Privacy News Highlights
03–10 November 2006
Contents:
US – Iowa Chooses Biometrics Vendor for New Driver’s Licenses
US – Three California Elementary Schools to Fingerprint Students
HK – Hong Kong Privacy Commissioner Halts School Fingerprinting
CA – OPC Issues Fact Sheet on Applications for Court Hearings Under PIPEDA
WW – Privacy International: Canada #2 in Maintaining Personal Privacy
CA – Ancestry.ca Releases First Indexed and Searchable 1851 Census of Canada Online
US – Consumer Reports: Consumers Rank Privacy, Security as Top Online Concerns
WW – Six International Groups Form Anti-Spam Alliance
US – HBO Documentary “Hacking Democracy” (RE: Voting Machines)
EU – Twelve Hundred Dutch Voting Machines Deemed Unusable
UK – UK Opts for Cryptomathic’s PKI Technology
EU – Dynamic Coalition on Privacy Launched at UN Internet Meeting in Athens
EU – New Security Breach Notification Proposal Under Consideration
WW – US Leads the UK in Compliance Culture: Survey
WW – 13 Nations Denounced For Web Censorship
US – Banks Tap Databases for Consumer Information to Replace SS Numbers
UK – Trade Group: Online Fraud Costs Increase 55% in First Half of 2006
UK – Three in Four Young Black Men on The DNA Database
UK – UK Healthcare IT System Will Hold Citizens’ Medical Records
AU – Australian Pharmacies to Track Cold and Flu Med Buyers
US – Spear Phishers Target Medical Center Employees
US – Lost Computer Roundup (6 Stories)
AU – Legislation Will Prevent Government Smart Cards to Serve as National ID
US – PC Reseller Charged Over ID Theft of Employee Data
CA – Nova Scotia Driver’s Licence Gets a New Look
WW – TRUSTe Launches Program to Certify Consumer Software is not Spyware
WW – Report: U.S. Leads the World in Phishing Sites.
US – Researchers: Phishing Ensnares More Victims
UK – New Project Invites Users to Help Fight Malware
WW – FBI Cracks Down on Global ID Theft Operation
EU – German Court Rules ISP Must Delete IP Logs
WW – Company to Help Get Damaging Info Deleted from Web
US – Adware Firm Fined $3 Million by the FTC
US – Yesmail Agrees to Settle Charges With FTC
US – Lawsuit Filed Against Hospital Group for Mishandling of Patient Data
CA – IBM Selects Canadian Company to Manufacture New Clipped Tag
CA – McMaster RFID Lab Launched
WW – Defending Data Will Be IT Managers’ 2007 Focus
AU – Australian Tax Records Illegally Accessed By ATO Staff
UK – Blair Defends National ID, CCTV, DNA Database
WW – Privacy Chiefs Vow to Fight Surveillance Together
UK – Information Commissioner’s Report Raises Concerns About Social Profiling
CA – BC Auto Insurer Shelves Black Box Plan
WW – IBM Touts Smart Surveillance System
WW – Tor Network Privacy Could Be Cracked
WW – Intel Drafts Privacy License for Mobile Device Software
US – US Customs Announces Massive New Database on Trucks and Travelers
US – FTC Chair Says She Opposes New Laws for Technology
US – FTC Commissioner: Companies Should Self-Regulate
US – Survey: One In Four Managers Google Job Candidates
NZ – New Zealand Workplace Privacy Among the World’s Worst: Study
AU – Australian Union Says GPS in Trucks “Unacceptable Threat to Privacy”
Joining
The
The
The office of the Privacy Commissioner of
Ancestry.ca, an online website for Canadian family
history records, announced it has released the first complete index of the 1851
Census of Canada. Ancestry.ca is the only source where all publicly available
Canadian census collections from 1851, 1901, 1906 and 1911 are fully-indexed
and searchable online. The launch of the 1851 Census of Canada collection
allows virtually anyone with a computer and an Internet connection to access
this information and view actual images of original census documents. The
addition of the 1851 census to the Ancestry.ca historical records collection
gives Canadians access to an additional 1.4 million Canadian names and more
than 85,000 images and actual census documents. The site also offers the only
online collection of vital records from Ontario and British Columbia as well as
a plethora of digital content from the US, UK, Scotland and Wales, including
the entire U.S. Federal Census Collection from 1790-1930. [Source]
Speaking on a panel at the “Protecting Consumers in
the Next Tech-Ade” hearings, Jeff Fox, technology editor at Consumer Reports,
revealed the results of an online survey. The ConsumerReports.org study found
that 72% of consumers are worried about the security of their personal and
financial information online. The report also found that 64% said they always
use the same credit card when making online purchases and about 70% use the
sites’ privacy policies. [Source] [At FTC Hearing, Privacy
