Privacy News Highlights
18–24 May 2007
Contents:
US – FBI to Upgrade Biometric System
CA – UVic Prof Seeks to End LSAT Fingerprinting
UK – Outrage Over UK Call to Add Newborns to DNA Database
EU – German Authorities Use Scent Tracking to Keep Tabs on G-8 Protesters
CA – Parliamentary Privacy Report a Major Disappointment (Geist Op-Ed)
CA – Supreme Court Case Tests Random Sniffer Dog Searches vs Privacy Rights
WW – Privacy International Announces Global Privacy Invaders
WW – An Empirical Approach to Understanding Privacy Valuation
CA – Beware Bogus E-Mails Over EI Benefits, Feds Warn
EU – German Constitution To Be Amended For Modern Communications Society
EU – CNIL Fines U.S. Employer for Improper Transfers of Employee Data
US – The Visible Man: An FBI Target Puts His Whole Life Online
US – Libraries in Illinois Fight Plan for Computer Restrictions
WW – Report: More Governments Filter Online Content
US – TJX Estimates Breach-Related Costs At $25M
UK – Pointless FOI Enquiries to be Curbed by New Charter: UK Info Commissioner
CA – NB Province Launches Personal Health Information Task Force
US – New IRS Rule Implicates Medical Privacy
UK – Anger at Plans for NHS Database of Gay Men
AU – Memory Sticks a Privacy Threat
UK – UK Shuts Down Online Visa Application System
CA – Senators Push for Driver’s Licences
UK – Home Office: Interference With Privacy ‘Necessary’
US – New U.S. Copyright Advocacy Group Launches
EU – Europe Votes to Restrict Police Data Sharing
NZ – Privacy Commish Warns Information Sent Overseas Not Subject to Privacy Laws
WW – Google to Track and Profile Users’ Psychologies
WW – MSFT Wants to Identify All Web Surfers Based on Surfing Habits
US – MySpace Agrees to Share Sex Offender Data With States
US – Justice Dept. Concerned With Informant Web Site
US – Ancestry.com Puts 90M War Records Online
UK – PCC Issues Privacy Guidelines on Undercover Reporting
US – More Than 12,000 Comments Submitted on REAL ID Draft Regulations
US – Researchers, Lawmakers Fuel Growing Opposition to RFID
US – NIST Releases FISMA Security Control Tools
US – Border Inspectors Rarely Use Biometric Technology
US – EPIC Urges Release of Documents Concerning the NSA Surveillance Program
US – CDT Urges Caution on Location Tracking Mandate for Wireless Devices
US – Agencies Told to Curb Use of SS Numbers
US – US Govt Issues Fact Sheet on the Terrorist Identities Datamart Environment
US – Work Bill Would Create Massive New ID Database
US – House Approves Bill to Combat Internet Spyware, Other Scams
The FBI wants its new Next Generation Identification
biometric information system to furnish faster, higher-quality links to
other such repositories than its current methods provide, a senior bureau
official said yesterday at a briefing attended by industry and government
technologists. “Dealing with other repositories has emerged as a major problem,”
said James A. “Jim” Loudermilk II, deputy assistant director at the bureau’s
Information Technology Operations Division, during the briefing. The FBI
technology organization has planned NGI to carry out upgrades such as improved
interoperability with the IDENT system that the Homeland Security Department
operates to carry out many of its immigration data processing functions. The
bureau’s Integrated Automated Fingerprint Identification System already
exchanges specified groups of fingerprints gathered from individuals who
qualify as “the worst of the worst” among immigration law violators, known or
suspected terrorists (KST) and similar wrongdoers. Secretary Michael Chertoff
has mandated that IDENT end its practice of gathering only two fingerprints and
shift to the bureau’s approach of gathering 10 fingerprints. That change will
assist the job of achieving greater interoperability between the department’s
system and IAFIS. [Source]
Fingerprinting Canadians to deter cheating on law
school entrance tests may be scrapped, thanks to a determined University of
Victoria philosophy professor. Since 2005, Eike-Henner Kluge has pursued a
privacy complaint against the American agency administering the test commonly
referred to as the LSAT. The agency demanded that students taking it be
fingerprinted to head off people having others take the test for them. About
7,000 LSATs are administered yearly in Canada. Kluge recently learned the
federal Office of the Privacy Commissioner of Canada has sided with his view that
the fingerprinting practice is an infringement of privacy. The privacy office
has ordered the Law School Admission Council to cease collecting the
fingerprints of Canadian students, and explain how it intends to implement its
recommendation. [Source]
A British peer has triggered a furious row after
