SAITS news - September 2007

Other months: January · February · March · April · May · June · July · August · September October · November · December ·

Earlier years: 2003 · 2004 · 2005 · 2006 ·

Encryption faulted in TJX hacking

(2007-09-25) [The New York Times Company] Hackers stole millions of credit card numbers from discount retailer TJX Cos. by intercepting wireless transfers of customer information at two Miami-area Marshalls stores, according to an eight-month investigation by the Canadian government.

The probe led by Canadian Privacy Commissioner Jennifer Stoddart faulted TJX for failing to upgrade its data encryption system by the time the electronic eavesdropping began in July 2005. The break-in ultimately gave hackers undetected access to TJX's central databases for a year and a half, exposing at least 45 million credit and debit cards to potential fraud. Mark Jewell


Immigrant DNA tests plan raises storm for Sarkozy

(2007-09-14) [The Guardian] Civil liberties groups in France have reacted furiously over government plans to introduce DNA testing for the families of immigrants, to prove their demands for visas are genuine. The tests would not be compulsory, but there are fears that applicants who do not take them would have their cases rejected.

The proposal has been put forward by Thierry Mariani, an MP of the governing UMP party and a confidant of President Nicolas Sarkozy. They envisage possible DNA tests for applications for visas of more than three months; where there was "serious doubt" birth or marriage certificates were genuine, immigration officials could "propose" to applicants that they take, at their own expense, a test to prove a biological link with other family members. Alasdair Sandford

[source: Guardian Unlimited]

Rx data mining: Improving health care or invading privacy?

(2007-09-30) [Geo. J. Foster Company] Dr. Deborah Harrigan remembers the day two pharmaceutical company representatives told her she wasn't prescribing enough of a drug they sold.

The Rochester family physician, who was working at the city's Avis Goodwin Community Health Center at the time, said she was surprised they knew so much about her prescribing history. The information comes from data mining companies, which collect, analyze and sell details about the type of prescriptions Harrigan and other physicians write. The practice isn't without controversy Harrigan, for example, said she believes doctors at least should be told if their data is being collected and sold. That isn't now required. But, she added, the ultimate power does nonetheless lie with doctors. (Excerpt from news story by Robert M. Cook)


Google: Search and Data Seizure

(2007-09-28) [The Nation] Should we be worried about Google? Ten years after the search engine was launched by two Stanford University graduate students, Google has become an empowering force and a adopted behavior that has transformed the way we access news and information, shop for goods and services and--increasingly--how we engage in politics. Who would have imagined four years ago, that Google and its subsidiary YouTube would co-sponsor debates in which ordinary citizens could directly engage with presidential candidates?

Last week, Google's stock hit an all-time high, on the strength of reports that the company will earn more this year than the $10.6 billion it earned in 2006. But while Google has almost overnight become a trusted source of information for the technologically attuned, few have thought to question the extent to which its success poses threats to both our privacy and our aspirations for the positive potential of the Internet. (Excerpt from news story by Jeffrey Chester)

[source: The Nation Online]

'Stronger data breach laws needed in Asia'

(2007-09-28) [CNET Networks, Inc.] Governments in Asia need stronger data-breach laws to ensure businesses improve the security of their customer data, according to a senior CA executive.

Jerry Cox, CA's director of security sales for the Asia-Pacific region, including Japan, said in an interview: "Strong laws would force a company to disclose security breaches often involving the loss of customer data." This, Cox explained, would protect the people whose data was compromised. Strong data-breach laws would also ensure companies took data security more seriously, especially if there were penalties in the form of monetary fines, or risks of reputation damage due to public disclosure. (Excerpt from news story by Victoria Ho)


Google looking at privacy protections for users

(2007-09-28) [Computerworld] Google Inc. the world's Web search leader, told U.S. Senate lawmakers yesterday that the company is pursuing new technologies to protect the privacy of Internet users as it seeks to acquire advertising company DoubleClick Inc. (see "Congress to scrutinize Google-DoubleClick acquisition").

Google's chief legal officer, David Drummond, testified that the company is looking at the Internet display advertising business with a "fresh eye and evaluating whether changes can be made to innovate on user privacy in this space." Critics say Google's $3.1 billion acquisition of DoubleClick, an advertising tools supplier, may give the company too much power over online advertising. Google stores mounds of data on Internet-surfing habits of users and uses the information to make money by selling advertisements. (Excerpt from news story by Peter Kaplan)

[source: Security]

IBM software aids in vast surveillance of Chicago streets

(2007-09-27) [ComputerWorld] The City of Chicago is developing a futuristic video surveillance system designed to scan city streets looking for everything from bombs to traffic jams.

For the past few years Chicago has been rolling out thousands of video surveillance cameras linked by fiber-optic cables. This Operation Virtual Shield system is intended to give the city's emergency response coordination agency the ability to remotely keep track of emergencies in real time. Now, with the help of IBM Corp., Chicago's Office of Emergency Management and Communications (OEMC) is looking to expand the system's capabilities so that IBM's software can analyze the thousands of hours of video being recorded by Operation Virtual Shield. (Excerpt from news story by Robert McMillan)

[source: Security]

Learning to live with Big Brother

(2007-09-27) [The Economist Newspaper Limited] It used to be easy to tell whether you were in a free country or a dictatorship. In an old-time police state, the goons are everywhere, both in person and through a web of informers that penetrates every workplace, community and family. They glean whatever they can about your political views, if you are careless enough to express them in public, and your personal foibles.

What they fail to pick up in the café or canteen, they learn by reading your letters or tapping your phone. The knowledge thus amassed is then stored on millions of yellowing pieces of paper, typed or handwritten; from an old-time dictator's viewpoint, exclusive access to these files is at least as powerful an instrument of fear as any torture chamber. Only when a regime falls will the files either be destroyed, or thrown open so people can see which of their friends was an informer.

[source: The Economist]

Google-DoubleClick Debate Raises Broader Issues

(2007-09-27) [CDT] The debate over the pending merger between Google and Internet advertising giant DoubleClick raises a host of broader questions about the online advertising industry at large and the structures that are in place to protect Internet users' privacy.

In a statement to the Senate panel that is holding a hearing about the merger today, CDT identifies how the evolution of the Internet advertising marketplace has outpaced the industry self-regulatory effort intended to mitigate privacy intrusions. The statement highlights how new approaches, and a new national consumer privacy law, are needed to ensure that consumers are adequately protected.

[source: News]

"Secure Flight" Returns, Lacking Privacy Protections

(2007-09-26) [EFF] I'm currently tapping into my laptop a few feet away from Michael Chertoff, Secretary of the US Department of Homeland Security. He is giving the keynote at Terra Incognita: the annual conference of Data Protection and Privacy Commissioners, here in Montreal.

His audience has him on the defensive. In the room are the European data protection registrars, the government officials who protested strongly against his department's recent agreement with the EU, which hands over their citizens' passenger name records (PNRs) to the United States government with little oversight. To protect himself from their threatening demeanours, Chertoff has some fine phrases. He spoke on how the DHS "defends all of [the United States'] values, including privacy," and how he personally seeks to ensure his department "rigorously adheres to the laws pertaining to privacy." And he noted that his department has released large number of privacy-related notes for public examination.

[source: News]

Human Rights in the Information Society - rediscover the proportionality

(2007-09-26) [EDRI] On 13-14 September 2007 the French Commission for UNESCO, UNESCO and the Council of Europe organised the conference "Ethics and Human Rights in the Information Society" in Strasbourg, to which EDRi was invited to contribute.

