Privacy
News Highlights
25 July—10 August 2006
Contents:
AU – Australian Commissioner Approves Biometric Privacy Code
EU – EU Might Fingerprint Children Before 12 Years Old
CA – N.S. Auditor General Demands Tighter Computer Security
CA – CIRA Approves New WHOIS Privacy Policy, Seeks Input
WW – Consumer Concerns Mount About Information Security
WW – Microsoft, HP Partner on National ID Systems
KR – 900,000 Korean Resident Registration Numbers Leaked Through Google
WW – Study: More than 95% of e-Mail is ‘Junk’
AU – Australian Privacy Commissioner Blocks Medicare Link
UK – Gov’t Seeks Input on “Jail for Privacy Violations”
WW – Google Starts Labeling Harmful Search Results
EU – European Parliament Issues Report on PNR
EU – Study Finds Many Companies Fail to Comply With Privacy Laws
EU – Study: ID Theft Fears Hinder Irish e-Commerce
US – Washington’s Continued War on Offshore Financial Privacy
WW – Study: Highly Regulated Countries Do Not Result in Highly Compliant Websites
US – House Passes Broad Mandatory Filtering Bill
EU – EU Privacy Regulators to Investigate SWIFT Transfers
UK – Barclays Bank to Issue Card Readers to Online Banking Customers
US – Most U.S. Banks Appear Not Ready for Security Deadline
US – House to Vote on Data Breach Bill
NZ – New Zealand Law Commission Recommends Changes to Court Records Access
US – New Hampshire Pharma Law: Complaint by Data Broker
US – VA Loses Sensitive Information on Another 38,000 Veterans
CA – Doctors Angry After Laptop Stolen with 8,000 Personal Financial Files
US – Three More Laptop Thefts Reported
UK – Laptops Missing from UK Government Departments
US – Missing Laptop Holding 540,000 NY State Workers’ Data Found
US – Deloitte & Touche Employees Told of Possible Data Compromise
US – Loan Company Loses Information of Thousands of Students
CA – BC FIPA Report: PIPEDA & ID Theft: Solutions for Protecting Canadians
UK – Survey: Younger UK Residents More Vulnerable To ID Theft
US – Survey Reveals that Americans Acknowledge ID Theft Problem
WW – Microsoft’s Piracy Checks Create Backlash, Lawsuits
US – Survey: Malware Cost Consumers $7.8 Billion in 2 Years
US – Study: More Than Half of Home Users Secure Wi-Fi Networks
US – Operation Identity Shield Fights Against Online Fraud
US – Group Appeals Ruling Forcing ISPs to Create Backdoors
CA – Toronto’s new WiFi network raises many concerns
US – AOL Apology Follows Release of Subscriber Search Log Data
WW – Google CEO Cites Government As Main Threat To User Privacy
US – Study: Many Advertisers Use Nuisance Adware Knowingly
WW – “Vishing” Is Latest Twist In Identity Theft Scam
US – Federal Jury Awards Woman $351,000 in ID Theft Lawsuit
US – $50 Million Verdict for Violating Drivers' Privacy in Florida
US – GAO Report Finds Data Brokers Not Restricted By Existing Privacy Law
US – RFID Biometric Passports Vulnerable, Expert Says
US – Credit Cards Containing RFID Chip in Use at San Diego’s Petco Park
WW – Blackberry a Juicy Hacker Target
US – GPO Issues Contracts for RFID e-Passports
US – Bush Administration Appeals NSA Wiretap Decision
US – D.C. Council Approves Temporary Expansion of Video Camera Use
US – FTC Seeks Greater Enforcement Power
US – New IRS Online Bill Payment Raises Privacy Concerns
US – DHS Report Notes Security Problems in Transportation Worker ID Credential
US – CIO Council Releases Tested Version of FEA Security and Privacy Profile
US – Senate Ratifies Cybercrime Treaty
US – House Approves Health Data Technology Bill
CA – BC Wal-Mart Ordered to Pay $86K Over Privacy Violation
US – Court: No Expectation of Privacy With Computer Monitoring Policy
The Australian Privacy
Commissioner, Karen Curtis, has extended the reach of the Australian Privacy
Act by approving the Biometrics
Institute’s privacy code, effective September 2006. Curtis’ office will handle
privacy complaints lodged against member organizations that have agreed to be
bound by the code, which gives stronger protection for biometrics related to