calling for DNA from newborn babies to be stored on the national database. Lord
Mackenzie of Framwellgate, formerly Durham’s senior police officer, said the
move would help in the fight against crime and terrorism. But the proposal was
immediately attacked as “abusing the privacy of the innocent” by the Liberal
Democrats, who oppose the Government’s plans to expand the database. DNA
samples from more than 565,000 people across the North-East and North Yorkshire
are already stored, a figure that has more than doubled in 18 months. About
5,700 were taken from people arrested, but never convicted of an offence -
provoking fierce criticism because the innocent are recorded alongside the
guilty. [Source]
German authorities are using scent tracking to keep
tabs on possibly violent protesters against next month’s Group of Eight summit
- a tactic that is drawing comparisons with the methods of former East Germany’s
secret police. Scent samples have been taken from an undisclosed number of
people believed to be a possible danger to the upcoming summit so that police
dogs can pick out the perpetrators if there is violence, the Hamburger
Morgenpost reported Tuesday. [Source]
The Standing Committee on Access to Information,
Privacy and Ethics issued its much-anticipated report on the reform of Canada’s
private sector privacy law earlier this month. Despite hearing from 67
witnesses, the committee followed the lead of Industry Minister Maxime Bernier
and Privacy Commissioner Jennifer Stoddart - neither of whom argued forcefully
for reform - by issuing a tepid report that rejects the changes that many
privacy advocates believe are necessary to improve the effectiveness of the
current legal framework. Instead, the final report, which includes separate
dissenting opinions from the Conservative and Bloc Quebecois Members of
Parliament, features 25 recommendations that at best represent little more than
tinkering with the law and at worst undermine privacy protections in several
key areas, most notably the use of privacy law to counter the mounting spam
problem. Most of the major issues presented to the committee, including beefing
up the privacy commissioner’s powers, adopting a “name and shame” approach for
privacy violators and safeguarding Canadian data that is outsourced to other
jurisdictions, were met with indifference, as the committee recommended no
further reforms. In fact, even a mandatory security breach notification
requirement - widely expected as a response to the massive data security
breaches involving retail giants Winners and Homesense - was tempered with a
recommendation to require notification to the privacy commissioner, not
necessarily to the individuals affected by the breach. [Source]
It took no time at all for a police dog to detect
marijuana amongst a pile of backpacks in the gymnasium of a Sarnia, Ont., high
school. The owner of the offending backpack was charged with marijuana
trafficking, launching a five-year legal journey that will end this week in the
Supreme Court of Canada. In a fascinating, constitutional clash between civil
libertarian values and police techniques in an age of terrorism, the court must
decide whether permitting sniffer dogs to conduct random searches violates the
right to privacy. Lawyers opposing the technique will argue that setting a dog
on a random search for drugs is highly intrusive and chillingly reminiscent of
police state tactics popularized by southern U.S. slave owners and Nazi storm
troopers. In a legal brief to the court, the Criminal Lawyers Association warns
that, “it would follow that there are no public places where the police cannot
attend with investigative dogs. This would include the workplace, places of
worship, schools, shopping centres, athletic facilities, concert halls and so
forth.” In 2004, the Ontario Court of Appeal agreed with this view, resulting
in A.M.’s acquittal. [Source]
See also: [Illinois
lawmakers OK teachers’ searches of lockers] [Measure would allow random
steroid testing of Texas High School athletes]
Privacy International ran the first International Big Brother Awards ceremony at the ‘Computers, Freedom and Privacy’ conference. With over 200 attendees present, PI outed the most invasive companies, projects, officials, and governments. Nominees and Winners were
Winners were given the classic BBA award, a golden statue of a boot stamping upon a human head, the image George Orwell offered in 1984 as a vision of the future. [Source] [Big Brother Awards site] See also: [Italian Big Brother Awards for 2007]
Paper by Luc Wathieu, associate professor in the
Marketing unit at Harvard Business School: “What do consumers value and why?
