SAITS news - April 2007


Podcast: Freedom Businesses Protect Privacy

(2007-04-25) [IT Conversations] Eben Moglen -- director of Software Freedom Law Center -- gives a penetrating analysis of privacy and technology.

It is key that we have given this data freely and without contractual agreement, and it is only right that those who now possess the data should think about it and share it with others. It is in the development of necessary contracts that we should concern ourselves. One solution may lie in storing the data ourselves in voluntary collectives: it's all the same free software after all. It is not the technology of memory itself that is the problem; that is the solution, as long as we can agree with what we mean by the term privacy. Listen to the podcast (length 00:40:04).

[source: News]

[Swedish] Guidance for municipalities: Checklist for secure e-government

(2007-04-12) [Datainspektionen] It is becoming increasingly common to book mobility services, apply for preschool places and apply to various upper-secondary programmes on the web. The paper society will soon be just a memory, and many municipalities are working intensively to develop their e-government. But how do they build an effective and legally secure e-government with the citizen's privacy in focus?

Datainspektionen has studied the development and has produced a guidance document to point out privacy risks. The guidance focuses on the systems that make personal data more easily accessible and on the requirements this places on municipalities. Hands-on advice is given in various checklists on how to handle electronic document and case management, e-services, the use of geographic information systems (GIS), and inter-municipal cooperation.

[source: Nyheter]

Google and Privacy

(2007-04-25) [O'Reilly] Tim O'Reilly presents his view on the Google acquisition of Doubleclick, from the privacy point of view.

I wanted to weigh in with a broader perspective, and a counter-argument. While there is some ground for concern, people seem to be ignoring far greater risks to our privacy that are in the hands of people far less scrupulous than Google. Our credit card company knows everything we buy -- and sells that information to marketers; our phone company knows everyone we call -- and sells that information to marketers; our supermarket knows what we buy and how often -- and sells that information to marketers. Meanwhile, here's Google, which is using the information it collects to build better services that we eagerly consume because they are useful to us, and yet we're complaining about the risks of how much data they collect! At least Google's harnessing that data for our benefit, while most of the other big data collectors are simply using it for their own.

[source: radar]

IT Protects IP First; Customer Data ...

(2007-04-30) [ComputerWorld] ... well, that's not as important. That's the finding from a survey of 1,500 IT leaders in five countries by London-based Datamonitor PLC for security vendor McAfee Inc.

What most surprised Carl Banzhof, McAfee's vice president and chief technology evangelist, was that despite the media hoopla about the cost of not protecting customer information, "the type of data most valued" by IT executives is intellectual property (IP). Even among retail businesses, "IP was more valued than customer data," he reports. Perhaps with good reason. The study shows that the average cost of a single IP loss for a company is $1.68 million. One-third of the respondents said they worried that a major data breach could put their firms out of business. Moreover, 60% of the companies that responded said they had experienced a data breach in the previous 12 months. Most of the security snafus were the result of unintentional mistakes by clueless insiders, although 23% of the internal breaches were malicious actions by disgruntled workers, according to the survey. (Excerpt from news story by Mark Hall)

[source: Security]

Britain becoming a Big Brother society, says data watchdog

(2007-04-29) [Independent News and Media Limited] Britain is in danger of "committing slow social suicide" as such Big Brother techniques as surveillance cameras and recording equipment spread into every aspect of our lives, the nation's information watchdog will warn this week.

A new report from Richard Thomas, the information commissioner, will say that the public needs to be made more aware of the "creeping encroachment" on civil liberties created by email monitoring, CCTV and computer tracking of our buying habits. (Excerpt from news story by Sophie Goodchild)

[source: The Independent]

Government firm sells private details

(2007-04-29) [Associated Northcliffe Digital Ltd.] A Government contractor is selling the personal details of more than a million people with financial problems to a controversial 'debt management' company which has been accused of charging exorbitant fees.

Lord Falconer's Department for Constitutional Affairs (DCA) has approved the sale of details of everyone who has accrued court fines or judgments against them to a company targeting people in debt. Registry Trust Ltd (RTL), a contractor working on behalf of the DCA, logs every county court judgment, unpaid magistrates' court fine and Child Support Agency liability order made, then sells this information to 13 finance companies for £2million per year. (Excerpt from news story by Martin Delgado)


Eight Privacy Firms to Watch

(2007-04-27) [ComputerWorld] A handful of brave souls have bet the farm that North American companies have a lot of privacy work left to do and not enough staff to do it. So far, their hunches are paying off. But prospective entrepreneurs, take heed: The privacy market is still new and evolving, with little predictability.

Just seven years ago, there wasn't even a privacy market to speak of. The ink on most privacy laws wasn't dry yet, fewer than 50 people worldwide bore the title "chief privacy officer," and the International Association of Privacy Professionals didn't exist. (Excerpt from news story by Jay Cline)

[source: Security]

CIPPIC releases Working Papers on ID Theft

(2007-04-02) [CIPPIC] CIPPIC has issued the first batch of a series of working papers on identity theft. The papers released today include Introduction and Background, Techniques of Identity Theft, and Legislative Approaches to Identity Theft.

Additional papers examining identity theft caselaw, law enforcement, and policy approaches, as well as a Bibliography on identity theft, will be forthcoming. These working papers reflect research conducted during 2006 with funding from the Ontario Research Network for Electronic Commerce (ORNEC).

[source: News]

Privacy Commissioner rules on SWIFT complaints

(2007-04-02) [CIPPIC] The federal Privacy Commissioner today released her findings on the matter of SWIFT, an international banking transaction clearinghouse that last year admitted to disclosing personal data to the U.S. Treasury in response to a subpoena.

She found that neither SWIFT nor Canadian banks are violating PIPEDA when they disclose personal information about Canadians to foreign authorities in response to subpoenas by those authorities.

[source: News]

Lip Reading Surveillance Cameras To Stop Terror

(2007-04-27) [Alex Jones] "Read my lips...." used to be a figurative saying. Now the British government is considering taking it literally by adding lip reading technology to some of the four million or so surveillance cameras in order to identify terrorists and criminals by watching what everyone says.

Electronic Design is reporting that the Home Office is interested in a project being pursued by a senior lecturer in computer vision at the University of East Anglia in Norwich, England: (Excerpt from news story by Steve Watson)


NIST issues RFID guidelines

(2007-04-30) [1105 Media, Inc] The National Institute of Standards and Technology last week issued guidelines and a set of best practices for the use of radio frequency technology by federal agencies, as well as private corporations. The 154-page report is titled Guidelines for Securing Radio Frequency Identification Systems.

NIST said entities deploying RFID technologies need to consider any security or privacy risks that could arise and should minimize those risks by following a list of best practices developed for RFID users. The guidelines focus specifically on the use of RFID technologies for asset management, tracking, matching and process and supply chain control. (Excerpt from news story by John Rendleman)

[source: Government Computer News]

Cybereye | ID theft plan: It's a start

(2007-04-30) [1105 Media, Inc] A presidential task force on identity theft from 17 federal agencies and departments labored for 11 months to determine the obvious: Both the public and private sectors need to do a better job of protecting personal information and helping victims.

Although the conclusions are obvious, the task force has managed to produce some recommendations that could help provide this much-needed protection. They would put controls on the use of Social Security numbers as universal identifiers and establish some standards for responding to breaches of sensitive data. (Excerpt from news story by William Jackson)

[source: Government Computer News]

UK Dept. of Health admits data incident

(2007-04-27) [InfoWorld] The United Kingdom's Department of Health is apologizing publicly for an IT misstep that resulted in the exposure of hundreds of doctors' personal information online.

According to reports in the nation, including IDG's Computerworld UK affiliate, the British DHS mistakenly published an Excel spreadsheet bearing the affected individuals' details -- including their addresses, phone numbers, sexual orientation and previous convictions (yikes!) -- on an unsecured section of its Web site for several hours yesterday. (Excerpt from post by Matt Hines)

[source: Blogs]

[Swedish] Welcome to a seminar on personal privacy!

(2007-04-20) [SICS] At a half-day seminar (4 June 2007, SICS, Kista), perspectives on personal privacy in the light of information and communication technology will be discussed.

More information about the seminar is available on the seminar's information page.

[source: News]

NIST Completes RFID Security Guidelines

(2007-04-27) [RFID Journal LLC] The National Institute of Standards and Technology's report describes the risks to data security and personal privacy that RFID deployments may pose, and provides best practices and procedures to mitigate those dangers.

The National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce (DOC), released this week its guidelines describing the various risks to data security and personal privacy that RFID deployments may pose, while also providing best practices and procedures, based on existing technology and regulations, to mitigate those risks. The 154-page report, Guidelines for Securing Radio Frequency Identification (RFID) Systems, is meant to assist retailers, manufacturers, hospitals, federal agencies and other organizations in understanding how to deploy RFID technology securely and safely.

[source: RFID Journal]

RFID: "Balanced Articles" - Enough Already

(2007-04-26) [AIM, Inc.] Recently, two different publications -- one which should have been quite reputable -- offered what appear, on first glance, to be attempts at balanced articles of RFID. They provided an overview, benefits and potential pitfalls (aka threats).

On closer reading, however, it's clear that they were written, not by journalists or analysts, but by "researchers" who know very little about the technology. The kind of "balance" in these articles does more harm than good. (Excerpt from news story by Dan Mullen)

[source: Aim Global]

German government admits it is already conducting online searches

(2007-04-26) [Heise Zeitschriften Verlag] At a meeting of the Bundestag's Interior Affairs Committee on Wednesday, the Chancellor's Office admitted that Germany's secret services have been conducting controversial, covert online searches of computers since 2005 after being given an order to do so by then-Interior Minister Otto Schily (SPD).

Gisela Piltz, spokesperson for home affairs from the FDP in the Bundestag, made these announcements after the German government was forced to answer her questions concerning the touchy subject of the monitoring of private PCs and storage units on the Internet. The government said that it does not see any breach of the privacy of telecommunications and the basic right to control personal data.

[source: heise on-line]

U.S. Chamber of Commerce: Companies Should Be Allowed To Break Law if Helping Government

(2007-04-25) [Wired] The U.S. Chamber of Commerce is arguing to a federal appeals court that laws shouldn't apply to companies that help the government in the name of homeland security and that the court should dismiss a suit against AT&T for allegedly violating federal privacy laws in helping the government spy on Americans without warrants.