employee records, a key concern for many privacy and consumer groups. It also
adds three biometrics privacy principles dealing with data security: informed
user consent, a right to request removal of biometric information, and active
privacy management including audits. [Privacy Code] [Source] [Source] [Source]
[Guidelines underway in New Zealand]
The report from the EU Council Presidency meeting of 26 June 2006 proposes that
all children in the European Union over 12 years old should be subject to
mandatory fingerprinting. “If provided for by national legislation” this action
could be extended to all children, even below 12 years of age. [Source]
[Report from
the EU Council Presidency meeting] [Report from the
Visa Working Party/Mixed Committee] [Millions
of children to be fingerprinted] [Asylum toddlers get
fingerprinted] [Source]
[Source]
[Source]
Nova Scotia’s auditor general
Jacques Lapointe has expressed concern about the security of the province’s
computer systems. For instance, many employees are using just one password;
some of the employees had changed jobs and should not have access to the
information any more. Lapointe, who became auditor general in March 2006, also
noted that former auditors general had raised many of the same security issues,
but the problems have not yet been resolved. [Source]
[Source]
[Source]
The Canadian Internet
Registration Authority (CIRA) approved a new Privacy Policy for the dot-ca
domain name WHOIS registry. CIRA is preparing to implement this new policy and
seeks final input on its proposed implementation procedures, intended to
improve the accuracy of information in the registry. The new WHOIS policy keeps
the personal information of individual registrants from being publicly
displayed, while ensuring that CIRA will comply with all law-enforcement
agencies and will divulge registrant information to courts and other judicial
bodies when legally obliged to do so. [CIRA
revamps privacy policy for PIPEDA compliance] [Final
consultation for new dot-ca Privacy Policy] [Source]
Concerns in Europe and the
U.S. about the security of personal information are high enough to impact
consumer loyalty and trust in companies, according to a survey fielded by the
Chief Marketing Officer Council and the Business Performance Management Forum.
Underwritten by Symantec and Factiva, the survey indicates that 40% of the
2,200 consumers surveyed have stopped a transaction in progress when they
suddenly felt uncomfortable because of a security concern. [Source] [Survey
Report]
HP and Microsoft are working
together to offer governments national identity systems built on the .Net
platform. The tech giants have been working on a code base that will allow them
to offer a set of technology components for functions such as online and
offline demographic and biometric data capture, regional verification and
registration, and document lifecycle management. They unveiled their plan to
target worldwide governments with the technologies at an event in Geneva last
week. The companies are tapping partners in the security market, such as
biometric technology vendors and public key infrastructure (PKI) providers, to
offer specific national identity systems. [Source]
The resident registration
numbers of more than 900,000 Koreans are wholly or partly exposed on the
Internet through the world’s largest search engine, Google. The 13-digit
registration number is widely used as the means for personal identification at
banks, service companies, government offices and many Web sites in South Korea.
Because the numbers are easily obtained by using Google, the stolen registration
numbers were often used to create false IDs in various forms of cyber crime. Google has
been asked to remove the leaked personal information and the whole cleaning
process will take up to two months. [Google
to Delete 95,219 Korean Ids] [Gov’t
Search Reveals Massive Online ID Leak] [Source]
[Source]
More than 95% of e-mail is
junk, be it spam, error messages or viruses, report mail monitoring firms.