Researchers on privacy remain stumped by a “privacy paradox.” Consumers declare
that they value privacy highly, yet do not take steps to guard it during
transactions. At the same time, consumers feel unable to enact their
preferences on privacy. Clearly, scholars need a more nuanced understanding of
how consumers treat information privacy in complex situations. To test the
hypothesis that there is a homo economicus behind privacy concerns, not just
primal fear, Wathieu and Friedman conducted an experiment based on a real-world
situation about the transmission of personal information in the context of car
insurance. Their experiment was based on a previous case study about marketing
processes that use membership databases of trusted associations (such as alumni
associations) to channel targeted deals to members through a blend of direct
mail and telemarketing. Key concepts include:
[Source]
[Full Working Paper Text]
The federal government has issued a warning about
phoney e-mails that ask Canadians to divulge personal details online. Service
Canada, which processes things such as employment insurance benefits, says its
clients have been receiving e-mails asking for data purportedly needed to
expedite a claim. In reality, the e-mails form the basis for an identity theft
scam. “Service Canada does not use e-mails to obtain confidential information
from clients,” the department said in an advisory issued Thursday. “Please be
assured that Service Canada is doing everything it can to protect users of its
internet service against any type of fraudulent activity.” The details sought
in the phoney e-mails include a person’s social insurance number, date of
birth and credit card information. [Source]
See also: [Employers
Launch Fake Phishing Emails To Dupe Workers] and [New
antiphishing, antispam specifications unveiled by Internet Engineering Task
Force] [US
Study: More spam but fewer complaints]
Politicians from both the SPD and CDU/CSU are planning
to amend the German constitution to take modern communications into account.
According to a newspaper report, a basic right for freedom on the Internet is
to be established. The SPD’s home affairs reportedly hoped to have a draft
completed by the end of this session of parliament. [Source] See also:
[German IT industry
says proposal for data retention is acceptable]
In what may foreshadow a new era of more aggressive
enforcement, France’s data protection authority - La Commission Nationale de L’informatique
et des Libertés (CNIL) - recently fined Tyco Healthcare France (THF), the local
subsidiary of a U.S. multinational organization, €30,000 for, among other
things, improperly transferring employee information to Tyco’s U.S.
headquarters. The fine appears to be the first imposed on a U.S.-based company
accused of unlawful cross-border transfers of human resources data. The French
government’s enforcement action coincides with recent public declarations by
other European data protection authorities, calling for more aggressive
enforcement of the European Union’s strict data protection regime. [Source] [Source]
Hasan Elahi whips out his Samsung Pocket PC phone and
shows me how he’s keeping himself out of Guantanamo. He swivels the camera lens
around and snaps a picture of the Manhattan Starbucks where we’re drinking
coffee. Then he squints and pecks at the phone’s touchscreen. “OK! It’s
uploading now,” says the cheery, 35-year-old artist and Rutgers professor,
whose bleached-blond hair complements his fluorescent-green pants. “It’ll go
public in a few seconds.” Sure enough, a moment later the shot appears on the
front page of his Web site, TrackingTransience.net. He posts copies of every
debit card transaction, so you can see what he bought, where, and when. A GPS
device in his pocket reports his real-time physical location on a map. Elahi’s
site is the perfect alibi. Or an audacious art project. Or both. The
Bangladeshi-born American says the US government mistakenly listed him on its
terrorist watch list - and once you’re on, it’s hard to get off. To convince
the Feds of his innocence, Elahi has made his life an open book. Whenever they
want, officials can go to his site and see where he is and what he’s doing.
