Privacy News Highlights

01–12 February 2009

 

Contents:

CA – New High-Tech B.C. Driver’s Licences Include Facial Recognition

US – California: DMV Proposal for Face-Detection Technology Irks Privacy Groups

US – Fingerprint Law Could be Erased for Oklahomans Obtaining a Driver’s License

WW – ISO/IEC Report Clarifies Issues Related to Biometric Identification

CA – Canadians Mourn Loss of Privacy Pioneer John Grace

CA – OPC Tables Audit Report on Privacy Management Framework

CA – Manitoba Ombudsman Fact Sheet on Enhanced ID Card

CA – Privacy Must be Part of Olympic Games, say Federal and B.C. Commissioners

CA – Ontario Privacy Commissioner Releases Federated PIA Tool

CA – Privacy Commissioner’s Office: Seven Finalist Youth Videos Announced

CA – Jury Awards B.C. Man $1.3M for Taxman’s Raid

UK – Thousands Join Email Privacy Plan

CA – Alberta Medical Association: Alberta Physicians Oppose Bill 52

US – Stimulus Bill Removes Medical-Record Privacy from Patient Control, Claims Group

CA – Minister Confirms $500M for Electronic Health Records

US – Experts Urge Overhaul of Health Privacy Rules

US – Vermont State Rx Drug Surveillance/Tracking May Pose Privacy Threat

US – New Hampshire: U.S. Supreme Court Asked to Consider State Rx Privacy Law

UK – Surveillance Needs Better Control, Warn Lords

UK – Spy Centre Will Secretly Track & Record Holiday Travels

UK – National Database to Record Spot Fines for Minor Offences

UK – British Losing Private Data at Alarming Rate

EU – EU Security Agency Draws ‘Privacy Baseline’ for ID Cards

EU – European Court Expands Image Privacy Rights

UK – ICO Helps Organisations Identify ‘Personal Data’

UK – 10-Point Personal Information Promise

EU – Privacy Professional Facing Criminal Charges

UK – All Data Breaches Must Be Made Public: Hustinx

EU – Germany: QSC Wins Court Case Against Data Retention Obligation

EU – Court of Justice Tosses Anti-Terror Challenge

US – Survey Shows ID Theft up 22%, 2008 Toll: 9.9 Million People, $48 billion

AU – Australian ISP Filtering Gathers Pace

WW – Myspace Cuts 90,000 Sex Offenders From Web Site

CA – Credit Histories Abused, Drivers Say

WW – Deloitte: Fewer Internal Breaches at Financial Institutions In ‘08

CA – CNA releases 4th Annual Freedom of Information Audit

US – Nationwide Campaign Under Way to Evaluate Government Records Online

US – “Show Us the Data” Project Launches

US – Congressional Reports Leaked Online

US – Center Releases Report On Genetic Town Hall Series

US – Bill allows DNA from Felony Arrestees

US – CDT Paper: Rethinking the Role of Consent in Protecting Health Information Privacy

CA – Alberta Doctors Can’t Give Patient Info to Foreign Parties

US – Group Says Privacy Protections Would Hinder Research

CA – Canadian Cancer Coalition Urges More Access to Electronic Records

AU – Canberra Stalls on E-Health Details

US – Heartland Data Breach: More than 100 Institutions Impacted

US – Hacker Broke Into FAA Computers

US – U.S. Consulate in Israel Auctions Sensitive Information

UK – Exclusive: ID Cards Are Here - But Police Can’t Read Them

CA – Have Passport? Then You Don’t Need ID Card

UK – Law Will Force ISPs to Pass File-Sharing Data to Record Labels

WW – Fresh Privacy Fears Over IE 8 Suggested Sites: Richard Clayton

CA – Lawful Access to Return to Canadian Legislative Agenda

US – Confidential LAPD Misconduct Files Mistakenly Posted On Internet

WW – Data Breach Led to Multi-Million Dollar ATM Heists

EU – Social Websites Sign EU Pact Vs. “Cyber-Bullying”

WW – Facebook Networking Site Cashes In On Friends

WW – Fake Social Network Profiles: a New Form of Identity Theft in 2009

HK – Privacy Vow Before Google Hits Hong Kong Streets

BG – CEZ Fined for Unnecessary Data Collection

US – Industry Giants to Weigh in on US Privacy Laws

US – Montana Data Collection on Students With Disabilities Sparks Privacy Concerns

US – Countrywide Settlement for CT

US – FTC Settles With Geeks.com

WW – Passport RFIDs Cloned Wholesale by $250 eBay Auction Spree

US – White-Hat Hacker to Show Way to Clone Passport Card Data

US – RFID Gives Dementia Patients Their Freedom

US – Security Problems Still Plague Retailers’ Wireless LANs: Survey

US – Data Losses Proving More Costly for Businesses

US – Obama Orders 60-day Cybersecurity Review

WW – Cellphone Recycler Says 99% of Phones Still Contain Personal Data

WW – Survey: 40% of Hard Drives Bought on Ebay Hold Personal, Corporate Data

WW – “Off Switch” Could Curb Privacy Concerns for New Ontario Driver’s Licence

US – Cambridge Rejects Surveillance Cameras

US – Georgia Mulls Ban on Covert GPS Trackers

WW – Where Are The Kids? Check Google’s Maps

WW – Google’s G1 Phone Makes It Easy to Track Surfing Habits

US – Congressman’s Twittering Raises Security Concerns

US – House Approves Whitelist of People Who Aren’t Terrorists

US – Draft Letter to DHS Secretary and Acting CPO on Privacy-Related Priorities

US – Virginia’s General Assembly Rejects REAL ID Provisions

 

 


Biometrics

 

CA – New High-Tech B.C. Driver’s Licences Include Facial Recognition

High-tech driver’s licences will soon make their debut in British Columbia to help prevent identity theft and fraud. Solicitor General John van Dongen said the new licences will be hard to forge or get under false names. Security features will include facial recognition technology that analyzes facial characteristics that do not change, such as the size and location of cheekbones and the distance between the eyes. “The use of facial recognition technology has been reviewed for privacy implications and has been found to meet the requirements of the Freedom of Information and Protection of Privacy Act.” B.C. is joining other provinces and 30 U.S. jurisdictions by introducing the licences, which will be issued starting March 2 to drivers who apply for a new, renewed or replacement card. [Source]

 

US – California: DMV Proposal for Face-Detection Technology Irks Privacy Groups

Officials at the California Department of Motor Vehicles are planning to spend tens of millions of dollars on new driver’s license technology. Privacy advocates say finances are the least of the plan’s problems. The proposed $63 million contract includes facial recognition software that would allow the DMV to quickly compare an applicant’s new photo against other photos in the agency’s database in an effort to deter identity theft. The system could eventually include as many as 25 million images of drivers statewide. Similar software is used in Oregon, New Mexico, Texas, Colorado and Georgia. California DMV officials say that by flagging applicants who already have a license under a different name, the software has led to a reduction in fraudulent licenses and identification cards by as much as 10% in those states. But the five-year contract, which is being fast-tracked and could be approved as early as next month, is drawing objections from privacy advocates who fear state and local authorities could use the biometric technology to monitor the movements of “innocent people” - for instance, spectators at a sporting event or an anti-war rally. “What this would allow law enforcement to do is scan a crowd of folks, check that image against the database and have their names and addresses,” said Valerie Smalls Navarro of the American Civil Liberties Union in Sacramento. The ACLU is fighting the proposal with a handful of other groups, including Consumers Union, the EFF and the Consumer Federation of California, which says the plan poses “massive threats” to personal privacy. [Source]

 

US – Fingerprint Law Could be Erased for Oklahomans Obtaining a Driver’s License

Fingerprints might not be required in the future for people seeking a driver’s license. The Senate Appropriations Subcommittee on Public Safety and Judiciary on Wednesday passed Senate Bill 289 by Sen. Randy Brogdon, R-Owasso. The measure now heads to the Senate Appropriations Committee. The measure, dubbed “The Religious Freedom and Privacy Protection Act of 2009,” would prevent the state from collecting, obtaining or retaining “any biometric data” in connection with motor vehicle registration or driver’s licenses. [Source]

 

WW – ISO/IEC Report Clarifies Issues Related to Biometric Identification

A new report from the ISO/IEC looks at how societal, cultural and ethical issues and other “soft” issues factor into the usage of biometric technology for security applications. Biometric technologies are currently required in many public and private sector applications worldwide to authenticate an individual’s identity, secure national borders and restrict access to secure sites including buildings and computer networks. ISO/IEC TR 24714-1 will help biometric-based system users, writers of system specifications and decision makers, in the context of cross-jurisdictional and societal considerations for commercial applications of biometrics. The technical report gives generic recommendations providing principles, guidelines and considerations for the design and implementation of biometric systems, including the following:

o        Jurisdictional issues related to privacy and protection of personal information

o        Health and safety issues

o        Conditions of the physical environment that may affect the operation, accessibility and usability of a biometric system

ISO/IEC TR 24714-1:2008 covers the following:

o        The capture and design of initial requirements, including legal frameworks

o        Development and deployment

o        Operations, including enrolment and subsequent usage

o        Interrelationships with other systems

o        Related data storage and security of data

o        Data updates and maintenance

o        Training and awareness

o        System evaluation and audit

o        Controlled system expiration.

ISO/IEC TR 24714-1:2008, Information technology – Biometrics – Jurisdictional and societal considerations for commercial applications – Part 1: General guidance, was developed by ISO/IEC JTC 1, Information technology, subcommittee SC 37, Biometrics. [Source]

 

Canada

 

CA – Canadians Mourn Loss of Privacy Pioneer John Grace

Canada’s first privacy and information commissioner, John Grace, is being remembered as a pioneer of privacy protection in Canada. Grace suffered a heart attack Thursday morning and passed away. He was 82. Grace, a former editor of the Ottawa Journal, became the country’s first privacy commissioner in 1983 and is credited with using geniality and tenacity to establish the office. He was subsequently appointed information commissioner in 1990 and retired in 1998. [Source] [Source] [Message from Jennifer Stoddart, Privacy Commissioner of Canada]

 

CA – OPC Tables Audit Report on Privacy Management Framework

The Privacy Commissioner of Canada has tabled in Parliament an Audit Report on Privacy Management Frameworks of Selected Federal Institutions. It is available on the OPC Web site. [Audit reveals privacy gaps at federal agencies] [Privacy Management Frameworks of Selected Federal Institutions (PDF version) ] [2009 February Report of the Auditor General of Canada - Managing Identity Information]

 

CA – Manitoba Ombudsman Fact Sheet on Enhanced ID Card

The Manitoba Ombudsman has released a fact sheet addressing the public’s privacy concerns with the new Enhanced Identification card. The fact sheet - titled ‘10 Points for Privacy Awareness’ – addresses potential privacy issues to consider for those choosing to apply for the voluntary card, touted as an affordable and convenient alternative to a passport for frequent travelers to the US. Gail Perry, Manager of Research and Education for the Manitoba Ombudsman, says the fact sheet outlines steps one should take to minimize the risk of that information being compromised. Provincial, national and international authorities will have the ability to access personal information on the card using sophisticated scanners that ‘read’ the card’s embedded data chip. [Source]

 

CA – Privacy Must be Part of Olympic Games, say Federal and B.C. Commissioners

The Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia say that security and law enforcement agencies have to find the right balance between security requirements and privacy for the 2010 Olympic Winter Games. Both Commissioners have long taken the position that the right to privacy should only be forfeited where there are no other, less privacy-invasive security measures that could achieve the same ends. Commissioner Stoddart says there is a need to consider the privacy impacts of the widespread and highly sophisticated surveillance systems in use during the Olympics, and especially the legacy of such security measures after the Games. Experience has shown that Olympic Games and other mega-events can leave a troubling legacy: large-scale security surveillance systems installed for such events often remain in place long after the event is over, she says. [Source]

 

CA – Ontario Privacy Commissioner Releases Federated PIA Tool

Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, is releasing a new assessment tool intended for use by companies that will be sharing their online identity management systems. Called the “Federated Privacy Impact Assessment,” or F-PIA, the tool is meant to ensure end-to-end privacy across all members of an association or federation. [Press Release] See also: [Video: Privacy By Design Challenge]

 

CA – Privacy Commissioner’s Office: Seven Finalist Youth Videos Announced

The office of the federal privacy commissioner has announced the seven finalist videos from its 2008 My Privacy & Me National Video Competition for young people. The videos cover a wide range of privacy topics and can easily be used as public service announcements. They communicate many different privacy messages and were shot in a variety of formats, from claymation to animation to staged skits. Most importantly, each video conveys the importance of personal privacy. [Watch videos] [Source]

 

CA – Jury Awards B.C. Man $1.3M for Taxman’s Raid

In a groundbreaking case, a B.C. Supreme Court jury has awarded a B.C. businessman $1.3 million in damages after finding a Canada Revenue Agency search violated his privacy. The jury also recommended the government agency apologize to Hal Neumann of Saanich, B.C., for the September 2005 search of his home by five CRA agents and two armed and uniformed police officers for documents he had already given the government. The jury found Neumann’s right to privacy, which CRA employees infringed, was worth $1 million. The jury also found the CRA employees were negligent and damaged Neumann by breaching his right to be free from unreasonable search and seizure under the Canadian Charter of Rights and Freedoms. They awarded him $150,000 for pain, injury, suffering and loss of enjoyment of life, $100,000 in aggravated damages and $50,000 for loss of income. [Source]

 

E-Mail

 

UK – Thousands Join Email Privacy Plan

When Jacqui Smith unveiled Home Office proposals to track the emails, telephone calls and text messages of every member of the public, she might have got more than she bargained for. Thousands of civil liberties campaigners are planning to flood the Home Secretary’s inbox by copying her in on every email they send on June 15. Martin Allan Gray, an account manager from Dulwich, south-east London, is spearheading the campaign. He said his intention is to send the message: “You want to see our emails? OK then, here they are then!” “This is an immense infringement of civil liberties, not to mention a major risk to our private data - but it won’t make us any safer.” The message calls on group members to copy every email they send and forward every one they receive to the Home Office on June 15. As well as the 6,790 campaign members poised to inundate the Home Office at the click of a button, Mr Allan Gray’s initiative has won the backing of Liberal Democrat MP Lynne Featherstone, Welsh Assembly member Peter Black and the Bishop of Buckinghamshire. [Source]

 

Electronic Records

 

CA – Alberta Medical Association: Alberta Physicians Oppose Bill 52

The Alberta Government should not proceed with proposed amendments to the Health Information Amendment Act, 2008 because the changes fail to “always respect the privacy and confidentiality of all Albertans - people who are our patients,” Alberta Medical Association (AMA) President-Elect Dr. Christopher J. (Chip) Doig told the all party Standing Committee on Health. According to Dr. Doig, the potential consequences of Bill 52 are serious. “If Bill 52 goes ahead in its current form, the AMA sees two very probable outcomes - and both are bad for patient care: 1. “If patients don’t believe we can protect their privacy and that we may be forced to share the information that they confide in us, they will stop telling us everything we need to know to make the right diagnosis and provide the right care, and 2. “If we as physicians are afraid that we will be forced to share that information, we may turn our backs on technology and return to paper records, or begin keeping hidden records or not recording everything we hear.” Bill 52 proposes changes that would - for the first time ever - include in the provincial electronic health record, or EHR, patient information that has traditionally been stored only in the doctor’s office. Furthermore, if Bill 52 proceeds, it would prevent Albertans from knowing who had looked at much of their personal health information, when and for what purpose. Bill 52 was tabled in the fall sitting of the Legislature and sent to the Standing Committee on Health for review. [Source] [Source] [AMA’s submission to the standing committee]

 

US – Stimulus Bill Removes Medical-Record Privacy from Patient Control, Claims Group

The Institute for Health Freedom (IHF) is warning the public that the economic stimulus bill mandates the federal government to plan for each American to use an electronic health record (EHR) by 2014 -- without opt-out or patient-consent provisions. “Congress needs to add opt-out and patient-consent provisions to ensure true patient privacy,” says Sue Blevins, IHF president. “The bottom line is that if you want to control the flow of your personal health information, your consent to share the information must be a prerequisite and you must have the right to withhold permission. And neither the current federal HIPAA privacy rule nor the economic stimulus bill guarantees Americans the right of consent.” [Source] [The American Recovery and Reinvestment Act of 2009 | Subtitle D - Privacy | Encryption requirements under the statute ]

 

CA – Minister Confirms $500M for Electronic Health Records

The federal government confirmed $500 million more in funding to support electronic health records, a move announced last month in its budget. It’s hoped that electronic health records will:

o        Reduce wait times by speeding the flow of information through the system.

o        Eliminate duplicate or unnecessary tests.

o        Reduce medication errors and remind health-care providers of necessary tests or vaccinations through automated alerts and reminders.

The $500-million funding announcement is in addition to $400 million that the federal government pledged to Canada Health Infoway in the 2007 budget, raising Ottawa’s commitment to $2.1 billion. [Source]

 

US – Experts Urge Overhaul of Health Privacy Rules

Current government rules do too little to protect the privacy of people’s personal health information and also hinder the use of health data in medical research, a panel of experts reported. A committee of the Institute of Medicine, which provides advice to U.S. policymakers, urged Congress to take an entirely new approach to protecting personal health data in research. Better data security is needed, with greater use of encryption and other security techniques, the panel said. Encryption should be required for laptops, flash drives and other devices containing such data, it said. [Source] [Lobbying War Ensues Over Digital Health Data]

 

US – Vermont State Rx Drug Surveillance/Tracking May Pose Privacy Threat

A new statewide, electronic prescription drug monitoring system could pose a threat to the privacy of medical records, the head of the ACLU of Vermont said. According to ACLU executive director Allen Gilbert, the new Vermont Prescription Drug Monitoring System, which requires pharmacies and other prescribers to report the distribution of controlled substances, could put the medical records of Vermonters at risk if the electronic system is compromised. Vermont, which joins 38 states nationally with similar legislation, has contracted its electronic record gathering out to an Alabama data company that works with other states with a similar reporting system. “We’ve had great concern about this rule,” Gilbert said Monday. “We all know that these electronic systems claim to be 100% secure but hackers can get into any system. And if that does happen the prescription drug record for anybody could be viewed.” [Source] See also: [Arizona - State-managed database tracking Rx drug use] and [Washington Bill would close loophole in pharmacist-patient privacy]

                                                                                         

US – New Hampshire: U.S. Supreme Court Asked to Consider State Rx Privacy Law

Two companies that collect, analyze and sell prescription information are asking the U.S. Supreme Court to step into their continuing fight against New Hampshire’s law making doctors’ prescription writing habits confidential. IMS Health Inc., of Norwalk, Conn.; and Verispan LLC, of Yardley, Pa., want the high court to prevent the law from being enforced, even though a federal appeals court ruled it was constitutional. In court papers filed last week, the companies want the justices to block enforcement of the law, at least until the court considers whether to hear their appeal. Paperwork from the appeals court is supposed to be issued on Monday that would allow the state to begin enforcing the confidentiality law. [Source]

 

EU Developments

 

UK – Surveillance Needs Better Control, Warn Lords

The fundamental relationship between Government and the people of the UK is at risk because of the increasing surveillance being carried out by the state and by private bodies, a House of Lords Committee has said. The Lords Constitution Committee has warned that better checks and balances are needed on the use of surveillance if the basis of open democracy is not to be eroded by incursions into citizens’ privacy. The Committee has published the results of an investigation into the amount and nature of surveillance in the UK. The Committee expressed concern about how widespread surveillance was and what a routine part of life it had become. The Committee said that Government should place state use of surveillance within the grasp of the courts, creating judicial oversight for the use of surveillance and compensation for victims of its misuse. It also said that the Government should reconsider whether local authorities should be allowed to conduct surveillance under the Regulation of Investigatory Powers Act (RIPA). It also recommended that the Government be forced to commission an independent PIA every time it proposes the collection of new data on citizens, and that it ask the Information Commissioner’s advice on laws which have privacy implications. “We regret that the Government have often failed to consult the Information Commissioner at an early stage of policy development with privacy implications,” says the report. The Committee also said that the public needed to be better informed about the extent and implications of surveillance. The Committee also recommended that a mandatory code of practice be created to guide private and public operators of CCTV systems. 
[Source] [The report] [Ubiquitous Surveillance: most significant changes in British society since 1945] [The Government is creating a surveillance state] [Home Office to be criticised for letting councils use terror powers to spy on bin crimes] [Lords want Big Brother state repealed] [Peers warn surveillance state is threat to freedom] [Lords: rise of CCTV is threat to freedom: World’s most pervasive surveillance undermines basic liberties, say peers] [Homeowners spied on by councils ‘should get compensation’] [Surveillance is ‘inescapable’ part of life in Britain] SEE ALSO: [Whitehall data-share plan extends ‘snooper Britain’] and also: [MPs confirm new Information Commissioner]

 

UK – Spy Centre Will Secretly Track & Record Holiday Travels

The government is building a secret database to track and hold the international travel records of all 60m Britons. The intelligence centre will store names, addresses, telephone numbers, seat reservations, travel itineraries and credit card details for all 250m passenger movements in and out of the UK each year. The computerised pattern of every individual’s travel history will be stored for up to 10 years, the Home Office admits. The government says the new database, to be housed in an industrial estate in Wythenshawe, near Manchester, is essential in the fight against crime, illegal immigration and terrorism. However, opposition MPs, privacy campaigners and some government officials fear it is a significant step towards a total surveillance society. Chris Grayling, shadow home secretary, said: “The government seems to be building databases to track more and more of our lives. “The justification is always about security or personal protection. But the truth is that we have a government that just can’t be trusted over these highly sensitive issues. We must not allow ourselves to become a Big Brother society.” [Source] [Government plans travel database - Similar schemes run in the US, Spain and Canada]

 

UK – National Database to Record Spot Fines for Minor Offences

Civil liberty campaigners hit out yesterday at plans for a national database to record spot fines for minor offences. The £10million system will store details of the hundreds of thousands of fixed-penalty notices handed out each year by police and community support officers. The £80 fines were originally meant as swift and simple punishments for relatively minor matters such as littering, public drunkenness or graffiti. But the fines are increasingly used for more serious crimes including shoplifting up to a value of £200 or possession of cannabis. Critics claim too many offences are being dealt with away from the public scrutiny of the courts. Opponents of the database say it will create ‘unofficial criminal records’ for people punished for very minor offences. Michael Parker, of civil liberty campaign group No2ID, said: ‘By forcing everyone onto a database, the police will be creating a series of permanent records containing details that should be left to fade away in time. ‘It goes against the very reason spot fines were introduced in the first place - to exercise summary minor punishment for very minor offences, without creating criminal records.’ [Source]

 

UK – British Losing Private Data at Alarming Rate

Information Commissioner Richard Thomas reported that personal information loss in the UK rose an alarming 36% in 2008 and that more than 100 breach incidents had been reported to the Information Commissioner’s Office in the last three months alone. Thomas described the situation as “unacceptable,” and said that his office has no authority to investigate breaches at private companies -- responsible for nearly a third of all known breaches last year -- without their permission. “I have strenuously argued that that is not acceptable. One would not expect a food inspector to have to get the restaurant’s consent before carrying out an inspection,” Thomas said. [Source]

                     

EU – EU Security Agency Draws ‘Privacy Baseline’ for ID Cards

Europe urgently needs to develop a strategy for protecting the privacy of data held through national ID card schemes, a European security agency warns. ENISA (the European Network and Information Security Agency) argues that the “vast disparity between privacy features in electronic ID cards across Europe” is creating a recipe for future trouble. Typical current applications for identity cards include their use for tax declarations and other e-government services, but more ambitious commercial applications are in the pipeline. Meanwhile Europe lacks a coordinated strategy on how to go about protecting personal data held on the cards. This is both an obstacle to interoperability and a potential problem in making ordinary punters comfortable with using the technology, ENISA warns. Disclosure of data held on ID cards creates a risk of fraud or other forms of misuse, but individual countries have been left to their own devices, resulting in a hodge-podge of different approaches. ENISA is seeking to establish a “privacy baseline” for European ID cards with a new position paper, published last week, that attempts to provide an overview of the roll-out of electronic ID cards across Europe as the first step in developing a trans-national strategy on the technology. “Privacy is an area where the member states’ approaches differ a lot and European eID will not take off unless we get this right,” said Andrea Pirotti, executive director of ENISA. “Europe needs to reflect on eID privacy and its role in the interoperability puzzle. The fundamental human right to privacy must be guaranteed for all European eID card holders. Therefore, ENISA will continue to work in this field in 2009”. Ten national electronic ID card schemes are already in use in various EU countries while 13 more are in development. Privacy-enhancing technologies exist, but these have been developed, implemented and tested only at a national level. 
The paper goes on to pick apart 11 potential risks to personal privacy resulting from the use of national electronic identity card schemes, as well as comparing eight potential risk mitigation approaches. Risks include a range of potential problems ranging from simply losing a card to skimming, location tracking and cryptographic attacks. Countermeasures include encryption, access control and biometrics. This analysis (made with reference to the technical specifications of national identity cards and the available privacy-enhancing features they offer), aims to provide a starting point for “identifying best practices and a source of reference for future choices to be made by European policy makers”, ENISA explains. [Source] [Paper] [European ID card data is not encrypted]

 

EU – European Court Expands Image Privacy Rights

The European Court of Human Rights has expanded the reach of privacy rights by ruling that a photographer breached someone’s privacy just by taking a photograph, even though that photograph was never published. Privacy law expert Rosemary Jay said that the ruling increased the reach of privacy law, but would not create a US-style image right, which is a commercial right rather than a privacy-related one. The case concerned a newborn baby, Anastasios Reklos, who was put into a sterile unit when born. His photograph was taken there as part of a commercial service operated by the hospital. His parents objected and asked for the negatives to be given to them. The hospital refused, and the Greek courts would not hear the case. The European Court of Human Rights (ECHR) has now ruled that the taking of the photograph without the baby’s parents’ permission was a violation of his right to privacy. The ruling is available only in French. “The Court reiterated that the concept of private life was a broad one which encompassed the right to identity,” said an ECHR press release about the ruling. “It stressed that a person’s image revealed his or her unique characteristics and constituted one of the chief attributes of his or her personality.” “The Court added that effective protection of the right to control one’s image presupposed, in the present circumstances, obtaining the consent of the person concerned when the picture was being taken and not just when it came to possible publication,” it said. The ECHR said that the taking of the photograph breached the child’s right to a private life as guaranteed by Article 8 of the European Convention on Human Rights, and that the Greek courts had failed to uphold that right. [Source]

 

UK – ICO Helps Organisations Identify ‘Personal Data’

The Information Commissioner’s Office has released a technical guide to help organisations comply with the Data Protection Act, reports OUT-LAW.com. The guide is designed to help data protection practitioners determine whether the information they hold is data and whether such data falls within the definition of personal data in circumstances where it is not obvious. [Source] [The Guidance]

 

UK – 10-Point Personal Information Promise

Several public-sector organisations and private companies have signed onto the Information Commissioner’s 10-point Personal Information Promise. But no one from central government has so far. The ICO released the 10-point Personal Information Promise on Data Privacy Day, earlier this week. Those who sign the pledge promise to “go further than just the letter of the law” in handling personal data, the report states. They also promise to minimize the amount of data they collect and retain and commit to staff information-handling training. Companies who have signed the pledge so far include: British Telecom, British Gas, Royal Mail, T-Mobile, Vodafone and three credit-reference agencies. [Source]

 

EU – Privacy Professional Facing Criminal Charges

Google’s global privacy counsel will appear in Italian court this week on criminal charges of defamation and failure to exercise control over personal data. The charges follow a two-year investigation by Italian authorities into footage uploaded onto Google Video that showed a disabled teen being disparaged by peers. Google’s Paris-based Global Privacy Counsel Peter Fleischer and three other executives charged in the case will appear before the Criminal Court of Milan on February 3. The charges carry a maximum sentence of 36 months. It is believed to be the first criminal sanction ever pursued against a privacy professional for his company’s actions. [Source] UPDATE: [Google privacy trial opens in Milan]

 

UK – All Data Breaches Must Be Made Public: Hustinx

The good news is that Europe’s lawmakers want to make it obligatory to disclose data breaches. The bad news is that the law will not apply to everyone. Those exemptions are in no-one’s interest, says European privacy tsar Peter Hustinx. [Source]

 

EU – Germany: QSC Wins Court Case Against Data Retention Obligation

German ISP QSC has been granted an exemption to the obligation to store usage data of its customers by the administrative court in Berlin. QSC is the second ISP to get a court-approved exemption (the first was BT Germany). The court’s reasoning was that requiring the ISP to store the data without any compensation puts a strain on QSC’s storage and violates Germany’s constitution. According to Telecompaper: “The last word with regards to the data retention law lies with Germany’s constitutional court, which will review the cases against BT and QSC as well as complaints from more than 34,000 citizens, individual MPs, political parties and trade unions.” [Source]

 

EU – Court of Justice Tosses Anti-Terror Challenge

The European Union Court of Justice on Tuesday dismissed as unfounded challenges by Ireland and Slovakia to an anti-terror law requiring that governments retain telephone and Internet data for a period of six months. The two countries felt the law, approved by a majority of EU member states in 2006, should have been part of EU law enforcement rules and not adopted as an economic rule. [Source]

 

Facts & Stats

 

US – Survey Shows ID Theft up 22%, 2008 Toll: 9.9 Million People, $48 billion

Identity theft rose by nearly 25% last year in the U.S. according to a new report. The 2009 Identity Fraud Survey Report by Javelin Strategy & Research shows that the number of identity fraud victims increased 22% to 9.9 million people, at a total cost of $48 billion. According to James Van Dyke, president and founder of Javelin, this is the first year since the report began in 2004 that the numbers have gone up. “The industry was surprised at the whopping size of identity theft when it was first studied in the early part of the millennium, but it was beaten back strongly. But now, with the tough economy, criminals have become more desperate, and identity theft has gone up for the first time since we began tracking it,” Van Dyke says. Even though the financial services industry has attacked identity theft and fraud, the bad news is that “Consumers are spending more time fixing identity fraud – an average of 30 hours per case,” Van Dyke says. “And institutions are losing customers because of it, because of ill will on the part of consumers.” [Source] [Study] [Source] [ID fraud up, but low-tech methods still prevalent] [Businesses detecting ID fraud faster, absorbing more costs] [Forbes: Why ID Theft Targets Women - Men’s greater use of online shopping and banking may actually protect them]

 

Filtering

 

AU – Australian ISP Filtering Gathers Pace

Australian ISPs have set their own timetables to fire the starter’s gun for live filtering trials. Since most ISPs need time to gather customers, both business and residential, and install equipment for the tests, their start dates will vary. Late yesterday, the federal Government revealed the first phase of its controversial live ISP filtering trial, naming six initial service providers -- Primus Telecommunications, TECH 2U, Webshield, OMNIconnect, Netforce and Highway 1. [Source]

 

WW – Myspace Cuts 90,000 Sex Offenders From Web Site

The online networking site MySpace has identified and barred some 90,000 registered sex offenders from using the site over the last two years, MySpace revealed to an investigative task force. The “shocking” number was 40,000 more than MySpace had previously acknowledged, according to Connecticut Attorney General Richard Blumenthal, a co-chairman of the task force of state attorneys general looking into sex offenders’ use of social networking. MySpace, owned by News Corp.’s Fox Interactive Media digital division, disclosed the figures to the task force in response to a subpoena. Mr. Blumenthal’s office said it was awaiting a response to a similar subpoena issued to Facebook, another popular social networking site that his office said also might host “substantial numbers of convicted offenders.” Facebook’s Chief Privacy Officer Chris Kelly said in a statement it was working with Mr. Blumenthal’s office but said the site had “not yet had to handle a case of a registered sex offender meeting a minor through Facebook.” [Source]

 

Finance

 

CA – Credit Histories Abused, Drivers Say

An association of Ontario insurance brokers has called for an investigation into whether auto insurers are discriminating against drivers with poor credit scores – a practice that is illegal in the province. Randy Carroll, chief executive of the Insurance Brokers Association of Ontario, said consumers have complained to the association that their credit reports have been checked after they requested a price for auto insurance. “Current regulation prohibits insurers from using credit information to rate and/or underwrite automobile insurance products in the province of Ontario.” Ontario in 2001 turned down the first auto insurer to ask for permission to use a policyholder’s credit history, bankruptcy status, employment stability and other factors in its risk classification system. The province set out general guidelines and followed up later in 2005 by passing Regulation 664 to ban the use of credit history, credit rating, employment history, indebtedness and other factors in setting rates for auto insurance. Some Ontario insurers have, however, used credit scores to qualify policyholders for discounts or surcharges related to home insurance, given that the province does not regulate the pricing of home insurance. But privacy legislation would require the insurer in such cases to obtain consent, to clearly notify consumers of the intended use of credit score information and to not make the consent a condition of obtaining a price quotation. [Source] [Stop screening for credit, income, auto insurers warned]

 

WW – Deloitte: Fewer Internal Breaches at Financial Institutions In ‘08

First, the good news: Internal data breaches at North American financial institutions dropped to 27% in 2008, down from 44% in 2007. Now the bad news: They still have one of the highest rates of external breaches, while the economic crisis is taking its toll on security budgets and the profile of security is diminishing at the executive level, according to Deloitte’s annual security survey of financial institutions around the world. The wide-ranging report, taken in 2008, surveyed senior security officers at top global banks, financial institutions, and insurance companies from 32 different countries. Among the results, Deloitte also found a significant drop in the number of institutions with privacy compliance programs. In 2007 around 77% of financial institutions worldwide had a program in place for managing compliance, but only 48% had one last year. Such a big drop is of concern given that regulatory compliance is the No. 1 priority at these institutions, according to the report, followed by identity and access management and data leakage. The report cites a lack of resources as the top reason why security projects fail in these organizations, many of which consider people a major factor in their security posture. In fact, 86% of information systems failures are caused by human error, according to the report. Technology was the cause for 63% of these failures. [Source] [Deloitte Global Survey] [New Study Reveals Human Error is Greatest Security Flaw]

 

FOI

 

CA – CNA releases 4th Annual Freedom of Information Audit

Many Canadian police forces obstinately refuse to report on taser stun gun usage, despite an apology from RCMP Commissioner William Elliott last year for excessive secrecy, and mounting public controversy surrounding the deaths of taser victims. This is among the findings of a new audit by the Canadian Newspaper Association (CNA) of freedom of information regimes across Canada. The annual exercise tests how readily officials disclose information that should be publicly available on request. As in previous years, the CNA’s 2008 audit finds that officials across Canada are disturbingly inconsistent in their compliance with laws that underwrite the public’s right to know. “Information freely available from some government agencies was denied by others. And when it wasn’t denied, prohibitive fee estimates often took it out of the reach of all but the wealthiest requesters.” The audit grades institutions based on the speed and completeness of disclosure. Grades range widely from an A- for the City of Saskatoon and Province of Saskatchewan, to outright failures in Moncton, Saint John and Quebec City. The CBC, with a D, received the worst grade of any of the federal institutions tested. [Source]

 

US – Nationwide Campaign Under Way to Evaluate Government Records Online

In preparation for Sunshine Week, March 15-21, a national government transparency project is under way to evaluate public records available on federal, state and local government Web sites. The surveys are being coordinated by Sunshine Week, the American Society of Newspaper Editors’ Freedom of Information Committee, the National Freedom of Information Coalition and the Society of Professional Journalists FOI Committee. Sunshine Week is a non-partisan open government initiative led by ASNE, with print, online and broadcast media; public officials; civic groups and non-profit organizations; public and special libraries; educators and students; religious leaders; and others. It is primarily funded by a grant from the John S. and James L. Knight Foundation. “The survey comes at a time when President Obama -- as well as a growing number of state and local government leaders -- are urging greater Internet access to records,” added Alexander, former Washington bureau chief for Cox Newspapers, who will begin as ombudsman for The Washington Post in February. [Source] See also: [Opinion: Give information commissioner power to order release of information]

 

US – “Show Us the Data” Project Launches

CDT and OpenTheGovernment.org have launched “Show Us The Data: The Most Wanted Government Documents,” a project aimed at identifying vital government information and encouraging the federal government to make it easily accessible to the public. The project’s goal is to identify the documents and databases the public most wants access to through interactive voting and collaboration. A final report will be produced recommending documents and data that the federal government should make easier to find and use. [Show Us the Data Web Site, February 11, 2009] [Show Us the Data Press Release]

 

US – Congressional Reports Leaked Online

Open government groups scored a small but potentially decisive victory this week in a long-running battle to win publication of thousands of secret reports that Congress uses to fashion new laws. Each year, with the help of more than $100 million in funding from Congress, the Congressional Research Service (CRS) produces thousands of reports on legislative policy issues ranging from farm subsidies to weapons sales. While the reports are neither copyrighted nor classified, their release has been solely at the discretion of lawmakers. [Washington Post]

 

Genetics

 

US – Center Releases Report On Genetic Town Hall Series

The Center has released a summary report on a series of five town halls, part of its Public Consultation Project on Genes, Environment, and Health. In September 2006 the Genetics and Public Policy Center was awarded funding from the National Human Genome Research Institute of the National Institutes of Health (NIH) to study the American public’s attitudes toward a proposed large-cohort research study of genetic and environmental contributors to health. Specifically, NIH and other federal health agencies were interested in the possibility of collecting both genetic and non-genetic information on half a million volunteers who would be followed for a period of 10 or more years to study the links between genetic and environmental factors and common diseases. Prior to undertaking such an initiative, the agencies wanted to understand public attitudes about and willingness to participate in such a research project. The town halls were free, open to all, and publicly advertised. Each addressed three major questions:

1. Do you think the government should create a national biobank? Why or why not?

2. Would you participate in such a biobank? Why or why not?

3. What conditions need to be in place in order for the biobank to happen?

Most participants felt that the biobank should go forward, and more than half indicated they were likely to participate in it if asked. Among the issues participants weighed in on were privacy protections for participants and concerns about possible misuse of information collected, the nature of the proposed study’s consent agreement, and the ability to get individual research results back from the study. [Report - The Genetic Town Hall: Public Opinion About Research on Genes, Environment, and Health] [Overview - Making Every Voice Count: Public Consultation on Genetics, Environment, and Health] [Source]

 

US – Bill allows DNA from Felony Arrestees

Tens of thousands of Hoosiers never convicted of a crime could find their DNA in state and federal databases under a bill making its way through the Indiana Senate. The legislation is an attempt to take the next step with a scientific advance many consider to be the best crime-fighting tool in decades. But others wonder whether government is going too far and invading the privacy rights of citizens. “Why not just get everyone’s DNA when they are born?” asked Sen. Tim Lanane, D-Anderson. “There is still a presumption of innocence in our system.” The bill passed out of committee 7-2 last week and now must go to the Senate Appropriations Committee because of its price tag. [Source] [Legislature weighs cost, privacy to expand DNA database] See also: [Washington Bill would require police to take DNA from those arrested] [Vermont - DNA from suspects before conviction hits snag]

 

Health / Medical

 

US – CDT Paper: Rethinking the Role of Consent in Protecting Health Information Privacy

CDT has released a major policy paper intended to move the health privacy debate from its outdated focus on patient consent to a comprehensive framework that will provide more effective privacy protection. CDT is advocating for the inclusion of privacy protections in the President’s economic stimulus bill, which contains at least $20 billion for a national health information technology network. CDT’s paper argues that personal health information should easily flow for treatment, payment, and certain core administrative tasks without requiring patient consent, but that stricter limits need to be placed on marketing and other secondary uses. [Consent Paper Press Release, January 26, 2009] [CDT Consent Paper] See also: [GAO Report: Electronic Health Records: DOD’s and VA’s Sharing of Information Could Benefit from Improved Management. GAO-09-268, January 28] [Highlights]

 

CA – Alberta Doctors Can’t Give Patient Info to Foreign Parties

Doctors across Alberta are being warned they have no right to give patient information to foreign authorities. The caution came from provincial privacy officials after a Lethbridge man complained about a local physician handing over medical records requested by a Montana lawyer. “The doctor had no authority to directly respond to the subpoena,” concludes a spokesperson for Frank Work, the province’s information and privacy commissioner. Medical staff should consult a lawyer before taking any action on requests of that kind, he warns. The province’s Health Information Act was amended to prevent personal information from being divulged without express permission of the patient. Privacy laws were changed to ensure doctors or other medical staff “do not respond to foreign court orders without making sure they are valid in Alberta,” Work explains. Work’s office announced no penalty for the infraction, but named the Lethbridge doctor in its decision, posted online. Neither his patient nor the two Montana lawyers involved - one hired by the Lethbridge man, the other by another party - were identified. [Source]

 

US – Group Says Privacy Protections Would Hinder Research

The Association of Academic Health Centers is warning Congress about adding privacy protections to healthcare information technology legislation being considered as part of the proposed economic stimulus package. In a letter to House Ways and Means Committee Chairman Charles Rangel (D-N.Y.) and ranking member Dave Camp (R-Mich.), the association cautioned that “privacy requirements that do not take research into consideration will ultimately undermine the research enterprise and the country’s ability to compete globally in science.” [Source]

 

CA – Canadian Cancer Coalition Urges More Access to Electronic Records

Canadian cancer patients should be given access to their medical records via the Internet, according to a former oncologist and lead author of a report on cancer care in Canada. Opening electronic health records (EHRs) to patients will allow them to take control of their healthcare and clear the “logjam” caused by barriers to electronic record distribution, such as privacy concerns and incompatibility of different systems, said Dr. William Hryniuk, chair of the report card committee of the Cancer Advocacy Coalition of Canada (CACC), a national patient advocacy group. “From the perspective of the patient, she will be able to share this electronic health care record and cancer treatment with whomever and wherever she wants, and that will make a huge difference to her in terms of quality of care, safety, efficiency and so on,” Hryniuk said. The CACC released its annual checkup of oncology-related issues Tuesday. The recommendation for patient access to EHRs was included in a section on cancer care in smaller communities. The authors also recommended implementing a program that makes patient records available across regions, so that any health care professional treating a patient could access his or her records. [Source]

 

AU – Canberra Stalls on E-Health Details

Australia has an agreed national strategy for e-health adoption, but the Government is withholding details of the plan, which could save billions of dollars in costs resulting from medical errors. Costs for the National E-Health Strategy have not been released, nor has a rollout schedule. The strategy was developed at a cost of $1.3 million by consultancy Deloitte after extensive consultations with health stakeholders, and was endorsed by the Australian Health Ministers’ Conference in December. [Source]

 

Horror Stories

 

US – Heartland Data Breach: More than 100 Institutions Impacted

By the latest count, the number of institutions that have informed their card customers and members that they were hit as a result of the Heartland Payment Systems (HPY) data breach has swelled to 124. While Heartland and the credit card companies remain tight-lipped about the total number of institutions and card account numbers involved, Heartland has said that, at the time of the breach, it processed an average of 100 million transactions per month for more than 250,000 different retailers and merchants. The Independent Community Bankers of America (ICBA) conducted an informal survey of its members after the breach, asking if they had been contacted by Heartland. The survey elicited 512 responses from member banks, and 83% of them said they had either credit and/or debit cards affected by the Heartland breach. Only 13% of the banks said they didn’t know yet if their customers’ card accounts were compromised in the breach. [Source] SEE ALSO: [GAO Guidance: Information Security: Further Actions Needed to Address Risks to Bank Secrecy Act Data. GAO-09-195, January 30 | Highlights]

 

US – Hacker Broke Into FAA Computers

Hackers broke into the Federal Aviation Administration’s computer system last week, accessing the names and national identification numbers of 45,000 employees and retirees, a union leader says. FAA spokeswoman Laura Brown confirmed the agency’s computers were hacked last week. Union leaders were told hackers gained access to two files. One file had the names and SSNs of 45,000 employees and retirees on the FAA’s rolls as of February 2006. [Source] [Panel scolds FAA for data breach]

 

US – U.S. Consulate in Israel Auctions Sensitive Information

The U.S. consulate in Israel held an auction in December 2005 to get rid of old furniture and reportedly sold cabinets containing hundreds of files with SSNs of U.S. Marines and state department staff stationed in Israel. The files also included U.S. State Department bank account numbers and documents tracking the U.S. funding of local political movements, such as Shalom Achshav, Peace Now. Among the files was a dossier marked “Secret” detailing an encounter between a U.S. Marine and a young Israeli woman in a Jerusalem hotel bar. The woman who bought the filing cabinets, an American-Israeli, held on silently to her trove until last fall when an event involving her son’s Israeli army unit angered her and she approached reporters. The U.S. consulate asked for her to return the files, but she refused until the Israeli police intervened and threatened her with unspecified charges. [Source]

 

Identity Issues

 

UK – Exclusive: ID Cards Are Here - But Police Can’t Read Them

The first UK ID cards have already been issued - but no UK police officers or border guards have any way of reading the data stored on them. Currently no police stations, border entry points or job centres have readers for the card’s biometric chip, the Identity and Passport Service (IPS) revealed in response to an FoI (Freedom of Information) request by silicon.com about the £4.7bn identity cards scheme. The news comes in spite of the first ID cards being issued to foreign nationals in November last year, with the IPS expecting to issue 50,000 ID cards by April this year. The cards themselves carry biographical data, as well as facial and fingerprint scans. While some details about the holder, as well as their photo, are printed on the face of the card, the cardholder’s fingerprints can only be accessed by reading the chip. Cambridge University security expert Richard Clayton told silicon.com: “If this capability is not there then the biometrics are, in short, a waste of time. I would have thought that the government would have tried to get the readers rolled out as soon as possible as it is only when you get serious deployments that you start to learn what can go wrong.” No firm timetable has been given for the rollout of chip readers. According to Hillier, it will be up to each police force to decide when it is necessary to invest in the machines, while the technology will be rolled out to immigration officers over time. [Source]

 

CA – Have Passport? Then You Don’t Need ID Card

Manitoba’s Ombudsman weighed in today on privacy concerns regarding Manitoba’s new identity cards. Ombudsman Irene Hamilton said if Manitobans already have a passport they do not need to get the enhanced identity card. Hamilton said that would reduce any possibility of personal information being compromised — an issue that has dogged the cards as provinces and some U.S. states move to introduce them before continental travel restrictions take effect June 1. [Source] [Source] See also: [Real ID Act’s future in Oregon still uncertain: Legislature might address the standards to gain an extension] and [Maine - Push in Legislature to repeal Real ID requirements]

 

Intellectual Property

 

UK – Law Will Force ISPs to Pass File-Sharing Data to Record Labels

The UK Government will create legislation forcing internet service providers (ISPs) to gather information on customers engaged in illegal file-sharing, and forcing them to contact repeat offenders warning them that their behaviour is against the law. The proposal forms part of an interim report, Digital Britain. The proposed legislation stops short of forcing ISPs to directly disconnect suspected file-sharers. “Our response to the consultation on peer-to-peer file sharing sets out our intention to legislate, requiring ISPs to notify alleged infringers of rights (subject to reasonable levels of proof from rights-holders) that their conduct is unlawful,” said the report. “We also intend to require ISPs to collect anonymised information on serious repeat infringers (derived from their notification activities), to be made available to rights-holders together with personal details on receipt of a court order.” The Government said that it would soon begin consultation on the proposed new law. [Source]

 

Internet / WWW

 

WW – Fresh Privacy Fears Over IE 8 Suggested Sites: Richard Clayton

A top security researcher has called for Microsoft to rethink aspects of its Suggested Sites feature in IE8. The optional feature in the next version of Microsoft’s browser allows users to “discover websites you might like based on sites you’ve visited”, as Microsoft explains it. When the feature is activated, the addresses of sites visited are sent to Microsoft, alongside information such as IP address, browser type, regional and language settings, in an encrypted form. Microsoft’s draft IE8 privacy policy explains that “information associated with the web address, such as search terms or data you entered in forms might be included”. In response to earlier queries on the technology, prompted by posts by privacy activists on the No Deep Packet Inspection campaign website, Microsoft was able to allay concerns that data from secure sites might be sampled or that the feature might be used to serve up targeted advertising. However, concerns about the privacy implications of the technology remain. [Source] [IE8 Suggested Sites suggested to be snoopy (29 Jan 2009)] [Microsoft to act on IE8 ‘show stoppers’ (28 Jan 2009)] [Microsoft boasts ‘out of box’ IE8 clickjack protection (27 Jan 2009)] [Microsoft’s IE 8 beta adds ‘special’ list (27 Jan 2009)]

 

Law Enforcement

 

CA – Lawful Access to Return to Canadian Legislative Agenda

The Canadian government is preparing sweeping new eavesdropping legislation that will force Internet service providers to let police tap exchanges on their systems - but will likely reignite fear that Big Brother will be monitoring the private conversations of Canadians. The change is certain to please the RCMP and other police forces, who have sought it for some time. But it is expected to face resistance from industry players concerned about the cost and civil libertarians who warn the powers will effectively place Canadians under constant surveillance. [Globe & Mail]

 

US – Confidential LAPD Misconduct Files Mistakenly Posted On Internet

The L.A. Police Commission violated its own strict privacy policy – and perhaps state law – releasing a confidential report on the Internet that contained the names of hundreds of officers accused of racial profiling and other misconduct. The blunder, which police officials attributed to a clerical error, marks an embarrassing misstep for a police department that has staunchly rebuffed efforts by the public to learn the identities of accused officers and gain greater access to the discipline process. An electronic version of the report, which was disseminated to members of the news media in an e-mail and posted to the city’s website, included the names of about 250 officers recently investigated by the LAPD’s Internal Affairs Group over allegations that they used a person’s race to justify a traffic or pedestrian stop. [Source]

 

WW – Data Breach Led to Multi-Million Dollar ATM Heists

Personal and financial data compromised as a result of a data breach, disclosed in late December by Atlanta-based RBS WorldPay, was used to swipe more than $9 million in one day during a highly coordinated, global ATM heist. Using a group of individual “cashers” operating in 49 cities around the world, the FBI told the Washington Post that the crime ring made off with $9 million in withdrawals from ATMs in the United States, Canada, Europe and Asia. The hackers used the pilfered data to create clone ATM cards that were distributed to a network of dozens of individuals who used the cards to steal the money in early November. [Source]

 

Online Privacy

 

EU – Social Websites Sign EU Pact Vs. “Cyber-Bullying”

Seventeen social networking sites in Europe including Facebook and MySpace signed a pact aimed at curbing “cyber-bullying” and protecting the privacy of underage users, the European Commission said. The Commission, the 27-nation EU’s executive arm, said the agreement will cut the risks of children harassing peers online and curb “grooming” -- the practice of adults befriending children online with the intention of committing sexual abuse. The Commission said the voluntary agreement was hoped to:

The British Home Office took similar steps to improve online safety last April, while 49 State Attorneys General in the United States have signed similar separate agreements with Myspace and Facebook. The other sites that signed the EU agreement include: Arto, Bebo, Dailymotion, Giovani.it, Google/YouTube, Hyves, Netlog, Nasza-klasa.pl, One.lt, Skyrock, StudiVZ, Sulake/Habbo Hotel, Yahoo!Europe, and Zap.lu. [Source] See also: [Article 29 Data Protection Working Party - PRESS RELEASE - 69th meeting, 10-11 February 2009 - Search Engines]

 

WW – Facebook Networking Site Cashes In On Friends

Facebook is planning to exploit the vast amount of personal information it holds on its 150m members by creating one of the world’s largest market research databases. In an attempt to finally monetise the social networking site, once valued at $15bn (£10.4bn), it will soon allow multinational companies to selectively target its members in order to research the appeal of new products. Companies will be able to pose questions to specially selected members based on such intimate details as whether they are single or married and even whether they are gay or straight. The company, which has struggled to make money from advertising, has been demonstrating the benefits of its new instant polling tool to some of the most influential business leaders at the World Economic Forum in Davos. Facebook has already sold the new polling system, called engagement ads, to CareerBuilder, a global graduate recruitment company, and AT&T, the US telecoms giant, is trialing the system. A Facebook spokesman said the company’s advertising department is marketing the new service to thousands of companies worldwide and it hopes the polls will go live this spring. All the company’s previous attempts to monetise the site have failed after members railed against the site’s invasion of their privacy. Mr Zuckerberg pulled Beacon, a service that notified users of their friends’ purchases on external sites such as Amazon, after members launched a campaign in December 2007. Mr Zuckerberg said the coming year will be “intense” for Facebook as advertising revenue dries up. [Source] [Facebook plays down privacy concerns]

 

WW – Fake Social Network Profiles: a New Form of Identity Theft in 2009

Forget credit cards and social security numbers: a new lot of identity thieves will soon come after your web profiles, or so says security firm Aladdin in its Annual Threat Report. According to the firm, if you don’t own and control your online persona, it is relatively easy for a criminal to aggregate the public information known about you and build a fake one. This new type of identity theft was listed among the firm’s other predictions for 2009 and was based on previous trends, including a rise in attacks distributed through social networking channels. In 2008, for example, worm writers (such as those behind Koobface) took advantage of the growing popularity of social networks as a means of distributing their worms. As these sites continue to grow, the potential for criminal activity surrounding them will grow as well. [Source]

 

 

Other Jurisdictions

 

HK – Privacy Vow Before Google Hits Hong Kong Streets

A controversial Google mapping project involving real-life images taken from street level has been given the go-ahead despite privacy concerns. But the Hong Kong Privacy Commissioner said he will look seriously into any complaint brought to him about the Google Street View Project. Roderick Woo Bun made the pledge after ensuring the initiative complies with the Personal Data (Privacy) Ordinance. “I have not received any complaint against Google in connection with the project, and the facts presently known to me do not suggest that there has been a breach of the Hong Kong privacy law,” Woo said. “That said, I wish to assure the public that I shall look seriously into any complaint made by an affected individual in accordance with the Personal Data (Privacy) Ordinance.” [Source]

 

BG – CEZ Fined for Unnecessary Data Collection

Bulgaria’s Commission for Personal Data Protection (CPDP) has fined electricity distribution company CEZ for continued breaches of privacy protection regulations. Last year the commission ordered CEZ to stop requiring proof-of-right-to-use documentation from new clients. “They do not need this data,” said CPDP member Krassimir Dimitrov. Before actually levying the 100,000 Leva fine, the commission will again investigate CEZ to see whether the practice has been stopped. The CPDP is investigating other Bulgarian companies for the unnecessary collection of data. Recently, the commission ordered the water utility Sofiyska Voda to stop over-collecting. [Source]

 

Privacy (US)

 

US – Industry Giants to Weigh in on US Privacy Laws

A group of U.S. companies, led by technology giants Microsoft, Hewlett-Packard and eBay, is set to outline recommendations for new federal data-privacy legislation that could make life easier for consumers and lead to a standard federal breach-notification law. The recommendations, which were developed by a group of industry players called the Consumer Privacy Legislative Forum, are set to be released at an upcoming privacy conference six weeks from now, according to Peter Cullen, Microsoft’s chief privacy officer. The companies have been working for the past three years to encourage the adoption of federal consumer data-privacy laws and to answer the question of what federal legislation should look like. Other forum members include Google, Oracle, Procter & Gamble and Eli Lilly. One idea is that laws should make it easier for consumers to understand what they’re getting into when they share their personal data with Web sites, Cullen said. “The whole focus on consent really puts an unfair burden on the consumer,” he said. “My mom doesn’t know what an IP address is.” The recommendations will cover rules around data use and the ability of consumers to correct inaccurate data. And they will cover data breach notification, which is now covered by a patchwork of state laws. [Source]

 

US – Montana Data Collection on Students With Disabilities Sparks Privacy Concerns

Montana’s Office of Public Instruction has begun collecting information - including medical data - on students with disabilities, raising confidentiality concerns among school officials. Doug Sullivan, superintendent of schools in Sidney, said that beyond the list of students’ physical and emotional disabilities, he is also concerned that the state collects general income information by asking which students are eligible for a subsidized school lunch. “I asked the principal not to disclose some of that specific information about my son, but he told me that could jeopardize federal funding of school programs,” Sullivan said. “But that jeopardizes my right as a parent to control information about my own child.” Madalyn Quinlan, chief of staff for OPI, said the data is required by the Achievement in Montana system, which is used to assess and track the educational progress of students. “It’s an accountability requirement for the federal government to ensure we are providing services to the students they’re providing funding for.” [Source]

 

US – Countrywide Settlement for CT

Bank of America will pay the State of Connecticut $350,000 as part of a settlement on the Countrywide Financial Corp. data breach that affected 30,000 Connecticut residents. Bank of America acquired Countrywide last year. In addition, the bank has set aside $25,000 to reimburse residents for costs associated with freezing and unfreezing their credit reports. The FBI arrested a former Countrywide employee last August for selling the personal information of 2 million Countrywide loan applicants. [Source]

 

US – FTC Settles With Geeks.com

As part of a settlement with the Federal Trade Commission, Genica Corp., operators of computer and electronics supply Web site Geeks.com, must submit to five independent security audits over the next decade after security failures resulted in a data breach last year. The breach was notable due to numerous security oversights and false claims, including the display of a McAfee “Hacker Safe” seal that McAfee said had been revoked after scans found vulnerabilities. The article made no mention of financial penalties. Names, mail and e-mail addresses, telephone numbers, and credit card account information were exposed as a result of the breach. [Source]

 

RFID

 

WW – Passport RFIDs Cloned Wholesale by $250 eBay Auction Spree

Using inexpensive off-the-shelf components, an information security expert has built a mobile platform that can clone large numbers of the unique electronic identifiers used in US passport cards and next generation drivers licenses. The $250 proof-of-concept device - which researcher Chris Paget built in his spare time - operates out of his vehicle and contains everything needed to sniff and then clone RFID tags. During a recent 20-minute drive in downtown San Francisco, it successfully copied the RFID tags of two passport cards without the knowledge of their owners. [Source and video]

 

US – White-Hat Hacker to Show Way to Clone Passport Card Data

A computer security researcher is set to demonstrate this weekend how simple it is to read and clone RFID tags from U.S. government-issued passport cards. Chris Paget last week posted a YouTube video that chronicled him driving around San Francisco, where he successfully cloned two RFID tags from U.S. Passport Cards, first released last fall, in 20 minutes. Detailing the dangers of RFID technology has become commonplace at hacker events. At last year’s Black Hat show in Las Vegas, researcher Nate Lawson warned that automatic toll collection systems lack privacy controls and can easily be cracked to steal customer identification numbers. In 2007 at Black Hat, Paget was scheduled to show how he could clone widely used RFID-enabled employee badges, but canceled the talk under increasing pressure from the badge maker. The Federal Trade Commission is studying ways to tighten regulations around RFID. [Source]

 

US – RFID Gives Dementia Patients Their Freedom

Thanks to passive tags sewn into clothing, residents at risk of wandering away from the Shady Palms assisted-living facility no longer need to be confined to a secured area. Roughly 70% of the 100 residents at the assisted-living facility in Tampa, Fla., suffer from some type of dementia. Because of this, many of them sometimes become disoriented and attempt to leave the facility. “They’ll say, ‘I’m leaving; I need to go home now,’” says Robert Bennett, the facility’s administrator. This tendency to flee, referred to in the industry as “elopement,” poses a significant threat to the health and safety of the ailing residents, he explains, and also presents a serious liability threat to the facility. But Shady Palms has installed an RFID-based tracking system—which Bennett refers to as “the best thing since sliced bread”—that alerts staff members if a resident suffering from dementia attempts to leave the facility. According to Bennett, staff members can also employ a handheld RFID reader to locate articles of tagged clothing. Early tests have shown that this can be a useful application, he explains, since residents sometimes misplace their clothing. He says he’s also considering a move to tag all clothing for every resident, so that the garments can be better tracked as they are put through the laundering process. [Source] See also: [University of Florida Research: RTLS Offers Novel Approach to Dementia Research]

 

Security

 

US – Security Problems Still Plague Retailers’ Wireless LANs: Survey

A large-scale scan by Motorola’s AirDefense group has found that wireless LAN vulnerabilities in retailer networks, though much improved over last year, are still all too common, despite repeated, widely publicized wireless security breaches. The scan of WLANs in big-city shopping malls found that about 44% of some 3,000 client devices detected, including barcode scanners, notebook PCs and mobile computers, could be compromised, according to Motorola AirDefense CTO Amit Sinha. That percentage is a huge drop from last year’s survey, which found 85% of the detected client devices exposed in various ways. Retailer access points were better protected: 68% of just over 7,900 access points were using some kind of encryption, leaving nearly one-third of them with no data scrambling at all, only a marginal improvement on last year’s survey, which found 35% of the detected access points wide open. And of those that were encrypted, 25% in the new survey were using WEP, a flawed encryption scheme that a knowledgeable attacker can crack in minutes. [Source]
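The WEP weakness the survey refers to comes from how the cipher is keyed per frame: a 24-bit IV, sent in the clear, is prepended to the shared secret and the result keys RC4, so on a busy network the roughly 16 million IVs repeat and the RC4 keystream repeats with them. The Python below is an added illustration written for this digest, not code from Motorola AirDefense or the cited article; the key, IV and frame contents are constructed. It shows a receiver decrypting normally, then an attacker with no key using the fixed LLC/SNAP header that begins every IP frame (and, in a second step, a frame whose plaintext the attacker chose, e.g. by sending the client a ping) to recover keystream for one IV and read another frame encrypted under it. The fast key-recovery attacks used in practice (FMS, KoreK, PTW) exploit further RC4 weaknesses and are not shown here.

```python
import struct
import zlib

# LLC/SNAP header that begins the payload of every IPv4 frame on 802.11;
# an eavesdropper can treat these 8 bytes as known plaintext.
SNAP_HEADER = bytes.fromhex("aaaa030000000800")


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then the PRGA keystream XORed over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(payload: bytes) -> bytes:
    """WEP's integrity check value: an unkeyed CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(secret: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body as WEP sends it: the 3-byte IV in the clear, then
    RC4 keyed with IV||secret over payload||ICV."""
    if len(iv) != 3 or len(secret) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV and a 40- or 104-bit secret")
    return iv + rc4(iv + secret, payload + icv(payload))


def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: rebuild the per-frame key from the IV, check the ICV."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + secret, body)
    payload, tag = plain[:-4], plain[-4:]
    if tag != icv(payload):
        raise ValueError("ICV mismatch")
    return payload


def keystream_from_known_plaintext(frame: bytes, known_payload: bytes) -> tuple:
    """Attacker with no key: ciphertext XOR known plaintext is the keystream
    for this IV.  SNAP_HEADER alone yields 8 bytes; a fully known payload
    (the attacker appends the unkeyed ICV themselves) yields all of it."""
    iv, body = frame[:3], frame[3:]
    known = known_payload
    if len(known_payload) + 4 == len(body):        # payload fully known
        known += icv(known_payload)
    return iv, bytes(c ^ p for c, p in zip(body, known))


def decrypt_with_keystream(frame: bytes, iv: bytes, keystream: bytes) -> bytes:
    """Attacker: any other frame sent under the same IV falls to the same keystream."""
    if frame[:3] != iv:
        raise ValueError("keystream is only valid for the IV it was recovered under")
    return bytes(c ^ k for c, k in zip(frame[3:], keystream))


def demo() -> dict:
    # Constructed sample: a 40-bit key and one IV the access point reuses for two frames.
    secret = bytes.fromhex("0102030405")
    iv = bytes.fromhex("0a0b0c")
    chosen = SNAP_HEADER + b"ping chosen by attacker"      # attacker knows this in full
    victim = SNAP_HEADER + b"card=4111111111111111"         # attacker wants this one
    f_chosen = wep_encrypt(secret, iv, chosen)
    f_victim = wep_encrypt(secret, iv, victim)

    _, ks8 = keystream_from_known_plaintext(f_victim, SNAP_HEADER)   # 8 bytes, no key needed
    _, ks_full = keystream_from_known_plaintext(f_chosen, chosen)    # whole keystream
    return {
        "receiver_ok": wep_decrypt(secret, f_victim) == victim,
        "prefix_from_snap": decrypt_with_keystream(f_victim, iv, ks8),
        "full_recovery": decrypt_with_keystream(f_victim, iv, ks_full)[:len(victim)],
    }


if __name__ == "__main__":
    print(demo())
```

The ICV is a plain CRC-32, so it offers no protection here: an attacker who knows a payload can compute its ICV and strip the whole keystream, and because CRC is linear the same attacker could flip payload bits and patch the ICV without ever learning the key. WPA2 replaced the per-frame IV||key construction with a proper per-packet key derivation and a keyed MIC.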

 

US – Data Losses Proving More Costly for Businesses

Data breaches are costing companies more than ever as consumers shun those that have lost information, according to a new study. The study is based on a survey of 43 U.S. companies that lost data in 2008, ranging from 4,200 records to 113,000 records across 17 industry sectors, according to the Ponemon Institute, which studies privacy practices at companies and government organizations. It cost companies on average $202 for every data record lost in 2008. That’s compared with $197 in 2007, $182 in 2006 and $138 in 2005, the first year the study was conducted. Factored into those figures are how much companies spend on detecting data losses, costs incurred notifying victims and hiring forensic experts and paying for free credit checks for affected consumers, among others. The most costly factor, however, was loss of business. Of the $202, $139 represented the cost of lost business, up 69% over 2007. [Source]

 

US – Obama Orders 60-day Cybersecurity Review

President Barack Obama ordered an immediate 60-day review of federal cyber security efforts and named Melissa Hathaway, a top U.S. intelligence official, to oversee the effort, according to a White House statement. Hathaway, who served as a top cyber security adviser to Mike McConnell, the former director of national intelligence, will conduct the review for the White House National Security and Homeland Security Councils. The review, which will examine what the federal government is already doing to protect vital U.S. computer networks, underscores mounting concerns about the risks of cyber attacks, and points to a growing market for U.S. contractors. [Source] [Source] [Source]

 

WW – Cellphone Recycler Says 99% of Phones Still Contain Personal Data

Regenersis studied a random sample of 2,000 handsets processed during the first week in December and found that 99% of handsets received contained some sort of personal data, including contacts, SMS messages, pictures, music, videos, calendar entries, emails, notes, mailing lists and to-do lists. In some cases, extremely sensitive information was present, including bank details, addresses, and confidential emails. This study was based on European phone donations, but we’re not going to pretend that U.S. citizens are ahead of the curve when it comes to data privacy. So please: recycle your phones, but don’t leave sensitive info on them. If you need to erase your phone but don’t know how, try Googling the phrase “wipe phone data” + the name of your phone. Or visit this website and search for your phone there. [Source]

 

WW – Survey: 40% of Hard Drives Bought on Ebay Hold Personal, Corporate Data

A New York computer forensics firm found that 40% of the hard disk drives it recently purchased in bulk orders on eBay contained personal, private and sensitive information – everything from corporate financial data to the Web-surfing history and downloads of a man with a foot fetish. Kessler International conducted the study over a six-month period, buying up disk drives ranging in size from 40GB to 300GB from the U.S. and Canada. Kessler International offered this breakdown of the kind of data it retrieved: personal and confidential documents, including financial information, 36%; e-mails, 21%; photos, 13%; corporate documents, 11%; Web browsing histories, 11%; DNS server information, 4%; miscellaneous data, 4%. “We were more concerned with searching for people’s identification, which is what we found, but we were surprised by all the corporate spreadsheets and business finance records we found,” Kessler said. The forensics firm even found one company’s “secret” recipe for French fries, Kessler said. [Source]
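Kessler’s result follows from how deletion works on ordinary filesystems: removing a file drops the directory entry and marks its blocks free, but the bytes stay on the platter, so a forensic examiner scans the raw image rather than asking the filesystem what it contains. The Python below is an added example for this digest, not Kessler International’s tooling; the toy filesystem, file names and contents are constructed. It writes three files of the kinds the survey found, deletes two of them the normal way, carves e-mail addresses, URLs and Luhn-valid card numbers out of the raw image regardless, and then overwrites the unallocated blocks to show what a sanitising pass changes.

```python
import re

BLOCK = 512

# Bytes patterns for the artifact types the survey reports, so they run over a raw image.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9./?=&_-]+")
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")   # 13-16 digits, optional separators


def luhn_valid(digits: str) -> bool:
    """Mod-10 check every card number passes; filters out phone numbers and IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def carve(image: bytes) -> dict:
    """Scan the raw bytes and ignore the filesystem entirely: deleted data is still there."""
    pans = set()
    for m in PAN_RE.finditer(image):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_valid(digits):
            pans.add(digits)
    return {
        "emails": sorted({m.group().decode() for m in EMAIL_RE.finditer(image)}),
        "urls": sorted({m.group().decode() for m in URL_RE.finditer(image)}),
        "card_numbers": sorted(pans),
    }


class ToyDisk:
    """Minimal flat filesystem: a directory plus raw blocks. Deleting touches only the directory."""

    def __init__(self, blocks: int):
        self.image = bytearray(blocks * BLOCK)
        self.directory = {}        # name -> (first block, byte length)
        self.next_block = 0

    def write(self, name: str, data: bytes) -> None:
        start = self.next_block * BLOCK
        self.image[start:start + len(data)] = data
        self.directory[name] = (self.next_block, len(data))
        self.next_block += -(-len(data) // BLOCK)        # ceiling division

    def read(self, name: str) -> bytes:
        blk, length = self.directory[name]
        return bytes(self.image[blk * BLOCK:blk * BLOCK + length])

    def delete(self, name: str) -> None:
        # An ordinary delete: forget where the file was; its data blocks are not touched.
        del self.directory[name]

    def wipe_unallocated(self) -> None:
        """What a sanitising tool adds: overwrite every block no directory entry references."""
        used = set()
        for blk, length in self.directory.values():
            used.update(range(blk, blk + -(-length // BLOCK)))
        for b in range(len(self.image) // BLOCK):
            if b not in used:
                self.image[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)


def demo() -> dict:
    """Constructed drive: three files of the kinds the survey found, two deleted the normal way."""
    disk = ToyDisk(blocks=16)
    disk.write("budget.csv", b"Q3 revenue,4500000\nCFO,cfo@example-corp.test\n")
    disk.write("orders.txt", b"customer card 4111 1111 1111 1111 exp 09/11\nphone 555-0100\n")
    disk.write("history.dat", b"visited http://news.example.test/article?id=42\n")
    disk.delete("budget.csv")
    disk.delete("orders.txt")
    after_delete = carve(bytes(disk.image))     # the directory no longer lists them; the bytes remain
    disk.wipe_unallocated()
    after_wipe = carve(bytes(disk.image))       # only the still-allocated file survives
    return {"listed": sorted(disk.directory), "after_delete": after_delete, "after_wipe": after_wipe}


if __name__ == "__main__":
    print(demo())
```

The same carve run against a real image (`dd` of a bought drive) finds the same classes of artifact; the difference between “deleted” and “gone” is entirely whether the blocks were overwritten. For drives leaving an organisation, the check is not that the files are unlisted but that a raw scan of the whole device comes back empty.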

 

Smart Cards

 

WW – “Off Switch” Could Curb Privacy Concerns for New Ontario Driver’s Licence

A U.K.-based firm, Peratech, has developed a touch-sensitive switch that could allow holders of RFID-enabled cards to turn their cards on or off. With many Ontarians likely to carry RFID-enabled driver’s licence cards to speed their entry into the U.S., such a switch could come in handy. Privacy advocates are concerned that drivers will unwittingly leak personal information as a result of these cards, and are looking to Peratech for assistance. “We have a unique material that transitions from a very low conducting point to an almost pure conductor,” says Philip Taysom, the director of Peratech Ltd. “The material is very similar to a bathroom sealant.” “The only time you need your licence engaged is when you’re actually crossing the border,” she says. “When you’re driving around Ontario on a daily basis, you don’t want it on.” [Source]

 

Surveillance

 

US – Cambridge Rejects Surveillance Cameras

The Cambridge City Council has pressed the “Stop” button on a project that would have activated eight surveillance cameras in the community, saying the project raised concerns about possible invasion of privacy. The council unanimously adopted two orders last night calling for a halt to work on the camera network. One, sponsored by Councilor Marjorie Decker, said “the potential threats to invasion of privacy and individual civil liberties outweigh the current benefits.” “The essence of this debate is that the council and I don’t have enough information” about the cameras, said Mayor Denise Simmons. “We don’t know how they’re going to be operated. We don’t know how they’re going to be governed. We don’t know who’s going to have access to the information that they collect.” “There has not been enough public discussion about these cameras, so City Council is not convinced that their proposed benefits will outweigh the potential risk,” she said. It was the first time a community in the state had rejected the cameras, the American Civil Liberties Union of Massachusetts said in a statement. [Source] See also: [Korea - All Seoul Schools to Have CCTVs]

 

US – Georgia Mulls Ban on Covert GPS Trackers

According to a slew of federal court rulings, police can use hidden tracking devices to monitor the public movements of a person or vehicle without bothering with a court order, since these devices don’t violate any “reasonable expectation of privacy.” But the sponsors of a bill making its way through the Georgia General Assembly think these GPS trackers do violate a privacy interest worth protecting, at least when they’re used by private citizens. House Bill 16, sponsored by State Rep. Kevin Levitas, would make it a crime to “use an electronic tracking device to determine the location or movement of another person without such other person’s consent,” with a few notable exceptions. The statute exempts parents who want to lojack their own kids, individuals or businesses who want to track their own vehicles, and of course, law enforcement. But private investigators, who make routine use of GPS trackers in their work, have been left out, and are fighting to get their own exemption written in. [Source] [Source]

 

Telecom / TV

 

WW – Where Are The Kids? Check Google’s Maps

With an upgrade to its mobile maps, Google hopes to prove it can track people on the go as effectively as it searches for information on the Internet. The new software to be released Wednesday will enable people with mobile phones and other wireless devices to automatically share their whereabouts with family and friends. The feature, dubbed “Latitude,” expands upon a tool introduced in 2007 to allow mobile phone users to check their own location on a Google map with the press of a button. “This adds a social flavour to Google maps and makes it more fun,” said Steve Lee, a Google product manager. It could also raise privacy concerns, but Google is doing its best to avoid a backlash by requiring each user to manually turn on the tracking software and making it easy to turn off or limit access to the service. Google also is promising not to retain any information about its users’ movements. Only the last location picked up by the tracking service will be stored on Google’s computers, Mr. Lee said. The software plots a user’s location — marked by a personal picture on Google’s map — by relying on cellphone towers, global positioning systems or a Wi-Fi connection to deduce their location. The system can follow people’s travels in the United States and 26 other countries. It’s left up to each user to decide who can monitor their location. The social mapping approach is similar to a service already offered by Loopt Inc., a 3-year-old company located near Google’s Mountain View headquarters. [Source] [Google Latitude -a free and fabulous tracking service if you aren’t paranoid about privacy] [Privacy Critics Don’t Give Google Enough ‘Latitude’] [Google Latitude Spurs Privacy Backlash] [Privacy International] [Latitude Sparks Privacy Debate in Canada]

 

WW – Google’s G1 Phone Makes It Easy to Track Surfing Habits

The new Google phone, dubbed the G1, has been touted as a working man’s smartphone - a cheap, Web-friendly wireless device that can make life easier for millions of consumers. The G1, as it turns out, also stands to make life a whole lot easier for Google - by making it a snap to track your movements on the mobile Web and send you ads as it does on the desktop. The device, sold exclusively by T-Mobile, gives Google access to your e-mail, instant messages, contact lists, Web-search history and geographic location. By keeping tabs on your mobile life, Google (GOOG) can quickly figure out what sort of ads to send your way, and when. “It’s like a walking surveillance device,” says Jeffrey Chester, executive director of the Center for Digital Democracy, a consumer watchdog group. [Source] See also: [AT&T Mobility lawsuit tackles autodialing telemarketers, claims ‘annoyance and intrusion’]

 

US – Congressman’s Twittering Raises Security Concerns

The top Republican on the U.S. House intelligence committee landed in hot water this week after using his Twitter page to update the public on his precise whereabouts while traveling through Iraq and Afghanistan. The revelation prompted the Pentagon to review its policy, which regards such information as sensitive. [SiliconValley.com] See also: [Fake Dalai Lama Exiled From Twitter]

 

US Government Programs

 

US – House Approves Whitelist of People Who Aren’t Terrorists

The House overwhelmingly adopted legislation this week mandating the creation of a new kind of terrorist watchlist: a database of people who aren’t terrorists, but are routinely flagged at airports anyway. The U.S. government maintains a list of about a million names of suspected terrorists that is crosschecked with passenger names ahead of airline boarding. The list has been dogged for years by sloppy name matches that have ensnared innocent travelers, children, prominent politicians and government officials, the U.S. Conference of Catholic Bishops’ secretary of education and all men named David Nelson. Under the new plan, approved late Tuesday 413-3, innocent victims of the terrorist watchlist must prove to the Department of Homeland Security, through an undetermined appeals process, that they are not terrorists. They would then get their names put on what the legislation calls the “Comprehensive Cleared List.” The FAST Redress Act, if approved by the Senate, requires the government to report within 240 days on its progress in implementing the new list. [Source]

 

US – Draft Letter to DHS Secretary and Acting CPO on Privacy-Related Priorities

This letter reflects the consensus recommendations provided by the Data Privacy and Integrity Advisory Committee to the Secretary and Acting Chief Privacy Officer of the Department of Homeland Security (DHS). The Committee’s charter under the Federal Advisory Committee Act is to provide advice on programmatic, policy, operational, administrative, and technological issues relevant to DHS that affect individual privacy, data integrity and other privacy-related issues. The Committee deliberated on and adopted the recommendations set forth below during a public meeting held by teleconference on February 3, 2009. This letter outlines certain key privacy issue [Letter] [Source] See also: [GAO Guidance: Federal Information System Controls Audit Manual (FISCAM). GAO-09-232G, February 2]

 

US Legislation

 

US – Virginia’s General Assembly Rejects REAL ID Provisions

The Virginia House and Senate have overwhelmingly passed legislation rejecting elements of the federal government’s Real ID law, which requires states to issue federally mandated drivers’ licenses or similar forms of identification that would become part of a national database. The House approved the bill of Del. Robert Marshall, R-Prince William, 88-10, and the Senate passed legislation from Ken Cuccinelli, R-Fairfax, 30-9. Critics of the program argue that the law is an invasion of privacy. “There’s [absolutely] no reason that we should link our data to another database that’s going to be broken into,” said Mike Stollenwerk, chairman of the Fairfax County Privacy Council. “That’s happened time and time again. “This is fake security,” he added. “It’s not real security.” The Virginia law, if signed by Gov. Tim Kaine, would not overtly reject Real ID. Rather, it would prohibit the state from complying with any element of the act that would compromise economic privacy, such as residents’ tax returns, financial transactions and investment transactions, or the security of biometric data, like fingerprints, retinal scans and DNA samples. [Source]

 

 

+++