Privacy News Highlights
08–14 June 2007
Contents:
EU – EU Backs Biometrics Visa Database
EU – Germany Adds Digital Fingerprints to Passports
EU – BioTesting Europe Initiative Launched
IN – Indian Govt Plans Biometric IDs for Slum Tenants
CA – Spy Watchdog Issues Annual Report, Says ‘Troublesome’ Law Hampers His Work
CA – Quebec: Sur Internet, protéger son identité... c’est essentiel ! (Protecting Your Identity Online Is Essential)
WW – Online Shoppers Willing to Pay for Privacy: Study
CA – Two Out of Three Canadians Are Concerned About Identity Theft: Survey
WW – Survey Indicates More Uneasiness About ID Theft
WW – Canada Less ‘E-Ready’ Than Ever
CA – Information Management Comes to the Lac Carling Table
US – Standards Body Drafts Guide on Preventing Data Breaches
EU – New EU Report Critical of Sharing PNR Data With U.S.
UK – Government Agrees to Enhanced Powers for UK Information Commissioner
WW – Phishers Like URL Multiplying Techniques
CA – Demand for Data Loss Liability Coverage Growing
UK – UK Report Calls for More Access to Public Data
US – New York Assembly Passes DNA Database Expansion Bill
US – E-Health Records Raise Privacy Alarms
US – Hackers Access Personal Info on 6,000 UVA Faculty
US – Breach Results from Installation of File-Sharing Software on Pfizer Company Laptop
CA – Canada Quietly Paving Way for National ID Card: Researchers
CA – Government Delays Tougher ID Rules for Young Flyers
US – TRUSTe Unveils New Look for Certification, Seal Programs
WW – Privacy International Report Ranks Google at Bottom of List for Privacy Protection
US – Privacy Groups File Amended Google/DoubleClick Complaint with FTC
WW – Google Compromises With EU Over Data Retention and Privacy Concerns
EU – ENUM Service Launches in Ireland
WW – OECD Recommends Cross-Border Co-operation in Enforcement of Privacy Laws
NZ – New Zealand Mulls Security Breach Notification
IN – India to Establish Data Privacy Watchdog
US – CDT Urges Removal of REAL ID Language from U.S. Immigration Bill
US – CDT Applauds Oversight of Warrantless Snooping
EU – RFID Technologies: Emerging Issues, Challenges and Policy Options
EU – Large German Clothes Retailer Rolls Out Major RFID Pilot
CA – Ontario Privacy Chief Issues Security Guide for Wireless Video Surveillance
US – FBI: Millions of Computers Infected, Controlled by Hackers
UK – Survey: Almost Half of Employees Would Steal Data
MX – Smart Card Driving License Program to Be Deployed in Mexico
US – Union Sounds Alarm Over Background Checks for New ID
US – Secret Surveillance Evidence Unsealed in AT&T Spying Case
UK – ChoicePoint Subsidiary Rolls Out License Plate Tracking System in UK
US – T-Mobile: Don’t Legislate Consumer Privacy Rules
US – Lawmakers Move to Halt Funds for Data-Mining Plan
US – More U.S. States Rejecting REAL ID Plan
US – FBI Finds It Frequently Violated Law in Data Collection
US – U.S. Congress Designates June as Internet Safety Month
US – House So Serious About Spyware, It Passes Two Competing Bills
The European Parliament, on 7 June 2007, backed
proposals to set up a European Visa Information System (VIS), set to be the
world’s largest biometric database. The text is the result of an agreement with
the Council, so the legislative process has been completed at the first-reading
stage. Detractors claim, however, that the system heralds an ever-encroaching ‘Big
Brother’ threat to citizen privacy, and the Conservatives have called for
Britain to opt out. [Source]
See also: [DNA
data deal ‘will create Big Brother Europe’]
Germany will store digital fingerprints in addition to
digital photos in passports as one of several biometric security measures
planned to fight organized crime and international terrorism. All new passports
issued from November will store two digital fingerprints in an embedded chip,
which, since 2005, includes a digital photo. While fingerprints will be stored
exclusively in passport chips, photos will continue to be saved additionally in
databases of local authorities. A new amendment gives police and other
authorized government officials online access to these databases. Moves by the
German government to digitize increased levels of personal data and link
databases among authorities have led to an outcry by some groups, including
federal and state data privacy commissioners. At a meeting in Dusseldorf last
week, the commissioners criticized the government’s programs that amass
personal data, including telephone records, and its plans to give greater power
to police officials to monitor terrorists and other criminals online by
allowing them to hack into computers. In 2008, the German government plans new
ID cards for all citizens with the same biometric features. [Source]
A major European FP6 project known as BioTesting
Europe has been officially launched in a bid to meet the European Commission’s
objective of establishing European interoperability within large scale cross
national identity management systems, such as passports, visas, ID cards and so
on. The European Biometrics Forum is leading BioTesting Europe along
with other experts in biometrics systems and standards and testing, including
the National Physical Laboratory (UK), Fraunhofer IGD (Germany) and DG Joint
Research Centre (European Commission, Italy). A BioTesting Europe website http://www.biotestingeurope.eu has
also been launched. According to EC policies, a coherent approach and
harmonized solutions on biometric identifiers and data are necessary in the
fight against illegal immigration and to improve the security of the European
citizens. According to the EBF, although much work has been done in the area of
independent testing of biometric systems, there are still many issues to be
resolved due to a fragmentation of effort and a lack of coordinated input by
end users. To improve this situation, BioTesting Europe aims at setting up a
framework for a European network of testing laboratories for performance and
interoperability testing and security evaluation of biometric systems. The
objectives of the project include outlining the need for testing and
certification schemes, making an inventory of existing capabilities, mapping
user requirements and defining the business case. The BioTesting Europe project
will be completed early next year. [Source]
See also: [Eight New Biometric Standards Enhance Passports, Financial Services, Conformance Testing, and Defense Applications]
The Indian government is considering issuing biometric
identification cards to slum dwellers who will need to produce it for all
transactions involving government housing, in a bid to prevent the resale or
unscrupulous use of proposed rehabilitation units. The cards will help the
government in authenticating the identity of the rehabilitated slum residents
who will get the biometric cards when they are handed over low-cost government
housing. It will also ensure that the housing and the rights to it are handed
over only to genuine slum dwellers. [Source]
The watchdog over Canada’s secret eavesdropping agency
chided the government Tuesday for failing to amend a fuzzy law he says keeps
him in the dark. In his first report to Parliament, Charles Gonthier lamented
his office is still not getting the information it needs to be sure the
Communications Security Establishment is obeying the rules. At issue is the
information the clandestine spy outfit provides when seeking ministerial
permission for sensitive operations. The stumbling block raises questions about
whether Gonthier, a former Supreme Court justice who serves as CSE
commissioner, can provide full assurances the CSE is respecting the privacy of
Canadians. “The legislation lacks clarity and it ought to be amended,” Gonthier
said in his annual report. Gonthier also raised concerns about the CSE’s
authority to disclose personal information to certain federal agencies, such as
the RCMP. The report says the CSE acknowledged that “further in-depth analysis” of this
question is required. [Source]
Monday marked the launch of the first Quebec Information Security and
Personal Information Protection Week, which runs from 11 to 15 June under the
theme «Sur Internet, protéger son identité... c’est essentiel !» (“Protecting
your identity online is essential”). The campaign aims to make Quebec internet
users, a large share of the population, aware of how to browse the web safely,
protect their identity and personal information, and carry out electronic
transactions securely. Citizens have an important role to play in securing and
protecting the personal information they exchange on the Internet and that
resides on their computers. To better inform internet users and give them
practical advice, several tools will be made available to them, notably a blog
(www.isiq.ca) written by a collective of authors and promoted by a network of
bloggers from their own blogs, and an electronic guide. [Source]
Many shoppers are prepared to pay a premium to protect
their privacy when buying from an online retailer, a new Carnegie Mellon
University study suggests. Researcher Lorrie Cranor, director of the Carnegie
Mellon Usable Privacy and Security Labs, said U.S. consumers are willing to pay
as much as 60 cents extra when making a $15 purchase for privacy protection. [Source] [Source] [Source] [P3P Study]
The first edition of a cross-Canada survey on identity
theft shows that two out of three Canadians are concerned about the identity
theft trend, while four in ten believe they will likely be victims of identity theft
in the years ahead. The study found that 60% of Canadians have taken measures
to protect themselves against identity theft. In fact, 45% of Canadians have
purchased a shredder; 30% have had a home alarm system installed; 30% have
rented a safety-deposit box from their financial institution; and 18% have made
a serious effort to find out more about preventing identity theft. The main
reasons cited by those who have taken no action to guard against identity theft
are: they don’t feel the need to (38%); they don’t know enough about it or how
to protect themselves from it (28%); or they don’t think it’s possible to
prevent it (18%). [Source]
The Identity Theft Resource Center and shredder
manufacturer Fellowes Inc. conducted a survey that found 59% of respondents
said they felt vulnerable to identity theft, compared to 50% in 2006. However,
the survey indicates that more Americans are taking precautions against ID
theft. For example, 71% of respondents are shredding documents containing
personal information, up from 66% in 2006. [Source]
According to the Economist Intelligence Unit/IBM 2007
global e-readiness ranking, Canada dropped from 6th to 13th
place globally because of a slightly lower social and cultural environment
score, and a lower score for government policy and vision than other
developed-market peers. The decline is also due to methodology changes
this year, including the introduction of new categories, and to gains by less
advanced countries. [Source]
Canadian government I&IT executives recognize that
data disorder in the public sector is unsustainable. “Information management
bubbled up near the top as one of the things we need to work together on at the
recent Lac Carling conference,” said a Peel Region CIO. “What we’re
finding is that as it gets more attention within individual jurisdictions,
people are starting to be given significant roles to make sense of the
information we manage.” Instead of working in isolation, a new sub-committee
has been formed to develop common standards and guidelines across all levels of
government, he says. [Source]
NIST has released a draft of its new guide to better
protect federal agencies from data breaches. The 387-page guide is designed to
help agency technical teams evaluate whether the security controls they have
actually work as intended to protect information systems from being
compromised. It is designed as a companion to an earlier publication on minimum
security controls for federal information systems. That guide defines the
different security controls required by the federal government – including
encryption, identification and authentication of users, access control to
systems, personnel security and physical security. The latest publication lists
the different security measures and explains how to test them. For example, for
continuity of operation requirements, the report outlines how to determine if
an agency really has developed a plan, if people understand it and if it has
been distributed to the right people within the organization. [Source]
See also: [Encryption:
Not the End-All Fix for Data Privacy]
The Lords EU committee has issued a report calling for
stronger restrictions on sharing passenger name record (PNR) data with the U.S.
The report indicates that the PNR data must be collected and analyzed
accurately. It also should be used only to investigate terrorism, according to
the report. The study comes as the U.S. and EU authorities seek to reach a new
agreement about the sharing of information on European airline passengers with
U.S. authorities. The report indicates that airlines must inform their
customers about what happens to their information, including who receives it. [Source]
See also: [EU data
watchdog criticizes states for sacrificing privacy rights] [Privacy chief warns EU on terror laws]
According to this article in the Mondaq newsletter,
the UK government has agreed in principle that the UK Information Commissioner
should be granted additional authority to conduct compliance audits of public
and private sector organizations’ compliance with the Data Protection Act of
1998. The UK’s Information Commissioner, Richard Thomas, has discussed the need
for more authority with the Home Office, the Lord Chancellor and the Department
of Constitutional Affairs. [Source]
In April 2007, the number of unique phishing websites
detected by APWG was 55,643, a 166% rise from the previous month and 48% above
the previous high for phishing URLs (October 2006). The trend is clearly
upward, yet it does not follow the total number of unique phishing reports
submitted to APWG: that figure is steady, and, surprisingly, known mirror sites
are more numerous than known attacks. The APWG report explains the huge
number. As in late 2006, phishers have again started using the tactic of
putting large numbers of mirror sites, as many as thousands, on the same
domain. Typically, URL multiplying techniques involve the apparently automated
creation of subdomains (xxxx.fakedomain.com) to establish discrete hosts for
phishing sites, or the use of different directories on the same domain
(xxxx.fakedomain.com/xxxx). Criminals do this in an attempt to get around the
website blocking that Internet Explorer 7.0 and Firefox 2 have deployed to
protect consumers from fraudulent sites. [Source]
[Report]
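The defensive consequence of URL multiplying is that a blocklist keyed on exact URLs grows with every generated subdomain or directory, while one keyed on the registered domain does not. The following added example (written for this digest, not code from APWG or from any browser vendor) groups a constructed feed of phishing URLs by registered domain, flags domains whose distinct-URL count looks like a multiplication campaign, and compares the blocklist size at each granularity. The feed, the `.example` domain names and the threshold are all constructed for illustration; the naive "last two labels" rule for the registered domain is an assumption that a real blocklist would replace with the Public Suffix List.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample feed (not real APWG data): several URLs in the
# "URL multiplying" pattern, plus one ordinary phishing URL on a single host.
SAMPLE_URLS = [
    "http://a1b2.fakedomain.example/login/",
    "http://c3d4.fakedomain.example/login/",
    "http://e5f6.fakedomain.example/login/",
    "http://fakedomain.example/bank1/",
    "http://fakedomain.example/bank2/",
    "http://www.otherphish.example/secure/",
]


def registered_domain(host):
    """Naive eTLD+1: the last two labels of the host name.
    Assumption: a production blocklist would consult the Public Suffix List
    so that a host such as x.co.uk is not collapsed to co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def summarize(urls, threshold=3):
    """Group URLs by registered domain.

    Returns (summary, multiplied): summary maps each registered domain to
    its number of distinct URLs and distinct hosts; multiplied is the set of
    domains whose distinct-URL count reaches `threshold`, i.e. the ones that
    look like a multiplication campaign rather than a single phishing page.
    """
    hosts = defaultdict(set)
    urls_by_domain = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        if not parts.hostname:
            continue  # skip malformed feed entries
        host = parts.hostname.lower()
        domain = registered_domain(host)
        hosts[domain].add(host)
        urls_by_domain[domain].add((host, parts.path))
    summary = {
        domain: {"unique_urls": len(urls_by_domain[domain]),
                 "unique_hosts": len(hosts[domain])}
        for domain in urls_by_domain
    }
    multiplied = {d for d, s in summary.items() if s["unique_urls"] >= threshold}
    return summary, multiplied


def blocklist_size(urls, per_domain):
    """Number of blocklist entries needed to cover every URL in the feed:
    one per exact URL, or one per registered domain when per_domain is True."""
    summary, _ = summarize(urls)
    if per_domain:
        return len(summary)
    return sum(s["unique_urls"] for s in summary.values())


if __name__ == "__main__":
    summary, multiplied = summarize(SAMPLE_URLS)
    for domain, stats in sorted(summary.items()):
        flag = "MULTIPLIED" if domain in multiplied else ""
        print(f"{domain:25} urls={stats['unique_urls']} "
              f"hosts={stats['unique_hosts']} {flag}")
    print("per-URL entries:", blocklist_size(SAMPLE_URLS, per_domain=False))
    print("per-domain entries:", blocklist_size(SAMPLE_URLS, per_domain=True))
```

On the constructed feed the per-URL list needs six entries and the per-domain list two, and `fakedomain.example` is flagged as multiplied. The trade-off a blocklist operator has to weigh is collateral damage: blocking at the registered-domain level is exactly wrong for shared hosting or free subdomain providers, where one abusive subdomain sits beside many legitimate ones, which is why the Public Suffix List caveat in `registered_domain` matters in practice.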
The rapid increase of insider-related security
breaches and of stolen computer equipment and data storage devices has unnerved
the Canadian business community, creating a greater demand for data loss
liability coverage products, says Aon Financial Services Group Canadian
Advisory. “Under lock and key: risk transfer solutions to limit liability for
security and privacy data breaches” explains that while commercial general
liability (CGL) policies may appear to provide some coverage for third-party
losses, some U.S. courts have recently ruled that data is not considered
tangible property under certain CGL policies and, as a result, have excluded
coverage. While most litigious activity involving data security breaches is
initiated in the U.S., Canadians are catching on quickly, the report warns. “Class
action lawsuits have been filed against Winners and HomeSense in six provinces
for damages arising out of the TJX security breach,” the report says. “The
costs in connection with the potential liability to third parties for privacy
and data breaches due to corporate negligence, is a growing concern.” As a
result, a number of insurance carriers have developed specific privacy and data
loss liability coverage products that provide coverage for businesses when data
in their care and control is compromised. [Source]
See also: [Lawsuits
mounting over massive data breach at TJX Cos.] and [Texas Businesses held
liable for identity theft] [National
retailers sued over credit card receipt details] and [ChoicePoint
details data breach lessons: Assume every piece of information is “potentially
fraudulent,” CIO says] [Who’s Liable When
Private Data Is Improperly Disclosed?] [TJX data
theft leads to money-laundering scam] and also [Websense
Unveils Data Leak Prevention Software]
Government must do more to embrace Web 2.0 tools and
communities, says a UK report commissioned by the Cabinet Office. The report
said that some public data, such as post codes, was already widely used but
much more could be done to open up access to official information. It said
public data should be published in open formats to encourage use. [Source]
Lawmakers in Albany are making progress toward
expanding the state’s DNA database to include all convicted criminals,
including misdemeanor offenders. The Assembly passed a DNA expansion bill this
week that includes all crimes. The bill is similar to a Senate bill, so both
will go to a conference committee of top lawmakers to compromise on a single
version. That would then go to Governor Spitzer. The governor proposed
expanding the database as a law enforcement tool and as a way to exonerate the
innocent. [Source]
Privacy groups are sounding alarms as the nation’s
largest insurance companies finalize plans to allow millions more customers to
post their health records on the Internet. Insurers like Hartford-based Aetna
Inc. say Web-based tools help patients and physicians keep track of medical
information while potentially holding down spiraling medical costs. But privacy
advocates say there’s no guarantee that the records will be safe from hackers.
Some worry that patients may refuse to disclose some illnesses to their doctors
to keep documents out of databases. Aetna, which offers personal health records
to its customers, says security procedures include a member login and an online
registration Web site with secure sign-ons. In addition, customers can restrict
elements of their records from being shared among health practitioners. The
Hartford-based insurer said personal health records are protected by the same
security technology that is used for online banking. [Source]
[Health
analysts see need for health data steward] [Privacy
arguments follow rollout of electronic health records] See also: [SSHA
to use Ontario Hydro One Network]
About 6,000 current and former University of Virginia
(UVa) faculty members are being notified that their names, SSNs and birth dates
may have been stolen by computer hackers between May 2005 and April 19 of this
year. The stolen data includes information on former faculty members who taught
at the school as well as 2,100 current faculty members. Other information might
have been included in some of the records, such as race, marital status, hire
date, tenure date, tenure status, departmental affiliation and address, place
of birth, employment history, and academic matriculation. All current faculty
whose records were exposed have been notified, according to the university,
while former faculty members who were affected are still being contacted by
postal mail and e-mail. The university is offering one year of free credit
monitoring to those affected. A special telephone hotline and Web site have
also been established to provide additional information and assistance. [Source]
Pfizer has informed employees in a June 1 letter that
file sharing software installed on a company laptop led to the exposure of
personal information, including names and SSNs, for more than 17,000 current
and former employees. Pfizer also notified the New Hampshire attorney general
that data belonging to 15,700 employees was accessed and copied. The company
has notified the attorneys general in all the states where employees might be
affected by the breach. [Source]
See also: [Conn. AG Asks Pfizer to Take Steps to Protect Employees in Wake of Breach]
After abandoning plans for a national biometric ID
card three years ago, the federal government has been quietly developing other
documents that could pave the way for just such a card in the future, say
researchers who are studying the issue. And, they say, the work is proceeding
without any meaningful public awareness or input. The researchers, from the
University of Toronto and London School of Economics, presented their findings
at a workshop on national ID card systems this week at Queen’s University.
While Canada has not officially embarked on a national ID card scheme, “there
are clear signs that important changes are afoot in terms of new national
identity documentation and management measures,” they say. [Source]
Ottawa has eased the ID requirements for young people
flying this summer as it prepares to institute the national no-fly list. The
requirement for anyone who appears to be 12 or older to have at least one piece
of government-issued picture ID (passport, driver’s licence), or two pieces of
non-picture government ID (birth certificate), was supposed to take effect on
June 18. But last week, Transport Minister Lawrence Cannon announced the ID
requirements have been postponed until Sept. 18. Until then young people
between the ages of 12 and 17 will be allowed to board an aircraft with one
piece of non-picture ID. After that the full requirements of the new national
security program called Passenger Protect will take effect. [Source]
See also: [Federal Privacy Commissioner: No-fly list could be a nightmare] [Canada’s no-fly list worries activist] [Privacy commissioner ordered to testify at Air India inquiry]
For the first time since its launch 10 years ago,
TRUSTe is unveiling a new identity, complete with an updated seal. The group
certifies a site’s privacy practices, email address gathering practices,
marketing to children, compliance with privacy standards in the EU and Japan
and best practices related to adware and downloadable software. The group’s
icon is visible on 2,400 Web sites. TRUSTe has helped to resolve about 5,000
privacy disputes annually. To cover all of these diverse purposes, the group
has redesigned its icon and introduced new versions. [Source] [Ben Edelman]
Google’s privacy practices are the worst among the
Internet’s top destinations, according to a watchdog group seeking to intensify
the recent focus on how the online search leader handles personal information
about its users. In a report released last weekend, London-based Privacy
International assigned Google its lowest possible grade. The category is
reserved for companies with “comprehensive consumer surveillance and entrenched
hostility to privacy.” None of the 22 other surveyed companies - a group that
included Yahoo, Microsoft and AOL - received such a low grade, according to
Privacy International. While a number of other internet companies have
troubling policies, none comes as close as Google to “achieving status as an
endemic threat to privacy,” Privacy International said in an explanation of its
findings. Google did not comment on the report. A final report is due in
September. [Report] [Source] [Source] [Source]
[Google’s
Matt Cutts: Why I disagree with Privacy International] [The public
life of Google’s private data] [Google privacy counsel
acknowledges policy ‘is vague’] [Privacy
International calls meeting of Internet giants to reach accord on privacy]
[Can
A Search Engine Know Too Much?]
Privacy and human rights groups fired their latest
salvo this week in an ongoing battle with Internet giants over their collection
of personal data on Web users. A trio of groups announced the filing of an
amended complaint with the FTC over Google’s planned acquisition of online
advertising company DoubleClick. The groups (EPIC, CDD, U.S. PIRG) say the deal
will place too many details about private individuals into a single company’s
hands, without adequate protections. The amended complaint gives the FTC more
information about the way the “ability to behaviorally track or ... put
together a dossier on a consumer is incredibly magnified because of the
richness of these two data sets.” Too often, users do not even realize that
information such as their Web searches is being stored by companies
indefinitely. [Source]
Google has bowed to pressure from the E.U. and agreed
to cut back the amount of time it retains records of what people search for via
its market-leading search engine. In an apparent compromise deal with the EU
which had raised privacy concerns over the retention of such information,
Google has cut the time it stores user data to 18 months, the low end of what
it originally proposed to regulators in March. But Peter Fleischer, Google’s
global privacy counsel said in a letter addressed to the Article 29 Data
Protection Working Party in Brussels that any regulatory requirement to keep
data for less than 18 months would undermine Google’s services. “After
considering the Working Party’s concerns, we are announcing a new policy: to
anonymise our search server logs after 18 months, rather than the previously
established period of 18 to 24 months,” he said in the letter dated June 10th.
The server logs are the records in which web search histories are stored. [Source]
[Data retention laws do not cover
Google searches, says Europe] [Google
not covered by the Data Retention Directive] [EU Official Welcomes Google
Cutting Search History Retention]
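A retention commitment like the one above only means something if it is enforced mechanically against the logs. The following added example (written for this digest; it is not Google’s code and does not reproduce Google’s actual log format or transformation) runs a constructed set of search-server log lines through an 18-month cut-off: entries older than the cut-off have the last IPv4 octet zeroed and the cookie identifier removed, newer entries are left intact. The log line layout, the choice of last-octet truncation as the anonymisation step, and the `DEMO_NOW` date are all assumptions made for the illustration.

```python
from calendar import monthrange
from datetime import datetime

# Constructed sample of search-server log lines (not real data):
# "<timestamp> <client-ip> cookie=<id> q=<query>".
SAMPLE_LOG = [
    "2005-11-03T10:22:01Z 203.0.113.45 cookie=a1b2c3 q=flu+symptoms",
    "2006-01-20T08:00:00Z 198.51.100.7 cookie=d4e5f6 q=train+times",
    "2007-06-01T15:45:10Z 192.0.2.99 cookie=g7h8i9 q=privacy+news",
]

RETENTION_MONTHS = 18          # the retention period named in the article
DEMO_NOW = datetime(2007, 6, 14)  # constructed "current date" for the demo


def months_before(when, months):
    """Calendar-accurate 'months ago', clamping the day to the target month
    (so 31 March minus one month is 28 February, not an invalid date)."""
    month_index = when.year * 12 + (when.month - 1) - months
    year, month = divmod(month_index, 12)
    month += 1
    day = min(when.day, monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def anonymise_line(line):
    """Strip identifiers from one line: zero the last IPv4 octet and drop
    the cookie id, keeping timestamp and query for aggregate statistics.
    Assumption: last-octet truncation is one common anonymisation choice,
    not necessarily the transformation any particular operator applies."""
    timestamp, ip, _cookie, rest = line.split(" ", 3)
    octets = ip.split(".")
    if len(octets) == 4:          # IPv4 only; other forms are left as-is
        ip = ".".join(octets[:3] + ["0"])
    return f"{timestamp} {ip} cookie=- {rest}"


def apply_retention(lines, now, months=RETENTION_MONTHS):
    """Return the log with every entry older than `months` anonymised and
    every newer entry untouched."""
    cutoff = months_before(now, months)
    out = []
    for line in lines:
        stamp = datetime.strptime(line.split(" ", 1)[0], "%Y-%m-%dT%H:%M:%SZ")
        out.append(anonymise_line(line) if stamp < cutoff else line)
    return out


if __name__ == "__main__":
    for line in apply_retention(SAMPLE_LOG, DEMO_NOW):
        print(line)
```

With `DEMO_NOW` set to 14 June 2007 the cut-off falls on 14 December 2005, so only the November 2005 entry is rewritten. Note what the truncation does and does not achieve: the query text itself survives, and a query can still identify a person on its own, which is the point the privacy groups in the preceding items keep making.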
An ENUM service, which makes it possible to link
commonly-used internet addresses with traditional telephone numbers, has been
launched in Ireland. Electronic NUmber Mapping (ENUM), which is primarily used
in combination with VoIP, allows users to type a telephone number into a web
browser and retrieve the number-holder’s e-mail address, website URL, mobile
phone number or VoIP contact details. ENUM essentially maps phone numbers to
web addresses, so in theory, it allows someone to use one phone number to
receive texts, e-mails, and voice calls to both landlines and mobiles. An ENUM
entry can show a person’s preferred means of contact, which means callers can
then use the cheapest or most efficient way to contact that person. IENUM
Limited, a subsidiary of the IE Domain Registry (IEDR), the organisation which
doles out the dot-ie internet address, and of Internet Privatstiftung Austria
(IPA), the Austrian organisation which operates the dot-at domain name and
provided the first commercial ENUM registry service in the world, announced the
launch of the services this week. [Source]
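The mechanism behind the lookup described above is a DNS query: the phone number is turned into a domain name under e164.arpa, and NAPTR records at that name carry the contact URIs. The following added example (written for this digest, not IENUM’s or IEDR’s code) converts an E.164 number to its ENUM domain, parses NAPTR records in standard presentation format, and applies their substitution expressions in resolver order, all against a constructed zone held in a dictionary rather than a live DNS lookup. The number, the `example.net` contacts and the zone contents are constructed; the parser assumes the NAPTR regexp delimiter does not appear escaped inside the pattern.

```python
import re

# Constructed ENUM zone data (no real DNS lookup is made): NAPTR records for
# one number, in presentation format
# "order preference flags service regexp replacement".
SAMPLE_ZONE = {
    "8.7.6.5.4.3.2.1.3.5.3.e164.arpa": [
        '100 10 "u" "E2U+sip" "!^.*$!sip:alice@example.net!" .',
        '100 20 "u" "E2U+email:mailto" "!^.*$!mailto:alice@example.net!" .',
        '200 10 "u" "E2U+web:http" "!^.*$!http://www.example.net/!" .',
    ]
}

NAPTR_RE = re.compile(
    r'^(\d+)\s+(\d+)\s+"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"\s+(\S+)$')


def enum_domain(number):
    """E.164 number -> ENUM domain: keep the digits, reverse them,
    dot-separate them and append e164.arpa (RFC 6116)."""
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError("no digits in number")
    return ".".join(reversed(digits)) + ".e164.arpa"


def parse_naptr(rdata):
    """Parse one NAPTR record in presentation format into a dict."""
    m = NAPTR_RE.match(rdata.strip())
    if not m:
        raise ValueError(f"malformed NAPTR record: {rdata!r}")
    order, pref, flags, service, regexp, replacement = m.groups()
    return {"order": int(order), "preference": int(pref), "flags": flags,
            "service": service, "regexp": regexp, "replacement": replacement}


def apply_regexp(regexp, subject):
    """Apply a NAPTR substitution expression of the form
    <delim>pattern<delim>replacement<delim>[flags] to the subject string.
    Assumption: the delimiter does not occur escaped inside the pattern."""
    if not regexp:
        raise ValueError("empty regexp field")
    delim = regexp[0]
    parts = regexp[1:].split(delim)
    if len(parts) < 2:
        raise ValueError(f"malformed NAPTR regexp: {regexp!r}")
    pattern, replacement = parts[0], parts[1]
    return re.sub(pattern, replacement, subject, count=1)


def resolve_enum(number, zone):
    """Return [(service, uri), ...] for the number in the order a resolver
    would try them (ascending order, then ascending preference). Only
    terminal ("u" flag) records are turned into URIs."""
    records = [parse_naptr(r) for r in zone.get(enum_domain(number), [])]
    records.sort(key=lambda r: (r["order"], r["preference"]))
    return [(r["service"], apply_regexp(r["regexp"], number))
            for r in records if "u" in r["flags"].lower()]


if __name__ == "__main__":
    print(enum_domain("+353 1 234 5678"))
    for service, uri in resolve_enum("+353 1 234 5678", SAMPLE_ZONE):
        print(f"{service:18} {uri}")
```

Because these records live in the public DNS, anything placed in them (here a SIP address, an e-mail address and a web site) is readable by anyone who can construct the reversed-digit name, which is the privacy consideration behind listing this item in the digest: a number holder opting into ENUM is publishing a directory entry, and should populate it accordingly.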
OECD governments have agreed on a new framework for
co-operation in the enforcement of privacy laws. The initiative is motivated by
a recognition that changes in the character and volume of cross-border data
flows have elevated privacy risks for individuals and highlighted the need for
better co-operation among the authorities charged with providing them
protection. Embodied in the new OECD Recommendation
on Cross-Border Co-operation in the Enforcement of Laws Protecting Privacy,
the framework reflects a commitment by governments to improve their domestic
frameworks for privacy law enforcement to better enable their authorities to
co-operate with foreign authorities, as well as to provide mutual assistance to
one another in the enforcement of privacy laws. The work, conducted in close
cooperation with privacy enforcement authorities, was led by Jennifer Stoddart,
Privacy Commissioner of Canada. Background report and other materials at www.oecd.org/sti/privacycooperation.
[Source]
Privacy Commissioner Marie Shroff’s office has
conducted a survey that indicates that concern is mounting over data security.
In a 2001 survey, 49% said they were concerned or very concerned about the use
of data. But last year, that percentage rose to 56%. Shroff said her office is
watching carefully what approaches other countries take to security breaches.
She said her initial conclusion is that “something needs to be done,” according
to this Computerworld New Zealand story. [Source]
[Source]
[Source] [Privacy
Commissioner readies data-breach position] [Australia
Review of ID Theft Legislation]
A data privacy watchdog is to be set up in India to
oversee the country’s IT industry amidst international concerns about the
security of outsourced customer records and data. India does not have any data
protection law equivalent to that in the UK and there have been recent cases of
information being leaked from call centres to criminals who have then
blackmailed the companies involved. The Data Security Council of India (DSCI)
is being set up by Indian IT industry group Nasscom. [Source]
[India
To Launch New Data Security Council]
The Center for Democracy & Technology is calling
on the Senate to strike from the immigration bill language that would require
Americans to present a REAL ID card before they are permitted to work. Senator
Max Baucus (D-Mt.) is leading the effort to remove the REAL ID provision, which
represents the sort of dangerous “mission creep” that opponents of REAL ID have
long warned of. Although the REAL ID Act was not intended to create a national
ID card, the mandate in the immigration bill makes clear that it would be
difficult, if not impossible, to hold the line against widespread use of the
cards for other governmental and private purposes. The American Association of
Motor Vehicle Administrators and several public interest advocates are calling
for the removal of the REAL ID language. [Source]
The Administration must come clean with a full
accounting of its domestic surveillance activities before Congress can be
expected to make any changes to the laws that protect Americans against
uncontrolled government snooping. The Center for Democracy & Technology
applauded the House Judiciary Committee Subcommittee on the Constitution, Civil
Rights and Civil Liberties for holding a critical hearing on the topic this
week, and urged lawmakers to fully explore all aspects of the government’s
domestic spying activities. The White House has been aggressively promoting
legislation aimed at “modernizing” the Foreign Intelligence Surveillance Act
(FISA), which governs how national security surveillance is conducted in the
United States. [Source]
The European Commission Institute for Prospective
Technological Studies has published a report on RFID technology. According to
the report, RFID has enormous socio-economic potential but it also brings
challenges, such as serious security threats and the potential danger of
impinging on personal lives, which if not addressed properly may limit the
foreseen benefits from the wide-spread deployment of this technology. The
report gives an overview of established and emerging RFID technologies, RFID
standards and spectrum allocation, presents RFID market parameters and
forecasts, privacy and security issues and social aspects of RFID. Five case
studies from different application sectors (animal tracking, healthcare, ICT
sector, identity cards and public transport) allow us to draw conclusions about
both specific areas of development and the whole RFID market in Europe. In the
final part, the likely role of Europe is presented, as are policy options for
further initiatives. [Source]
[Executive Summary] [Report]
Karstadt, a German retailer with €4.89 billion in
sales in 2006, and more than 36,000 employees, is about to embark on its first
RFID pilot. During the pilot, Karstadt will implement RFID in three separate
processes: tracking goods from the time of arrival at a store until the point
of sale; performing and managing inventory; and locating goods to facilitate
price changes. [Source]
Ann Cavoukian, Ontario’s Information and Privacy
Commissioner, has issued a five-point security checklist for wireless video
surveillance systems after an incident with such a system at a methadone clinic
in Sudbury, Ont. When a driver with a similar device was backing up in the
clinic’s parking lot, it intercepted a wireless transmission of an image of a
patient providing a urine sample. Cavoukian has issued the checklist after a
CBC reporter contacted her office about the problem with the wireless system.
The image was intended for transmission only to a monitor in the nurse’s
station, but Cavoukian said the incident underscores that unsecured wireless
communication can be intercepted by other nearby monitors. Cavoukian’s checklist
advises that even after patients provide consent for the use of wireless video
surveillance, special precautions are needed to “protect the privacy of video
images.” [Source]
See also: [Mobile security: the balancing act] and [Google Lobbies For Open Wireless Networks]
More than 1 million computers are used by hackers as
remote-controlled robots to crash online systems, accept spam and steal users’
personal information, the FBI said this week. The government has no way to
track down all the computers, both in the U.S. and elsewhere, that hackers have
massed into centrally controlled collections known as botnets. But the FBI has
pulled the plug on several botnet hackers, or zombies. What was viewed seven
years ago as a kind of prank to boot people off-line has evolved into schemes
to defraud people by stealing credit card and Social Security data, by crashing
retail Web sites and through ‘‘pump-and-dump’’ online stock deals. [Source]
Almost half of UK employees would take information and
data with them to their next job, new research has found. A survey conducted by
internet security firm Check Point Software Technologies, questioning 200
senior IT professionals, found that three-quarters of firms lack any security
measures to prevent information from being shared outside the company.
Moreover, 85% of employees said it was easy for them to download competitive
information and take it to their next job, despite three-quarters of these
companies having a policy that specifically stated otherwise. The same survey
conducted with Scandinavian employees found that only 32% would use information
from their previous employer for competitive advantage in their next job.
[Source] [Source] [Source]
Gemalto has announced that it has successfully
delivered Mexico’s first smart card driving license to the city of Monterrey, Mexico.
The contract includes 900,000 driving licenses over a period of 3 years. This
new card also acts as a reliable ID document and opens up the potential for
additional e-schemes like healthcare for the benefits of all citizens. The
driving license is a chip-based ID document that entitles a specific person to
drive a certain category of vehicle. The microprocessor securely stores a high-resolution
picture of the holder, his/her blood type, and the drivers’ credentials to
enable digital signature. The chip also contains the history of drivers’ fines,
allowing the transit authorities to easily monitor drivers’ behavior on the
roads and could, in the future, be used for insurance companies to calculate
policy costs. Fingerprint and facial picture of the driver are encoded in the
card body. [Source]
Background investigations of federal and contract
workers being conducted for a new government-wide identification card, which
carries a computer chip, have drawn objections at two agencies and rumblings of
concern at others. The National Federation of Federal Employees has raised
questions about the background checks on behalf of its unionized members at the
General Services Administration. Before cards are issued, federal employees and
contractors must provide fingerprints and disclose financial, medical and other
personal data. The forms filled out by employees and contractors are matched
against databases to verify the information. For some employees holding
sensitive jobs, agents are sent to interview neighbors. [Source]
More documents detailing secret government
surveillance of AT&T’s Internet traffic have been released to the public as
part of the Electronic Frontier Foundation’s (EFF’s) class-action lawsuit
against the telecom giant. Some of the unsealed information was previously made
public in redacted form. But after negotiations with AT&T, EFF has filed
newly unredacted documents describing a secret, secure room in AT&T’s
facilities that gave the National Security Agency (NSA) direct access to
customers’ emails and other Internet communications. These include several
internal AT&T documents that have long been available on media websites,
EFF’s legal arguments to the 9th Circuit, and the full declarations of the
whistleblowers. ‘This is critical evidence supporting our claim that AT&T
is cooperating with the NSA in the illegal dragnet surveillance of millions of
ordinary Americans,’ said the EFF Legal Director. [Unredacted Klein declaration]
[Internal documents] [Unredacted Marcus declaration] [EFF’s 9th Circuit brief]
[For more on the class-action lawsuit against AT&T]
See also: [Official: Cheney Urged Wiretaps] and [NSA Surveillance Program
Violated Congressional Notification Law?] and [Justice Lawyer Refuses to Give
Congress Legal Opinions on NSA Surveillance Program] and also [U.S. Helps Mexico
Intercept Phone Calls and E-Mail] and [Congressman Wants to Train Spies in
College]
Giant American data peddler ChoicePoint last week
unveiled a new system in the UK for analyzing the thousands of license plate
numbers collected by automated cameras nestled surreptitiously throughout the
English heather. Called the “analyst’s workstation” and designed by i2, a
ChoicePoint-owned company, the system interfaces with three major databases and
uses license plate information to help cops bust bad guys. [Source]
A T-Mobile executive last week said there’s no need for Congress to pass new
laws prescribing requirements governing how mobile phone carriers handle their
subscribers’ personal information. Criminal penalties for scammers—such as those
contained in a bill signed by President Bush earlier this year—are great, but
further regulations are unnecessary and unwise, said T-Mobile’s director of
federal regulatory affairs. A few months ago, the FCC issued a list of
regulations that prohibits carriers from releasing sensitive personal data
without a password and requires them to notify customers immediately when
changes are made to their accounts. Members of Congress have been exploring a
similar move through new legislation. [Source]
House appropriators want to halt funding for a
Homeland Security Department data-mining program until the department verifies
that adequate privacy protections are in place. The fiscal 2008 Homeland
Security appropriations bill, scheduled to be on the House floor next week,
would stop funding for the Analysis, Dissemination, Visualization, Insight and
Semantic Enhancement program, which is known as ADVISE. Funding would be
withheld until the department submits a privacy-impact assessment for the
program. Under development by Homeland Security’s science and technology
directorate, ADVISE “is designed to help detect threatening activities by
allowing an analyst to search large amounts of information for patterns in the
data and to provide visual representations of these patterns,” appropriators
wrote in a report accompanying the bill. “At this time, DHS has not assessed
the privacy risks associated with ADVISE.” Appropriators noted that the
Government Accountability Office recently concluded that “until a
privacy-impact assessment is conducted, little assurance exists that privacy
risks have been rigorously considered and mitigating controls established.” [Source]
South Carolina this week became the latest state to
formally reject a federal mandate that sets new national driver’s license
standards. Gov. Mark Sanford signed a bill into law that says the state will
not participate in the federal act because it costs taxpayers too much and
would create long lines at Department of Motor Vehicle offices. South Carolina
became the fifth state to refuse to participate in the federal 2005 REAL-ID
Act, joining Montana, Washington, Oklahoma and Maine. [Source]
See also: [Maine Governor to Sign Bill to Block Real ID Plan] and [Washington
State Legislature revolts against Real ID program] and [Illinois sides with foes
of U.S. ID: Identity card law called a nightmare] and [S.C. rejects U.S. mandate
for driver’s licenses] and [Four states rebelling at adoption of Real ID Act]
An internal FBI audit has found that the bureau
potentially violated the law or agency rules more than 1,000 times while collecting
data about domestic phone calls, e-mails and financial transactions in recent
years, far more than was documented in a Justice Department report in March
that ignited bipartisan congressional criticism. The new audit covers just 10% of
the bureau’s national security investigations since 2002, so the actual number
of mistakes in the FBI’s domestic surveillance efforts probably runs to several
thousand, bureau officials said in interviews. [Source]
Welcome to National Internet Safety Month. Its sole
purpose? Reminding America how dangerous the internet is. That’s the gist of an
official resolution, quietly signed by 18 U.S. Senators in both parties at the
end of May. Senate Resolution 207 specified that the month of June provides
Americans an opportunity to “learn more about the dangers of the Internet.”
June is for commending organizations which “promote awareness of the dangers of
the Internet.” They might as well call it internet-is-dangerous month. This
internet-is-dangerous resolution was passed unanimously. [Source]
The House of Representatives has just passed another
piece of anti-spyware legislation. The bill, HR 964, is known as the “Securely Protect
Yourself Against Cyber Trespass Act” (the “SPY ACT Act”), and it’s the
second such bill that the House has passed in the last few weeks. The Senate,
meanwhile, has not taken any action on the issue. The SPY ACT Act has proved to be more
controversial than the other measure, the I-SPY
Act, despite both having equally ridiculous acronyms. The I-SPY bill is
shorter and narrower, which is good news to software makers worried about
running afoul of a complicated laundry list of personal information
requirements. The SPY ACT spells everything out in much greater detail and
attempts to halt spyware, adware, and even phishing scams. It requires adequate
notice and consent before information-gathering programs can be installed, but
it carves out exceptions so that cookies and other user-tracking schemes can
still function for web-based advertising. It also gives additional enforcement
powers to the FTC, which should enable the Commission to seek far larger fines
(up to $3 million per offense) against miscreants. [Source]
--------