think twice the next time you use Google. It ranked Google as the worst Internet company when it comes to protecting the privacy of its users.

A Computerworld article reports that the group, Privacy International, gave Google the worst privacy rating for "comprehensive consumer surveillance and entrenched hostility to privacy." The report went on to say, "Google's increasing ability to deep-drill into the minutiae of a user's life and lifestyle choices must in our view be coupled with well-defined and mature user controls and an equally mature privacy outlook. Neither of these elements has been demonstrated." (Excerpt from news story by Preston Gralla)

[source: Blogs]

Laws Needed to Protect Personal Data on RFID Chips

(2007-06-27) [ECT News Network, Inc.] The U.S. government is already venturing into risky territory by embedding RFID chips in passports. This allows easy scanning of information, but it also could reveal personal data on U.S. citizens to unfriendly eyes. California has an opportunity to set some standards before the technology is widely used by state and local governments.

Slap a chip costing a few cents on a clock radio or a bottle of Prozac, and you can track it from its manufacturer to the cash register at Wal-Mart. Build a chip into a special windshield tag, and it allows drivers to zip across the Golden Gate Bridge without stopping at a toll booth. Put one in a corporate identification card and all of a sudden it becomes an electronic door key. Such is the power of radio frequency identification, or RFID, a technology that's been around for a half-century but is finally beginning to transform commerce -- and become controversial.

[source: TechNewsWorld]

Border agencies prep for multi-modal biometrics

(2007-06-27) [The Register] The UK, Europe and the US are planning to belt and brace their border databases by using multiple forms of biometrics to identify people.

While a set of fingerprints might be considered enough to tell one person from another, the trio expect to eventually back this up with iris scans and mug shots. Frank Paul, head of large-scale IT systems at the European Commission's directorate of Justice, Freedom and Security, said the move was necessary so the countries' border systems could talk to one another. (Excerpt from news story by Mark Ballard)

[source: News]

Privacy should trump all else

(2007-06-26) [Osprey Media] It is for the Superior Court to decide whether Ontario's Adoption Information Disclosure Act is constitutional, but we cannot see why the province deemed it necessary to depart from similar laws passed in other provinces that allow a veto by birth parents or adopted children of access to their identities.

The option should be left entirely in the hands of the parties involved. But that's not the case in Ontario. The law retroactively opens records of children and parents involved in adoptions. When the province passed the act in 2005, privacy commissioner Ann Cavoukian warned it could be devastating for some people. Said the privacy commissioner at the time: "It will shatter lives. ... People are saying their lives will be ruined. I keep thinking of the young girls who gave a baby up for adoption 20 years ago thinking they were safe and never thinking a government would reveal their identities."

[source: The Sudbury Star]

Privacy Commissioner Welcomes Steps to Safeguard Voter Privacy

(2007-06-26) [CNW Group Ltd.] Privacy Commissioner Jennifer Stoddart welcomes amendments to the Canada Elections Act that help safeguard the privacy of voter information and increase penalties for its misuse.

C-31: An Act to amend the Canada Elections Act and the Public Service Employment Act received Royal Assent on June 22, 2007. As passed by the House of Commons, C-31 would have authorized Elections Canada to release each voter's date of birth to political parties and candidates during an election campaign, in addition to name and address. During her appearance before the Senate Committee on Legal and Constitutional Affairs on May 17, 2007, Commissioner Stoddart questioned the need for this additional information. Her concern was whether it would truly protect the electoral process from voter fraud.

[source: CNW]

Government steps up data sharing pilot

(2007-06-26) [IDG] The government is to extend a pilot project sharing individuals' personal data between the Department of Work and Pensions, HM Revenue and Customs and local authorities.

New legislation to increase data sharing powers between government departments and other public agencies has been repeatedly promised by ministers, sparking controversy among opposition parties and privacy campaigners. The government argues that greater data sharing will improve public services by reducing the amount of form filling for individuals. (Excerpt from news story by Tash Shifrin)

[source: ComputerWorldUK]

Privacy rules on APEC agenda

(2007-06-26) [news.com.au] PATHFINDER projects that will ultimately lead to regional cross-border data privacy rules are being discussed by Asia-Pacific Economic Co-operation forum delegates meeting in Cairns this week.

Attorney-General Philip Ruddock said the pilots would test better protection for the transfer of personal data in the region, while keeping the burden on business to a minimum. "Personal information is a global traveller," Mr Ruddock told the APEC Data Privacy Seminar yesterday. "It is transferred and accessed across international locations, collected and handled, often simultaneously, by businesses as part of commercial transactions - much of it in the interests of customers. However, a single bad consumer experience such as the mishandling or theft of personal information, or fraud from an online transaction, may have negative consequences for similar industries." (Excerpt from news story by Karen Dearne)

[source: Australian IT]

EU search engine probe expands beyond Google

(2007-06-26) [PinsentMasons] European privacy regulators will expand their investigation into Google's privacy practices to all search engine companies, it has said.

The Article 29 Working Party, a committee of Europe's data protection watchdogs, has been investigating Google's practice of retaining users' search queries along with information that could identify the user. In an exchange of letters the Working Party and Google have outlined their differences, with the Working Party questioning Google over its need for any retention and Google saying that it would anonymise records after 24 months, then shortening that period to 18 months.

[source: Out-law.com]

Firefox Security and Privacy Extensions

(2007-06-26) [Help Net Security] In the last few years Firefox gained massive support from surfers worldwide. This is mainly because Internet Explorer, still the biggest player on the market, has proved to be hopelessly insecure.

Besides offering more security than IE by default, what users appreciate is the fact that Firefox can be expanded with add-ons that offer a variety of functions not integrated in the browser upon install. This article will explore useful security and privacy extensions that will add to your browsing experience. (Excerpt from news story by James Hicks)

[source: News]

NZ banks demand a peek at customer PCs in fraud cases

(2007-06-26) [ComputerWorld] Banks in New Zealand are seeking access to customer PCs used for online banking transactions to verify whether they have enough security protection.

Under the terms of a new banking Code of Practice, banks may request access in the event of a disputed transaction to see if security protection is in place and up to date. The code, issued by the Bankers' Association last week after lengthy drafting and consultation, now has a new section dealing with Internet banking. (Excerpt from news story by Stephen Bell)

[source: Security]

EU Expands Search Engine Investigation

(2007-06-26) [EPIC] On June 10, in response to a May 16 letter from the Article 29 Working Party announcing an investigation of the proposed merger between Google and DoubleClick, Google announced that it would cut its data retention times from 24 to 18 months. This response came only two months after Nicole Wong, Google's deputy general counsel, asserted that, in its April 20 complaint to the FTC, "EPIC utterly fails to identify any practice that does not comply with accepted privacy standards."

On June 21, the Article 29 Working Party acknowledged Google's response to their May 16 letter and announced that it will expand its investigation to cover the practices of other search engines. The Working Party indicated that it will scrutinize the activities of search engines "from a data protection point of view, because this issue affects an ever growing number of users."

[source: EPIC Alert, Volume 14.13]

New Recommendations on Cross-Border Privacy Law Enforcement

(2007-06-26) [EPIC] On June 12, the OECD adopted a new Recommendation setting forth a framework for cooperation in the enforcement of privacy laws. The framework reflects a commitment by governments to improve their domestic frameworks for privacy law enforcement to better enable cooperation between domestic and foreign authorities, as well as to provide mutual assistance to one another in the enforcement of privacy laws.

Specific recommendations include the development of international enforcement cooperation mechanisms and mutual assistance tools such as notification, complaint referral, investigative assistance and information sharing, subject to appropriate safeguards. The recommendations also call for stakeholder discussion and collaboration and instruct the relevant OECD committee to monitor and report on the implementation of these measures.

[source: EPIC Alert, Volume 14.13]

DHS Releases New Border Crossing Rules

(2007-06-26) [EPIC] The U.S. government has released proposed border crossing rules under the Western Hemisphere Travel Initiative (WHTI). This is a program, developed by the departments of Homeland Security and State, that requires everyone entering the United States through land or sea ports to present a passport or other documents to prove identity and citizenship.

The proposed rules require most U.S. citizens to show either a U.S. passport, U.S. passport card, trusted traveler card (under government programs such as NEXUS, FAST, or SENTRI), Merchant Mariner Document, or U.S. Military identification card. The flawed program has been criticized by many, and its implementation has been filled with problems. Last week, DHS had to delay, by about six months, a WHTI requirement that U.S. citizens present a passport, because of massive backlogs in passport processing. Earlier this month, the U.S. House voted to delay the proposed rules until June 2009, and the U.S. Senate is considering a similar measure.

[source: EPIC Alert, Volume 14.13]

Comprehensive Privacy Approach Needed for Health IT

(2007-06-26) [EPIC] On June 19, the Government Accountability Office (GAO) released a report recommending that the Department of Health and Human Services (HHS) implement a comprehensive privacy initiative to ensure the protection of electronically stored personal health data.

The report was based on Executive Order 13335, in which President Bush called upon HHS to develop and implement a national interoperable health information network. The GAO report recognized that HHS officials have already undertaken some initiatives to address privacy principles; however, it determined that the agency's work is still in the preliminary stages, and not yet integrated.

[source: EPIC Alert, Volume 14.13]

Court Finds Email Private, Enjoys Fourth Amendment Protection

(2007-06-26) [EPIC] On June 16, the Sixth Circuit Court of Appeals ruled that portions of the Stored Communications Act violate the Fourth Amendment protection from unreasonable searches and seizures. In Warshak v. United States, the court found that an individual has a reasonable expectation of privacy in the emails one has stored at an ISP. Therefore, the court held, when the government seeks to obtain the contents of emails stored at an ISP, it must either use a warrant or notify the owner of the email account that a subpoena has been issued.

Steven Warshak was under investigation for violating several federal laws. During this investigation the government sent subpoenas to his ISPs requesting his subscriber account information as well as the contents of some of his emails. The orders were issued under seal, but Warshak was later notified of their existence when they were unsealed. Warshak then sued the government asking for an order declaring this access unconstitutional and preventing the government from further accessing his emails. A federal judge in Ohio granted Warshak a temporary injunction barring the government from accessing emails of individuals in its coverage without a warrant or notification to that individual.

[source: EPIC Alert, Volume 14.13]

FBI Guidelines Made Public

(2007-06-26) [EPIC] On June 13, the FBI released its updated guidelines for field agents in the use of National Security Letters (NSLs). The revised guidelines summarize and compile existing and new FBI NSL policies. The FBI created the revised guidelines after there was extensive documentation of abuses in an Office of the Inspector General report and an FBI internal audit. Both reports found that the FBI violated its own internal policies, the requirements of the NSL statute and Attorney General guidelines.

