Privacy News Highlights
01–14 February 2008
Contents:
US – Lockheed Wins FBI Biometrics Contract
EU – EC's Fingerprint Plan Draws Criticism
CA – Resolution on Enhanced Driver’s Licences from Canada’s Privacy Commissioners
CA – Canada’s Border Agency to Expand Surveillance Program to Buses, Trains, Ships
CA – RCMP Slammed for Storing Secret Files on Canadians
US – Security Matters for Online Shoppers: Survey
WW – Europe Still Top Source of Spam
WW – SSL Gmail Not as Safe as You Thought – Updated
EU – Protests in Bulgaria against Data Retention Directive
UK – Concerns Expressed Over Student Database, Tracking
US – Florida to Collect DNA from All Arrestees
CA – Federal Privacy Law Governs Doctors' Notes
US – New Hampshire Considers Stricter Health Record Rules
WW – Tech Giants Join OpenID, to Promote Open ‘User-Centric’ Identity Management
UK – Poll Shows Growing Opposition to ID Cards Over Data Fears
US – California Court Bars Unmasking of Web Critic
US – Identity Fraud $45.3 Bln In 2007, But Declining: Report
WW – Overhaul of Net Addresses Begins
CA – Canadian Copyright Reform Opposed by Business Coalition
EU – EU to Rule on Search Data Retention
WW – Kids Safer in Social Networks than Chat Rooms
US – Judge Rules Myspace May Violate Court Order
WW – Facebook Confronts Controversy Over Deletion Process
US – Insurer Uses Web Photos to Deny Healthcare Claim
NZ – Law Commission Completes First Stage of New Zealand Privacy Law Review
AU – Australian Privacy Commissioner Offers Breach Notice Guidelines
US – Civil Liberties Groups Sue DHS for Intrusive Searches of U.S. Travelers
US – FTC Announces COPPA Settlement With Imbee.com
US – Bush Orders Clampdown on Flights to US, EU Officials Furious
US – Encyclopedia of Privacy Earns Scholarly Honor
EU – Privacy Experts Warn of ‘Ambient Intelligence’ Risks
EU – Dutch RFID Public Transit Card Hacked
US – California Senate Passes Bill Outlawing RFID Skimming
KU – RFID in Play at Children’s Superstore
CA – GS1 Canada Launches Knowledge Center
UK – Heathrow Airport Launches RFID Baggage Tracking Pilot
CA – Canadian IT Pros See Few Security Best Practices
WW – Employees have “Too Much Access” to Information Resources, IT Pros Believe
WW – We Are the Security Problem: Deloitte Report
WW – Web Browsers Under Siege from Organised Crime: IBM Report
UK – Thousands of NHS Smartcards Missing
US – Police Go Live Monitoring D.C. Crime Cameras
UK – Survey: Scots Overwhelmingly Against Sound on CCTV, says ICO
US – Cellphone Directory Halted On Complaints
US – Wisconsin State Seeks Changes to Health Data Privacy Laws
US – States, Advocates React to Real ID Rules
US – DHS Annual Privacy Report Released
US – Bush Pushes House to OK Immunity for Telecoms in Eavesdropping Law
US – U.S. House Rejects Temporary Spy Law Extension
US – Privacy Laws Make Progress in California
US – Massachusetts Adopts Data Breach Law
CA – Ottawa Cabbies Plan Privacy Protest
CA – Alberta Court Upholds Site Access Drug Testing Decision
Lockheed Martin has been awarded a $1 billion contract to develop the FBI's controversial biometric criminal databank. The contract term is ten years. Once complete, the system, known as Next Generation Identification (NGI), will serve as an anti-crime repository for the biometric signatures of known criminals, known or suspected terrorists and foreign visitors; biometric data collected will include fingerprints, palm prints, iris scans and facial maps. NGI will be the world's largest such database, and the information will be available to the Department of Homeland Security, State Department, Department of Defense, as well as authorities in Canada, the UK and other countries. [Source] [FBI Touts, Critics Decry Biometric Database]
A decision by the European Commission to require all travelers entering the European Union to register their fingerprints at the border is drawing sharp criticism from privacy and civil liberties advocates who say the result will be a massive database of biometric info lacking proper protections. While critics charge the plan is thoughtless mimicry of the U.S. system, EU officials say the security measure is necessary because it is much harder to track individuals once inside the 27-member union. [Source] See also: [Fingerprinting at Heathrow Airport Provokes Outrage] See also: [Pilots want “screening passengers by observation” in Canada] [Edinburgh addicts fingerprinted/photographed at chemist] [Proposed shake up of EU security includes call for fingerprinting all visitors] [EU plans to require biometrics of all non-European visitors] [New EU fingerprint scheme fans privacy concerns] [Brussels to tighten EU external borders] [EU to announce fingerprinting for all visitors]
Plans to consider or implement enhanced driver’s licences (EDL) in several Canadian provinces have prompted federal, provincial and territorial privacy guardians to express their concerns about the privacy and security risks of the EDL program. Canadian information and privacy commissioners and ombudsmen have issued a joint resolution outlining the steps that will need to be taken to ensure the privacy and security of any Canadian’s personal information accessed as part of EDL programs. [Source] [Resolution] [Editorial: Tagging citizens electronically is out of place in a democracy] See also: [Code-broadcasting chips to be embedded in B.C. driver’s licenses]
Canada’s border agency wants to expand its surveillance of travellers entering the country, with plans to force buses, trains and cruise ships to provide advance electronic lists of passengers and their personal details. Since October 2002, the Canada Border Services Agency has collected advance information from airlines on arriving passengers. The mandatory reporting, enforced with $3,000 fines, now allows the agency to run computer checks on about 96% of all air travellers coming to Canada. A January report from the agency, however, outlines a plan to broaden surveillance to require the same advance electronic data that airlines must provide, covering 100% of passengers on all modes of travel. The report says a single, central authority is being created this year to manage the collection, monitoring and analysis of passenger information to spot potential terrorists and criminals. Some of the information is shared with U.S. agencies under agreement. In a 2006 report, the privacy commissioner warned that the border agency was sometimes sharing personal information with U.S. authorities orally, without written requests, violating government policy. [Source]
The RCMP has been squirrelling away far too much highly sensitive information about Canadians on secret databases, an audit by Canada's privacy commissioner has concluded. Commissioner Jennifer Stoddart, who released a report on her findings, said more than 60% of the files contained in a database of criminal intelligence information should not have been stored there. In addition, more than 50% of the files in a database about national security investigations were inappropriate. Both of the databanks are called "exempt databanks," meaning they are highly secretive and are supposed to contain only the most sensitive information. The RCMP can refuse to confirm or deny the existence of information in an exempt databank when someone asks to see it. But Stoddart said some people have become the subject of information contained in the banks simply by talking to the wrong person or being in the wrong place at the wrong time. Stoddart said the storing of the information in the databanks could have negative consequences. "For example, it could potentially affect someone trying to obtain an employment security clearance, or impede an individual's ability to cross the border." She said what is especially troubling is that Canadians can't get access to the information about themselves that is stored in the banks. The RCMP said it is working closely with Stoddart to improve the force's databanks over the next two years. [Source] [News Release] [Backgrounder: Examination of RCMP Exempt Data Banks - Section 36 of the Privacy Act] [Report: Examination of RCMP Exempt Data Banks - Section 36 of the Privacy Act]
A recent study by Gartner shows that the number and pace of security breaches is having a detrimental effect on consumers’ willingness to make online purchases. The study, entitled U.S. Consumer Secure Payment Preferences Create Opportunities for Nonbanks, reveals that even consumers who are visiting a merchant’s Web site are likely to execute the transaction by making a telephone call to provide payment information – particularly if the shopper has been affected by a data breach in the past. [Source]
According to security vendor Symantec, European spam networks have pumped out more unsolicited e-mail than those in the U.S. for the third month in a row. Symantec called this a “significant shift” in spam trends as, historically, compromised U.S. computers have been used to send spam, and many spammers have been U.S.-based. [CNET] See also: [Largest Can-Spam Penalty Levied by Feds]
One of the big stories at DefCon last year was a security researcher’s demonstration of wirelessly sniffing users’ session cookies while they accessed their e-mail accounts or conducted e-commerce transactions via wireless networks. The attack allowed a hacker access to the victim’s Gmail or Hotmail account without needing to decipher the user’s password. Now the security researcher who presented that info has found that even using SSL HTTPS to access your Gmail account -- which was touted at the time as a surefire way to protect Gmail users against such an attack -- is vulnerable to this hack. Robert Graham of Errata Security says he’s been able to grab session cookies even when users access their account in a presumably secure manner. [Source]
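The general mechanism behind a leak of this kind is cookie scoping rather than a weakness in TLS itself: a browser decides which cookies to attach to a request from each cookie's Domain, Path and Secure attributes, and a session cookie that was set without the Secure attribute goes out in the clear the moment the browser fetches any plain http:// URL inside that cookie's scope, whether from a typed address, a redirect or an embedded resource. HttpOnly does not help here; it only keeps script away from the cookie. The Python below is added here as an illustration and is not code from Errata Security's tools or from the article; it implements the RFC 6265 scoping rules for a constructed set of Set-Cookie headers on a hypothetical host mail.example.com (cookie names and values are made up) and reports which cookies a passive sniffer on the same network would see.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie headers for a hypothetical webmail host. The cookie
# names, values and hostnames are made up for this example; they are not
# captured from Gmail or any other real service.
SETTING_HOST = "mail.example.com"
SET_COOKIE_HEADERS = [
    # Session cookie scoped to the mail host but never marked Secure.
    "GX=s3ss10n-t0k3n; Domain=mail.example.com; Path=/mail; HttpOnly",
    # Account cookie that is correctly marked Secure.
    "SID=acc0unt-t0k3n; Domain=.example.com; Path=/; Secure; HttpOnly",
    # Host-only preference cookie (no Domain attribute), also unprotected.
    "PREF=en; Path=/",
]


def parse_set_cookie(header, setting_host=SETTING_HOST):
    """Parse one Set-Cookie header into a dict of name, value and scope attributes.

    A cookie without a Domain attribute is host-only: it is returned only to the
    exact host that set it. A Domain attribute widens it to that domain and all
    of its subdomains (a leading dot is ignored, as in RFC 6265).
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "domain": setting_host.lower(),
              "host_only": True, "path": "/", "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        val = val.strip()
        if key == "domain" and val:
            cookie["domain"] = val.lstrip(".").lower()
            cookie["host_only"] = False
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
        elif key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
    return cookie


def domain_matches(host, cookie):
    """RFC 6265 domain matching: exact host for host-only cookies, else suffix match."""
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])


def path_matches(request_path, cookie_path):
    """RFC 6265 path matching: identical, or cookie path is a prefix on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_sent_to(url, cookies):
    """Names of the cookies a browser would attach to a request for `url`.

    This is the decisive rule for sidejacking: the Secure attribute is the only
    thing that stops a cookie from being sent over plaintext http://, so an
    unflagged session cookie goes out in the clear as soon as the browser
    fetches any http:// URL inside the cookie's domain and path.
    """
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    path = u.path or "/"
    is_https = u.scheme == "https"
    return [c["name"] for c in cookies
            if domain_matches(host, c)
            and path_matches(path, c["path"])
            and (is_https or not c["secure"])]


def plaintext_leaks(url, headers=SET_COOKIE_HEADERS):
    """Cookies exposed to a passive sniffer if the browser ever fetches `url` over http."""
    if urlsplit(url).scheme != "http":
        raise ValueError("pass an http:// URL; only plaintext requests can leak cookies")
    return cookies_sent_to(url, [parse_set_cookie(h) for h in headers])


def missing_secure_flag(headers=SET_COOKIE_HEADERS):
    """Audit check: cookie names that should be reissued with the Secure attribute."""
    return [c["name"] for c in map(parse_set_cookie, headers) if not c["secure"]]


if __name__ == "__main__":
    # The user logged in over https, but one http:// fetch of the mail path
    # leaks GX and PREF; SID stays home because it is marked Secure.
    print("leaked over http :", plaintext_leaks("http://mail.example.com/mail/"))
    print("missing Secure   :", missing_secure_flag())
```

The audit step a practitioner wants is the last function: any session-bearing cookie that turns up in missing_secure_flag() should be reissued with Secure (and HttpOnly), and the host should not serve anything over plain http at all, because the cookie is lost on the first plaintext request regardless of what the server answers.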
In January, protesters gathered in Sofia to rally against Bulgaria’s adoption of the European data-retention directive. Under the directive, ISPs and telecom companies would be required to collect traffic data on their clients. Data collected for telephone calls would include the time the call was made, the number called and, for cellphones, data on the geographical position of the caller. In the case of ISPs, the data would include when and to what email addresses email has been sent, instant message contact names and times and dates they have been contacted, websites visited, and so on. According to protesters, the data retention directive expands the rights of police surveillance and violates many of the instruments that guarantee human rights in Europe, including the Data Protection Directive and the European Convention on Human Rights, as well as article 34 of the Bulgarian constitution. [Source]
A controversial government plan to establish a database tracking students from age 14 through university is prompting outcry from student groups and civil libertarians, among others. The system would create a permanent record of student performance, including exam scores, which would be available to employers, trainers and other schools. The National Union of Students claims the plan will lead to a national ID, while others fear the database may include information that could create bias against some individuals. Of the plan the University and College Union said, "The government's track record of dealing with complex ID systems is far from impressive. We have all done things at school that we are not proud of, but we do not expect them to hold us back permanently in life and nor should they." [Source] [UK Student Records to Sit in Accessible Database]
Daytona Beach Police made headlines this week for taking DNA samples from “persons of interest” during traffic stops, and plan to start taking DNA samples from anyone arrested in the very near future. This extreme policy was ostensibly enacted to catch an elusive serial killer. (Incidentally, a similar DNA dragnet in Truro, Mass. in 2005 yielded nothing.) [Source]
In a decision of critical importance to the insurance bar, the Federal Court of Appeal has ruled in Wyndowe v. Rousseau that an insured person has the right to access the handwritten notes of a doctor — which are taken during the independent medical examination of an insured person performed in Ontario by the doctor at the request of an insurance company — to the extent that these notes constitute "personal information" under federal privacy legislation. "[The plaintiff] has a right of access to the information he gave the doctor, and to the final opinion of the doctor in the form of the report to the insurer," the Court wrote. "In accordance with [the legislation], this enables [the plaintiff] to correct any mistakes in the information he gave the doctor or which the doctor notes, as well as any mistakes in the doctor's reasoned final opinion about his medical condition. But the process of getting to that final opinion from the initial personal information of [the plaintiff] belongs to the doctor." [Source] [Ruling]
The New Hampshire State Legislature is considering a bill that would impose stricter limits on the use and security of healthcare data. House Bill 1587 addresses security issues related to the migration of health records from paper to electronic format. The bill's co-sponsor says it gives patients more control over their healthcare data. "We are changing from an age of paper records to an age of electronic records, and that has huge implications for privacy," he said, adding that he believes making healthcare data available electronically "exacerbates the privacy issues that already exist." [Source] See also: [Abstract: Public Health Surveillance in the Twenty-First Century: Achieving Population Health Goals While Protecting Individuals’ Privacy] See also: [Australia: Outrage over psychiatric patient's files mix-up]
Google, Microsoft, IBM, Yahoo and VeriSign report that they have reached an agreement to support the OpenID specification, which allows individuals to create one user name, password and other credentials for logging on to multiple Web sites that support it. [Source] [OpenID: http://openid.net]
The number of people strongly opposed to the introduction of a national identity card scheme has risen sharply, according to the results of an ICM poll. Those campaigning against ID cards said that the poll, with results showing that 25% of the public are deeply opposed to the idea, raises the prospect that the potential number of those likely to refuse to register for the card has risen. If the poll’s findings were reflected in the wider population, as many as 10 million people may be expected to refuse to comply. The ICM survey also shows that a majority of the British people say they are “uncomfortable” with the idea that personal data provided to the government for one purpose should be shared between all Whitehall-run public services. The poll shows that British public opinion is deeply split over the introduction of identity cards, with 50% against the idea and 47% in favour. [Source] See also: [UK has lessons to learn from Hong Kong on ID cards] and [Wales said no to ID cards] and [UK - No2ID: An interesting look into a successful campaign] and also: [UK Consumers warned on government data loss compensation packs]
A California appeals court on Wednesday said an anonymous Internet poster does not have to reveal his identity after being sued for making “scathing verbal attacks” against executives at a Florida company on a Yahoo message board. The Sixth Appellate District in Santa Clara County reversed a trial court ruling that would have allowed a former executive at SFBC International to subpoena Yahoo for the names of her critics. [CNET]
Identity theft remains a major problem, with Americans losing $45.3 billion in 2007, but a drop in fraud cases suggests that more consumers and businesses are winning the battle against criminals, a new report shows. Losses declined 11% from about $51 billion in 2006, according to the fourth annual study by Javelin Strategy & Research. The average loss fell 6% to $5,574 from $5,920. The study also said that as banks and retailers beef up their in-store and online security systems, fraudsters are resorting more to the phone and the mail to prowl for victims. [Source]
The first big steps on the road to overhauling the net’s core addressing system have been taken. This past week the master address books for the net were updated to include records prepared in a new format known as IP version 6. [BBC]
A who's who of powerful companies and business associations have banded together to push for less restrictive Canadian copyright reform. The Business Coalition for Balanced Copyright, a group that includes Google, Yahoo, Rogers, Telus, the Canadian Alliance of Broadcasters and the Retail Council of Canada, among others, on Tuesday sent its stance on seven key copyright principles to Industry Minister Jim Prentice, Canadian Heritage Minister Josée Verner and several other cabinet ministers. [CBC]
Stating that search engine operators are keeping data too long, Peter Schaar, Germany’s Data Protection Commissioner and chairman of the EU’s Article 29 privacy working party, told the Financial Times that new guidelines will be issued at the working party’s next meeting, scheduled for February 18. In anticipation of the move, Google, Yahoo and Microsoft reduced their data retention periods to 18 months, 13 months and 18 months respectively, but it is still likely that the working party will impose tighter restrictions. Said Schaar, “I cannot imagine that it is necessary to store data such as IP addresses for security reasons. What is the security threat? Security purposes don’t justify the long-term storage of this data.” [Source]
Social networking websites such as MySpace and Facebook are safer places for children to chat than other types of sites, according to a new survey. The survey, conducted by Internet Solutions for Kids in California and the University of New Hampshire, involved 1,588 children between the ages of 10 and 15 years old. It found 28% had been harassed via a social networking site, compared to 33% for the Internet as a whole. [News.com.au] See also: [The Coming Ad Revolution: Esther Dyson opinion]
In one of the first rulings of its kind, a Staten Island judge has said that a teenage girl could be charged with violating a restraining order by using MySpace.com to reach out to people she was told not to contact. [CNET]
Trying to dodge a new controversy, Facebook has promised to simplify procedures for deleting personal information from the social networking site, on the same day news reports spread that the world's richest man had stopped using his account. Microsoft billionaire Bill Gates doesn't go to his Facebook account anymore "because he's just inundated by thousands of 'friend' requests every day," Microsoft said. [SiliconValley.com] [Facebook takes another step to free users who want out]
According to Insurance & Technology, New Jersey health insurance provider Horizon Blue Cross Blue Shield has denied a medical claim filed by a family whose 15-year-old daughter suffers from an eating disorder because, according to the company, photos the girl posted to social networking sites suggest that her problem is psychological in nature and not biological, and therefore does not fall under the policy's provisions. The case raises issues about the nature and appropriate use of publicly accessible information in today's increasingly Web-facing culture. [Source]
The New Zealand Law Commission has released a “study paper”, which outlines a range of privacy-related legal issues. The paper does not make recommendations, but looks at definitions of privacy, tensions between privacy and freedom of information and the effect of new surveillance and computer technologies. Included are sections on the increasing surveillance of public places, data matching between government departments and data mining of databases to extract commercially useful information on individuals. Commission president Sir Geoffrey Palmer said the paper set the scene for further work on the subject, including a report on privacy and public registers, a review of criminal law relating to privacy and a review of the Privacy Act. [Source] [Review of Privacy Project] [Review of Privacy] [Privacy Concepts and Issues] See also: [100,000 New Zealanders Victims of Electronic Identity Theft: Report]
In advance of a potential update to the country's privacy law, Australia's Office of the Privacy Commissioner this week announced guidelines for conditions requiring organizations to notify consumers in the event of a data breach. Public pressure for new law requiring data breach disclosure and notice has been mounting of late in Australia. Privacy Commissioner Karen Curtis in December proposed changes to existing law that are under review by the Australian Law Reform Commission. [Source]
The Asian Law Caucus (ALC) and Electronic Frontier Foundation (EFF) filed suit last week against the U.S. Department of Homeland Security (DHS) for denying access to public records on the questioning and searches of travelers at U.S. borders. Filed under the Freedom of Information Act, the suit responds to growing complaints by U.S. citizens and immigrants of excessive or repeated screenings by U.S. Customs and Border Protection agents. The suit was triggered by California residents last year who said they were grilled about their families, religious practices, volunteer activities, political beliefs, or associations when returning to the U.S. from travels abroad. In addition, customs agents examined travelers’ books, business cards collected from friends and colleagues, handwritten notes, personal photos, laptop computer files, and cell phone directories, and sometimes made copies of this information. When individuals complained, they were told, “This is the border, and you have no rights.” ALC and EFF asked DHS to disclose its policies on questioning travelers on First Amendment-protected activities, photocopying individuals’ personal papers, and searching laptop computers and other electronic devices. The agency failed to meet the 20-day time limit that Congress has set for responding to public information requests, prompting the lawsuit. “The public has the right to know what the government’s standards are for border searches,” said EFF Staff Attorney Marcia Hofmann. “Laptops, phones, and other gadgets include vast amounts of personal information. When will agents read your email? When do they copy data, where is it stored, and for how long? How will this information follow you throughout your life? The secrecy surrounding border search policies means that DHS has no accountability to America’s travelers.” [Source] [Copy of the complaint] See also: [Clarity Sought on Electronics Searches] and [5 things you need to know about laptop searches at U.S. borders]
Last week the FTC announced it had reached a settlement with Industrious Kid Inc. for violations of the Children’s Online Privacy Protection Act (COPPA). Industrious Kid operates imbee.com, a social networking site designed for children between the ages of 8 and 14. The FTC charged that imbee.com collected information from children under the age of 13 without first obtaining parental consent. As part of the settlement Industrious Kid will pay a $130,000 civil penalty and delete all information collected in violation of COPPA. [Source]
The US administration is pressing the 27 governments of the European Union to sign up for a range of new security measures for transatlantic travel, including allowing armed guards on all flights from Europe to America by US airlines. The demand to put armed air marshals on to the flights is part of a travel clampdown by the Bush administration that officials in Brussels described as “blackmail” and “troublesome”, and could see west Europeans and Britons required to have US visas if their governments balk at Washington’s requirements. According to a US document being circulated for signature in European capitals, EU states would also need to supply personal data on all air passengers overflying but not landing in the US in order to gain or retain visa-free travel to America, senior EU officials said. And within months the US department of homeland security is to impose a new permit system for Europeans flying to the US, compelling all travellers to apply online for permission to enter the country before booking or buying a ticket, a procedure that will take several days. The data from the US’s new electronic transport authorization system is to be combined with extensive personal passenger details already being provided by EU countries to the US for the “profiling” of potential terrorists and assessment of other security risks. Washington is also asking European airlines to provide personal data on non-travellers - for example family members - who are allowed beyond departure barriers to help elderly, young or ill passengers to board aircraft flying to America, a demand the airlines reject as “absurd”. Seven demands tabled by Washington are contained in a 10-page “memorandum of understanding” (MOU) that the US authorities are negotiating or planning to negotiate with all EU governments, according to ministers and diplomats from EU member states and senior officials in Brussels. [Source]
The Encyclopedia of Privacy - which was edited by a Kansas University professor and included a Lawrence attorney on its editorial advisory board - was included among the best scholarly publications of 2007 by Choice magazine. The two-volume encyclopedia was edited by William Staples, a professor and chairman of KU’s sociology department. Serving on the encyclopedia’s three-member advisory board was David J. Brown, managing attorney for The Law Offices of David J. Brown LC, Lawrence. Choice magazine’s January issue included the encyclopedia on a list of Outstanding Academic Titles, reflecting the best in scholarly titles reviewed by Choice. The list includes about 10 percent of the 7,000 titles reviewed by the magazine each year. [Source] [The Encyclopedia of Privacy - Greenwood Press]
A group of European technology researchers and academics has warned industry and policy makers of the privacy and security risks posed by gathering and using so-called “ambient intelligence” - data gathered from ubiquitous technology. A book published last week, Safeguards in a World of Ambient Intelligence, claims both customers and citizens could be alienated if information collected by embedded devices, such as RFID tags, as well as surveillance technologies, biometrics and communications devices, is not properly controlled. “If companies are not careful with the technologies they install or the security measures they employ, once it becomes known that their systems, technologies or services are impacting [on] privacy or have led to a data breach, the company could suffer damage [to its reputation].” Following a number of recent reports of data breaches affecting both public and private-sector organisations, companies should look on the implementation of privacy-enhancing technologies as an investment or insurance against the costs of a security incident, the researchers claimed. [Source]
The Dutch RFID public transit card, which has already cost the government $2B -- no, that's not a typo -- has been hacked even before it has been deployed. By some students. Security expert Bruce Schneier opines that the system was designed by people who don't understand security, and therefore thought it was easy. [Source] [Source]
The California State Senate took action to outlaw “skimming,” the surreptitious reading of personal information stored on RFID-enabled ID cards, State Senator Joe Simitian announced. “The problem is real,” Simitian said. In a controlled experiment, “the card I use to access the State Capitol was skimmed and cloned by a hacker in a split second. Minutes later, using that clone of my card, he was able to walk right into the Capitol through a ‘secure’ and locked entrance.” By a vote of 36 to 3, the Senate passed Simitian’s Senate Bill, SB 31, which now moves to the Assembly. The bill would make it a crime to surreptitiously read information stored on RFID tags. The bill makes exceptions for inadvertent scanning and also permits various emergency medical services and law enforcement agencies to scan without a bearer’s permission to identify or assist an unresponsive person, or to solve a crime, as long as a search warrant has been issued. “If you’ve been mugged, or even had your pocket picked, you know you’ve been a victim. You can take steps to protect yourself against identity theft,’’ said Simitian. “But if your personal information has been ‘skimmed’ without your knowledge or consent, you’re completely vulnerable.” [Source] See also: [
A Kuwait-based company, MS Retail, has deployed an RFID-based tracking system enabling parents to monitor their kids in a secure playground while they shop in peace. Store workers provide childcare services, and parents can monitor their kids from five terminals around the store. Children are assigned a wristband upon entrance, in the form of a plush toy lion containing an ultra-wideband (UWB) battery-powered RFID tag. The wristband transmits short 6-to-8 GHz signals encoded with that child’s ID, to be picked up by playground interrogators. The ID and transmission strength are forwarded to a back-end system, which calculates the child’s location. Parents can stop at the store’s information kiosks, where they can input their child’s ID number to view his or her location on a map and access a digital camera view of the child at play. Baroue’s playground and child-tracking system seems to be a hit with parents and offspring alike, exceeding the system’s capacity, which is limited to the number of wristbands (currently 200) that MS Retail has deployed. [Source]
GS1 Canada has launched a new education initiative, the GS1 Knowledge Center, to educate Canadian businesses—particularly small and medium-size enterprises (SMEs)—about how they can become more competitive by employing technology based on GS1 and Electronic Product Code (EPC) standards that focus on radio frequency identification. The program includes both on-demand online modules and classroom workshops. The courses are offered with the financial support of the Ontario government and are free to all Canadian companies. The classroom workshops, which will take place through the end of February at GS1 Canada’s headquarters in Toronto, began with a special seminar on EPC RFID at RFID Journal LIVE! Canada 2007, in November. “The focus is on productivity and competitiveness as it relates to supply chain processes,” says EPCglobal Canada. [Source] [GS1 Knowledge Centre]
The BBC reports that a baggage-tracking pilot has kicked off at London's Heathrow airport. Working with Dubai-based airline Emirates and Motorola, the British Airports Authority (BAA) will devote £150,000 to the six-month trial, in which as many as 50,000 bags per month could be tracked. [Source]
The Canadian Advanced Technology Alliance (CATAAlliance) has identified a lack of IT security best practices as one of the top challenges faced by IT security professionals, according to a new report. The need for best practices knowledge was identified by 16% of respondents as the top IT security challenge affecting organizations today. Coming in a close second was data protection, cited by 15% of respondents, and access management was the third-rated challenge, cited by 13% of those surveyed. Another finding indicated that IT security professionals believe their organizations don’t put enough emphasis on IT security challenges and, often, react only after the problem arrives on their doorstep. [Source]
Most IT professionals polled in a recent survey believe access rights are not well-managed in their organization, and 78% thought employees had too much access to information resources not pertinent to their job function. Two separate security surveys this week on network access control reach similar conclusions: Employees have immoderate access rights, and management should face up to the challenge of reining in out-of-control access without sacrificing productivity gains. Research firm Ponemon Institute released the results of its “2008 National Survey on Access Governance,” which polled 700 information technology practitioners from business and government on the topic of how organizations determine who should have access to information resources and the appropriate level of access. The study concluded “taken together, our findings indicate that the distributed nature of the organization has resulted in a breakdown in centralized policy management.” Ponemon’s study stated it was hard to pinpoint accountability for granting access and too frequently there was no review of what employees’ jobs require them to do over time. A separate survey of 2,000 remote workers and IT professionals worldwide showed employees are often left to their own devices -- and are enjoying it. The survey showed corporate computers are frequently used for shopping and social networking while the individual’s home computer, not under management of the IT department, is often used to access work files. Issues with remote workers are coming to the fore because “companies are becoming highly decentralized,” comments Tom Gillis, vice president of marketing in Cisco’s IronPort unit. “There’s a blurring line between business and personal use here.” [Source]
Human threats score much higher than those posed by technology, according to a new survey by consulting firm Deloitte of more than 100 technology, media and telecommunications companies worldwide. 75% of companies listed human error as the leading cause of security failures such as breakdowns and systems outages. 48% also cited operations and technology lapses as key causes of security failures. Problems resulting from third parties such as contractors and business partners, meanwhile, received 28% of the votes as a root cause of security failures. Misbehaving employees also figure prominently in IT fears: 91% of respondents say the risk of employee misconduct related to information systems worries them. To mitigate these security threats, Deloitte recommends that security goals be integrated into business strategies and plans. Measuring ROI on security efforts and providing thorough and ongoing security training to all levels of the organization are also key, Deloitte advises. Training can educate employees on how to deal with the latest security threats and can serve as a reminder to stay vigilant. [Source]
IBM has released the findings of the 2007 X-Force Security report, detailing a disturbing rise in the sophistication of attacks by criminals on Web browsers worldwide. According to IBM, by attacking the browsers of computer users, cybercriminals are now stealing the identities and controlling the computers of consumers at a rate never before seen on the Internet. The study finds that a complex and sophisticated criminal economy has developed to capitalise on Web vulnerabilities. Underground brokers are delivering tools to aid in obfuscation, or camouflaging attacks on browsers, so cybercriminals can avoid detection by security software. [Source] [IBM Report]
Thousands of NHS smartcards giving computer access to patient records have been lost or stolen, figures showed this week. A total of 4,147 smartcards have been reported lost or stolen - 1,240 since January 2007. The data was released by Connecting for Health, which is overseeing the Government’s NHS IT upgrade, after a request from Pulse magazine. NHS staff use the cards to access confidential patient records by keying in their own six-digit PIN code. [Source]
D.C. police are now watching live images from dozens of surveillance cameras posted in high-crime parts of the city, hoping to respond faster to shootings, robberies and other offenses and catch suspects before they get away. Since August 2006, the city has installed 73 cameras across the city, mostly on utility poles, at a cost of about $4 million. But until recently, officers were using them mainly as an investigative tool -- checking the recordings after crimes were committed in hopes of turning up leads and evidence. Police Chief Cathy L. Lanier said she thought the department wasn’t making the most of the technology and was missing opportunities to more quickly solve crimes -- or even stop them in progress. “I thought, ‘Why the heck aren’t we watching them?’” Lanier said. And so, for about 40 hours a week, a small team of officers in the department’s Joint Operations Command Center watches the live feeds from 10 to 15 of the cameras. They choose locations based on the latest crime trends. The District is following cities such as Baltimore, Chicago, New York and Philadelphia, where police have actively monitored live camera scenes for years. [Source] See also: [Montreal Second Cup owner forced to take down fake bathroom surveillance camera]
Almost three-quarters of people surveyed in Scotland have come out against CCTV cameras which record conversations, according to research by the Information Commissioner’s Office (ICO). Scots have shown an aversion to CCTV cameras which record sound similar to that of Londoners, according to the new ICO survey. A survey of a thousand Scots has shown 72% are against such technology. Similar research carried out last month in London and the South East showed seven out of ten people in those regions were against such technology being used. [Source]
Intelius Inc., a start-up that launched online directory assistance for cellphone numbers, has shut the service after complaints from consumers and Verizon Wireless. Intelius had 90 million numbers in its database, according to its website, and was selling them for $15 (U.S.) each to anyone who had a name and wanted a number. The company said in a statement that it has discontinued the directory service due to “consumer feedback.” Intelius still operates a reverse cellphone lookup, which reveals names for a given number. [Source]
Wisconsin may soon change its health data privacy rules to make it easier for organizations to share medical records, a central component of Gov. Jim Doyle’s plan to boost the use of health information technology in the state. Under a bill that’s expected to be introduced in the forthcoming session of the state Legislature, which is scheduled to adjourn by the end of March, all information other than that covered by the Health Insurance Portability and Accountability Act (HIPAA) could be shared without a patient’s consent. Kevin Hayden, secretary of the Wisconsin Department of Health and Family Services, reportedly told the recent annual membership meeting of the Wisconsin Health Information Exchange that legislation to enable this has already been approved by Gov. Doyle. The new disclosure rules, according to Wisconsin Technology News, would allow information such as name, address, name of mental health provider, diagnoses and medication, among others, to be shared without consent. Hayden’s office did not return calls seeking comment. [Source]
Critics have renewed their offensive on a federal law mandating changes to state-issued driver’s licenses after the US Department of Homeland Security issued final rules January 14 implementing the controversial measure. Security researchers and advocates of civil liberties and states’ rights lined up to attack the rules, which are required under the REAL ID Act of 2005. They direct states to add new features to driver’s licenses, check applicants’ citizenship status and verify the authenticity of documents provided during the application process. [ACLU: Funding for Invasive Real ID Cons States in Exchange for Their Privacy] [Montana’s Last Stand Against REAL ID] [Real ID worries domestic violence groups] [FAQ: How will Real ID affect you?] [Real ID: boon or boondoggle?] [Religious minorities face Real ID crackdown] [Real ID could mean real travel headaches] [Federal buildings become Real ID zones] [DHS official moots Real ID rules for buying cold medicine]
The U.S. Department of Homeland Security Privacy Office has issued its third Annual Report, covering July 2006 through July 2007. This report is the centerpiece of the Office’s transparency obligation and summarizes how DHS protects the privacy of personally identifiable information. According to Hugo Teufel, the Chief Privacy Officer, considerable work has been accomplished in conducting Privacy Threshold Analyses, Privacy Impact Assessments, and Privacy Act System of Records Notices. [Source] [2007 Annual Privacy Report] and [DHS' annual privacy report later than expected, again] See also: [GAO Report: Information Security: Although Progress Reported, Federal Agencies Need to Resolve Significant Deficiencies. GAO-08-496T, February 14, Highlights]
President Bush pressured the House to pass new rules for monitoring communications, saying "terrorists are planning new attacks on our country ... that will make Sept. 11 pale by comparison." Bush said he would not agree to giving the House more time to debate a measure the Senate passed Tuesday governing the government's ability to work with telecommunications companies to eavesdrop on phone calls and e-mails between suspected terrorists. [SiliconValley.com] [Bush Threatens to Veto Surveillance Bill that Don’t Protect Telecoms] See also: [Opinion: How to Buy the Senate Surveillance Votes] and [CDT Protest site: “Stop the Spying.com”]
The House of Representatives rejected a Democratic measure that would have extended an expiring spy law for three weeks, a vote that gave President George W. Bush a victory on the issue. By a vote of 191-229, the House rejected the temporary extension that Bush threatened to veto. The president instead backs a bill passed by the Senate on Tuesday that would shield telecommunication companies from potentially billions of dollars in civil damages and expand the government's powers to track suspected terrorists. House Democrats argued unsuccessfully that they needed the three weeks to review and possibly offer revisions to the White House-backed bill. [Source] [CDT Statement on Senate Passage of FISA Amendment Act, February 12, 2008]
Two new laws aiming to boost consumer privacy protections are progressing through the California legislature. SB 612 would allow cases of identity theft to be prosecuted in the victim’s home county rather than the county where the crime took place, making it easier for victims to press charges when not faced with the cost and time commitment required to travel. SB 364 would require that companies convey clear, concise information when notifying consumers of a breach, and would also require the state to establish a central database of breaches that would be available for public search. The bills, both authored by State Senator Joe Simitian, passed easily in the Senate and are now before the State Assembly. [Source] See also: [Medical Breach Disclosure Law Will Be Influential]
Massachusetts has joined the list of states that have adopted data breach notification laws. The law affects any person or commercial or public entity that handles the personal information of Bay State residents. According to the new law, Massachusetts defines personal information as a first and last name, or first initial and last name, in combination with one of the following: Social Security number, driver’s license or state-issued identification number, financial account or credit card number, or biometric identifier. Paper and electronic records are covered by the law, but information protected by 128-bit encryption may not constitute a breach if exposed without the encryption key. [Source] See also: [Interactive Map Tracks Progress Of Privacy Laws - data breach]
Capital cabbies planned a rolling protest to City Hall Tuesday morning as part of their fight against the city’s plan for in-taxi cameras. The union representing the city’s 1,500 drivers expects most will join the driving rally at 10 a.m. via Coventry Rd., winding their way through the city to municipal headquarters on Elgin St. Their message is that the city foisted the cameras on them without proper consultation, that they are too expensive and are an invasion of their privacy. [Source] See also: [Firefighters Say Cameras Invade Their Privacy] and [Employee privacy, Web 2.0 and other random musings of a management employment lawyer] and [Employers Must Use Caution When Monitoring Employees (Canada) ]
Last November, the Alberta Court of Queen’s Bench dismissed a judicial review application which sought to quash an arbitrator’s endorsement of a site-access testing policy brought in by an Alberta construction site owner. Petro Canada implemented a site access drug and alcohol testing rule at an Oil Sands construction site in 2004. It required Bantrel (the employer) to apply the policy to its employees who were already on site. The drug test to be conducted was not a “current impairment test,” but it gave employees two months’ notice so they could refrain from drug use and pass a test. Most or all of the employer’s available work was on the Petro Canada site, so employees who refused or failed the test were laid off with or without accommodation as appropriate. In March 2007, an arbitration board held the employer had implemented a reasonable work rule. The arbitrator reasoned that an employer that imposes a work rule based on a third-party requirement must still demonstrate that it is reasonable to enforce the third-party requirement. Despite this, she held that testing was reasonable in all the circumstances. Even though the employer was not testing for current impairment, she held that site access testing implemented on two months’ notice was a reasonable risk management tactic. [Source] [Reasons for Judgement]
--------