Privacy News Highlights
16–22 March 2007
Contents:
WW – Bioscrypt's Facial Recognition Selected by Japanese Agency for Access Control
AU – Australia Police Need Federal DNA Database
CA – Campaign Warns Of Mortgage Fraud ‘An Incredibly Growing Industry’
US – FTC Seeks Feedback on Proposed Rule to Improve Consumer Privacy Notices
EU – Germany Wants More Exceptions to EU Data Protection for Security Reasons
EU – EC Encourages a European eID System
UK – New UK Passport Applicants Must Go For Interviews
EU – EU May Broaden Intelligence Use of Air-Passenger Data
US – Homeland Security Official Dismisses Privacy Concerns
US – Dept of Treasury: Direct Deposit Could Prevent ID Theft
US – 100 FACTA Lawsuits Filed in California Against Businesses Printing PII on Receipts
US – Federal Regulators Seek Public Comment on Model GLBA Privacy Notice
US – GratisCard Offers a Credit Card for The Anonymous
UK – MPs Warned Over Curbs on Freedom of Information (UK)
US – White House Plans to Ignore Congress on Border ID Rules
US – To Stop ID Theft Government, Businesses Must Work Together: FTC
JP – Japanese Firm Reports 8 Million Pieces of Customer Info Stolen
US – Taxpayers’ Cost Doubles For State to Atone For Allowing SSNs on Tax Forms
US – GAO Issues Report on Data-Mining, DHS Privacy
WW – Privacy for Internet Names Moves Forward in ICANN
US – Stolen TJX Data Used In Florida $8M Crime Spree
US – Doctors Dish on Their Patients in Anonymous Blogs
UK – UK Experts Seek California-Style Breach Disclosure Law
UK – Study to Examine Japanese and British Attitudes to Online Privacy
US – House Committee Questions FBI on Overreaching Spy Powers
US – Virginia State Council to Examine Handgun Permit Privacy
EU – RFID Chips Will Force Changes to ePrivacy Directive
US – OMB Sets Security Standards for Windows Computers
WW – Symantec Issues Internet Security Threat Report
US – Paller: Security Priorities Set By Shame, Not Risk
US – Survey Indicates Significant Enterprise Concern over Growing Data Leakage
EU – Swedish Net Surveillance Law Stalls
US – Have Fun Wiretapping Enemies and Loved Ones with 2ReCall
US – Justice Dept Pursues Flexible Identity Management
US – Governors Send Real ID Letter to Budget Committee
US – Feinstein Charges Again on Data Breach Notification Bill
US – Utah Bill Will Force Second-Hand Stores to Collect Personal Info
Bioscrypt today announced the deployment of its
VisionAccess 3D Face Readers at a Japanese Government Agency located in
A national DNA database, accessible by police in any
jurisdiction in
Real estate fraud is an “incredibly growing industry”
that is costing Canadians hundreds of millions -- if not billions -- of dollars
each year. And according to First Canadian Title, one of the country’s largest
title insurers, the spring home selling season can be a breeding ground for
real estate scams that often average as much as $300,000 per case, causing industry
officials to suggest real estate fraud is costing Canadians between $300
million and $1.5 billion each year. With that in mind, First Canadian Title and
the Consumers Council of Canada kicked off a public awareness campaign in
Eight federal regulators this week released a notice
of proposed rulemaking for comment on a model privacy form that financial
institutions could use for privacy notices required under the GLBA. Last October,
President Bush signed into law the Financial Services Regulatory Relief Act of
2006, amending GLBA to require the agencies to propose a model form that is
succinct and comprehensible to consumers, allows consumers easily to compare
privacy practices of financial institutions and uses easily readable type font.