Indeed, his server logs show hits from the Pentagon, the Secretary of Defense,
and the Executive Office of the President, among others. [Source]
Public libraries throughout
Illinois took the political battle over Internet freedom directly to their own
patrons on Monday, lobbying libraries’ computer users to oppose state legislation
requiring software that filters out pornography. As part of a loosely
coordinated, one-day statewide campaign, libraries in the Metro East area
passed out fliers, bookmarks and, in one case, installed computer screensavers
- all calling attention to what librarians say is an onerous proposal that
would infringe on the budgets of libraries and the privacy rights of library
patrons. A handful of libraries in other parts of the state made that point by
shutting down their own Internet services for the day. One conservative group
claims the lobbying efforts may have been an illegal use of public resources. [Source]
As more people use the
Internet to inform themselves, more governments around the world want to filter
what they read, according to an academic study. State-based Internet filtering
is on the rise – not only in the sheer number of governments engaging in
content filtering but also in the scope of the material they’re blocking,
according to the report. The year-long study of thousands of websites across
120 ISPs found 25 of 41 countries blocked content, and is the work of the
OpenNet Initiative (ONI), launched by four universities: Cambridge, Harvard,
Oxford and Toronto. [Source] [Source] [Source]
[Research OpenNet Initiative] See
also: [ITU
and UNCTAD publish the World Information Society Report 2007]
TJX provided new figures for expenses related to a
computer intrusion that led to the exposure of data of more than 45 million
credit and debit cardholders. The company indicated in a securities filing that
the company has spent $25 million so far in the aftermath of the breach. The
company also said it does not yet have enough information to estimate what
additional costs it faces in the months ahead. [Source]
TJX reported this week that its first-quarter profits declined by 1 percent as
a result of breach-related costs so far. Besides the $25 million breach-related
costs incurred to date, the company said it will face additional expenses for
the investigation of the intrusion into its computer system. It also predicts
additional expenses to upgrade computer security as well as legal and other
costs. However, the company acknowledged that it is unsure how much higher the
cost will be to cover legal proceedings and other expenses in the future. [TJX
Security Breach Costs Cut Into Profits] and [TJ Maxx/TK Maxx
Security Breach Cost May Reach US$8.3B] see also: [PCI
Standard Driving IT Security Spending] [Minnesota
becomes first state to make core PCI requirement a law; Texas legislators
considering a similar move]
As debate continues over legislation that would exempt
members of UK parliament from the Freedom
of Information Act, the UK Information commissioner Richard Thomas announced
plans to deter vexatious requests made under the Act. At a conference in London this week he said that such cases
can waste public money and jeopardise the reputation of the Act. Thomas said that examples were a
request to 10 Downing Street about the amount of toilet paper used and a
request to Hampshire Police about the number of eligible bachelors in the
force. His office is developing further guidelines to help public bodies resist
requests which are pointless. A Charter for Responsible FOI Requests will help
to prevent requests which have no serious purpose or value, impose
disproportionate burdens or have the effect of harassing the public body. “I am
sympathetic towards public authorities that refuse to deal with vexatious
requests which clearly serve no reasonable purpose. But I am surprised that
public authorities are not making more robust use of the existing provisions
under the Act for excluding vexatious requests,” Thomas said. [Source][Info
Commissioner to Scrutinize Repeat Efforts to Obtain Public Records] See
also [MPs
vote themselves exemption from Freedom of Information law] [Straw
leads MPs’ plot to dodge freedom bill] and also: [Australian
Right to Know Campaign on the move]
Health Minister Michael Murphy announced the creation
of the Personal Health Information Task Force, to consult New Brunswickers on
accessing and protecting personal health information. Murphy said government
plans to introduce legislation that is specific to the use and protection of
personal health information as part of the Charter for Change commitment to ‘modernize
privacy and right to information laws in New Brunswick and further protect an
individual’s personal information from misuse…’ Currently, access and privacy
issues related to personal health information are addressed in a number of
provincial and federal statutes that cover information in general. “We believe
that an individual’s health information warrants stand-alone legislation, and
we plan to move in this direction after we receive the input of New
Brunswickers through the Personal Health Information Task Force,” he said. [Source]
Initial reactions to a decision last week by the
Internal Revenue Service were overwhelmingly positive. But in the passing of a
few days and with sober reflection, not everyone sees the new IRS policy as an
unalloyed good thing. Deborah Peel, founder of the Austin, Texas-based Patient
Privacy Rights Foundation, in an e-mail, said the group “deplores” the