NSLs are an extraordinary search procedure by which the FBI obtains customer and consumer transactional information from communications providers, financial institutions and consumer credit agencies without obtaining a warrant or any court authorization. NSLs are issued to third parties during terrorism, espionage, and classified information leak investigations, and are typically accompanied by a non-disclosure certification, also known as a "gag order." This gag order prohibits the recipient from disclosing to anyone, except his or her lawyer, that an NSL letter was issued.

[source: EPIC Alert, Volume 14.13]

EPIC Urges Limitations on Social Security Number Use

(2007-06-26) [EPIC] On June 21, Marc Rotenberg, Executive Director of EPIC, testified before the House Ways and Means Committee's Subcommittee on Social Security. He urged Congress to adopt legislation to address the misuse of the Social Security Number (SSN) and the growing problem of identity theft.

Citing a recent report from the Federal Trade Commission that finds that identity is the number one concern of American consumers, EPIC called for "strong and effective legislation that will limit the use of the SSN," and context-dependent identifiers "that will encourage the development of more robust systems for identification that safeguard privacy and security." EPIC also criticized the President's Identity Theft Task Force for failing to make more aggressive recommendations regarding theft of Social Security Numbers.

[source: EPIC Alert, Volume 14.13]

[Norwegian] The whole population on surveillance film?

(2007-06-26) [Datatilsynet] Oslo is one of the most heavily surveilled cities in the world. The number of surveillance cameras is rising markedly throughout the country. What forces are driving this development? In September, a conference will focus on the growth in camera surveillance.

The conference "Kameraovervåking i det norske samfunn" ("Camera surveillance in Norwegian society") is organized by the industry associations Integra and NELFO, in cooperation with Datatilsynet, in Oslo on 5 September 2007.

[source: News]

Airport fingerprint program expanding

(2007-06-26) [Yahoo!] A program being launched at 10 U.S. airports this year will expand existing identification checks for visitors, including requiring 10 digital fingerprints, but still operate under strict privacy rules, a senior U.S. official said Monday.

The border checks could also soon include other biometric data, such as facial and eye retina scans, as the U.S. upgrades security at its ports, airports and border crossings, said P.T. Wright, operations director for the Department of Homeland Security's US-VISIT Program. (Excerpt from news story by Constant Brand)

[source: Yahoo News]

How to sniff out private information on Facebook

(2007-06-26) [The Register] Facebook users who like to control who gets to see your account details, take note: political views, religious background and other sensitive details may be wide open to prying eyes even though you've configured your profile so it's viewable only to designated friends.

That's because the user setting that allows only designated friends to view a user's profile has no effect on whether the contents of that profile can be searched by the Facebook community at large. Users who want to block their profiles from being searched must go through an additional step. (Excerpt from news story by Dan Goodin)

[source: News]

Customers must be told of US bank transaction monitoring, say privacy chiefs

(2007-06-26) [PinsentMasons] Privacy chiefs have given Europe's banks a September deadline for alerting customers that their financial transactions could be tracked by US security agencies. Customers must be warned that even transactions within Europe could be monitored, they said.

The new rules come from the Article 29 Working Party, a committee of European data protection officials, and it has said that banks must inform customers when there is a danger that transactions could be monitored by authorities in the US.

[source: Out-law.com]

A new context for data protection

(2007-06-26) [InfoWorld] To properly secure their most valuable information, enterprises must determine what types of data need to be held closely and which records don't need to be saved at all.

Experts gathered for the ongoing InfoWorld Enterprise Data Protection Forum in New York today said that companies need to get a better handle on all the factors that make their sensitive information susceptible to attack and become more proactive with their overall defensive strategies if they are to improve on their current security status. In a panel presentation featuring leading security executives and consultants, experts highlighted a need for businesses to study all the elements that contribute to classifying their most valuable information as truly sensitive. Protecting records whose value is immediately apparent -- such as social security and credit card numbers -- isn't enough as companies must also shroud any related data that can be used to create an individual profile that could be used to carry out identity theft or other forms of fraud, the speakers said. (Excerpt from news story by Matt Hines)

[source: News]

Fourth Amendment applies to cyberspace, for now

(2007-06-26) [Network World, Inc.] People concerned about e-mail security got a whole new reason to worry last year with revelations of secret government monitoring. Earlier this month, though, a U.S. Appeals Court told the government where to get off, at least when dealing with people in the Southern District of Ohio.

Security folk have been telling people not to assume that e-mail is secure since about the time that e-mail was invented. The three most common worries are misaddressing, forwarding and storage. It is all too easy to misaddress e-mail, either sending private mail to a mailing list or sending mail to the wrong person (autocomplete of e-mail addresses in e-mail clients has made the latter problem much worse). There is no way to ensure that e-mail you send to a particular person is not forwarded on. (Don't put anything in e-mail about a person that you do not want that person to see.) Finally, e-mail can be stored on laptops and other portable devices, which can get stolen or lost and the stored information compromised. (Excerpt from news story by Scott Bradner)

[source: Network World]

U.S. to Fingerprint E.U. Visitors

(2007-06-25) [The Kiplinger Washington] Visitors from European nations traveling with visas or visa-free to the United States will soon have to give 10 digital fingerprints when entering the country, a senior U.S. Homeland Security official said Monday.

Border checks could also soon include other biometric data, such as facial and eye retina scans, as the U.S. upgrades security at its ports, airports and border crossings, said P.T. Wright, the operations director for the U.S. Department of Homeland Security's US-VISIT Program.

[source: Kiplinger.Com]

When Public Records Are Too Public

(2007-06-25) [Dow Jones & Company, Inc.] The Web wasn't created to appeal to our sense of voyeurism. It just feels that way sometimes. I'm not talking about dirty pictures, but the ability the Web's given all of us to snoop on our friends, colleagues and neighbors, from Googling the new guy in the next cube to finding out what the people next door paid for their house to seeing which neighbors have given money to which candidates and parties.

Such behavior runs the gamut from generally acceptable nosiness (we're a nation of self-Googlers, after all) to mildly gauche (in New York City discussing what apartments cost is practically a sport) to creepy (keep your nose out of my politics). As with all questions about Internet privacy and personal information, there are generational differences at work -- if you came of age blogging and being Googled, someone seeing you gave $100 to MoveOn.org might not be the biggest deal. (Excerpt from news story by Jason Fry)

[source: Wall Street Journal]

The AN.ON anonymizing service now available for a fee

(2007-06-25) [Heise Zeitschriften Verlag] The former developers of the AN.ON anonymizing service have gone into business with JonDos, the research project's commercial successor. However, JonDos is no longer itself the operator of the mix of cascades used to anonymize users, but rather only the financial mediator between users and the various operators of individual cascades. The new network of mixes is now called JonDonym. The Java client formerly known as JAP, which users have to install on their computers, is still available as JonDo, which takes its name from the commonly used generic name "John Doe".

The JonDo software and the mix of cascades provided by independent operators are to remain free. Currently, the software allows the cascades from the Technical University of Dresden and the Independent State Center for Data Protection of Schleswig-Holstein (ULD) to be used for free. However, a volume-based fee will now be charged for the JonDonym mix cascades, which JonDos says are more powerful.

[source: heise on-line]

Call for e-voting to be scrapped amid security fears

(2007-06-25) [CNet] Privacy campaigners have called for any further e-voting trials to be scrapped after uncovering evidence of poor security, inadequate audit trails, equipment failures and an over-dependence on technology suppliers during the May local elections.

The Open Rights Group (ORG) had a team of 25 officially accredited election observers at the e-voting and e-counting pilots and has expressed "deep concern" about the use of the technology in a report of its findings. Five councils offered internet and telephone voting and six authorities were approved to use electronic counting technology at the May local elections. (Excerpt from news story by Andy McCue)

[source: silicon.com]

Google Is Watching You

(2007-06-22) [McGraw-Hill Companies Inc.] Kevin Bankston didn't think anyone would notice his little cigarette break. His family didn't know he sometimes snuck a smoke. So Bankston was surprised when a photo of him smoking outside his San Francisco office appeared online several years ago on Amazon.com's (AMZN) now-defunct A9.com map service. He was even more shocked when, in May, he found out he was caught again on candid camera -- possibly smoking -- this time by Google's (GOOG) new "Street View" map service.

Bloggers began buzzing about Bankston's double-lightning-strike luck, and the two photos now appear all over the Internet. A Web search for "Kevin Bankston smokes" reveals more than 20,000 links. "I felt somewhat embarrassed and a bit spied upon," says Bankston. "I am now thoroughly outed as a cigarette smoker." (Excerpt from news story by Catherine Holahan)

[source: Business Week]

Orange pulled up by privacy watchdog

(2007-06-22) [CNet] Orange and Littlewoods have been found to be in breach of the Data Protection Act (DPA) by the Information Commissioner's Office (ICO).

The finding relates to customer details being left open to potential fraud or retained without customer consent. Orange call centre employees were found to be sharing log-in details for the customer information database, meaning there was no way of knowing who had accessed data. (Excerpt from news story by Tim Ferguson)

[source: silicon.com]

Appeals Court Holds Email Constitutionally Protected

(2007-06-19) [CDT] A federal appeals court has ruled that an ordinary email user has a reasonable expectation of privacy -- and thus a Constitutional privacy right -- in email stored with an ISP.

This means that the government must either obtain a search warrant based on probable cause to seize such email or give users notice and opportunity to object to a subpoena or court order. The Justice Department had argued that email was not constitutionally protected. CDT participated in a friend of the court brief in the case which the court cited as "convincing".

[source: News]

Dangerous Ruling Forces Search Engine to Log Users

(2007-06-25) [EFF] The Electronic Frontier Foundation (EFF) and Center for Democracy and Technology (CDT) urged a California court Friday to overturn a dangerous ruling that would require an Internet search engine to create and store logs of its users' activities as part of electronic discovery obligations in a civil lawsuit.

The ruling came in a copyright infringement lawsuit filed by motion picture studios against TorrentSpy, a popular search engine that indexes materials made publicly available via the Bit Torrent file sharing protocol. TorrentSpy has never logged its visitors' Internet Protocol (IP) addresses. Notwithstanding this explicit privacy policy, a federal magistrate judge has now ordered TorrentSpy to activate logging and turn the logged data over to the studios.

[source: News]

Everyone's a celebrity in this post-privacy age

(2007-06-21) [CNet] Move over, Paris Hilton. We all have celebrity issues in an age when anyone can create an online profile, post confessional videos on YouTube, or make snarky online comments about other people.

The latest generation of Web sites--which attract tens of millions of users daily to share words, photos and videos about themselves and their friends--make a virtue of openness at the expense of traditional notions of privacy. "My grandparents would have had a different attitude about privacy," says Jeff Jarvis, a former critic for TV Guide turned top blogger and columnist for the Guardian in London. "There is a different calculus now." Sites like Facebook, Photobucket and Flickr are enjoying surging popularity for allowing people to control their online identities in ways that make the danger of revealing too much information a constant worry--and all part of the game.

