Privacy News Highlights
23–30 March 2007
Contents:
EU – Ireland’s Information Commissioner Warns Schools on Biometrics
CA – Toronto Company Webcam Makes Your Face Your Password
CA – Canadian Opposition MP Re-Introduces Lawful Access
Bill
UK – Report: Personal Privacy Rests in the Hands of IT
Professionals
WW – Ponemon Survey: the Relationship Between Privacy and
Marketing
UK – Half of Internet Users Feel Responsible for
Protecting Their Data Online
WW – Survey: Privacy and Marketing: “Use Privacy to Build
Customer Trust, Loyalty”
AU – Future Uncertain for Australia’s Smartcard
US – Controversy over American Express Patent for
Tracking People With RFID
US – Telco Customers at Risk of Facing Online Breaches of
Private Info
US – NIST to Decide on Standards for E-Records
WW – Regulation Sparks Increased Demand for Data
Encryption
EU – 40% of Retailers Not in Compliance With EU Email
Directive: Study
EU – Brussels Downbeat on US Passenger Snoop Plan, PNR
Deal Yet to Take Off
US – Pasta, Meatballs, and Credit Card Theft
US – SEC Urged To Improve Computer Security
WW – New RFID Equipped Cards Leak Personal Info
UK – UK Government May Back Down on ‘Neutering’ of FOI
Law
US – California’s Secretary of State Closes Online Access
to Records Containing SSNs
US – Calif. Lawmaker: State Was Selling ‘Identity Theft
Starter Kit’ Online
US – Local DNA Labs Avoid State and U.S. Limits
CA – Ontario Privacy Commissioner Pans Smart Systems for
Health Agency
NZ – 3500 New Zealand GPs Blast Gov’t for Breaching
Patient Privacy
US – Harris Poll: Most OK with Use of Health Info
US – Data-Mining Firms vs. Nevada State on Prescription
Privacy
US – HIV Patient Names to be Tracked in All 50 States By
Year’s End
US – TJX Says Info from 45.7 Million Cards Stolen:
Largest Breach Ever
US – Pennsylvania Passport Clerk Faces 18 Counts of
Identity Theft
US – Corporate Sloppiness is the Real Culprit for Data
Loss, Not Vilified Hackers
US – CDT Releases Draft Privacy Principles for
Identification, Seeks Comment
CA – PIAC Releases Report and Recommendations on ID Theft
Insurance
US – Online Resource for Identity Document Security
Information
WW – Report: ID Theft Threats Soar 200% in First Two
Months of 2007
WW – Liberty Alliance New Specifications to Link Digital
IDM to Consumer Devices
WW – Photo Copying Personal Documents Can Risk ID Theft
WW – Privacy Options Proposed for Domain Name Owners
ZA – State Snoopers Want Everyone’s SIM Card Info
KR – Korean Mobile Phone Wiretapping Likely to Become
Legal
JP – Police call on Internet Cafes to Record Users’ Data
to Fight Cyber Crime
WW – New Group Created on Domain Name Privacy
EU – Germany Launches Anti-Terrorism Data-Bank
US – FBI Chief Blames Computers for Privacy Flap
US – Truste and Ponemon Institute Releases Annual Corporate
Privacy Survey
US – FCC Proposes $100,000 Fine for Failing to Protect
Data
US – Iron Mountain’s Transport Methods Disturb Some Users
US – California Receives Accolades for Privacy Law
Efforts
US – North Dakota Set to Ban the Forced RFID Implants
US – Senate Panel Approves Bill to Ban RFID Chip
Implantation
EU – RFID Research Project Examining Security and Privacy
in the Supply Chain
US – Third Eye Uses RFID to Monitor Employees’ Hearts
US – NSF Issues New Cyber Infrastructure Vision Document
WW – Keylogger Programs Frequently Target User Data for
Online Payment Systems
CA – Senate Panel Says Ports Sorely Lack Security
AU – Australia Sign-up Queue Card’s Biggest Hurdle
UK – CCTV Cam Upgrading: Deepens “Surveillance Society”
Concern
UK – New Child Checks to Identify Future Criminals
UK – MPs Probe ‘Surveillance Society’
SG – Son of TIA Will Mine Asian Data
US – U.S. FCC to Study Internet Service
US – Ordinary Customers Flagged as Terrorists
US – GAO Seeks Privacy Impact Assessment on DHS
Data-Mining Program
US – CDT Urges Judicial Review for “National Security
Letters”
US – DHS Privacy Chief: More Investigators Needed to
Assess Government Networks
US – GAO Raps IRS on Information Security (again)
US – FTC Says It Can’t Protect Mortgage-Seekers From
‘Trigger Lists’
US – Senators Sceptical of Real ID Act Rules
US – CDT Urges Major Changes to REAL ID Act and
Regulations
US – Washington State to Collaborate With DHS for
Enhanced Driver’s Licenses
US – Terrorism Database Raises Concerns About Privacy,
Errors
US – Washington Bill Would Create Registry Keep Tabs on
Personal Information
US – Michigan Lawmakers Approve Identity Theft
Legislation
US – Montana Credit Freeze Bill Contains Unique Provision
