(2007-07-30) [CDT] In a far-reaching new proposal to Congress, the Administration is asking for authority to intercept, without a court order, any international telephone call or e-mail made by any American citizen. The proposed legislation would not require that the targeted communication involve terrorism or other dangerous conduct.
The proposal would amend the Foreign Intelligence Surveillance Act to allow the National Security Agency to force communications carriers to turn over without a court order any international communications into and out of the United States for indefinite storage and data-mining. CDT strongly opposes the proposal.
[source: News]
(2007-07-27) [NPR] A look at search engines--how they work and where they are headed. With the online world becoming ever more important in people's day to day lives, how will people be able to better manage the flood of information available on the internet? We'll talk about search engine technology, and the challenge of protecting privacy in a web-searching world.
Listen to the podcast (length 25:21).
[source: ScienceFriday]
(2007-07-26) [CDT] A recent federal court decision affirming that e-mail exchanges are protected under the Fourth Amendment brings welcome certainty to an undeveloped area of the law, CDT concludes in an analysis issued today.
The Sixth Circuit court of appeals held in Warshak v. US that Internet users have a reasonable expectation of privacy in e-mail stored with service providers, requiring the government to either get a warrant or provide users notice when the government seeks their e-mail.
[source: News]
(2007-07-26) [CDT] The National Security Letters Reform Act -- introduced in the House of Representatives by Reps. Jerrold Nadler and Jeff Flake -- takes some vital first steps in restoring basic privacy protections to law-abiding Americans, while still providing the government with the tools it needs to pursue real threats, CDT said today.
In 2001, the PATRIOT Act drastically expanded the FBI's authority to obtain the business and personal records of Americans by issuing National Security Letters (NSLs). The National Security Letters Reform Act would limit the reach of this powerful tool by, among other things, requiring that NSLs only be used to obtain records that pertain to suspected spies or terrorists. Although the legislation does not require prior judicial approval of NSLs -- a key reform -- CDT supports the bill and looks forward to working with lawmakers to make it even stronger.
[source: News]
(2007-07-25) [CDT] CDT and the Health Privacy Project called for the inclusion of privacy protection standards in a Senate bill intended to spur development of electronic health records and other applications of information technology in the health care field.
CDT and HPP support the goals of the Wired for Health Care Quality Act, but said in a letter to Sen. Edward Kennedy, chairman of the Senate Health Committee, that privacy should be an integral part of any health information technology project. The bill, S. 1693, was approved by the committee on June 27 and awaits action by the full Senate.
[source: News]
(2007-07-25) [TechNewsWorld] Not one to be left out, Yahoo has joined the chorus of search engines boasting new privacy policies. Yahoo has chosen to anonymize users' search histories after 13 months, rather than the 18 month period settled upon by most rivals. The company's announcement came fresh on the heels of similar news from Microsoft and Ask.com.
Yahoo became the latest major Internet search provider to alter its user privacy policy Monday. Under the new plan, the company said, it will anonymize search histories after only 13 months, five months earlier than its search competitors at Google, Microsoft and Ask.com. "One of the core tenets of this company is the relationship and trust we have with our users. We are moving forward with a new approach to user search data," Jim Cullen, a Yahoo spokesperson, told TechNewsWorld. "Yahoo's new global policy is: All search log data will be anonymized within 13 months of collection except where users request otherwise or where Yahoo is required to retain the information to comply with legal obligations. We believe the 13 month policy is the appropriate timeline to meet our commitment to our users' privacy while preserving our ability to continue to defend against fraudulent activity and improve our services to advertisers, publishers and users," he added. (Excerpt from news story by Walaika Haskins)
[source: Privacy]
(2007-07-30) [Datatilsynet] In its recent opinion, the Article 29 Working Party makes an important contribution to the understanding of what constitutes personal data and what falls outside the concept.
At the group's last meeting before the summer, it adopted an opinion on the understanding of the concept of personal data. The comprehensive document gives good explanations of what personal data is by dividing the concept into its component parts and giving examples of each. The document is a milestone in the group's history and of great value as guidance.
[source: News]
(2007-07-30) [MIT Technology Review] If the people in your social circle use Plazes, a Swiss location-tracking startup, they may not be too hard to find. Plazes is an online community where people post and update their location via the Internet or text messaging on cell phones. One hurdle is balancing privacy.
"There are worries about privacy in all the systems," says Yahoo's Naaman. "There's obviously risk in sharing location with the public or even other people." He says that best practices for such systems need to be established so that people have a better understanding of how much they can and should disclose, and to whom. Plazes's approach to privacy, says Petersen, is to let users determine if their locations are public and which friends can see them. In addition, people must manually "plaze" themselves in order for others to know where they are. "People publish their locations," he says. "They have to initiate it." (Excerpt from news story by Kate Greene)
[source: News]
(2007-07-29) [ComputerWorld] Tucked into an affidavit filed by an FBI agent last month was the first hard evidence that federal agents are equipped with more than automatic pistols and handcuffs: The agency was asking a federal judge to let it infect a PC with spyware so they could finger its owner.
The case, which was reported locally in Olympia, Wash., last month and received more national exposure this month, involved bomb threats e-mailed to Timberline High School in Lacey, Wash., an IP trail that went cold in Italy and a call to the FBI. Special Agent Norm Sanders, who swore out the affidavit, could be Efrem Zimbalist Jr.'s doppelganger for all we know, but he must have been more talkative than the close-lipped character from the late-1960s TV drama The FBI to win over a judge. Sanders had to spill some beans about CIPAV, the agency's name for what the rest of us would call spyware -- software the FBI wanted to plant on the PC used to e-mail the bomb threats in the hope of identifying its owner, and thus the sender. (Excerpt from news story by Gregg Keizer)
[source: Security]
(2007-07-27) [CNet] Action by a divided U.S. Senate on Thursday raises new questions about the fate of a contentious plan to outfit Americans with new digital identification cards by 2013.
By a 50-44 vote mostly along party lines, the chamber set aside a Republican-backed amendment to a homeland security spending bill that would have spread $300 million across the states to help them implement the so-called Real ID Act. The Senate also agreed unanimously to adopt an amendment, proposed by vocal Real ID critic Max Baucus (D-Mont.), which prohibits the use of any of the spending bill's funding for "planning, testing, piloting, or developing a national identification card." (Excerpt from news story by Anne Broache)
[source: News.com]
(2007-07-25) [ComputerWorld] Almost a third of Canadian businesses are dragging their feet when it comes to complying with private-sector privacy law. According to a survey recently released by the office of Jennifer Stoddart, privacy commissioner of Canada, 31% of businesses are either still in the process of complying with such law or have yet to begin.