[source: News.com]

We're all celebrities in post-privacy age

(2007-06-21) [The Washington Post] Move over, Paris Hilton. We all have celebrity issues in an age when anyone can create an online profile, post confessional videos on YouTube, or make snarky online comments about other people.

The latest generation of Web sites -- which attract tens of millions of users daily to share words, photos and videos about themselves and their friends -- make a virtue of openness at the expense of traditional notions of privacy. "My grandparents would have had a different attitude about privacy," says Jeff Jarvis, a former critic for TV Guide turned top blogger and columnist for the Guardian in London. "There is a different calculus now," he says. (Excerpt from news story by Eric Auchard)

[source: washingtonpost.com]

Data Protection Commissioner deplores "trend towards a Big Brother state"

(2007-06-21) [Heise Zeitschriften Verlag] Upon presenting his 8th Report Harald von Bose, the Data Protection Commissioner of the German federal state of Saxony-Anhalt, has publicly deplored the increasing degree to which the state and private companies crave and achieve access to the personal data of citizens.

"Restraint and moderation are no longer much in evidence," he said on Wednesday in Magdeburg. "The trend towards a big Brother state defined by comprehensive registration, surveillance, evaluation and control has picked up pace significantly," he added. This could inflict long-term damage on the foundation of values upon which the democratic order and the rule of law in Germany rest, he observed. It was unacceptable for the constraints imposed by the need to combat terrorism to be used to undermine the citizens' constitutional right to informational self-determination.

[source: heise on-line]

EU body to expand Web search probe, write to Google

(2007-06-21) [International Business Times] The European Union's data watchdog will expand its investigation of Web search engines beyond sector leader Google and write to that company, a European Commission source said on Thursday.

The Article 29 Data Protection Working Party "will prepare a substantial letter of response to the letter of Google and they have also decided they will look into other search engines," the source said. The source was referring to a letter Google wrote last week saying the company was ready to curtail the time it stored user data to a year and a half. It was seeking to mollify the watchdog, which had questioned its privacy policies last month. That storage time was the low end of an 18- to 24-month period it had originally proposed to regulators in March.

[source: ibt.com]

EU sets Sept. 1 deadline for banks to inform clients their data may go to U.S.

(2007-06-21) [International Herald Tribune] European Union data privacy officers set a Sept. 1 deadline on Thursday for banks to tell clients that their personal information may be forwarded to U.S. authorities when they make financial transfers within Europe.

The EU panel -- which includes national data protection officials from all 27 EU nations -- told banking transfer company SWIFT that more work still needed to be done to bring the company into line with EU privacy law. They said banks still have a legal obligation to tell customers that the U.S. might see data such as their name, address and the amount of money they are sending.

[source: iht.com]

EU delays Google decision

(2007-06-20) [Seattle Post-Intelligencer] Google Inc., which faces scrutiny in the European Union over its privacy laws, will have to wait until at least July to find out whether it must further cut the time it stores personal information from users' online searches.

The EU data protection agency, made up of experts from 30 European countries, warned Google in a letter on May 16 that keeping personal records for as long as two years may be too much. The group was due to study Google's response Wednesday at a meeting in Brussels. Instead, the agency decided to refer the matter to one of its subgroups. (Excerpt from news story by Stephanie Bodoni)

[source: seattlepi.com]

Perspective: Paying for online privacy

(2007-06-20) [CNet] Countless studies quote consumers saying they care about their privacy on the Internet. However, simply stating concern about privacy is a far cry from actually taking steps to protect one's own privacy in cyberspace.

Indeed, many consumers do not even check Web site privacy policies when they divulge their sensitive personally identifiable information. Yet, according to a recent report, when consumers are given a specific choice, many may actually pay more money during a transaction in return for privacy protection. The report, prepared by Lorrie Cranor, who directs the Carnegie Mellon Usable Privacy and Security Labs, documents that consumers would pay an extra 60 cents for privacy protection on purchases of $15. Cranor came to this result by way of a hypothetical experiment. (Excerpt from news story by Eric J. Sinrod)

[source: News.com]

One in four web merchants do not know web shopping laws

(2007-06-20) [PinsentMasons] Most internet shoppers do not know about their right to cancel and 28% of UK-based online traders are not aware or only slightly aware of the laws applying to internet shopping, according to a report published by the Office of Fair Trading (OFT) yesterday.

While 56% of internet shoppers surveyed did not know about their right to cancel under the Distance Selling Regulations, 29% did not know where to turn to get advice on their rights. Two-thirds of UK-based traders had never sought advice on internet shopping laws, according to the OFT's research. More than one-fifth of sites examined by the OFT failed to provide an email address, a requirement of the E-commerce Regulations.

[source: Out-law.com]

What's in a Laptop? Court Ponders Legality of Border Searches

(2007-06-20) [Wired] Is your laptop a fancy piece of luggage or an extension of your mind? That's the central question facing a federal appeals court in a case that could sharply limit the government's ability to snoop into laptop computers carried across the border by American citizens.

The question, before the 9th U.S. Circuit Court of Appeals, arose from the prosecution of Michael Timothy Arnold, an American citizen whose laptop was randomly searched in July 2005 at Los Angeles International Airport as he returned from a three-week trip to the Philippines. Agents booted the computer and began opening folders on the desktop, where they found a picture of two naked women, continued searching, then turned up what the government says is child pornography. (Excerpt from news story by Ryan Singel)

[source: News]

Heathrow trials back biometric security

(2007-06-20) [CMP Media LLC.] The vast majority of people who participated in the miSense biometric airport security trials at Heathrow Airport would recommend the service to their fellow travellers.

The report published by miSense evaluates the experiences and feedback of the 3,166 passengers who took part in the voluntary trials in Heathrow's Terminal 3 during a sixteen week period with 89 percent saying they would recommend the service and 66 percent saying it took less than 15 seconds to use the gate. The report finds that passengers not only accept the need for biometric technology as a means of providing increased levels of security, but also believe that it can significantly improve their journey through the airport. (Excerpt from news story by Colin Holland)

[source: EE Times]

Google answers Article 29 Working Party on data protection standards

(2007-06-20) [EDRI] Google has answered several questions related to its data protection standards addressed by the Article 29 Working Party, especially on the period after which the anonymisation of the search server logs can be obtained.

Initially Google announced in March 2007 a reduction of the retention period for data related to users and their searches to 18-24 months, but, after the Article 29 Working Party's letter, Peter Fleischer, global privacy counsel at Google, accepted a period of 18 months. However, he also stated that the period could be extended to 24 months, depending on the implementation of the Data retention directive in some of the EU member states.

[source: EDRI-gram, Number 5.12]

European Visa Information System accepted by the EU bodies

(2007-06-20) [EDRI] The legislative package on the Visa Information System (VIS) was adopted by the European Parliament and a political agreement was reached within the Justice and Home Affairs Council in the last couple of weeks. This means that the final steps have been adopted to create the biggest biometric database in the world.

The VIS Legislative package is formed by the VIS Regulation and the VIS Decision. The VIS Regulation will allow consulates and other competent authorities to start using the system when processing visa applications and to check visas. The VIS Decision will allow police and law enforcement authorities to consult the data under certain conditions that should ensure a high level of data protection.

[source: EDRI-gram, Number 5.12]

Privacy Ranking of Internet Service Companies

(2007-06-20) [EDRI] Privacy International (PI) has undertaken a study that reveals the privacy threats and ranks the positions in this matter of key players on the Internet services market. The objective of the research is not only to point fingers but also to find out trends and emergent issues related to privacy on the Internet.

The report was issued by PI after a six-month investigation on the privacy practices covering search, email, e-commerce and social networking sites. The methodology used included 20 main parameters among which data collection and processing, data retention, openness and transparency or responsiveness to customers' complaints.

[source: EDRI-gram, Number 5.12]

Prüm's Treaty is now included into the EU legal framework

(2007-06-20) [EDRI] The EU has adopted as its own law, with very few alterations, the so-called Prüm Treaty, signed on 27 May 2005 by Belgium, Germany, Spain, France, Luxembourg, The Netherlands and Austria, which allowed the police forces of their countries to compare and exchange data more easily.

The new law, adopted by the European Parliament's report of Fausto Correia (PES, PT) and approved by the Council of Ministers during a meeting of the justice and home office ministers last week, gives the EU member-states three years to rewrite domestic laws in order to comply with it.

[source: EDRI-gram, Number 5.12]

Update on a Council Framework Decision on the protection of personal data

(2007-06-20) [EDRI] The Council of the European Union discussed again in its Justice and Home Affairs Council meeting on 12-13 June 2007 the Council Framework Decision on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters, without making any clear steps for its adoption or taking into consideration the European Data Protection Supervisor (EDPS) comments.

The conclusions of the Council meeting note that the new framework decision will be based on the Council of Europe established minimum data protection principles set by the Convention of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data and its Additional Protocol of 8 November 2001, including Recommendation (87)15 regulating the use of personal data in the police sector.

[source: EDRI-gram, Number 5.12]

Iris Scanning, Now at JFK

(2007-06-20) [MIT Technology Review] In May, I gave up my fingerprints and a scan of my irises and joined a program called Clear at the British Airways terminal at John F. Kennedy International Airport in New York, thus becoming one of the first "registered travelers." The registered-traveler program is based on a set of standards, issued by the U.S. government, that's meant to speed "safe" passengers through airport security checks.

Launched in 2005 and implemented by private contractors, it's designed to help airports improve efficiency by separating trusted travelers from the unknown. Clear opened the first dedicated registered-traveler lane at Orlando International Airport in 2005, and four more have followed. A whole nation's worth, of course, is planned. (Excerpt from news story by Bryant Urstadt)

[source: News]

A closer look at Tor privacy tool

(2007-06-19) [Help Net Security] Tor is a tool that can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol.

This is a graphical overview that shows the interface and functionality of Tor (through Vidalia interface).

[source: News]

Appeals Court Says Feds Need Warrants to Search E-Mail

(2007-06-18) [Wired] A federal appeals court on Monday issued a landmark decision (.pdf) that holds that e-mail has similar constitutional privacy protections as telephone communications, meaning that federal investigators who search and seize emails without obtaining probable cause warrants will now have to do so.

"This decision is of inestimable importance in a world where most of us have webmail accounts," said Kevin Bankston, a staff attorney for the Electronic Frontier Foundation. The ruling by the Sixth U.S. Circuit Court of Appeals in Ohio upheld a lower court ruling that placed a temporary injunction on e-mail searches in a fraud investigation against Steven Warshak, who runs a supplements company best known for a male enhancement product called Enzyte. Warshak hawks Enzyte using "Smiling Bob" ads that have gained some notoriety. (Excerpt from news story by Luke O'Brien)

[source: Blogs]

Court: Feds violated privacy in e-mail search

(2007-06-18) [msnbc] Federal investigators overstepped constitutional bounds by searching stored e-mails without a warrant in a fraud investigation, a federal appeals court ruled Monday.

