SAITS news - March 2007


REAL ID: Moving Beyond the 9/11 Staff Report

(2007-03-08) [Security Document World] The issue of identity -- verifying it and authenticating the documents used to prove it -- underlay all the 9/11 Commission recommendations on secure IDs and current identity security law. In fact, perhaps the single most effective measure the United States can accomplish to lay the necessary framework for sustainable national and economic security and public safety is to shore up identity document issuance.

Identity documents must be secure in their content, in their physical features, and in their issuance process. Without identity security at the base of our identity document issuance processes, our nation remains at risk. The reasons remain sound.

[source: News]

FBI abusing PATRIOT Act powers

(2007-03-23) [CIPPIC] The US Justice Dept Inspector General recently published a report indicating that the FBI has been engaged in far more secretive surveillance activities than previously thought, and that much of this activity involved improper use of "National Security Letters" to compel telephone companies, banks, and credit institutions to produce customer records.

The report found that the FBI had issued over 44,000 letters containing 143,000 data requests between 2003 and 2005, and that an estimated 3,000 of these letters were illegal or improper.

[source: News]

American Express Addresses RFID People Tracking Plans

(2007-03-09) [CASPIAN, Consumers Against Supermarket Privacy Invasion and Numbering] The top brass at American Express, chagrined at the discovery of its people tracking plans, met with CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) last week to discuss the issue. One outcome of the meeting was a promise by American Express to review its entire patent portfolio and ensure that any people-tracking plans be accompanied by language requiring consumer notice and consent.

The meeting was organized after CASPIAN called attention to one of the company's more troublesome patent applications. That patent application, titled "Method and System for Facilitating a Shopping Experience," describes a Minority Report style blueprint for monitoring consumers through RFID-enabled objects, like the American Express Blue Card.

[source: Spychips]

[Swedish] Datainspektionen's annual report 2006

(2007-03-06) [Datainspektionen] Datainspektionen's annual report for the past year is available.

Download digital version (pdf).

[source: News]

[Swedish] Protection of personal privacy

(2007-03-29) [Regeringskansliet] Summary: Integritetsskyddskommittén (the committee on privacy protection) has been tasked with examining how the privacy protection aspect has been handled and regulated in current legislation.

In many areas of law the committee finds shortcomings in how privacy protection has been safeguarded. These shortcomings are set out in detail in the report, in which the committee also analyses the causes. Above all, the committee points to a flawed methodology and structural shortcomings that lead to privacy protection aspects not being sufficiently considered at the stage when legislation is drafted. The various parts of the report are available for download.

[source: News]

Gathering Data from Trash

(2007-03-21) [MIT Technology Review] Sensitive information is accessible on discarded machines because we have no means of securely deleting it.

The U.S. Congress passed the Fair and Accurate Credit Transactions Act (FACT ACT) of 2003. [L]anguage was added to the FACT ACT to force organizations to destroy consumer reports on paper or magnetic media before that media is discarded. Unfortunately, passing the law wasn't enough. First, it has a big hole in it: the implementing regulations specifically exempt companies that collect and resell used equipment. By not making these companies directly responsible for the damage they do, the regulatory bodies basically threw away what could have been one of the most important opportunities for enforcement. (Excerpt from blog post by Simson Garfinkel)

[source: Blogs]

Privacy advocate prompts Colo. to end Web access to some public docs

(2007-03-30) [ComputerWorld] The Colorado Secretary of State's business division shut down online access to certain documents on its Web site after being notified by a privacy advocate that the site had been posting potentially thousands of documents with Social Security numbers since 2001.

Secretary of State Mike Coffman took the step to "prevent identity thieves from pulling personal identifying information from Uniform Commercial Code filings" posted on the site, according to a statement posted on the agency's site last night. (Excerpt from news story by Jaikumar Vijayan)

[source: Security]

Calif. official ends online access to public records with Social Security numbers

(2007-03-27) [ComputerWorld] Three years after it first made available certain documents containing Social Security numbers and other sensitive data on its Web site, the California secretary of state's office last week finally shut down online access to the records because of identity theft concerns.

In a statement, Secretary of State Debra Bowen said her office was also freezing bulk electronic sales of its Uniform Commercial Code (UCC) database until all but the last four digits of Social Security numbers were removed from documents. There are approximately 2 million UCC filings on record with the secretary of state's office; about a third contain Social Security numbers. (Excerpt from news story by Jaikumar Vijayan)

[source: Security]

Perspective: On the Net, they may find out you're a dog

(2007-03-14) [CNet] [A] film studio called Magnolia Pictures--owned by technology/media entrepreneur Mark Cuban--sought relief from a federal court in Dallas to force Google to identify certain people who are alleged to have anonymously placed copyrighted videos on YouTube.

Google very well may provide notice directly to the persons who posted the videos, so that if they want to protect their own anonymity, they can file motions to quash the subpoena. If such motions are not filed, Google then probably would comply with the subpoenas and provide the requested identities. If such motions are filed, then the court would be called upon to determine whether the anonymous posters should have their real-life identities unmasked. The key inquiry would be whether the posters' right to communicate and act anonymously on the Internet is outweighed by the damage they allegedly caused and the need to uncover who they are so that further damage would not be caused and prior damage can be redressed. (Excerpt from news story by Eric J. Sinrod)


Pending Privacy and Data Security Legislation in the 110th Congress

(2007-03-30) [Davis Wright Tremaine LLP] Could this be the year that Congress enacts comprehensive data security and breach notification legislation? As the seemingly endless stream of news stories announcing the latest breaches continues, Members of Congress consistently voice their support for uniform national laws.

Washington insiders and observers have expressed divergent predictions: some are optimistic while acknowledging the challenges of such legislation, while others are less so, often pointing to the fact that similar circumstances surrounded the proposed CAN-SPAM Act, which took four years to become law. (Excerpt from post by Anne Shelby)

[source: Privacy and Security Law Blog]

[Norwegian] Transfer of passenger data to the USA

(2007-03-30) [Datatilsynet] Air passengers must be informed before data is sent to the USA. The Article 29 Working Party has issued a statement on what that information should look like.

Travel agencies, airlines and others who serve air passengers must inform passengers about how passenger data is processed. The requirements follow from the EU Data Protection Directive, which underlies the data protection rules in the EU and EEA countries.

[source: News]

Mobile Phone Wiretapping Likely to Become Legal

(2007-03-29) [The Chosun Ilbo] The National Assembly is likely to pass a revision to the Protection of Communication Secrets Act that would permit wiretapping of mobile phones on April 2. Main opposition Grand National Party Rep. Joo Sung-young, the vice chairman of the National Assembly's Legislation and Judiciary Committee, said Wednesday, "We've finished consultations with the ruling Uri Party, the National Intelligence Service and the Justice Ministry. The bill will be deliberated in a plenary session of the Legislation and Judiciary Committee on Friday and pass the current extraordinary session."

The bill was tabled by GNP lawmakers Kim Jung-hoon and Chung Hyung-keun in 2005, when prosecutors were investigating illegal wiretapping by the NIS. After being shelved for some two years, it was revived by a subcommittee of the Legislation and Judiciary Committee on Tuesday. The revision would require investigation agencies to ask telecom providers for cooperation when they want to eavesdrop on mobile phone conversations. The telecoms must have wiretapping equipment fully or partially paid for by the state. Failure to comply with the request for cooperation will carry criminal charges. Investigation agencies will also be allowed to ask the service providers for GPS-guided information on the location of targets.


We can have 'win-win' on security vs. privacy, says Academy

(2007-03-29) [Policy Dialogue International] People think there has to be a choice between privacy and security; that increased security means more collection and processing of personal private information. However, in a challenging report to be published on Monday 26 March 2007, The Royal Academy of Engineering says that, with the right engineering solutions, we can have both increased privacy and more security. Engineers have a key role in achieving the right balance.

One of the issues that Dilemmas of Privacy and Surveillance - challenges of technological change looks at is how we can buy ordinary goods and services without having to prove who we are. For many electronic transactions, a name or identity is not needed; just assurance that we are old enough or that we have the money to pay. In short, authorisation, not identification should be all that is required. Services for travel and shopping can be designed to maintain privacy by allowing people to buy goods and use public transport anonymously. "It should be possible to sign up for a loyalty card without having to register it to a particular individual - consumers should be able to decide what information is collected about them," says Professor Nigel Gilbert, Chairman of the Academy working group that produced the report. "We have supermarkets collecting data on our shopping habits and also offering life insurance services. What will they be able to do in 20 years' time, knowing how many donuts we have bought?" Read Dilemmas of Privacy and Surveillance report (PDF, 830KB).

[source: eGov Monitor]

[Norwegian] Order Personvernrapporten 2007 (the Privacy Report 2007)!

(2007-03-28) [Datatilsynet] Personvernrapporten 2007 arrives in April! Would you like to have the report sent to you?

Datatilsynet sends Personvernrapporten to readers free of charge!

[source: News]

European Commission broke rules over passenger data, Parliament told

(2007-03-28) [PinsentMasons] The European Commission "clearly breached" its obligations when it agreed a passenger data sharing scheme with the US, the European Parliament has been told. The opinion was given just as negotiations on a new deal are begun.

It also emerged that the US does not believe that it needs a new data sharing deal in order to demand details on Europeans flying into the US. Passenger details, known as the passenger name record (PNR), are passed to US authorities by airlines in a deal brokered by the European Commission but long opposed by the European Parliament as a breach of European privacy and data protection rules.


TRUSTe and Ponemon Institute Announce Results of 2007 Most Trusted Companies for Privacy Study

(2007-03-28) [Compliance & Privacy] TRUSTe and the Ponemon Institute have announced the results of the 2007 Most Trusted Companies for Privacy Study, an annual evaluation of how consumers perceive organizations that collect and manage their personal information. The 2007 Most Trusted Companies for Privacy Study ranks companies and federal agencies industry-by-industry as well as providing a list of overall top performing companies.

Overall, the top three rated companies for privacy trust in 2007 are, in order, American Express, Charles Schwab, and IBM. In 2006 the top three companies were American Express, Amazon, and Procter & Gamble. Previous years' winners have included E-Loan, Hewlett-Packard, and eBay.