The group contends that companies can't defend themselves from such suits since doing so would require disclosing classified information -- which is banned by federal law -- and that allowing such suits would dissuade companies from helping the government.

[source: Blogs]

UPI Poll: Don't suspend privacy rights

(2007-04-25) [United Press International, Inc] A majority of respondents to a UPI-Zogby International poll said the U.S. government shouldn't be allowed to suspend privacy laws to share terror information.

The 5,932 U.S. residents who took part in the April 13-16 Zogby interactive poll were asked whether the government could suspend privacy laws to enable the sharing of counter-terror information that could include private data on U.S. citizens. More than one-third -- 35 percent -- said they strongly disagreed with that idea while another 18.4 percent somewhat disagreed. A total of 22.5 percent somewhat agreed with the concept and 16.4 percent strongly agreed.

[source: UPI]

Municipal Wi-Fi Raises Privacy Concerns

(2007-04-25) [NewsFactor Network] In a study conducted of six proposed municipal Wi-Fi systems in San Francisco, the Electronic Privacy Information Center concluded that only one of the six would adequately protect user privacy, in large part because they did not require users of the system to log in to get access to the Internet.

Some groups are raising concerns about whether municipal Wi-Fi systems will do an adequate job of protecting the privacy of the millions of people who would be using those systems. (Excerpt from news story by Frederick Lane)

[source: Sci-Tech Today]

Privacy bodies investigate Google's data protection standards

(2007-04-25) [EDRI] Even though Google recently announced the reduction to 18 - 24 months of the retention time for data related to users and their searches, its privacy practices are discussed by the Article 29 Working Group and could be investigated by the US Federal Trade Commission (FTC).

The Norwegian Data Protection Group has already sent a letter to the major search engine with concerns over several data protection issues, especially on data retention. A second letter is expected to come from the European Commission on behalf of the Article 29 Working Party regarding Google's compliance with the European data protection legislation. Following this process, if Google privacy practices are considered in breach of the European legislation, the company could be fined by the national data protection authorities.

[source: EDRI-gram, Number 5.8]

Data retention and increased surveillance in Germany

(2007-04-25) [EDRI] The German government has approved the draft legislation that implements the data retention directive, but the political opposition and the growing anti-surveillance movement show an important resistance to the new plans of the federal Minister for the interior, Wolfgang Schäuble, who wants an ever increased surveillance.

The draft bill adopted by the German Government on 18 April 2007, was called by the Minister of Justice, Brigitte Zypries, "reasonable and constitutional." But the adopted draft expands what was initially proposed by Zypries, making traffic data accessible not only for criminal prosecution purposes, but also in order to "prevent considerable dangers" and "fulfil the legal duties" of all security police. Zypries also stated "the data retained could be used to prevent crime... if the police laws of the German states allow for this."

[source: EDRI-gram, Number 5.8]

French Government Decree on data retention - another Big Brother act

(2007-04-25) [EDRI] The French Government, during this election period, is preparing a decree for the application of the law on the confidence in the numerical economy (LCEN) of 21 June 2004, which requires webmasters, hosting companies, fixed and mobile telephony operators and Internet service providers to retain all information on Internet users and telephone subscribers and to deliver it to the police or the State at a simple request.

The present text requires the data retention for a year, and according to the digital rights associations, such as EDRI-member IRIS, this goes even further up to retaining the passwords supplied when subscribing to a telephone service or an Internet account or payment details such as amount, date or type.

[source: EDRI-gram, Number 5.8]

Press privacy complaints rising

(2007-04-24) [Northern and Shell Media Publications] The number of people taking privacy and intrusion issues to the Press Complaints Commission (PCC) is growing - and dwarfs the number of cases taken to courts, according to its annual report.

The newspaper and magazine industry's self-regulatory body dealt with 206 privacy complaints last year, the report said. But that number failed to reflect the great deal of work it was doing in the field of privacy, it added.

[source: Daily Express]

Industry group wants government data protection standard, too

(2007-04-24) [ComputerWorld] A leading industry advocacy group today endorsed the recommendations of a presidential task force that wants a national standard for private sector data protection as a key component of fighting identity theft. But it faulted the task force for failing to recommend a similar national standard for government entities.

"The recommendations to limit the unnecessary use of Social Security numbers, establish a National Identity Theft Law Enforcement Center and execute additional public awareness campaigns are important and necessary measures," said Liz Gassiter, general counsel for Cyber Security Industry Alliance (CSIA) in a statement. But "the report stops short of requiring a national standard for the public sector that would mirror the mandatory data protection requirements and breach notification requirements suggested for the private sector." (Excerpt from news story by Jaikumar Vijayan)

[source: Security]

2007 Privacy Report to Congress

(2007-04-23) [Privacy and Civil Liberties Oversight Board] The annual Report to Congress is published.

The Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA), which created the Privacy and Civil Liberties Oversight Board (Board), requires that "[n]ot less frequently than annually, the Board shall prepare a report to Congress, unclassified to the greatest extent possible . . . on the Board's major activities during the preceding period." This report discusses the Board's activities from its first meeting on March 14, 2006, at which the Members were sworn in and an Executive Director was appointed, through March 1, 2007. Read the report (PDF).

[source: Press Release]

McAfee: RFID chips exposing users to danger

(2007-04-23) [ComputerWorld] The current generation of radio frequency identification (RFID) technology is vulnerable to eavesdropping, cloning and forging.

That's according to an April security trends report (download PDF) from security software vendor McAfee Inc. The Sage report is issued semiannually by McAfee Avert Labs based on its research into high-tech threats. (Excerpt from news story by Marc L. Songini)

[source: Mobile & Wireless]

ID theft task force recommends stronger laws

(2007-04-23) [ComputerWorld] The U.S. government plans to establish a national identity theft law enforcement center and create a multiyear public education campaign about the dangers of ID theft, as part of a series of recommendations released by a task force Monday.

The President's Identity Theft Task Force, created by George Bush in May 2006, also called for national data protection standards for private companies that collect and sell personal information, as well as a national law requiring companies to tell customers when their personal data has been compromised. Federal agencies should stop the unnecessary use of Social Security numbers, and the federal government should step up its efforts to educate agencies about data security best practices and regulations in place, the task force recommended. (Excerpt from news story by Grant Gross)

[source: Security]

Canada, Mexico travel cards under privacy attack

(2007-04-23) [CNet] A forthcoming travel identification card geared toward Americans who frequently cross U.S. borders into Mexico and Canada is drawing renewed criticism.

At a Monday workshop here, privacy advocates said they were puzzled that come summertime, the U.S. Department of State, in consultation with the Department of Homeland Security, still hopes to begin issuing so-called "passport cards" embedded with radio frequency identification (RFID) chips whose data can be skimmed by readers up to at least 20 feet away. (Excerpt from news story by Anne Broache)


Privacy, trust still the biggest barriers to electronic record sharing

(2007-04-23) [Wisconsin Technology Network LLC.] Is America rushing into the adoption of electronic medical records and patient data exchange without enough concern for data security?

The question has been raised on many fronts, including the Congress, where some bills seek to provide incentives to encourage the adoption of interactive personal health records, and others that raise privacy concerns are construed as a barrier to the adoption of EMRs. (Excerpt from news story by Joe Vanden Plas)

[source: Wisconsin Technology Network]

McAfee: RFID chips exposing users to danger

(2007-04-23) [ComputerWorld] The current generation of radio frequency identification (RFID) technology is vulnerable to eavesdropping, cloning and forging.

That's according to an April security trends report (download PDF) from security software vendor McAfee Inc. The Sage report is issued semiannually by McAfee Avert Labs based on its research into high-tech threats. (Excerpt from news story by Marc L. Songini)

[source: Security]

Tragedy spurs renewed interest in mining Internet to spot killers

(2007-04-23) [New Jersey On-Line LLC] Can Internet search technology identify psychopaths before they commit atrocities like last week's Virginia Tech massacre?

The government already is pursuing a range of controversial "data-mining" projects, meant to scour Web sites and documents for subtle patterns and associations that might flush out terrorists. (Excerpt from news story by Kevin Coughlin)


Europe makes 'progress' on police data protection

(2007-04-23) [The Register] The European Council has swept aside widespread reservations about its proposals for a police data protection law.

The German Presidency of the European Union claimed in a statement last week that its revised proposal for data protection in the third pillar had been so well received by other member states that it might even make "significant progress" on the measure by the end of its tenure in July. (Excerpt from news story by Mark Ballard)

[source: News]

Privacy Groups: Double-Check DoubleClick Deal

(2007-04-23) [CIO Today] On Friday, three consumer privacy groups filed a complaint with the Federal Trade Commission, asking the government's main consumer protection agency to take a close look at Google's planned $3.1 billion purchase of online advertising giant DoubleClick.

In their complaint, the Electronic Privacy Information Center (EPIC), the Center for Digital Democracy (CDD), and the U.S. Public Interest Research Group (U.S. PIRG) allege that "the acquisition of DoubleClick will permit Google to track both a person's Internet searches and a person's web site visits." (Excerpt from news story by Frederick Lane)

[source: News]

CDT Unveils Draft Identity Principles

(2007-04-23) [CDT] As information-gathering technology improves and governments seek to bolster their capacity to identify individuals, questions surrounding how to manage individual identity have mounted.

CDT today officially unveiled its draft Privacy Principles for Identity in the Digital Age, which seek to address those issues in a way that takes into account privacy, security, as well as the broader issues associated with identity. CDT Deputy Director Ari Schwartz discussed the principles at the Federal Trade Commission workshop "Proof Positive: New Directions for ID Authentication."

[source: News]

EU police data-sharing plan draws criticism

(2007-04-19) [InfoWorld] Plans by several European Union member states to establish a system for sharing police data have drawn criticism from the region's data-protection watchdog.

European Data Protection Supervisor (EDPS) Peter Hustinx warns that the proposal, in its current form, still lacks safeguards to ensure sufficient data protection for the public. "The proposal is very open on crucial points," Hustinx said. "We need a framework of common rules before we can move ahead." (Excerpt from news story by John Blau)

[source: News]

Study finds U.S. teens limit social-networking data

(2007-04-18) [MIT Technology Review] U.S. teenagers generally do not think twice about including their first names and photos on their personal online profiles on social networking Web sites, but most refrain from using full names or making their profiles fully public, a new survey finds.