memorandum, decrying what she called “a dirty little secret”—that many
hospitals sell patient data as a revenue source. “By ‘giving’ physicians
electronic records that they can data-mine, hospitals have just massively
enhanced the value of the data they sell to third parties. Physicians who
accept EHRs that will be data-mined by hospitals are accepting a ‘gift’ that
violates medical ethics and the laws of every state.” [Source]
An NHS database holding intimate information about the
sexual behaviour of thousands of gay men is being planned by health trusts as
part of a drive to encourage safer sex, a charity disclosed this week. The
possibility that sensitive data could be accessed by computer hackers is
causing anxiety across the gay community in London, where it will be launched
later this year. [Source]
Drug companies trying to improve their market share
have put patient privacy at risk by demanding pharmacists allow them to insert
memory sticks in pharmacy computers. The Pharmacy Guild has asked members to ban
the practice because it could breach patient privacy - drug companies allowed
to use the memory sticks could find out what drugs individual patients were
taking. “This is just not on,” Pharmacy Guild president Kos Sclavos told The
Daily Telegraph. [Source]
The UK’s Foreign and Commonwealth Office closed its
online visa application Web site after a security breach last week. Officials
are investigating following the discovery that applicants using the online
service could view other online applications that included phone numbers,
addresses and social security numbers by making a minor change in the browser’s
URL. [Source] [Source] [Source] [Source] [Source]
Horror Story Roundup: [Stolen
Laptop Contains Personal Data On NU Students] [Hackers Get E-mail
Addresses from British ISP] [Confidential
Illinois Student Data Exposed Online] [Two
Arrested in Hospital Computer Theft] [Columbia
Bank Online Customers Notified of Breach] [Illinois State
Database Suffers Security Breach Affecting 300,000] [Nevada
College Server Infected] [Alcatel-Lucent
Trying to Find Lost Disk] [Private
medical records of Colorado residents exposed on Internet] [Worker
mistakenly sends personal email database] [Bank
of America Sues ID Theft Victim] [Virgin
exposes customers’ details down under] [UPMC mailing exposes
patients to identity theft risk] [Report details BofA
theft] [Stolen
employee information nets no prison time, but restitution] [Private
documents dumped in Issaquah recycling bin] [Columbia
Bank says online hackers breached security] [Medical Records
Exposed In Dumpster] [Hospitals wrongly send
out information] [Israel:
Database upgrade threatens mental patients’ privacy] [Substitute
teachers’ Social Security numbers stolen in car break-in] [Thousands
of police at risk from stolen laptop database] [Canadian Man
charged with stealing 2,000 credit cards] [Ryanair
check-in site exposes data]
Canada’s push for an alternative to passports at the
border is getting a major endorsement from two U.S. senators who want to give
U.S. citizens the option of using secure driver’s licences at land crossings.
Minnesota’s Norm Coleman and Susan Collins of Maine, both Republicans, have
introduced a measure to create a national licence program, saying recent
technological advances have made the documents a safe bet for weeding out
terrorists. Their amendment also would require U.S. officials to wait on the
passport plan until a pilot project using driver’s licences at crossings
between British Columbia and Washington state is evaluated. [Source]
See also: [We
need harmony in U.S. border security]
Home Office minister Liam Byrne has responded to
questions posed by the joint committee on human rights (JCHR) and defended the
government’s ID card programme. “The government recognises that taking
biometric or other information from a person, and storing that information and
requiring a BID [biometric immigration document] to be used for specific
immigration purposes may be an interference in the right to respect for private
life,” he admitted. “However, we have considered, and remain of the view, that
if there were any interference, we would ensure that this was necessary and
proportionate.” [Source]
See also: [Secret
plans to turn staff into police informers]
Some of the staunchest advocates for stricter
copyright laws have formed a new alliance designed to pressure Congress into
preserving stronger intellectual property rights. The Copyright Alliance
consists of 29 national organizations and companies that purport to represent
11 million workers in copyright-related industries. [Source]
The European Parliament voted this week to reinstate the
principles of data protection in legislation that would allow police across
Europe to routinely share data about their activities. As the Parliament has no
authority in the third pillar (the EU’s jurisdiction for police and judicial
matters), the amendments it proposed last night have no official clout. But the
European Council, which calls the shots on this framework, did formally ask the
Parliament for its opinion on the matter, and the German Presidency has
consulted MEPs. Voting last night to endorse amendments that would ensure firmer
data protection, MEPs have restored hope that data sharing between European police
forces will only be allowed if it is done with proper regard for civil
liberties. The Germans have made the first concerted effort to revive the
legislation since the Italian and Greek presidencies gave up on it in 2003 –