[source: News]

American Express most trusted company for privacy, study finds

(2007-03-28) [ComputerWorld] For the second straight year, American Express Co. is the top-rated company in the U.S. for privacy based on responses from more than 7,000 participants in an online survey conducted by Ponemon Institute LLC, an Elk Rapids, Mich. privacy think tank.

Following it are The Charles Schwab Corp. and IBM, both of which moved up a few notches from their rankings of 12 and 8, respectively, in the same survey last year. (Excerpt from news story by Jaikumar Vijayan)

[source: Security]

By addressing data privacy, companies avoid public scrutiny

(2007-03-28) [TechTarget] There is a huge misconception among information security professionals today that data privacy laws are not applicable to private companies, but are only designed for publicly traded companies, government organizations or financial institutions. This is not the case. Whether your company is public or private, large or small, today's information privacy regulations may affect you and your organization on many different levels, not just financially and legally.

Failing to integrate good security practices within a private organization can affect a company's bottom line, customer retention, business reputation and employee morale. In fact, there are dozens of privacy laws pertinent to all types of companies and more are on the way. These issues cover all facets of the information security landscape where governments and individuals are insisting on accountability from private corporations to control their data. (Excerpt from news story by Craig Norris and Tom Cadle)


Parliament to probe Government surveillance of citizens

(2007-03-28) [PinsentMasons] The UK Parliament has launched an enquiry into the surveillance conducted on citizens by the Government. It will investigate the growing number and scope of government databases holding increasing amounts of information on citizens.

The Home Affairs Committee will conduct the inquiry, called 'A Surveillance Society?', so that it can produce rules for Government to follow when building up increasing amounts of sensitive and private information on the general public.


New group created on domain name privacy

(2007-03-28) [The Sacramento Bee] A committee of the Internet's key oversight agency agreed Wednesday to form a new working group that would examine how to offer more privacy to small businesses and people with individual Web sites.

At a meeting of the agency's Generic Names Supporting Organization Council, members opted to focus initially on a proposal known as operational point of contact. (Excerpt from news story by Matt Moore)


EU proposes greater data sharing between police forces

(2007-03-28) [The Register] The German Presidency of the European Union wants police forces across Europe to be able to share data more freely and wants a single body to be in charge of overseeing the process.

The changes are contained in a framework decision proposed by the Presidency to the European Commission designed to outline the protections citizens can expect when their personal data is handled by police and judicial authorities. The agreement augments the Data Protection Directive 95/46/EC and deals with the so called "third pillar", which relates to law and order matters.

[source: News]

New draft of the Framework Decision on data protection

(2007-03-28) [EDRI] The Commission received these days also a totally new draft of the Framework Decision on data protection in police and judicial cooperation. The proposal was sent by Germany as the EU Council President and refers to data protection in the security sector.

The draft, made public by Statewatch, includes the establishment of an overriding regulatory authority for all the database systems for criminal prosecution, coordinated by the EU Council and is mainly aimed at ensuring the legal sharing of data between criminal prosecutors.

[source: EDRI-gram, Number 5.6]

Civil liberties threatened by the new centralized EU fingerprint database

(2007-03-28) [EDRI] A proposal for the creation of a centralized database of fingerprints from all 27 EU countries was included in a new European Commission document that sets out the goals for 2008.

The fingerprints database is to be operational by the end of 2008 and it will include sensitive information that could be shared with third parties, such as US law enforcement authorities.

[source: EDRI-gram, Number 5.6]

Google limits the search data retention period

(2007-03-28) [EDRI] After consultations with privacy groups in Europe and the US, Google has decided to reduce the retention time for data related to users and their searches to 18-24 months.

Google is presently storing search information together with IP (Internet Protocol) addresses, which can later be used to identify the person behind a search. "When you search on Google, we collect information about your search, such as the query itself, IP addresses and cookie details," said a Google blog post written by Peter Fleischer, the company's privacy lawyer in Europe, and its deputy general counsel Nicole Wong.

[source: EDRI-gram, Number 5.6]

Stakeholder group to advise on EU RFID strategy

(2007-03-28) [EDRI] The European Commission presented its new proposal for the radio frequency identification (RFID) tags strategy for Europe after one year of consultations. The strategy will be drafted in cooperation with a Stakeholder Group to be created and Article 29 Working Party.

An EU study had been initiated after a 6-month period of consultations that had shown concerns related to the use of RFID tags, especially regarding public awareness and fears that the system would affect privacy. The study advised on the necessity to assure the public that the tags would not turn into a large-range surveillance system and that people would have control over the information included in the tags.

[source: EDRI-gram, Number 5.6]

Podcast: Consumer Biometrics

(2007-03-27) [WAMU: The Kojo Nnamdi Show] It used to be the stuff of science fiction: the fingerprint or iris scan that checked your identity before you entered a top-secret vault. But these days, biometrics are seeping into our everyday lives, from school cafeterias to the supermarket checkout line. Tech Tuesday looks at the future of consumer biometrics.

Guests: Bill Rogers (Publisher, Biometric Digest), Arun Ross (Assistant Professor, Lane Department of Computer Science and Electrical Engineering, West Virginia University), Shannon Riordan (Vice President of Marketing, Pay By Touch), and Larry Ciaccia (President, Authentec). Listen to the podcast (length: 1:00:00).

[source: Tech Tuesday]

Transatlantic relations and data protection: a never-ending story?

(2007-03-27) [European Parliament] Over five years after the "9/11" attacks in New York, views still differ across the Atlantic on how best to fight terrorism without jeopardising human rights. Does the fight against terrorism really require transatlantic transfers of air passengers' personal data, or of the data required for international banking transactions? And if so, are these data adequately protected? asked MEPs and experts on Monday.

Politicians, experts and NGO representatives agreed on Monday that even years after these transfers to the US administration took place, it is still unclear whether such personal data were really indispensable for catching terrorists. Neither the Council nor the Commission, or even the US administration, have since offered any figures to demonstrate the effectiveness of processing billions of personal data on European citizens and others, MEPs complained.

[source: Notices]

Privacy Principles for Identification

(2007-03-27) [CDT] How to create and manage individual identity is becoming a central challenge of the digital age. As identity-related initiatives are implemented in both the public and private sectors, individuals are being asked to identify themselves in some way with increasing frequency.

Obviously, identity, privacy and security are intimately related, yet the relationship among the three is often not well understood. It is worthwhile, therefore, to develop technology-neutral principles expressing how identity can be created and managed in ways that enhance privacy and security, while also facilitating services and respecting the other needs for which identification is appropriate. Private sector developers of ID technology, government officials, and public interest groups could all benefit from a guiding set of privacy principles or best practices in this area. (Excerpt from news story by Alissa Cooper)

[source: Blog]

Leader: Data privacy - it's your problem

(2007-03-27) [CNet] A report out this week warns the increasing amount of personal information held by various organisations is impacting the privacy of UK citizens.

As individuals, we're handing over our personal details to more and more organisations - and it's something that many of us take for granted. But, as the people whose information is being used, we need to take more responsibility for our data - in terms of the details we give out and who we give them to. In many cases it's a fair trade-off, a little bit of information in return for - say - money off via a loyalty card.


EU proposal seeks greater data sharing between police forces

(2007-03-27) [PinsentMasons] The German Presidency of the European Union wants police forces across Europe to be able to share data more freely and wants a single body to be in charge of overseeing the process.

The changes are contained in a framework decision proposed by the Presidency to the European Commission designed to outline the protections citizens can expect when their personal data is handled by police and judicial authorities. The agreement augments the Data Protection Directive 95/46/EC and deals with the so called "third pillar", which relates to law and order matters.


Survey: E-health records don't have to threaten privacy

(2007-03-26) [Network World, Inc] Electronic health records can be recorded and shared without jeopardizing privacy, according to a Harris Interactive survey of 2,337 adults that was released Monday.

In the survey, 63% of respondents said that a move to electronic health records could be done without endangering their privacy, while 25% disagreed. In addition, 60% of those surveyed said that existing state and federal health privacy laws provide a "reasonable level" of privacy. (Excerpt from news story by Heather Havenstein)

[source: NetworkWorld]

Two in Five Retailers are still breaking email privacy laws

(2007-03-26) [The Retail Bulletin Limited] The latest study published by data specialists CDMS has revealed that 37% of Retailers are not complying with the EU Directive on Privacy and Electronic Communications, more than 3 years after it became law in the UK in December 2003. Moreover, compliance has decreased since 2005 where 33% of companies were non-compliant.

This Europe-wide legislation, which governs email communications with private individuals, demands that companies only send unsolicited sales messages via email to non-customers if they have actively opted-in to receiving them. In practice, this means that whenever someone's details are recorded - for instance as part of a money-off promotion or a competition - they must be asked whether they want to receive subsequent sales marketing e-messages from that company or any other third party. The legislation makes it crystal clear that simply offering someone the opportunity to opt-out of receiving unsolicited emails (or indeed pre-ticking an opt-in box) does not comply with the Directive.

[source: RetailBulletin]

Hi-tech 'threat' to private life

(2007-03-26) [BBC] Bombs triggered by the presence of people with specific biometric traits may soon be feasible, warns a report.

Written by the Royal Academy of Engineering, the report looks at how technology is eroding personal privacy. It shows how abuse of technology can expose people to harm by, for instance, terrorists crafting bombs that use the biometric data stored on passports to target specific nationalities.

[source: News]

Surveillance culture erodes personal privacy

(2007-03-26) [CNet] The increasing amount of personal information held by various organisations is impacting the privacy of UK citizens, according to a report from the Royal Academy of Engineering.

This is due to rapidly increasing CCTV coverage and collection and retention of personal data, the report said. The Dilemmas of Privacy and Surveillance report acknowledges the benefits of these technologies but also raises issues - such as privacy and misuse of data - that need to be considered. (Excerpt from news story by Tim Ferguson)


Senate Fails to Establish Independence for Privacy Oversight Board

(2007-03-22) [EPIC] Bill S.4, Improving America's Security Act of 2007, passed by the Senate last week, purports to implement unfinished recommendations of the 9/11 Commission. However, the bill fails to establish independence for the Privacy and Civil Liberties Oversight Board, which is currently within the Executive Office of the President.