In a case closely watched by civil-liberties advocates in the still-emerging field of Internet privacy, a three-judge panel of the 6th U.S. Circuit Court of Appeals found that e-mail users have a reasonable expectation of privacy.

[source: msnbc.com]

A journey into personal privacy

(2007-06-18) [BBC] Privacy campaigners are convinced that big companies, from Google to Tesco, know too much about us - and are not careful enough with our data. We asked a young Londoner to find out what three big organisations knew about him.

Dan Senior used to be a lawyer but gave up the legal world to go travelling. Right now, he lives an easy-going life with his girlfriend in their flat in London's Bethnal Green. He spends a lot of time online playing poker and using Google for his searches. (Excerpt from news story by Rory Cellan-Jones)

[source: News]

Swedes Revolt Against Online Snooping

(2007-06-17) [Media General Inc.] Want to know how much your boss earns? Or whether your daughter's fiance is in debt? For Swedes, it takes just a few clicks on the Internet to find out.

But many feel the Web has taken things too far, and proud though they are of Sweden's unusual history of openness, they have pressured providers to put some limits on a service that allowed Swedes to snoop through each other's finances anonymously and free of charge. "Your neighbor knows what you're making, your brother-in law knows what you're making, and people around you can know whether you're on any records for outstanding payments. It's private and a bit embarrassing," said Hans Karnlof, a lawyer at the Swedish Data Inspection Board. (Excerpt from news story by Louise Nordström)

[source: TBO.com]

N.S. family inadvertently got spied upon

(2007-06-16) [ctvGlobeMedia] A Nova Scotia family has inadvertently been on Internet "candid camera" for months without their knowledge. Dale Gass became their peeping tom by accident.

"It is kind of disturbing these videos are being sent to me. It's an invasion of privacy," he said. Gass used to own a wireless security camera. Unfortunately, it is now installed in the family's house, and no one seemed to have a clue where they lived. (Excerpt from news story by John Vennavally-Rao)

[source: CTV.ca]

US may require European visitors to register online

(2007-06-14) [InfoWorld] Europeans who visit the U.S. will be required to fill out an online questionnaire two days before they enter the country under a proposal being studied by the U.S. Department of Homeland Security.

The department has been discussing the idea internally for about a month, said Hugo Teufel III, chief privacy officer for the DHS, in a meeting with journalists in Paris on Thursday. He could not say when the registration system might be introduced. (Excerpt from news story by James Niccolai)

[source: News]

FBI's newest privacy invader: Bigger and badder than ever

(2007-06-14) [ComputerWorld] Just when you thought the federal government had gone as far as it could toward invading your privacy, comes this news: The FBI wants to build a massive data-mining program that would contain 6 billion records by 2012. This time around, though, Congress may put the kibosh on it.

The Associated Press reports that the FBI has asked Congress for $12 million next year to establish the National Security Branch Analysis Center, which would have 59 employees. Its purpose: use data mining to uncover terrorist "sleeper cells" and head off attacks. (Excerpt from news story by Preston Gralla)

[source: Blogs]

Data retention laws do not cover Google searches, says Europe

(2007-06-13) [PinsentMasons] Google is not bound by the Data Retention Directive when it comes to search engine logs, Europe's data protection committee has said. Google has used the Directive to justify keeping data, but OUT-LAW has learned that the law does not apply.

Google has come under increasing pressure in Europe to anonymise its server data, but the company says that it will wait until 18–24 months have passed before anonymising. Among its reasons for this was the Data Retention Directive. However, a senior European data protection official told OUT-LAW today that Google cannot rely on that law as justification for its retention.

[source: Out-law.com]

Is Google 'hostile to privacy'?

(2007-06-12) [InfoWorld] Privacy International has released preliminary findings of its study of privacy practices at 20 major Net companies, and has named Google the worst of a generally bad lot.

In its cheerfully color-coded system, only Google receives PI's black spot, labeled "Hostile to Privacy." Reading the comments in the prelim report (PDF), it seems Google is getting dinged primarily for a) collecting oodles of information, b) being vague about what it does with this data, and c) not returning PI's phone calls. Frustrating, yes. Alarming, maybe. But hostile? If this was merely PI's way of getting Google's attention, it worked. Google allegedly responded by spreading rumors that PI was in Microsoft's pocket. (Knowing Simon Davies, PI's London-based head honcho, I'd say 'not bloody likely.') Davies responded to that by publishing a strongly worded open letter to Google CEO Eric Schmidt. The spitting match continues. (Excerpt from news story by Robert X. Cringely)

[source: Blogs]

Better privacy policies can make money, finds P3P study

(2007-06-11) [PinsentMasons] E-commerce businesses could charge more for their wares if they implemented an established privacy technology, an academic report has found. The study showed that online shoppers are prepared to pay more at sites that guarantee their privacy.

Researchers at Carnegie Mellon University in the US armed a number of shoppers with the Platform for Privacy Preferences (P3P) tool, which alerts them to the privacy practices of sites they visit. They found that shoppers were prepared to pay 30p more on goods worth £7 at sites that guaranteed they would not abuse their private details.

[source: Out-law.com]

Watchdog Group Slams Google on Privacy

(2007-06-09) [The Washington Post] Google Inc.'s privacy practices are the worst among the Internet's top destinations, according to a watchdog group seeking to intensify the recent focus on how the online search leader handles personal information about its users.

In a report released Saturday, London-based Privacy International assigned Google its lowest possible grade. The category is reserved for companies with "comprehensive consumer surveillance and entrenched hostility to privacy." None of the 22 other surveyed companies - a group that included Yahoo Inc., Microsoft Corp. and AOL - sunk to that level, according to Privacy International. (Excerpt from news story by Michael Liedtke)

[source: washingtonpost.com]

A Little Privacy, Please

(2007-06-17) [Scientific American, Inc.] Computer scientist Latanya Sweeney helps to save confidentiality with "anonymizing" programs, "deidentifiers" and other clever algorithms. Whether they are enough, however, is another question.

Latanya Sweeney attracts a lot of attention. It could be because of her deep affection for esoteric and cunning mathematics. Or maybe it is the black leather outfit she wears while riding her Honda VTX 1300 motorcycle around the sedate campus of Carnegie Mellon University, where she directs the Laboratory for International Data Privacy. Whatever the case, Sweeney suspects the attention helps to explain her fascination with protecting people's privacy. Because at the heart of her work lies a nagging question: Is it possible to maintain privacy, freedom and safety in today's security-centric, databased world where identities sit ripe for the plucking? Several years ago Scott McNealy, chairman of Sun Microsystems, famously quipped, "Privacy is dead. Get over it." Sweeney couldn't disagree more. "Privacy is definitely not dead," she counters; those who believe it is "haven't actually thought the problem through, or they aren't willing to accept the solution." (Excerpt from news story by Chip Walter)

[source: Scientific American]

Doctoral thesis says privacy protection has expanded

(2007-06-17) [Helsingin Sanomat] Protection of privacy has been underscored considerably by Finnish courts in recent years, alongside freedom of speech, says Päivi Tiilikka in a doctoral thesis that she is defending on Friday at the Faculty of Law at the University of Helsinki.

Her thesis, Sananvapaus ja yksilön suoja: Lehtiartikkelin aiheuttaman kärsimyksen korvaaminen ("Freedom of Expression and Protection of Privacy. Compensating for Suffering Caused by a Newspaper Article") is the first doctoral thesis in Finland on the legal responsibilities of the press. "Courts have given more attention than before to the fact that people in the public eye have the right to protect their privacy, if their private lives are not linked with the use of power in society", Tiilikka points out. Finnish legal practice has been moulded by decisions made by the European Court of Human Rights, which members of the Council of Europe are obliged to follow.

[source: Helsingin Sanomat International Edition]

Is DHS Privacy Chief Writing Checks U.S. Data Mining Won't Honor?

(2007-06-15) [Wired] Homeland Security's chief privacy officer Hugo Teufel III told reporters in Paris that the U.S. will soften its stance on some portions of a contentious E.U.-U.S. agreement about passenger data sent to the U.S. for terrorism screening programs.

"I believe that there will very likely be increased privacy protections with respect to the [Passenger Name Record] data," Teufel said on Thursday according to IDG's James Niccolai. That's a stark about-face for the U.S. since just last fall DHS Assistant Secretary Stewart Baker told the E.U. that earlier provisions limiting how the U.S. could share the data were now moot, that it could add more data elements to its request unilaterally, and that it planned to push to keep the data for longer than the 3.5 years it originally agreed to. The original agreement allowed the government to hold onto the data for 3.5 years, but since the 2004 agreement was supposed to be revisited in 2007, the U.S. has never destroyed any E.U. traveler data. (Excerpt from news story by Ryan Singel)

[source: Blogs]

US May Give Ground in Passenger Data Stand-Off

(2007-06-14) [PC World Communications, Inc] The U.S. may be willing to give some ground in a dispute with European regulators over access to trans-Atlantic passenger data, although reaching a compromise before a July deadline remains uncertain.

The issue of how long the U.S. holds onto passenger data has been one of the sticking points in the dispute, which threatens airlines' ability to carry passengers to the U.S. without violating U.S. or European law. (Excerpt from news story by James Niccolai)

[source: PC World]

OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy

(2007-06-14) [OECD] This Recommendation was developed by the OECD Committee for Information, Computer and Communications Policy (ICCP), through its Working Party on Information Security and Privacy (WPISP). The work was led by Jennifer Stoddart, Privacy Commissioner of Canada, with the support of a number of representatives from privacy enforcement authorities participating as part of their country delegations. It has also benefited from a constructive consultation with other key stakeholders in the privacy and data protection community. It was adopted as a Recommendation of the OECD Council on 12 June 2007.

To complement the Recommendation, the OECD has been working on more practical tools to facilitate privacy law enforcement co-operation. These include two model forms that have been developed. The first is to assist in the creation of a list of contact points in each country to co-ordinate requests for assistance. The second is a form for use by an authority in requesting assistance to help ensure that key items of information are included in the request. Copies of these forms as well as other information about this project are available at www.oecd.org/sti/privacycooperation.

[source: Report]

Police will share data across Europe against privacy chief's advice

(2007-06-14) [PinsentMasons] European police forces will have easier access to each others' information on criminals and suspects after ministers agreed a new data swap system. But Europe's data protection chief told OUT-LAW that his concerns over the system had been sidelined.

Two years ago some European countries signed a deal called the Prüm Treaty, which enabled police forces to compare and swap data more easily. The EU has now adopted that as its own law, with minor alterations, giving countries three years in which to rewrite domestic laws in compliance with the agreement.

[source: Out-law.com]

Europe's VIS given green light by Parliament

(2007-06-14) [Security Document World] The European Parliament has backed proposals to set up the European Visa Information System (VIS), which is destined to become the world's largest biometric database and should prevent the phenomenon known as 'visa shopping'.