Policies Bomb]
Six international groups involved in spam-fighting
have joined forces on gathering information and resources. The
StopSpamAlliance, launched last week, is designed to encourage more global
co-operation. The organizations involved are APEC, the European Union’s CNSA
(contact network of spam-enforcement authorities), the ITU, the London Action
Plan, the OECD and the Seoul-Melbourne Anti-Spam group. [Source]
An HBO documentary on the risks of voting machines
aired Thursday November 2. As the election approaches this is becoming a
significant issue. In the 2000 presidential election, an electronic voting machine
withheld over 16,000 votes for Al Gore. [Source] [Source] [Source] [Diebold’s rebuttal]
After tests demonstrated that certain electronic
voting machines could allow data to be intercepted from 20 or 30 meters away,
the Dutch General Intelligence and Security Service (AIVD) has ruled that the
1,200 machines manufactured may not be used in next month’s elections. Certain
municipalities will have to vote with pencil and paper, though others may
choose to use other voting machines. Some people have claimed that some machines
made, which account for 90% of voting machines used in the country, are vulnerable
to hacking, but AIVD testing found no significant threat. [Source]
[Background]
The UK Identity and Passport service has selected
Cryptomathic’s PKI technology for its national ePassport scheme. Cryptomathic’s
module is responsible for generating all cryptographic data, then encrypting
the data files in a Hardware Security Module (HSM) provided by nCipher and
forwarding them to a production site where the data is securely loaded onto the
passport chip. [Source]
At the Internet Governance Forum (IGF), a diverse group of stakeholders
has agreed to launch a Dynamic Coalition on Privacy, which will address
emerging issues of internet privacy protection such as digital identities, the
link between privacy and development, and the importance of privacy and
anonymity for freedom of expression. It will initiate an open process to
further develop and clarify the public policy aspects of privacy in internet
governance. Participants in
EU commissioners are considering breach notification rules
that would require some companies to notify affected customers and regulators.
Some experts believe that it is time for the EU to adopt U.S.-style breach
notification laws. [Source]
[EU
proposes US-style data breach laws]
A new survey, conducted simultaneously in
Thirteen countries were singled out by Reporters
Without Borders as the worst culprits for systematic online censorship and were
targeted in the group’s 24-hour online protest. The 13 countries were
In an effort to reduce identity theft, banks are no
longer using Social Security numbers, names and addresses to verify their
consumers. Instead, some financial institutions are using details such as the
color of a consumer’s car, father-in-law’s name and other personal details
gleaned from public and private databases. Some privacy advocates say the new
practice could violate consumer privacy. One specific concern voiced by the
Privacy Rights Clearinghouse is the consumer’s lack of control over how the information
about them is used. [Source]
The Association for Payment Clearing Services said
that
Race watchdogs are to investigate the national DNA
database over revelations that up to three quarters of young black men will
soon have their profiles stored. The chairman of the Commission for Racial Equality
(CRE) vowed to examine whether the database breached race relations laws following
the findings by The Sunday Telegraph. “This is tantamount to criminalising a
generation of young black men,” he said. An estimated 135,000 black males aged
15 to 34 will be entered in the crime-fighting database by April, equivalent
to as many as 77% of the young black male population in England and Wales. By
contrast, only 22% of young white males, and six per cent of the general
population, will be on the database. [Source] [DNA pioneer voices concern over database]
[DNA pioneer accuses the police of being overzealous]
According to a report in The Guardian, the medical
records of as many as 50 million
Tasmanian pharmacies have had a breakthrough in their
push for a software program to track people who are buying cold and flu tablets
to make illegal drugs. The program, called Project Stop, has been rolled out in
Spear phishers targeted employees at
Starbucks
Announces Missing Laptops Contain PI on Employees: Four
laptops that contained personal information on 60,000 employees in the