EPIC recommended stronger oversight mechanisms for the Board, consistent with the recommendations of the 9-11 Commission Report, in its testimony before the 9/11 Commission. The House has introduced the Implementing the 9/11 Commission Recommendations Act of 2007, H.R.1, that would make the Privacy Board into an independent agency, require Senate confirmation of all members, and establish subpoena authority and reporting requirements.

[source: EPIC Alert, Volume 14.06]

European Commission Report Discusses Public Knowledge of RFID Use

(2007-03-22) [EPIC] A new report from the European Commission reviewed a poll of 2,190 respondents from European Union member-states concerning the use of radio frequency identification technology. "Overall, 60% of respondents feel that there is insufficient information available to make an informed analysis of RFID technologies," the report said.

The report also looked at privacy questions, and found that "privacy is seen as being more than just the security of the devices or the protection of the personal data per se (integrity, illegal access, etc.). It extends to the use of personal data in networks; its storage, collection and how it is linked to different sources," (emphasis in original).

[source: EPIC Alert, Volume 14.06]

DHS Privacy Office Assesses Proposed REAL ID Regulations

(2007-03-22) [EPIC] The Department of Homeland Security Privacy Office has released its Privacy Impact Assessment of the proposed regulations to implement the REAL ID Act, which mandates federal requirements for state driver's licenses and requires state DMVs to verify identification documents, such as birth certificates.

The Assessment "examines the manner and method by which the personal information of American drivers and ID holders will be collected, used, disseminated, and maintained pursuant to the proposed [regulations]." Notably, the proposed regulations do not mandate encryption technology to protect the privacy and security of personal data, even though the Privacy Office recommends such technology in its assessment.

[source: EPIC Alert, Volume 14.06]

Google Announces Data Retention Policy

(2007-03-22) [EPIC] Google Inc. announced its new data retention policy last week. Google stated that it will partly obscure the IP address associated with its users' searches after somewhere between 18 and 24 months, "unless legally required to retain the data for longer."

Previously, said Google, "we kept this data for as long as it was useful." The information on specific searches will remain indefinitely but it will be harder to tie searches to specific individuals or computers. The 18-24 month retention period represents the maximum period of data retention currently adopted in the EU Directive on Mandatory Retention of Communications Traffic Data.

[source: EPIC Alert, Volume 14.06]

ICANN Committee Endorses Privacy Safeguards for WHOIS Data

(2007-03-22) [EPIC] On March 12, 2007, the Internet Corporation for Assigned Names and Numbers (ICANN)'s WHOIS task force issued its Final Report on WHOIS Services. The task force considered two different approaches to limiting the public availability of WHOIS data, and endorsed the Operational Point of Contact (OPoC) proposal, which would remove registrants' mailing addresses, phone and fax numbers and email addresses from the Whois database, and replace this information with an "operational point of contact" who would contact the registrant in the case of an issue with the domain name.

EPIC submitted comments to ICANN supporting the Operational Point of Contact proposal to limit access to registrants' information. EPIC stressed that current WHOIS policies requiring the publication of personal information conflict with national privacy laws, and reach beyond the original technical purpose of WHOIS, putting individual registrants at risk of spamming, phishing, and identity theft. However, EPIC also stated that while the OPoC proposal does provide more privacy safeguards than currently exist, it does not go far enough. According to EPIC, registrants' names and/or countries should be removed from public access, because anonymous registration of domain names may be critical for political, artistic and religious expression.

[source: EPIC Alert, Volume 14.06]

Son of TIA Will Mine Asian Data

(2007-03-22) [Wired] Nearly four years after Congress pulled the plug on what critics assailed as an Orwellian scheme to spy on private citizens, Singapore is set to launch an even more ambitious incarnation of the Pentagon's controversial Total Information Awareness program -- an effort to collect and mine data across all government agencies in the hopes of pinpointing threats to national security.

The Singapore prototype of the system -- dubbed Risk Assessment and Horizon Scanning, or RAHS -- was rolled out early this week at a conference in the Southeast Asia city-state. Retired U.S. Adm. John Poindexter, the architect of the original Pentagon program, traveled to Singapore to deliver a speech at the unveiling, while backers have already begun quietly touting the system to U.S. intelligence officials. (Excerpt from news story by Sharon Weinberger)

[source: Technology]

DHS must assess privacy risk before using data mining tool, GAO says

(2007-03-22) [ComputerWorld] A tool being developed by the U.S. Department of Homeland Security (DHS) to help it sift through large volumes of data in the search for terrorist threats poses several privacy concerns, the Government Accountability Office (GAO) warned in a report released yesterday. The agency also called on the DHS to conduct a privacy impact assessment of the tool immediately to help ameliorate those risks.

The tool, called ADVISE, for Analysis, Dissemination, Visualization, Insight and Semantic Enhancement, is designed to cull very large databases and search for patterns, such as relationships between individuals and organizations, to ferret out suspicious people or activity. ADVISE is currently under development by the DHS. (Excerpt from news story by Jaikumar Vijayan)

[source: Business Intelligence]

RFID chips will force changes to Privacy and Electronic Communications Directive

(2007-03-20) [PinsentMasons] The European Commission will make changes to the Privacy and Electronic Communications Directive to take account of the exploding market in radio frequency identification (RFID) chips, it has said. Amendments will be proposed by the middle of this year.

The Commission has published a Communication, intended as "a step towards a policy framework," for dealing with RFID chips, whose usefulness is seen by some to be at odds with privacy and data protection.


New Report: "Digital Security and Privacy for Human Rights Defenders"

(2007-03-20) [Front Line] The report "Digital Security and Privacy for Human Rights Defenders" has been published.

Download the report.

[source: News]

New report: "Ethical Implications of Emerging Technologies: A Survey"

(2007-03-20) [UNESCO] The report "Ethical Implications of Emerging Technologies: A Survey" is available.

Download the report.

[source: Information for All Programme]

[Norwegian] Protect the public mail journal against search-engine hits

(2007-03-16) [Datatilsynet] Public bodies are increasingly making mail journals and case documents available on the Internet. Not all of them protect the personal data in the documents against direct searches through search engines.

Protection means that one first has to click through to the relevant administrative area and then search from there. Many of the cases handled in the public sector concern individuals. Case information about a private person can therefore easily turn up when someone searches the Internet, perhaps with entirely different search criteria and entirely different aims for the search. If one searches the Internet for, say, concerts in Kongsvinger, one may also get cases concerning applications by the musicians' namesakes for a kindergarten place, leave from school, a new fence, a reduced waste-collection fee or the like.

[source: Nyhet]

Google to Adopt New Privacy Measures

(2007-03-16) [Wired] Google Inc. is adopting new privacy measures to make it more difficult to connect online search requests with the people making them - a thorny issue that provoked a showdown with the U.S. government last year.

Under revisions announced late Wednesday, Google promised to wrap a cloak of anonymity around the vast amounts of information that the Mountain View-based company regularly collects about its millions of users around the world. (Excerpt from news story by Michael Liedtke)

[source: News]

Google's New Plan to "Anonymize" Search Logs: A Good First Step, But More Is Needed

(2007-03-15) [EFF] After years of criticism from EFF and other privacy advocates, Google announced yesterday a new policy on how it handles logs of its users' searches: after 18-24 months, it will delete key information in its server logs that could be used to link particular users to records of their search queries.

This is a big change from Google's previous policy, which was essentially to keep all of those logs forever in identifiable form, and we're certainly glad to see that Google is starting to limit its retention of such sensitive data. Your Google search history can paint an intimate portrait of your most private interests and concerns. Particularly in light of the disastrous AOL search terms disclosure, recent scandals involving government surveillance, and Google's own recent court fight with the government over a subpoena for search records, it seems that Google has finally realized that limiting the retention of such records is essential to protecting your privacy.

[source: News]

Google To Anonymize Data -- Updated

(2007-03-14) [Wired] Google is reversing a long-standing policy to retain all the data on its users indefinitely, and by the end of the year will begin removing identifying data from its search logs after 18 months to two years, depending on the country the servers are located in.

Currently, Google indefinitely retains detailed server logs on its search engine users, including users' IP addresses -- which can identify a user's computer, the query, any result that is clicked on, their browser and operating system, among other details. Even if a user never signs up for a Google account, those searches are all tied together through a cookie placed on the user's computer, which currently expires in 2038. (Excerpt from blog post by Ryan Singel)

[source: Blogs]

How to surf anonymously without a trace

(2007-03-12) [ComputerWorld] The punchline to an old cartoon is "On the Internet, nobody knows you're a dog," but these days, that's no longer true.

It's easier than ever for the government, Web sites and private businesses to track exactly what you do online, know where you've visited, and build up comprehensive profiles about your likes, dislikes and private habits. (Excerpt from news story by Preston Gralla)

[source: Networking & Internet]

The Smart Card Alliance Thinks Privacy Is Bunk

(2007-03-12) [The Technology Liberation Front] A spokesman for the Smart Card Alliance says: Privacy concerns are all perception and hype and no substance but carry considerable weight with state legislators because no one wants to be accused of being soft on privacy.

That's Randy Vanderhoof, the Smart Card Alliance's executive director, quoted in a Federal Computer Week article on the collapsing REAL ID Act/national ID plan. He was speaking of Congressman Tom Allen's (D-ME) bill to restore the 9/11 Commission-inspired ID provisions of the Intelligence Reform and Terrorism Prevention Act of 2004. (Posted by Jim Harper)

[source: Blog]

REAL ID: Moving Beyond the 9/11 Staff Report

(2007-03-08) [Security Document World] The issue of identity -- verifying it and authenticating the documents used to prove it -- underlay all the 9/11 Commission recommendations on secure IDs and current identity security law. In fact, perhaps the single most effective measure the United States can accomplish to lay the necessary framework for sustainable national and economic security and public safety is to shore up identity document issuance.