US – Hawai’i Murder Case Prompts ID Theft Legislation
US – Colorado Lawmaker Drops Database Bill
US – Inmate GPS Tags Approved By California Panel
EU – Italian Data Protection Authority Issues Email,
Internet Guidelines
A Canadian company has announced a new camera that
functions as both a Webcam and a security system that scans a face in three
dimensions. Toronto-based Bioscrypt
claims an industry first with its 3D DeskCam. The 3-inch tall, half-inch wide
camera uses infrared along with a lens to scan a face in three dimensions and
authenticate users accessing computers, the company said. [Source]
See also: [New
Wrinkle In Face Recognition Technology]
Canadian opposition MP Marlene Jennings last week
reintroduced lawful access legislation that mandates new surveillance
capabilities for ISPs. A prior version of the bill was introduced in 2005 but
did not receive Parliamentary approval. [Source] [Bill C-416] [Coverage] [Opposition:
Gov’t Should Expand Domestic Surveillance]
The Royal Academy of Engineering has issued a report
recommending that computer engineers should receive training on how to design
systems that contain privacy protections. The report also recommends that the
Information Commissioner’s powers should be enhanced. The report also takes the
position that abusers of private information should face jail sentences. [Source]
[Dilemmas
of Privacy and Surveillance report] [Source] [Source]
The Ponemon Institute’s study, “What Marketing
Professionals Think About the Value of Privacy to Consumers,” serves as the
backdrop for this DM News article by Charles Giordano, Associate Director of
Privacy Marketing Strategy at
A joint survey from Get Safe Online and the BBC News
website found that 48% of adult Internet users in the
The Ponemon Institute’s study, “What Marketing
Professionals Think About the Value of Privacy to Consumers,” serves as the
backdrop for this DM News article by Charles Giordano, Associate Director of
Privacy Marketing Strategy at
After an Australian Senate committee said current
legislation is lacking security and privacy safeguards, the future of
A 2005 American Express patent application suggests
that RFID technology could be used to identify shoppers in stores, track where
they go within the store and study their buying behaviour. Dr. Katherine
Albrecht, founder and director of CASPIAN Consumer Advocacy, presented
information on the patent filing at a conference held last month in
Telcos conducting business online need to buck up
customer privacy even as their ability to communicate improves. Those are the
findings of the Customer Respect Group (CRG), a research and consulting firm
focused on how corporations treat their online customers. The group this month
released findings from its First Quarter 2007 Online Customer Respect Study of
the Telecommunications Industry. The study found that telecommunications
companies overall are slipping — especially compared to retail and other
high-tech industries — when it comes to addressing consumers’ privacy concerns.
Telecom firms ask for more personal data than companies in other industries,
CRG found, and this data is often unconnected to the request being made by the
customer. The collection of data is one breach of the customer’s privacy; in
addition, the telecom industry goes on to reuse the data more than other
industries. [Source]
The National Institute of Standards and Technology is
determining whether to make standards developed by the E-Records Management
e-government project a government-wide requirement or just a guidance. Karen
Evans, the OMB’s e-government and IT administrator, said no matter what NIST
decides, the adoption of these standards and how records are transferred to the
National Archives and Records Administration will be the initial measure of
success. “We are pushing hard for NIST to finish them,” Evans said. “If NIST
decides it should be guidance, and then OMB will follow up on them.” One
approach OMB might take is to add the validation of records management
standards to the work the agency inspector generals already do. IGs certify how
agencies meet the Federal Information Security Management Act as well as
privacy mandates. [Source]
The increased mobility of data is leading to a greater
demand for security solutions. Encrypting data will become more commonplace,
according to a security analyst quoted in this article. Microsoft is responding
to this increased demand by developing a Data Encryption Toolkit for laptops.