US – Scrubbed
Laptop Still Held Sensitive Data: A laptop computer that used to
belong to Intermountain Healthcare in
US –
US – Army
Command Laptop Missing: The Army’s Accessions Command
in
CA
– Stolen
In an effort to give citizens as much control over new
smart cards the government will introduce in 2008, Human Services Minister Joe
Hockey announced this week that legislation will be introduced next year that
would ensure that the cardholders have legal ownership of them. The legislation
would prevent the card from serving as a form of identification. The new
high-tech cards, which will contain a microchip, will replace 17 health and
social services cards, including the Medicare card, healthcare cards and veterans’
cards. The cards will have the person’s name and digital photo, but not their
address and birth date. [Source] [Smartcards to get privacy ID protection]
[Access card to be owned by user]
The owner of Compulinx Managed Services and his nephew
have been indicted on fraud and conspiracy charges. The pair allegedly used
Compulinx employees’ and customers’ personal information to falsify information
on applications for loans, credit cards, and credit lines. [Source]
TRUSTe and sponsors representing content and search
providers, anti-spyware vendors and online advertisers announced that software
publishers may begin submitting requests to join the Trusted Download Program,
a program to certify consumer downloadable software programs. The Trusted
Download Program aims to provide market incentives for adware and trackware
companies to clearly and unavoidably communicate key functionalities and obtain
informed consumer consent prior to download. “Consumers want control and
transparency over the collection and use of their personal information,” said
Peter Cullen, chief privacy strategist, Microsoft Corp. “TRUSTe’s Trusted
Download Beta Program will help software developers empower consumers with this
kind of control.” [Source] [Trusted Download website] [Microsoft
to combat internet fraudsters]
PhishTank, a group that monitors phishing sites,
released its October statistics, which found that the
A recent study by researchers at the
The volunteers behind the Phishing Incident Reporting
and Termination Squad have started a new project to crack down on malware. It
is called the Malware Incident Reporting and Termination Squad, according to
Paul Laudanski, owner of Computer Cops LLC and the leader of the project. [Source]
The FBI is cracking down on an international identity
theft operation that involves the trading of social security numbers, the sale
of stolen credit card account information, and phishing. Called Operation
Cardkeeper, the investigation has brought about the arrests of more than a
dozen people in the United States and other countries who are members of online
communities that specialize in “carding,” the trafficking of stolen identities
and credit card and bank account information. [Source] [Source]
The highest appeal court in
A new startup, ReputationDefender, will act on your
behalf by contacting data hosting services and requesting the removal of any
materials that threaten your good social standing. Any web citizen willing to
pay ReputationDefender’s service fees can ask the company to seek and destroy embarrassing
office party photos, blog posts detailing casual drug use or saucy comments on
social networking profiles. [Source]
In a settlement with the FTC, Zango Inc. has agreed to
pay a $3 million fine to the FTC. It has also agreed to clearly notify
consumers and seek their consent before installing its software, which critics
call “adware,” onto Web surfers’ computers. The company said it would also make
it easier for consumers to remove the software. [Source] [FTC to Pressure Adware Advertisers]
[FTC Decision]
The Federal Trade Commission (FTC) this week announced
an agreement with Yesmail for alleged violations of the CAN-SPAM Act that
involved failure to honor consumers’ unsubscribe requests. The company has
agreed to pay a $50,717 civil penalty. The FTC’s complaint alleged that Yesmail’s
spam filtering software treated some recipients’ “reply to” unsubscribe
requests as spam. As a result, Yesmail allegedly failed to process unsubscribe
requests. The company sent thousands of commercial emails to recipients more
than 10 business days after their unsubscribe requests. The CAN-SPAM Act
requires commercial emailers to offer recipients a way to opt-out and to
process those unsubscribes within 10 business days. [Source] [FTC Hits Telemarketers
With $500K Fines]
A lawsuit has been filed against the Sisters of St.