The project, which has been on the drawing block for some years, had been waiting for the legal go ahead, having already signed up the key players to take the project forward. The agreement of the text was opposed by some, who claimed that the system is a threat to citizen privacy. Meanwhile, the Conservatives called for Britain to opt out of the system.

[source: News]

Coming to America: The EU privacy directive

(2007-06-14) [ComputerWorld] The Senate is finally getting around to pushing a national data breach law out of the Committee on Commerce, Science, and Transportation (thanks, TJX!).

This represents a major change in how the federal government views the privacy of personal information, shifting away from a mix of self-regulation, state laws, and industry specific requirements (HIPAA, GLBA) towards a comprehensive national policy. The road to this point has been long, but it's worth examining to understand what's ahead. (Excerpt from news story by Patrick Lamphere)

[source: Security]

Fifteen States Pass Anti-REAL ID Legislation

(2007-06-14) [EPIC] As the deadline for compliance draws closer, more states are opting out of the controversial REAL ID national identification system. Arkansas, Colorado, Georgia, Hawaii, Idaho, Illinois, Maine, Missouri, Montana, Nebraska, Nevada, New Hampshire, North Dakota, South Carolina, and Washington have all passed anti-REAL ID legislation.

Public resistance to REAL ID is also growing. In May, more than 60 organizations and 215 blogs joined a campaign to submit comments against REAL ID. There are bills in both the U.S. House and Senate to repeal the national identification scheme. EPIC and 24 experts in privacy and technology submitted detailed comments explaining the many privacy and security threats raised by the REAL ID Act. The Department of Homeland Security's Data Privacy and Integrity Advisory Committee refused to endorse the draft regulations, stating that they did not resolve problems with privacy, redress, management controls, and more.

[source: EPIC Alert, Volume 14.12]

Privacy International Ranks Online Companies' Privacy Practices

(2007-06-14) [EPIC] On June 9, London-based human rights research and campaign organization Privacy International issued an interim privacy ranking of 23 Internet service companies. The report did not give any of the companies it looked at the highest grade of "privacy-friendly and privacy enhancing."

However, Google's "vague, incomplete and possibly deceptive privacy policy," lack of responsiveness to customer complaints, its ability to match data gathered by its search engine with information collected from its other services, and its merger with DoubleClick earned Google the lowest possible privacy ranking, reserved for those companies with "comprehensive consumer surveillance and entrenched hostility to privacy."

[source: EPIC Alert, Volume 14.12]

FBI Data Mining Proposal Questioned

(2007-06-14) [EPIC] Representatives Brad Miller and James Sensenbrenner have asked the Government Accountability Office to investigate the FBI's proposal for a National Security Branch Analysis Center. The FBI intends to use the Center to "leverage existing data-mining tools to help identify relationships between individuals, locations and events that may be indicators of terrorist or other activities of interest."

The Department of Justice predicts that the Center will hold 6 billion records by the year 2012.

[source: EPIC Alert, Volume 14.12]

Privacy Groups File Amended Google/DoubleClick Merger Complaint

(2007-06-14) [EPIC] On June 6, EPIC, the Center for Digital Democracy, and U.S. PIRG filed a supplement to their initial complaint concerning Google's proposed acquisition of DoubleClick. In the initial complaint, filed on April 20, 2007 with the Federal Trade Commission, these consumer advocacy groups requested that the Commission open an investigation into the proposed acquisition, specifically with regard to Google's ability to collect, record, and analyze personally identifiable information about Internet users and, through use of this information, to track the Internet activity of these users.

The June 6 supplement provides further detail on the information that Google collects about its users, the ways in which Google uses that information, and the privacy impacts of Google's many commonly used services. In addition, the June 6 supplement describes similar aspects of DoubleClick's business model and operations. EPIC, CDD, and U.S. PIRG explain that there are unique privacy issues raised by the proposed combination of the Internet's largest search engine and the Internet's largest advertising company. Allowing the merger to proceed as it is currently constructed would allow a single company to have an unprecedented level of access to information about Internet users, the groups said.

[source: EPIC Alert, Volume 14.12]

EPIC Testifies on Worker ID Systems

(2007-06-14) [EPIC] At a House Subcommittee on Social Security hearing on June 7, EPIC Executive Director Marc Rotenberg urged the strengthening of privacy safeguards associated with employment eligibility verification systems and said existing agency database problems should be corrected before a nationwide expansion is considered. The Subcommittee is reviewing an immigration bill that would establish a national employment eligibility verification system; a similar bill is pending in the Senate.

EPIC recently scrutinized the proposed employment verification systems in its "Spotlight on Surveillance." Under both H.R. 1150 and S.AMDT 1645, every employer in the country would be required to submit detailed personal information on every employee to the Department of Homeland Security (DHS). This information would then be cross-referenced with that retained by the Social Security Administration. Should a discrepancy arise, workers would have to appeal to DHS and SSA to prove their identity. The appeals process could last as long as two and a half months, and if the appeal is ultimately denied the individual would not be able to work legally in the United States until the discrepancy was somehow corrected. The House bill would also transform all Social Security Cards to include biometric and machine-readable features.

[source: EPIC Alert, Volume 14.12]

Commission Adopts Rule on Phone Record Privacy

(2007-06-14) [EPIC] As a result of a 2005 petition filed by EPIC, the Federal Communications Commission (FCC) adopted new rules last week to strengthen the security of consumers' phone records. The FCC also published a Notice of Proposed Rulemaking, stating that it is seeking comments on further privacy protections for customer information. Comments are due July 9, 2007.

The new rules relate to customer proprietary network information (CPNI), which is the data collected by telecommunications corporations about a consumer's telephone calls. CPNI includes the time, date, duration and destination number of each call, the type of network a consumer subscribes to, and any other information that appears on the consumer's telephone bill. Currently, the use of CPNI data is protected by the 1996 Telecommunications Act.

[source: EPIC Alert, Volume 14.12]

Virginia Tech Report Cites Privacy Law Problems

(2007-06-13) [New York Times] Complicated privacy laws have left education, health care, and law enforcement officials confused about what they can legally tell one another concerning dangerous and mentally ill people, and that confusion has limited the ability of these officials to prevent the kind of violence that occurred at Virginia Tech, according to a federal report released today.

The federal report also says that many states and communities have done too little to prepare for emergencies and violent incidents in schools. And it says that state laws do not uniformly ensure that the federal firearms database is kept current regarding people who should be restricted from possessing firearms. (Excerpt from news story by Ian Urbina)

[source: Web News]

EU welcomes Google offer on privacy

(2007-06-13) [msnbc] EU justice chief Franco Frattini said Wednesday that Internet search leader Google Inc. had offered to cut the time it retains data on user searches from the current 24 months to 18 months amid growing concerns it could be violating EU privacy rules.

The EU justice and home affairs commissioner welcomed a letter sent by Google officials to an independent EU data protection panel earlier this week in which the company said it would raise its data privacy standards for all users. "It is indeed a good step, I have appreciated the commitment of Google not only to meet our expectations in terms of protection of privacy or better on cutting the time and reducing the time of retention of personal data," Frattini said.

[source: msnbc.com]

Podcast: Google's Street View captures image of privacy critic

(2007-06-13) [American Public Media] The new Street View feature of Google Maps provides 360 degree panoramic street-level views of New York City, San Francisco, Miami, Denver, and Las Vegas. Camera-equipped vehicles gathered the images while driving public streets. This feature - which will be expanded to include more cities - has raised some privacy concerns. Critics point to images of men leaving strip clubs, abortion clinic protesters, bikini-clad sunbathers, and one guy apparently picking his nose.

Before launching the service, Google removed photos of domestic violence shelters, and allows users to request the removal of inappropriate or sensitive images. Kevin Bankston, staff attorney with the Electronic Frontier Foundation, has emerged as a top critic of Street View. It turns out that Street View captured Bankston walking to work while smoking a cigarette. What's more, this isn't the first time the privacy crusader has been captured by street-mapping cameras. Listen to the podcast (length 04:58).

[source: Future Tense]

Belgian Biometric Passport does not get a pass... Your personal data are in danger!

(2007-06-12) [UCL Crypto Group] A research team in cryptography from the Catholic University of Louvain (Louvain-la-Neuve) disclosed serious weaknesses in the Belgian biometric passport, the only type of passport distributed in Belgium since the end of 2004. The work carried out in Louvain-la-Neuve during the course of May 2007 shows that Belgian passports issued between end 2004 and July 2006 do not include any security mechanism to protect the personal data embedded in the passport's microchip.

Passports issued after July 2006 do benefit from security mechanisms but these ones are flawed. This means that anyone possessing a little electronic reading device, which is easy and cheap to acquire, can steal the passport content while it is still in the pocket of the victim owners and thus without their knowing. Face and signature are among the data at risk. This news is all the more surprising because Karel De Gucht, the Minister for Foreign Affairs, declared in the Parliament on 9th January 2007 that the Belgian passport benefited from the security mechanisms advocated by the International Civil Aviation Organization.

[source: Info]

Google adjusts privacy policy -- slightly

(2007-06-12) [ComputerWorld] Google Inc. has decided to make the data it stores about end users anonymous in its server logs after 18 months, according to a blog posted yesterday by the company's global privacy counsel.

Previously, Google had said it would make the data anonymous after 18 to 24 months. The decision comes in response to a letter the company received last month from a European Union data protection working group regarding Google's privacy policies. Separately, a report released last week by Privacy International ranked Google worse than any other Internet company in protecting the privacy of its users. (Excerpt from news story by Linda Rosencrance)

[source: Security]

EU seeks to track visa usage in borderless zone

(2007-06-12) [msnbc] The European Union on Tuesday approved a European visa data system which will store biometric information like fingerprints and photos on 70 million visa-holders who pass through the EU's borderless travel zone each year.

The agreement reached by EU justice and interior ministers will set up a common EU database which can be accessed by all 15 EU nations participating in the so-called Schengen borderless travel area. German Interior Minister Wolfgang Schaeuble, whose country holds the EU presidency, said the system is "an important tool" to boost border security, adding it would also enable participating EU nations to prevent people from so-called visa shopping between European nations.

[source: msnbc.com]

Google limits data retention in EU compromise

(2007-06-12) [CNet] Google is scaling back how long it keeps personally identifiable data accumulated from its Web users, seeking to mollify a European Union watchdog that has questioned its privacy policies.

The world's top provider of Web search services said late Monday that it is ready to curtail the time it stores user data to a year-and-a-half, the low end of an 18- to 24-month period it had originally proposed to regulators in March.

[source: News.com]

Are Google's moves creeping you out?

(2007-06-12) [CNet] One lazy afternoon, Maer Israel and a colleague ducked out of work to have a double espresso at a nearby cafe in San Francisco. Several weeks later, the information technology manager at the French American International School was alerted that a picture of him sitting at the cafe could be found on Google's online map as part of the search giant's new street-level photo view.