Identity documents must be secure in their content, in their physical features, and in their issuance process. Without identity security at the base of our identity document issuance processes, our nation remains at risk. The reasons remain sound. This paper sets out the policy backdrop for the legislation that creates minimum standards for state-issuance of identity documents known as REAL ID, the Act's content, and what is at risk if it fails.

[source: News]

Biometric passport: security in question

(2007-03-26) [ComputerWorld] Singapore's biometric passport could be compromised as it follows the same International Civil Aviation Organization (ICAO)-recommended standard for machine-readable passports as the UK, which recently reported a security breach.

Glaring weaknesses in the UK's biometric passport system were uncovered and reported early March by the Daily Mail newspaper, in an experiment with the help of Adam Laurie, an independent computer security consultant who specialises in RFID (radio frequency identification) and Bluetooth technology. (Excerpt from news story by Irene Tham and Jeremy Kirk)

[source: CW Singapore]

Human implant RFID gets owned

(2007-03-25) [InfoWorld] Radio frequency identification tags have taken another hit from the security community and Adam Laurie -- an independent security researcher based in the U.K. -- can claim another first.

After setting off a torrent of worldwide media coverage by hacking the U.K.'s new RFID-enabled passports in a project sponsored by and first detailed by the Daily Mail newspaper earlier this month, Laurie used his presentation at the ongoing ShmooCon confab to show off techniques for hacking other RFID tags -- including one implanted inside a live human being. (Excerpt from blog post by Matt Hines)

[source: Blogs]

No fingerprint, no car? No deal, she said

(2007-03-25) [Daily Breeze] Lorna Herf thought she had found the new car she was looking for. Her credit checked out. A deal had been struck. And then she hit a snag: Management at South Bay BMW in Torrance wouldn't sell her the $40,000 car until she did one last thing: 'Well, just give us your thumbprint, and we'll finish the deal.'

She had better get used to it. Although still not common, asking to provide the added proof of identification is being used more and more often. Buying a house? Get ready to roll up your sleeves. Applying for a loan? Bring out the ink pad. "You see that banks do it more and more often," said Frank Scafidi, a spokesman with the National Insurance Crime Bureau. "It's a statement on how society has evolved. Wise people won't take people at face value as much as they would like to." In Herf's case, the dealer earlier this month explained that the information was to protect her as well as them. With the print in their files, nobody else can usurp her identity to steal a car. (Excerpt from news story by Josh Grossberg)

[source: News]

FTC, FDIC, SEC, CFTC, NCUA, OTS, Federal Reserve and Comptroller Seek Comment on Model Gramm-Leach-Bliley Privacy Notice

(2007-03-25) [Davis Wright Tremaine LLP] Eight federal regulatory bodies have come together to jointly initiate a new rulemaking that seeks comment on proposed rules that would adopt a model privacy form for financial institutions to use as the notice that the Gramm-Leach-Bliley Act (GLBA) requires them to provide new customers and to existing customers on an annual basis.

The GLBA requires the notice to set forth the institution's information sharing practices and the consumer's right to opt out of certain types of such information sharing. The notice of proposed rulemaking (NPR) is the first step in implementing Section 728 of the Financial Services Regulatory Relief Act of 2006, which amended the GLBA to require the agencies to adopt a privacy notice form that is succinct and comprehensible to consumers, allows them to compare easily the privacy practices of financial institutions, and can be easily read. (Excerpt from blog post by Ronald London)

[source: Privacy and Security Law Blog]

New Credit Cards Leak Personal Info

(2007-03-23) [PC World Communications, Inc.] You may be carrying a new type of credit card that can transmit your personal information to anyone who gets close to you with a scanner.

The new cards--millions of them have been issued over the past year--use RFID, or Radio Frequency Identification, technology. RFID allows scanners to use radio signals at varying distances to read information stored on a computer chip, a chip that is embedded in the card. (Excerpt from news story by Erik Larkin)

[source: PC World]

Patient's candid camera sends shockwaves through hospitals

(2007-03-23) [Boston Herald and Herald Media] A nurse's discovery of a Webcam hooked up by parents in their child's Boston hospital room has stunned the patient's doctor, raised a mound of privacy issues and potentially left medical staff looking over their shoulders.

Dr. Samuel Blackman, a pediatric oncologist at Dana-Farber Cancer Institute, would not speak for the record when contacted by the Herald about the incident at Children's Hospital. But in an entry on his blog titled "Hemorrhage! You're On Candid Camera," Blackman strongly questioned the use of the camera in the child's room, asking, "Should parents have the right to a hospital version of a NannyCam?" (Excerpt from news story by Jessica Fargen)


My National Security Letter Gag Order

(2007-03-23) [The Washington Post] The Justice Department's inspector general revealed on March 9 that the FBI has been systematically abusing one of the most controversial provisions of the USA Patriot Act: the expanded power to issue "national security letters."

It no doubt surprised most Americans to learn that between 2003 and 2005 the FBI issued more than 140,000 specific demands under this provision -- demands issued without a showing of probable cause or prior judicial approval -- to obtain potentially sensitive information about U.S. citizens and residents. It did not, however, come as any surprise to me.


Ireland pounces on school fingerprinters

(2007-03-23) [The Register] The Irish Information Commissioner's Office has come down on the notion of school fingerprinting and taken early action to prevent the technology being deployed arbitrarily.

It has told the first handful of Irish schools known to be establishing biometric systems that they ought to have a good reason for doing so and has said it will use its powers to order schools to rip out systems it considers excessive. (Excerpt from news story by Mark Ballard)

[source: News]

California Selling Social Security Numbers

(2007-03-22) [Sacramento Television Stations Inc.] Today, a Sacramento lawmaker showed how you could go to the Secretary of State's web page where, until today, the state was selling your personal information for only $6 -- the cost of lunch.

"I was really surprised to see this and really stunned to see the names of people I knew in the community, businesses large and small and see their social security numbers, signatures and their addresses," said State Assemblyman Dave Jones. In fact, Jones' staff got 14 people's records from the Secretary of State's website for less than $90. (Excerpt from news story by Charlotte Fadipe)


To fight ID theft, a call for banks to disclose all incidents

(2007-03-21) [CNet] There is little consensus on whether financial institutions and law enforcement agencies are making headway in combating identity theft. But Congress is nonetheless taking aim at the crime as a major consumer protection problem.

The Senate Judiciary Committee's subcommittee on terrorism, technology and homeland security will take up the issue in a scheduled hearing Wednesday titled "Identity Theft: Innovative Solutions for an Evolving Problem." (Excerpt from news story by Brad Stone)


Biometrics: What and How

(2007-03-19) [Help Net Security] Humans use body characteristics to recognize each other. Some characteristics don't change over time and some do. What characteristics do we use for identifying people? Are they accurate? Can we depend on them in our daily life?

A biometric system is a pattern recognition system; it operates by acquiring biometric data from a person, extracting a feature set from the acquired data and comparing this feature against the templates in the database. (Excerpt from news story by Moustafa Kamal El-Hadidi)

[source: News]

Public Pitfalls Of Privacy Policies

(2007-03-19) [CMP] What does a privacy policy mean for your organization in legal terms? Think of it as a legally enforceable promise that you make to your customers--one you shouldn't break lightly.

Not too many years ago, it was an open question whether your Internet site required a privacy policy. Now, you'd be hard-pressed to find a site without one. Your customers and clients simply demand it. Although users who actually read a privacy policy may be few and far between, you'll quickly hear from them should you fail to provide one. So, what does a privacy policy mean for your organization in legal terms? In particular, in the midst of record numbers of personal data breaches, how does your privacy policy fit into the legal fallout following a breach? (Excerpt from news story by Patrick Mueller)

[source: Network Computing]

Government puts smart card bills on hold

(2007-03-15) [FairfaxDigital] The government is heading back to the drawing board after a senate committee found its proposed new smart card was likely to become an identity card.

The access card was intended to replace the Medicare card and other benefits cards, streamlining access to a wide range of government health and welfare services. The government had explicitly ruled out its use as a national ID card amid widespread concerns that was what it would become.


EC chucks RFID regs back to industry

(2007-03-15) [The Register] CeBIT -- The European Commission effectively handed regulation of RFID to the RFID industry today when it announced the results of last year's consultation on the technology.

Commissioner for information society and media Viviane Reding said: "Today I'm going to tell you no regulation." After announcing a consultation on the implications of RFID a year ago, Reding and her team have concluded the best thing to do is hand regulation over to the stakeholders. An RFID Stakeholder Group will provide advice and assistance to the commission in developing Europe's RFID policy. The group will work with the Article 29 Data Protection Working Party. (Excerpt from news story by Joe Fay)

[source: News]

Politicians press for antispyware law yet again

(2007-03-15) [CNet] Members of the U.S. House of Representatives vowed Thursday not to let a bill aimed at curbing spyware die for a third time.

Leaders of a House Energy and Commerce subcommittee focused on consumer protection issues said they were mystified that earlier versions of the so-called Spy Act overwhelmingly passed the House in 2004 and in 2005 but were ignored by the Senate. Politicians from both parties said they hoped the third time would be the charm. (Excerpt from news story by Anne Broache)


Google has data-retention change of heart

(2007-03-15) [CNet] Google is changing its data retention practices to make it harder to identify the specific computers used in searches.

Google's servers log information every time someone conducts a web search, keeping data such as the keywords used, the IP address or unique number assigned to that person's computer, and information from web cookies, which are small bits of data exchanged between a server and a web browser each time the browser accesses the server. Cookies are used to authenticate the user and maintain information such as the user's site preferences. (Excerpt from news story by Elinor Mills)


Online fraud up but card fraud down

(2007-03-15) [CNet] Card fraud losses fell in 2006 but online card-related fraud once again increased as fraudsters continued to target online transactions.

Total losses through card fraud fell by three per cent in 2006 - from £439.4m in 2005 to £428m - according to the UK payments industry body Apacs. An Apacs spokeswoman said this fall is mainly due to the introduction of chip and PIN payment tech in the UK. Card fraud losses at UK retailers fell by 47 per cent -- meaning a fall of £146.7m in just two years. (Excerpt from news story by Tim Ferguson)


Anti-Spyware Coalition Finalizes Best Practices

(2007-03-15) [Center for Democracy and Technology] The Anti-Spyware Coalition (ASC) today finalized its landmark "best practices" for the anti-spyware community. The document provides a critical tool to consumers and software developers -- illustrating the process by which software can be identified as "unwanted."