This conference was the third in a cycle of regional conferences on the ethical dimensions of the information society, which aims to contribute to the WSIS process and the Internet Governance Forum (IGF). The first two regional conferences took place in Latin-America and Africa. While the Latin-American conference contributed to the exchange of views in the region, the African conference was suffering from a lack of participation of local stakeholders. There, mainly African expatriots from the USA and Europe and representatives of South Africa were present. At the conference in Strasbourg some estimated fifty participants were present. With equality of access, freedom of expression, identity and social networks and security and governance, the presentations and discussions covered the topics of the four round table sessions on a rather global level, while the draft code of ethics presented by the organisers was hardly discussed.

[source: EDRI-gram, Number 5.18]

German police does not understand Tor

(2007-09-26) [EDRI] Alexander Janssen, a German operator of a Tor exit server, has recently revealed in his blog that, at the end of July 2007, the German police arrested him, checked out his entire house and seized his equipment during an investigation of bomb threats considered to have passed through an Internet protocol address that was under his control.

Janssen, who operated a Tor server carrying more than 40GB of random strangers' Internet traffic data per day, was interrogated for hours for an alleged threat to place a bomb in the German Federal Employment Services Agency offices and kill an employee. The police wrongly assumed the Tor server operator was responsible for placing the threat as the IP address related to the posting had been anonymized with the help of the network, thus pointing to the Tor exit node. Janssen was released by a federal German official who admitted the police had made a mistake. Ironically or as it was seen by Janssen, incompetently, the police did not confiscate or even shut down the server in cause, located 500km away in a data centre.

[source: EDRI-gram, Number 5.18]

Surveillance Law Must Protect Privacy and Security

(2007-09-25) [CDT] Congress can enact legislation that meets the needs of intelligence agencies for defending national security, while still protecting the fundamental privacy rights of innocent Americans, CDT Policy Director Jim Dempsey told the Senate Judiciary Committee today.

In his second congressional testimony in as many weeks, Dempsey identified a balanced approach that Congress could use to replace the overreaching Protect America Act, which was adopted last month and expires next year. Dempsey testified last week before the House Intelligence Committee on the same issue. CDT also last week issued memo addressing the poorly understood concept of "minimization" in the surveillance context.

[source: News]

Google sees urgent need for global privacy rules

(2007-09-25) [CNet] National regulators need to agree on a basic set of global privacy protections for the Internet within the next five years, a senior executive with Google said Monday.

Peter Fleischer, the company's global privacy counsel, said three quarters of countries had no Internet privacy standards at a time when the amount of sensitive personal and financial data on the Web was soaring. Google--itself criticized for the threat it poses to personal privacy--says the company's business agenda, the world economy and the Internet could suffer unless more is done to ensure basic privacy on the Web.


Update: New York subpoenas Facebook over user safety

(2007-09-24) [ComputerWorld] New York Attorney General Andrew Cuomo has subpoenaed Facebook because of what he says is the social networking site's lack of controls to protect the safety of its users.

According to Cuomo, Facebook has done nothing to keep its young users safe from sexual predators, despite the representations it makes about the safety measures it has in place on the site. In a letter sent to Facebook that accompanied a subpoena for documents, Cuomo said his office conducted a preliminary review of the site that "revealed significant defects in the site's safety controls and the company's response to complaints -- deficiencies that stand in contrast to the reassuring statements made on the Web site and by company officials." Facebook in an e-mailed statement, said takes the issues raised by Cuomo "very seriously." "As our service continues to grow so does our responsibility to our users to empower them with the tools necessary to communicate efficiently and safely," said Facebook spokeswoman Brandee Barker in a e-mail. (Excerpt from news story by Linda Rosencrance)

[source: Security]

Google says Street View will comply with privacy laws

(2007-09-24) [ComputerWorld] Google Inc.'s Street View application, which has raise privacy concerns because of the street-level views of locations it provides, will respect the local laws of the countries wherever it is available, the company's privacy counsel said today in a company blog.

Global Privacy Counsel Peter Fleischer appears to be responding to concerns raised by Canada's privacy commissioner about the implications of Street View. In a recent letter to Google, Canadian Privacy Commissioner Jennifer Stoddart said Street View may violate that country's privacy law, which prohibits the commercial use of personal data without permission from the individual. Stoddart was likely making preemptive strike since the application isn't offered in Canada yet. Currently, Street View provides users with a close look at U.S. city streets that could include identifiable images of people. Google launched Street View in May with its Canadian partner, Immersive Media Corp. (Excerpt from news story by Linda Rosencrance)

[source: Security]

Data Protection Framework Decision: EDPS concerned about dilution of Data Protection standards

(2007-09-20) [European Data Protection Supervisor] The European Data Protection Supervisor (EDPS) has today welcomed the continued efforts by the Portuguese Presidency to find agreement on the Data Protection Framework Decision (DPFD) in police and judicial cooperation in criminal matters. However, he expresses concern about the agreement by the Council of the European Union on Tuesday to limit the scope of the DPFD so that the text will only apply to the cross-border exchange of personal data. The EDPS emphasises that a drive for agreement should not dilute the level of protection for personal data provided in police and judicial cooperation in criminal matters.

Peter Hustinx, EDPS, says: "When the DPFD was first proposed, it was supposed to cover all aspects of policing and the judiciary. The recent agreement by the Council severely limits the scope of the text, and therefore also limits the level of protection the European citizen can expect from the resulting agreement. As I have stated in previous Opinions, the DPFD cannot lessen the level of protection offered, otherwise this will make it more difficult for police services to meet their international obligations."

[source: Press Release]

MySpace and Facebook Plan to Use Personal Data for "Targeted Advertising"

(2007-09-20) [EFF] Personal data is a hot commodity. All sorts of businesses trade in data concerning what we buy, how much credit we have, where we live, what our interests are. This information is sold to advertisers, who then eagerly use it to more precisely target people whom they hope will be interested in their products, leading to all of those annoying catalogs that litter your doorstep, for example, or the junk emails that choke your inbox every day.

Luckily for the advertising industry, modern web users have begun voluntarily providing all of their personal details on social networking sites like Facebook and MySpace. Users of these sites happily upload all sorts of personal information about what books and music they like, where they shop, who their friends are, and where they live. While users of these sites may imagine that they control the information on their profile pages, advertisers are salivating at the thought of all that personal data just waiting to be processed, analyzed, and turned into profit.

[source: News]

Legal Suicide for Web 2.0 start-ups: A beginner's guide

(2007-09-20) [CNET Networks, Inc.] I got an email from Fred von Lohmann of the Electronic Frontier Foundation yesterday. It began, "Half the companies you blog about have copyright or privacy legal issues simmering just under the surface. Since most of them are thinly capitalized, when they get into trouble, they're likely to call EFF for legal advice. Several already have."

I called von Lohmann right away, since I've had a nagging feeling for months that too many of the interesting products I've been seeing were legally shaky. So I talked with him to come up with this list: 9 Fun Ways Web 2.0 Startups Can Commit Legal Suicide. (Excerpt from news story by Rafe Needleman)

[source: Webware]

DOJ Testimony Alludes to Massive Scope of Wiretapping

(2007-09-18) [EFF] In a recent House Judiciary hearing, Department of Justice Assistant Attorney General Ken Wainstein testified in support of the Administration's request to give the telecom companies retroactive immunity for their participation in warrantless wiretapping.