Francis Health Services Inc. for allegedly violating HIPAA regulations and
failing to promptly notify individuals whose data were compromised in a
security breach last summer. The lawsuit was filed by one man on behalf of all
those whose data were exposed. The suit seeks damages for each individual
affected in the amount of no less than US$5,000. The breach occurred in July
2006 when a contractor working for the hospital left CDs containing personally
identifiable information of 260,000 patients and other people associated with
the hospitals in a laptop case that was returned to a store. Those affected
were not notified of the breach until October. [Source]
[Source]
Marnlen RFID, based in
McMaster University has officially launched its new
radio frequency identification lab, a $750,000 venture into asking not only “can
we” about new technology, but “should we?” Pankaj Sood conceived the centre
while finishing Mac’s graduate degree in engineering entrepreneurship and
innovation. “This is a way of knowing where your assets are at all times, but
we also want to take a holistic view,” he said. “Rather than just looking at
the technology itself, we’ll cross disciplines here and look at public policy issues
as well.” Some of those issues can be especially thorny – RFID technology is
used in the transponders that track vehicles on Highway 407 – raising questions
in some minds about “Big Brother” tracking our smallest movements. Florence
Nguyen, spokesman for the Office of the Privacy Commissioner of
Regulatory requirements and increasing consumer concerns
about information security breaches are making data-level security controls a
top priority for 2007, according to IT managers at the Computer Security
Institute trade show held this week. After years of implementing technologies
such as firewalls and intrusion-detection systems to keep network perimeters
safe, companies now must move similar controls down to the data level, they
said. “The data now matters above everything else.” [Source]
The tax records of hundreds of Australians have been
illegally accessed by Australian Taxation Office staff over the past two years.
Breaches include spying on clients’ records and unauthorized access of data systems.
917 taxpayers have had their records inappropriately accessed by ATO staff
since October 2004 and high-profile celebrities and sports stars may have been
affected. Assistant Treasurer Peter Dutton, who tabled the figures in
Parliament this week, said the ATO took its responsibilities of protecting taxpayer
information very seriously. “The ATO’s systems have comprehensive audit trails
and … investigations are conducted to identify unauthorized access or
modification of taxpayer records,” he said. [Source]
Blair says ID cards will be used to fight crime: Tony
Blair revealed a secret plan to check the fingerprints of every adult in the
country to see if they have been involved in a crime. Police will be allowed to
trawl through fingerprints given by anybody signing-up for a controversial ID
card. The Prime Minister said that up to 900,000 unsolved crimes could be
solved by comparing fingerprints left at the scene with entries on the new
database. But the revelation outraged civil liberties groups who said Mr Blair
was effectively turning every person in the country into a suspected criminal.
In the future, they warned, people would be ‘all presumed guilty until proven
otherwise.’ [Source] [Blair defends national ID, CCTV, DNA database]
[Blair dismisses civil rights argument against ID cards]
[British Prime Minister Speaks About Biometric ID Cards]
Last week during the annual Conference of Data
Protection and Information Commissioners in
More databases means more profiling - at least that’s
one concern raised in a report commissioned by Information Commissioner Richard
Thomas. The report analyzes surveillance in the
ICBC has quietly ditched its plan to install black box
data recorders in the cars of some volunteers to monitor their driving habits.