ASC published a draft version of the best practices document for comment at the end of January. The version issued today reflects numerous refinements made after the comment period ended on Feb. 26. ASC also today released the finalized version of its Conflict Identification and Resolution Process, which establishes a routine methodology for resolving software conflicts between anti-spyware tools. CDT coordinates ASC activities.

[source: News]

Chertoff: Security and privacy not at odds

(2007-03-15) [ComputerWorld] The head of the Department of Homeland Security on Thursday downplayed privacy concerns raised by the government's efforts to create standardized, data-chipped drivers licenses across the country.

The same technology that makes information on identification cards more reliable can also protect privacy, DHS Secretary Michael Chertoff said during a speech to the Northern Virginia Technology Council. "It's my contention that properly used technology ... actually protects privacy," he said. "We should not allow folks to be captivated by the argument that every time we do something with a computer, it invades privacy." (Excerpt from news story by Grant Gross)

[source: Security]

RFID: "Et tu, Brute?" -- Killing Some RFID "Truths"

(2007-03-15) [AIM, Inc.] Since this issue comes out on the Ides of March, the date on which Julius Caesar was reportedly murdered in the Forum by the Senators of Rome "for the good of Rome," it seems appropriate to try to "kill" some widely held "truths" about RFID.

Since "RFID Connections" tends to explain the benefits of RFID, this may be seen as "traitorous" -- but it needs to be done "for the good of the industry." Because telling the truth about RFID is the true purpose of this e-newsletter. (Excerpt from news story by Bert Moore)

[source: Aim Global]

Congress urged to adopt privacy laws

(2007-03-15) [VNU Business Publications Ltd.] A US pressure group has made a direct appeal to the US Congress to adopt new privacy laws to tackle spyware.

The Center for Democracy and Technology (CDT) claimed that a failure to adopt privacy laws will mean constant legal changes to keep up with spyware creators. "We remain firmly committed to the idea that a long-term solution to spyware and other similar issues requires baseline privacy legislation," Ari Schwartz, deputy director of the CDT and coordinator of the Anti-Spyware Coalition, said during a consultation over the proposed HR 964 Spy Act. (Excerpt from news story by Matt Chapman)

[source: WhatPC]

Your ISP may be selling your web clicks

(2007-03-15) [Ars Technica LLC] David Cancel, the CTO of the web market research firm Compete Incorporated, raised eyebrows at the Open Data 2007 Conference in New York when he revealed that many Internet service providers sell the clickstream data of their users. Clickstream data includes every web site visited by each user and in which order they were clicked.

The data is not sold with accompanying user name or information, but merely as a numerical user value. However, it is still theoretically possible to tie this information to a specific ISP account. Cancel told Ars that his company licenses the data from ISPs for millions of dollars. He did not give a specific figure about what this broke down to in terms of dollars per ISP user, although someone in the audience estimated that it was in the range of 40¢ per user per month -- this estimate was erroneously attributed to Cancel himself in some reports on the event. Cancel said that this clickstream data is "much more comprehensive" than data that is normally gleaned through analyzing search queries. (Excerpt from news story by Jeremy Reimer)

[source: ars technica]

Breaches of personal data: blaming the myth and punishing the victim

(2007-03-14) [Ars Technica LLC] A study that will appear in the Journal of Computer-Mediated Communication later this year analyzes failures to secure computerized personal records. One of its authors, Phil Howard, was kind enough to provide Ars with a draft copy of the paper. The analysis suggests that both the public understanding of these leaks and the legislative response to them are focusing on the wrong targets.

The study used press reports to identify incidents in part because there is no centralized reporting mechanism, and in part because many of the incidents have not resulted in prosecutions. The authors did require independent verification of incidents, and used the lowest figure for the number of records compromised when reports did not agree. Even by these conservative standards, the results were enormous: over 1.9 billion records exposed, or an average of 9 records for every American citizen. (Excerpt from news story by John Timmer)

[source: ars technica]

Details on card held forever

(2007-03-15) [News Limited] The Federal Government has admitted transaction logs for the $1.1 billion welfare smart card will be kept indefinitely, prompting new concerns about tracking and surveillance abuse.

The Human Services department has told the Democrats logs would be retained for "audit and security" purposes. A Senate committee will today table its report into the welfare card, which the Government wants used by 17 million Australians by 2010. (Excerpt from news story by Kim Wheatley)

[source: Adelaide Now]

UNESCO states position on ethical issues in the information society

(2007-03-14) [Heise Zeitschriften Verlag] UNESCO has published a brochure entitled "Ethical Implications of Emerging Technologies" dealing with the consequences of the use of RFID chips, biometric identification systems, and location-based services (LBSs).

Written by lawyers from the US, the brochure was published as part of the "NGO Geneva Net Dialogue" in which non-governmental organizations stated their case after the UN World Summit on Information Freedom and the Internet Governance Forum. The results of the dialogue are to be included in the WSIS Action Line C10 "Ethical dimensions of the Information Society."

[source: HeiseOnline]

Diabetics have got RFID under their skin

(2007-03-14) [CNet] While the privacy debate around RFID chips still rages, 18 diabetics in the US have voluntarily signed up to have the tags put under their skin.

The 18 were implanted with the chips by RFID company VeriChip at the Atlanta Diabetes Expo. The diabetics will now be added to the database for VeriChip's patient identification system. Should chipped patients turn up at hospital unconscious or unable to communicate, the RFID tags they carry inside their bodies can be scanned using an RFID reader and their details called up from a database. (Excerpt from news story by Jo Best)


Photocopiers: The newest ID theft threat

(2007-03-14) [ComputerWorld] Photocopiers are the newest threat to identity theft, a copier maker said today, because newer models equipped with hard drives record what's been duplicated. At tax time, when Americans photocopy tax returns, confidential information may be easily available to criminals.

"Consumers and business owners will photocopy highly confidential tax forms containing Social Security numbers, employer identification numbers and other sensitive information in places outside the home, leaving them vulnerable to digital theft," Ed McLaughlin, president of Sharp Document Solutions Company of America, said in a statement. (Excerpt from news story by Gregg Keizer)

[source: Security]

Bos investigates bank info to US

(2007-03-14) [Expatica Communications BV] Finance Minister Wouter Bos is surprised at reports that the US intelligence services have access to data on Dutch bank account holders. "This is news to us and a reason for concern for myself and my colleagues," the minister said.

Bos announced that an investigation would be launched. He and Justice Minister Ernst Hirsch Ballin want to know how far the tentacles of the US services reach into the Dutch financial world. Bos promised to report to Parliament before the end of April, the Volkskrant reports.

[source: Expatica]

Google Logs New Data Privacy Policy

(2007-03-14) [McGraw-Hill Companies Inc.] Google and other online services have long been criticized for collecting unimaginable amounts of data on their users, such as what they've searched for. And many of them keep that personally identifiable data indefinitely, raising privacy concerns. That's about to change, at least in Google's case.

Good thing, since there have been recent incidents that highlight the privacy threats that data pose, such as AOL's release of private data on individuals last year and the Department of Justice's 2005 subpoena requesting months of search data from several search sites, which Google refused to do. (Excerpt from news story by Rob Hof)

[source: Business Week]

Google Cooperating with Mumbai & Brazilian Police

(2007-03-14) [] Boing Boing has two good posts detailing how Google has been cooperating with Mumbai and Brazilian authorities to help censor content and track down offenders on their Orkut social networking service.

... Google's social networking service Orkut will cooperate with the Mumbai Police to share IP addresses of users who post "objectionable content" on Orkut.

[source: Blog]

UK Home Office plans to fingerprint children starting 11

(2007-03-14) [EDRI] "Restricted" documents circulated among officials in the UK Identity and Passport have shown Home Office plans to fingerprint children aged 11 years and over, beginning with 2010, as part of the programme for the introduction of new biometric passports and ID cards.

The fingerprints are to be stored in a big database expected to cover about half a million children by 2011 that will be also used by the Immigration and Nationality Directorate to store fingerprints of asylum seekers.

[source: EDRI-gram, Number 5.5]

Cross-border wiretapping proposed by the Swedish Government

(2007-03-14) [EDRI] Mikael Odenberg, the Swedish defence minister, presented on 8 March 2007 a draft law to the parliament that would give the national defence intelligence agency the power to monitor all cross-border phone calls and email traffic without court order.

The proposal, which according to the government, is meant to combat terrorism and other threats to national security, would allow the National Defence Radio Establishment (FRA) to use computer software to search for sensitive keywords in all cross-border phone and e-mail communications.

[source: EDRI-gram, Number 5.5]

French High Court cancels the creation of illegal migrants database

(2007-03-14) [EDRI] In a decision published on 13 March, the Conseil d'État, the French highest administrative court, cancelled the ministerial order ("Arrêté") by which the Interior Ministry created the ELOI file, a database aimed at facilitating the expulsion of illegal migrants.

On 2 October 2006, four French NGOs filed this case against the Interior minister: CIMADE and GISTI (two associations defending the rights of migrants), LDH (the French Human Rights League), and French EDRI member IRIS. While the database creation itself is allowed by the French code on immigration and asylum (CESEDA), the NGOs argued that the ELOI file would contain excessive and inadequate personal data on the foreigners themselves, their children, the citizens with whom they were staying, and their visitors in retention centres. Moreover, these data were supposed to be kept for an excessive duration.

[source: EDRI-gram, Number 5.5]

Google adding search privacy protections

(2007-03-14) [CNet] Google is changing its data retention practices to make it harder to identify the specific computers used in searches.

Google's servers log information every time someone conducts a Web search, keeping data such as the keywords used, the Internet Protocol address or unique number assigned to that person's computer, and information from Web cookies, which are small bits of data exchanged between a server and a Web browser each time the browser accesses the server. Cookies are used to authenticate the user and maintain information such as the user's site preferences. (Excerpt from news story by Elinor Mills)


Google to make search logs anonymous

(2007-03-14) [ComputerWorld] In a victory for privacy activists, Google Inc. will start making its records about users' searches anonymous after 18 to 24 months under a policy announced Wednesday.