[Source]
As president of the EU Council, Germany has proposed a
framework
resolution for data protection in the security sector, which is highly
controversial as it would expand demands already on the table for the protection
of personal data used by the police; the proposal also calls for the
establishment of an overriding regulatory authority for all of the database
systems coordinated by the EU Council for criminal prosecution. The German
government wants to allow police to share data with non-member states even if
the framework resolution is passed, and to exempt all authorities "that
deal specifically with matters of national security." In general, the
proposed framework resolution aims to ensure that data are shared legally
between criminal prosecutors; it is also intended as an amendment to the
general Data Protection Directive of
1995. The proposal also directly affects citizens, for instance by granting
them the right to access data that security authorities have about them, in
some cases through intermediate oversight bodies. In addition, the various
public administration organizations are to be obligated to inform citizens that
information about them is being processed and what the purpose is. Furthermore,
there is to be a stipulation that erroneous data be deleted, data flows be
better documented, and time limits be marked for data archives. [Source]
The European Commission is examining ways of
introducing an interoperable eID system across
More than 600,000 people a year applying for a
passport for the first time will from May have to attend a compulsory interview
up to 20 miles from their home, it was announced this week. The new applicants,
half of whom will be aged 16 to 19, will be asked to prove their identity by
responding to a stock of about 200 possible questions on their family and
financial history. The admission that each passport application would be
checked against a dossier of personal information drawn from existing
government databases led anti-ID card campaigners to argue that it undermined
ministers’ claims that the passport/identity card would not involve any more
information than existing passports. The Home Office justified the intention to
open a network of 69 passport and identity card offices by releasing an
estimate saying that up to 10,000 passports were being issued by post to
fraudulent applicants each year. Officials said compulsory interviews would
curb most fraudulent applications as the majority of these came from people
involved overseas in organised illegal immigration rings. Phil Booth, of the
No2ID campaign, described the network of offices as “interrogation centres” and
said the 20-minute “grilling” was now to be based on a dossier on private
lives, built by bureaucrats. From 2009, fingerprints will also be taken from
each applicant. The Home Office said that the personal information arising at
the interviews would be destroyed once the passport was issued and no one would
pass or fail the interviews. Those who fail to satisfy the interviewer that
they are genuine will be referred to anti-fraud experts and be asked to attend
another interview or provide further documentary proof. The Home Office said
that as passports were issued under the royal prerogative there was no formal
appeal procedure. Instead an “escalating complaints” procedure would be
available for those refused a passport. [Source]
Inspired by the
A senior U.S. Department of Homeland Security official
this week said he finds privacy concerns prompted by the proposed Real ID
regime puzzling. Stewart Baker, the department's assistant secretary for
policy, said a forthcoming system of uniform national identification cards will
not put more personal information into the hands of motor vehicle
administrators or result in a massive centralized database that's more
susceptible to hackers. [Source]
To combat identity theft, the Department of the Treasury’s
Financial Management Service (FMS) launched a campaign this month to convince
people who receive Social Security and other federal benefits by paper check to
switch over to direct deposit. According to a corresponding survey, four out of
10 respondents had been victims of ID theft or knew someone who had, and
Americans are making it easier for criminals by using paper checks. “Last year,
57,000 checks issued by Treasury were fraudulently endorsed, while problems
with direct-deposit payments were negligible. In fact, while paper checks make
up about 20% of the total Social Security and supplemental-security-income
payments, they account for more than 90% of reported payment problems,” Kenneth
R. Papaj, commissioner of the FMS, said in a statement. However, 40% of
respondents to the Treasury-sponsored survey still thought paper checks were
better than direct deposit at preventing theft or loss of payments. The Go
Direct campaign coincides with the passage of a Senate resolution, sponsored by
Sen. Elizabeth Dole, R-N.C., declaring March 2007 Go Direct Month. “Direct
deposit eliminates the risk of lost or stolen checks, prevents identity theft
and fraud, and saves taxpayer dollars,” she said in a statement. [Source]
A recent article in the BNA Privacy & Security Law
Report about over 100 lawsuits that have recently been filed within the
Eight federal regulators today released a notice of
proposed rulemaking (NPR) requesting comment on a model privacy form that
financial institutions can use for their privacy notices to consumers required
by the Gramm-Leach-Bliley Act (GLB Act). The privacy notices must describe an
institution's information sharing practices, and, for certain types of sharing,
consumers have the right to opt out. The notices must be provided when a
consumer first becomes a customer of a financial institution and then annually
for as long as the customer relationship lasts. [Source] [Comptroller
of the Currency Praises Effort to Improve Privacy Notices, Calls for Financial
Industry Feedback (Press Release)] [FTC:
Interagency Proposal for Model Privacy Form under GLBA]
GratisCard Inc. announced on April 1 its plans to
introduce the nation's first completely anonymous credit card with no name or
number and no physical data stored on the card itself. It will also be the
first credit card in the
Plans to curb people’s ability to ask for data from
the state under the Freedom of
Information Act will “significantly reduce” the number of disclosures in
the public interest, MPs were warned this week. Richard Thomas, the information
commissioner, in effect called on the government to drop the plans, telling the
constitutional affairs committee that the proposed curbs “will introduce new
layers of procedural and bureaucratic complexity”. The government intends to
limit individual requests and make it easier for authorities to reject
difficult and time-consuming requests on the grounds of cost. [Source]
A senior State Department official says the Bush
administration plans to require passports at the Canadian border starting Jan.
1, despite legislation putting off the deadline for at least three more months.
The government can’t keep putting off deadlines, “or we will lose our momentum
on this,” Elizabeth Whitaker, deputy assistant secretary of state, said in an
interview. Rep. Louise M. Slaughter, D-Fairport, who is also chairwoman of the
House Rules Committee and a member of the House majority leadership, said: “I
won’t sit idly by while local economies . . . are severely damaged by
ill-conceived proposals like this.”