The Pew Internet and American Life Project reported Wednesday that two-thirds of teens with profiles on blogs or social-networking sites have restricted access to their profiles in some fashion, such as by requiring passwords or making them available only to friends on an approved list.

[source: Blogs]

Privacy concerns dog Google-DoubleClick deal

(2007-04-17) [CNet] There is growing unease among consumer privacy advocates over Google's proposed $3.1 billion acquisition of DoubleClick.

How will the search-advertising powerhouse treat the massive amounts of data it already stores on people's search histories, once it also has at its disposal a storehouse of data on people's surfing habits from DoubleClick, the No. 1 digital ad-serving company? (Excerpt from news story by Stefanie Olsen)


Choosing fingerprints over library cards

(2007-04-13) [IDG Magazines Norge AS] Forgetting your library card is a thing of the past at Ringkøbing Bibliotek. Now it is the finger that counts. The library has begun testing the use of fingerprints for borrowing books, writes Computerworld Danmark.

The library has launched a project in which users borrow books by identifying themselves with their fingerprint. The aim of the project is to make the library easier to use, and at the same time the municipality wants to gain experience with the use of biometrics. "It has been overwhelmingly well received. We already have around 500 users," says library director Per Høgh of Ringkøbing Bibliotek. (By: Nard Schreurs)

[source: ComputerWorld/no]

New event: Seminarium om personlig integritet

(2007-04-30) "Seminarium om personlig integritet" will take place on June 4, 2007 (Kista, Sweden).

See calendar entry.

New event: First International Workshop on Sustaining Privacy in Autonomous Collaborative Environments (SPACE 2007)

(2007-04-30) "First International Workshop on Sustaining Privacy in Autonomous Collaborative Environments (SPACE 2007)" will take place on July 30, 2007 (Moncton, New Brunswick, Canada).

See calendar entry.

Privacy is the last thing we need

(2007-04-22) [FairfaxDigital] The so-called right to privacy has become so bloated that it is endangering the right to life of Victorians. In the latest scandal, the Department of Human Services omitted to tell police the identities of HIV-positive men suspected of deliberately trying to spread AIDS.

For the past few years, our confused Government has been talking up the notion of human rights at the expense of the common good. This culminated in the Charter of Human Rights, which took effect this year and is the first in Australia. Taking pride of place in the charter is the right to privacy (section 13). Even before the charter, the right to privacy was harming Victorians. It shielded some of the most depraved who had harmed some of the most vulnerable. (Excerpt from opinion by Mirko Bagaric)


Google's data-storing feature fuels privacy fears

(2007-04-21) [Los Angeles Times] Facing worries about its tracking Web surfers' every move, Google Inc. is now offering a feature to track Web surfers' every move.

Its free Web History service is strictly voluntary -- Google users can sign up to have the Internet giant keep detailed records of every website they visit so they can easily find them again later. The feature is similar to that offered by Web browsers, except the data are stored on Google's servers instead of users' computers and there's no set time after which it is erased. (Excerpt from news story by Joseph Menn)


Google draws privacy complaint to FTC

(2007-04-20) [CNet] Three public-interest groups are expected to file a joint complaint on Friday with the Federal Trade Commission calling for an investigation into the potential threat to consumer privacy posed by Google's planned acquisition of DoubleClick.

The Washington-based Electronic Privacy Information Center (EPIC), along with the Center for Digital Democracy (CDD) and the U.S. Public Interest Research Groups (U.S. PIRG), are asking the FTC to stop the $3.1 billion merger until the trade commission investigates Google's data collection and storage practices, orders DoubleClick to sweep out its data storehouse and requires the search giant to offer a public plan for safeguarding consumer privacy. (Excerpt from news story by Stefanie Olsen)


Book Review: "A Crowd of One: The Future of Individual Identity"

(2007-04-20) [EPIC] Melissa Ngo reviews "A Crowd of One: The Future of Individual Identity" (by John Henry Clippinger. PublicAffairs, 2007, ISBN 978-1-58648-367-8).

Quote: In "A Crowd of One," John Henry Clippinger, an expert on identity and Senior Fellow at the Berkman Center for Internet & Society at Harvard Law School, says his motivation for the book comes from the traditional model for influence, force, and "its instant power and its limitations." Clippinger explores alternative forms of influence, "in pursuit of the ultimate 'virtuous circle,' that might under the right conditions yield trust, reciprocity, and the will to not go to war." The key decisions that we make in life are not necessarily rational, because our personal identity is derived from our relationships with others, and we must understand those social connections.

[source: EPIC Alert, Volume 14.08]

European Human Rights Court Protects Workplace Privacy

(2007-04-20) [EPIC] The European Court of Human Rights issued a decision regarding employees' right to privacy in their correspondence sent from a workplace. In Copland v. The United Kingdom, the Court found that the monitoring of a public employee's telephone, email, or Internet interferes with the right to privacy guaranteed by Article 8 of the European Convention on Human Rights.

Article 8 states that "everyone has the right to respect for his private and family life, his home and his correspondence." The decision prohibits surveillance of private communications in the workplace if there is no legal basis for the monitoring.

[source: EPIC Alert, Volume 14.08]

Montana and Washington Formally Reject REAL ID Act

(2007-04-20) [EPIC] This week, Montana and Washington became the first two states to formally reject the REAL ID Act. Previously, Maine, Idaho, and Arkansas passed resolutions declaring opposition to REAL ID, but the laws passed by Montana and Washington go further. Montana's law declares that it "will not participate in the implementation" of REAL ID and prohibits the state from implementing any changes related to the national identification system.

Washington's bill forbids use of state funds unless certain protections, including privacy and security safeguards, are met. About 20 states are debating similar legislation. Controversy continues to surround the national ID scheme, and the public is invited to comment on the Department of Homeland Security's draft regulations to implement the REAL ID Act. The deadline for public comment is May 8, 2007.

[source: EPIC Alert, Volume 14.08]

North Dakota Is Second State to Ban Forced RFID Implantation

(2007-04-20) [EPIC] North Dakota has become the second state to ban forced RFID implantation in humans. The law makes such action a "Class A misdemeanor," but penalties for violating the law have not been set. Wisconsin passed similar legislation last year.

However, voluntary implantation is still permissible under the North Dakota law, and the two-line bill does not address what is considered "voluntary." EPIC has repeatedly warned against the use of RFID to identify individuals, highlighting the risk that people could be tracked in real-time.

[source: EPIC Alert, Volume 14.08]

Pew Reports on Teens' Online Activity

(2007-04-20) [EPIC] The Pew Internet & American Life Project released a report on teens' management of their online identities. Entitled "Teens, Privacy and Online Social Networks: How teens manage their online identities and personal information in the age of MySpace," the report is based on surveys and focus groups of teenage social network software users. Pew has conducted previous studies on online dating and wired seniors.

The report concludes that the majority of teens who have online profiles manage them in order to protect sensitive information. Providing a first name and photo are standard, but rarely is information given out that would allow an individual to physically locate a teen. Girls are more concerned about the release of information than boys. Over half of teens protect their privacy by posting false information. A quarter of teens have made friends online, and 1/3 have been contacted by a stranger via social networking. The survey further found that teens are aware of the differences in sharing information offline and posting it online.

[source: EPIC Alert, Volume 14.08]

Justice Department Proposes Vast Expansion of Domestic Surveillance

(2007-04-20) [EPIC] The Justice Department released a legislative proposal to amend the Foreign Intelligence Surveillance Act (FISA). The law would allow the president "acting through the Attorney General, may authorize electronic surveillance without a court order under this title to acquire foreign intelligence information for periods of up to one year." The president would also have the power to approve physical searches under the proposed amendment.

The proposed legislation would remove the terms "wire" and "radio communication" from the current legislation, and amend the definition of electronic surveillance as follows: "electronic surveillance would mean: (1) the installation or use of an electronic, mechanical, or other surveillance device for acquiring information by intentionally directing surveillance at a particular, known person who is reasonably believed to be located within the United States under circumstances in which that person has a reasonable expectation of privacy and a warrant would be required for law enforcement purposes; or (2) the intentional acquisition of the contents of any communication under circumstances in which a person has a reasonable expectation of privacy and a warrant would be required for law enforcement purposes, if both the sender and all intended recipients are reasonably believed to be located within the United States." This amendment would capture a wider range of communications technologies, and provides for future innovations.

[source: EPIC Alert, Volume 14.08]

Google draws privacy complaint to FTC

(2007-04-20) [CNet] Three public-interest groups are expected to file a joint complaint on Friday with the Federal Trade Commission calling for an investigation into the potential threat to consumer privacy posed by Google's planned acquisition of DoubleClick.

The Washington-based Electronic Privacy Information Center (EPIC), along with the Center for Digital Democracy (CDD) and the U.S. Public Interest Research Groups (U.S. PIRG), are asking the FTC to stop the $3.1 billion merger until the trade commission investigates Google's data collection and storage practices, orders DoubleClick to sweep out its data storehouse and requires the search giant to offer a public plan for safeguarding consumer privacy. (Excerpt from news story by Stefanie Olsen)


Tool mines personal data from across Net

(2007-04-19) [CNet] Who needs to dive through dumpsters or steal snail mail when so many details on people are available simply by searching the Web?

South African security researcher Roelof Temmingh, known for his work on security tools such as Wikto, is taking the search for personal information a step farther. (Excerpt from news story by Joris Evers)


Pew Reports Most Teens Proactive in Seeking to Maintain Online Privacy

(2007-04-19) [Davis Wright Tremaine LLP] The Pew Internet & American Life Project has issued a report indicating that even teenagers who are very active on the Internet are careful to limit the personal information they place online out of concern over keeping sensitive data out of the hands of strangers, parents, and other adults.

While almost two thirds of teenagers with online profiles acknowledged that someone hunting for information, armed with the right tools and incentive, could identify them based on information in their online profiles, most reported taking steps to make such identification more difficult, such as declining to post a full name, home phone number or cell phone number. The report is among the first in-depth looks at the privacy-related awareness and practices of teenagers that avidly use social networking sites such as MySpace or Facebook. (Excerpt from post by Ronald London)

[source: Privacy and Security Law Blog]

Google to strengthen Calendar privacy warnings

(2007-04-19) [ComputerWorld] Google Inc. is working on making privacy warnings around its Calendar application stronger amid concerns that some users of the service may unintentionally be exposing more information than they mean to.