Until now, the dominant search company has indefinitely retained a log of every search, with identifiers that can associate it with a particular computer. The new policy, to be implemented within the next year, is intended to better protect users' privacy, two executives wrote in a Google Blog entry posted Wednesday. (Excerpt from news story by Stephen Lawson)

[source: Security]

Themes and trends in 2006

(2007-03-13) [Datatilsynet] Datatilsynet highlighted six trends that have been particularly prominent during the reporting year.

The trends are drawn from experience with inspections and case handling, from consultation work, from participation in various working and steering groups, and from cases that Datatilsynet has become aware of through media coverage. The description of the trends builds on a more thorough discussion elsewhere in the annual report.

[source: News]

Popular teaching packages

(2007-03-13) [Datatilsynet] The newly launched teaching programme on privacy -- "Det er DU som bestemmer" ("It is YOU who decides") -- has been very well received in Norwegian schools. The first print run was snapped up within the first month, and a new print run is now being printed.

Demand for the new teaching programme has been enormous since its launch at the end of January. The response from Norwegian schools testifies to a great need for information that increases young people's knowledge and awareness of their own and others' privacy.

[source: News]

Podcast: Spyware

(2007-03-13) [WAMU: The Kojo Nnamdi Show] Spyware and viruses cost Americans nearly $8 billion in the last two years, and experts say online attacks are getting more insidious and harder to fix.

We'll look at the evolving nature of spyware and assess federal efforts to prosecute online wrongdoers. Guests: Ari Schwartz (Deputy Director, Center for Democracy and Technology; and Coordinator, Anti-spyware Coalition), Tom Liston (Senior security consultant, Intelguardians Network Intelligence, LLC; Co-author, "Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses"), and Jerry Cerasale (Senior Vice President for Government Affairs, Direct Marketing Association). Listen to the podcast (audio length 00:52:00)

[source: Tech Tuesday]

Your New ID-Theft Worry? Photocopiers

(2007-03-13) [Wired] Consumers are bombarded with warnings about identity theft. Publicized threats range from mailbox thieves and lost laptops to the higher-tech methods of e-mail scams and corporate data invasions.

Now, experts are warning that photocopiers could be a culprit as well. That's because most digital copiers manufactured in the past five years have disk drives - the same kind of data-storage mechanism found in computers - to reproduce documents. As a result, the seemingly innocuous machines that are commonly used to spit out copies of tax returns for millions of Americans can retain the data being scanned. (Excerpt from news story by May Wong)

[source: News]

Law school symposium explores privacy rights

(2007-03-12) [The California Aggie] Eleven law professors from universities across the country converged at the UC Davis School of Law Wilkins Moot Court Room on Friday for the UC Davis Law Review's annual symposium.

Entitled "Katz v. United States: 40 Years Later - From Warrantless Wiretaps to the War on Terror," the three-panel discussion focused on the applicability of the Fourth Amendment's protection of a person's reasonable expectancy of privacy in the midst of national security surveillance.

[source: California Aggie]

ID card details for sale to banks

(2007-03-12) [Associated Northcliffe Digital Ltd] Banks and other businesses are to be sold access to personal information stored on the Government's ID cards database.

Ministers want to raise hundreds of millions towards the £540m a year cost of running the controversial scheme. The Government is already facing a backlash over charging people £93 each for an ID card - which will contain 49 different pieces of personal data. (Excerpt from news story by James Slack and Sue Reid)

[source: this is money]

Internet Users Can Clean Up Personal Information

(2007-03-12) Internet users will be allowed to find and delete their resident registration numbers, Korea's version of social security numbers, if they are found circulating on the Web.

The Ministry of Government Administration and Home Affairs launched a month-long online program Monday that will allow subscribers to track the usage of their identification numbers on Internet Web sites since 2001. (Excerpt from news story by Kim Tong-hyung)

[source: Korea Times]

We need multiple biometrics - "Say, do I know you?"

(2007-03-12) [CNet] Have you noticed how easy it is to recognise a friend or loved one at a distance? How do we do that?

For sure it isn't on the basis of a single parameter recognition system. We don't look at the face alone, which may be indistinguishable or even turned away from us. We take a multi-parameter approach. Body size and shape, skin colour and tone, facial expressions, clothing, jewellery, mannerisms, gait, behaviour patterns all play a vital part in the complete picture that tells us, yep, that is my wife or husband, brother, sister or friend. (Excerpt from news story by Peter Cochrane)


[Norwegian] Two new biometrics decisions

(2007-03-12) [Datatilsynet] Personvernnemnda (the Privacy Appeals Board) has issued decisions in two cases concerning the use of fingerprints, appeals from Esso Norge and REMA 1000.

Datatilsynet refused to allow these two businesses to use fingerprints, based on an interpretation of section 12 of the Personal Data Act (personopplysningslova). This section requires that businesses wishing to use unambiguous means of identification must have a legitimate need for secure identification, and that the method must be necessary to achieve such identification.

[source: News]

Popular P2P apps could expose sensitive files, report says

(2007-03-12) [ComputerWorld] Did the distributors of popular peer-to-peer file-sharing programs such as Kazaa, LimeWire and Morpheus include features in their products that they knew, or should have known, could cause users to inadvertently share sensitive information on their computers with other users of the software?

According to the U.S. Patent and Trademark Office (USPTO), the answer is an unequivocal yes. The agency last week released an 80-page report based on an analysis of five specific features included in file-sharing software from Kazaa, LimeWire, Morpheus, BearShare and eDonkey between 2003 and 2006. (Excerpt from news story by Jaikumar Vijayan)

[source: Security]

Texas House Votes to Exempt Clerks From Privacy Laws

(2007-03-12) [ComputerWorld] The Texas House of Representatives last week passed an emergency bill that exempts courthouse clerks in Texas from state and federal laws requiring that Social Security numbers be kept confidential.

The bill has moved on to the Texas Senate for debate and a vote. If passed by a two-thirds majority, it would go into effect immediately. The legislation would negate a Feb. 23 ruling by Texas Attorney General Greg Abbott that disclosing Social Security numbers in public documents violates state and federal privacy laws. (Excerpt from news story by Jaikumar Vijayan)

[source: Security]

UK official calls for international privacy standards

(2007-03-09) [ComputerWorld] The U.K.'s information commissioner, Richard Thomas, has called for international harmonization of privacy rules.

His call follows recent disputes between the E.U. and the U.S. over privacy safeguards for European air passenger data and financial transaction information requested by the U.S. as part of its anti-terrorism efforts. Speaking at the International Association of Privacy Professionals' summit in Washington, Thomas said: "We must all do global privacy better. Information flows do not recognize international boundaries. The internet is rightly called the world wide web. Likewise travel, finance, commerce, telecoms, crime, scams and terrorism all increasingly operate internationally. (Excerpt from news story by Tash Shifrin)

[source: Security]

New event: re:publica 2007 - Leben im Netz

(2007-03-26) "re:publica 2007 - Leben im Netz" will take place on April 11 -- 13, 2007 (Berlin, Germany).

See calendar entry.

New event: A Case of Misplaced Blame? News Accounts of Hacker, Consumer, and Organizational Responsibility for Compromised Records

(2007-03-26) "A Case of Misplaced Blame? News Accounts of Hacker, Consumer, and Organizational Responsibility for Compromised Records" will take place on March 19, 2007 (Stanford, CA, US).

See calendar entry.

US and EU 'must be more consistent'

(2007-03-09) [IDG] The information commissioner, Richard Thomas, has called for international harmonisation of privacy rules.

His call follows recent disputes between the EU and the US over privacy safeguards for European air passenger data and financial transaction information requested by the US as part of its anti-terrorism efforts. Speaking at the International Association of Privacy Professionals' summit in Washington, Thomas said: "We must all do global privacy better. Information flows do not recognise international boundaries. The internet is rightly called the world wide web. Likewise travel, finance, commerce, telecoms, crime, scams and terrorism all increasingly operate internationally. (Excerpt from news story by Tash Shifrin)

[source: ComputerworldUK]

Anonymization: Protecting Customer Privacy While Sharing Data

(2007-03-09) [CXO Media Inc.] Jeff Jonas, the chief scientist and distinguished engineer at IBM's entity analytic solutions group, has developed a means of sharing corporate data without revealing what that data contains.

This technology, called anonymization, effectively "shreds" information, making it possible for companies to share information about their customers with governments or other companies without giving away any personal data. Over time, Jonas believes companies will increasingly use anonymization to defend their data, and corporate well-being, from competitors and identity thieves. Jonas recently sat down with IDG News Service in Singapore to discuss anonymization and how protecting customer privacy will make companies more competitive. (Excerpt from news story by Sumner Lemon)

[source: CSO Magazine]

Canadian Survey on Identity Fraud

(2007-03-09) [EPIC] The Canadian Strategic Counsel recently published its annual Fraud Prevention Report for 2006. The survey found that 86% of Canadians across all demographic groups consider marketing fraud to be a serious problem, a slightly higher rate than the 2005 survey.

Almost the same number of respondents believes that identity theft is on the rise. 1 in 6 Canadians surveyed reported having been victimized by identity theft in 2006. However, few individuals make a significant effort to report or resolve the incident. The most common reasons for not taking action include that it requires too much effort to report, or the amount of money was not significant enough to bother.

[source: EPIC Alert, Volume 14.05]

Hearing in the European Parliament on Passenger Name Records

(2007-03-09) [EPIC] On March 26, the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) will hold a public seminar on Transatlantic Relations and Data Protection regarding passenger name record information, SWIFT financial data, and the Safe Harbour agreement.

Growing EU concern about the privacy of personal data, particularly after the disclosure of the US' use of the Automated Targeting System on individuals, will weigh heavily in negotiations of a new EU-US passenger name record transfer agreement this spring. The European Parliament has adopted a Resolution on SWIFT, the PNR agreement and the transatlantic dialogue on these issues, which calls for Parliamentary involvement, greater transparency and the inclusion of redress measures in future agreements.