Analysis of the contents of millions of e-mails has revealed that less than 4%
is legitimate traffic. Further work has shown that most of this junk mail is
originating on hijacked home computers. E-mail security firm Return Path said
99% of the computers it monitors that send mail have been taken over by
spammers or virus writers. The root cause of spam is the existence of an ever
growing and strengthening network of ‘botnets’. [Source]
Australia’s privacy
commissioner has ruled out linking personal medical claims data on Medicare and
Health Department databases, flagging an intention to extend the ban to all
government databases. The Health Department had submitted that Medicare
Australia should be permitted to use and disclose linked and identified MBS and
PBS data for “secondary purposes”, including research and health access cards,
under special arrangements with the Office. [Source]
The UK Government is to ask
the public whether those who misuse personal data for profit should be
imprisoned for up to two years. It proposes increasing penalties available to
the courts to deter people who are guilty of trying to profit from illegal
trade in personal information or who deliberately give out personal data to
those who have no right to see it. [Source] [Source]
[Source]
[Source]
Google has started warning
people when search results could potentially lead them to malicious code. The
search giant is using data from the Stop Badware Coalition to flag sites that
are potentially host to malicious software. [Source]
Report with a proposal for a European
Parliament recommendation to the Council on the negotiations for an agreement
with the U.S. on the use of passenger name records (PNR) data to prevent and
combat terrorism and transnational crime, including organised crime. Prepared
by the Committee on Civil Liberties, Justice & Home Affairs. [Source]
A recent survey of business
executives found that German comprehension of and compliance with privacy law is
strikingly low. Businesses were found to have little knowledge of German
privacy law, and apparent compliance lapses were cited. [Source]
A study by Computer Associates
(CA) has calculated that Irish businesses are losing out on 250m Irish Pounds in
annual revenue because so many consumers are afraid of identity theft and are avoiding
online transactions. Chief among consumer concerns (81%) is the prospect of
having credit card details stolen or exposed. Exposure of personal information,
such as postal addresses and phone numbers, worried 37%. 2% of the
internet-using population claimed to have had their identity stolen, and a
further 10% said it had happened to somebody they know. These experiences and
fears have had a serious impact on online commerce. Only 17% of Irish consumers
believe that online organizations are currently doing enough to protect their
private data, and one in 10 online transactions are not completed because of
security concerns. “Ultimately, Irish businesses need to be seen to take
greater levels of care of consumer personal details such as passwords and credit
card details.” [Source]
Offshore tax havens offer the wealthy a “black box” for stashing
trillions of dollars, mostly impervious to tax, regulatory and law enforcement
authorities, a Senate panel concluded after a yearlong investigation.
The havens allow Americans to
avoid paying $40 billion to $70 billion in taxes each year, with the help of
“an armada” of professional advisers. [Source]
A recent Canadian study of
website operations in the UK and US has suggested that heavily regulated jurisdictions
may not create greater privacy protections for consumers. The study found that
privacy and security standards were largely comparable between the US and UK,
but that there were greater numbers of non-compliant sites in the UK. [Source]
The U.S. House of
Representatives has passed a bill that would force schools and libraries to
block chat and social networking sites as a condition of receiving federal
funding. According to CDT, the bill goes far beyond the already broad mandate
that requires schools and libraries to filter out obscenity and
“harmful-to-minors” content and would block access to many legal and valuable
web sites and Internet tools. Because chat and social networking are woven into
the fabric of Internet communication, a huge range of sites may be declared off
limits in libraries and schools. The bill appoints the FCC as the arbiter of
what can and cannot be accessed in libraries around the country, meaning that
for the first time, the federal government would be getting into the business of
evaluating and screening wholly lawful Internet content. [H.R. 5319]
EU data protection officials
have begun an investigation into data on EU-based financial transactions being
shared with US investigators. These transactions are enabled by SWIFT, a
service based in Brussels. [Source]
The UK’s Barclays bank will
issue card readers to its online banking customers. The bank hopes to reduce
“card-not-present” fraud with the devices, which will give users a one-time
pass code to enter the online banking portal after they have read the cards’
chips. Other banks have adopted two-factor authentication methods, such as
key-ring password generation devices. [Source]
For some bank IT managers,
last fall’s release of federal guidelines on validating the identities of
online users helped catalyze ongoing efforts to adopt so-called strong
authentication measures. But a majority of U.S. banks appear unprepared to meet
the Dec. 31 deadline for complying with the guidelines, several analysts said.
[Source]
The House Financial Services
Committee is pressing for a floor vote on its version of a data breach bill,
despite the concerns of state law enforcement and consumer groups. State
attorneys general have urged Congress to pass a bill that preserves state protections
and state enforcement, while the Financial Services bill preempts state law.