Wainstein breathlessly warned that the telecoms might otherwise face "crushing liability." But the statutory penalties for warrantless wiretapping are relatively small per person -- even if AT&T was ordered to pay the maximum penalty, a few hundred illegal wiretaps would amount to less than a rounding error in the phone companies' quarterly statements (AT&T reported revenues of $29.4 billion for the quarter ending June 30). If the NSA was truly limiting its spying to suspected terrorists, the potential liability would be like an annoying gnat on an elephant. So why are the companies so worried? Perhaps the telecoms are actually concerned because they helped the feds intercept the communications of millions of ordinary Americans.

[source: News]

Is Anything Private Anymore?

(2007-09-16) [ParadeNet Inc] Kevin Bankston was a closet smoker who hid his habit by sneaking cigarettes outside his San Francisco office. He expected anonymity on a big city street. But in 2005, an online mapping service that provided ground-level photographs captured him smoking -- and made the image available to anyone on the Internet. This year, Google's Street View project caught him again.

Coincidence? Absolutely. Yet Bankston's twice-documented smoking highlights a wider phenomenon: Privacy is a withering commodity for all of us. What you buy, where you go, whom you call, the Web sites you visit, the e-mails you send -- all of that information can be monitored and logged. "When you're out in public, it's becoming a near certainty that your image will be captured," says (the newly nonsmoking) Bankston. Should you care? I've interviewed numerous people on all sides of the privacy debate to find out just how wary we should be. (Excerpt from news story by Sean Flynn)

[source: Parade Magazine]

Report: ENISA Workshops eID and eAuthentication

(2007-09-01) [ENISA] In the EEMA 2007 conference (Paris, 12th-13th June 2007), security and privacy issues in Social Networking was discussed.

A short report from the sessions on Social Networking and Reputation is now available online (Report: ENISA Workshops eID and eAuthentication (PDF).

[source: Reports]

Podcast: None of Your Business: Privacy in the Information Age

(2007-09-14) [National Academies] Privacy is a growing concern in the United States and around the world. This podcast takes a closer look at the three major drivers of the vast changes affection notions, perceptions, and expectations of privacy today.

Listen to the podcast (length 10:27).

[source: Sounds of Science]

Illinois Gets New Public School Biometric Privacy Protection Law

(2007-09-20) [EPIC] Parents of Illinois public school children are given a new tool to protect the privacy of their children. The new law requires that parents be given effective notice when "unique behavioral or physiological characteristics, including fingerprint, hand geometry, voice, or facial recognition or iris or retinal scans."

Parents must provide an opt-in for their children to participate in any biometric identification program prior to the collection of fingerprint, iris, or other biometric database creation process. Parents can at any time request that their child's information be removed from a biometric system of records, and the school cannot retain the information after a child is no longer enrolled.

[source: EPIC Alert, Volume 14.19]

DHS Privacy Advisory Panel Holds Hearing on Fusion Center

(2007-09-20) [EPIC] The Data Privacy and Integrity Advisory Committee of the Department of Homeland Security held a series of panel discussions on "information fusion centers." The principal role of the fusion center is to compile, analyze, and disseminate criminal/terrorist information and intelligence and other information (including, but not limited to, public safety, law enforcement, public health, social services, and public works) to support efforts to anticipate, identify, prevent, and/or monitor criminal/terrorist activity. Participants in the fusion center development can include local, state, and federal law enforcement; national security agencies; the Department of Defense; and private sector companies.

The committee heard from Department of Homeland Security officials, a representative from the State of Maryland's fusion center, a privacy and civil liberties officer from the Director of National Intelligence, and a panel of privacy and civil liberties advocates. EPIC provided testimony to the committee on the need to make the process transparent and accountable.

[source: EPIC Alert, Volume 14.19]

International Privacy Commissioners Conference Next Week

(2007-09-20) [EPIC] The 29th International Conference of Data Protection and Privacy Commissioners, hosted by the Office of the Privacy Commissioner of Canada, will be held on September 25-28, 2007, in Montreal, Canada. The annual event draws Commissioners from around the world, as well as a host of experts from academia, civil society and the private sector. The theme of this year's conference is "Privacy Horizons: Terra Incognita."

Office of the Privacy Commissioner's media release explains that the theme highlights the emphasis that conference organizers are placing on the challenging issues that data protection and privacy commissioners will need to address in the coming years. A group of leading international privacy experts will tackle these issues in various workshop, plenary and breakout sessions that deal with transborder data flows, ubiquitous computing, youth privacy, biometrics, globalization, public safety, and the intersect between law and technology.

[source: EPIC Alert, Volume 14.19]

Privacy Groups File Additional Papers in Google-DoubleClick Merger

(2007-09-20) [EPIC] At the National Press Club on Monday, EPIC, the Center for Digital Democracy, and US PIRG announced a second supplement to the groups' original complaint and subsequent supplement with the Federal Trade Commission (FTC) concerning the proposed Google-DoubleClick merger. The amended complaint details new facts supporting the conclusion that the FTC should block Google's proposed acquisition of DoubleClick.

At the National Press Club discussion, "Google, Online Advertising, and Privacy," an expert panel reviewed recent developments with online privacy, including behavioral targeting, and the proposed merger of Google and DoubleClick. The panel, moderated by EPIC's Associate Director, Lillie Coney, included Melissa Ngo, Senior Counsel and Director of EPIC's Identification and Surveillance Project; Jeff Chester, Executive Director of the Center for Digital Democracy; Joe Turow, Professor of Communications at the University of Pennsylvania's Annenberg School for Communication; and Amina Fazlullah, Staff Attorney at US PIRG.

[source: EPIC Alert, Volume 14.19]

Privacy a hot topic as RFID tagging grows in use

(2007-09-20) [ComputerWorld] Privacy concerns over RFID tagging are reaching new heights, with state legislators introducing and increasingly passing new measures to restrict their use, while employers face a barrage of concern from workers over RFID-embedded identity badges.

Those worries were aired by speakers and attendees at RFID World: Boston today, even as some RFID technology defenders worried that they haven't done enough to promote the value of RFID in tracking tainted foods or counterfeit drugs and of reducing the cost of tracking inventory. To indicate how extreme the national RFID hysteria has become, one speaker said privacy advocate Katherine Albrecht had urged consumers to microwave new underwear to disable a possible RFID tag and thereby prevent someone from tracking your whereabouts.(However, a check of Albrecht's Web site, actually urges not putting items in the microwave to disable an RFID tag because it could cause a fire.) (Excerpt from news story by Matt Hamblen)

[source: Security]

Lesson From Tor Hack: Anonymity and Privacy Aren't the Same

(2007-09-20) [Wired] As the name implies, Alcoholics Anonymous meetings are anonymous. You don't have to sign anything, show ID or even reveal your real name. But the meetings are not private. Anyone is free to attend. And anyone is free to recognize you: by your face, by your voice, by the stories you tell. Anonymity is not the same as privacy.

That's obvious and uninteresting, but many of us seem to forget it when we're on a computer. We think "it's secure," and forget that secure can mean many different things. Tor is a free tool that allows people to use the internet anonymously. Basically, by joining Tor you join a network of computers around the world that pass internet traffic randomly amongst each other before sending it out to wherever it is going. Imagine a tight huddle of people passing letters around. Once in a while a letter leaves the huddle, sent off to some destination. If you can't see what's going on inside the huddle, you can't tell who sent what letter based on watching letters leave the huddle. I've left out a lot of details, but that's basically how Tor works. It's called "onion routing," and it was first developed at the Naval Research Laboratory. The communications between Tor nodes are encrypted in a layered protocol -- hence the onion analogy -- but the traffic that leaves the Tor network is in the clear. It has to be. (Excerpt from news story by Bruce Schneier)

[source: News]

Symantec CEO says Internet tracking programs are digital peeping Toms

(2007-09-19) [MIT Technology Review] Cookies to collect Internet user data are a serious invasion of privacy, Symantec chief executive John Thompson said Wednesday, likening them to ''a peeping Tom.''