Facing mounting evidence of the damage companies face after security breaches,
many organizations are exploring encryption as the solution. Another factor
leading companies to bolster data security is the increase in regulations they
face from state and federal laws. [Source]
In the three years since the EU Directive on Privacy
and Electronic Communications became law, a study indicates that 37% of
retailers are not complying with this Europe-wide legislation. Data specialists
CDMS released the status report on compliance with the directive, which
requires companies to send unsolicited email marketing messages to
non-customers only if they have opted-in to receive them. The study also found
that 69% of the companies analyzed are following the directive, which is
slightly higher than a similar 2005 study. [Source]
See also: [Communication
from the Commission to the European Parliament and the Council on the follow-up
of the Work Programme for better implementation of the Data Protection
Directive]
Transatlantic talks over the
The next time you go out for some pizza, a nice steak
dinner or even a trip to the salad bar, you might get something else with your
meal: identity theft. The most common place for credit card information to be
stolen is at a restaurant, according to Visa. The credit card company, which
constantly monitors cardholder transactions and data for fraud, has determined
that 40% of all credit card theft occurs at dining locations - more than at any
other type of merchant. [Source]
The Securities and Exchange Commission needs to apply
its information security program more consistently in order to fully protect
the sensitive financial data in its possession, congressional investigators
said. Congress’ Government Accountability Office said in a report that the
commission has made significant progress in correcting weaknesses in its
computer security programs that were documented in a 2005 audit. [Source]
You may be carrying a new type of credit card that can
transmit your personal information to anyone who gets close to you with a
scanner. The new cards, millions of which have been issued over the past
year, use RFID. RFID allows scanners to use radio signals at varying distances
to read information stored on a computer chip, a chip that is embedded in the
card. According to a study by researchers at the
The Government has stepped back from controversial
plans to change the Freedom of Information (FOI) Act. It has launched a
supplementary consultation that could result in a U-turn on some of
its widely-opposed plans. Following a Government-commissioned report which
identified journalists as a likely source of the most expensive FOI requests,
the Department of Constitutional Affairs (DCA) said that it was “minded” to
lower the cost threshold above which public authorities could refuse requests.
Crucially it also increased the number of activities which could be charged for
in the calculation of costs, putting most complicated requests beyond the
threshold and eligible for refusal on cost grounds. The DCA has now launched a
supplementary consultation, asking for views on the plans and for alternative
suggestions of how it could balance openness and the need to keep costs to the
public purse down. [Source]
California Secretary of State Debra Bowen has
announced that her office’s Web site will no longer offer for sale electronic
documents that contain SSNs until those documents can be redacted. Her office
is researching a technology option that would block out the first five digits
of SSNs from the documents. Bowen also said she supports legislation that would
limit to no more than four the number of digits that could be contained in
state and county public records. Bowen said previous Secretaries of State have
attempted to make records available online, but state laws have not kept pace
with technology, leading to the possibility that ID thieves could tap public
records for SSNs and other personal information. [Source]
Assemblyman Dave Jones, D-Sacramento, is miffed that
the Secretary of State’s Office was offering for sale public records for three
years that include enough information, including SSNs, that would arm ID
thieves with enough personal data to defraud consumers. Jones bought 20 public
records – 14 of which contained enough information to obtain a credit card
account using another person’s data. The Secretary of State has disabled that
feature on its Web site. Jones is seeking passage of a bill that would ban
state agencies from releasing entire SSNs. [Source]
[State
Posted ID Data on Web]
A growing number of police crime labs are adding DNA
from suspects to databases that operate outside of state and federal law by matching
those suspects to unrelated crimes. Proponents say the databases, which have
solved more than 50 crimes, are legitimate because no laws forbid them. Defence
lawyers and privacy advocates counter that the federal government and all 50
states require individuals to be convicted or in some cases indicted for a
serious crime before their DNA can be added to the FBI’s national criminal
database. Searching a suspect’s DNA, they argue, violates privacy rights. [Source]
[Authorities
find more uses for DNA databases] [S.Carolina
- Senate bill mandates DNA samples in all arrests] See also: [Federal
Bills would bar genetic data from insurers]
Doctors have accused the Ministry of Health and
district health boards of breaching patient confidentiality after they
installed software that extracted personal data without the patients’
permission. The GP Leaders Forum wrote to the country’s 3500 GPs advising them of
what it regards as a serious breach of patient confidentiality. It was also
concerned that the ministry and DHBs went ahead to install software to extract
patient data without discussing first with GPs what data would be taken. [Source]
See also: [Hospital
discourage laptop use for patient records] See also: [AU
– ID needed to buy cold and flu medicine]
While many
Datamining companies are disputing allegations that they
violated
The names of people infected with HIV will be tracked
in all 50 states by the end of 2007, marking a victory for federal health
officials and a quiet defeat for AIDS advocates who wanted to keep patients’
names out of state databases.