[Source]
An official from the Federal Trade Commission told a
Senate panel that the government and private sector must continue to work
together to reduce the opportunities for thieves to obtain consumers’ personal
information and make it more difficult for them to misuse that information if
they obtain it. Lydia Parnes, director of the FTC’s Bureau of Consumer
Protection, told the Senate Judiciary Committee Subcommittee on Terrorism,
Technology, and Homeland Security that the government and business community
should evaluate whether they need to collect and maintain the data they have
about consumers, better protect the data that they do possess and develop
better ways to authenticate customers to keep identity thieves from using the
information they steal. According to the testimony, “a recent Wall Street
Journal/Harris Interactive survey … found that, as a result of fears about
protecting their identities, 30 percent of consumers polled were limiting their
online purchases and 24 percent were cutting back on their online banking.” The
testimony noted that “since 2001, the Commission has brought 14 cases
challenging businesses that failed to reasonably protect sensitive consumer
information that they maintained. … Together, the cases stand for the
proposition that companies should maintain reasonable and appropriate measures
to protect sensitive consumer information.” [Source] [Proposal
to Require Banks to Disclose Identity Theft Statistics] [Hoofnagle paper]
[Lawmakers
Seek Solutions To Identity Theft]
One of
Taxpayers in
The Homeland Security Department has not built
adequate privacy protections into a data-mining program under development,
increasing the risk that innocent people could be tagged as terrorists or
criminals, government auditors concluded in a report Wednesday. A Government Accountability Office
investigation of the department's Analysis, Dissemination, Visualization,
Insight and Semantic Enhancement (ADVISE) program is sure to fuel controversy
between officials who defend data-mining tactics and privacy advocates who say
the government is overreaching. The ADVISE program has been under development
since 2003 and is intended to help counterterrorism analysts sift through huge
volumes of structured information, such as information in a database, and
unstructured data, such as e-mails and news articles. [Data Mining: Early
Attention to Privacy in Developing a Key DHS Program Could Reduce Risks.
GAO-07-293, February 28] [Highlights] [Auditors
urge DHS to assess privacy risks in data-mining program]
Many owners of Internet addresses face this quandary:
Provide your real contact information when you register a domain name and
subject yourself to junk or harassment. Or enter fake data and risk losing it
outright. Help may be on the way as a key task force last week endorsed a
proposal that would give more privacy options to small businesses, individuals
with personal Web sites and other domain name owners. “At the end of the day,
they are not going to have personal contact information on public display,”
said Ross Rader, a task force member and director of retail services for
registration company Tucows Inc. “That’s the big change for domain name owners.”
At issue is a publicly available database known as Whois. With it, anyone can
find out the full names, organizations, postal and e-mail addresses and phone
numbers behind domain names. [Source]
See also: [CIRA announces
the results of WHOIS consultation]
Stolen TJX data used in Florida crime spree:
“Breached chain retailer TJX knew about a Florida crime ring using credit
card data stolen from its servers months before the company notified its
customers, according to Florida Department of Law Enforcement officials.”
As Internet blogging spreads across professions,
doctors' observations and opinions about patients, some expressed in graphic
detail, are now ending up on the Web for all to see. Hundreds of doctors across the
country are writing Internet diaries that sometimes include harsh judgments of
patients, coarse observations and distinct details of some cases. Medical
blogging is so new that medical boards, schools and professionals disagree on
what is acceptable. Critics say the blogs cross into an ethical gray area and
threaten patient privacy while posing liability risks for health workers and
their employers. [Source]
Recent security breaches have led supporters of
consumer breach notification to call on
The way in which online privacy is perceived in
Widespread abuse of the FBI’s authority to secretly
obtain Americans’ telephone, Internet and financial records drew pointed
questioning on Tuesday from a key U.S. House of Representatives panel. As
promised by House Judiciary Committee Chairman John Conyers (D-Mich.), the
panel chided U.S. Department of Justice Inspector General Glenn Fine and FBI General Counsel
Valerie Caproni about an internal audit released earlier this month that
detailed the FBI’s missteps and illegal use of an investigative tool known as
national security letters. [Source] [EPIC letter] [FBI
Confirms Contracts with AT&T, Verizon and MCI] [FBI
Violations May Number 3,000, Official Says] [Report
Finds Underreporting and Abuse of USA PATRIOT Act Powers]
A
The European Commission will make changes to the
Privacy and Electronic Communications Directive to take account of the
exploding market in RFID chips, it has said. Amendments will be proposed by the
middle of this year. The commission has published a Communication,
intended as “a step towards a policy framework,” for dealing with RFID chips, whose
usefulness is seen by some to be at odds with privacy and data protection. Viviane
Reding, the commissioner for information society and media, announced the creation