The head of the security software vendor said he thought cookies were essentially spyware if people are unaware that a program has been downloaded on their machine to record the sites they visit and do not know what will be done with that information. They ''are just as much an invasion of privacy as someone peering in my bedroom window,'' he said.

[source: News]

House committee chair wants info on cancelled DHS data-mining programs

(2007-09-18) [ComputerWorld] Bennie Thompson (D-Miss.), chairman of the House Committee on Homeland Security, has asked Department of Homeland Security Secretary Michael Chertoff to provide a detailed listing of all IT programs that have been canceled, discontinued or modified because of privacy concerns.

He also asked for details on the amount of money the DHS spent on each program, the names of contractors who were awarded the projects, and information about the measures being taken to address privacy issues. Thompson's demand was prompted by the recent cancellation of the agency's Analysis Dissemination Visualization Insight and Semantic Insight (ADVISE) data-mining program, which was shelved because of privacy concerns after $42 million had been poured into it. In a letter to Chertoff yesterday, Thompson expressed concern about the "apparent litany" of DHS programs that have been canceled or otherwise modified after millions of dollars have been spent because of a failure to assess their privacy ramifications early on. DHS officials could not be reached for comment. Jaikumar Vijayan

[source: Security]

Data quality -- the forgotten privacy principle

(2007-09-18) [ComputerWorld] Nearly every major privacy law requires "data quality," but it's become the most forgotten of all of the internationally recognized privacy principles. Why? Three reasons: The laws provide few details on what "data quality" means; companies violating this principle don't make the headlines; and it's not exactly clear what data quality has to do with privacy, anyhow.

Why is this important? Because companies around the globe are spending more time and resources assessing their internal privacy practices, and they need to know what is "good enough" when it comes to data accuracy. ... Even then, delegates debated about whether data quality mattered to privacy. The OECD's expert group concluded that data quality is relevant to "whether or not harm can be caused to data subjects because of lack of accuracy, completeness and updating." Jay Cline

[source: Security]

Facebook, MySpace users will trade privacy for features

(2007-09-18) [ComputerWorld] Facebook and MySpace users are willing to let the sites sell their personal data in return for access to the sites' social networking features, according to new research from Pace University.

Researchers at the university queried users of Facebook and MySpace in August, asking for their views of the privacy protections offered by the sites and their feelings about how much personal information they are willing to post on social networking sites. Catherine Dwyer, a professor at Pace who worked on the study, noted that most Facebook and MySpace users said that they're willing to develop online relationships even though they believe that trust and privacy safeguards are weak. (Excerpt from news story by Heather Havenstein)

[source: Security]

Surveillance Law Must Protect Privacy and Security - Testimony

(2007-09-18) [CDT] Congress can enact legislation that meets the needs of intelligence agencies for defending national security, while still protecting the fundamental privacy rights of innocent Americans, CDT Policy Director Jim Dempsey told a congressional panel today.

In testimony before the House Intelligence Committee, Dempsey identified a balanced approach that Congress could use to replace the overreaching Protect America Act, which was adopted last month and expires next year. CDT also today released a memo addressing the poorly understood concept of "minimization" in the surveillance context.

[source: News]

Technology aids expansion of eavesdropping powers

(2007-09-17) [1105 Media, Inc] A combination of technological and legal circumstances are preserving and even expanding the Justice Department's eavesdropping powers despite a recent court ruling that undercuts the government's wiretapping authority granted by the Patriot Act.

The U.S. District Court for the Southern District of New York issued a decision in John Doe [and others] v. Alberto Gonzales [and others] that would cancel the Patriot Act's sweeping grant of secret-wiretapping authority, passed by Congress in late 2001. Judge Victor Marrero also rejected the act's provision that imposed perpetual gag orders. Recipients of gag order letters are prevented from disclosing the existence of the directives, even to their closest family members. (Excerpt from news story by Wilson P. Dizard III)

[source: Government Computer News]

FBI to automate wiretap database

(2007-09-17) [1105 Media, Inc] The FBI is working to build an automated system to track its National Security Letter wiretap cases in a bid to eliminate cumbersome and error-prone manual entry of data about the eavesdropping projects. The bureau currently relies on Microsoft Access software to track wiretap requests in the Office of General Counsel (OGC) database.

FBI deputy director John Pistole told the House Permanent Select Committee on Intelligence earlier this year that although "the OGC database was a giant technological step forward from three-by-five index cards once used to track NSLs, it is not an acceptable system given the significant increase in use of NSLs since 9/11." The new NSL database management system will use a Java Enterprise Edition application server from Red Hat subsidiary JBoss using Oracle software and is due to roll out Dec. 31. (Excerpt from news story by Wilson P. Dizard III)

[source: Government Computer News]

MySpace is using profile and blog entries to sell targeted ads

(2007-09-17) [MIT Technology Review] News Corp.'s MySpace social networking site is using personal details contained on users' profile pages and blogs to sell highly targeted advertising, the company said Tuesday.

The Web site started the first phase of its ''interest targeting'' experiment in July, culling likes and dislikes from its users' pages to sell ads in 10 broad categories such as finance, autos, fashion and music. The site has more than 3 million users in each category and can place ads based on responses to questions about users' likes and dislikes, favorite movies and music. Data is even extracted from blog entries, where users write at length about their lives. Targeting ads well can be lucrative for MySpace and its corporate parent, but it can also backfire if users believe their personal expressions are being misused.

[source: News]

New threats to privacy

(2007-09-17) [1105 Media, Inc] As a staff attorney at the Electronic Frontier Foundation, one of Kevin Bankston's primary responsibilities is to monitor the effects of new technologies on citizens' privacy rights and occasionally undertake litigation to protect those rights. Recently, he experienced the issue firsthand when he was, without his knowledge, photographed by Google Street View, and his image was posted online.

More information is being generated and collected and stored; in particular, information that is highly sensitive and revealing. There has never been a document -- ever in the existence of humanity, I think -- that is more revealing of the interior concerns and nature of a person than, say, a log of all their Internet search activity. This was born out by my examination of search logs that were "accidentally" disclosed by AOL last year in a frighteningly irresponsible data leak. They released search log histories of several hundred thousand of their users over a three-month period. Looking through those logs, it was clear that people treat their search engine like their most trusted confidante, seeking advice on practically every personal, medical, financial or familial problem you can imagine. So with new technologies, there are new privacy threats which I would say are graver than any we've faced before. (Excerpt from news story by Patrick Marshall)

[source: Government Computer News]

VW 'Nazi' Subpoena Points Up YouTube Privacy Risks

(2007-09-17) [Wired] A legal spat between YouTube and Volkswagen is throwing light on the increasing copyright surveillance of social networking sites.

