Privacy News Highlights
08–16 March 2007
Contents:
CA – Ontario Privacy Commissioner Bullish on Privacy-Enhancing Biometric Technology
EU – EU Critics Unite Against Central Fingerprint Biometric Database
US – Michigan University Offers Students Biometric Security Degree
CA – Fewer Than Six in 10 Canadians Say Yes to Release of Personal Info in 2098
CA – Secure Patient Data, Sick Kids Told
CA – Stephane Dion Pledges Mandatory Security Breach Disclosure Legislation
CA – Theft, Fraud Costs Retailers $3B/yr: Retail Council of Canada Study
US – Small Businesses Overconfident on Security: Study
UK – Brits Dubious of UK Gov’t Data Sharing Plans
KR – Korea Internet Users Can Clean Up Personal Information
UK – First Test Launched of NHS’s Controversial ‘Spine’ Database
US – Laptop Hard Drive With on-Board Encryption a First: Seagate
EU – European Commission: No Need to Amend Data Protection Directive
UK – UK Official Calls for International Privacy Standards
AU – Privacy Chief: Organizations Should Notify Consumers of Breaches
CH – China to Expand “Great Internet Firewall”
IN – Indonesia to Tighten Internet Surveillance
CA – Privacy Commissioner Works With Equifax To Conclude Audit
UK – Information Commissioner Orders Firms to Comply With Data Protection Act
US – Hefty Fines Looming for Non-Compliance with PCI:DSS Credit Card Security
AU – Australia eBay Gives Tax Office Seller Records
WW – Open Government Gets Its Week in the Sunshine
US – Report Faults U.S. Federal Agencies for Online Access to Records
US – CDT Applauds House Passage of Open Government Bill
CA – Cdn Court Orders Montreal to Post Homeowners’ Names
US – Poll: Americans Believe Federal Government Is ‘Sneaky’
US – Vermont State’s Top Court Hears DNA Law Challenge
UK – Privacy GP Calls Records Opt Out Pledge a ‘Decoy’
US – Report: U.S. Behind In Medical Privacy Efforts
US – Dispute Surfaces Over Certification for Personal Health Records
CA – Ontario Gives Green Light to High-Tech Driver’s Licence
CA – Ontario Convenience Stores Set to Toughen Age Checks
CA – Driver’s Licence Plan Worries Privacy Czar
WW – Digital Photocopiers Present ID Theft Risk
WW – Your life is Worth $21(CDN) on the Net: Study
US – Lawmakers Press for Antispyware Law Yet Again
WW – Best Practices for Antispyware Makers Finalized
US – CDT Asks Congress to Adopt Privacy Law to Combat Spyware
WW – WGA Always Sends Info to Microsoft
US – Justice: FBI Misused Patriot Act Powers
US – Governor Announces Florida First in Nation to Access National Crime Database
WW – Google Adds a Safeguard on Privacy for Searchers
EU – SAITS IT Privacy Project Launched
AU – Access Card Vote Halted By Privacy Doubts
BA – New Bahamas Data Protection Law Takes Effect April 2
WW – ITU Initiative Aims to Unify Identity Management
US – FTC Issues Guidebook on Data Security
US – FTC Investigating TJX, Winners Parent Company
US – Five New Congressional Research Service Reports Have Become Available
US – RIAA to Universities: Help Us Threaten Your Students
EU – No Regulations Planned For Radio ID Tags, EU Says
US – Washington State RFID Legislation dies
US – DHS Cybersecurity Czar: Third-Party Security Validation Is Good Idea
US – Study: Companies, Not Hackers, Responsible For Most Breaches
EU – Sweden Unveils Controversial Eavesdrop Plan
WW – CEBIT: IBM Researchers Take on Video Surveillance Privacy
US – AT&T Says Eavesdropping Case Would Reveal State Secrets
US – Compete CEO: ISPs Sell Clickstreams for $5 A Month
WW – Human Error Causes Most Data Loss, Study Says
US – Chertoff: Security and Privacy Not At Odds on REAL ID
US – Pending Federal Bill Would Impose New Restrictions on Telephone Carriers
US – Oregon Bill Includes Breach Notification, Security Freeze Provisions
US – Illinois State Bills to Give Cops Access to Library Records
US – Texas Senate Ready to Take Up Records Confidentiality Bill
US – Oregon Identity Theft Bill Has Support
US – Arkansas Scaled-Back Version of Rx Drug Database Passes Senate
US – N.J. Senate Committee Advances Bill to Put Checks on Web Dating Sites
US – New Colorado Law Helps to Prosecute Identity Theft
US – Arizona State Senate acts to Block Car Location Database
US – State Debates Bill On Myspace Age Check
The Information and Privacy Commissioner of Ontario,
Ann Cavoukian, Ph.D., and Alex Stoianov, Ph.D., an internationally-recognized
biometrics scientist, have announced the publication of their joint research
paper, “Biometric Encryption: A Positive Sum Technology that Achieves Strong
Authentication, Security AND Privacy”, available at www.ipc.on.ca. Biometric Encryption promises
superior privacy, security, and personal control over biometric data, which can
be deployed in a privacy-enhanced way that minimizes the potential for
surveillance and abuse, maximizes individual control, and ensures full
functionality of the systems in which biometrics are used. [Source]
Proposals for a centralized database of fingerprints were revealed last week, fuelling fears of a Big Brother Europe. Under a scheme for a computerized collection of personal details drawn from all 27 EU countries, all EU members would be expected to contribute all the details held by police. These include fingerprints of suspects and people released without charge, as well as those convicted of crimes. The aim is for the database to be up and running by the end of next year. The sensitive information it contains could be shared with third parties, such as U.S. law enforcement authorities. The proposal, which was buried in a lengthy European Commission document setting out policy goals for next year, managed the rare feat of uniting all sides in opposition. Euroskeptics criticized the plans as the trappings of a super-state, while some of Europe’s most ardent supporters complained of a threat to civil liberties. Officials in Brussels confirmed that an assessment was under way on “implementing a centralized database of fingerprints”. The one-line announcement of the plan as a “key action” for “security and freedom” appeared in the European Commission’s annual policy strategy for 2008. [Source]
Government agencies and private businesses alike are
investing in biometric devices that read and compare fingerprints, eyeball
irises, facial features or vocal patterns for security purposes. Todd Fortier,
19, is among the first group of students enrolled in a new biometric security
degree program that started last fall at Davenport University. Davenport
officials said the university is the first in Michigan to offer degrees in the
field. About 55 students are enrolled in either the two- or four-year biometric
security degree programs at the 13,500-student university. As a worldwide
industry, biometric security has grown from barely $300 million in 2001 to more
than $2 billion last year, said Russ Ryan, a spokesman for the National
Biometric Security Project. [Source]
Fewer than six in 10 Canadians have agreed to the
release of their personally identifiable census information in 2098. The 2006
census marked the first time people were asked whether they consented to the
release of their information in 92 years. Nationally, 56% of respondents
checked the Yes box - the remainder either chose No or gave no reply at all.
Historians and genealogists consider the information a goldmine that allows
them to move past the numbers when writing Canada’s history. Some academics
have said even a small percentage of No responses will compromise their ability
to put a human face on Canada’s history. [Source]
The Ontario
Hospital for Sick Children has been ordered to encrypt all electronic files
after a laptop with information on 2,900 patients, some of it highly sensitive,
was stolen from a doctor’s van. Ontario information and privacy commissioner
Ann Cavoukian also ordered Sick Kids to adopt a strict security policy
prohibiting the removal of any electronic data from the hospital that could
identify patients. Health information that is not stored on secure servers,
whether on desktops, laptops or BlackBerries, must also be encrypted, rendering it
meaningless and making it impossible to decipher without a special program. [Source]
[Source] [Source] [Source] [Source]
Liberal leader Stephane Dion pledged in a speech this
week to introduce mandatory security breach disclosure legislation (as well as
anti-spam and identity theft legislation). [Source] [Liberals to
Reintroduce Lawful Access Legislation]
Theft and fraud are costing Canadian retailers
$8-million a day or more than $3-billion a year, according to the Retail
Council of Canada. The Council says retail organized crime is a “serious
problem” and includes everything from shoplifting, container theft,
counterfeiting and refund fraud, to the use of fraudulent credit, debit and gift
cards and identity theft. According to the Retail Council of Canada:
- Organized retail crime in North America is pegged at
$40-billion annually and growing;
- Credit card fraud in Canada resulted in losses of
$201-million to major credit card companies in 2005;
- Debit card fraud in 2005 resulted in losses of
$70.4-million;
- In 2005, 422,447 counterfeit bank notes were passed
and seized in Canada. [Source]
In a report released at the Visa USA security summit,
the National Federation of Independent Business and Visa reported that small
businesses are overconfident about their ability to protect their customers’
data. In fact, most companies with fewer than 250 employees are storing
sensitive data that they shouldn’t, the study says. 87% of small businesses
believe that if customers saw how they handled their data, it would either
affirm (4%) or strengthen (3%) the trust that customers put in their businesses.
About 84% of mom-and-pops protect customer information through encryption or
passwords. Yet more than half of small retailers are currently storing
sensitive customer data that they are supposed to purge after a transaction is
complete under the Payment Card Industry (PCI) Data Security Standard, the NFIB
and Visa said. 37% are storing customer credit card numbers; 24% are storing SSNs;
and 28% are storing customer bank account numbers or copies of checks. [Source]
[Source]
[Source]
A week before the complete findings are due to be
published, more details of the Citizens Forum’s fluctuating views have been
revealed by Ipsos MORI, the polling firm, and the UK Cabinet Office. In
February, participants in the forum were asked what they thought of the
government sharing data between departments in order to better deliver public
services. 70% voted in favour. After the forum, participants took home sheets
asking them to consider the pros and cons of government data sharing, as well
as other policy matters. To provoke their thinking, the sheets gave specific
examples of how data sharing was beneficial. But they made only passing
reference to the fact that some people were “concerned” about the idea, while
it made others “worry about civil liberties.” Supporting information consisted
of web addresses to a BBC article about
the Citizen Forum that touched on some of the pros and cons of data sharing,
and a 2003 survey that found that, having considered them in more detail, 60% of
people were concerned about the idea. Citizens were also referred to the
government’s Information
Sharing Vision Statement, which described in detail why information sharing
was a good idea. The sheets did not refer to material that opposed the
government’s data sharing plans. At the Citizen Forum’s big day at Number 10 on
3 March, policy issues, including data sharing, were again debated. Polled
again by MORI on what they thought of data sharing, support for the idea
dropped to 5%. “As they debated it they became more anxious.” [Source]
[UK
Government to force greater data sharing] [UK
Home Office calls for new data sharing powers Data mining at heart of
immigration enforcement plan]
Internet users will be allowed to find and delete
their resident registration numbers, Korea’s version of SSNs, if they are found
circulating on the Web. The Korean Ministry of Government Administration and
Home Affairs launched a month-long online program last week that will allow
subscribers to track the usage of their identification numbers on Internet Web
sites since 2001. The program, available through April 12, can be accessed
through the Web sites of the ministry and municipal governments, and others
which will be linked to online search programs operated by the Korea
Information Service, the National Information and Credit Evaluation, and the
Seoul Credit Rating and Information. A subscriber can choose one of the three
companies, which will compile a list of Web sites using his or her
identification number. [Source]
[Naver] [Daum]
[Google
Continues to Show Private Data]
The UK government’s plan to put the medical records of
every NHS patient in England on a central electronic database will begin first
trials at two carefully selected GP practices in the north-west. About 14,500
patients in Bolton will be told their confidential medical details will be
uploaded to a national data warehouse known as the Spine, unless they object.
Their reaction will be the first test of whether patients accept the government’s
argument that a national electronic record can save lives – or agree with
campaigners for personal privacy who see the scheme as a lurch towards a Big
Brother state. [Source]
An Ontario company will be the first to sell laptop
computers using Seagate Technology computer hard drives with built-in
encryption technology, the drive maker said last week. ASI Computer
Technologies of Markham will use hard drives that include a chip that
automatically encrypts all data written to them on the fly, rendering it
unreadable without a digital key or password. “I can’t help but think that this
kind of hard drive would become a standard issue on corporate laptops,” said
Dave Reinsel, a storage industry analyst at market research firm IDC. [Source]
[Source]
The European Commission (EC) concludes in a recent
report that the Data Protection Directive does not need any legislative
updates. The directive, according to the EC, is accomplishing the mission of
protecting “individuals against general surveillance or undue discrimination on
the basis of the information others hold on them.” The
report warns that some countries have failed to properly implement the
directive’s provisions in a national law. The EC said it would take action
against countries that have failed to adopt a national law that mirrors the
directive. [Source]
The U.K.’s information commissioner, Richard Thomas,
has called for international harmonization of privacy rules. His call follows recent
disputes between the E.U. and the U.S. over privacy safeguards for European air
passenger data and financial transaction information requested by the U.S. as
part of its anti-terrorism efforts. [Source]
Privacy Commissioner Karen Curtiss has made a
substantial submission to the Australian Law Reform Commission on a number of
reforms she is proposing to improve privacy and data protection efforts. Among
her recommendations is a requirement that organizations that fail to adequately
protect personal information should be required to notify consumers of
breaches. Breach notification would “provide a strong market incentive” for
organizations to adopt measures to adequately secure sensitive data, Curtiss
said. This Australian IT story details her other recommendations. [Source]
China will tighten controls on Internet blogs and
webcasts in a response to new technologies that have allowed cyber citizens to
avoid government censorship efforts, state press reported last week. Following
a call from President Hu Jintao in January to “purify” the Internet, the ruling
Communist Party will introduce new regulations targeting blogs and webcasts,
one of the nation’s chief censors was cited as saying. The Chinese government,
which has long maintained strict controls over traditional media, has this
year ramped up a campaign to combat the rising influence of the Internet. “Whether
we can cope with the Internet is a matter that affects the development of
socialist culture, the security of information and the stability of the state,”
Hu said in January as he called for the medium to be “purified.” [Source]
Indonesia plans to tackle Internet crime by tightening
the supervision of web surfers, an official said Tuesday. “The aim is to
minimise the misuse of the Internet, including for criminal activities,” said Gatot
Dewa Broto, a spokesman for the country’s telecommunications regulator. [Source] [Source]
See also: [PH:
Philippines NTC publishes draft of new consumer protection rules]
The Office of the Privacy Commissioner of Canada announced
that it has successfully negotiated a resolution with regard to litigation
involving its audit of the credit reporting agency, Equifax. The Commissioner
launched an audit of Equifax in August 2006. The intention was to audit the
personal information management practices of Equifax and, more specifically,
its online identification and authentication system. Details of the successful
resolution were not made available. [Source]
The Information Commissioner’s Office (ICO) has found
that 13 firms have breached the Data Protection Act by discarding documents
containing sensitive customer data. The ICO ordered the firms to comply with
the law in the future. The Post Office was among the banks and other
organizations that dumped the documents into trash bins outside their offices,
according to the ICO. Deputy Commissioner David Smith said that the
organizations must comply to avoid further action by the ICO and to prevent “losing
the trust of their customers.” [Source][Source]
[Source]
Fines for non-compliance with PCI:DSS are set to start
next month with Visa focusing on storage issues - while T J Maxx is still
counting the cost of its high-profile security breach. Fines of US$10,000 a
month from the end of this month have been announced by Visa USA for acquirers
whose Level 1 and Level 2 merchants are still storing Track data, PIN block
data, and CVV2 data post-authorisation. For continued non-compliance, those
fines will increase to US$50,000 a month from June and to US$100,000 a month
from December. Level 1 and 2 retailers include the vast majority of e-tailers
and most tier 1 and tier 2 retailers. While the card companies will be fining
acquirers, these in turn will obviously put pressure on any non-compliant
merchants to conform; the ultimate sanction for any who still refuse to
upgrade is termination of their card processing agreements, leaving retailers unable to take
payments. Visa USA is introducing the fines for non-approved storage from March
and will introduce fines for acquirers of between US$5,000 and US$25,000 a
month for each Level 1 and Level 2 merchant that has not been certified as
compliant by - respectively - 20 September 2007 and 31 December 2007. [Source]
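The storage rule behind both the NFIB/Visa small-business study and the Visa fines above is that track data, PIN blocks and CVV2 must not be retained once a transaction is authorised. As an added illustration (not code from the newsletter, Visa or the PCI Security Standards Council), the following scanner checks constructed stored-transaction records for those three classes of data and shows how a retained PAN can be truncated; the field names, sample records and pattern heuristics are my own assumptions.

```python
"""Scan stored transaction records for sensitive authentication data
(full track data, CVV2/CVC2 values, PIN blocks) that PCI DSS forbids
retaining after authorisation, and truncate any PAN kept for other reasons.

Example added for illustration; not code from the newsletter, Visa or the
PCI SSC. Field names, sample records and heuristics are assumptions."""
from __future__ import annotations

import re

# Track 1 layout: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
# Track 2 layout: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}[^?]*\?")
# A bare PAN-looking digit run (used only to decide what to truncate).
PAN_RE = re.compile(r"\b\d{13,19}\b")
# A PIN block is 16 hex characters; CVV2/CVC2 is 3 or 4 digits.
PIN_BLOCK_RE = re.compile(r"^[0-9A-Fa-f]{16}$")
CVV_RE = re.compile(r"^\d{3,4}$")

# Field names treated as sensitive authentication data (assumed naming).
CVV_FIELDS = {"cvv2", "cvc2", "cid", "security_code"}
PIN_FIELDS = {"pin_block", "pin"}


def luhn_ok(digits: str) -> bool:
    """Luhn check so that random digit runs are not treated as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits of a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(record: dict) -> list[str]:
    """Return findings describing prohibited data held in one stored record."""
    findings = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        name = field.lower()
        if name in CVV_FIELDS and CVV_RE.match(value):
            findings.append(f"{field}: card verification value stored")
        elif name in PIN_FIELDS and PIN_BLOCK_RE.match(value):
            findings.append(f"{field}: PIN block stored")
        if TRACK1_RE.search(value) or TRACK2_RE.search(value):
            findings.append(f"{field}: full magnetic-stripe track data stored")
    return findings


def remediate(record: dict) -> dict:
    """Return a copy with prohibited fields dropped and any Luhn-valid PAN truncated.

    Track data fields are removed outright rather than masked, because the
    discretionary data portion is itself sensitive."""
    clean = {}
    for field, value in record.items():
        name = field.lower()
        if name in CVV_FIELDS or name in PIN_FIELDS:
            continue
        if isinstance(value, str) and (TRACK1_RE.search(value) or TRACK2_RE.search(value)):
            continue
        if isinstance(value, str):
            value = PAN_RE.sub(
                lambda m: mask_pan(m.group(0)) if luhn_ok(m.group(0)) else m.group(0), value
            )
        clean[field] = value
    return clean


# Constructed sample records; 4111111111111111 is a widely used test PAN.
SAMPLE_RECORDS = [
    {"txn_id": "T1001", "pan": "4111111111111111", "exp": "2512", "amount": "19.99"},
    {"txn_id": "T1002", "pan": "4111111111111111", "cvv2": "123", "amount": "5.00"},
    {"txn_id": "T1003", "raw_swipe": ";4111111111111111=25121010000000000000?", "amount": "42.10"},
    {"txn_id": "T1004", "pan": "4111111111111111", "pin_block": "0123456789ABCDEF", "amount": "100.00"},
]


def audit(records: list[dict]) -> dict[str, list[str]]:
    """Map each transaction id to its findings; clean records are omitted."""
    return {r["txn_id"]: f for r in records if (f := scan_record(r))}


if __name__ == "__main__":
    for txn, f in audit(SAMPLE_RECORDS).items():
        print(txn, "->", "; ".join(f))
    print(remediate(SAMPLE_RECORDS[2]))
```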
EBAY has handed over the personal and financial
details of hundreds of its top sellers to the Australian Taxation Office. The
ATO has asked for the details of eBay sellers with an annual turnover of more
than $50,000. The request is understood to be part of an ATO audit to determine
if sellers are avoiding GST, and could affect up to 1000 customers. The ATO had
requested data for the period July 1, 2003, to June 30 last year. The request
was made a month ago and sellers were informed by email yesterday. EBay
provided to the ATO information including members’ contact names, seller user
names, phone numbers, duration of membership and monthly sales turnover for the
periods in question. EBay said the data had been provided in compliance with
eBay’s privacy policy. [Source]
This week is Sunshine
Week - a gentle name for celebrating the serious business of uncovering
secretive government practices. Taking its cue from the famous line by Justice
Brandeis that "sunlight is ... the best of disinfectants", this
year's Sunshine Week reflects on a year of continuing efforts to increase
government visibility, and a renewed interest by the press, activists, and
netizens in investigating its secrets. [Source] [Source] [Sunshine Week Website]
A new study by the National Security Archive, a
nongovernmental research institute and library located at George Washington
University, finds that 10 years after Congress passed “E-FOIA” (Freedom of Information Act), agency Web
sites distinguish themselves more for cyber-foot-dragging than for streamlined
access. A review of 149 federal agencies found that only 1 in 5 posts on its
Web site all the records required and that even fewer (6%) tell people how to
request what does not appear there. [Source]
[Source]
[Source]
The House last week voted overwhelmingly to approve
legislation that strengthens the Freedom
of Information Act (FOIA). CDT applauded the House vote and in a letter
thanked the House Committee on Oversight and Government Reform for its
leadership on the measure. H.R. 1309 – sponsored by Committee Chairman Henry
Waxman (D-Calif.), Rep. William Lacy Clay (D-Mo.) and Rep. Todd Platts (R-Pa.) –
makes improvements to FOIA that have been long sought by the open government
community. [CDT
Letter - HR 1309 [PDF], March 13, 2007]
The city of Montreal must restore the names
of all property owners on its online municipal valuation roll, a Quebec Court
judge ruled. Judge Henri Richard accepted in part The Gazette’s appeal of a
2005 decision by Quebec’s access-to-information commission and ruled property
owners’ names are public information that should be accessible at municipal
offices and on the Internet. “The court does not understand why the city
refuses access to information that is integral to the valuation roll,” Richard
said in a ruling from the bench. There’s “nothing illegitimate” in having
access to the names, he said. [Source]
Americans increasingly suspect the federal
government has become cloaked in secrecy, a concern they don’t have with their
local and state governments. People also overwhelmingly believe that their
federal leaders have become sneaky, listening to telephone conversations or
opening private mail without getting court permission, according to a survey of
1,008 adults commissioned by the American Society of Newspaper Editors. By a
2-1 margin, people want FBI agents and other investigators to obtain search
warrants before monitoring private communications, even if they suspect
terrorism. And more than a quarter of the people said they suspect their own
phone calls and letters have been intercepted. The survey was conducted in
observance of national Sunshine Week, which began Sunday. [Source]
The Vermont Supreme Court heard arguments Tuesday in a
case that will determine if the state can continue collecting genetic samples
from nonviolent felons, or whether that practice violates the state’s
constitution. If the court rejects widespread sampling, it could be the nation’s
first successful challenge to such a law, lawyers said. [Source]
A GP who has campaigned for patients to secure an
opt-out from the NHS Care Records Service (NCRS) is claiming that current plans
will still put confidential patient information at risk. Dr Paul Thornton has
written a 12-page report
which claims the government’s pledge of an opt out right from the Summary Care
Record is a “decoy” that will falsely reassure patients that data held on other
aspects of the NCRS is safe. Dr Thornton has sent his report, The NHS Database: Lord
Warner’s opt-out decoy to the British Medical Association, the Royal
College of General Practitioners, the Information Commissioner and the
Department of Health’s own confidentiality watchdog, the Patient Information
Advisory Group. [Report]
[Source]
Canada, the Netherlands and the UK have made more
strides in developing privacy policies that give patients a significant amount
of control over their records, according to a study commissioned
by the Substance Abuse and Mental Health Services Administration. Joy Pritts, co-author
of the study, said that other countries “give their patients a lot more choice,
from a policy angle.” This article explores the systems in other countries,
with an emphasis on patient controls. The 58-page report, co-authored by
Kathleen Conner was released last week at the national meeting of the federally
funded Health Information Security and Privacy Collaboration in Bethesda. [Source]
[Study] [Singapore
takes a shot at sharing e-medical data]
In a rare instance of public dissent, an American
Health Information Community (AHIC) workgroup has split over whether to
recommend that product certification be available for personal health record
software. AHIC, a high-level advisory committee to the Department of Health and
Human Services, sided with the majority on its Consumer Empowerment Workgroup
and voted unanimously in favor of the certification recommendation. A minority –
five members of the 23-person workgroup – took the position that certification
would be premature and the top priority should be privacy and security policies
for PHRs. "The risks [of certification now] outweigh any potential
benefits," the dissenters said in a letter to AHIC. The workgroup's task
is to foster widespread adoption of PHRs. [Source]
Horror Stories:
US – Medical
Data on 75,000 Blue Cross Members Lost, Found – WellPoint, one of the largest health insurers in
the U.S., has begun notifying 75,000 members of its Empire Blue Cross and Blue
Shield unit in New York that a CD holding their vital medical and other
personal information has disappeared. The information was on an unencrypted
disc that a subcontractor recently sent to Magellan Behavioral Services, a
company that specializes in monitoring and coordinating mental health and
substance abuse treatments for insurance companies. [Source] [Source]
US – Stolen
Hard Drive Holds California National Guard Data – A stolen hard drive contains PII of approximately
1,300 California National Guard troops who have been deployed to the US-Mexico
border. The compromised data include addresses, dates of birth and Social
Security numbers (SSNs). The drive was reported missing in late February from
the California National Guard’s border mission headquarters at San Diego Naval
Base. Guard members affected by the breach were notified on February 28. The
case has been turned over to the Navy’s Criminal Investigative Division. [Source]
[Source]
NZ – NZ Revenue
Dept. Employees Fired for Unauthorized File Access – New Zealand’s Inland Revenue Department (IRD) has
fired nearly 80 employees in the last four years for accessing files
inappropriately. A number of the people who lost their jobs had accessed their
own files or those of family members outside the bounds of their duties. In
2003, a minor scandal erupted when it was discovered that IRD employees had
accessed files of a number of celebrities as well as those of their own
families; 75 people were fired as a result. The number of people caught
snooping has decreased each year since 2003 to just 13 in 2006; there were no
instances of employees accessing celebrities’ files within the last year.
Inland Revenue Deputy Commissioner Colin MacDonald defends the IRD’s strict
codes, saying they are entrusted with ensuring taxpayers’ secrecy. [Source]
US – U. of
Idaho Employee Data Inadvertently Posted to Web – For the second time in three months, the University
of Idaho has experienced a data security breach. UI is notifying 2,700
employees that their personal information was accessible on the school’s web
site for 19 days in February. The file was removed as soon as the IT Services
became aware of the situation. UI is investigating the incident. An authorized
user inadvertently uploaded the file containing the data along with a report.
The data include names, birth dates and SSNs, but no financial account
information. The school plans to move away from using SSNs as unique
identifiers. [Source]
[Source]
JP – Largest
Japanese Data Leak Hits 8.63 Million People – The personal information of 8.63 million customers
was stolen by a former employee of a firm contracted by Dai Nippon Printing Co.
in the largest information leak of its kind. The customer data that was pilfered
had been provided to Dai Nippon by 43 companies, including credit card issuers
and insurance firms, that placed orders with the printing firm for direct
mailers and other publications. Included was such data as credit card numbers,
some of which have reportedly been used in fraudulent Internet transactions. [Source]
Ontario says it’s designing a new high-tech driver’s
licence to combat identity theft that could potentially be used as an alternative
to a passport. But Transportation Minister Donna Cansfield says the new
licences will not contain all the new security features right away. Although
the government plans to have the first licences produced by the end of the
year, they will not come embedded with citizenship data or other information
that could be used by American officials as a travel document to cross the
border. Cansfield says that additional data could be added at a later date, but
the government has not yet decided to go that route. The new card’s security
features will include a fine-line background, 2-D bar code, micro and rainbow
printing, a secondary photo, signature images and ultraviolet features.
Cansfield says the technology behind today’s licences is about 10 years old so
an update is needed. [Source]
[Privatizing health cards &
driver’s licences poses risks: Public Sector Union]
Individuals who look younger than 25 and try to buy
cigarettes at convenience stores in Ontario will be forced to prove they are
old enough to light up by having their driver’s licence swiped through a
lottery terminal. The Ontario Convenience Stores Association announced last
week that it is introducing the measure to make it easier for retail operators
to prevent young people from getting access to cigarettes, lottery tickets,
adult magazines and fireworks. The so-called “We Expect ID” program should be
up and running in 2,500 of the 10,000 convenience stores across the province by
the end of April. Eventually, it will be rolled out right across Canada. About
80% of young adults in Ontario have a driver’s licence. [Source]
[Source]
[Source] [Ontario to
get toughest ID check system in Canada] [Swiping
licences called no threat to buyers’ privacy] [Stores
Downloading License Data Could Be Violating Privacy Laws: Government Services Minister
Gerry Phillips]
Canada’s privacy commissioner is warning that provincial
plans to include citizenship information on driver’s licences to meet U.S.
passport requirements could come at “a significant cost to privacy.” “The
purpose of a driver’s licence is to show you have met the requirements
necessary to drive,” said a spokeswoman for Jennifer Stoddart, the federal
privacy commissioner. She said that citizenship is “potentially a very
sensitive piece of information.” Provincial and state governments, led by
British Columbia and Washington, concerned about discouraging tourism between
the two countries, have been lobbying to convince U.S. authorities to allow
“enhanced driver’s licences” that would include citizenship information and
improved security features to stand in for passports at land borders. But
privacy and civil-rights experts are increasingly worried that such a proposal
could lead to discrimination against non-citizens and threaten the security of
sensitive information because of the broad range of databases that will need
to be shared by different levels of government. [Source]
[Source]
[New
Ontario driver’s licence in Ontario not ready as travel document: Transport
Canada]
Experts warn that digital copiers with disk drives are
able to retain the data the machines copy, which presents the potential for ID
theft. Industry experts warn that data retained in the machine’s disk should be
encrypted, or other safeguards should be in place, to prevent access to the
sensitive information. [Source] [Source]
All of your personal banking and credit card
information, your birth date and your social insurance data are worth about $18
US on the Internet, according to a study released today. And much of that data
may have been stolen from government offices, says the report by computer
security firm Symantec Corp. Symantec says thousands of Internet chatrooms and
websites openly sell credit card and personal information for the purpose of
identity theft -- and are doing plenty of business. [Source]
Members of the U.S. House of Representatives vowed not
to let a bill aimed at curbing spyware die for a third time. Leaders of a House
Energy and Commerce subcommittee focused on consumer protection issues said
they were mystified that earlier versions of the so-called Spy Act overwhelmingly passed the House in 2004 and in 2005 but
were ignored by the Senate. The latest effort would impose extensive
regulations on what types of actions software may perform. [Source] [Ben Edelman’s Advertising Through Spyware – After Promising to Stop]
The nonprofit Anti-Spyware Coalition announced this
week that it had finalized a set of documents designed to provide software
companies that develop spyware-fighting products with new information and
tactics. One of the documents details a recommended process by which companies
can identify software as unwanted or malicious, based on the ASC’s definition
of spyware and risk models. The second document is geared toward the potential
situation in which two competing antispyware companies stumble into an unwanted
conflict between their respective software products. [Source] [Press Release, March 15, 2007] [ASC Documents]
Testifying before the House Energy and Commerce
Committee’s Subcommittee on Commerce, Trade, and Consumer Protection, Ari
Schwartz, CDT Deputy Director, said that a “long-term solution to spyware”
could best be addressed by passage of “baseline privacy legislation.” Such a
law would help to guide businesses as they adopt new technology to collect
information and give consumers “some measure of confidence that their privacy
is protected as companies roll out new ventures.” [Source] [Source] [Schwartz Testimony [PDF], March 15, 2007] [Schwartz Testimony: Appendix [PDF], March 15, 2007]
Microsoft has acknowledged that its most recent
Windows Genuine Advantage (WGA) update sends some information back to the
company’s Redmond, WA headquarters even if users decline to install the update.
A statement from Microsoft’s UK anti-piracy manager says the information sent
back does not identify individuals. WGA communicates to Microsoft the computers’
globally unique identifiers (GUIDs), user and machine language settings and
whether or not the machine was connected to a domain. [Source] [Source]
The FBI improperly and illegally used the USA Patriot
Act to secretly obtain personal information about people in the U.S., a Justice
Department audit concluded. And for three years the FBI underreported to
Congress how often it forced businesses to turn over the customer data, the
audit found. Attorney General Alberto Gonzales, who oversees the FBI, described
the problems cited in the report as unacceptable and left open the possibility
of criminal charges. He ordered further investigation. One government official
familiar with the report said shoddy bookkeeping and records management led to
the problems. The FBI agents appeared to be overwhelmed by the volume of
demands for information over a two-year period, the official said. “They lost
track,” said the official, who, like others interviewed late Thursday, spoke on
condition of anonymity because the report was not being released until Friday.
The FBI in 2005 reported to Congress that its agents had delivered a total of
9,254 national security letters seeking e-mail, telephone or financial
information on 3,501 U.S. citizens and legal residents over the previous two
years. Justice Department Inspector General Glenn A. Fine’s report says that
number was underreported by 20%, according to the officials. [Source] [Source] [Source] [Source] [U.S. Report to Fault F.B.I. Over Special Subpoenas] [Bush Pledges Swift Action on FBI Reform] [Source] [Source] [Source] [Source] [Source] [Source] [Source] [FACT SHEET: Department of Justice Actions on FBI Use of National Security Letters] [Carriers mum on DoJ report that FBI abused powers] See also: [How to surf anonymously without a trace] [EFF Action Alert] [Coverage]
Governor Announces Florida First in Nation to Access National Crime Database. "This powerful tool will help protect both the victims of child abuse and neglect and the public servants charged with protecting them." [GT: Security and Privacy]
Google said last week that it is changing its policy
on the retention of logs of all searches, along with digital identifiers
linking them to specific computers and Internet browsers. The company will now
make those logs anonymous after 18 to 24 months. Under current practices, the
company keeps the logs indefinitely. Privacy advocates in general said Google’s
policy change is a step in the right direction but not nearly enough to really
protect Web searchers from overzealous law enforcers. Keeping the search
histories could enable investigators and governments to get to all sorts of
personal information about people, they argue. [Source] [Source] [Source] [Source] [Google’s Press Release] [Google’s PDF with more details]
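The retention change described in the Google item, as an added illustration that is not Google’s own procedure (the item does not describe one): entries younger than the retention cutoff are kept intact, while older entries keep the query text but lose the two fields that tie it to a specific computer or browser. The tab-separated record layout, the /24 and /48 address truncation, the 18-month figure expressed as 548 days and the sample log lines are all constructed assumptions for this example.

```python
"""Retention-based anonymization of query logs (added illustration).

Assumed record layout (constructed for this example):
    <ISO 8601 timestamp>\t<client IP>\t<cookie id>\t<query text>
Once a record is older than the retention window, the client IP is
generalized to its network prefix and the cookie identifier is blanked,
so the query can still feed aggregate analysis but no longer links
back to one machine or browser.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
import ipaddress
from typing import Iterable, List


@dataclass(frozen=True)
class QueryLogEntry:
    timestamp: datetime
    client_ip: str
    cookie_id: str        # per-browser identifier; "" once anonymized
    query: str


def parse_entry(line: str) -> QueryLogEntry:
    """Parse one tab-separated log line into a QueryLogEntry."""
    ts, ip, cookie, query = line.rstrip("\n").split("\t", 3)
    return QueryLogEntry(datetime.fromisoformat(ts), ip, cookie, query)


def generalize_ip(ip: str) -> str:
    """Drop the host part of an address: /24 for IPv4, /48 for IPv6.

    The prefix lengths are an assumption chosen for this example."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def anonymize_entry(entry: QueryLogEntry) -> QueryLogEntry:
    """Return a copy with the identifying fields removed or coarsened."""
    return replace(entry, client_ip=generalize_ip(entry.client_ip), cookie_id="")


def apply_retention(entries: Iterable[QueryLogEntry], now: datetime,
                    retention_days: int) -> List[QueryLogEntry]:
    """Anonymize every entry whose timestamp is older than the cutoff."""
    cutoff = now - timedelta(days=retention_days)
    return [anonymize_entry(e) if e.timestamp < cutoff else e for e in entries]


# Constructed sample log: two old entries and one recent one.
SAMPLE_LOG = [
    "2005-06-01T10:15:00+00:00\t203.0.113.42\tc0ffee11\tflights to lisbon",
    "2007-03-10T08:05:00+00:00\t198.51.100.7\tdeadbeef\tprivacy news",
    "2004-12-31T23:59:00+00:00\t2001:db8:abcd:1234::9\tfeedface\tdata retention law",
]

RETENTION_DAYS = 548  # roughly 18 months; an assumed value for the example


def run_sample(now: datetime = datetime(2007, 3, 16, tzinfo=timezone.utc)):
    """Parse the constructed log and apply the retention rule as of `now`."""
    entries = [parse_entry(line) for line in SAMPLE_LOG]
    return apply_retention(entries, now, RETENTION_DAYS)


if __name__ == "__main__":
    for e in run_sample():
        print(e.timestamp.date(), e.client_ip, e.cookie_id or "<anon>", e.query)
```

The query text survives on purpose: the privacy gain comes from severing the link between a query and a specific user, not from discarding the aggregate data the logs were retained for. A real deployment would also need to treat backups and copies of the log under the same rule.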
SAITS is a Swedish project led by the Swedish Institute of Computer Science
and Institutet för rättsinformatik, Stockholms Universitet. The SAITS project
will generate knowledge about the meaning and significance of the term privacy
in future IT environments, how technological development creates privacy
risks as well as possibilities to protect and enhance privacy, and how
regulations can control how different actors behave in IT environments. These
results are intended to create a foundation for further work on technologies,
privacy needs, and regulations. The project will also form a national
competence in the field of IT privacy, manifested through the network of
competence that will be developed throughout the project period. [Source]
Legislation for the Australian Government’s
controversial health and welfare Access Card will be withdrawn from Parliament
after it was sent back to be redrafted by a cross-party committee over fears
that it represented a threat to privacy. The Government has avoided the embarrassment
of having its own senators cross the floor to vote against the Access Card bill
by declaring it would follow the committee’s recommendation to introduce all
the legislation for the card together in one bundle. But the scathing report
suggests the Government still has a long way to go before it convinces even its
own backbenchers that the Access Card is no Australia Card. The report declares
that: “Imprecise wording of key items in the bill raised concerns that there
are inadequate constraints to prevent the Access Card becoming an ID card.”
Other concerns raised in the report include:
* Biometric photographs on the surface of the card
could turn it into a de facto ID card.
* The card and the supporting database could be used
for unintended purposes.
* The card database could be linked with other
databases to compile extensive information on individuals.
* The Australian Federal Police and ASIO could get
information from the database without a warrant and without the knowledge of
the Parliament. [Source] [Source] [Source] [Source] [Source] [Source] [Source] [P.Commish: ID card personal freedom threat]
Government agencies and organizations that collect
personal information must comply with new requirements under the Data
Protection Act. The new law, which takes effect April 2, requires public and
private sector entities to adopt standards for the collection, use and
disclosure of personal information. The law also gives consumers the power to
request that data controllers stop using their information for direct
marketing. Once a consumer makes the request in writing, the data controller is
required to erase, or stop using, all information used for direct marketing. [Source]
ITU wants system interoperability to reduce multiple
user names and passwords. The International Telecommunication Union (ITU) is
backing a new initiative on online identity management to bring
interoperability to solutions that help reduce the need for multiple user names
and passwords. The ITU Focus Group on Identity Management aims to bring global
harmony to identity management through a technology and platform-independent
solution because it believes the use of multiple usernames and passwords is a
boon for hacking, identity theft and other forms of cyber crime. [ITU Focus Group on Identity Management site] [Source]
The FTC has published a guidebook that may come in
handy for federal agencies working to do a better job of preventing data loss
or theft. The guidebook urges organizations to take five key steps to keep
sensitive information safe: take stock of any personal information collected,
eliminate data that is unneeded, properly dispose of unnecessary information,
lock up whatever remains and plan a response to potential security incidents.
Deborah Platt Majoras, chair of the FTC, encouraged federal officials to use
the guidebook and other commission resources on information security. Data
security plans have to be tailored to the size of an organization, Majoras said
at an IAPP annual summit in Washington. “There is no such thing as a
one-size-fits-all data security plan.” [Source] [www.ftc.gov/infosecurity] See also: [OMB Issues Data Security Solution] [Coverage]
The U.S. FTC last Tuesday confirmed that it has
launched an investigation of TJX, the parent company of T.J. Maxx, Marshalls,
HomeGoods, and other stores. While the FTC wouldn’t reveal the nature of the
investigation or when it began, it’s likely the result of a large data breach
that allowed cyberintruders to steal customer data. [Source]
Recent CRS reports:
· Congressional Oversight of Intelligence: Current Structure and Alternatives, RL32525 (pdf). Among the alternatives this report examines are the proposals in the 9/11 Commission Report for creating a joint committee on intelligence or strengthening the individual committees with authorization and appropriations power.
· Data Mining and Homeland Security: An Overview, RL 31798 (pdf). The overview includes the major DHS data mining initiatives and also notes limitations on the capability of data mining.
· Data Security: Federal Legislative Approaches, RL33273 (pdf). The report addresses proposed legislation for subject area; privacy safeguards; restrictions on the use of social security numbers; credit freezes; consumer reports; and preemption.
· Remedies Available to Victims of Identity Theft, RL31919 (pdf). The report covers federal laws that help victims correct their credit records, as well as criminalize certain identity theft related activity.
· Identity Theft: State Penalties and Remedies and Pending Federal Bills, RS 22484 (pdf). The report lists state laws that provide criminal and civil penalties for identity theft; credit freezes; and SSN privacy. [Source]
The RIAA has asked universities and
colleges to forward "pre-lawsuit" letters to alleged filesharers that
promise a "discounted" settlement price if the student agrees to pay
up immediately. Forwarding the letters saves the RIAA the trouble and expense
of filing a lawsuit to obtain students' contact information--a savings that may
be redirected to more lawsuits. To add insult to injury, the letters advise
students to contact the RIAA if they have any questions. It's safe to say that
the RIAA is unlikely to give students the full picture. For example, will the
RIAA tell students that parents are generally
not liable for infringements committed by their
kids, or that the record labels sometimes sue the wrong
people? Probably not. We think students should seek out less biased
sources of information--and their institutions should assist in that process.
Toward that end, we've put together a short FAQ to help students learn more about
their options; we hope colleges and universities that forward the RIAA's threat
letter will take the additional step of directing students to this FAQ as well
as other neutral information sources. Of course, the RIAA should not be putting
universities in this perverse position in the first place. If you'd like to
help academic institutions get back to their real mission (educating students,
not helping to threaten them), take action now to help stop the lawsuit campaign.
The European Commission said this week that it would
not curb the growth of the tiny radio transmitter tags that transportation
companies, retailers and manufacturers use to track goods and purchases, saying
it was confident that the RFID tags could be designed to protect consumer
privacy. The announcement by Viviane Reding, the European commissioner
responsible for Internet and communications, who has taken an aggressively
pro-consumer attitude since she took office in 2004, signaled to businesses
that the development of the tracking devices would not be hindered in the
European Union. Instead, Reding said she planned to create an advisory group of
industry representatives, privacy advocates, consumers and scientists to
determine whether changes were needed to the EU’s existing electronic privacy
directive to accommodate RFID use while protecting personal privacy. The group
is expected to make a recommendation by the end of this year. The EC also plans
to issue RFID recommendations for member states. Reding said the goal is to
avoid over-regulating RFID, which could stunt its development. [EU Press Release] [EU Consultation Report] [Source] [EU Working Towards RFID Standards] [EU: Security Needs to Be Built Into Tags] [EU RFID Web site] [Source] See also: [VeriChip Passes Significant Milestone] and [Diabetics Have Got RFID Under Their Skin]
In February, Washington state legislators introduced a
bill that would impose rules on how companies could deploy RFID and retain
personal information gathered via the technology. This article from
the RFID Journal by Representative Morris, the sponsor of the Washington
State legislation, indicates that the legislation died last week by failing to
make it onto the floor calendar for this year; however, interested parties should
expect that this issue will not go away in Washington or anywhere else. [Source] [Source]
Greg Garcia, the Homeland Security Department’s
Assistant Secretary for Cybersecurity and Telecommunications, last week told
attendees at the Visa Security Summit in Washington, D.C., that he supports a
seal of approval for the private sector’s information security efforts.
According to an article in National Journal’s Technology Daily, Garcia said he
would like to see a “third-party validation of security.” This story details
comments made by other speakers, including former FTC Commissioner Orson
Swindle, now a Senior Policy Advisor at Hunton & Williams. [Source] [Source]
The University of Washington, Seattle, conducted a study of 550
security breaches from 1980 to 2006. The study’s aim was to analyze the role of
the organizational behavior in privacy blunders, according to this
Computerworld story. The researchers found that 61% of the violations were the
result of posting PII online; losing equipment or backup tapes; or other errors
that led to data leaks. Hackers were responsible for 31% of the incidents. 9%
of the incidents had undetermined causes. More results:
· Malicious intrusions by hackers make up a minority (31%) of 550 confirmed incidents between 1980 and 2006; 60% were attributable to organizational mismanagement.
· The number of reported incidents more than tripled in 2005 and 2006 (424 cases) compared to the previous 24 years (126 cases).
· The education sector, primarily colleges and universities, amounted to less than 1% of all lost records, but accounted for 30% of all reported incidents.
[Source] [A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006] [Dataset] See also: [Taking Action to Protect Sensitive Data] [Coverage]
The Swedish government has proposed a plan that would
give a domestic defence intelligence agency far-reaching powers to monitor
e-mail traffic and phone calls crossing the nation’s borders, without a court
order. The National Defence Radio Establishment currently has the power to
listen in on military communications but needs a court order for any other
surveillance. The new proposal, which requires parliamentary approval, would
allow the agency to use data-mining software to search for sensitive keywords
in phone and e-mail communication passing across the country’s borders. Critics
say the government’s promise to limit the monitoring to international
communications will be impossible to enforce. “They’re going from fishing with a
hook to fishing with a net,” said a spokesman for the New Welfare Foundation, a
civil liberties think tank. “We are crossing a very fundamental border.” [Source] [Swedish Official: Country Has Tapped Citizens' Phones 'For Decades']
Researchers at IBM Corp. are trying to address privacy
concerns about video surveillance systems, part of a broader effort by IBM to
build a new business in the fast-growing surveillance market. Concerns about
security in cities, airports and other public places are causing a
proliferation of video surveillance systems, but the increase has heightened
concerns about privacy among regulators and the general public. IBM hopes to
alleviate the concerns with technology that can pick out faces in a video frame
and automatically blur them, so that people's images -- and therefore their
movements -- are not recorded, said Joachim Stark, director of digital video
surveillance with IBM's global services group. An obvious hurdle is identifying
the potential suspects from innocent bystanders. Investigators often review
closed-circuit video footage after a crime is committed, and blurring faces
would defeat much of the point of doing surveillance. [Source]
The U.S. federal government is urging an appeals court
to dismiss a lawsuit challenging President Bush’s domestic eavesdropping
program, warning that disclosure of such activities could compromise national
security. Documents were filed late Friday and released Monday by the
Electronic Frontier Foundation, which brought the suit. It accuses AT&T of
illegally making communications on its networks available to the National Security
Agency without warrants, and challenges Bush’s assertion that he could use his
wartime powers to eavesdrop on Americans without a warrant. [Source]
At the Open Data 2007 conference in New York last week,
David Cancel, the CEO of Compete Inc. revealed that ISPs happily sell
clickstream data -- and that it's a big business. They don't sell your name --
just your clicks -- but the clicks are tied to you as a specific user (User 1,
User 2, etc.). How much are your clicks worth? About 40 cents a month per user
(per customer)... and the Compete CEO estimates that there are 10-12 big buyers
of this data. In other words, your ISP is probably making about $5 a month ($60
a year) off your clickstreams. [Source] See also: [Michael
Zimmer blog]
Human error accounts for three-quarters of incidents
where sensitive data is lost, new research has revealed. A report from the IT
Policy Compliance Group says a fifth of organizations are hit by 22 or more
sensitive data losses a year, with customer, financial, corporate, employee and
IT security data going missing because it is stolen, leaked or destroyed. It
reveals that user error is responsible for half of all sensitive data losses,
with policy violations (either deliberate or accidental) accounting for
another 25%. The main channels through which data is lost (in order of risk)
are PCs, laptops and mobile devices, email, instant messaging, applications and
databases. The report also notes that businesses are seeing an 8 percent loss
of revenue and a similar loss of customers in the wake of publicly reported
data breaches, while notifying customers and restoring data costs another $73
per customer record. [Source]
The head of the US Department of Homeland Security
last week downplayed privacy concerns raised by the government’s efforts to
create standardized, data-chipped driver’s licenses across the country. The same
technology that makes information on identification cards more reliable can
also protect privacy, DHS Secretary Michael Chertoff said during a speech to
the Northern Virginia Technology Council. “It’s my contention that properly
used technology ... actually protects privacy,” he said. “We should not allow
folks to be captivated by the argument that every time we do something with a
computer, it invades privacy.” Chertoff was referring to privacy concerns
surrounding the Real ID Act, a law passed by Congress in 2005 that would
require states to create machine-readable ID cards containing the name of the
holder, the date of birth, a digital photograph and other information. Chertoff
said those raising privacy concerns about the use of IT in the U.S. government’s
domestic security efforts create a false tension between security and privacy. “This
kind of Luddite attitude ... is exactly wrong,” he said. “Security and privacy
are very much the same type of value. I don’t think they’re mutually exclusive,
they’re mutually reinforced.” [Source] [Source] [Source] [Source] [S.C. Governor Sanford right to encourage S.C. participation in rebellion] [USA Today Goes 0-5 on REAL ID] [ACLU View] [ACLU Scorecard] [Under Bill, Ariz. Would Opt Out Of National Id Card] [S.C. DMV director: National driver’s license will be a hassle] [Idaho Becomes Second State to Reject Real ID]
Telephone carriers would be required to adopt stronger
protections for consumer telephone records under the Prevention of Fraudulent Access to Phone Records Act. Last year, a
similar bill failed to make it before the full House for a vote after the
companies opposed the more stringent security standards. Congress instead
approved a bill that imposes fines and prison terms for anyone convicted of
pretexting as well as the buying and selling of phone records. The president
and CEO of a wireless association told the committee that “much progress” has
been made to protect customer information. Another wireless trade association
official told the lawmakers that the opt-in requirement would not increase
customer security or reduce the amount of marketing materials consumers
receive. [Source] [FTC Supports Pretexting Bill That Would Impose Civil Fines]
Gov. Ted Kulongoski and a group of lawmakers have
unveiled a bill that includes several measures to better protect consumers from
identity theft. The bill would allow consumers to request a freeze on their
credit for $10 - a fee that would be waived for ID theft victims. The proposed
legislation also would require organizations that collect driver’s license
numbers or Social Security numbers to adopt “reasonable safeguards” to protect
the information from disclosure. In the event of a security breach, the bill
would require consumer notification “in the most expedient time possible.” The
Senate Commerce Committee is mulling other ID theft measures, including a bill
that would make aggravated identity theft a crime. [Source]
Several Naperville city leaders voiced support for a
state bill that would give law enforcement officials more authority in
libraries, which the police chief referred to as a refuge for criminals. [Source]
The Texas Senate is expected to vote early this week
on a bill that passed unanimously in the state House, and would change the
Texas Public Information Act to declare that Social Security numbers not be
considered confidential. [Source]
Banking industry leaders say they generally support an
identity theft measure backed by Oregon Gov. Ted Kulongoski and legislative
Democrats: SB 583, a bill that would provide several protections against
identity theft. The Oregon Consumer Identity Protection Act would:
· require businesses and organizations that collect
PI such as driver’s license or SSNs to install “reasonable safeguards” to
protect that information;
· prohibit the public display or disclosure
of more than the last four digits of a SSN;
· require businesses to notify persons when
their information is subject to a security breach;
· give residents the right to request a
security freeze on their credit files of credit reporting agencies; and
· give the state’s Dep’t of Consumer &
Business Services ability to enforce the law. [Source] [Source]
A measure scaling back the scope of a statewide database that would
monitor some prescription drug purchases has gained Senate approval.
The bill’s sponsor said the amendments were intended to address concerns about
patient privacy. The Senate also approved a $50 million matching fund for a
cancer center to be named in honor of late Lt. Gov. Win Rockefeller, while the
House approved putting a $300 million bond issue for the Natural Resources
Council on the 2008 ballot. By a 20-7 vote, the Senate approved a bill by Sen.
Denny Altes, R-Fort Smith, that would allow the state Board of Pharmacy to
establish standards for setting up the database on drug purchases. The database
would track schedule II and schedule III narcotics, such as morphine or
OxyContin. [Source]
Internet dating in New Jersey will require more of a
commitment if a bill approved by a state Senate committee becomes law. The
bill, S-1977, would mandate that Internet dating services doing business in New
Jersey advise whether their users have undergone criminal background checks and
warn that those checks are not necessarily foolproof. The bill, sponsored by
Senate President Richard Codey, D-Essex, was unanimously approved by the Senate
Budget and Appropriations Committee. If enacted, the measure would make New
Jersey the fourth state to adopt legislation requiring online dating services
to disclose whether they conduct criminal background checks. Florida
passed a similar bill last year; Michigan and Texas did in 2005. [Source]
A new identity theft law that came out of the Colorado
Legislature last summer clears up “piecemeal” bits of criminal law and provides
a more comprehensive approach to prosecute identity theft activities, a Deputy
District Attorney said. “It basically has cleaned up a lot of loose ends and
made things more comprehensive,” he said, adding that the new law moves away
from a “shotgun approach” of prosecuting smaller more fragmented offenses
toward the larger picture of what somebody is doing when they engage in
identity theft activities. Some activities that in the past were a series of
misdemeanors could now be a felony. “If in fact somebody has a stolen credit
card but they don’t use it, in the past it simply would have been theft of a
credit card,” he said. Now it could be a felony. [Source]
State lawmakers took the first steps Wednesday to
block police from building a database of where Arizonans (or at least their
cars) have been. On a voice vote, the Senate gave preliminary approval to
requiring police departments using special license-plate scanners to wipe the
information obtained from their computers within 24 hours. The only exception
would be for ongoing undercover investigations. Senators also approved a second
measure Wednesday to protect individual privacy. They directed the state
Department of Transportation not to cooperate with the federal Real ID act,
which directs the state to make its driver’s licenses into a sort of national
identification card. [Source]
Connecticut lawmakers debated a bill last Thursday
that would require social-networking Web sites such as MySpace to verify users’
ages and force minors to obtain parental consent before posting profiles.
Intended to protect children from sexual predators, the bill proposed by state
Attorney General Richard Blumenthal would be the first of its kind in the U.S.
to impose strict regulations on the fast-growing sites, which are a virtual
hangout for millions of American teenagers. [Source]
--------