The Web-based calendar was launched last year. Similar to other desktop calendar applications, it allows users to store event information, contacts and other data. The information is kept online by Google and can be accessed over the Net from anywhere. Users have the choice of making their calendar entries private -- the default choice -- or allowing public searches of the information. (Excerpt from news story by Jaikumar Vijayan)

[source: Security]

Consumer data protection faces legal, tech hurdles

(2007-04-18) [InfoWorld] Lawmakers and technology providers concede that they must create stronger mechanisms to improve protection of electronic consumer records, but claim that members of private industry must aid in the effort if those plans are to succeed.

At the ongoing Authentication and Online Trust Alliance (AOTA) Summit 2007, being held here April 18-19, experts from both communities cited shortcomings in their abilities to prevent online attacks aimed at stealing consumer data. (Excerpt from news story by Matt Hines)

[source: News]

Peter Cochrane's Blog: Heathrow's iris scan failure

(2007-04-18) [CNet] For nearly a year I have considered joining the iris-scanning security trial at Heathrow Airport. But I have so far managed to miss every opportunity. How come?

The traveller going through the iris scan enters the booth with full confidence. Then the 'dance of the immature technology' begins. Move closer, move to the left, stand further back, look up, look down and so on. The traveller is then asked to leave the booth, re-enter and start again. This dance is repeated until an attendant arrives to reboot the technology. (Excerpt from news story by Peter Cochrane)


Google Vows to DoubleProtect Consumer Privacy

(2007-04-17) [Wired] When Google announced its purchase of the internet's largest placer of banner ads, DoubleClick, last Friday for $3.1 billion in cash, the search and text-ad giant took a big step closer to online omniscience, and immediately drew the ire of privacy advocates and competitors.

Google's acquisition of the ad company -- which pioneered the business of tracking consumers from website to website -- will make it even easier for Google to create profiles on internet users, without being transparent about what it is doing, charges Jeffrey Chester of the Center for Digital Democracy. (Excerpt from news story by Ryan Singel)

[source: News]

California Senate fights RFID tracking for schoolkids

(2007-04-17) [The Register] California's state Senate struck a major blow against the enemies of mankind in the inevitable war against The Machines.

Legislation approved Monday would prohibit public schools from requiring the implementation of radio-wave devices that broadcast students' personal identification and monitor their movement around campus -- information the mechanical horrors could theoretically use to turn our children into livestock. (Excerpt from news story by Austin Modine)

[source: News]

Facial recognition 'proven' as airport crowd filter

(2007-04-17) [The Register] Facial recognition cameras have been proven as a means of spotting wanted people in crowds, claimed LogicaCMG.

However, the proof was limited and the owners of public venues have proven reluctant to pay for the technology because they believe their business is entertainment rather than security. (Excerpt from news story by Mark Ballard)

[source: News]

Employers warned on e-mail spying

(2007-04-17) [BBC] A new ruling which said a college had breached a woman's privacy by secretly monitoring her e-mails, means employers cannot spy on staff, say legal experts.

Lynette Copland, who works at Carmarthenshire College in west Wales, successfully sued her employer for breaching the Human Rights convention.

[source: News]

UK consumers demand data breach disclosure

(2007-04-17) [CNet] UK consumers are demanding companies that suffer data security breaches must let their customers know.

The majority of respondents to a survey carried out by Ipsos MORI for database security company Secerno felt institutions that have suffered a breach should inform customers automatically, with more than 82 per cent expecting to be informed of any data loss. (Excerpt from news story by Jo Best)


FIRST Conference puts Spotlight on Digital Privacy

(2007-04-17) [ENISA] Around 400 of the world's top computer and Internet security practitioners are expected to come to Spain for the 19th Annual Conference of FIRST (the Forum of Incident Response and Security Teams). This year's event will be held at Seville's Melia Sevilla Hotel from 17-22 June. The conference theme is related to the hazards and responsibilities of digital privacy: 'Private Lives and Corporate Risk'.

"Privacy is now the hottest topic in our business", explained conference joint organiser, Ian Cook. "We know that so much damage has been done by accidental losses and leaks or deliberate thefts, with millions of innocent people exposed to fraud and identity theft, that governments all over the western world are planning new laws to regulate public and private bodies and force them to go public when their data bases are lost, leaked or violated. The consequences of that, in reputation terms alone, for those 'named and shamed' will be catastrophic." Read more in ENISA Quarterly vol 3 no 1.

[source: News]

Latest national research reveals lack of consumer trust in the security of personal data in the UK

(2007-04-17) [Daryl Willcox Publishing Ltd.] UK company Secerno, the technology leader in data security, today announced the results of an independent survey of over 1,200 UK consumers reviewing their concern on the issue of personal data theft.

The survey, conducted by Ipsos MORI, reveals that 91% of the country is bothered about the protection of their personal data. The recent publicity on international breaches, such as the TJX/TKMaxx data loss, seems to have had a dramatic impact on the UK consumer. More than half would take their custom elsewhere in the event of such a data loss.

[source: Response Source]

Health information privacy is crucial

(2007-04-17) [CanWest Interactive] Your sixth toe is a medical secret and no one needs to know about it, according to experts at Monday's Prairie Health Information Privacy conference in Regina.

"For most of us the most sensitive and prejudicial information is about our health," said Gary Dickson, the Saskatchewan Information and Privacy commissioner. (Excerpt from news story by Matthew Barton)

[source: Leader Post]

Google plan raises privacy issue

(2007-04-17) [Los Angeles Times] Google Inc.'s purchase of DoubleClick Inc. would create the world's single largest repository of details about people's behavior online, an unnerving prospect for some privacy experts.

The $3.1-billion acquisition would combine two companies with massive troves of information about most people who use the Internet. "This is something that is concerning," said Kurt Opsahl, an attorney with the nonprofit Electronic Frontier Foundation. (Excerpt from news story by Joseph Menn)


Not all agree with privacy week's focus

(2007-04-16) [Crain Communications, Inc.] Who can argue with a week devoted to "raising awareness among healthcare professionals, their employers and the public of the importance of protecting the privacy, confidentiality and security of personal health information?"

Deborah Peel, an Austin, Texas, psychiatrist and founder of the Patient Privacy Rights Foundation, that's who. Peel is arguing about the focus on personal health records and other nuances of the privacy debate that the American Health Information Management Association put forth as part of its fourth annual Health Information Privacy and Security Week, which was held last week. (Excerpt from news story by Andis Robeznieks)

[source: Modern Healthcare Online]

Invasion of the identity snatchers

(2007-04-16) [The Buffalo News] In February, Hank and Roma Gerbus received an odd phone call. Last year, the Cincinnati couple had had their computer hard drive replaced at a local Best Buy store and were assured that the old drive would be destroyed. But in February, the couple heard from a Chicago man who said that he had bought their old hard drive at a flea market and that their Social Security numbers were still intact.

Such corporate and government security breakdowns that could lead to identity theft have become almost routine. Since early last year, personal information has been put at risk by 138 security breaches at private companies and government agencies, according to the Privacy Rights Clearinghouse, a San Diego nonprofit. Recently, in the largest known threat to date, a Department of Veterans Affairs laptop computer was stolen, exposing 28.6 million current and former military personnel to potential identity theft. (Excerpt from news story by Steve Alexander)

[source: News]

Bill Would Require Disclosure of Data Mining Programs

(2007-04-16) [CDT] Last week, the Senate Judiciary Committee approved the Federal Agency Data Mining Reporting Act (S. 236). The bi-partisan legislation would require federal agencies to report to Congress on their data mining activities.

"This would be an important first step in setting reasonable limits on data mining," said Jim Dempsey, CDT policy director. "Currently, Congress and the public have no clear picture of what data mining programs are even in operation." S. 236 also would require the Administration to assess the effectiveness of each program. Similar language was included earlier this year in the Senate-passed bill on the recommendations of the 9/11 Commission.

[source: News]

[Norwegian] Court of Human Rights: Surveillance in violation of human rights

(2007-04-16) [Datatilsynet] Monitoring of email, internet use and telephone calls without notice and a clear legal basis violates the European Convention on Human Rights.

A woman who worked at Carmarthenshire College in Wales was subjected to monitoring of logs of her telephone calls, emails and internet use. The workplace had no guidelines for such monitoring, and the employee had not been informed either.

[source: News]

Calif. Lawmakers to Vote on Five Bills to Regulate RFID Technology

(2007-04-09) [ComputerWorld] The California State Senate is expected to vote as early as this week on several bills that would regulate the use of radio frequency identification (RFID) technology in government documents.

Similar legislation was approved by the state legislature last year only to be vetoed by California Gov. Arnold Schwarzenegger in October. At the time, Schwarzenegger said he rejected the Identity Information Protection Act of 2006 because it could be overly restrictive to state agencies. (Excerpt from news story by Marc L. Songini)

[source: Mobile & Wireless]

Privacy Advocate Pushes to Protect Data in Public Records

(2007-04-09) [ComputerWorld] For nearly five years, Betty "BJ" Ostergren -- a feisty 57-year-old former insurance claims supervisor -- has led a one-person crusade to persuade county and state government officials to stop posting public records containing Social Security numbers and other personal data on their Web sites.

Last month, Ostergren persuaded the secretaries of state in Colorado and Arizona to break links to some commercial and tax lien documents. And last week, she began putting public pressure on Massachusetts Secretary of State William Galvin to do the same thing. Ostergren, who lives in Virginia, spoke with Computerworld about her privacy campaign last week. Excerpts follow: (Excerpt from news story by Jaikumar Vijayan)

[source: Security]

German minister wants access to private computers

(2007-04-05) [Expatica Communications BV] German Interior Minister Wolfgang Schaeuble has confirmed plans to seek a change to the constitution to allow the state secret access to the computers of private individuals, in an interview published Thursday.

"Under certain conditions it must be possible for the Federal Criminal Police Office to search computers in secret," Schaeuble told the Handelsblatt newspaper.

[source: Expatica]

Webcast: The Impact of RFID

(2007-04-01) [MIT Technology Review] What is the future of RFID? We have in this webcast assembled an expert panel of experts in the field to explore the current state of RFID and the future impact of this revolutionary technology. Watch this webcast to learn more about the promise of RFID and how it can impact your bottom line.

Learn about important developments in RFID, such as: Solutions to privacy concerns; Important data management tactics for your business; RFID cost and size reductions and what that means for you; and Important implications for the environment and our safety.