The bill also drew harsh criticisms from a coalition of consumer groups, who
said that existing state laws are more effective at protecting consumers. [H.R. 3997, the
Financial Data Protection Act] [Statement by
Consumer Groups on the Financial Services Bill] [Statement by State
Attorneys General on Data Breach Bills]
The New Zealand Law Commission
president says the rules on public access to records of court proceedings are a
mess, and need changing. A report compiled by the Commission, tabled in
Parliament, recommends that the public have greater access to the records. Its
president, Sir Geoffrey Palmer, says the existing rules governing such access
are shrouded in mystery and confusion. [Source]
Two health data companies have
filed a lawsuit to challenge a recently enacted New Hampshire law that limits
the ability of companies to gather data on prescriptions in the state. This
data is used to target pharmaceutical marketing to doctors and medical
facilities in the state. [Source]
A desktop computer containing the names, SSNs and medical data of up to
38,000 people is missing from the offices of a VA subcontractor. The computer
also may contain addresses, birth dates, insurance carrier and billing information,
and dates of military service. The subcontractor, Unisys Corp., was hired to
assist in insurance collections for those medical centers. VA said it is
working with Unisys to offer notifications and credit monitoring to those who
may be affected. [Source]
[Source]
[Source]
[Source]
Hundreds of angry doctors and
their families are demanding answers from a financial services company after a
laptop containing thousands of personal files was stolen from a car in a parking
lot. About 8,000 clients of MD Management, a subsidiary of the Canadian Medical
Association, received a letter from the company dated June 29 warning them that
a laptop computer containing detailed information about their financial and
professional circumstances had been stolen. [Source]
The president of Belhaven
College has acknowledged that a laptop stolen from a school employee contained
names and SSNs of an undetermined number of college employees. [Source]
A laptop computer was stolen from the West Virginia Division of Rehabilitation
Services; the computer held agency clients’ names, addresses and SSNs. The
agency notified those affected by mail in late July. [Source]. More than
3,000 current and former Cal Poly University-San Luis Obispo students were
notified that their names and SSNs were stored on a laptop computer that was
stolen from a professor’s home in July. The University is attempting to
eliminate the use of SSNs as unique identifiers for its students. [Source]
[In-Depth Review: Why Colleges Struggle with Cyber Security: Part 1, Part 2, Part 3]
A recent FOI enquiry provided
data about the numbers of missing laptop computers from various UK government
departments. The Defence Ministry reported 21 stolen laptops, the Home Office
reported 19 and the Department of Trade & Industry reported 16. The Health
Department said it could not account for 18 laptops, but did not clarify if
they had been stolen or lost. The enquiry also turned up information about the
numbers of mobile phones missing from government departments. [Source]
[Source]
A laptop containing personal
information of 540,000 NY state workers has been found after it was discovered
missing in May from the offices of CS Stars, a Chicago-based data management
company. The FBI is investigating the computer’s disappearance and conducting
analysis on the recovered machine. CS Stars last week sent letters to people
whose data were on the computer; they were each offered one year of credit
monitoring and US$25,000 in identity theft insurance. [Source]
[Source]
A laptop computer stolen from
the locked car of a Deloitte & Touche employee held personal data belonging
to approximately 12,000 current and former Armstrong World Industries
employees. The data on the computer includes names, SSNs and salary and wage
information. [Source] [Source]
Nelnet Inc. announced this
week that it has lost a computer data tape containing the unencrypted