[source: EPIC Alert, Volume 14.05]

Five New Congressional Research Service reports have become available

(2007-03-09) [EPIC] New Congressional Research Service reports have become available as downloadable PDFs.

Titles are: "Congressional Oversight of Intelligence: Current Structure and Alternatives," RL32525 (Feb. 15, 2007); "Data Mining and Homeland Security: An Overview," RL 31798 (Jan. 18, 2007); "Data Security: Federal Legislative Approaches," RL33273 (Jan. 25, 2007); "Remedies Available to Victims of Identity Theft," RL31919 (Jan. 23, 2007); and "Identity Theft: State Penalties and Remedies and Pending Federal Bills," RS 22484 (Jan. 11, 2007).

[source: EPIC Alert, Volume 14.05]

FTC Report on Children's Online Privacy Protection Act

(2007-03-09) [EPIC] The Federal Trade Commission reports that the Child Online Privacy Protection Act (COPPA) has been successful at protecting children's privacy online. The report concludes that no changes to the regulations are warranted at this time, and that continuing enforcement with increasing civil penalties against significant violations will adequately deter unlawful conduct. The report was issued in accordance with Congressional demands for a "rule review" after 5 years.

Congress enacted COPPA in 1998, and the FTC issued rules which became effective in April of 2005. COPPA requires explicit parental consent of data collected on children under the age of 13; provides parents with the ability to see the data that was collected; and allows consent to be revoked and the data to be deleted. COPPA enforcement is via a mixture of FTC action and industry "safe harbor" self-regulation. The FTC has certified certain self-regulatory bodies, and it will not prosecute websites that comply with those bodies' standards.

[source: EPIC Alert, Volume 14.05]

Homeland Security Abandons Visitor Tagging Plan Criticized by EPIC

(2007-03-09) [EPIC] Plans to use radio frequency identification (RFID) technology in the US-VISIT border security system have been abandoned after pilot testing failed, Department of Homeland Security Secretary Michael Chertoff admitted in Congressional testimony on February 9th. A government report released in January said testing of RFID tags embedded in I-94 documents was unsuccessful. Chertoff said about the program, "I think, yes, we're abandoning it. That's not going to be a solution."

In 2005, the Department of Homeland Security began testing RFID-enabled I-94 forms in its United States Visitor and Immigrant Status Indicator Technology (US-VISIT) program to track the entry and exit of visitors. The RFID-enabled forms stored a unique identification number, which is linked to data files containing foreign visitors' biographic information, including name, date of birth, country of citizenship, passport number and country of issuance, complete U.S. destination address, and digital fingerscans.

[source: EPIC Alert, Volume 14.05]

After Long Delay, Regulations Issued for Flawed National ID Plan

(2007-03-09) [EPIC] More than two years after Congress rushed through passage of the REAL ID Act, the Department of Homeland Security announced proposed regulations on March 1 that would turn the state driver's license into a national identity card. The estimated cost of the plan could be as high as $23.1 billion, according to the federal government, and the national ID system will increase security risks as well as the threats to personal privacy.

The federal agency claims that no national ID database will be created under these regulations, because there will not be a single database maintained by a federal agency. However, under the proposed regulations, DHS will impose new requirements on state motor vehicle agencies so that all state databases will be linked together. A national database with personal information of 245 million license and state ID cardholders across the country is a tempting target for identity thieves and other criminals. Yet the regulations merely include the vague requirement that states prepare a "comprehensive security plan" for REAL ID implementation. DHS does not set minimum security or privacy standards to protect a national database with sensitive personal information.

[source: EPIC Alert, Volume 14.05]

Biometrics in ID Cards?

(2007-03-08) [MIT Technology Review] According to a recent poll by Truste, 82 percent of Americans "support the use of biometric identification on passports," 75 percent support adding biometrics to driver's licenses, and 73 percent support adding it to social-security cards. They're wrong.

The survey has some contradictions. For example, 68 percent of the respondents believe that biometrics added to identity documents will make it harder for thieves to engage in identity theft, but 67 percent think that "criminals will find a way around the technology." The real problem with adding biometrics to identity documents isn't that crooks will find a way around the technology, but that crooks will get identity documents that have your name but their biometrics.

[source: News]

Come clean on privacy

(2007-03-08) Organisations which fail to properly secure personal data should be required to tell their customers when a breach occurs, says Privacy Commissioner Karen Curtis in a broad-ranging review of data and privacy law.

Compulsory notification of data loss or exposure would "provide a strong market incentive for organisations to adequately secure databases" containing consumer information, she said. (Excerpt from news story by Karen Dearne)

[source: Australian IT]

New paper: "Privacy's Other Path: Recovering the Law of Confidentiality"

(2007-03-08) [Social Science Research Network] A new paper by Neil M. Richards and Daniel J. Solove can be downloaded.

Abstract: The familiar legend of privacy law holds that Samuel Warren and Louis Brandeis "invented" the right to privacy in 1890, and that William Prosser aided its development by recognizing four privacy torts in 1960. In this article, Professors Richards and Solove contend that Warren, Brandeis, and Prosser did not invent privacy law, but took it down a new path. Well before 1890, a considerable body of Anglo-American law protected confidentiality, which safeguards the information people share with others. Warren, Brandeis, and later Prosser turned away from the law of confidentiality to create a new conception of privacy based on the individual's "inviolate personality." English law, however, rejected Warren and Brandeis's conception of privacy and developed a conception of privacy as confidentiality from the same sources used by Warren and Brandeis. Today, in contrast to the individualistic conception of privacy in American law, the English law of confidence recognizes and enforces expectations of trust within relationships. Richards and Solove explore how and why privacy law developed so differently in America and England. Understanding the origins and developments of privacy law's divergent paths reveals that each body of law's conception of privacy has much to teach the other.

[source: Announcements]

Seven ways to keep your search history private

(2007-03-08) [ComputerWorld] The greatest threat to your privacy may not come from cookies, spyware or Web sites tracking and analyzing your Web surfing habits.

Instead, it may come from search engines, which collect and store records of your searches. Search engines track your search terms, the sites you visit as a result of your searches, the times you conduct your searches and your IP address. This makes it possible to figure out who you are, what your likes and dislikes are, and what you do online. (Excerpt from news story by Preston Gralla)

[source: Networking & Internet]

Gates urges federal data privacy law

(2007-03-07) [CNet] Microsoft Chairman Bill Gates has added to his legislative wish list, renewing his push for Congress to pass an "all-inclusive" consumer privacy and security law by year's end.

In his keynote speech at a dinner here Wednesday hosted by the advocacy group Center for Democracy and Technology, Gates shifted his focus away from the calls for education and immigration changes that dominated his appearance at a morning Senate hearing. (Excerpt from news story by Anne Broache)


ID theft forecast: Gloomy today, worse tomorrow

(2007-03-07) [ComputerWorld] Virtually every trend line for identity theft is bad news, a research analyst said today as she released a survey showing that 15 million Americans were victimized during a recent 12-month span.

For the year-long period that ended last August, 15 million people were burned by some kind of fraud related to identity theft, said Avivah Litan, a Gartner Inc. analyst. That number is 50% higher than 2003 data released by the Federal Trade Commission. (Excerpt from news story by Gregg Keizer)

[source: Security]

Gates calls for new consumer privacy law

(2007-03-07) [ComputerWorld] Microsoft Chairman Bill Gates asked Congress to pass a comprehensive privacy law this year, allowing consumers to control how their personal information is used.

Gates repeated past Microsoft calls for a wide-ranging privacy law during a speech at advocacy group the Center for Democracy and Technology's (CDT) annual gala dinner Wednesday. A comprehensive privacy bill should allow consumers to control their personal data, should provide transparency about what their data is used for, and should notify them when their data has been compromised, Gates said. (Excerpt from news story by Grant Gross)

[source: Security]

KOREA: Google continues to show private data

(2007-03-06) [UCLA] Google, the world's foremost Internet search engine, continues to reveal sensitive data on Korean people despite the nation's requests for a change.

The Ministry of Information and Communication yesterday said the U.S.-based Google keeps showing resident registration numbers, the rough equivalent of social security numbers, in search results. "Local portal sites like Naver and Daum automatically filter resident registration numbers but Google can't do so," said Oh Jin-ho, director at the ministry. (Excerpt from news story by Kim Tae-gyu)

[source: AsiaMedia]

HIPAA privacy rule still causing confusion

(2007-03-06) [Crain Communications, Inc.] It's been more than 10 years since the Health Insurance Portability and Accountability Act became law, but many healthcare practitioners across the country are still unsure of what the law requires and how its provisions interact with other state and federal privacy laws, according to participants in a federally funded healthcare privacy research project who are meeting in Bethesda, Md., this week.

That sense of confusion won't be alleviated even after the two-day national gathering of the 33-state, Health Information Security and Privacy Collaboration ends today. (Excerpt from news story by Joseph Conn)

[source: Modern Healthcare Online]

Data sharing powers questioned in Lords

(2007-03-06) [PinsentMasons] Better safeguards are needed in new Government data sharing proposals according to the Conservative spokesperson on home affairs in the House of Lords. Baroness Anelay of St Johns has tabled a series of amendments to a new Government Bill.

The Serious Crime Bill allows for the sharing of data for comparison as a crime fighting measure. Called data matching, this involves public sector financial watchdog the Audit Commission comparing different records to try to detect fraud. But the Government's proposals are too wide ranging and do not contain enough safeguards against the invasion of citizens' privacy, according to the amendments proposed by Anelay.


Big Brother is watching ... and you'll never guess how

(2007-03-06) [PipeDream] Technological advances over the last decade have birthed a surveillance revolution of an unprecedented scale. The technologies are in wide circulation, yet few people understand what the powerful devices are capable of.