[source: News]

Washington Rejects REAL ID

(2007-04-16) [EFF] The state of Washington recently passed legislation rejecting implementation of the costly, privacy-invasive REAL ID Act. REAL ID essentially forces states to create a national ID, requiring standardization of drivers' licenses and the creation of a vast national database linking all of the ID records together.

Thankfully, there's a growing chorus of opposition to this misguided federal mandate -- Washington is the fourth state to reject its implementation, and Congress is considering repealing it.

[source: News]

U.S. Watch Lists Sow Frustration and Fear

(2007-04-16) [Wired] [A] growing club of American citizens' lives have been touched by a slew of government watch lists proliferating with little oversight or redress mechanisms since the 9/11 attacks. Containing, by some estimates, hundreds of thousands of names submitted by dozens of agencies, the lists have not only snagged people like Kushigian -- who wind up on them for mysterious reasons -- they've also stigmatized and inconvenienced thousands of others whose names happen to be similar to an entry on the list.

The issue returned to national debate last week after one of the nation's most respected constitutional law professors was told by an airline official that he'd been placed on a watch list for his criticism of the president, a claim that U.S. officials deny. (Excerpt from news story by Ryan Singel)

[source: News]

A Watch List Is Born

(2007-04-16) [Wired] Prior to the airline hijackings on Sept. 11, 2001, the Federal Aviation Administration's "no-fly list" contained 11 names.

Soon after the attacks, the Transportation Security Administration was created, and given direct authority over airline security screening and the watch list. The list soon began to expand almost daily, according to government documents. The last credible report on the list put its length at 119,000 names, though the TSA says it has since narrowed it to a smaller number that must remain a secret. (Excerpt from news story by Ryan Singel)

[source: News]

Privacy worries prompt scrutiny

(2007-04-15) [Canoe Inc] Canada's independent watchdog for privacy rights is expressing concerns over justice, health and other sensitive government records being managed by private companies.

"It's something we'll be looking at more in the future," said privacy commissioner Jennifer Stoddart. "It's of increasing concern to us." (Excerpt from news story by Alan Findlay)

[source: cnews]

Workgroup may propose extending HIPAA to health info exchanges

(2007-04-13) [1105 Media, Inc.] A workgroup of the American Health Information Community is likely to recommend in May that the privacy and security rules associated with the Health Insurance Portability and Accountability Act of 1996 be extended to apply to almost all users of health information exchanges.

Although AHIC's Confidentiality, Privacy and Security Workgroup is still debating the exact wording, members did not take issue with the intent of the recommendation during an April 12 meeting at the Department of Health and Human Services headquarters in Washington. (Excerpt from news story by Nancy Ferris)

[source: Government Health IT]

Sweden 'breaking EU privacy rules'

(2007-04-13) [The Local Europe AB] Sweden is breaking EU law by making people's personal details public, according to a lawyer who is suing the Swedish state.

The state is being taken to court by a man from Stockholm who received a demand for payment from the Swedish Enforcement Authority (Kronofogden), which was acting on behalf of someone who wanted to exact revenge on the man.

[source: News]

Mining our own business

(2007-04-13) [Blethen Maine Newspapers, Inc.] A doctor's office is a private place. Patients would never assume their treatment and conditions are being used in sophisticated drug company marketing schemes targeted at their doctor. But that's what is happening.

Without physicians' consent, private companies make millions of dollars buying and selling information about which drugs doctors prescribe for their patients. What many patients and doctors think is confidential information protected by law, is actually for sale to pharmaceutical companies. Those companies then use it to influence prescribing choices made by physicians through aggressive direct marketing.

[source: Kennebec Journal]

Australian ISP's Spam Solution: Block Gmail Messages

(2007-04-12) [techdirt] You might remember that some time ago, Verizon tried a novel way to cut down on the amount of spam its customers received -- by blocking most foreign email. Though it eventually dropped the policy (after a lawsuit), the company's anti-spam practices still leave a lot to be desired.

Meanwhile, over in Australia, incumbent telco Telstra was blocking messages sent from Gmail, claiming Google doesn't do enough to stop spam being sent from the service. Rather than being a fair indictment of Gmail, this simply sounds like an admission that Telstra's simply not up to the task of adequately dealing with spam -- after all, it's hard to see how simply blacklisting messages from such a large email provider could really be seen as an adequate solution. If anything, it will just drive users away from Telstra's service and to Gmail.

[source: blog]

FBI wants years to cough up privacy records

(2007-04-12) [Tacoma News, Inc.] The oldest reported Freedom of Information Act request in the federal government resides at the Justice Department and is 18 years old -- or, as the National Security Archive, a research group that tracks these things, likes to say, "old enough to enlist in the Army and go to Iraq."

So perhaps it should be no surprise that the FBI has just told a federal court that it will need until 2013 to fully process a request for information from the Electronic Frontier Foundation, a privacy organization. The group sued the Justice Department last fall under FOIA for records that detail how the FBI protects privacy while collecting hundreds of millions of personal records in its Investigative Data Warehouse, a database used for counterterrorism purposes. (Excerpt from news story by Ellen Nakashima)

[source: The News Tribune]

Panelists Debate Online Anonymity

(2007-04-12) [Harvard Law School] After weeks of debate over the pros and cons of online anonymity, several groups, including The Dean of Students Office, HLS Student Government, HLS ACLU, Women's Law Association, Journal of Law and Gender, JOLT, and Stop DV, organized a panel discussion on the subject on Thursday, April 5 in Langdell North.

The panel, moderated by Professor Charles Nesson, sought to address the following issues, as stated on the event's wiki: "Open forums with anonymous postings discussing issues relating to law school, such as AutoAdmit, have become more prevalent on the Internet. Do targets of offensive postings have the right to have such material removed? Are these attacks, or are they just expressions of free speech? These questions and more will be discussed by a panel representing a wide range of views from free speech issues to anti-defamation issues, women's issues, and internet capabilities and responsibilities." (Excerpt from news story by Anna Brook)

[source: The Record]

EU data protection chief slams police data sharing treaty

(2007-04-12) [The Register] The European Commission, pushed by the European Council, neglected its statutory obligation to ensure its initiatives are democratically accountable, transparent, and planned wisely when considering plans for police data sharing, the European Data Protection Supervisor (EDPS) said yesterday.

The EDPS took the unusual step of speaking out of turn on the Treaty of Prüm, a legislative measure designed to give European police forces a legal basis for sharing data with one another. There's nothing wrong with sharing data to catch baddies, but the framework has been knocked up in such a hurry since the treaty was signed in May 2005 that the EDPS is worried it pays scant regard to the liberties of ordinary people. (Excerpt from news story by Mark Ballard)

[source: News]

Monitoring staff email, internet? Read on...

(2007-04-12) [CNet] Monitoring employees' internet and telephone use at work may contravene human rights laws, after a landmark case in the European Court of Human Rights last week.

The case involved a public-sector employee, who won Euro 3,000 in damages and Euro 6,000 in court costs and expenses, after her communications were intercepted by her employer, Carmarthenshire College, based in South Wales. (Excerpt from news story by Tom Espiner)


The fine art of data destruction

(2007-04-12) [ComputerWorld] Amid mounting legislation and a steady flow of horror stories -- about identity theft, lost tapes, stolen credit-card data, and the unintended exposure of private data after used hard drives, cell phones and PDAs are sold on eBay -- it behooves companies to protect sensitive or government-regulated personal information throughout its life cycle.

Experts maintain that, just as it is developed for data in flight and data at rest, policy should be developed for end-stage data disposal or data destruction. (Excerpt from news story by Michele Hope)

[source: Storage]

E-mail monitoring may violate European laws

(2007-04-12) [CNet] Monitoring employees' Internet and telephone use at work may contravene human rights laws in Europe, according to a ruling in a landmark case in the European Court of Human Rights last week.

The case involved a public-sector employee who won $5,910 in damages and $11,820 in court costs and expenses after her communications were intercepted by her employer, Carmarthenshire College, based in South Wales. Lynette Copland successfully took the U.K. government to court after her personal Internet usage and telephone calls were monitored by one of her bosses in 1999. (Excerpt from news story by Tom Espiner)


[Swedish] Guidance for municipalities: Checklist for secure e-government

(2007-04-12) [Datainspektionen] It is becoming increasingly common to book special transport services and to apply for a preschool place or for various upper secondary programmes on the web. The paper society will soon be just a memory, and many municipalities are working intensively to develop their e-government. But how do they build an efficient and legally secure e-government with the citizen's privacy in focus?

Datainspektionen has studied the development and produced a guidance document to point out privacy risks. The guidance focuses on the systems that make personal data more easily accessible and on the demands this places on municipalities. Practical advice is given in various checklists on how to handle electronic document and case management, e-services, the use of geographic information systems (GIS) and inter-municipal cooperation.

[source: Info]

[Norwegian] Standard contracts and consent to the use of personal data

(2007-04-12) [Datatilsynet] Many businesses include terms in their standard contracts on the later use of personal data for marketing. This is problematic from a privacy standpoint.

Standard contract terms are often used when consumers enter into various contractual relationships. To get a bank account, various loyalty cards, insurance, a mobile subscription etc., you are usually required to enter into a standard contract with the business offering you the service. Recently it has become common for a so-called "personal data clause" to be included in these contracts. In line with the duty to inform under the Personal Data Act (personopplysningsloven), this clause states which of your personal data will be used for what, and that by entering into the contract you consent to this use. There is a consistent trend of businesses wanting to "secure" themselves with regard to possible future use of the data, particularly in relation to marketing activities. This shows in the fact that the consumer, by entering into the contract, must at the same time accept that his or her collected personal data is used for marketing purposes, including being disclosed to external partners. To receive a service that the consumer needs, he or she must in practice also accept the use of his or her own personal data for marketing purposes.

[source: News]

CoE to address the impact of technical measures on human rights

(2007-04-12) [EDRI] With its seventh meeting held on 26-27 March 2007 in Strasbourg, the Council of Europe Group of Specialists on Human Rights in the Information Society (CoE MC-S-IS) is pursuing its mandate for another two-year period, as affirmed in its revised terms of reference. There are few changes in the group composition among voting members (member states of the CoE).

EDRI remains a non-governmental observer to the MC-S-IS group. For 2007, the group elected as chairman Thomas Schneider (Swiss federal office of communications), who, inter alia, has been active in the Swiss delegation to WSIS and then to IGF, and as vice-chairman Michael Truppe, from the Austrian Federal Chancellery.