Volkswagen has filed a subpoena seeking the identity of a YouTube user who posted a Nazi-themed parody of a recent VW Golf commercial. Volkswagen's move underscores the privacy risks to a blossoming community of users on sites like YouTube and Yahoo Video, and social-networking sites like Facebook and MySpace. Copyright holders and their agents have long been monitoring activity on file-sharing networks such as BitTorrent and Gnutella. Now they're turning their attention to the social networks. "The social networking sites have definitely become a new focal point," said Evan Cox, a San Francisco copyright attorney who, with his colleagues, issue thousands of takedown notices a year. "As a consequence, they've gotten more focus from copyright owners." (Excerpt from news story by David Kravets)

[source: News]

Privacy groups: Google's call for standards not enough

(2007-09-17) [ComputerWorld] The U.S. government still needs to block or impose conditions on Google Inc.'s acquisition of online advertising server DoubleClick Inc., despite Google's call for global privacy standards, three privacy groups said today.

Google last Friday called for a global privacy standard, and the company referred to a framework designed by Asia-Pacific Economic Cooperation. But the APEC standard is "weak," Melissa Ngo, director of the Identification and Surveillance Project at the Electronic Privacy Information Center (EPIC), said during a press conference today. The APEC standard "puts the burden on consumers to prove they are being harmed," she said. Google's call for a global privacy standard does not allay concerns that privacy groups have with Google's proposed $3.1 billion purchase of DoubleClick, said Amina Fazlullah, staff attorney with consumer group U.S. Public Interest Research Group. Grant Gross

[source: Security]

Google Kicks Off Worldwide Consumer Privacy Crusade

(2007-09-17) [Sys-Con Publications] According to Associated Press reports, confirmed by Reuters, Google will propose at a meeting of European policymakers in Strasbourg, France today that national regulators agree on a basic set of global privacy protections.

Peter Fleischer, Google's Chief Privacy Officer, will argue that the future health of the Internet, the global economy and Google's own business agenda depends on the world's success in moving beyond the current patchwork of conflicting privacy rules. As Reuters' Eric Auchard explains: "Google has recently stepped up a push for policy changes and industry self-regulation to fend off criticism over the unprecedented access to personal information the Web provides. Because its stated mission is to organize the world's information and make it universally accessible, Google has come under fire for the threat its services pose to privacy. A recent move to acquire online advertising tools supplier DoubleClick Inc has put Google under increased scrutiny by U.S. regulators concerned by its growing power in online advertising and the mounds of data on surfing habits that Google stores."

[source: SOA World Magazine]

Google Calls for International Standards on Internet Privacy

(2007-09-15) [The Washington Post] Google, a frequent target of privacy advocates, yesterday called for new international standards on the collection and use of consumer data.

Peter Fleischer, global privacy counsel for Google, told a U.N. audience in Strasbourg, France, that fragmentary international privacy laws burden companies and don't protect consumers. He argued for an international body such as the United Nations to create standards that individual countries could then adopt and adapt to fit their needs. "The ultimate goal should be to create minimum standards of privacy protection that meet the expectations and demands of consumers, businesses and governments," Fleischer said, according to a transcript of the speech provided by Google. Catherine Rampell


Big Brother is watching us all

(2007-09-15) [BBC] The US and UK governments are developing increasingly sophisticated gadgets to keep individuals under their surveillance. When it comes to technology, the US is determined to stay ahead of the game.

Gait DNA, for example, is creating an individual code for the way I walk. Their goal is to invent a system whereby a facial image can be matched to your gait, your height, your weight and other elements, so a computer will be able to identify instantly who you are. How you walk could be used to identify you in a crowd "As you walk through a crowd, we'll be able to track you," said Professor Challapa. "These are all things that don't need the cooperation of the individual." Since 9/11, some of the best scientific minds in the defence industry have switched their concentration from tracking nuclear missiles to tracking individuals such as suicide bombers. (Excerpt from news story by Humphrey Hawksley)

[source: News]

Google proposes global privacy standard

(2007-09-14) [CNet] While Google is leading a charge to create a global privacy standard for how companies protect consumer data, the search giant is recommending that remedies focus on whether a person was actually harmed by having the information exposed.

Google's proposal will be presented by Peter Fleischer, Google's global privacy counsel in a speech today in Strasbourg, France, at UNESCO's meeting on ethics and human rights. The proposal follows the Asia-Pacific Economic Cooperation (APEC) Privacy Framework, which has been endorsed by many of the APEC nations, including Australia and Hong Kong, but not all. China (Excerpt from news story by Elinor Mills)


Google plans privacy crusade

(2007-09-14) [News Limited] Drawing upon its clout as the internet's most powerful company, Google is calling on businesses and regulators throughout the world to adopt international standards for protecting consumer privacy online and offline.

The request, to be unveiled later today in France, comes as the online search leader battles privacy concerns that threaten its plan to buy internet ad service DoubleClick for $US3.1 billion. Google, which already runs the internet's most lucrative marketing network, is counting on the purchase to boost its profits by helping sell even more ads. New York-based DoubleClick collects information about the web surfing habits of consumers, an activity that has stirred complaints from privacy watchdogs and prompted antitrust regulators to take a closer look at Google's proposed acquisition. (Excerpt from news story by Michael Liedtke)

[source: AustralianIT]

Google calls for global online privacy standard

(2007-09-14) [InfoWorld] Search giant Google will propose on Friday that governments and technology companies create a transnational privacy policy to address growing concerns over how personal data is handled across the Internet.

Google's global privacy counsel, Peter Fleischer, will make the proposal at a United Nations Educational, Scientific and Cultural Organization meeting in Strasbourg, France, dealing with the intersection of technology with human rights and ethics. Fleischer's 30-minute presentation will advocate that regulators, international organizations, and private companies increase dialog on privacy issues with a goal to create a unified standard. Google envisions the policy to be a product of self-regulation by companies, improved laws, and possible new ones, according to a Google spokesman based in London. "We don't want to be prescriptive about who does that and what those standards are because it should be a collaborative effort," the spokesman said. (Excerpt from news story by Jeremy Kirk)

[source: News]

Google promises to lead crusade for international privacy rules

(2007-09-14) [MIT Technology Review] Drawing upon its clout as the Internet's most powerful company, Google Inc. is calling on businesses and regulators throughout the world to adopt international standards for protecting consumer privacy online and offline.

The request, to be unveiled Friday in France, comes as the online search leader battles privacy concerns that threaten its plan to buy New York-based Internet ad service DoubleClick Inc. for $3.1 billion (euro2.2 billion). Google, which already runs the Internet's most lucrative marketing network, is counting on the purchase to boost its profits by helping sell even more ads.

[source: News]

New Video on NSL Privacy Violations & the Constitution

(2007-09-13) [EFF] National Security Letters (NSLs) are in the news a lot lately. Earlier in the year, a Justice Department report found that abuses of this powerful investigation tool were rampant, despite repeated statements to the contrary by Attorney General Alberto Gonzalez. Then documents obtained by EFF under the Freedom of Information Act exposed chronic misuses of NSLs, as well as other illegal demands that phone companies provide information on a target's "Community of Interest." And let's not forget that earlier this month, a federal judge ruled NSLs unconstitutional.

But what are NSLs, exactly? How do they work? Who receives them, and why? FBI Unbound: How National Security Letters Violate Our Privacy, a new short video produced by the Bill of Rights Defense Committee (BORDC), does a great job of bringing facts and analysis to the discussion of this controversial expansion of executive power. The video describes what happens when an NSL is sent, and how NSLs allow unprecedented spying on American citizens.