Only one in two businesses said they have a high awareness of their responsibilities under the Personal Information Protection and Electronic Documents Act (PIPEDA), and just a third said they have trained staff to handle privacy issues. Worse, according to Stoddart's office, is the fact that only one in five has sought clarification of their role. (Excerpt from news story by Shane Schick)
[source: Security]
(2007-07-24) [The Volokh Conspiracy] Does a user have a reasonable expectation of privacy in their files -- including images of child pornography -- posted on a password-protected website? In a decision handed down last week, Judge Stearns of the U.S. District Court for the District of Massachusetts concluded that the answer is "yes." At the same time, Judge Stearns refused to suppress the evidence in the particular case, finding that its collection was the fruits of a private search by a tipster. The case is United States v. D'Andrea.
Unfortunately, the facts of the case are pretty gruesome, so here is a very brief version. The Massachusetts Department of Social Services received a call from a person reporting that another couple was molesting their 8-year old daughter and putting pictures of the molestation on a password-protected Sprint PCS website. The caller indicated that she was an ex-girlfriend of the man involved, and she told the officials the username and password of the website to access the pictures. A DSS official entered the username and password, accessed the website, and confirmed that images of the molestation were present. The official contacted the police, and the police obtained a warrant to search the couple's home. The woman was home when the warrant was executed; she was taken into custody and confessed to the crime. When charges were brought, both the man and the woman moved to suppress the images and the confession on the ground that they had a reasonable expectation of privacy in the stored files in the account and that the government access to the account without a warrant had violated the Fourth Amendment.
[source: BlogEntry]
(2007-07-18) [Security Document World] Plans to transform India's income tax department into a high-tech operation could result in the introduction of biometric technology later this year.
From October 2007, all new income tax payers in the country could be using biometric Permanent Account Number (PAN) cards, based on fingerprint or iris technology. The new system aims to help reduce the number of duplicate cards in the system.
[source: News]
(2007-07-17) [EFF] Contrary to Google's recent statements, the company's new policy for issuing cookies won't meaningfully help protect users' privacy. Shorter cookie life spans can help limit a site's ability to track you, but Google's change doesn't amount to any practical difference.
To its credit, Google did decide in March to delete key identifying information in its search logs, including cookie ID numbers, after 18 months. As we said at the time, this is a good first step towards protecting users' privacy, but more is needed. Unfortunately, Google's new policy for issuing cookies doesn't move the ball forward.
[source: News]
(2007-07-27) [EPIC] The Government Accountability Office (GAO) has released a report on the progress of the Department of Homeland Security (DHS) Privacy Office in complying with its statutory mandates.
The GAO concluded that significant progress has been made in meeting statutory requirements. For example, the Privacy Office has increased the number and quality of Privacy Impact Assessments issued, and it has managed to incorporate privacy considerations into DHS decision-making via the privacy advisory committee and public workshops. However, the Privacy Office has not been timely in issuing reports. This tardiness has delayed the effectiveness of these reports and eroded the credibility of the Privacy Office.
[source: EPIC Alert, Volume 14.15]
(2007-07-27) [EPIC] European consumer groups ANEC and BEUC have issued a joint policy paper on RFID in Europe. The position paper, based on the European Commission Communication on RFID from March 2007, is their contribution to the RFID Experts stakeholder group and designed to help the European Commission draft a recommendation on privacy and security aspects of RFID.
The groups recommended that the Commission begin "impartial and comprehensive information campaigns on the RFID technology, its potential benefits and risks," to help consumers choose whether to use RFID. They also suggested that "a European committee dealing with ethics should be created and consulted" concerning any RFID or near field communication (NFC) technology applications.
[source: EPIC Alert, Volume 14.15]
(2007-07-27) [EPIC] EPIC joined Public Knowledge and nine other privacy and consumer rights groups in urging the Federal Communications Commission against requiring broadband Internet Service Providers to use network filters on Web content.
Last month, NBC Universal Inc. requested the FCC mandate content suppression in order to limit illegitimate broadband uses such as online piracy through peer-to-peer file sharing. The privacy and consumer rights groups explained, "Any attempt to use this technology to control what may be done on the Internet will have serious unintended consequences. Particularly, these technologies limit First Amendment freedoms, stifle innovation, threaten personal privacy, and do little to address the underlying problem."
[source: EPIC Alert, Volume 14.15]
(2007-07-27) [EPIC] EPIC's current Spotlight on Surveillance reviews "fusion centers," data sharing entities that acquire information from many sources, including private sector firms and anonymous tipsters.
The Department of Homeland Security is seeking to create a national network of local and state fusion centers. The federal agency has provided more than $380 million to state and local governments in support of these centers. The fusion center program gives DHS enormous domestic surveillance powers.
[source: EPIC Alert, Volume 14.15]
(2007-07-27) [EPIC] On July 18, the Health Information Privacy and Security Act of 2007 (HIPSA) (S.1814), was introduced into the Senate. The bill was sponsored by Senator Patrick Leahy (D-VT) and co-sponsored by Senator Edward Kennedy (D-MA). HIPSA seeks to provide individuals with access to their personal health information while ensuring patient privacy.
HIPSA provides individuals the right to access their health data and prohibits the use of health data without patient authorization. The bill requires that organizations that store health information electronically notify individuals of their privacy practices and establish adequate safeguards to prevent security breaches, or face civil penalties. If a breach does occur, the bill requires patient notification within 15 days of the occurrence. HIPSA also authorizes the Attorney General to file a civil action against organizations that do not properly safeguard electronic health records or provide individuals with information about their health privacy rights.
[source: EPIC Alert, Volume 14.15]
(2007-07-25) [ComputerWorld] Responding to concerns from privacy advocates and the public, Yahoo Inc. said yesterday it will make user search data anonymous after 13 months.
The news comes shortly after other Internet companies, including Google Inc. and Microsoft Corp., have taken similar steps to limit the storage of personal data. "One of the core tenets of this company is the relationship and trust we have with our users," said Yahoo spokesman Jim Cullinan in a statement e-mailed to Computerworld. (Excerpt from news story by Linda Rosencrance)
[source: Networking & Internet]
(2007-07-24) [CNet] Congress is already well on its way to bestowing new powers on an internal White House panel that's supposed to judge whether Bush administration programs like the National Security Agency's electronic surveillance regime pose privacy and civil liberties concerns.