personal information of approximately 188,000 students. The tape was lost when
it was shipped by UPS from Aurora to Austin, TX. Nelnet has stated that there
have been no reports of unauthorized activity as a result of the loss, but
encourages the affected students to monitor their credit carefully. [Source]
The BC Freedom of Information
& Privacy Association (FIPA) has published an analysis of the intersection
between identity theft, technology, and current private sector information
management practices. The report details how identity thieves use the latest
technology, as well as “low tech” means, to take advantage of private sector
practices to perpetrate their crime. It suggests how Canada’s Personal Information Protection and
Electronic Documents Act may be implemented so as to improve the Act’s
effectiveness in dealing with identity theft. The FIPA report was funded by the
Office of the Privacy Commissioner of Canada. [FIPA Report on Identity Theft]
[pdf version]
A survey published by YouGov
and an electricity supplier found that one in 10 people believe they have been
victims of identity fraud. The survey also found that more than two-thirds of
people under 30 said they had provided personal details to friends or relatives
that could leave them vulnerable to ID theft. The survey also indicated that
28% of those people under 30 were unaware that stolen utility bills could
be a source for an identity thief to steal someone’s identity. [Source]
According to a national survey of 1,000 Americans
conducted by the nonprofit Identity Theft Resource Center, 81% of Americans are
aware that ID theft can happen at any time and 65% are using tools to protect
themselves. Despite this awareness, Americans do not feel secure. “The fact
that consumers are taking precautions is a good sign, but awareness does not
mean much if consumers are confused about how to protect themselves,” said the
executive director of the Identity Theft Resource Center. [Source]
[National Crime Prevention Council: Half of
Identity Theft is Committed by Someone You Know]
When Microsoft said it planned
to begin checking for pirated copies of its Windows operating system using the
method it set up to send people security fixes, even some of the company’s
traditional critics could sympathize. Nevertheless, 18 months after announcing
the Windows Genuine Advantage piracy check, Microsoft faces controversy and
backlash, including two lawsuits. [Source]
Consumers paid as much as $7.8
billion over two years to repair or replace computers that got infected with
viruses and spyware, a Consumer Reports survey found. That figure was down from
a similar survey a year ago. Still, it suggests that people are paying large
sums to cope with the flood of malicious viruses and other programs that can
slow computers or render them inoperable. [Source]
Statistics from
JupiterResearch indicate that 60% of computer users with Wi-Fi home networks
enable security on those networks. The Wi-Fi Protected Access (WPA) protocol
“is included with virtually all consumer-grade wireless access cards and
routers.” Other data indicates roughly 30% of home users have piggy-backed on
unsecured wireless networks while they were traveling and about 10% have
piggy-backed on neighbors’ networks at home. [Source] [Source]
According to the Department of
Justice, the crime of identity theft costs the US an estimated $6.4 billion a
year. Operation Identity Shield, formally announced yesterday at the Black Hat
Conference in Las Vegas, is a collaborative effort of the FBI and the
technology industry already credited with contributing to a number of arrests.
[Source]
[Related: FBI Tells
Hackers, “We Need Your Expertise”]
A coalition of civil liberties groups and technology companies is
appealing a federal court ruling that forces Internet service providers to
create backdoors for government wiretapping. The coalition has asked the full
U.S. Court of Appeals in Washington, D.C., to review a June 9
ruling that sided with the Bush administration. That 2-1
ruling said that Internet providers must rewire their networks and follow a
complex scheme of eavesdropping regulations. The deadline is set for May 2007.