[source: News]

Google maps under scrutiny again

(2007-09-13) [News Limited] The Street View feature of Google Maps, with its close-up views of city streets and recognizable shots of people, could violate a Canadian law protecting individual privacy, officials said. Google introduced street-level map views in May, giving web users a series of panoramic, 360-degree images of nine US cities. Some of the random pictures feature people in informal poses who can clearly be identified.

Canada's Privacy Commissioner Jennifer Stoddart wrote to Google in early August asking for more details. She said if the Street View product were expanded to Canada without being amended, it could well violate privacy laws. The images were produced in partnership with Canadian firm Immersive Media, which says it has taken similar street level pictures of major Canadian cities. (Excerpt from news story by David Ljunggren)

[source: AustralianIT]

Google proposes global privacy standard

(2007-09-13) [CNet] While Google is leading a charge to create a global privacy standard for how companies protect consumer data, the search giant is recommending that remedies focus on whether a person was actually harmed by having the information exposed.

Google's proposal is scheduled to be presented by Peter Fleischer, Google's global privacy counsel, in a speech Friday in Strasbourg, France, at Unesco's meeting on ethics and human rights. He briefed reporters on Thursday. Elinor Mills


Tor's Privacy Problems

(2007-09-11) [CML Media LLC] People have an innate need to feel secure in their privacy. Our founding fathers built the United States on the understanding that people should be able to revolt and overthrow any government that oppresses them. Over time, Americans have lost more and more privacy rights as new laws have crept in. Fear of government, however, has never been lost.

The Internet has evolved in a similar fashion. For years it was unregulated, and largely unwatched. That all changed with the introduction of Echelon, the super-secret global Internet eavesdropping infrastructure purported to be operated by a number of countries. Still, people latched onto the idea that the Internet should be an anonymous network. Then along came Peek-a-booty.

[source: Dark Reading]

Scientists Use the "Dark Web" to Snag Extremists and Terrorists Online

(2007-09-10) [Natinal Science Foundation] Funded by the National Science Foundation and other federal agencies, Hsinchun Chen and his Artificial Intelligence Lab at the University of Arizona have created the Dark Web project, which aims to systematically collect and analyze all terrorist-generated content on the Web.

Using advanced techniques such as Web spidering, link analysis, content analysis, authorship analysis, sentiment analysis and multimedia analysis, Chen and his team can find, catalogue and analyze extremist activities online. According to Chen, scenarios involving vast amounts of information and data points are ideal challenges for computational scientists, who use the power of advanced computers and applications to find patterns and connections where humans can not.

[source: Press release]

Facebook to Share Members' Information with Public

(2007-09-07) [EPIC] Facebook announced that it will open its database to public search, effectively creating an Internet white pages of its users. Non-Facebook users will be able to search the Facebook database and will receive in return information such as name and picture.

These public profiles will become indexed by major search engines such as Google in the coming month. Facebook has automatically included all of its users in this information sharing, and those who do not want their information shared have to manually opt-out via Facebook's privacy page.

[source: EPIC Alert, Volume 14.18]

Government Quietly Ends Another Data Mining Program

(2007-09-07) [EPIC] This week, the Department of Homeland Security announced it would end a federal data mining program created to troll vast amounts of data in order to attempt to find suspicious people. DHS has spent four years and $42 million on the Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE) program.

ADVISE was temporarily suspended in March after a Government Accountability Office review identified numerous privacy risks. These "include the potential for erroneous association of individuals with crime or terrorism and the misidentification of individuals with similar names," the GAO said. The program was recently reviewed by the DHS Inspector General and its Privacy Office, which recommended ending ADVISE permanently.

[source: EPIC Alert, Volume 14.18]

Internet Oversight Agency Working Group Report on Domain Name Privacy

(2007-09-07) [EPIC] The Internet Corporation for Assigned Names and Numbers (ICANN)'s WHOIS working group submitted its Final Report on WHOIS. The report discusses the implementation issues surrounding the use of an Operational Point of Contact (OPoC) to limit public access to domain name registrants' personal information by allowing registrants to use alternate contact details.

The report examines, among other issues, the roles, responsibility and requirements of the OpoC and what happens if they are not fulfilled. Rather than reaching any final decisions on implementation issues, the report outlines implementation options and indicates general support and/or alternative views.

[source: EPIC Alert, Volume 14.18]

EPIC Urges Federal Trade Commission to Restrict Use of SSN

(2007-09-07) [EPIC] In comments to the Federal Trade Commission, EPIC urged the Commission to create regulations to limit the use of the Social Security number, but said those restrictions should "not limit the ability of the states to develop better safeguards."

In Congressional testimony and previous comments, EPIC has consistently called for more restrictions on SSN use and recommended the creation of context-dependent identifiers "that will encourage the development of more robust systems for identification that safeguard privacy and security." EPIC said "the use of the Social Security Number as an identifier or authenticator . . . will increase rather than decrease instances of fraud and identity theft."

[source: EPIC Alert, Volume 14.18]

EPIC Recommends Suspension of Secret Traveler Profiling Program

(2007-09-07) [EPIC] In comments to the Department of Homeland Security, EPIC urged the agency to either suspend the Automated Targeting System or to fully apply all Privacy Act safeguards to any individual subject to ATS. The system creates secret, terrorist "risk assessments" on tens of millions of U.S. citizens and foreign visitors. This new rulemaking was in response to public criticism that arose from DHS's November 2006 rulemaking, where EPIC led 29 organizations and 16 privacy and technology experts in condemning the many privacy and security risks of ATS.

ATS was originally established to assess cargo that might pose a threat to the United States. However, since 1999, ATS was used to assign a "risk assessment," which is essentially a terrorist risk rating, to all people "seeking to enter or exit the United States," "engag[ing] in any form of trade or other commercial transaction related to the importation or exportation of merchandise," "employed in any capacity related to the transit of merchandise intended to cross the United States border," and "serv[ing] as operators, crew, or passengers on any vessel, vehicle, aircraft, or train who enters or exits the United States."

[source: EPIC Alert, Volume 14.18]

Plan to put everyone in DNA database hinges on human rights case

(2007-09-07) [PinsentMasons] Lord Justice Sedley's proposal to put everyone in the UK on a DNA database would be dependent on a British man's case against the UK at the European Court of Human Rights (ECHR), according to a privacy law expert.

Michael Marper is objecting to the retention of his DNA information on the Home Office's database, despite the fact that he has never been convicted of a crime. He has appealed through the English courts and the ECHR agreed earlier this year to hear his case. Sedley is an Appeals Court judge who this week proposed that to eradicate the imbalance of ethnic minorities on the DNA database, everyone in the UK, including visitors, should be put on to the system. The ECHR ruling could make that illegal, though, said Dr Chris Pounder, a privacy expert with Pinsent Masons, the law firm behind OUT-LAW.COM.


New event: 2008 IEEE Symposium on Security and Privacy

(2007-09-25) "2008 IEEE Symposium on Security and Privacy" will take place on May 18 -- 21, 2008 (Oakland, California, USA).

See calendar entry.

New event: 13th Australasian Conference on Information Security and Privacy (ACISP 2008)

(2007-09-25) "13th Australasian Conference on Information Security and Privacy (ACISP 2008)" will take place on July 14 -- 16, 2008 (Wollongong, Australia).

See calendar entry.

New event: Government ID Technology Summit 2

(2007-09-25) "Government ID Technology Summit 2" will take place on September 24 -- 25, 2007 (Washington DC, USA).

See calendar entry.