largely because a few countries, most notably Britain, didn’t like the idea
that the common rules would be applied to national police operations as well. They
broke this deadlock by proposing that the legislation will only apply to data
shared between European police forces and not to data held by national police
forces. However, in three years the commission will look again to decide
whether it ought to be applied nationally. [Source]
New Zealand’s privacy laws do not apply to information
stored and processed in overseas databases, Privacy Commissioner Marie Shroff
said recently. Shroff also highlighted during remarks before the Government
Information System Managers’ Forum that public sector agencies increasingly are
matching data -- a trend that she said few New Zealanders know about. [Source]
See also: [NZ Greens
call for inquiry, fresh laws on databases]
The Guardian reports on a patent filing by Google
revealing how the company could compile psychological profiles of millions of
web users by covertly monitoring the way they play online games: The company
thinks it can glean information about an individual’s preferences and
personality type by tracking their online behaviour, which could then be sold
to advertisers. Details such as whether a person is more likely to be
aggressive, hostile or dishonest could be obtained and stored for future use,
it says. The patent says: “User dialogue (eg from role playing games,
simulation games, etc) may be used to characterise the user (eg literate,
profane, blunt or polite, quiet etc). Also, user play may be used to
characterise the user (eg cautious, risk-taker, aggressive,
non-confrontational, stealthy, honest, cooperative, uncooperative, etc).” The
information could be used to make adverts that appear inside the game more “relevant
to the user”, Google says. [Source] [A Look
at Google’s Plans to Stockpile Personal Data] [Michael
Zimmer blog] [Why
does Google remember information about searches?] [CBC’s “The
Current” ran an excellent piece on the Internet’s memory (available in podcast HERE)]
[Google’s
goal to organise your daily life]
Not wanting to be outdone by Google’s recent news
about profiling users based on their psychological profiles, reports have
emerged that Microsoft is developing new technologies to identify users based
on their browsing habits. The computing giant is developing software that could
accurately guess your name, age, gender and potentially even your location, by
analysing telltale patterns in your web browsing history. The software could
get its raw information from a number of sources, including a new type of “cookie”
program that records the pages visited. Alternatively, it could use your PC’s
own cache of web pages, or proxy servers could maintain records of sites
visited. So far it can only guess gender and age with any accuracy, but the
team say they expect to be able to “refine the profiles which contain bogus
demographic information”, and one day predict your occupation, level of
qualifications, and perhaps your location. [Source]
[Original MSFT White Paper]
[Microsoft
to Buy Online Ad Company aQuantive] See also: [Query Log Analysis: Social
and Technological Challenges] and [Microsoft
opens up its identity management e-wallet]
Faced with legal demands from state attorneys general,
MySpace.com said this week it will release data on registered sex offenders it
has identified and removed from the popular social networking Web site. The
company, citing federal privacy laws, initially rebuffed a demand from North
Carolina Attorney General Roy Cooper and colleagues in seven other states who
last week asked for data on how many registered sex offenders are using the
site and where they live. [Source] [Source]
See also: [Citing
privacy, MySpace won’t give names of sex offenders] See also: [Illinois
bill calls for Web data of sex offenders: One day after the MySpace agreed to
turn over to state attorneys general the names of 7,000 members who were
convicted sex offenders, the Illinois Legislature voted to add offenders’
identities on MySpace and other online networking sites to the state’s sex
offender registry. Source]
A new Web site devoted to exposing the identities of
witnesses cooperating with the government has emerged, posting their names and
mug shots, along with court documents detailing what they have agreed to do in
exchange for lenient sentences. Federal prosecutors are furious, and the
Justice Department has begun urging the federal courts to make fundamental
changes in public access to electronic court files by removing all plea
agreements from them — whether involving cooperating witnesses or not. [Source]
This week, Ancestry.com unveiled more than 90 million
U.S. war records from the first English settlement at Jamestown in 1607 through
the Vietnam War’s end in 1975. The site also has the names of 3.5 million U.S.
soldiers killed in action, including 2,000 who died in Iraq. [Source]
UK newspaper regulator the Press Complaints Commission
(PCC) has issued new guidelines on privacy and data protection for newspapers
conducting investigations which involve subterfuge. The new rules are a
reaction to the recent jailing of a News of the World reporter and a private
investigator. The PCC, which is the industry’s self-regulatory body and which
publishes a Code of Practice for newspapers and magazines, conducted an
investigation both of the News of the World and of the newspaper industry to
discover the industry’s practices in relation to subterfuge and newsgathering.