But the board's chairman on Tuesday had one message for the politicians backing the new authority: thanks, but no thanks. Civil liberties advocates have long dogged the Privacy and Civil Liberties Oversight Board--which was created within the White House by Congress in 2004 at the recommendation of the 9/11 Commission but didn't meet until 2006--for its perceived inability to make real assessments without executive branch officials looking over its shoulder and its lack of transparency to the public. (Excerpt from news story by Anne Broache)
[source: News.com]
(2007-07-24) [CNet] Just in time for the theatrical release of Harry Potter and the Order of the Phoenix, a judge has held that an Internet-based service may not offer its users an invisibility cloak.
The court ordered TorrentSpy to preserve server log data, and make it available to the Motion Picture Association of America as part of the ongoing litigation between them. TorrentSpy objected to the initial request for the preservation and production of the server logs on a number of grounds. Its lawyers claimed that preserving the data would be an undue burden requiring great technical resources and significant funds. (Excerpt from news story by Nancy Prager)
[source: News.com]
(2007-07-23) [ComputerWorld] It's good news when giant Web operations start competing based on whose privacy practices are better. As in, "my privacy policy's better than yours." Here's the summary of a Wall Street Journal article today (subscription required):
Microsoft, Ask and Yahoo are planning new policies to protect the private information of users of their search services, as competition on privacy heats up. (Update: Our version of the story is here at Computerworld.com.) Without getting into the details here, overall this is a good sign. It means privacy is now a "feature" that deserves its own bells, whistles, customizable options and marketing push. Privacy is now seen as something that can give a company a competitive edge with consumers. (Excerpt from blog post by Mitch Betts)
[source: Blogs]
(2007-07-23) [ComputerWorld] From the moment you walk into work until the moment you leave, your boss or his minions may be spying on you.
Computerworld has noted before that surveillance cameras are becoming more common in the workplace ("Big Brother is watching you ... and he's a computer"). But what we are talking about here is the more insidious tracking of your digital footprints as you go about your computing workday. When you start thinking about all the ways that you can be digitally tracked, it can make even the least paranoid person sit up and take notice. (Excerpt from news story by David Strom)
[source: Networking & Internet]
(2007-07-23) [ComputerWorld] College and university systems can be prime targets for identity thieves and hackers -- think open computing environments in which students freely download files, interact on social networking sites and use peer-to-peer applications.
To reduce the risk of personal data being exposed, Temple University in Philadelphia launched an initiative three years ago to eliminate the use of Social Security numbers as a primary means of identifying students and staff. "People aren't expecting to see their Social Security numbers anywhere today," says Barbara Dolhansky, associate vice president of computer systems at the university. But in a sprawling environment such as Temple's, identifying every point at which that information was being collected and stored was no easy task. (Excerpt from news story by Monica Sambataro)
[source: Security]
(2007-07-23) [ComputerWorld] Microsoft Corp. is joining Ask.com in offering Web surfers a way to use its search engines anonymously, and the two companies are now calling on the search and online advertising industry to develop a common set of privacy practices.
By year's end, Microsoft will give users a way to search anonymously on its Microsoft Windows Live Web sites, and it will also implement a new data retention policy that after 18 months will scrub all search query data of any information that could be used to identify the searcher. "We think that we as an industry ought to take a look at ways to further enhance privacy protections," said Microsoft Chief Privacy Strategist Peter Cullen. "We're really trying to make sure that people always have the ability to have a trusted experience." (Excerpt from news story by Robert McMillan)
[source: Security]
(2007-07-20) [EFF] We've often regretted that the most popular search engines have been keeping a dossier of everything you search for -- forever. It's easy to forget just how intrusive this kind of record can be until something like the AOL search history leak occurs and confronts users with even a portion of the search logs that track their everyday on-line activities.
Thus, it's exciting to hear that Ask.com plans to take a leap into the lead of search engine privacy by expressly allowing users to opt out of tracking -- as the Associated Press and Ars Technica report, Ask has pledged to launch a service called AskEraser that allows users to stop their search histories from being logged. And now, it looks like our hope that other search engines would follow Ask's lead is becoming a reality, and faster than we expected: Microsoft announced over the weekend that it is now intending to offer users the ability to opt out of having their searches automatically associated with a single identifier. Meanwhile, Yahoo! is reportedly shortening its retention period to 13 months, so far the shortest such period amongst the major search engines.
[source: News]
(2007-07-20) [ComputerWorld] Search portal Ask.com plans to make it easier for Web searchers to cover their tracks.
The company is introducing a feature to its Web portal later this year called AskEraser, which will let users perform anonymous searches. When AskEraser is turned on, the Web site will not retain the data it typically stores during a search, said Patrick Crisp, an Ask.com spokesman. "We will allow users to select a privacy setting that says, 'I do not want you to retain my data at all,'" he said. If AskEraser is not turned on, the site will store the search query, the IP (Internet Protocol) address and some cookie information from the user, as well as the URL the user visited before coming to Ask.com, Crisp said. (Excerpt from news story by Robert McMillan)
[source: Security]
(2007-07-20) [ComputerWorld] A new generation of 'snoopware' listens, watches and spies through cell phones
For most of a century, nosey people, both professional and amateur, have used microphones and cameras to listen to and watch unsuspecting targets. In recent years, the miniaturization of electronics has enabled these devices to be hidden. Extreme drops in price have made spy electronics available to anyone, even creepy stalker types. The only remaining challenge is placement: If anyone wants to capture the juicy tidbits, they've got to have a microphone or camera in the right place at the right time. Enter the camera phone, a dream come true for not just spies but a new breed of "cell phone stalkers." (Excerpt from news story by Mike Elgan)
[source: Mobile & Wireless]
(2007-07-20) [InfoWorld] GAO report concludes that theft of personal information isn't a problem, but notifying consumers is! The GAO reports that identity theft really isn't a problem. The problem, apparently, is that the process of notifying consumers whenever their personal financial information has been compromised is confusing us simple-minded folks. Yes, I've got that right. It's not a comedic headline from The Onion.
The SANS NewsBites, one of my top information sources on security news, turned me on to The United States Government Accountability Office's new report to congressional requesters called Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft is Limited; However, the Full Extent is Unknown. The 50-page report was developed to assist Congress with crafting all the various data breach notification legislation being proposed (the Data Security Act of 2007 (H.R. 1685), Data Accountability and Trust Act (H.R. 958), Identity Theft Prevention Act (S. 1178), and the Personal Data Privacy and Security Act of 2007 (S. 495), to name a few.) Overall, it's not an entirely bad report, but it comes to nebulous conclusions. (Excerpt from news story by Roger A. Grimes)
[source: News]
(2007-07-18) [CNet] A member of an influential European Union privacy group has said it will meet to discuss whether Google has gone far enough in reducing the amount of time the Google cookie stays on computers.