[source: EDRI-gram, Number 5.7]

Monitoring employee's Internet breaches human rights, says ECHR

(2007-04-12) [EDRI] The Welsh Government, through Carmarthenshire College, was found in breach of human rights by the European Court of Human Rights (ECHR) for having monitored the e-mails, internet traffic and telephone calls of one of the college's employees.

As the College is publicly funded, Lynette Copland sued the government for infringing Art.8 of the European Convention on Human Rights that says "everyone has the right to respect for his private and family life, his home and his correspondence".

[source: EDRI-gram, Number 5.7]

One third of people will resist ID checks, Government predicted

(2007-04-11) [PinsentMasons] One in three people will resist identity checks according to Government figures. The just-released statistics predict a widespread revolt over identity cards, but the Home Office has dismissed the figures as irrelevant and out of date.

In 2004 Mark Oaten, the then Liberal Democrat spokesman on home affairs, asked for figures to be published on the assumptions being made by Government about ID cards' use. The Government refused. Oaten's request was backed by the Information Commissioner and an Information Tribunal and the figures have now been released.


DNA database 'will span most of the UK population'

(2007-04-11) [PinsentMasons] The Government's DNA retention policy combined with increasingly sophisticated statistical techniques means that eventually most citizens in the UK will be linked to data stored on the police's DNA database, according to a privacy law expert.

The outcome of an appeal to the European Court of Human Rights (ECHR) that challenges the UK's DNA retention policy will not limit the ultimate reach of the DNA database, only the speed of its compilation, says Dr Chris Pounder of Pinsent Masons.


[Norwegian] Monitoring of gambling behaviour

(2007-04-11) [Datatilsynet] "Datatilsynet has not been aware of the plans for detailed monitoring of each individual player on the gaming machines, as Norsk Tipping claims," says department director Knut-Brede Kaspersen of Datatilsynet.

The claims were made by Norsk Tipping's director Reidar Nordby on the NRK programme Standpunkt on 10 April 2007. It was also claimed that Datatilsynet "is part of the whole player card concept" of Norsk Tipping. The claims were made in connection with a presentation of a planned connection of all machines into a network with real-time monitoring of each individual player's behaviour.

[source: Nyhet]

[Swedish] New issue of Magazin DIrekt -- 1/2007

(2007-04-11) [Datainspektionen] A free-for-all under the new PuL? The "new PuL" came into force on 1 January, and we report on some decisions that will serve as guidance. So far these have mostly concerned processing that is no longer covered by the handling rules. Is it a free-for-all to register data, then? Not always. The processing can be a violation of privacy and therefore prohibited.

Also in this issue: IT manager wearing two hats; Authorities must encrypt; "Snitch site" is legal; IP numbers are personal data; and Inadequate information led to invalid consents. You can download Magazin DIrekt 1/2007 (640 kb)

[source: Nyheter]

Shoppers risk their information online

(2007-04-10) [VNU Business Publications Ltd] British consumers are happy to put their personal and financial information at risk if it means saving time on the internet, according to a survey by consultancy The Aziz Corporation.

Seventy two per cent acknowledge that there are risks involved with having personal information stored by web sites, but believe they are not great enough to outweigh the benefits of having their details and preferences ready to be quickly retrieved on sites they use regularly. (Excerpt from news story by Tom Young)


Steve Gibson to Keynote Anti-Spyware Coalition Workshop

(2007-04-10) [CDT] Spyware expert Steve Gibson will keynote the Anti-Spyware Coalition's third public workshop June 27th, 2007 at Harvard University Law School in Cambridge, Mass., the ASC announced today.

Gibson is CEO of Gibson Research Corporation, a security software firm, and an outspoken proponent of giving consumers greater control over their computers. Following the same format as last year's successful public meetings, the June workshop provides an opportunity for the public to meet with the members of the ASC, discuss the issues affecting the anti-spyware industry and give feedback to the ASC on its work and public documents. CDT coordinates ASC activities.

[source: News]

Invention: All-knowing browser

(2007-04-10) [New Scientist] Ever given false information when prompted for personal details by a website? Don't worry, the US copying and computing company Xerox hopes to eliminate that kind of questioning because it believes it can get the information without even asking.

Even if you choose not to reveal who you are, Xerox says it can determine demographic information such as your age, sex and perhaps even your income by analysing the pattern of pages you choose to access on the web and comparing them to a database of surfing patterns from other users with a known background. (Excerpt from news story by Justin Mullins)

[source: News]

Facial recognition technology enters new era

(2007-04-10) [Security Document World] Results from the highly-anticipated Face Recognition Vendor Test (FRVT) 2006 have been released by the USA's National Institute of Standards and Technology. The improvement in facial recognition was impressive and should go some way to changing conceptions that facial recognition technology is not an accurate enough technology for one-to-one verification applications.

In 1993, at a false accept rate of 0.001 (letting in one person falsely out of every one thousand impostor attempts) the false reject rate (the ratio of people turned away falsely by the system) was 0.79. By 1997 the FRR had fallen to 0.54 and then again to 0.20 in 2002. In the latest tests this figure had dropped to 0.01 (achieved by Neven Vision on the very high resolution still images in the trials and Viisage on the 3D images).

[source: News]

All Your Data Belongs to Us

(2007-04-10) [MIT Technology Review] Data servicing is another problem for data privacy.

There are many documented cases in which a reputable service center nevertheless allowed the data from a customer's machine to leak back into the datasphere. Last year there were reports in the media about a hard drive that had been taken to a major electronics store for warranty repair, and it ended up being sold (with most of its data intact) at a swap fest. (Excerpt from blog post by Simson Garfinkel)

[source: Blogs]

Experts eye up iris recognition

(2007-04-10) [VNU Business Publications Ltd.] Iris recognition is destined to become the most used and researched biometric technology, according to industry experts.

US-based technology strategy and research consultancy, Acuity Market Intelligence, will make the upbeat prediction in its forthcoming market report, The Future of Biometrics. The research reveals that iris recognition will rapidly evolve in capabilities and ease of use over the next 10 to 15 years catapulting the technology to the forefront of biometrics applications. (Excerpt from news story by Clement James)

[source: Personal Computer World]

Privacy vs. the right to know

(2007-04-10) [The Roanoke Times] The General Assembly needs to strike a delicate balance in dealing with whether a list of concealed carry holders should be public.

The decision of the Virginia State Police to close its list of residents licensed to carry a concealed weapon is unfortunate, but it probably won't be the final word. Perhaps the General Assembly can bring better clarity to the situation next year. This editorial page bears no small measure of responsibility for this decision -- which comes after Attorney General Bob McDonnell issued an opinion at the request of Del. Dave Nutter, R-Christiansburg. Nutter was reacting to outrage prompted by our online publication of a database of concealed carry holders in the state in conjunction with an editorial writer's column marking Sunshine Week, a celebration of open government.


Court of Human Rights protects the private use of the Internet

(2007-04-04) [Heise Zeitschriften Verlag] A school employee in Great Britain has won a case in Strasbourg concerning the monitoring of her office Internet connection and telephone, which she had been using privately.

The European Court of Human Rights announced today in Strasbourg that the monitoring done by the school's headmaster constituted a violation of privacy. The court said that such monitoring lacked any legal basis. The 57-year-old plaintiff was awarded roughly 3,000 euros in damages.

[source: HeiseOnline]

Monitoring of employee breached human rights, says European court

(2007-04-04) [PinsentMasons] The monitoring by a Welsh college of an employee's email, phone and internet use was a breach of her human rights, the European Court of Human Rights has ruled. The UK Government must pay £3,000 damages and legal costs in the case.

Lynette Copland said that her email traffic, internet activity and telephone usage were all monitored by the deputy principal of Carmarthenshire College or his staff in a manner that breached her rights to a private life as enshrined in the European Convention on Human Rights.


US travellers show no interest in RT programmes

(2007-04-04) [Security Document World] A new survey has found that the vast majority of US travellers don't plan to enrol in the country's Registered Traveller program, despite the fact that their biggest security-related complaint is long queues at airports. The Tourism, Hospitality & Leisure survey was commissioned by Deloitte & Touche USA.

The Transportation Security Administration's (TSA) Registered Traveller Program is designed to enable passengers to move quickly through security checkpoints at participating US airports. When registering for the programme, they undergo an in-depth security background check and provide biometric information such as fingerprints and iris scans. An identification card will be issued for use at participating airports.

[source: News]

Home Office publishes data retention proposal

(2007-04-03) [PinsentMasons] The Home Office has published draft Regulations to require the retention of certain call data by phone companies for 12 months. Internet telephony and internet access data will not be covered for the time being.

The Regulations will apply to phone providers by September of this year, subject to Parliament's approval. To comply with last year's EU Directive on Data Retention, these rules must be extended or new rules passed to mandate the retention of internet data, including Voice over Internet Protocol (VoIP) data, by 15th March 2009.


New event: Roundtable on Health IT and privacy

(2007-04-10) "Roundtable on Health IT and privacy" will take place on April 13, 2007 (Washington, DC., US).

See calendar entry.

We've given away our privacy, a card's just the final blow

(2007-04-10) [FairfaxDigital] The Government has plans to give you an iPod. It's only a nano, mind, but it's an iPod all the same. Don't believe me? Just listen to former Human Services Minister Joe Hockey speaking on Radio National's Background Briefing program: "We're basically giving every Australian a mini iPod and saying, 'You can put information on it that you want and you control it.' "

There are a few catches to the Government's plan to ensure that no Australian will be living without an iPod by 2010. The first is that the Government-issued iPod won't come with those nifty white headphones. In fact, it won't even have a jack in which to plug them. The second is that it won't work with iTunes and there will only be enough memory to hold around four seconds worth of music. The third is that it isn't made by Apple and won't be called an iPod. Instead, it'll be called an "Access Card". (Excerpt from news story by Christopher Scanlon)


Schools may fingerprint six million children

(2007-04-09) [Independent News and Media Limited] Almost six million children at 17,000 schools could have their fingerprints taken, intensifying fears of the growth of a "surveillance society" where personal information is gathered from cradle to grave.