New event: 3rd 2007 Technical Assistance Seminar on International Implementation of the APEC Privacy Framework

(2007-09-12) "3rd 2007 Technical Assistance Seminar on International Implementation of the APEC Privacy Framework" will take place on September 22 -- 23, 2007 (Vancouver, Canada).

See calendar entry.

New event: Data Privacy and Integrity Advisory Committee meeting

(2007-09-12) "Data Privacy and Integrity Advisory Committee meeting" will take place on September 19, 2007 (Arlington, VA, US).

See calendar entry.

New event: Identity, Privacy and Security Initiative

(2007-09-12) "Identity, Privacy and Security Initiative" will take place on September 17, 2007 (Toronto, Canada).

See calendar entry.

New event: FISA Modernization - National Security Surveillance In the 21st Century

(2007-09-12) "FISA Modernization - National Security Surveillance In the 21st Century" will take place on September 10, 2007 (Washington, DC, US).

See calendar entry.

Privacy, secrets, and your phone company

(2007-09-12) [ComputerWorld] We know already that the FBI has engaged in a highly controversial wiretapping program with the cooperation and blessing of the various telecoms (one more reason I won't get an iPhone; none of that AT&T for me).

Now evidence is mounting that the telecoms are doing some unsavory data-mining of their own, the scope of which moves them from the just-following-orders category over to more of a Junior G-Man role. I don't seem to remember seeing anything about that sort of behavior in the customer-solicitation literature from AT&T, Verizon or MCI (!). (Excerpt from blog post by Angela Gunn)

[source: Blogs]

Rogue Nodes Turn Tor Anonymizer Into Eavesdropper's Paradise

(2007-09-10) [Wired] A security researcher intercepted thousands of private e-mail messages sent by foreign embassies and human rights groups around the world by turning portions of the Tor internet anonymity service into his own private listening post.

A little over a week ago, Swedish computer security consultant Dan Egerstad posted the user names and passwords for 100 e-mail accounts used by the victims, but didn't say how he obtained them. He revealed Friday that he intercepted the information by hosting five Tor exit nodes placed in different locations on the internet as a research project. (Excerpt from news story by Kim Zetter)

[source: News]

DHS Scraps ADVISE Data-Mining Software

(2007-09-10) [EFF] The Department of Homeland Security's (DHS's) ADVISE has followed a familiar pattern. Just like Total Information Awareness (TIA) and CAPPS II before it, ADVISE was once touted as an essential tool in protecting national security, only to fall from grace once serious mistakes and privacy abuses were revealed. But dead programs in a National Security state never quite die -- they are often just re-shuffed and re-named.

Since 2003, the DHS has spent $42 million developing ADVISE software, which is intended to identify patterns hidden in vast stores of data that could reveal suspicious behavior. But the program was suspended in March after the Government Accountability Office warned that the program could lead to individuals being falsely linked to criminal or terrorist activities. Subsequent investigations from the DHS Privacy Office and the DHS Inspector General found that live data, including personal information from real individuals, was used to test the software, creating "unnecessary privacy risks." (Excerpt from news story by Hugh D'Andrade)

[source: News]

F.B.I. Data Mining Reached Beyond Initial Targets

(2007-09-09) [New York Times] The F.B.I. cast a much wider net in its terrorism investigations than it has previously acknowledged by relying on telecommunications companies to analyze phone-call patterns of the associates of Americans who had come under suspicion, according to newly obtained bureau records.

The documents indicate that the Federal Bureau of Investigation used secret demands for records to obtain data not only on individuals it saw as targets but also details on their "community of interest" -- the network of people that the target was in contact with. The bureau stopped the practice early this year in part because of broader questions raised about its aggressive use of the records demands, which are known as national security letters, officials said. (Excerpt from news story by Eric Lichtblau)

[source: News]

Book review: "The Search"

(2007-09-07) [EPIC] Marc Rotenberg reviews "The Search: How Google and Its Rivals Rewrote the Rules of Business and Transformed Our Culture" (by John Battelle, Penguin, Harmondsworth, 2005; ISBN 9781591840886).

Quote: "But Google's dominance may not be all to the good, as a recent editorial in The Economist suggests. As the writers for the British magazine observe, Google has become ''a custodian of a far wider and more intimate range of information about individuals.'' The company "through the sheer speed with which it accumulates the treasure of information" tests the limits of what society may tolerate. ... Battelle's first report on Google was aptly titled ''The Search.'' A sequel could well be named ''The Searched.''

[source: EPIC Alert, Volume 14.18]

Facebook to Share Members' Information with Public

(2007-09-07) [EPIC] Facebook announced that it will open its database to public search, effectively creating an Internet white pages of its users.

Non-Facebook users will be able to search the Facebook database and will receive in return information such as name and picture. These public profiles will become indexed by major search engines such as Google in the coming month.

[source: EPIC Alert, Volume 14.18]

Government Quietly Ends Another Data Mining Program

(2007-09-07) [EPIC] This week, the Department of Homeland Security announced it would end a federal data mining program created to troll vast amounts of data in order to attempt to find suspicious people.

DHS has spent four years and $42 million on the Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE) program. ADVISE was temporarily suspended in March after a Government Accountability Office review identified numerous privacy risks. These "include the potential for erroneous association of individuals with crime or terrorism and the misidentification of individuals with similar names," the GAO said.

[source: EPIC Alert, Volume 14.18]

Internet Oversight Agency Working Group Report on Domain Name Privacy

(2007-09-07) [EPIC] The Internet Corporation for Assigned Names and Numbers (ICANN)'s WHOIS working group submitted its Final Report on WHOIS. The report discusses the implementation issues surrounding the use of an Operational Point of Contact (OPoC) to limit public access to domain name registrants' personal information by allowing registrants to use alternate contact details.

The report examines, among other issues, the roles, responsibility and requirements of the OpoC and what happens if they are not fulfilled. Rather than reaching any final decisions on implementation issues, the report outlines implementation options and indicates general support and/or alternative views.

[source: EPIC Alert, Volume 14.18]

Judge deals blow to Patriot Act

(2007-09-06) [CNet] A key portion of the Patriot Act is unconstitutional and violates Americans' free speech rights, a federal judge said Thursday in a case that could represent a bitter setback for the Bush administration's attempts to expand its surveillance powers.

U.S. District Judge Victor Marrero said the section of the Patriot Act that permits the FBI to send Internet service providers secret demands, called national security letters, for customer information violates the First Amendment and unreasonably curbs the authority of the judiciary. (Excerpt from news story by Declan McCullagh)


Facebook, people search and privacy

(2007-09-05) [ZDNet] Facebook is now giving members the option to make their profiles searchable (see Techmeme for the various viewpoints on the news). In effect, your Facebook profile can be injected into the Web at large and non-members can see portions of Facebook profiles. This news isn't surprising. Facebook is spreading out its tentacles and gaining more traffic via search engines.

The extension of the social Web in to search engines is not surprising, but you could view this development as another step on the slippery slope of privacy matters. Between cameras watching every move in large cities, DNA databases and Web sites collecting your clickstreams, social graph, wish lists and other data, the machine has the raw materials to knit together highly invasive individual dossiers. At this point, at least in most countries, privacy regulations are helping to keep the spies, stalkers, criminal hackers and unprincipled marketers at bay. (Excerpt from news story by Dan Farber)

[source: blogs]

Debate rages over German government spyware plan

(2007-09-05) [ComputerWorld] When it comes to who can and who can't be a hacker, the German government appears to want to have its cake and eat it, too.