It would have signaled a potential move toward broad use of electronic data
recorders, following in the footsteps of an
IBM Corp. hopes to capitalize on the enormous growth
in video surveillance by selling technology from its research labs that
performs real-time analysis on footage captured by security cameras in stores
and sensitive locales. Several companies already offer systems that can alert
security guards if something unusual appears to be going on – such as someone
entering an off-limits room or a jewelry store employee leaving a key in a
display case. But IBM contends that it is the first to add advanced search
functions that make use of computers’ improving ability to recognize video
content. For example, the IBM system would let a user search for all instances
of a green car passing by a store on a certain day. [Source] [Source]
[IBM’s digital video surveillance services]
Tor, a peer-to-peer network of routers that lets users
keep their IP addresses private as they connect to Web servers, isn’t as ironclad
as some might think, according to a recent report from Danish research firm
FortConsult. For legitimate users, the findings mean a malicious hacker could
potentially invade their privacy. For those who use Tor to mask fraudulent
activity, however, it means investigators could develop the means to uncover
their tracks. The report
explains how hackers could compromise the system’s anonymity by interfering with
traffic passing through Tor’s exit server. [Source]
Intel has attached a privacy license to its new
location-aware software product, intended to protect cell phone users’ personal
information as mobile devices increasingly rely on tracking technology to provide
targeted services. Installed on a smart phone or ultramobile PC, location-aware
software can use Global Positioning System technology to produce tailored information
like driving directions, nearby restaurants and movie schedules. The downside
of that feature is that handsets can double as tracking devices if location
data is not kept private. The abuse of such access could range from civil
liberties violations to physical threats in the cases of vulnerable people like
battered spouses, Intel fears. So, Intel has added a privacy addendum to the
Eclipse Public License it uses for the software application called Privacy
Observant Location System (POLS), according to a posting on Intel’s
Web site by John Miller, the privacy and security policy manager of Intel’s
corporate technology group. The addendum says that vendors must inform the
end-user what information is recorded and how long it is stored, and it
requires developers to include opt-out capability so users can change those
settings, Miller said. [Source]
[Addendum]
US Customs and Border Protection issued a notice in the Federal
Register this week which detailed the agency’s massive database that keeps
risk assessments on every traveler entering or leaving the country. Citizens
who are concerned that their information is inaccurate are all but out of luck:
the system “may not be accessed under the Privacy
Act for the purpose of contesting the content of the record.” The system in
question is the Automated Targeting System, which is associated with the
previously-existing Treasury Enforcement Communications System. TECS was built
to screen people and assets that moved in and out of the
The head of the FTC voiced reluctance toward adopting
consumer protection laws that target technological concerns du jour, saying the
“collective voice” of consumers often prompts change. Deborah Platt Majoras,
the agency’s Republican chairwoman, said she prefers relying on a combination
of existing laws, vigorous competition and user pressure to address complaints
about new products or potentially worrisome uses of technology. Majoras made
the remarks at the start of a 3-day FTC event, “Protecting Consumers in the
Next Tech-ade.” [Source]
[Source]
The FTC will not shy away from using its powers to
bring actions against online fraudsters, said an FTC commissioner during Day 2
of the “Protecting Consumers in the Next Tech-Ade” hearings. However, companies
have a role to play by self-regulating their practices or contributing to
education efforts, according to the commissioner. Online advertising that
targets consumers based on Web surfing habits presents increased challenges for
regulators in “a growing media universe,” said FTC Commissioner J. Thomas
Rosch. [Source] [FTC Commissioner Urges Congress to Grant Agency Expanded Authority To Impose Civil
Penalties On Spyware Distributors] [Consumerists Want FTC Probe of Online Advertising]
[FTC Chief Warns Against ‘Unnecessary’ Net Rules]
uGoofed: Internet background
checks costing people jobs: A survey by CareerBuilder.com finds that one in
four managers use Internet search engines to check up on job candidates. Even
more potentially troubling for job candidates is the impact the searches are
having on hiring decisions. More than half of the candidates fail to make the
cut after the online prowling. Experts are reminding students to think twice
before revealing information online that could impact their future career
success. The Careerbuilder.com survey pointed to the following information they
discovered on the Web that caused them to deny hiring of potential employees:
New Zealand workplaces have been fingered as allegedly
among the world’s worst for prying on staff, but employers deny being nosier
than most. A British-based organization, Privacy International, has given
Telstra’s largest union, the Communications,
Electrical and Plumbing Union (CEPU) has claimed that the installation of GPS
systems linked to field workforce management tools pose an unacceptable threat
to employee privacy. The CEPU has called for a halt to installations of the
equipment until clear guidelines about its use can be agreed on. It has also
advised its members not to consent to having these devices placed in their
vehicles. [Source]