Alexander Dix, Berlin's security and privacy representative, told CNET News.com sister site ZDNet UK that the Article 29 Data Protection Working Party, a group of European privacy experts, welcomed Google reducing its cookie time to two years, but said the group would discuss whether Google has gone far enough. (Excerpt from news story by Tom Espiner)
[source: News.com]
(2007-07-18) [EDRI] The Irish Data Protection Commissioner has indicated that there is a widespread problem with government officials selling or leaking personal information to the insurance industry.
Recent media reports have indicated that members of the Irish police force have been providing access to the police computer system to insurance companies investigating car accidents. An inquiry arising from those concerns has discovered that there is also a wider problem in the insurance industry involving access to private social welfare records of individuals. The Data Protection Commissioner Billy Hawkes is quoted as saying that the practice of obtaining such information has been and continues to be "systematic" across the industry.
[source: EDRI-gram, Number 5.14]
(2007-07-18) [EDRI] The Spanish Plenary Congress of Deputies approved on 21 June 2007 the draft law on the retention of traffic data, requiring fixed and mobile telephony providers, as well as ISPs, to retain data for a period of one year and to make it available to law enforcement or secret services under court order.
The bill, called the Electronic Communications and Public Communications Network Data Storage Act, implements EU Directive 2006/24/CE on data retention. According to the draft act, the data will be retained only in order to "detect, investigate and prosecute serious crimes stipulated by the Criminal Code and other special laws" and could be accessed by law enforcement and secret services only under court order.
[source: EDRI-gram, Number 5.14]
(2007-07-18) [EDRI] In an unprecedented decision, the Court of First Instance in Bruxelles has ordered Scarlet, a Belgian ISP, to implement technical measures to prevent its users from illegally downloading music files.
The decision comes after a complaint initiated in 2004 by Sabam (Belgian Society of Authors, Composers and Publishers) against the Belgian ISP Tiscali, now renamed Scarlet. A first intermediary ruling of 26 November 2004 accepted the possibility for an ISP to disconnect customers if they violate copyrights, and to block access for all customers to websites offering file-sharing programs. But further technical clarifications were needed, so an expert was appointed to present his opinions.
[source: EDRI-gram, Number 5.14]
(2007-07-18) [EDRI] On 10 July 2007 the members of the European Parliament (EP) adopted with an overwhelming majority, close to 90%, a Resolution that heavily criticizes the new PNR agreement struck by the European Commission with the US Department for Homeland Security (DHS), considering it "substantively flawed", in particular by "open and vague definitions and multiple possibilities for exception".
The EP considers that the new deal still fails to offer an adequate level of data protection and that it has been concluded without any involvement of parliaments from both sides, lacking democratic oversight. The resolution explains the main weak points of the agreement: ...
[source: EDRI-gram, Number 5.14]
(2007-07-17) [Dr. Dobb] Microsoft has filed for a patent for an advertising system that would use just about anything on a computer's hard drive as a contextual trigger to deliver advertising.
Microsoft has filed for a patent for an "advertising services architecture" that would allow, for instance, your word processor to display ads to you based on the words that you were typing, or for your media player app to display ads to you based on what music it found on your hard drive. The application, filed July 5th, seems to indicate a system that would leave no stone unturned in its search for context data, and would operate at the operating system level to monitor potentially anything the user does, and any data the user interacts with, and would target ads to the user based on that data. (Excerpt from news story by Kevin Carlson)
[source: Windows/.NET]
(2007-07-17) [ComputerWorld] Google Inc. said it will soon start issuing user cookies that automatically expire after two years for users who don't return to the search site.
However, the cookies -- small bits of code stored on a computer -- of users who continue to click on Google for search during this time period will automatically renew, wrote Peter Fleischer, Google's privacy counsel in the official Google blog yesterday. "Regular Google users will have their cookies auto-renew, so that their preferences are not lost," Fleischer said. "And, as always, all users will still be able to control their cookies at any time via their browsers." He said the new cookie policy will start "in the coming months." (Excerpt from news story by Linda Rosencrance)
[source: Networking & Internet]
(2007-07-16) [Ars Technica LLC] Students who turn in research papers four months late are likely to be rewarded with a big fat zero; the Department of Justice, on the other hand, has to face the wrath of Sen. Patrick Leahy (D-VT), who chairs the Senate Judiciary Committee. Leahy was unhappy after the DoJ turned in a late report on the FBI's use of data mining, but he was unhappier still about the report's conclusions than its tardiness.
"This report raises more questions than it answers and demonstrates just how dramatically the Bush Administration has expanded the use of this technology, often in secret, to collect and sift through Americans' most sensitive personal information," Leahy said in a statement. "Unfortunately, the Congress and the American public know very little about these and other data mining programs, making them ripe for abuse." (Excerpt from news story by Nate Anderson)
[source: ars technica]
(2007-07-16) [ComputerWorld] The European Parliament's technology assessment task force has concluded in a study that the public is unaware of what it calls considerable threats posed by radio frequency identification technology to the security of their personal information.
The June survey, titled "RFID and Identity Management in Everyday Life," cited a number of high-profile RFID implementations in Europe as examples of the growing prevalence of the technology on the continent, and listed actual and potential problems with each. "Until recently, RFID was mainly used for logistical purposes to identify cargo," stated the report. "Now it has entered the public space on a massive scale: public transport cards, the biometric passport, micro-payment systems, office ID tokens, customer loyalty cards, etc." (Excerpt from news story by Marc L. Songini)
[source: Mobile & Wireless]
(2007-07-14) [EPIC] Recently, New York City Police officials announced the "Lower Manhattan Security Initiative," which would greatly enhance the surveillance of downtown streets. By the end of 2007, approximately 115 surveillance cameras will have begun monitoring traffic moving through parts of lower Manhattan. If the surveillance system, modeled after London's "ring of steel," becomes fully operational by the estimated year 2010, the number of cameras in the Manhattan area would expand to 3,000, and license plate scanners would be used to track drivers, and the program might use face recognition technology.
The city estimates the new surveillance system would cost $90 million, $15 million of which would come from Homeland Security grants and $10 million from NYC. The city also is seeking to charge drivers a fee for entering lower Manhattan; the fees would go toward the surveillance project. EPIC has repeatedly explained that camera surveillance systems do not deter crime; in fact, no studies have shown that camera surveillance systems significantly reduce crime, though several have been conducted by police departments in the U.S. and U.K.
[source: EPIC Alert, Volume 14.14]
(2007-07-14) [EPIC] A recent Government Accountability Office (GAO) report examined the Department of Homeland Security's utilization of data mining techniques to identify potential terrorist activities. The report found that while data mining can be effective, it also has limited capabilities for two reasons.