After passing anti-hacking legislation earlier this year to crack down on the sharp rise in computer attacks in the public and private sectors, the government is now floating a plan to develop and smuggle its own spyware on to the hard drives of suspected terrorists through e-mail messages. German Interior Minister Wolfgang Schäuble has been feverishly seeking support for a new security law that would allow federal authorities to investigate suspects' Internet use and stored data without their knowledge, ever since the country's Federal Court of Justice halted their cybersnooping activities in February. The judges argued that the hacking of computers by the police is not permitted under Germany's strict phone-tapping laws and that legislation would be needed to enable covert surveillance. (Excerpt from news story by John Blau)

[source: Security]

So When Did Protecting Privacy Become Unconstitutional?

(2007-09-05) [Davis Wright Tremaine LLP] The clash between privacy advocates and those companies who make millions of dollars collecting and selling data about pharmaceutical prescription patterns was perhaps inevitable. When the State of New Hampshire passed the Prescription Confidentiality Act last year, leading health information brokers were quick to challenge the law which prohibited prescription information records which contain identifiable data about a patient or prescriber from being transferred, licensed, sold, or used for most commercial purposes. The Act specifically precluded the use of prescriber-identifiable data for "physician detailing" used by pharmaceutical companies to track the prescribing-habits of physicians in order to target individual sales pitches to such physicians.

This past April, the federal District Court for New Hampshire struck down the new law holding that the Act was an unconstitutional restriction of the commercial speech rights of data brokers and pharmaceutical companies in violation of the First Amendment. IMS v. Ayotte (2007 DNH 061 P, April 30, 2007). The New Hampshire Attorney General filed an appeal to the United States Court of Appeals for the First Circuit. (Excerpt from post by Thomas Jeffry)

[source: Privacy and Security Law Blog]

Smile! Big Brother software is watching you

(2007-09-05) [CNet] A Japanese company has developed "smile checker" software that can tell whether someone looks happy, sad or somewhere in between. By analyzing facial features, such as wrinkles around the mouth and eyes and the space between the lips, Omron's new software can spot a smile in less than one tenth of a second and rate it on a scale of zero to 100 percent.

The company envisions the software can be used in digital cameras so a photo can be snapped when everyone is grinning, to help robots figure out if humans are happy, and give "smile ratings" to people working in the service industry. But can the software tell if the smiles are sincere? "(The engineers) said that they've never really tested this, but the percentage rating would probably drop with a forced grin," said Omron spokesman James Seddon.


DHS Ends Criticized Data-Mining Program

(2007-09-05) [Wired] The Homeland Security Department scrapped an ambitious anti-terrorism data-mining tool after investigators found it was tested with information about real people without required privacy safeguards.

The department has spent $42 million since 2003 developing the software tool known as ADVISE, the Analysis, Dissemination, Visualization, Insight and Semantic Enhancement program, at the Lawrence Livermore and Pacific Northwest national laboratories. It was intended for wide use by DHS components, including immigration, customs, border protection, biological defense and its intelligence office. Pilot tests of the program were quietly suspended in March after Congress' Government Accountability Office warned that "the ADVISE tool could misidentify or erroneously associate an individual with undesirable activity such as fraud, crime or terrorism." (Excerpt from news story by Michael J. Sniffen)

[source: news]

Judge calls for "universal" national DNA database

(2007-09-05) [CNet] A senior judge has called for a universal national DNA database containing the details of every UK citizen and visitor to the country.

In an interview on BBC Radio 4's Today Programme Lord Justice Ledley called the situation with the existing DNA database "indefensible" because of the numbers of innocent people acquitted and the disproportionately high number of ethnic minorities stored on it. The national DNA database contains the samples of around four million people, including more than 100,000 adults and 24,000 people under 17 years of age who have been arrested but never convicted of a crime. Everyone arrested in England and Wales has their DNA sample taken and stored on the database forever, regardless of whether they are prosecuted or convicted. (Excerpt from news story by Andy McCue)


California outlaws the forced subdermal RFID tagging of humans

(2007-09-04) [Ars Technica LLC] Worrying that your employer will force you to stick a small chip beneath your skin ranks low on the list of employee concerns in most parts of the country, but that didn't stop the state of California from passing a bill last week to ban such forced tagging of humans. The state senator who sponsored the bill called forced RFID tagging the "the ultimate invasion of privacy," and his bill is now on its way to the governor's desk for his signature.

Senate Bill 362 "would prohibit a person from requiring, coercing, or compelling any other individual to undergo the subcutaneous implanting of an identification device," and a similar version has already passed the state Assembly. Joseph Simitian, who came up with the idea, laments the fact that the RFID industry does not appear to find his idea a good one. (Excerpt from news story by Nate Anderson)

[source: ars technica]

People search engine Rapleaf revises privacy policy

(2007-09-04) [CNet] Specialized search engine Rapleaf changed its privacy policy and removed a Web site on Friday in an effort to disclose the part of its business that sells data to marketers about people's online social ties.

Following inquiries for an article published Friday by CNET, Rapleaf added nearly 700 words to its privacy policy to show its relationship with TrustFuse, a formerly separate part of its business that sells personally identifiable data about Internet users, which it obtains through various social networks and sites. The company also removed the Web site for, which now redirects visitors to a page at The updated Rapleaf privacy policy lets people opt out of its system by sending an e-mail to the company. (Excerpt from news story by Stefanie Olsen)


Privacy watchdog clamps down on DVLA data sharing

(2007-09-04) [CNet] Data protection watchdog the Information Commissioner's Office (ICO) has published guidelines outlining how motorists' personal data can be used by the Driver and Vehicle Licensing Agency (DVLA).

The ICO guide attempts to explain the circumstances where the DVLA is allowed to share their personal details with third parties without breaking data protection rules. The DVLA can pass on an individual's personal details to a third party if there is "reasonable cause" to do so - such as the prevention or detection of crime - according to the guidance published by the ICO. (Excerpt from news story by Gemma Simpson)


The Privacy Market Has Many Sellers, but Few Buyers

(2007-09-03) [Wired] Privacy is fast becoming the trendy concept in online marketing. An increasing number of companies are flaunting the steps they've taken to protect the privacy of their customers. But studies suggest consumers won't pay even 25 cents to protect their data.

In one week in July, unveiled AskEraser, a tool that will allow users to obliterate their search histories; Microsoft announced enhanced privacy controls for its Windows Live service; and Google and Yahoo shrank the amount of time they retained IP addresses and search logs, reducing the ability of government agencies to subpoena such data. Startups are aiming to carve out a piece of the privacy market. ReputationDefender, which allows individuals to manage what people say about them online, launched the beta version of a new subscription service on Sep. 1. Its service, called MyPrivacy, lets users control how their personal data is brokered across the web (the service was announced last fall but is only now publicly available). (Excerpt from news story by Dan Tynan)

[source: News]

Is Your Boss Spying on You?

(2007-09-01) [Reader's Digest] It's legal, it's happening and it can get you fired.

It's a fact of life in the 21st-century workplace: The boss may well be watching, especially if you use a computer. A 2005 survey by the American Management Association and the ePolicy Institute found that about three out of four companies regularly track which websites their employees visit. More than half use surveillance software to scour office e-mail (looking for hot-button keywords like sex in the subject line or body of messages). More than a third extend their snooping to monitor how much time workers spend at the computer, record their keystrokes or log their downloads. And one in four companies reports firing someone for improper e-mail use. (Excerpt from news story by Kim Zetter)

[source: Living]

Latest update: 2007-10-25 17:03:07