At the end of its investigation it made a number of recommendations. It has now
told newspapers that contracts for freelance or external contributors should
require that they obey both the Data Protection Act and the PCC’s Code in the
same way that staff contracts now do. [Source] [Report
& Guidelines]
The Department of Homeland Security announced that it
has received more than 12,000 comments on its draft implementation regulations
for the REAL ID Act, even though the comment process was marked with problems.
EPIC and 24 other experts in privacy and technology jointly submitted comments
warning the federal agency not to go forward with the REAL ID proposal. The
group urged DHS to recommend to Congress that REAL ID is unworkable and must be
repealed: “The REAL ID Act creates an illegal de facto national identification
system filled with threats to privacy, security and civil liberties that cannot
be solved, no matter what the implementation plan set out by the regulations,”
the group said. The group said that the ill-conceived plan would increase the
risk of and the damage caused by identity theft. Creating a national
identification database full of personal documents such as birth and citizenship
certificates, making that database accessible to thousands of people, while not
requiring adequate security and privacy safeguards, will necessarily make us
less secure as a nation and as individuals. REAL ID faces considerable
opposition by the public, the States and in Congress. More than 60
organizations and 200 blogs joined a campaign to file comments against REAL ID.
Washington and Montana passed legislation to opt-out of REAL ID completely.
Colorado, Georgia and Idaho will either delay or not spend any money on
implementation. Arkansas, Hawaii, Maine, Nevada, and North Dakota are calling
for the repeal of REAL ID. Legislation has been introduced in both houses of
Congress to repeal REAL ID. Last week, at a Senate Judiciary Committee hearing about
REAL ID, Chairman Patrick Leahy said, “The days of Congress rubber-stamping any
and every idea cooked up by this administration are over.”
[Comments of EPIC and 24 Experts in Privacy and Technology]
[Senate Judiciary Hearing, “Will REAL ID Actually Make Us Safer? An Examination of Privacy and Civil Liberties Concerns”]
[Department of Homeland Security’s Notice of Proposed Rulemaking on REAL ID]
[EPIC’s Page on National ID Cards and REAL ID Act]
[Stop REAL ID Campaign site]
See also: [States move warily on Real ID]
Some privacy advocates have long raised concerns about
the potential use of RFID to track individuals. But the list of potential
detractors is growing as some researchers and state lawmakers are opposing the
technology’s uses. Twenty-two states in the past year have introduced
legislation related to RFID technology. Legislation is pending before the
California state Senate that would prohibit the use of RFID in driver’s
licenses and in public schools. There is no federal RFID legislation, but Sens.
Byron Dorgan (D-N.D.) and John Cornyn (R-Texas) formed an RFID group nearly a
year ago. RFID supporters contend that concerns about RFID use are unfounded. [Source]
See also: Tracking Humans with RFID:
[Arcade gamers to pay with RFID wristbands]
[Single chip for Mastercard & Visa contactless payments]
[RFID skin patches to act as diagnostic sensors]
[Georgia Bureau of Investigation buys into VeriTrace]
[Texan county adopts electronic inmate tracking]
[RFID returns to the fitting room - in a 'magic mirror']
The National Institute of Standards and Technology has
released a suite of tools to help automate vulnerability management and
evaluate compliance with federal IT security requirements. The Security Content
Automation Protocol is an expansion of the National Vulnerability Database. It
is an automated checklist that uses a collection of recognized standards for
naming software flaws and configuration problems in specific products. It can
help test for the presence of vulnerabilities and rank them according to
severity of impact. The checklist files are mapped to NIST specifications for
compliance with the Federal Information Security Management Act, so that the
output can be used to document FISMA compliance. [Source] See also: [Survey:
Half Of Windows Vista Adoption Driven By Security: A new study shows that
IT managers are intrigued about Vista’s new on-board security, along with user
account control and an overall sense of better safeguards]
The face- and fingerprint-matching technology that has
been touted over the past decade as a sophisticated new way to stop terrorists
and illegal immigrants from entering the country through Mexico has one major
drawback: U.S. border inspectors almost never use it. In fact, the necessary
equipment is not even installed in vehicle lanes along the border. Government
officials told The Associated Press that checking more people would create too
big a backup at the border, where hours-long traffic jams are already common.