As soaring numbers of schools require pupils to have biometric checks to register in the morning, buy canteen food or borrow a book, it emerged that less than one-quarter of local education authorities have banned collecting fingerprints. (Excerpt from news story by Nigel Morris)

[source: The Independent]

Defining Privacy -- and Its Limits

(2007-04-09) [Inside Higher Ed] A student in a public university dormitory room had a "reasonable expectation of privacy" for his personal computer and its hard drive, a federal appeals court ruled on Thursday. The decision also found that despite that right to privacy, an administrator in the case under review had the right to conduct a remote search of the computer -- without a warrant -- because of the circumstances involved.

The decision -- by the U.S. Court of Appeals for the Ninth Circuit -- is among the highest level court rulings to date on a set of legal questions pitting privacy vs. security that are increasingly present in academe. While experts cautioned that the decision involved a specific set of facts, several also said it provided guidance for students on their privacy rights and for administrators at public colleges and universities on setting computer policies that give them the flexibility they feel they need to prevent security breaches. (Excerpt from news story by Scott Jaschik)

[source: News]

Podcast: The Present State of E-mail Security

(2007-04-09) [Help Net Security] Amir Lev co-founded Commtouch in February 1991 and serves as Chief Technology Officer and President. In this podcast he discusses the current state of e-mail security and presents an overview of the threats.

Listen to the podcast (length 0:05:57).

[source: News]

Calif. Lawmakers to Vote on Five Bills to Regulate RFID Technology

(2007-04-09) [ComputerWorld] The California State Senate is expected to vote as early as this week on several bills that would regulate the use of radio frequency identification (RFID) technology in government documents.

Similar legislation was approved by the state legislature last year only to be vetoed by California Gov. Arnold Schwarzenegger in October. At the time, Schwarzenegger said he rejected the Identity Information Protection Act of 2006 because it could be overly restrictive to state agencies. (Excerpt from news story by Marc L. Songini)

[source: Mobile & Wireless]

An IBM Engineer Preaches Privacy

(2007-04-07) [CMP] When banks, retailers, hospitals, and other businesses talk about allowing access to data internally and with partners, they're often talking about their customers' personal data: addresses, phone numbers, Social Security numbers, etc. At IBM, distinguished engineer Jeff Jonas has developed technology he says improves data sharing while securing that personal information. It's called anonymization.

Brilliant, earnest, and obsessed with testing himself to the limits--last month he completed his seventh Ironman triathlon in Australia--Jonas has emerged as one of IBM's thought leaders on information management. He came to IBM through the company's June 2005 acquisition of the Las Vegas company he founded, SRD Software. SRD made middleware that casinos use to pull information about specific people from different databases and thereby identify relationships to help spot cheaters and partners in crime. IBM customers use the software, now called DB2 Identity Resolution, to create a single view of a customer account and to detect fraud. A bank that's merged with another, for example, might use the software to recognize two accounts that belong to the same person by spotting commonalities in data. (Excerpt from news story by Mary Hayes Weier)

[source: InformationWeek]

Privacy can't be absolute

(2007-04-07) [The London Free Press] The information age raises concerns about privacy rights -- but privacy cannot be absolute or considered without context.

Two decisions of the Privacy Commissioner of Canada balance privacy expectations with the needs of business to identify their customers. (Excerpt from opinion piece by David Canton)

[source: News]

Music and movie piracy hunters go after privacy law

(2007-04-07) [The Ithaca Journal] The music and movie industries are lobbying state legislators for permission to deceive when pursuing suspected music pirates.

The California Senate is considering a bill that would strengthen state privacy laws by banning the use of false statements and other misleading practices to get personal information. Known as pretexting, the tactic created a firestorm of criticism when Hewlett-Packard Co. detectives used it last year to obtain phone records of board members, journalists and critics. (Excerpt from news story by Dawn C. Chmielewski and Marc Lifsher)

[source: Ithaca Journal]

Personal info law taken too literally

(2007-04-07) [The Yomiuri Shimbun] In light of the inordinate observance of the provisions of the Personal Information Protection Law, there have been rising calls for revising the law. Only two years after the law's full enactment, a committee of the Cabinet Office's Quality of Life Policy Council has entered the final stage of discussions on reviewing it.

When the law was enacted, special committees of both houses of the Diet devised supplementary resolutions, saying necessary measures should be taken three years after the law's full enactment. That time frame is next spring. (Excerpt from news story by Toru Tsunetsugu and Aki Nakamura)

[source: Daily Yomiuri]

California's Constitutional Right to Privacy is Limited by Statutory Litigation Privilege

(2007-04-06) [Davis Wright Tremaine LLP] On April 5, 2007, a unanimous state Supreme Court ruled that California's litigation privilege extends to claims based on the state's constitutional right to privacy. While conceding that the statutory privilege would have to yield to the constitutional privacy right if the two conflicted, the court concluded that "the statutory and constitutional provisions are not in conflict; they can and do coexist."

The case, Jacob B. v. County of Shasta, S142496, dealt with a letter that a county official wrote in connection with a family law proceeding involving visitation rights. The letter claimed that the plaintiff had molested his five-year-old nephew. At trial, the county relied on the litigation privilege of Civil Code section 47(b), which bars tort liability for publications made in connection with a judicial proceeding. The trial court ruled that constitutional privacy interests overrode the litigation privilege, but the Court of Appeal reversed. (Excerpt from news story by Rory Eastburg)

[source: Privacy and Security Law Blog]

Litigation Privilege Not Limited by Constitutional Privacy Right

(2007-04-06) [Metropolitan News Company] The litigation privilege extends to causes of action based on the constitutional right to privacy, the Supreme Court ruled yesterday. In a unanimous decision, the justices agreed with the Third District Court of Appeal that the state constitution's privacy right does not limit Civil Code Sec. 47(b), the "litigation privilege" that generally protects from tort liability any publication made in connection with a judicial proceeding.

Justice Ming W. Chin, writing for the court, explained that voters adopted the constitutional privacy right provision in 1972 with knowledge of the preexisting litigation privilege. "The parties have not cited, and we are not aware of, anything in the ballot materials or history of the 1972 initiative that added the constitutional right to privacy that suggested any intent to limit the scope of this preexisting privilege or to create a right of privacy that would prevail over the privilege," he said. (Excerpt from news story by Tina Bay)

[source: Metropolitan News]

Perspective: Real ID is bad? Compared to what?

(2007-04-05) [CNet] The Department of Homeland Security has published the proposed details of the Real ID act, and criticism is starting to pour in from all sides. The Real ID act is supposed to standardize driver's licenses issued by the states. Supporters say that this is necessary to improve security. Critics usually focus on the weakening of privacy protections. The arguments and counterarguments usually don't bother to address each other and, lofted on volume rather than substance, quickly grow heated and dim.

There's a way to have a meaningful debate on this. Any new security proposal must be compared to the status quo on four dimensions: Security, privacy, convenience and cost. If the new proposal is clearly better at all four, then it's a no-brainer. If the new program is worse on all four, then, well, it has no brains. What if the new program is better on some dimensions but not on others? Should we weigh the relative merits and compromise? Yes, eventually, but not right away! Since the new proposal enjoys the airy freedom of not actually existing yet, we should go back and rework the proposal until it is overwhelmingly better than the status quo. If we just throw our hands up and refuse to engage Real ID, we'll get the lousy law we deserve. (Excerpt from news story by Phil Libin)


Ontario Information and Privacy Commission Report on Biometric Encryption

(2007-04-05) [EPIC] The Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian, released a joint research paper with Dr. Alex Stoianov, an internationally-recognized biometrics scientist. The paper, entitled, "Biometric Encryption: A Positive Sum Technology that Achieves Strong Authentication, Security AND Privacy," discusses how biometrics can be deployed in a privacy-enhanced way that minimizes the potential for surveillance and abuse, maximizes individual control, and ensures full functionality of the systems in which biometrics are used.

The paper suggests that biometric encryption can address the privacy, security and trust problems of current biometric information systems. With biometric encryption, instead of storing a sample of one's fingerprint in a database, you can use the fingerprint to encrypt or code some other information, like a PIN or account number, or cryptographic key, and only store the biometrically encrypted code, removing the need to collect and store the biometric itself.

[source: EPIC Alert, Volume 14.07]

EU, U.S. commit to swift air passenger data deal

(2007-04-05) [ComputerWorld] The European Union and U.S. have made progress in talks on sharing air passenger data and are confident that they will reach an agreement before a July deadline, possibly even this month, they said today.

German Interior Minister Wolfgang Schaeuble said he is aiming to clinch a deal on the measure, which is designed to fight terrorism but has been criticized by civil liberties advocates, before an EU-U.S. summit at the end of this month in Washington. (Excerpt from news story by Madeline Chambers)

[source: Security]

Government Report: Data Mining Program Has Numerous Privacy Risks

(2007-04-05) [EPIC] A federal data mining program created to troll vast amounts of data in order to attempt to find suspicious people has numerous privacy risks, according to the Government Accountability Office. In a report, the GAO says the Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE) program's privacy risks "include the potential for erroneous association of individuals with crime or terrorism and the misidentification of individuals with similar names."

The GAO recommends that the Department of Homeland Security "immediately conduct a privacy impact assessment of the ADVISE tool to identify privacy risks and implement privacy controls to mitigate those risks." Previous data mining efforts by the federal government include the 2002 Total Information Awareness system, envisioned to give law enforcement access to private data without suspicion of wrongdoing or a warrant.

[source: EPIC Alert, Volume 14.07]

UK Report: You Can Have Security and Privacy

(2007-04-05) [EPIC] In a new report, "Dilemmas of Privacy and Surveillance," the Royal Academy of Engineering explains that security and privacy are not at odds. The Academy urges the UK government to make "full use of engineering expertise in managing the risks posed by surveillance and data management technologies."

The Academy also says "[o]rganisations should not seek to identify the individuals with whom they have dealings if all they require is authentication of rightful access to goods or services." The Academy suggests that travel and shopping services can be designed to allow anonymous use, thereby maintaining personal privacy. For example, subway cards should not be linked to any personally identifiable data, because all that is needed is the authentication of the riders' ability to pay.

[source: EPIC Alert, Volume 14.07]

EPIC Recommends Against Use of Universal Identifiers

(2007-04-05) [EPIC] In comments to the Federal Trade Commission, EPIC warned against using universal identifiers in authentication systems. "Any move toward universal identifiers, while potentially deterring amateur thieves, increases the potential for misuse once determined criminals steal that data," EPIC said.