A hacker or hackers stole data from at least 45.7
million credit and debit cards of shoppers at off-price retailers including
T.J. Maxx and Marshalls in a case believed to be the largest such breach of
consumer information. For the first time since disclosing the theft more than
two months ago, the parent company of nearly 2,500 discount stores put a number
on how much card data was compromised. TJX Cos. acknowledges the number could
go still higher. [Source] [Source]
[Source]
[Six
Charged In Theft Of Credit Info From Major Retailers] [UK
Info.Commish investigating TJX credit card security] [TJX
breach may spur greater adoption of credit card security standards] [Scope of
TJX Breach Has Some Questioning Attainability of PCI] [US
– Massachusetts Official: Governor’s Web Site Violates Privacy Rights of Voters]
[US
– AP Alerts Rudy Giuliani’s Campaign Web Site to Hacking Vulnerability]
CA – Alberta Privacy Commissioner Launches
Investigation Into Wireless Breach: An unsecured computer server in an
EU – Stolen Hard Drives Hold Patient Data: Approximately 19,000 current and former
patients of the Swedish Urology Group in the Seattle area have been informed
that their personal information has been compromised. Three hard drives used to
back up the practice’s data were stolen from a locked office on March 10; there
were no signs of forced entry, suggesting that the perpetrator may have had a
master key. The data go back as far as four years in some cases. The drives
contain physician and staff information as well as patient data. [Source] [Source]
US – Stolen Government Laptop Contains Information On
16,000 Civilians: A password-protected laptop that contained the names, SSNs and pay information
for 16,000 Army Training and Doctrine Command civilians was stolen from an
employee’s car. The laptop also was protected with a security device known as a
common access card. The employee was authorized to take the laptop home, but
did not realize the payroll information was on the laptop, according to a
spokesman. [Source]
US – DOD Investigating Electronic Thefts from Military Pay Accounts: According to US DOD
reports, more than 20 service members had money siphoned from their military
pay accounts. The Defense Finance and Accounting Service’s “myPay” program
allows service members to manage their pay data online. Services include being
able to designate accounts for direct deposits. The theft of the funds is
likely due to keystroke loggers and other spyware having infiltrated the home
computers of affected service members. The stolen money has been returned to
the affected accounts. [Source]
[Source]
US – 32,000 Virginians’ Personal Information Leaked to Internet: A General
Assembly computer system released personal
information on as many as 32,000 people to the Internet. The information
included constituent names, addresses, phone numbers and e-mail addresses. The
leak to the Google search engine resulted when legislative employees made
changes to the assembly’s IT system. [Source]
JP – Printing Firm Loses Personal Data Of Successful University Applicants: A floppy disc containing
names and other private information of 972 people who passed entrance
examinations for Waseda University’s commerce faculty has been lost, it has
emerged. The company later told officials of the university that it had lost a
floppy disc containing the names, addresses, and examinee numbers of the 972
people. [Source]
OTHER: [Students’
personal information stolen from UM-Western office] [Bush
Press Corps in an E-mail Blunder] [Navy Laptops
With Sailor Info Stolen] [TX:
RadioShack customers’ personal info found in dumpster] [LA: SS
numbers accessed] [Hundreds
Of Gmail, Yahoo, MSN Passwords Exposed By Entertainment Web Site] [Conservatives
ridiculed for leaving behind personnel files] [Restaurant Manager Faces
40 Counts Of ID Theft]
A passport clerk was accused of using the names and SSNs
of customers at the post office where she worked to unlawfully obtain 18 credit
cards, police said. The names on the cards obtained by the clerk matched those of
people whose passport applications she handled from January to March, authorities
said. The 27-year postal employee did not actually use any of the cards, because
they were seized when they showed up at her post office box, investigators
said. She surrendered to authorities and was charged with 18 counts of identity
theft. Investigators said there could be other victims who have not yet
discovered their names were used to open accounts. [Source]
See also: [Worker
arrested in Baptist privacy breach]
Researchers at the university in Seattle estimate that
electronic records (those containing Social Security or credit card numbers,
academic grades or medical history) are bleeding out of North American
organizations at the rate of 6 million a month so far in 2007, up some 200,000 a
month from last year. Excluding the exceptional 2003 incident that involved 1.6
billion records stolen from information aggregator Acxiom, hackers have been responsible
for only about 550 (31%) of confirmed breaches between 1980 and 2006. The
majority, 60%, of incidents of compromised records were attributed to
organizational mismanagement. That includes missing or stolen hardware,
administrative errors, insider abuse or theft or accidental posting of
sensitive information online. The balance of 9% of breaches were due to
unspecified circumstances. Even with Acxiom removed from the picture, the