First, data mining cannot identify causal relationships, merely connections between variables. Second, although data mining reveals patterns, it does not show the significance of the pattern. The GAO report suggests that Congress may wish to consider data mining implementation and oversight issues in the future, because of the potential for mission creep, data inaccuracies, and privacy abuses.
[source: EPIC Alert, Volume 14.14]
(2007-07-14) [EPIC] The Government Accountability Office (GAO) released a report titled "Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown." The GAO found that, of the 24 breaches it studied from 2000-2005, only three included clear evidence that the breach resulted in fraud on existing accounts.
Based on this data, the GAO suggested that Congressional enactment of a risk-based federal notification system could avoid posing undue burden on organizations who may otherwise have to provide notification for breaches that pose little risk.
[source: EPIC Alert, Volume 14.14]
(2007-07-14) [EPIC] The Congressional Research Center (CRS) has published a new report entitled, "Fusion Centers: Issues and Options for Congress." The report offers insight on the deployment of over 40 law enforcement fusion centers throughout the nation. The goal of fusion centers is to bring together information from distributed sources for the purpose of risk assessment and "preventive action."
The CRS report states that officials justifying the development of fusion centers use a number of presumptions, and that the goals of the centers seem to be unfocused with wide-ranging explanations on what they are intended to accomplish. The report outlined threats to civil liberties and privacy posed by the deployment of fusion centers, because of the scope and volume of personally identifiable information that could be collected on entire populations within the jurisdiction of a fusion center. The report states that there are no federal laws that provide oversight for the work of fusion centers.
[source: EPIC Alert, Volume 14.14]
(2007-07-14) [EPIC] On July 9, EPIC joined five groups in filing a "friend of the court" brief in New Jersey v. Reid, an appeal to the state Supreme Court regarding an illegal subpoena to an Internet service provider demanding data on a subscriber. The lower court held that subscribers have a reasonable expectation of "informational privacy," defined as "the ability to control the acquisition or release of information about oneself."
In their brief, the groups explained, "This case raises far-reaching questions about the scope of privacy protection in the electronic environment," especially because subscriber information "can reveal substantially more about an individual than, for example, the phone numbers she dials." The groups urged the NJ Supreme Court to uphold the ruling: "Like the ability to engage in phone calls confidentially from one's home, so too is the right to make confidential electronic communications from one's home computer deserving of protection."
[source: EPIC Alert, Volume 14.14]
(2007-07-14) [EPIC] On July 9, FBI Director Robert S. Mueller III met with EPIC and several other privacy groups to discuss the FBI's new internal guidelines for the use of national security letters (NSLs). NSLs are an extraordinary search procedure by which the FBI can compel disclosure of data from telephone companies, financial institutions, Internet service providers and consumer credit agencies without judicial approval.
In March, the Department of Justice's Office of the Inspector General (OIG) issued a report detailing significant abuse of the FBI's NSL powers. On March 29, 2005, EPIC sent a Freedom of Information Act request seeking records on the FBI's use of its expanded Patriot Act powers. The documents obtained by this request describe 13 cases of possible FBI misconduct in intelligence investigations. In response to these reports, the FBI issued new internal guidelines to all of its agents in June on the "use, requirements, and reporting of National Security Letters."
[source: EPIC Alert, Volume 14.14]
(2007-07-14) [EPIC] This week EPIC joined nine other privacy and consumer groups in submitting comments to the Federal Communications Commission (FCC) calling for stronger safeguards for customers' telephone records. The Consumer Coalition recommended that the FCC establish comprehensive privacy rules that would require telephone companies to limit access to and retention of consumer call data, implement audit trails to track access to data, and curtail delays of law enforcement to customer notification in the event of a security breach.
Last month, in response to a 2005 EPIC petition, the FCC adopted new rules to strengthen the security of consumers' phone records and requested comments on additional security proposals. The new rules relate to the treatment of customer proprietary network information (CPNI), which includes time, date, duration and destination number of each call, type of network a consumer subscribes to, and any other data that appears on the consumer's telephone bill.
[source: EPIC Alert, Volume 14.14]
(2007-07-14) [EPIC] On June 28, the European Union and the United States reached agreements on two forms of data sharing - that of passenger travel records and that of consumers' financial data.
The first agreement concerns the transfer of passenger name record (PNR) information for travelers on all flights originating in the EU and landing in the US. A 2004 agreement on the same subject was declared invalid by the European Court of Justice in 2006. Although the Court's decision did not address the privacy issues of PNR data transfer, EU officials have expressed concern during agreement negotiations over the amount of data collected, the length of time for which the data is retained, and the lack of access and redress for EU citizens.
[source: EPIC Alert, Volume 14.14]
(2007-07-12) [CNet] Interpol's secretary general tells CNET News.com that his agency should be a central hub for tracking international travelers and compiling fingerprints from criminal suspects.
The head of Interpol believes terrorists and other criminals are traveling freely around the globe in ways that police agencies find difficult to track, but he says he knows how to cripple their movements. Interpol Secretary General Ronald Noble on Wednesday suggested two solutions: first, airlines should forward passenger data on international flights to Interpol; and second, nations that arrest foreign visitors should share those fingerprints with the international police agency as well. Noble, who is meeting on Thursday with American Airlines to discuss the proposal as a pilot project, said linking databases can help detect people flying on passports reported as lost or stolen. Ramzi Yousef, who was convicted of the 1993 World Trade Center bombing, entered the United States carrying a stolen Iraqi passport. (Excerpt from news story by Declan McCullagh)
[source: News.com]
(2007-07-12) [EFF] The Ninth Circuit recently held in US v. Forrester that the Fourth Amendment does not protect against government surveillance of the to/from addresses of one's email messages, the IP addresses of websites one has visited, and the total volume of information transmitted to or from one's ISP account.
This dangerous decision relies on a faulty analogy. The court accepted the argument that, because it is not a Fourth Amendment search for the government to capture dialed telephone numbers with "pen registers" and "trap and trace devices," the same is true for capturing email addresses (as opposed to subject lines in email headers) and IP addresses. But, as we've pointed out elsewhere, the latter can reveal far more intimate details about Internet activities. Unlike a phone number, an email address can communicate a message (e.g., "VoteBush@aol.com" or "repealPatriot@eff.org") and include constitutionally protected content.
[source: News]
(2007-07-12) [ComputerWorld] The FBI is using data mining programs to track everyone from potential terrorists to individuals who file fraudulent automobile insurance claims, according to a U.S. Department of Justice report filed with Congress this week.