Google's recently unveiled Street View stunned many with its photos of the unsuspecting, from a man climbing a front gate to another walking out of a strip club, but it's hardly the first time the company has compiled a massive database of material that some would want to remain private. Indeed, Google has for years been storing every Web search and analyzing the topics of Gmail so it can serve customers with related advertisements. (Excerpt from news story by Elinor Mills)

[source: News.com]

Want Off Street View? Google Wants Your ID and a Sworn Statement

(2007-06-12) [Wired] EFF privacy advocate and unhappy Street View model Kevin Bankston made good on his vow to try out Google's take-down policy after THREAT LEVEL found a picture of his unwitting mug stalking the sidewalks near EFF's offices. What he learned: Google is happy to remove you from Street View ... provided you give them a wealth of additional information, including a photo of your driver's license.

Here's Google's requirements, as sent to Bankston: To request removal of your image from Street View, you must demonstrate that you are the person shown in the panorama you would like removed. We will not take action if you are reporting on behalf of someone else (such as a friend, relative or stranger), except that you may report on behalf of your minor child. To show that you are the person in the image you would like removed, you must provide us with the information specified below. To expedite our ability to process your request, please use the following format on your verification form: ... (Excerpt from news story by Kevin Poulsen)

[source: Blogs]

Google limits data retention in compromise with EU

(2007-06-12) [Reuters] Google Inc. is scaling back how long it keeps personally identifiable data accumulated from its Web users, seeking to mollify a European Union watchdog that has questioned its privacy policies.

The world's top provider of Web search services said late on Monday that it is ready to curtail the time it stores user data to a year-and-a-half, the low end of an 18 to 24 month period it had originally proposed to regulators in March. But Peter Fleischer, Google's global privacy counsel said in a letter addressed to the Article 29 Data Protection Working Party in Brussels that any regulatory requirement to keep data for less than 18 months would undermine Google's services. (Excerpt from news story by Eric Auchard)

[source: News]

Privacy and Protection

(2007-06-12) [Inside Higher Ed] Experts repeatedly returned to the rules, regulations and lack of resources that can prevent college and government officials from most effectively responding to campus mental health concerns during a meeting Monday of the Independent Virginia Tech Incident Review Panel appointed by Virginia Gov. Tim Kaine.

"Has the pendulum swung too far in terms of privacy rights?" asked Diane M. Strickland, a former judge and a member of the eight-person panel appointed to study the April 16 slaughter of 32 faculty members and students by Cho Seung-Hui, a student, before he turned the gun on himself. The tensions between privacy and protection continually mounted throughout Monday's meeting at George Mason University, with college officials stressing a need for a freer flow of information even as complete information about Cho's own medical history continued to be withheld from the investigative panel itself.

[source: News]

EU data protection chief worried

(2007-06-12) [Ledger-Enquirer] The European Union's data protection watchdog urged governments on Tuesday not to sacrifice personal rights in their talks with the U.S. on the transfer of air passenger data.

EU Data Protection Supervisor Peter Hustinx said various EU nations have suggested they are willing to put security ahead of fundamental rights when it came to fighting terrorism. "More and more statements are being made by leaders and representatives of member states which seem to suggest that rights afforded by privacy and data protection legislation are viewed as incompatible with security and justice," Hustinx said. (Excerpt from news story by Constant Brand)

[source: Ledger-Enquirer.com]

EU rolls up sleeves for BioDev II

(2007-06-12) [Security Document World] Projects that form the EU's BioDev II initiative being undertaken by Austria, Belgium, France, Germany, Luxembourg, Portugal, Spain and the UK are set to get under way next month.

Contracts to provide the technology for the project were awarded in April 2007, and the trial is expected to last 15 months. Winners of the deals were Motorola, Zetes and Sagem. Motorola won the lion's share of contracts, with deals to provide Austria, Luxembourg, Portugal, Spain and the UK. Zetes scooped the Belgian and German projects, and Sagem gained the French contract. Zetes says it will supply, implement, integrate and provide technical support of country-customised hardware and software biometric solutions (with capture of fingerprints and ICAO-compliant pictures) for consulates, border control, central AFIS system (in collaboration with NEC) and secure communication systems between consulates, border checkpoints and national VISA systems.

[source: News]

EFF Privacy Advocate Sighted in Google Street View

(2007-06-11) [Wired] It's official. Every new street level map view service has to capture an image of EFF staff attorney Kevin Bankston sneaking a cigarette. Amazon's now-defunct A9 service first nailed Bankston outside EFF's San Francisco office a few years ago. He'd been trying to conceal his smoking from his family.

These days Bankston uses that anecdote as a weapon in his principled but quixotic campaign against Google's new Street View service. Bankston argues Street View is legal, but irresponsible, and should include facial obfuscation technology so every face is blurred or made to resemble the mush-visaged demons from Jacob's Ladder. (Excerpt from news story by Kevin Poulsen)

[source: Blogs]

Privacy International releases rankings of online companies

(2007-06-11) [CIPPIC] In a consultation report released today, Privacy International assesses the practices of key Internet-based companies, listing the best and worst performers across the spectrum of search, email, e-commerce and social networking sites.

None of the 23 online companies assessed were found to merit the top "privacy-friendly" rating, and some demonstrated "willful or mindless disregard for the privacy rights of their customers". Privacy International invites comments on this consultation report, with a view to publishing a more detailed report in September.

[source: News]

Report: Google wins 'race to bottom' on privacy

(2007-06-11) [CNet] Web search leader Google's commitment to consumer privacy has come under fire from Privacy International, a British activist group that has previously singled out Google for criticism.

The London-based group released a report on Saturday entitled "A Race to the Bottom--Privacy Ranking of Internet Service Companies" that rates Google, alone among 20 sites, as having an "entrenched hostility to privacy." With each search on Google, the company gathers information about a customer's tastes, interests and beliefs that could potentially be used by third parties such as advertisers. But the company says it never passes on personal data.

[source: News.com]

Why I disagree with Privacy International

(2007-06-11) [Matt Cutts: Gadgets, Google, and SEO] Sigh. Google as a company takes privacy very seriously. I personally feel strongly about protecting our users' privacy. So I'm frustrated by a recent study that Privacy International did, and I want to know if I'm off-base in my reaction. I got back home from SMX and I'm surfing the web when I see this AP article entitled "Watchdog group slams Google on privacy":

So I surf over to Privacy International (PI) to read the actual report, and I have to be honest with you -- it made me mad. But I try not to blog when I'm angry, so I decided to sleep on it. After sleeping on it, I'm still pretty frustrated with Privacy International's conclusions. Here's my take.

[source: Blog]

An Open Letter to Google

(2007-06-10) [Privacy International] Dear Mr. Schmidt, You may be aware that Privacy International yesterday published its first privacy ranking of leading companies operating on the Internet. Google Inc performed very poorly, scoring lowest among the other major companies that we surveyed.

I am writing to express my concern not just at this unfortunate result, but also at communications between Google Inc and members of the media during the period immediately prior to publication of our report. Two European journalists have independently told us that Google representatives have contacted them with the claim that "Privacy International has a conflict of interest regarding Microsoft". I presume this was motivated because Microsoft scored an overall better result than Google in the rankings.

[source: News]

Google hostile to privacy, group says

(2007-06-10) [ComputerWorld] When it comes to protecting the privacy of its users, Google Inc. ranks worse than any other Internet company, according to an interim report by Privacy International. The international watchdog group also accused Google of engaging in a smear campaign in response to its findings, and demanded an apology.

Privacy International's findings (PDF format), based on six months of research, placed Google at the bottom of 23 Internet companies examined by the group. Google was the only company to earn the bottom ranking, for "comprehensive consumer surveillance and entrenched hostility to privacy." Other companies, such as Microsoft Corp. and Yahoo Inc., rated slightly better than Google. Microsoft was given a rating of four out of six, for "serious lapses in privacy practices." Yahoo was given a ranking of five of six, one better than Google, for "substantial and comprehensive privacy threats." (Excerpt from news story by Sumner Lemon)

[source: Security]

Privacy group accuses Google of smear campaign

(2007-06-10) [Infoworld] Google questioned integrity of recent privacy report by suggesting "conflict of interest regarding Microsoft," non-profit says

Just one day after slamming Google with the worst privacy ranking among top Internet companies, London-based Privacy International (PI) has publicly accused the search behemoth of attempting to undermine the non-profit's report, saying Google suggested to the media that PI has a "conflict of interest regarding Microsoft." Meanwhile, Google has lashed back at PI's report, released Saturday, saying in a statement that the company "aggressively protects its users' privacy and stands behind its track record," according to reports. (Excerpt from blog post by Ted Samson)

[source: Tech Watch]

A Race to the Bottom: Privacy Ranking of Internet Service Companies -- A Consultation report

(2007-06-09) [Privacy International] This report has been prepared by Privacy International following a six-month investigation into the privacy practices of key Internet based companies. The ranking lists the best and the worst performers both in Web 1.0 and Web 2.0 across the full spectrum of search, email, e-commerce and social networking sites.

The analysis employs a methodology comprising around twenty core parameters. We rank the major Internet players but we also discuss examples of best and worst privacy practice among smaller companies. The report was compiled using data derived from public sources (newspaper articles, blog entries, submissions to government inquiries, privacy policies etc), information provided by present and former company staff, technical analysis and interviews with company representatives. Because the 2007 rankings are a precedent, Privacy International will regard the current report as a consultation report and will establish a broad outreach for two months to ensure that any new and relevant information is taken into account before publishing a full report in September.

[source: News]

Privacy Is an Issue for Critics of Cameras

(2007-06-09) [New York Times] With the mayor's congestion-pricing plan gaining political support, some critics said yesterday that the network of several hundred cameras that would be installed on the streets of Manhattan could be too intrusive.

The cameras, which would record the license plate numbers of all vehicles that pass them, would be installed in 340 locations below 86th Street, said John Gallagher, a spokesman for the mayor. They would be the eyes of the billing system, which would charge drivers of cars $8 a day for entering the zone and $4 a day for driving within it, according to the mayor's plan. Drivers of commercial trucks would pay $21 to enter the zone and $5.50 to drive within it. (Excerpt from news story by Patrick Mcgeehan)

[source: Web News]

Full steam ahead for biometric standards

(2007-06-08) [Security Document World] The National Biometric Security Project (NBSP) has published a raft of new biometric standards covering applications as diverse as passports, financial services, conformance testing and Department of Defense requirements.

According to the NBSP: "Numerous national and civilian security applications will see improvement in functionality because of newly published biometric standards. Biometrically enabled passports will be made more robust as a result of new standards that define a general specification for physical characteristics, layout and security of passports. A new FBI Electronic Fingerprint Transmission Specification standard helps ensure the reliability and quality of fingerprints submitted to the FBI. A new biometrics standard for financial services defines the security framework for using biometrics for authentication of individuals in financial services transactions. Additionally, a new testing methodology standard provides specific details on methods and techniques for conducting scenario or technology tests."