commercial sector still accounts for about 252 million individual compromised
records, four times that of the next-highest contributor, the government. [Source] See
also: [By
addressing data privacy, companies avoid public scrutiny]
How to create and manage individual identity is
becoming a central challenge of the digital age. According to a new
consultation document by CDT, private sector developers of ID technology,
government officials, and public interest groups could all benefit from a
guiding set of privacy principles or best practices in this area. In order to
begin the process of developing such principles, CDT has released a draft of Privacy Principles for
Identity in the Digital Age. It is based on two earlier efforts CDT
coordinated: the 2003
Authentication Privacy Principles and the 2006 Privacy
Best Practices for RFID Technology. The FTC is holding an
identity authentication workshop on April 23 and 24. CDT hopes to testify,
and we would like to use the workshop as an opportunity to expose the concepts
in the draft principles for comment and reaction. CDT is seeking comments or questions
about these principles. [Source]
[Draft for
Comment: Privacy Principles for Identity in the Digital Age]
The Public Interest Advocacy Centre (PIAC) has
released a report examining the nascent identity theft insurance market and
related consumer service of “credit monitoring”. The report concludes that the
present product offerings of both identity theft insurance and credit
monitoring are flawed in that a major component of each is already provided
free to consumers who are aware of it. The report calls for provincial insurance
regulators to ensure that companies offering identity theft insurance are
required to disclose that there are these free services that overlap with the
intended coverage or service. Identity theft coverage as it now stands is also
of questionable value, given that its major potential claims items, that is,
payment for time off work to resolve identity theft issues, as well as legal
assistance, are capped at low recovery levels. Uncertainty over the extent of “legal
assistance” under these agreements abounds, and it is noted that most identity
theft victims do not actually need full legal defence services to recover from
identity theft. Credit monitoring also has been used as an inadequate form of
recompense to consumers after a corporate data breach. Instead, governments
should consider the effectiveness of data breach disclosure laws and consumer
credit freezes. The report notes that corporations may be the real parties in
need of identity theft insurance, in the form of data breach insurance, and
that such insurance might encourage corporations to institute best practices
for information handling. The report closes with a recommendation that identity
theft insurance increase coverage of actual fraud losses and that consumers
think carefully before purchasing these services in their present state. [Source]
[Report]
See also: [N.Y.
Insurer to Pay Customers for Unlawful Access to Credit Reports]
Former 9/11 Commission counsel Janice Kephart
announces the launch of an online Identity Document Security Library,
consisting of legal, technical and policy pieces regarding identity document
security. Kephart, a nationally recognized border security expert, created the
library to serve as a ‘one-stop-shop’ information portal for those seeking
objective, credible information on the issue of identity document security. The
library contains federal, state and international legal materials; standards
and best practices; federal, state and association activity, reports and
letters; state leadership in identity document security; information on
identity theft and counterfeiting; news and opinion pieces. Where possible,
links to primary sources and Web sites are provided. [Source]
Phishing and malware have increased substantially in
the first two months of 2007 as the number of brands used in phishing attacks
increased 50% and malware attacks soared by 200%. The largest increases in
Phishing attacks have targeted organizations in the following industries:
Credit Unions: 584% increase; Associations: 329% increase; Banks: 325%
increase; Insurance: 300% increase; Payment Services: 285% increase. These
figures come from a report prepared by Cyveillance, a provider of online risk
monitoring and management solutions. The report also found that more than 1
million stolen SSNs are available on the Internet. [Source] [Source]
[Report (reg. req’d)] See
also: [Economist
Article]
Liberty Alliance has announced the release of the
Advanced Client specifications designed to allow enterprise users and consumers
to manage identity information on devices such as cameras, handhelds, laptops,
printers, and televisions. The Advanced Client is part of
One electronics company is warning consumers about the
potential dangers of making copies of tax returns or other personal information
on copy machines that have hard drives. Those hard drives retain data from
images that are copied on the machines, leaving people at risk for ID theft. Experts
said people making copies of personal documents at public businesses or other
places where the copy machine is accessible to identity thieves should be more
cautious. “Anyone with a little bit of technical know-how that could extract the
hard drive from the machine could then read any of the data that’s on it.”