The DOJ report, which is required under the Patriot Improvement and Reauthorization Act of 2005, details six pattern-based data mining initiatives currently under way or planned by the department and its components. "Each of these initiatives is extremely valuable for investigators, allowing them to analyze and process lawfully acquired information more effectively in order to detect potential criminal activity and focus resources appropriately," a DOJ spokesman said in an e-mailed statement. (Excerpt from news story by Jaikumar Vijayan)
[source: Business Intelligence]
(2007-07-12) [InfoWorld] Study reveals how hackers were able to monitor mobile phone calls of government officials in sophisticated spying operation
A highly sophisticated spying operation that tapped into the mobile phones of Greece's prime minister and other top government officials has highlighted weaknesses in telecommunications systems that still use decades-old computer code, according to a report by two computer scientists. The spying case, where the calls of around 100 people were secretly tapped, remains unsolved and is still being investigated. Also complicating the case is the questionable suicide in March 2005 of a top engineer at Vodafone Group in Greece in charge of network planning. (Excerpt from news story by Jeremy Kirk)
[source: News]
(2007-07-12) [International Herald Tribune] Almost every lesson on Internet safety warns against posting personal information such as phone numbers and school names. Researchers are now suggesting, though, that such advice, however well-intentioned, does not necessarily make children safer from predators and related threats.
In a recent study published in the Archives of Pediatrics and Adolescent Medicine, researchers found no evidence that sharing personal information increases the chances of online victimization, such as unwanted sexual solicitation and harassment. Rather, victimization is more likely to result from other online behavior, such as talking about sex with people met online and intentionally embarrassing someone else on the Internet.
[source: IHT.com]
(2007-07-11) [PinsentMasons] The Government and some of Britain's largest companies are guilty of "careless and inexcusable" data security lapses leading to serious breaches of privacy, the Information Commissioner has said.
In an impassioned attack on the failure of large organisations to take data protection seriously enough, the Commissioner, Richard Thomas, said that big business and government departments were not living up to their responsibilities. "Over the last year we have seen far too many careless and inexcusable breaches of people's personal information. The roll call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying," he said.
[source: Out-law.com]
(2007-07-11) [CNet] The United Kingdom's information commissioner is calling on chief executives to take the security of customer and staff information more seriously.
"The roll call of banks, retailers, government departments, public bodies and other organizations which have admitted serious security lapses is frankly horrifying," Richard Thomas wrote in a report. "How can laptops holding details of customer accounts be used away from the office without strong encryption? How can millions of store card transactions fall into the wrong hands?" The Information Commissioner's Office (ICO) received almost 24,000 inquiries and complaints concerning personal information, and it prosecuted 16 individuals and organizations in the past 12 months, according to its annual report for 2006 and 2007. (Excerpt from news story by Gemma Simpson)
[source: News.com]
(2007-07-10) [Datainspektionen] The world's largest database of biometric information is meant to solve the EU's asylum problems. In just a year or so, everyone applying for a visa to Sweden and twelve other EU countries will have their fingerprints registered. Fully built out, the database could hold a billion fingerprints. But how reliable is the system?
Also in this issue: Young people on privacy; Don't laugh at Ubicomp!; Urgent need for a new police data act; IP addresses are personal data; Bris may not handle criminal-offence data. You can download Magazin DIrekt 2/2007 (1.47 MB).
[source: Nyheter]
(2007-07-09) [New York Times] By the end of this year, police officials say, more than 100 cameras will have begun monitoring cars moving through Lower Manhattan, the beginning phase of a London-style surveillance system that would be the first in the United States.
The Lower Manhattan Security Initiative, as the plan is called, will resemble London's so-called Ring of Steel, an extensive web of cameras and roadblocks designed to detect, track and deter terrorists. British officials said images captured by the cameras helped track suspects after the London subway bombings in 2005 and the car bomb plots last month. If the program is fully financed, it will include not only license plate readers but also 3,000 public and private security cameras below Canal Street, as well as a center staffed by the police and private security officers, and movable roadblocks. "This area is very critical to the economic lifeblood of this nation," New York City's police commissioner, Raymond W. Kelly, said in an interview last week. "We want to make it less vulnerable." But critics question the plan's efficacy and cost, as well as the implications of having such heavy surveillance over such a broad swath of the city. (Excerpt from news story by Cara Buckley)
[source: Web News]
(2007-07-09) [CNet] By the end of this year, police officials say, more than 100 cameras will have begun monitoring cars moving through Lower Manhattan, the beginning phase of a London-style surveillance system that would be the first in the United States.
The Lower Manhattan Security Initiative, as the plan is called, will resemble London's so-called ring of steel, an extensive web of cameras and roadblocks designed to detect, track and deter terrorists. British officials said images captured by the cameras helped track suspects after the London subway bombings in 2005 and the car bomb plots last month. If the program is fully financed, it will include not only license plate readers but also 3,000 public and private security cameras below Canal Street, as well as a center staffed by the police and private security officers, and movable roadblocks. (Excerpt from news story by Cara Buckley)
[source: News.com]
(2007-07-06) [Security Document World] The Silicon Trust has called on Europe to take the lead in recommending interoperable solutions for registered traveller programmes (RTPs), following a workshop with EU representatives last week.
The workshop, which examined the progress of RTPs in Europe and looked at the technical developments taking place in Europe and beyond, featured input from Elfa Kere, DG Justice, Freedom and Security (DG JLS) at the European Commission (EC), as well as industry opinions from Gemalto, Giesecke & Devrient, IBM, Infineon Technologies, Precise Biometrics, Schiphol Group, Siemens and TeleTrust.
[source: News]
(2007-07-06) [PinsentMasons] The retention of search engine query data is a security matter and not one for Europe's data protection officials, according to Google's global privacy chief. Peter Fleischer said that its retention of user search data was "just not their field".
Speaking to weekly technology law podcast OUT-LAW Radio, Fleischer said that it is interesting to hear the views of the committee of Europe's privacy watchdogs the Article 29 Working Party, but that the matter is not up to them. "Remember the Data Retention Directive comes out of the security side of government, not the data protection side," said Fleischer. "So it's interesting to me to hear what an official from the data protection world thinks about data retention, but it's like asking somebody who works for the railroad what they think of airline regulation. It's just not their field." Google has been embroiled in controversy over the fact that it stores records of what users have searched for along with internet protocol addresses that could be used to identify the searcher.
[source: Out-law.com]
(2007-07-04) [Datatilsynet] Electronic ticketing has been put into use in several counties and is being introduced in others. The travel cards make it possible to track individuals to a greater extent than before. Datatilsynet has specific privacy requirements in these cases.