Holders of the cards come across the border tens of millions of times each
year. But on average, in only about 2% of those cases are the cardholders
screened with the biometric technology to verify their identities and check
law-enforcement records. [Source]
In papers filed in Washington, DC, EPIC, the ACLU, and
the National Security Archive urged a federal district court to require the
Justice Department to disclose documents about the NSA Domestic Surveillance
program. The motion follows the testimony
of former Deputy Attorney General James Comey before the Senate Judiciary
Committee that indicated that top officials at the Department of Justice
believed that the program was illegal. EPIC first sought documents regarding
the legal basis for the program just hours after the warrantless surveillance
program was first reported in the NY Times in December 2005. [papers] [EPIC vs. DOJ] See
also: FRONTLINE: Spying on the home front: video of full show is available: www.pbs.org/wgbh/pages/frontline/homefront/view/.
The Federal Communications Commission should conduct
further research and seek public comment before it adopts any rule requiring
computers and other Internet access devices to include location tracking
capabilities, CDT urged in comments filed May 17. The FCC has been considering
how to ensure that voice services using the Internet can call 911 and report
the user’s location in emergencies. CDT supports that goal, but notes to the
Commission that how it is achieved has major implications for privacy, security
and innovation.
[CDT Comments on Location in the VoIP and IP-Enabled Contexts]
[FCC Notice of Proposed Rulemaking]
See also: [“Who’s Watching You Now,” article on privacy and location information]
Plagued by regular breaches in the security of
personal data, federal agencies were ordered Tuesday to eliminate the
unnecessary collection and use of Social Security numbers by early 2009. That
order and several other new security measures against identity theft were
outlined in a memo to all department and agency heads from Clay Johnson III,
deputy director for management of the Office of Management and Budget. [Source]
The National Counterterrorism Center has produced the
following fact sheet about US terrorism watch lists and how they are managed: “The
Terrorist Identities Datamart Environment (TIDE) is the US Government’s (USG)
central repository of information on international terrorist identities. TIDE
supports the USG’s various terrorist screening systems or “watchlists” and the
US Intelligence Community’s overall counterterrorism mission. The Terrorist
Identities Group (TIG), located in NCTC’s Information Sharing & Knowledge
Development Directorate (ISKD), is responsible for building and maintaining
TIDE. The TIDE database includes, to the extent permitted by law, all
information the U.S. government possesses related to the identities of
individuals known or appropriately suspected to be or have been involved in
activities constituting, in preparation for, in aid of, or related to
terrorism, with the exception of purely domestic terrorism information.”
[Fact sheet on the Terrorist Identities Datamart Environment]
The U.S. Congress is poised
to create a set of massive new government databases that all employers must use
to investigate the immigration status of current and future employees or face
stiff penalties. The Employment Eligibility Verification System would be
established as part of a bill that senators began debating this week,
representing the most extensive rewrite of immigration and visa laws in a
generation. Because anyone who fails a database check would be out of a job, the
proposed database already has drawn comparisons with the “no-fly list” and is
being criticized by civil libertarians and business groups. As many as 7
million employers would be required to verify identity documents provided by
both existing employees and potential hires, the legislation says. The data,
including SSNs, would be provided to Homeland Security, on penalty of perjury,
and the government databases would provide a work authorization confirmation
within three business days. There is no privacy requirement that the federal
government delete the information after work authorization is given or denied.
Employers would be required to keep all the documentation in paper or
electronic form for seven years “and make it available for inspection by officers
of the Department of Homeland Security” and the Department of Labor. It would
also open up the IRS’ databases of confidential taxpayer information to
Homeland Security and its contractors. [Source] [Source] [Secure
Borders, Economic Opportunity and Immigration Reform Act]
The U.S. House passed legislation yesterday to combat
the criminal use of Internet spyware and scams aimed at stealing personal
information from computer users. The bill makes it a criminal offence, subject
to a prison term of up to five years, to access a computer without
authorization to further another federal criminal offence. Obtaining or
transmitting personal information with the intent of injuring or defrauding a
person or damaging a computer is punishable by up to two years in prison. [Source]
Other US Legislation in the news:
[Credit Freeze Bill Heads to Nebraska Governor’s Desk]
[New Credit Freeze Law Offers Consumers Tool To Prevent Identity Theft In Maryland]
[Ohio House OKs ID-theft weapon]
See also: [New U.S. State and Federal Privacy Bills Introduced, and Some New State Data Protection Laws Signed]
--------