[Source]
The wireless (WiFi) network soon to be launched by Toronto Hydro Telecom
(THT) has triggered quite a few concerns about user privacy, data security, and
even public health. THT has reiterated that the security features of the new
network - dubbed One Zone - will not be intrusive. They will protect against
criminal activity, but will not be used to pry on people. [Source]
AOL has launched an internal
investigation into how randomly selected search log data was posted publicly on
a new AOL Research site. The company issued an apology for the incident, and
noted that while it was not defending the mishap, there was no PII linked to the
search log data of 658,000 subscribers. Privacy advocates said identifying
individuals from the search data would be easy in many cases involving people
who conducted an online search of their name. [Source]
[AOL search
data released] [AOL
Removes Search Data on Group of Web Users] [AOL’s
Big Privacy Blunder] [Background]
[Searchable Mirror of Search Log Data]
[Some
of the most bizarre search queries (recommended reading)] [Coverage]
[Coverage]
[80% of online U.S. adults search for health
info]
Government intrusion, not
accidental disclosure of search data, poses the most significant challenge to
maintaining online privacy, Google CEO Eric Schmidt told an industry conference
yesterday. Earlier this year, Google battled a Justice Department
effort to obtain search data on Google users. [Source]
[Google
CEO: We won’t Pull an AOL]
More than half of the pop-up
ads served by nuisance “adware” programs are placed knowingly by advertisers,
CDT has found in a new study. Although many ads purchased by major national
companies pass through complex networks of affiliates before being displayed by
nuisance adware distributors, 55% of the ads served by those distributors are
placed directly by the companies being advertised, according to “Following the Money II:
The Role of Intermediaries in Adware Advertising.” The study builds on the
findings of Following
the Money I, which untangled the complicated web of affiliate relationships
common to nuisance adware models. [Press release]
It’s called “vishing,” and
it’s similar to “phishing” scams that rely on email to steal consumers’
identities. Vishing uses Internet telephone calls and camouflaged Caller ID
information to make requests appear legitimate. Victims report receiving either
an e-mail that appeared to originate from their institution, or a phone call
claiming that their account had experienced fraudulent activity and required
immediate attention. When consumers called the supplied number, an automated
system, much like legitimate customer service systems, instructed the
unsuspecting victims to enter their account number in order to be connected to
a customer service representative. [Source]
A Virginia woman whose SSN was
stolen by a temporary employee at a hospital where the ID theft victim gave
birth has won $351,000 in damages after a trial. Equifax Information Services
LLC was ordered to pay the woman the damages after attempts to restore her
credit at the three major credit agencies failed. The woman reached settlements
with the other two credit agencies and CitiFinancial, which the victim accused
of sending an account she did not open to collections, which resulted in
harassing calls from debt-collection agencies. [Source]
[Source]
Hundreds of thousands of
Florida motorists will get up to $160 each under a $50 million class-action
settlement with Fidelity Federal Bank & Trust. The bank ran afoul of a
federal anti-stalking law that makes it illegal for companies to buy driver
records from state governments. Fidelity Federal bought 565,600 names of
motorists from the Florida Department of Highway Safety and Motor Vehicles from
2000 to 2003 and used the information to send brochures advertising auto loans.
Fidelity Federal paid a penny a name ($5,656) for names and addresses of
motorists who recently bought cars. An attorney for Fidelity said the bank
didn’t know buying the names violated federal law. [Source]
[Source]
[Source]
In a recent report from the
GAO, data resellers were found to be largely outside the reach of existing U.S.
privacy laws. The GAO report recommends Congressional action to bring these
companies under the current security and privacy standards found in the FCRA
and GLBA. [Source]
Electronic passports being
introduced in the U.S. and other countries have a major vulnerability that
could allow criminals to clone embedded secret code and enter countries
illegally, an expert warned. A demonstration last week by German computer
security expert Lukas Grunwald showed how personal information stored on the documents
could be copied and transferred to another device. It appeared to contradict
assurances by officials in government and private industry that the electronic
information stored in passports could not be duplicated. “If there is an
automatic inspection system, I can use this card to enter any country,”
Grunwald said, holding up a computer chip containing electronic information he
had copied from his German passport. “The whole passport design is totally
brain damaged. From my point of view all of these [biometric] passports are a
huge waste of money - they’re not increasing security at all.” [Source]
[Source]
[Researchers:
E-passports pose security risk] [Source] [New RFID Passport
Scare -- Does it Matter?] [Hacker Cracks, Clones RFID
Passport] [Researcher
warns of security problem in electronic passports] [Senators
call for more RFID education]
The park’s concession stands
are accepting credit cards containing an RFID chip that allows users to make
their purchases quickly from concession stands without handing over their
contactless card to a cashier. For purchases under $25, there is no need to
sign the receipt, which also speeds up the transactions, according to the
companies that offer the cards. [Source]
A computer security researcher
says he’s found an unexpected new path into company networks: the Blackberry.
He has developed a hacking program that exploits the trust relationship between
a Blackberry and a company’s internal server to hijack a connection to the network.