Datatilsynet has received several complaints from people who, unsolicited, were sent a travel card bearing their name and date of birth in the mail. The travel card is a remotely readable electronic ticket the size of a credit card. The card comes with an offer to set up a travel account, to which the holder transfers a specified sum of money to the card's "account" ahead of the journey. The card can be "topped up" at machines and via the Internet. Such systems exist in, among other places, Oppland, Hedmark, Rogaland and Troms, and are being built up in several other counties, such as Hordaland, Oslo and Akershus. In several of these counties it has been sent out to all residents over the age of 16.
[source: Nyhet]
(2007-07-04) [ComputerWorld] Last week, I discussed the doublethink and newspeak of "the Campaign to Protect America," an initiative launched by the Coalition Against Counterfeiting and Piracy as well as the shameful strong-arm bullying tactics of the Recording Industry Association of America.
My big concern about this coalition is that it isn't just about Big Entertainment trying to stop "piracy", it also includes the National Association of Manufacturers and Big Pharma on the pretext of addressing the problems of counterfeiting. As I suggested at the end of last week's rant, the CACP ploy could be very bad news for us all because its goal will be to extend the law into all sorts of areas where we really don't want it, and I threatened that this week I'd look at what it might be able to do. Here's the worst-case scenario: Consumer PCs would, by law, be directly monitored by ISPs to ensure compliance, and the legal consequences for any attempt to circumvent monitoring would make the punishment for murder look like a slap on the wrist. (Excerpt from news story by Mark Gibbs)
[source: Security]
(2007-07-03) [ComputerWorld] Critics of last week's agreement allowing European passengers' personal data to be shared with U.S. authorities have just under a month to reshape the accord before it comes into force, said Stavros Lambrinidis, vice president of the European Parliament's civil liberties committee Monday.
"There is a battle to make this agreement respectful of European citizens' civil liberties, and it's not over," he said in a telephone interview. The European Parliament has no direct say in the shaping of an agreement that will give U.S. customs, the Department of Homeland Security and other agencies including the Central Intelligence Agency free access to airlines' passenger databases to help them prevent potential terrorist attacks. (Excerpt from news story by Paul Meller)
[source: Security]
(2007-07-01) [Seeing Yellow] When you print on a color laser printer, it's likely that you are also printing a pattern of invisible yellow dots. These marks exist to allow the printer companies and governments to track and identify you -- presumably as a way to combat money counterfeiting. When one person asked his printer manufacturer about turning off the tracking dots, Secret Service agents showed up at his door several days later.
Upset? You should be! Let's stand up to silent tracking and government bullying and send a strong message to printer manufacturers. Our privacy and our control over our own technology is far too important to give up over trumped up fears of photocopied money.
[source: Web site]
(2007-07-01) [Social Science Research Network] A new paper by Daniel J. Solove can be downloaded.
Abstract: In this short essay, written for a symposium in the San Diego Law Review, Professor Daniel Solove examines the nothing to hide argument. When asked about government surveillance and data mining, many people respond by declaring: I've got nothing to hide. According to the nothing to hide argument, there is no threat to privacy unless the government uncovers unlawful activity, in which case a person has no legitimate justification to claim that it remain private. The nothing to hide argument and its variants are quite prevalent, and thus are worth addressing. In this essay, Solove critiques the nothing to hide argument and exposes its faulty underpinnings.
[source: Announcements]
(2007-07-30) "PIPA Conference: Private Sector Privacy in a Changing World" will take place on September 20-21, 2007 (Vancouver, Canada).
See calendar entry.
(2007-07-06) [The Register] The retention of search engine query data is a security matter and not one for Europe's data protection officials, according to Google's global privacy chief.
Peter Fleischer said that its retention of user search data was "just not their field". Speaking to weekly technology law podcast OUT-LAW Radio, Fleischer said it is interesting to hear the views of the committee of Europe's privacy watchdogs the Article 29 Working Party, but that the matter is not up to them.
[source: News]
(2007-07-06) [The Financial Times Ltd] Yahoo and Microsoft are preparing to announce concessions in their privacy policies in the next few weeks, as pressure mounts in Europe over the length of time internet search companies should be allowed to hold personal data.
The Article 29 Working Party, a group of national officials that advises the European Union on privacy policy, last month said it wanted to investigate how long companies such as Yahoo and Microsoft kept data on individuals who used their search engines. The working party has already been in discussions with Google over its policies for keeping data, and intends to widen scrutiny to the rest of the market. (Excerpt from news story by Maija Palmer)
[source: Financial Times]
(2007-07-06) [Washington Post] I've been playing around with Google Calendar, a beta service from the search-engine giant that lets users store -- and share -- calendar data online. It's a great Web-based tool, but in experimenting with it I found that far too many people are using Google Calendar without fully understanding how to protect their personal information.
Since security is what this blog is all about, I plugged "password" into a search of Google Calendar's public events, and within the first few pages of results found a username and password for a credit report account at TransUnion. The credentials belonged to Douglas Kerr, a network administrator for a software company in Charlotte, N.C. Kerr said he'd been experimenting with Google Calendar for a few weeks, but had no idea that he'd imported that record into the application. (Excerpt from news story by Brian Krebs)
[source: Blog]
(2007-07-05) [Independent] The chairman of the new Press Council of Ireland has urged the Government not to rush into drafting legislation to protect people's privacy.
Announcing the 13 independent members of the council yesterday, Prof Thomas Mitchell said privacy was already "quite well safeguarded" and that the new council would have an important role in protecting it. Although a new defamation law would assist the council in carrying out its work, it was his personal view that a "wait and see" approach might better serve the public. (Excerpt from news story by Paul Melia)
[source: Independent.ie]
(2007-07-05) [Chronicles of Dissent] The June GAO report, Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown [GAO-07-737] was released today. Looking through it, it is clear that they relied heavily on data and statistics provided by Attrition.org, the Privacy Rights Clearinghouse, the Identity Theft Resource Center, and reports obtained from NY and NC under FOIA by Chris Walsh.
Although it is encouraging that the government is actually using the data that these organizations and individuals have worked so hard to compile, some of the implications suggested by the GAO report are troubling from the perspective of a privacy advocate.
[source: Blog]
(2007-07-05) [Glenbrook Partners LLC.] The Government Accountability Office has published a new report titled "Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown".