EPIC also urged the restriction, rather than expansion, of the use of Social Security numbers as identifiers. "Social Security numbers have become a classic example of 'mission creep,' where a program designed for a specific, limited purpose has been transformed for additional, unintended purposes, sometimes with disastrous results," EPIC said. The pervasiveness of the SSN and its use to both identify and authenticate individuals threatens privacy and financial security; expanding use of the SSN, making it a universal identifier, would harm, rather than help, security efforts, EPIC said.

[source: EPIC Alert, Volume 14.07]

EPIC Speaks Before European Parliament on Transatlantic Privacy

(2007-04-05) [EPIC] EPIC Executive Director Marc Rotenberg appeared before the European Parliament's Committee on Civil Liberties, Justice and Home Affairs for a public seminar on transatlantic relations and data protection. The European Parliament is currently reviewing the transfer of travel, consumer, and financial information on European citizens to the United States government. European institutions are concerned about the absence of adequate privacy protection for personal information.

The seminar examined the constitutional and legal context of data processed in Europe, and in the USA, as well as the applicable principles on the international level for transfer of personal data, particularly as they pertain to passenger name records and financial data. The self-regulatory Safe Harbor model of data transfer was also discussed. Members of the European Parliament particularly wanted to know: what kinds of data are being collected; what are the reasons for the collection; problems that have arisen following collection; and what kinds of joint review and redress mechanisms exist.

[source: EPIC Alert, Volume 14.07]

New Privacy Safeguards for Telephone Customers

(2007-04-05) [EPIC] In response to a petition filed by EPIC, the Federal Communications Commission issued rules to protect the privacy of consumers' telephone records. The new safeguards prohibit unauthorized access to phone records, require passwords for customer accounts, require notice of any changes to account information, and establish opt-in consent before disclosing customer information.

FCC Chairman Martin called the unauthorized disclosure of customer information "a significant privacy invasion." In its petition, EPIC proposed five security measures that would more adequately protect access to call detail information: consumer-set passwords, security breach notification, audit trails, encryption, and limiting data retention. The FCC addressed the first two security measures in its rule, and announced a new rulemaking to consider audit trails, encryption, data retention, and safeguards for information stored in cell phones.

[source: EPIC Alert, Volume 14.07]

ISPs uneasy about data retention

(2007-04-05) [VNU Business Publications Ltd] ISPs are concerned about plans to make it a legal requirement to store and provide data about communications to police and security services on request.

At the moment communication providers usually provide such information voluntarily since the Anti-Terrorism Crime and Security (ATCS) code of practice was instigated after the 11 September security attacks. But the government wants to initiate a statutory scheme. (Excerpt from news story by Tom Young)


Data privacy at risk in EU-US air data talks-Frattini

(2007-04-04) [Reuters] Data privacy will be weakened if Washington pushes to replace an EU-U.S. air passenger data deal with individual deals with EU states or airlines, the bloc's top security official said ahead of talks in Berlin.

Under a temporary agreement reached as part of U.S. efforts to combat terrorism, European airlines must pass on up to 34 items of data on passengers, including their addresses and credit card details, to be allowed to land at U.S. airports. That deal expires at the end of July. (Excerpt from news story by Ingrid Melander)

[source: News]

Confusing Osama bin Laden with Johnny Rotten

(2007-04-04) [MIT Technology Review] The U.S. government's passenger screening technologies would mistake the terrorist mastermind for the Sex Pistol. In fact, data broker ChoicePoint possesses better tracking systems.

At the end of last February, the U.S. Department of Homeland Security (DHS) launched its Traveler Redress Inquiry Program for the 30,000-plus individuals who in the years since September 11 have been misidentified as possible terrorists by the Transportation Security Administration's (TSA) infamous "no fly" and "selectee" lists. These people may now ask for investigative reviews via an official website, in the hope that the TSA will eventually remove their names. (Excerpt from news story by Mark Williams)

[source: News]

That face! Those eyes! How recognizable?

(2007-04-03) [1105 Media, Inc] Technology for computerized facial recognition is ten times more accurate now than it was four years ago, and the best of the systems outperform humans, the National Institute of Standards said.

The federal government has pressed the private sector to improve facial and iris recognition technology dramatically so as to pave the way for improved biometric systems, and NIST has overseen the process in tests called the Face Recognition Vendor Test (FRVT) 2006 and the Iris Challenge Evaluation (ICE) 2006. The facial-recognition test has compared vendor systems on their ability to recognize high-resolution still images and three-dimensional facial images, under both controlled and uncontrolled illumination. The ICE 2006 test reported iris recognition performance from left and right irises. The study compared the facial recognition test results with an earlier evaluation called the FRVT 2002. (Excerpt from news story by Wilson P. Dizard III)

[source: GCN]

Surveillance society

(2007-04-03) [British Computer Society] The House of Commons' home affairs committee has launched an inquiry entitled 'A Surveillance Society?' and BCS is looking for your help in order to contribute to the report.

The inquiry will consider the growth of numerous public and private databases and forms of surveillance with a direct relevance to the work of the Home Office. They either derive directly from the work of the Home Office, and its related public functions, or are controversial because, whilst they offer the potential to play a part in the fight against crime, their use may impinge on individual liberties.

[source: News]

E.U. official: Now isn't time for RFID regulations

(2007-04-02) [CNet] The European Commission may have decided against imposing new rules on radio frequency identification tags for now, but a top official warned Monday that regulations are likely if future uses of the technology don't protect fundamental privacy rights.

Gerald Santucci, head of the European Commission unit whose domain includes RFID issues, said he feared that rushing to place restrictions on industries hoping to use the technology would choke its potentially valuable application in health care, business, transportation and other realms. (Excerpt from news story by Anne Broache)


Who's guarding your data in the cybervault?

(2007-04-02) [USA] In a remarkable turnaround, ChoicePoint, the giant data broker excoriated two years ago for its lack of precautions as it went about gathering and selling personal data, has recast itself as a model corporate citizen.

California's milestone data-theft disclosure law forced ChoicePoint in February 2005 to reveal that it had sold sensitive information for at least 166,000 people to a Nigerian con artist posing as a debt collector. The Federal Trade Commission hit ChoicePoint with a record $10 million fine and ordered it to set aside $5 million to aid data breach victims. The once-obscure data broker, tucked away in a nondescript business park 20 miles north of Atlanta, also embraced extensive reforms. The result: ChoicePoint is regarded by a dozen leading privacy advocates interviewed by USA TODAY as the most responsible company among dozens in the lightly regulated, fast-growing field of aggregating and selling sensitive information. (Excerpt from news story by Jon Swartz and Byron Acohido)

[source: News]

Privacy options proposed for domain name owners

(2007-04-02) [Cox Texas Newspapers, L.P.] Many owners of Internet addresses face this quandary: Provide your real contact information when you register a domain name and subject yourself to junk or harassment. Or enter fake data and risk losing it outright. Help may be on the way.

A key task force last week endorsed a proposal that would give more privacy options to small businesses, individuals with personal Web sites and other domain name owners. "At the end of the day, they are not going to have personal contact information on public display," said Ross Rader, a task force member and director of retail services for registration company Tucows Inc. "That's the big change for domain name owners." At issue is a publicly available database known as Whois. (Excerpt from news story by Anick Jesdanun)


Washington State, DHS May Use RFID in Licenses

(2007-04-02) [ComputerWorld] The state of Washington and the U.S. Department of Homeland Security plan to jointly develop a driver's license, likely embedded with radio frequency identification (RFID) technology, as an alternative to a passport for travel to some countries.

The state and the DHS late last month announced plans to launch a pilot program to offer drivers in Washington a license that complies with the federal Western Hemisphere Travel Initiative. (Excerpt from news story by Marc L. Songini)

[source: Mobile and Wireless]

Privacy advocates: Risk is embedded in each e-passport

(2007-04-01) [New Jersey On-Line LLC] When you get your new passport, should you dunk it in a tub of water? Wrap it in tin foil? Microwave it? Or just smash it with a hammer?

Those are some of the suggestions that have been popping up on Web sites and blogs as the U.S. State Department begins nationwide distribution of new passports with a controversial computer chip embedded in the back cover. The new travel documents, called e-passports, are being issued to Americans who apply to either renew their passport or receive their first one. They look similar to the old passports, but they have a rectangular symbol printed on the cover indicating they contain a computer chip. (Excerpt from news story by Kelly Heyboer)

[source: The Star Ledger]

New event: 19th Annual FIRST Conference, "Private Lives and Corporate Risk"

(2007-04-02) "19th Annual FIRST Conference, 'Private Lives and Corporate Risk'" will take place on June 17 -- 22, 2007 (Seville, Spain).

See calendar entry.

New event: ENISA/EEMA European eIdentity conference - Next Generation Electronic Identity - eID beyond PKI

(2007-04-02) "ENISA/EEMA European eIdentity conference - Next Generation Electronic Identity - eID beyond PKI" will take place on June 14, 2007 (Paris, France).

See calendar entry.

New event: Symposium on e-democracy

(2007-04-02) "Symposium on e-democracy" will take place on April 23 -- 24, 2007 (Strasbourg, France).

See calendar entry.

New event: Privacy Coalition meeting

(2007-04-02) "Privacy Coalition meeting" will take place on March 30, 2007 (Washington DC, US).

See calendar entry.

New event: 4th International Conference on Trust, Privacy & Security in Digital Business

(2007-04-02) "4th International Conference on Trust, Privacy & Security in Digital Business" will take place on September 3 -- 7, 2007 (Regensburg, Germany).

See calendar entry.

New event: FIPTM 2007 -- Joint iTrust and PST Conferences on Privacy, Trust Management and Security

(2007-04-02) "FIPTM 2007 -- Joint iTrust and PST Conferences on Privacy, Trust Management and Security" will take place on July 30 -- August 2, 2007 (Moncton, New Brunswick, Canada).

See calendar entry.

New event: Fourth European Workshop on Security and Privacy in Ad hoc and Sensor Networks

(2007-04-02) "Fourth European Workshop on Security and Privacy in Ad hoc and Sensor Networks" will take place on July 2 -- 3, 2007 (Cambridge, UK).

See calendar entry.

New event: SecPerU07 - 3rd International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing

(2007-04-02) "SecPerU07 - 3rd International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing" will take place on July 20, 2007 (Istanbul, Turkey).

See calendar entry.

Latest update: 2007-09-25 23:38:12