Sharp Electronics issued a warning to consumers about the possible threat after
research showed many people make copies of their tax returns at a business. Most
photocopiers made in the last 5 years have hard drives. Sharp recommends asking
the copy shop if its machines are encrypted. [Source]
Many owners of Internet addresses face this quandary:
Provide your real contact information when you register a domain name and
subject yourself to junk or harassment. Or enter fake data and risk losing it
outright. Help may be on the way. A key task force last week endorsed a
proposal that would give more privacy options to small businesses, individuals
with personal Web sites and other domain name owners. [Source]
SEE ALSO: [Department
of Homeland and Security wants master key for DNS]
Snoop laws that give the government the power to
intercept and monitor everyone’s communications will also make it compulsory
for the cell phone numbers of all South African cell phone users to be
registered with the interception authorities before the end of the year. [Source]
The National Assembly is likely to pass a revision to
the Protection of Communication Secrets
Act that would permit wiretapping of mobile phones on April 2. The bill
will be deliberated in a plenary session of the Legislation and Judiciary
Committee and pass the current extraordinary session. The committee vice chairman said, “We’ve
provided a control device in the bill to the effect that in case they are
wiretapped or their location is detected, subscribers will be notified after a
certain period, and that a limit is set on the wiretapping period.” [Source]
See also: [KR:
South Korea to implement e-passport system in ‘08]
A committee of the Internet’s key oversight agency
agreed to form a new working group that would examine how to offer more privacy
to small businesses and people with individual Web sites. At a meeting of the
agency’s Generic Names Supporting Organization Council, members opted to focus
initially on a proposal known as operational point of contact. A slight majority
of a GNSO task force recommended that approach earlier this month, but left
many implementation details unanswered. The new working group would be tasked
with trying to fill some of those gaps. The proposal would give domain name
owners more choices in whom they list in publicly accessible databases known as
Whois. Currently, they must provide their full names, organizations, postal and
e-mail addresses and phone numbers. [Source]
A terrorism data-bank allowing access to information
on suspects for both police and the intelligence services went into operation
in
FBI Director Robert Mueller yesterday said secret
“national security letters” are invaluable in unearthing telephone and e-mail
logs and blamed computer snafus for deceiving Congress about how often the
technique is used. In an appearance before the Senate Judiciary Committee,
Mueller attempted to downplay widespread concerns about the FBI’s illegal use
of the letters, which came to light in an inspector general’s report earlier
this month. The report found that the FBI underreported the number of national
security letters and concluded there was “serious misuse” of the surveillance
power. [Source] [Mueller
to Congress: FBI Didn’t Mean to Break the Law] [Office of the
Inspector General’s Report] [ACLU
Urges Senators to Hold FBI Responsible; Concerns About National Security Letter
Abuses Remain]
American Express Co. has received top billing as the
most trusted company for privacy in the
The FCC is proposing a $100,000 fine against Amp’d
Mobile Inc., the wireless phone company aimed at the youth market, and two
other companies for failing to protect consumers’ personal calling records from
thieves. [Source]
See also: [Information
Commissioner Seeks Tougher Sentences For Information Thieves]
Gaps in
Joanne McNabb, Chief of the California Department of
Consumer Affairs’ California Office of Privacy Protection, testified before the
Senate Judiciary Committee’s Subcommittee on Terrorism, Technology and Homeland
Security last week about
The Ko-RFID research project, sponsored by the German
Federal Ministry of Economics and Technology, addresses RFID and collaboration,
and the impact of the former on the latter within the supply chain. The project
is divided into nine sub-projects, each approaching the main research questions
from a different angle, according to a university statement. Initiated by
Humboldt-Universität zu Berlin, the Ko-RFID
project was started in August 2006 and is dedicated to studying the impact
that RFID technology might have on the coordination and cooperation processes
within an RFID-enabled supply chain. The project is split into nine modules,
each having its own objectives and responsibility for certain aspects of the
general problem area, according to the university. The primary focus of the “Privacy
and Security” module addresses security aspects of data storage, processing and
sharing in the RFID-enabled supply chain. The objective of the research
activities is to evaluate and produce solutions for security threats in the
supply chain. [Source]
[Ko-RFID Project] See also: [RFID chips will force changes to EU
Privacy and Electronic Communications Directive] and [EU Public to shape
smart tag policy]
Portable surveillance systems company Third Eye, Inc.