Quotes: In recent years, many entities in the private, public, and government sectors have reported the loss or theft of sensitive personal information. These breaches have raised concerns in part because they can result in identity theft--either account fraud (such as misuse of credit card numbers) or unauthorized creation of new accounts (such as opening a credit card in someone else's name). Many states have enacted laws requiring entities that experience breaches to notify affected individuals, and Congress is considering legislation that would establish a national breach notification requirement. GAO was asked to examine (1) the incidence and circumstances of breaches of sensitive personal information; (2) the extent to which such breaches have resulted in identity theft; and (3) the potential benefits, costs, and challenges associated with breach notification requirements. To address these objectives, GAO reviewed available reports on data breaches, analyzed 24 large data breaches, and gathered information from federal and state government agencies, researchers, consumer advocates, and others.
[source: Payment News]
(2007-07-04) [EDRI] Italy is preparing its DNA database law, claiming that it needs harmonization with the situation in the other European states, but forgetting about the privacy concerns. According to Col. Luciano Garofano from RIS (Reparti Investigazioni Scientifiche), it will not be very long until the law allowing the archiving of DNA data is in place.
In Garofano's opinion, Italy is actually one of the last to have legislation in the domain, and the problem is that although Italy has signed the Prüm treaty to exchange data, it has no data to exchange.
[source: EDRI-gram, Number 5.13]
(2007-07-04) [EDRI] Yahoo and Google seem to have problems adapting their business to the tough requirements of the German law regarding content harmful to minors and the implementation of the data retention directive, respectively.
Yahoo has recently changed the way the content filter setting for its photo-sharing service Flickr works for German members so that they can't view photos labelled as "moderate" or "restricted" via the search function. This caused a lot of complaints from German users, who created special groups on the platform such as Against Censorship! They also started uploading anti-Flickr pictures to the Yahoo photo-sharing service and tagging them as "thinkflickrthink". In the end Flickr allowed the German users to turn SafeSearch off to allow photos flagged as 'moderate' and tried to explain the situation.
[source: EDRI-gram, Number 5.13]
(2007-07-04) [EDRI] A spokesman of the Federal Ministry of Transport, Innovation and Technology has confirmed that due to the flood of responses to the law proposal there is no way to have data retention ready before the deadline set by the directive.
The ministry received a total of 90 statements from various organisations. Most of them voiced severe concerns about the suggested implementation of data retention. The supporters were various bodies of the entertainment industry, demanding longer retention periods and a lower threshold. They demanded extending access to retained data for violations of copyright, by a law that is being implemented to help fight terrorism.
[source: EDRI-gram, Number 5.13]
(2007-07-04) [EDRI] A new framework has been agreed by the 30 members of OECD (Organisation for Economic Co-operation and Development) regarding the co-operation in the enforcement of privacy laws, updating a 27 year old statement (OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data).
The large volume of data being exchanged across borders and the changes in the character of these exchanges have increased the risks to privacy for individuals and have brought up the need for better co-operation between the authorities in charge of data protection.
[source: EDRI-gram, Number 5.13]
(2007-07-04) [EDRI] After a long and difficult period of negotiations, on 28-29 June 2007, final agreements were reached between EU and USA on the data regarding European financial transactions operated by Belgian consortium SWIFT and on the passenger name records (PNR) issue respectively.
Regarding the access to financial data from SWIFT, the US has committed to use any data received from SWIFT exclusively for counter-terrorism purposes, the data retention period being of 5 years.
[source: EDRI-gram, Number 5.13]
(2007-07-02) [Network World, Inc.] Once upon a time ISPs just transported packets of information from place to place without looking at them other than to find out where they should go. Of course that could not last. Now a company is selling ISPs a device designed to spy on customer traffic, track preferences and insert specially selected ads during Web surfing.
Start-up NebuAd seems to be trying to put all ISP-related, bad network-behavior into a single box. It is trying to sell a device that, according to its Web page, will "analyze and act on consumer behavior" in order to develop a "keen insight into a consumer's dynamic, Web-wide behavior." Basically, the device spies on traffic to try to determine the "demographics, geography, life style and interests" of individual customers (see the Web site for NebuAd's Fair Eagle division). The box then inserts ads into the data stream the customer is receiving back from a Web site. This is done without the knowledge or permission of the customer or the Web site owner. Predictably, just like the data brokers who sell your every secret to the lowest bidder, NebuAd tries to claim that this is in the best interest of the consumer. Also note that the company could be subpoenaed for any spying it might have done on traffic to or from your IP address. (Excerpt from news story by Scott Bradner)
[source: Network World]
(2007-07-02) [CMP] Visa plans to roll out new, highly customized incentive and reward programs based on more detailed consumer information, including data on purchases, buying habits, and retailer loyalty.
Having completed a multi-year upgrade and modernization of its payment processing systems, credit-card giant Visa plans to roll out new, highly customized incentive and reward programs based on more detailed consumer information, including data on purchases, buying habits, and retailer loyalty, company officials said during a tour of the company's central-United States data center. Crafted two years ago and known as "account-level processing," the plan will enable Visa's payment processing system to manage transactions in real time using the entire 16-digit credit card number, rather than the six-digit bank identification number (BIN) that has traditionally been used. It will allow consumers to carry their account numbers with them if they move up to pricier and more exclusive cards, and merchants to offer new services and benefits, such as loyalty programs, to customers, said senior VP Jim McCarthy, head of consumer products for Visa USA: "This allows us to take a specific action in real time based on consumer behavior at a specific merchant and a specific location." (Excerpt from news story by Richard Martin)
[source: InformationWeek]
(2007-07-02) [The London Free Press] In her latest annual report, Ontario Privacy Commissioner Ann Cavoukian says there is a need for a culture of privacy in Canada.
She says "organizations that fall under Ontario's three privacy acts must not only educate their staff about privacy legislation and the privacy information policies and practices implemented by their organizations, they must work towards ensuring that privacy become embedded into their institutional culture and that staff understand how serious a privacy breach can be." (Excerpt from news story by David Canton)
[source: News]
(2007-07-01) [msnbc] Some of the alleged conspirators involved in last week's thwarted car bombings in London and the attack on the Glasgow airport have been apprehended, and the reason is television.
True, it was merely good luck that the plot was uncovered in the first place. One perpetrator in London haplessly called attention to himself by clumsily crashing into parked cars and then abandoning his bomb-laden Mercedes. And at least one of the bombs was inexpertly constructed and would not explode as intended, providing London with another bit of good fortune. The Glasgow attackers failed as well. Had the plots succeeded, hundreds of innocent people would have been killed, burned and maimed, but fate intervened and a terrible tragedy was averted. (Excerpt from news story by Jack Jacobs)
[source: msnbc.com]
(2007-07-09) "Workshop on Privacy Enforcement and Accountability with Semantics" will take place on November 12, 2007 (Busan, Korea).
See calendar entry.