[source: News]

Germany adds digital fingerprints to passports

(2007-06-08) [ComputerWorld] Germany will store digital fingerprints in addition to digital photos in passports as one of several biometric security measures planned to fight organized crime and international terrorism.

All new passports issued from November will store two digital fingerprints in an embedded chip, which, since 2005, includes a digital photo, the German Federal Ministry of the Interior said Friday. While fingerprints will be stored exclusively in passport chips, photos will continue to be saved additionally in databases of local authorities. A new amendment gives police and other authorized government officials online access to these databases. (Excerpt from news story by John Blau)

[source: Security]

TorrentSpy ordered to start tracking visitors

(2007-06-08) [CNet] A court decision reached last month but under seal until Friday could force Web sites to track visitors if the sites become defendants in a lawsuit.

TorrentSpy, a popular BitTorrent search engine, was ordered on May 29 by a federal judge in the Central District of California in Los Angeles to create logs detailing users' activities on the site. The judge, Jacqueline Chooljian, however, granted a stay of the order on Friday to allow TorrentSpy to file an appeal. The appeal must be filed by June 12, according to Ira Rothken, TorrentSpy's attorney. TorrentSpy has promised in its privacy policy never to track visitors without their consent. (Excerpt from news story by Greg Sandoval)

[source: News.com]

Face recognition set for takeoff in Australia

(2007-06-08) [CNet] Despite a series of technical hiccups, the first public trials of Australia's biometric SmartGate project are set to take place in Brisbane in August, six months behind schedule.

In development since 2002, SmartGate uses facial-recognition technology to verify the identity of travelers by comparing a scan of their face with a facial scan encoded in the microchip contained within the newly launched ePassport. While facial-scan technology has been successfully tested in the Sydney and Melbourne airports, with Qantas staff and a select group of frequent flyers, integrating the e-passport readers and extending the technology to all travelers has proved more challenging.

[source: News.com]

Un-watermarking iTunes Plus

(2007-06-07) [Mac Publishing LLC.] The revelation that Apple watermarks the new DRM-free iTunes Plus tracks it now sells has sent some into a tizzy (even though Apple has always done this with the content it sells). Personally, I couldn't care less. Should one of my iTunes Plus tracks make its way into the wild the worst that could conceivably happen is that someone might find out that I have a name and a particular email address. Last time I looked, Google provided much the same service. (Inconceivably, the RIAA could swoop down in black helicopters and send me off to Pirate camp and, frankly, hooks, wooden legs, and eye-patches match nothing in my wardrobe.)

Still, people will worry about the darndest things. If you're among that number and a Mac user, there's a solution. Rogue Amoeba's $32 audio editor, Fission, can strip out the identifying information in an iTunes Plus track without changing the file's audio. (Excerpt from news story by Christopher Breen)

[source: News]

ITunes Data Trail: How Much Personal Info Do You Give Up With Your Downloads?

(2007-06-06) [MTV Networks] While fans and some critics cheered iTunes' Friday roll-out of iTunes Plus -- which offers songs from the EMI catalog sans digital rights management but at a premium price -- you can bet that Apple wouldn't give up DRM without getting something in return, and that something is information about you.

Just days after the new downloads became available on iTunes, tech bloggers began furiously jumping on what seemed like a security system that embeds the customer's name and Apple I.D./e-mail address in the purchased tracks. While Apple deferred comment on the matter, experts downplayed the seriousness of the issue, and other leading digital stores assured MTV News that their tracks don't contain any widely accessible personal information. (Excerpt from news story by Gil Kaufman)

[source: News]

New event: The Revealed "I"

(2007-06-17) "The Revealed "I"" will take place on October 25 -- 27, 2007 (Ottawa, Canada).

See calendar entry.

New event: Harvard University Privacy Symposium

(2007-06-17) "Harvard University Privacy Symposium" will take place on August 21 -- 24, 2007 (Cambridge, MA., US).

See calendar entry.

Privacy: Do online shoppers care?

(2007-06-08) [CNet] Would you pay a little more for that book you bought online if it meant lowering your chances of being hassled by marketers, spammers and hackers?

Researchers at Carnegie Mellon University believe consumers will pay more per item online to protect their private information, according to a paper presented at the 2007 Workshop on the Economics of Information Security. (Excerpt from news story by Candace Lombardi)

[source: silicon.com]

T-Mobile: Don't legislate consumer privacy rules

(2007-06-07) [CNet] A T-Mobile executive on Thursday said there's no need for Congress to pass new laws prescribing requirements governing how mobile phone carriers handle their subscribers' personal information.

Criminal penalties for scammers--such as those contained in a bill signed by President Bush earlier this year--are great, but further regulations are unnecessary and unwise, said Kathleen Ham, T-Mobile's director of federal regulatory affairs. "I think we have every incentive to want to protect the privacy of our customers," she said during a panel discussion at the annual Pike & Fischer Broadband Summit here. (Excerpt from news story by Anne Broache)

[source: News.com]

Groups want limits on Google

(2007-06-07) [Hearst Communications Inc.] A coalition of privacy groups have taken another swing at Google Inc.'s proposed acquisition of online advertising firm DoubleClick, calling on federal regulators to prohibit the merged companies from compiling detailed dossiers about users' online behavior.

The groups said in an amended complaint with the Federal Trade Commission Wednesday that the government should allow Google to collect personal information about users only after getting their permission, and then give users the right to review that information and, if they choose, delete it. (Excerpt from news story by Verne Kopytoff)

[source: SFGate.com]

Good privacy pays for web stores

(2007-06-07) [BBC] People will pay more for goods if a website does a good job of protecting their privacy, a study shows.

The Carnegie Mellon study looked at what shoppers do when they are told what sites do with personal data. It suggests that shoppers will pay a premium equal to about $0.60 (30p) on goods worth $15 (£7) if they are reassured about privacy.

[source: News]

The politics of wiretapping and encryption - Book Excerpt: Privacy on the Line

(2007-06-07) [ComputerWorld] This article is excerpted from Privacy on the Line: The Politics of Wiretapping and Encryption, Updated and Expanded Edition, by Whitfield Diffie, vice president and chief security officer, and Susan Landau, distinguished engineer, both of Sun Microsystems. Diffie is also co-inventor of Diffie-Hellman public key cryptography. This excerpt is used with permission of The MIT Press.

Control of society is, in large part, control of communication. From the right to assemble enumerated in the U.S. Constitution to the antitrust laws prohibiting competitors from agreeing on prices, there is a tension between the right to communicate and limitations on communication. As society evolves, particularly as technology evolves, the government's power to control communications changes. Telecommunication, barely a century and a half old, has so transformed society that, for most people in industrialized countries, it is a necessity, not an option. People move thousands of miles from friends and family, knowing that they can keep in touch by phone and e-mail. People telecommute to work or, having commuted to the office, spend the day doing their work via telephone, e-mail and the Web. People order goods from dealers on the other side of the continent by dialing 800 numbers or opening Web pages. For a remarkable range and an increasing number of activities, telecommunication stands on an equal footing with physical communication. (Excerpt from text by Whitfield Diffie and Susan Landau)

[source: Security]

Suddenly, the Paranoids Don't Seem So Paranoid Anymore

(2007-06-07) [Wired] Have you noticed? We've become a people that no longer respects, or apparently desires, privacy. Our own or anybody else's.

That's a remarkable thing, when you stop to think about it. We Americans, historically, have fiercely guarded our personal privacy. It's one of our defining characteristics. Others, who live in societies where personal privacy isn't so easily taken for granted, have looked on with a mixture of admiration and bemusement. "Mind your own business" is a singularly American expression. But now we've allowed that birthright to be compromised, in a hundred little ways, and in a few conspicuously big ones, by an increasingly meddlesome government -- not to mention opportunistic, predatory marketers -- armed with the technology that gives them an easy entrée into our most secret places. Why is that, do you suppose? Have we surrendered to Big Brother because "you can't fight city hall," or have we been lied to, cajoled and softened up for so long by so much stupid television and the endless drumbeat of consumerism that we no longer care? (Excerpt from news story by Tony Long)

[source: News]

Online shoppers will pay more for privacy

(2007-06-06) [Press Esc] People are willing to pay more to buy items from online retailers who make their privacy policies clear, a new Carnegie Mellon University study showed.

Participants in the laboratory study used the university's shopping search engine Privacy Finder, which can automatically evaluate a Web site's privacy policies and display the results on the search results page. (Excerpt from news story by Vidura Panditaratne)

[source: Blog post]

French State Council allows tracing P2P users

(2007-06-06) [EDRI] The State Council of France validated on 23 May 2007 the automatic tracing of illegal downloading in P2P networks. This decision cancelled the 18th October 2005 CNIL (Commission nationale de l'informatique et des libertés) decision that rejected the introduction of surveillance devices proposed by Sacem and 3 other author and producer associations asking for the automatic tracing of infringements of the intellectual property code.

The State Council believes that such devices are acceptable considering the extent of the piracy phenomenon in France. The number of downloaded files decreased by half in 2006 as compared to 2005 but according to GfK institute this is probably due to the evolution from a quantitative type of downloading to a qualitative one.

[source: EDRI-gram, Number 5.11]

Legislation banning "hacking tools" in Germany

(2007-06-06) [EDRI] The laws on computer crimes have become stricter in Germany where the creation, use or distribution of so-called "hacking tools" have been banned.

On 23 May 2007, the Committee on Legal Affairs of the Bundestag (the lower chamber of Germany's Federal Parliament) approved a controversial government bill meant to improve criminal prosecution of computer crimes. The Criminal Code has been modified so as to make it illegal for unauthorized users to access secure data by bypassing the computer security protection system. The "deliberate acquisition of data by tapping into a non-public transmission of data or by way of reading radiation leaked by a data processing system" is now considered a crime.

[source: EDRI-gram, Number 5.11]

The French Ministry of Interior has a new interception platform

(2007-06-06) [EDRI] On 2 May 2007 a new technical platform for the interception of traffic data in all types of communication systems was discreetly put into operation by the French Ministry of Interior, covering communication data related to text messages, mobile or Internet.

The security services are now in the position of knowing who has contacted whom, when and where and, by a simple click, they can obtain from the telephone operators the list of all calls from and to a subscriber. They can obtain the subscription documents of the respective person with address and bank information and can also require all the Internet sites or forum addresses the respective person has accessed.

[source: EDRI-gram, Number 5.11]

The European Parliament voted for stronger data protection

(2007-06-06) [EDRI] On 21 May 2007, the European Parliament (EP) voted for the reinstallation of the data protection principles in the legislation that allows the police forces in Europe to share data.