of an RFID Stakeholder Group to help the commission
develop its RFID policy as part of an action plan to address the potential
pitfalls and benefits of using RFID technology. She also announced that changes
to the Privacy and Electronic Communications Directive (also known as the ePrivacy
Directive) would be proposed by summer to take account of RFID applications, as
part of the EU Telecom Rules’ review. The commission conducted research which
discovered that people in the EU were not really aware of RFID’s risks or
benefits. “The commission’s Europe-wide public consultation in 2006 identified
a strong lack of awareness and considerable concern among citizens,” said
Reding. “The commission’s RFID strategy will therefore seek to raise awareness,
stress the absolute need for citizens to decide how their personal data is
used, and ensure that
In an attempt to improve the government’s information
security, the Office of Management and Budget on Tuesday gave agencies until
May to plan how they will implement a standard security configuration for
Microsoft computer operating systems. In a memorandum to agency chief
information officers and their deputies, Karen Evans, OMB’s administrator of
e-government and information technology, said agencies must implement the
standard security setting for all computers running Microsoft Windows XP and
This volume of the Internet Security Threat Report
offers an overview of threat activity between July 1 and December 31, 2006. The
current Internet security threat environment is characterized by an increase in
data theft, data leakage and the creation of malicious code targeting specific
organizations for information that can be used for financial gain. Attackers are
now refining their methods and consolidating their assets to create global
networks that support coordinated criminal activity. Volume XI includes a new
category: “Underground Economy Servers”. These are used by criminals and
criminal organizations to sell stolen information, including government-issued
identity numbers, credit cards, bank cards and personal identification numbers
(PINs), user accounts, and email address lists. To avoid facilitating identity
theft, organizations should take steps to protect data stored on or transmitted
over their computers. It is critical to develop and implement encryption to
ensure that any sensitive data is protected from unauthorized access. [Source]
When it comes to prioritizing IT security solutions, “convenience
trumps security, but embarrassment trumps convenience.” That’s the rule of
thumb offered by Alan Paller, director of research at the SANS Institute, and a
guest speaker at FOSE 2007 today. He said that organizations are investing in
security solutions sometimes to address material weaknesses, but frequently in
response to the crisis du jour. [Source]
Enterprises seeking to combat data leakage will
require a comprehensive approach, says a recent survey commissioned by Provilla
Inc. While enterprise security professionals are currently most concerned about
two or three points of vulnerability, once those leaks are controlled, new
leaks frequently appear through other endpoints. The threat of information or
data leakage is quickly becoming one of the most serious threats that
organizations face, with the potential to result in embarrassing publicity,
loss of valuable intellectual property, and financial loss. [Source]
The Swedish Social Democratic Party said Monday that
it will block a bill authorizing extensive surveillance of e-mail and other Internet
communications. Although the announcement was welcomed by privacy advocates, it
delays but does not permanently block the bill. The Social Democrats, being a minority
in Parliament, can only postpone the vote on the FRA bill for one year. They’re
supported by the Green Party and the Left Party. [Source]
The Justice Department is piloting a federated
identity management system to tackle the problem of how to give thousands of
potential users, spread across multiple organizations, selective access to its
critical systems. Such a system could be used to verify government online
identities across different agencies, said Boris Shur, Justice’s manager for
the pilot project. “If [the pilot] is good enough, it is our intention to
establish a trusted-broker infrastructure, within at least DOJ,” said Shur, who
outlined the project at the Collaborative Expedition Workshop recently in
Arlington, Va. The Law Enforcement Information Sharing
Program (LEISP), run by Justice’s Office of the Chief Information Officer,
could offer validated user credentials to multiple applications that are being
run across multiple agencies. The primary driver for the pilot is to find ways
that other federal agency employees, as well as users at state, local and
tribal law enforcement agencies, can access Justice systems. [Source]
U.S. Senator Dianne Feinstein (D-Calif.) renewed her
call for a federal data breach disclosure law Wednesday afternoon, seeking to
stir new life into her almost four-year-old legislation known as the
Notification of Risk to Personal Data Act. If Thursday's attendance at
Feinstein's hearing on data privacy is any indication, Feinstein will need a
big straw. Only Feinstein, the chairman of the Subcommittee on Terrorism,
Technology and Homeland Security, and ranking Republican member Jon Kyl showed
up. Kyl left 30 minutes after the hearing began. [Source] See
also [New
Mexico Approves Legislation to Limit Access to Credit Reports] [House
votes to allow security freeze on credit reports] [Iowa
Breach Notification Bill] [Omnibus
data security bill, H.F. 655] [Indiana's Do Not Fax
law in effect]
A debate is growing between some small