has released a Security Alert Tracking System (SATS) designed to alert casino,
bank and convenience store management if an employee’s heart begins racing. The
goal is to add intelligence to security and surveillance by letting a manager
know if an employee is under stress and could be involved in an emergency
situation—or even planning a theft against the business. [Source]
Cyberinfrastructure Vision for 21st Century Discovery is a sweeping call to
reimagine: 1) Cyberinfrastructure resources, tools and
related services such as supercomputers, high-capacity mass-storage systems,
system software suites and programming environments, scalable interactive
visualization tools, productivity software libraries and tools, large-scale
data repositories and digitized scientific data management systems, networks of
various reach and granularity and an array of software tools and services that
hide the complexities and heterogeneity of contemporary cyberinfrastructure
while seeking to provide ubiquitous access and enhanced usability; and 2) The
preparation and training of current and future generations of researchers and
educators to use cyberinfrastructure to further their research and education
goals, while also supporting the scientific and engineering professionals who
create and maintain these IT-based resources and systems and who provide
essential customer services to the national science and engineering user
community. The vision document was developed by the National Science Foundation’s
Cyberinfrastructure Council. [Source] [Source]
The percentage of computers invaded by keylogger
programs that capture what users type on their keyboards has remained stable
since 2005, when about 10 million PCs contained the malware, according to an
analyst quoted in this InformationWeek story. The story notes that consumers
may not face financial peril for online theft resulting from keyloggers because
banks limit losses. However, consumers eventually pay the price when banks that
absorb the losses pass those costs on to their customers. A recent Webroot
Internet security report found that about 18% of businesses have reported
keylogging attacks. [Source]
A Senate panel says
The fate of the Australian Government’s Access Card
scheme rests upon successfully registering more than 16 million people at a
rate of well over 30,000 per working day between 2008 and 2010, a Consumer and
Privacy Taskforce warns. “In many respects, making decisions about the
architecture, defining technical specifications and creating the legislative
framework are the easier parts of the whole proposal,” the Taskforce says in
its registration discussion paper released this week. “What is really
challenging is the need to engage with, and enrol, in excess of 16 million
Australian citizens, permanent residents and other eligible persons and to
provide them with their own card.” “In short, the registration system will only
be effective if all adults eligible for a variety of Commonwealth benefits take
steps to register.” The initial application will have to be in writing,
followed by attendance at a face-to-face interview where people will have to
produce a range of identity documents which will be copied for checking. A
biometric photograph will be taken for inclusion on the card, and people will
need to provide a digital signature. [Source]
[Task Force Press Release]
UK Police and the Home Office are planning a
significant upgrade of the CCTV network in a move that will deepen concern
about a lurch towards a “surveillance society”. New laws would require camera
operators to ensure that their equipment produces images good enough for police
investigations. This follows an 18-month review carried out by the Home Office
and the Association of Chief Police Officers (ACPO) amid concern about the
quality of evidence supplied by millions of cameras. The findings are due to be
published within weeks.
Checks will be made on all children to identify
potential criminals under a further extension of the “surveillance state”
announced by Tony Blair this week.
An inquiry into the growing use of surveillance in
society is to be held by an influential committee of MPs. The Commons Home
Affairs committee is about to announce the inquiry, leader of the Commons Jack
Straw told MPs. The Information Commissioner last year warned the
[Source] See
also: [UK -
Blair plans to monitor children for signs of criminality] [Every
child to be screened for risk of turning criminal under Blair justice plan]
Nearly four years after Congress pulled the plug on
what critics assailed as an Orwellian scheme to spy on private citizens,
Singapore is set to launch an even more ambitious incarnation of the Pentagon’s
controversial Total Information Awareness program – an effort to collect and
mine data across all government agencies in the hopes of pinpointing threats to
national security. The
The U.S. Federal Communications Commission regulatory
agency said Thursday it will study the business practices of high-speed
Internet providers and consider adopting regulations to ensure all Web traffic
is treated equally. The study will focus on how Internet service providers are
managing traffic on their networks and whether they are charging different
prices for different speeds or levels of service, the commission said. The FCC
adopted four principles on Internet policy in 2005, and the study will consider
whether a principle of nondiscrimination in Internet traffic should be added.
Consumer advocates and other supporters of so-called net neutrality have pushed
for the FCC to adopt such rules. [Source]
Private businesses such as rental and mortgage
companies and car dealers are checking the names of customers against a list of
suspected terrorists and drug traffickers made publicly available by the
Treasury Department, sometimes denying services to ordinary people whose names
are similar to those on the list. The Office of Foreign Asset Control’s list of
“specially designated nationals” has long been used by banks and other
financial institutions to block financial transactions of drug dealers and
other criminals. But an executive order issued by President Bush after 9/11 has
expanded the list and its consequences in unforeseen ways. Businesses have used
it to screen applicants for home and car loans, apartments and even exercise
equipment, according to interviews and a report