The European Council, which is the one deciding in police and judicial matters, had formally asked the EP for its opinion on this issue as, lately, concern has been expressed on the lack of proper protection of personal data processed in the framework of police and judicial co-operation in criminal matters. Such a concern has been expressed also by the European Data Protection Supervisor (EDPS), Peter Hustinx who, at the end of May, advised the Council against adopting the Commission's new Council Framework Decision proposal as he considered the proposal did not provide appropriate data protection.

[source: EDRI-gram, Number 5.11]

RFID Expert Group - Kick Off

(2007-06-06) [EDRI] Following the public consultations on RFID last year, the European Commission announced the creation of an RFID Expert Group to assist in drafting the future RFID strategy. The group's kick-off meeting was held in Brussels last week. EDRi was invited to participate in the group.

The Group has been established for two years and includes representatives from the industry, standardisation bodies and the civil society. The EU data protection authorities participate as observers.

[source: EDRI-gram, Number 5.11]

[Danish] The European supervisory authorities' spring conference 2007

(2007-06-06) [Datatilsynet] The European data protection authorities' annual spring conference was hosted in 2007 by the Cypriot data protection authority. The conference took place in Larnaka on 10-11 May 2007.

At the conference in Larnaka, the data protection authorities adopted the following documents: "Declaration on the Principle of Availability together with the Common Position and Checklist", "Declaration on the Proposal of the Council for a draft Framework Decision on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters".

[source: News]

Norwegians could accept surveillance

(2007-06-06) [Aftenposten Multimedia A/S] Three out of four Norwegians are conditional supporters of more surveillance in society. The prerequisites for extra monitoring of public spaces are that it would result in safer daily life and that it be done as a reaction to suspected crime.

The acceptance for extra security measures sinks rapidly when not associated with crime prevention. The oldest segment of the population has the greatest reservations against surveillance, according to a survey carried out by Norstat for the Norwegian Board of Technology.

[source: Aftenposten]

Monitoring of emails may spark 'breach of human rights' claims

(2007-06-06) [Telegraph Media Group Limited] Private sector employers are being warned they could face claims for breach of human rights if they monitor an employee's email, phone or internet traffic following a European court ruling.

Lawyers are briefing companies about the outcome of the case involving Lynette Copland who was awarded damages of Euro 3,000 and Euro 6,000 in legal costs after the European Court of Human Rights found her employers, Carmarthen College in Wales, breached her privacy rights by monitoring her calls without permission. (Excerpt from news story by Roland Gribben)

[source: Telegraph.co.uk]

Web cams a violation of privacy, man says

(2007-06-05) [The News & Observer Publishing Company] When the number of video cameras focusing on Oriental's waterfront doubled recently, Tony Tharp decided it was time for a '60s-style protest -- complete with a public demonstration and a soapbox.

It doesn't matter that there are only two Web cams -- one centered on the town dock and the other on a scenic park overlooking the Neuse River. This is Oriental, a laid back Pamlico County town of 875 people, where boats outnumber people three to one and townfolk revere fanciful dragons. (Excerpt from news story by Jerry Allegood)

[source: The News & Observer]

Lords EU Committee Raise Concerns Over Passenger Name Record Agreement With US

(2007-06-05) [House of Lords] The House of Lords European Union Committee have today set out their criteria for a new EU/US Passenger Name Record (PNR) Agreement. They argue that the collection of data should not go beyond that needed in the fight against terrorism.

The Committee fully accept the potential value of PNR data in the fight against terrorism. But the data must be collected accurately, analysed correctly, and used only for counter-terrorism and related crimes.

[source: Press Release]

Government failing on privacy when sharing our data, say MPs

(2007-06-05) [PinsentMasons] The Government is not serious enough about protecting citizens' data when it comes to pan-European data sharing schemes, a parliamentary committee warned today. The Government should back the adoption of a sidelined data protection measure, it said.

The Select Committee on Home Affairs said that the Government was so focused on law enforcement that it was ignoring the need to ensure

[source: Out-law.com]

The Growing Pains of RFID

(2007-06-05) [IT Analysis Communications Ltd.] It is now three years since retailer Wal-Mart announced that it would mandate the use of RFID by its suppliers, with the eventual intention of deploying RFID technology throughout its supply chain to improve efficiencies. And it is not the only firm to have taken such a decision, as retailers such as Metro of Germany and Target in the US have introduced such mandates. The US Department of Defense has also leapt onto the rolling bandwagon.

When Wal-Mart took the RFID decision, it stated, to some skepticism, that the benefits would be felt by all, providing suppliers with a better mechanism for controlling inventory and sales velocity, and giving them more demand signals to help them forecast demand for their products more effectively. But what do the suppliers really think? (Excerpt from news story by Fran Howarth)

[source: it-director.com]

Google's Street View could be unlawful in Europe

(2007-06-05) [PinsentMasons] Like a trigger-happy tourist, Google has shot almost every street in five US cities and added its pics to what might be the world's biggest holiday album. But if Google ever starts shooting the streets of Europe, courts here could fight back.

Google Maps Street View is the latest service from the search giant. Vehicles with multi-lens cameras travelled the streets of San Francisco, New York, Las Vegas, Denver and Miami and snapped everything in their paths. The images were uploaded to Google Maps and now, when you're looking at a location in Google Maps that has been photographed, you can see the pics. If you live in a featured city and you've been passed by a Google van or a car from its partner, Immersive Media, the cameras probably saw you too.

[source: Out-law.com]

Getting Comfortable With Less Privacy

(2007-06-04) [MediaPost Communications] As the Federal Trade Commission examines the Google-DoubleClick merger, privacy advocates are growing vocal about the fear of an unholy alliance. Groups including the Center for Digital Democracy have gone so far as to urge the Commission that "there is simply no consumer privacy issue more pressing" for the FTC to consider than the future of Google.

Enough has been written about whether GoogleClick really will or will not threaten our privacy, so I'll stay on the sidelines of that issue. Instead, I want to raise a related question that, to my mind, remains largely -- and unfortunately -- overlooked. Assuming that GoogleClick is a threat to privacy (for the sake of argument), is it possible that we, as a society, could decide that we're OK with that threat to privacy - as long as we get a better online life in return? (Excerpt from news story by Mark Simon)

[source: SearchINSIDER]

285 schools 'fingerprint children'

(2007-06-04) [inthenews] Almost 300 schools are regularly fingerprinting pupils, the Liberal Democrats have claimed.

Following a poll of Local Education Authorities (LEAs), the party claims that 285 schools said they used fingerprinting as a means of monitoring pupils. Those schools also revealed they stored biometric details of their pupils and the Lib Dems suggest the real number of schools conducting fingerprint checks could be much higher.

[source: News]

New PCC Privacy Guidelines on Undercover Reporting

(2007-06-04) [allmediascotland] The Press Complaints Commission (PCC) has issued new guidance on privacy and data protection compliance for newspapers when involved in undercover newsgathering.

The guidance follows a PCC investigation into industry practices following the jail sentences handed down earlier this year to a News of the World reporter and a private investigator who tapped phone messages of Royal Family employees in order to source stories. Despite the successful court prosecutions, the PCC felt the case raised sufficiently important issues on compliance with its Code of Practice, to merit further investigation. It was also concerned that the case would not be seen as an isolated one and would undermine public confidence in journalism. (Excerpt from news story by Tods Murray LLP)

[source: News]

Study: Music, Tech Search Terms Riskiest

(2007-06-04) [Wired] Search terms related to music and technology are most likely to return sites with spyware and other malicious code, a new study finds.

Some 42 percent of the results using the term "screensavers," for example, led to sites flagged with a "red" warning or a cautionary "yellow" by McAfee Inc.'s SiteAdvisor service. Other keywords McAfee deemed risky include names of file-sharing software - "BearShare," "LimeWire" and "Kazaa." (Excerpt from news story by Anick Jesdanun)

[source: news]

New rules for personal data start a long process

(2007-06-04) [1105 Media, Inc] The Office of Management and Budget has handed down a set of requirements on "safeguarding against and responding to the breach of personally identifiable information." It requires, among other things, that agencies reduce the amount of personal information held and establish by September a policy for notifying persons whose information might have been compromised.

This is a welcome move, but do not expect any immediate dramatic changes in how our personal data is handled. A good part of the 22-page memorandum is devoted to reminding agencies of "existing security requirements agencies already should be implementing" under current security and privacy laws. Other requirements, such as the culling of unnecessary Social Security numbers, probably will take a long time to accomplish. (Excerpt from news story by William Jackson)

[source: Government Computer News]

Morrison & Foerster's International Privacy Library

(2007-06-03) [Concurring Opinions] Morrison & Foerster has launched a terrific website for international privacy law. The website features information about U.S. federal and state privacy statutes as well as the text of privacy laws from around the world.

It's a fantastic website, especially for those interested in privacy statutes from other countries which are often hard to track down. (Excerpt from blog post by Daniel J. Solove)

[source: Blog]

Violation of privacy laws increases chances of fraud

(2007-06-01) [CanWest MediaWorks Publications Inc.] The majority of businesses in Canada collect personal information from customers, but many are ignoring privacy laws and may be using sensitive data illegally, putting Canadians at risk of fraud, warns new research released Thursday by the federal privacy commission.

What's more, a new survey conducted for the commission reveals an overwhelming percentage of staff -- about two-thirds -- at Canada's small, medium and large businesses have little or no training for handling personal information and ensuring that it does not fall into the wrong hands. (Excerpt from news story by Carly Weeks)

[source: Edmonton Journal]

No quick decision on Google privacy probe

(2007-06-01) [FairfaxDigital] The European Union's data watchdog will take months to decide whether Google may be violating European privacy laws, a spokeswoman for the group said on Thursday.

The EU body, made up of national protection supervisors of the bloc's 27 member states, said earlier this month that Google seemed to be failing to respect EU privacy rules and asked for clarifications before its next meeting on June 19-20. The June meeting "will not be the end of the discussion," said a spokeswoman for Peter Schaar, chairman of the Article 29 Data Protection Working Party, as the group is known. The EU data watchdog will decide in June on how to proceed, including whether to invite Google to its next meeting in early October, said spokeswoman Gabriele Loewnau.

[source: theage.com.au]

Google Zooms In Too Close for Some

(2007-06-01) [New York Times] For Mary Kalin-Casey, it was never about her cat. Ms. Kalin-Casey, who manages an apartment building here with her husband, John Casey, was a bit shaken when she tried a new feature in Google's map service called Street View. She typed in her address and the screen showed a street-level view of her building. As she zoomed in, she could see Monty, her cat, sitting on a perch in the living room window of her second-floor apartment.

"The issue that I have ultimately is about where you draw the line between taking public photos and zooming in on people's lives," Ms. Kalin-Casey said in an interview Thursday on the front steps of the building. "The next step might be seeing books on my shelf. If the government was doing this, people would be outraged." Her husband quickly added, "It's like peeping." (Excerpt from news story by Miguel Helft)

[source: News]


Latest update: 2007-08-26 21:26:17