Because the data tunnel between the Blackberry and the server is encrypted,
intrusion detection systems at the perimeter of the network won’t detect the
attack. [Source]
The Government Printing Office
has issued two contracts to producers of contactless smart chips to furnish
large-scale quantities of electronic passport covers. The contracts follow
months of testing, policy disputes and legal wrangling over the use of
contactless smart chips to embed biometric and biographic data in passport
covers. Wide-scale adoption of the State Department’s version of the technology
likely will influence other federal programs which will involve biometric ID
systems. [Source]
The Bush administration has
asked a federal appeals court to halt a lawsuit alleging AT&T illegally
opened its communication networks to surveillance by the National Security
Agency. Permitting the lawsuit to proceed would endanger national security and
possibly expose classified information, the U.S. Department of Justice said in
a legal brief filed on Monday. [Source]
The D.C. Council agreed last
week to install 23 surveillance cameras in residential neighborhoods for the
first time. This action, along with an earlier curfew and police access to
confidential juvenile information, was taken in response to a proposal from
Mayor Anthony Williams for emergency legislation. [EPIC’s
Comments to the D.C. Council on the April CCTV proposal] [D.C. Council Home Page] [Small-town Alberta
pondering surveillance cameras] [NYC
Transit, announced video surveillance for Manhattan buses] [Toronto
Police to watch Caribana with cameras]
The Federal Trade Commission
is seeking additional legislative tools that will allow the agency to more
aggressively pursue online fraud and privacy violations. The call for these
tools has been seen as an early indicator of the content for the FTC’s workshop
on the subject in early November. [Source]
Privacy and consumer advocates
are wary of a new system the IRS is setting up to allow tax preparation
agencies to make it more convenient for taxpayers to pay their delinquent taxes
on the Web. Few details are available presently to evaluate the new system’s
level of security and how it will work, leading to the concerns. [Source]
A report from the DHS IG
Richard Skinner says the Department’s Transportation Worker Identification
Credential (TWIC) has a number of “security-related issues [that] may threaten
the confidentiality, integrity and availability of sensitive TWIC data.” The
version of the report made available to the public was redacted to remove
information about the specific security problems, but it is known that they
involve default security settings and patch management. The report also says
the program does not comply with certain requirements of the Federal
Information Security Management Act. TWIC plans to issue biometric
identification cards to US transportation workers. [Source] [Source]
[DHS
Report]
The CIO Council’s Federal
Enterprise Architecture Security and Privacy Profile suggests best practices
for government agencies to protect data shared with others. The document also offers
ideas for integrating security and privacy requirements into technology purchases.
[Source] [Source]
The US Senate has ratified the
Council of Europe’s Convention on Cybercrime. The treaty aims to align laws
pertaining to Internet crime in the 43 countries that have already signed. It
also looks toward “improving investigative techniques and increasing
cooperation among nations.” The treaty calls for signatory nations to cooperate
on cybercrime investigations, and to pass similar cybercrime laws addressing issues
such as computer intrusion, computer-facilitated fraud, child pornography and
copyright infringement. The US may decline to cooperate when requests violate
free speech or other rights. [Source]
[Source]
[Source]
[Convention
on Cybercrime text] [Bob
Barr: Cybercrime treaty wrecks cyberprivacy]
The U.S. House of
Representatives has approved legislation aimed at accelerating the use of
computerized health records by removing legal barriers and moving toward
national standards. The bill seeks to establish a committee to make
recommendations on medical data storage, form a committee to govern national
standards, clarify privacy laws that apply to electronically stored medical
data, expand the number of billing codes used by health care providers, and
allow hospitals to provide doctors with IT hardware. [Source] [Source]
A former Wal-Mart manager has
been awarded $86,000 in a B.C. Supreme Court decision published this week. The
former manager of the Guildford retail outlet sued the company last year
claiming he was wrongfully dismissed in 2003 and that his privacy was violated
when the company published his image as part of an advertising campaign after
he had been terminated. [Source]
A U.S. Circuit Court of Appeals has ruled that
workers have no legitimate expectation of privacy when employers have a policy
in force that informs employees that computer usage is monitored in the
workplace. The decision stems from an unsuccessful argument by a Montana man
that the evidence collected from his work computer should not be admissible in
court because the FBI obtained it without a search warrant. [Source]
--------