by the Lawyers’ Committee for Civil Rights of the San Francisco Bay Area issued
today. Said the report’s author, “The government is effectively
conscripting private businesses into the war on terrorism but doing so without
making sure that businesses don’t trample on individual rights.” The lawyers’
committee has documented at least a dozen cases in which
The Government Accountability Office is concerned that
the DHS has yet to assess the likelihood that a new data-mining program will
misidentify people or mistakenly link them to terrorism investigations. DHS
officials have taken the position that a privacy assessment is unnecessary for
the new program, known as Analysis, Dissemination, Visualization, Insight and
Semantic Enhancement (ADVISE). [Source] [Source]
[GAO Report] [GAO, DHS disagree on need
for privacy study]
The FBI’s widespread violations in issuing “national
security letters” to obtain detailed personal information about Americans were
unfortunate, but predictable given the extent to which policy and technological
changes have undermined the rules intended to protect the privacy rights of
law-abiding citizens, CDT Policy Director Jim Dempsey told a congressional
panel this week. Testifying before the House Permanent Select Committee on
Intelligence, Dempsey said that the evolution of NSLs from a limited law
enforcement tool to one that can be used broadly, with few standards and in
secret, has led to a “privacy nightmare.” Dempsey urged lawmakers to move to reinstate
meaningful judicial review over the issuance of NSLs. [Dempsey Testimony]
Hugo Teufel, the Chief Privacy Officer for the
Department of Homeland Security (DHS), told a House panel that the agency needs
a 16 percent increase to hire employees to conduct assessments of government
information networks and to handle Freedom of Information Act requests. Teufel
is seeking $5.1 million for the privacy office in fiscal 2008 – a 16 percent
budget increase. [Source]
With tax day fast approaching, tens of millions of
When you apply for a mortgage and get a barrage of
irritating and confusing phone calls from competing lenders before noon the
next day, can you turn to the government for help? The FTC issued a
long-awaited answer to that question recently, and the decision is attracting
criticism. The FTC, which has regulatory oversight concerning consumer credit,
says it lacks the legal authority to crack down on unwanted “trigger-list”
phone solicitations to consumers who have applied for mortgages within the
preceding 24 hours. [Source]
Not one senator voted against a 2005 emergency
spending bill that created federalized ID cards. But two years later,
skepticism on Capitol Hill about the wildly controversial Real ID rules is
beginning to surface. Leaders of a U.S. Senate Homeland Security and
Governmental Affairs panel joined a chorus of outsiders, including many state
government officials, who have questioned the costs and privacy implications of
the congressionally mandated shift to identification cards that must adhere to
a bevy of national standards. [Source] [Source] [Senators
Question Smart Card ID Requirements] [Senators
call for REAL ID overhaul] [DHS Data
Privacy and Integrity Advisory Committee] [DHS’s Notice of
Proposed Rulemaking on REAL ID] [DHS
Privacy Office’s Privacy Impact Assessment of the Proposed Regulations] [EPIC’s
Testimony at March 21, 2007 Meeting of DHS Data Privacy and Integrity Advisory
Committee] [CDT’s
Testimony at March 21, 2007 Meeting of DHS Data Privacy and Integrity Advisory
Committee] [ACLU’s
Real ID Scorecard] [National
Governors Association’s Page on REAL ID] [EPIC’s Spotlight
on Surveillance on REAL ID Regulations] [EPIC’s page on
National ID Cards and the REAL ID Act]
The Department of Homeland
Security can and should make substantial changes to its proposed REAL ID
regulations in order to avoid serious privacy and security risks, CDT testified
to the DHS Data Privacy and Integrity Advisory Committee. Following the oral
testimony given last week, CDT today issued its full recommendations to the
committee. CDT believes that the REAL ID Act itself is fundamentally flawed in
a way that can’t be fixed with regulatory tweaks and must be repealed or
substantially rewritten. But there are several areas where the draft
regulations could be significantly improved to better protect the privacy and
security of Americans should the Act remain unchanged. [DHS Testimony]
This Washington Post story examines the issues related
to the Terrorist Identities Datamart Environment, or TIDE database, that has
grown to include 435,000 files since President Bush ordered intelligence
officials to house data on terrorists in a central location. Russ Travers, who
heads the effort, tells the Post that he is concerned about “long-term quality
control.” Privacy experts have expressed concerns about errors that have proved
nearly impossible for people to correct. The secrecy associated with the
database, which includes information on anyone that officials believe may harm
the
The Senate has unanimously passed a bill that would
require the state Department of Information Systems to create a comprehensive
registry of state computer systems that contain personal information. “It is
very possible that, after we go through this registry, that we will find there
is information out there that doesn’t need to be stored,” said Jennifer Shaw of
the ACLU. Sen. Adam Kline, D-Seattle, sponsored the bill, SB 5869. [Source]
Michigan House lawmakers have passed a bill that would
allow residents to place a security freeze on their credit reports. The bill
will now be taken up in the Senate. Differences between the two bills need to be worked
out, including the amount of fees consumers would pay to obtain the freeze. [Source]
See also: [Florida
- Tougher Penalties for Elderly ID Theft]
A bill that would allow
Lawmakers are no longer considering a proposal that
would have allowed a state department to create a database of millions of
Coloradans’ names, Social Security numbers, employers and health coverage
information. Health plans and some lawmakers called it a huge invasion of
privacy. The Colorado Department of Health Care Policy and Environment said it
was the best way to ensure millions of taxpayer dollars aren’t being misused in
the Medicaid program. [Source]
After an emotional plea from the mother of a slain
--------