To start with, if your cell phone is on, it is ceaselessly communicating your whereabouts to your provider by a process known as triangulation. The data is systematically stored in your provider's database and may be subpoenaed or seized by the government (or private litigants in the case of the former) as untainted evidence admissible in court. Color laser printers, CD burners and other common devices also now come standard with tracking enablers. (Excerpt from news story by Jennifer Frank)

[source: Blogentry]

European Commission debates eID

(2007-03-06) [The Register] The European Commission is considering the feasibility of an interoperable electronic identity (eID) system across Europe. The eID system is expected to help reduce the administrative burden on mobile workers and travellers in the EU. It will also simplify cross border business transactions, company registrations, or payment of tax obligations for small businesses.

Speaking at the International Conference Advancing eGovernment in Berlin on 1 March 2007, Viviane Reding, EC member responsible for information, society and media, told delegates: "Proving one's identity, securing rights for allowances and filling in unfamiliar documentation can be a real struggle." (Excerpt from news story by Kablenet)

[source: News]

Publishing online pics raises privacy issues

(2007-03-06) [Shanghai Daily Publishing House] Extensive circulation online of mobile phone photos taken without the subjects' knowledge raises concerns over invasion of privacy.

During the recent Spring Festival a group of handset photography amateurs, armed with photo-handies, roamed the streets and alleys of Chongqing in search of photo ops afforded by chance passersby, with a view to chastising "uncivilized conduct," such as spitting, jaywalking, littering and so forth. The pictures they took have since been published on the Internet, according to the Chongqing Morning News (February 26). (Excerpt from news story by Ma Jun)


Crack! Security expert hacks RFID in UK passport

(2007-03-06) [ComputerWorld] A security expert has cracked one of the U.K.'s new biometric passports, which the British government hopes will cut down on cross-border crime and illegal immigration.

The attack, which uses a common RFID (radio frequency identification) reader and customized code, siphoned data off an RFID chip from a passport in a sealed envelope, said Adam Laurie, a security consultant who has worked with RFID and Bluetooth technology. The attack would be invisible to victims, he said. (Excerpt from news story by Jeremy Kirk)

[source: Security]

Nothing to fear over ID cards privacy, says passport chief

(2007-03-06) [CNet] The man in charge of the government's national ID cards scheme has dismissed claims the cards will lead to a personal audit trail of each citizen's movements and transactions.

Privacy groups have claimed records of each time an ID card is used, where and what it is used for will create a vast personal tracking database of every individual on the National Identity Register. (Excerpt from news story by Andy McCue)


ECB breach data protection act

(2007-03-05) [The Wisden Group] The England & Wales Cricket Board have been given a warning by the Government's data protection watchdog for abusing their access to routine criminal clearance applications.

Lord's officials have been told by the Information Commissioner's Office that if they do not stop using Criminal Records Bureau lists for marketing purposes they will face prosecution. The ECB were caught trying to canvass support for their year-old Officials Association by writing to people who had applied for criminal records clearance through the ECB, a list that was supposed to be confidential. (Excerpt from news story by Charles Randall)


The Dangers of DNA Testing

(2007-03-05) [McGraw-Hill Companies Inc.] DNA testing is in the news a lot these days, and not solely because of the saga of Anna Nicole Smith, whose burial was delayed amid a legal tussle over the paternity of her 5-month-old daughter, Daniellyn. The growing success in obtaining convictions by genetic matching (since the O.J. Simpson trial anyway) has made it the preferred identification technology for law enforcement, as well as by other federal agencies. The U.S. military requires every serviceman to give blood for future DNA analysis, presumably for body identification.

States are among the most aggressive users of DNA testing. The New Jersey Supreme Court recently upheld a Garden State law requiring DNA testing of all felons, with the results maintained in a state database and submitted to the FBI. (Excerpt from news story by David H. Holtzman)

[source: Business Week]

Top Secret: We're Wiretapping You

(2007-03-05) [Wired] It could be a scene from Kafka or Brazil. Imagine a government agency, in a bureaucratic foul-up, accidentally gives you a copy of a document marked "top secret." And it contains a log of some of your private phone calls. You read it and ponder it and wonder what it all means. Then, two months later, the FBI shows up at your door, demands the document back and orders you to forget you ever saw it.

By all accounts, that's what happened to Washington D.C. attorney Wendell Belew in August 2004. And it happened at a time when no one outside a small group of high-ranking officials and workaday spooks knew the National Security Agency was listening in on Americans' phone calls without warrants. Belew didn't know what to make of the episode. But now, thanks to that government gaffe, he and a colleague have the distinction of being the only Americans who can prove they were specifically eavesdropped upon by the NSA's surveillance program. (Excerpt from news story by Ryan Singel)

[source: News]

Privacy Board Clears U.S. Spy Programs

(2007-03-05) [Wired] A White House privacy board is giving its stamp of approval to two of the Bush administration's controversial surveillance programs - electronic eavesdropping and financial tracking - and says they do not violate citizens' civil liberties.

Democrats newly in charge of Congress quickly criticized the findings, which they said were questionable given some of the board members' close ties with the Bush administration. (Excerpt from news story by Hope Yen)

[source: News (AP)]

New event: Workshop on Surveillance & Inequality

(2007-03-12) "Workshop on Surveillance & Inequality" will take place on March 16 -- 18, 2007 (Tempe, Arizona, US).

See calendar entry.

New event: Conference on Interdisciplinary Studies in Information Privacy and Security

(2007-03-12) "Conference on Interdisciplinary Studies in Information Privacy and Security" will take place on May 22, 2007 (New Brunswick, New Jersey, US).

See calendar entry.

New event: Proof Positive: New Directions for ID Authentication Public Workshop.

(2007-03-12) "Proof Positive: New Directions for ID Authentication Public Workshop." will take place on April 23 -- 24, 2007 (Washington DC, US).

See calendar entry.

New event: Privacy Coalition meeting

(2007-03-12) "Privacy Coalition meeting" will take place on March 30, 2007 (Washington DC, US).

See calendar entry.

New event: Data Privacy and Integrity Advisory Committee meeting

(2007-03-12) "Data Privacy and Integrity Advisory Committee meeting" will take place on March 21, 2007 (Washington, DC, US).

See calendar entry.

New event: Patient Privacy Coalition meeting

(2007-03-12) "Patient Privacy Coalition meeting" will take place on March 21, 2007 (Patients Privacy Rights).

See calendar entry.

New event: 4th Annual Electronic Health Records Conference

(2007-03-12) "4th Annual Electronic Health Records Conference" will take place on February 13, 2007 (Vancouver, Canada).

See calendar entry.

New event: RFID and Ubiquitous Computing

(2007-03-12) "RFID and Ubiquitous Computing" will take place on March 12, 2007 (Brussels, Belgium).

See calendar entry.

The Top Privacy Issues of the Day: PRC Releases New Report

(2007-03-03) [Privacy Rights Clearinghouse] Some people are more concerned about privacy than others. But, nearly all of us have at least one "hot button" privacy issue. You may be concerned about your child's use of the Internet, identity theft, or an employer's intrusive background check. Or, you may shudder to read stories about the latest technology that tracks, monitors, and records your every move.

Whatever your privacy issue happens to be, you will find it discussed in PRC Director Beth Givens' latest report on the privacy concerns of the day. Givens' report, Privacy Today: A Review of Current Issues, highlights and summarizes 19 key privacy issues affecting consumers today and tomorrow.

[source: Topics]

International Association of Privacy Professionals Keynote Speaker U.S. Attorney General Gonzales

(2007-03-02) [WebWire] U.S. Attorney General Alberto R. Gonzales will address the largest international gathering of privacy pros on March 8 at the Renaissance Washington DC Hotel, the International Association of Privacy Professionals (IAPP) announced today.

Gonzales, the nation's 80th Attorney General, will give his keynote speech at 9:15 a.m. Gonzales joins other high-profile keynote speakers, including the Federal Trade Commission Chairman, Deborah Platt Majoras, UK Information Commissioner Richard Thomas, Sun Microsystems Chair Scott McNealy and Sidley Austin Partner Alan Charles Raul, who also serves as the Vice Chairman of the President's Privacy and Civil Liberties Oversight Board.

[source: Press release]

Google's privacy practices 'may run afoul'

(2007-03-02) [American City Business Journals, Inc] Google Inc. said in its annual report filed Thursday that it is involved in a yearlong unresolved tax dispute with the Securities and Exchange Commission.

Mountain View-based Google said the SEC on March 16 questioned how it accounts for income taxes. "We believe that we properly account for our income taxes. We will continue to work to resolve these comments with the SEC," Google said in the filing.

[source: Sacramento Business Journal]

EU data retention law could impact Asia

(2007-03-02) [CNET Networks, Inc.] The data retention legislation passed by the European Union (EU) could spill over to Asia and force communications service providers and operators in this region to comply, say market experts.

Approved early last year amid much controversy, the EU data retention directive requires Internet service providers (ISPs), fixed-line and mobile operators to preserve details of their customers' communications for up to two years. Information such as the date, destination and duration of the mobile call, for example, must be stored and made available to law enforcement authorities for between six and 24 months. (Excerpt from news story by Eileen Yu)

[source: ZDNet Asia]

Privacy guardians call for government action as Fraud Awareness Month begins

(2007-03-01) [Rogers Communications Inc] Privacy guardians across the country say Canada needs to do more to protect its citizens against e-mail spam and identity theft.

To mark the start of Fraud Prevention Month today, provincial and national privacy commissioners said tougher criminal sanctions should be considered to better protect personal information. They suggest it's particularly important to start addressing the problem of "pretexting" - impersonating someone to gain access to their personal information.

[source: 680 News]

1 in 6 Canadians hit by identity theft, survey suggests

(2007-03-01) [CBC] Identity theft has hit one out of every six adult Canadians -- more than 4.2 million people -- either directly or within their immediate households, a survey suggests.

The poll, conducted in 2006 by the Strategic Counsel for the Competition Bureau of Canada, suggests that 17 per cent of Canadians aged 18 or older have either been victimized themselves or had an incident affect someone in their homes.

[source: CBC News]

New event: Privacy and Public Policy Challenges of Social Technology - a talk by Chris Kelly

(2007-03-05) "Privacy and Public Policy Challenges of Social Technology - a talk by Chris Kelly" will take place on March 5, 2007 (Stanford Law School, Stanford, CA, US).

See calendar entry.

Latest update: 2007-05-27 13:49:08