Privacy News Highlights

11—23 November 2005

Contents:

WW – Biometrics Experts from Government and Industry Join Forces

WW – Survey Commissioned By IBM Finds Consumer Support for Biometrics

WW – Facial Recognition, Auto-Tagging Software

CA – Federal Privacy Commissioner’s Telephone Records Exposed

CA – Communications Interceptions Bill Introduced in Parliament

CA – New Emergency Management Act Introduced in Parliament

CA – Survey: Security Concerns Prevent 2 / 5 Canadians from Shopping Online

CA – Survey: Security of Corporate Data Questioned

WW – Microsoft Privacy Strategist Says Transparency Key to Build Consumer Trust

WW – Study: Consumer Trust Is the Key to Expand Online Marketing And Commerce

WW – Survey: Protecting PII One of the Top 3 Most Socially important issues in UK

ON – Ontario to Improve Management of Large-Scale I&IT Projects

US – Boeing PC Stolen with Sensitive Data on 161,000 Workers

EU – ECJ AG Urges End to Transatlantic Passenger Data Disclosures

UK – UK Council: Risks on Government Personal Data Must be Addressed

UK – Data Protection Enforcement Strategy Announced: Focus on Serious Breaches

US – Court Orders FBI to Release PATRIOT Documents to EPIC

US – Survey: Medical Records Privacy Important to Americans

US – U.S. Military Unveils Digital Health System

NZ – Privacy Bungle at VTNZ

WW – Wacoal Says Online Customer Data, Credit Card Numbers Leaked

US – Study: Identity Fraud Due to Breaches Rare

WW – Consumers Worried over Holiday ID Theft

WW – IBM VP: Global Body Needed to Establish Standards for Identity Verification

WW – Sony DRM Plan Triggers Civil and Class Action Lawsuits

WW – Machines and Objects to Overtake Humans on the Internet

US – Are You a ‘Public Figure’?

UK – Commuters Face Airport-Style Scans

SA – New Legislation to Protect Privacy

WW – Hackers Installing Keyloggers at a Record Rate

WW – Internet Companies Create Download Standard to Fight Spyware

WW – APEC Ministers Endorse Privacy Framework for Information

US – Groups Outline Effective ID Theft Law

US – Industry Calls for Uniform Federal Security-Breach Notification Standards

US – Revised America Online Inc. Privacy Policy Permits Targeting Of Ads

US – HP Buys Defunct User Group Data

US – FDA Approves Injecting ID Chips in Patients

US – Survey: Consumers “Somewhat Willing” to Pay Fees to Keep Accounts Secure

UK – Passport Price Forced up by Biometric Chip Costs

US – Debate About Magnetic Hotel Room Keys Escalates

CA – CCTV Deployed in Downtown Thunder Bay

US – New Library Program to Help Improve Privacy Protection

KR – Groups Select Samsung SDI as Worst Privacy Offender

US – Cable Companies Plan to Roll out Cable Boxes that Track Viewing Habits

WW – Vital Data often Stored on Unsecured Devices

US – Congress Reaches Tentative Deal on Changes to Patriot Act

US – Senate Considers Data Broker Regulation; Few Thrilled by ID Theft Bill

US – Senate Passes Health Technology Bill

US – Survey: What is a Privacy Professional?

US – News Trucks Equipped With GPS Tracking Equipment

WW – New Technology Provides Voice Confidentiality in Open Environments

WW – Study: Unencrypted Backup Tapes “Still the Norm”


 

WW – Biometrics Experts from Government and Industry Join Forces

The creation of the International Biometric Advisory Council (IBAC) is the result of calls from government and the private sector for a global body to oversee the development of standards for biometrics. The IBAC is comprised of representatives from the U.S. Department of Homeland Security, IBM and international security organizations. Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario, is among the twelve expert Board Members who will meet twice a year. [Source] [Source]

 

WW – Survey Commissioned By IBM Finds Consumer Support for Biometrics

Consumers, fearing the theft of their personal information over the holidays, will shop less online and place fewer catalogue orders, according to an Opinion Research Corp. survey commissioned by IBM. Half of the survey respondents indicated they would feel more secure with biometrics. [Source]

 

WW – Facial Recognition, Auto-Tagging Software

A new software application boasts the ability to automatically recognise people in a digitised photograph and tag the picture with their names. Currently in alpha testing, Riya software works by analysing 50 variables, including hair and eye colours, gender, height, clothing and other features that help identify people. It also uses text recognition to read street signs and other text in photos for clues about a picture’s location. The software must be initially ‘trained’ by users so it learns the features of friends and family members. Once this has been done, it has proven sensitive enough to tell the difference between twins and recognise members of the same family. Riya can also identify unknown faces, giving users the chance to identify the subjects and add them to Riya’s database. Initial tests have shown Riya to be slow but capable, with minimal instances of false recognition. However, some concerns have been raised about privacy protection. Because Riya users enter the person’s name and email address (which can alert people when a photo they are in is uploaded to an online album), search engines may be able to find this data and use it for producing spam. Riya has reacted by saying that entering email addresses will be optional when the software enters beta testing shortly. [Source]

 

CA – Federal Privacy Commissioner’s Telephone Records Exposed

Maclean’s magazine: When even the privacy commissioner’s cellphone records are available online, we’ve all got security problems. There’s a point to be made about the type of highly confidential data that can be obtained by anyone with an Internet connection and a credit card, and Commissioner Stoddart has the misfortune of being the perfect illustration. Not that she’s pleased about it. Her eyes widen as she recognizes what has just been dropped on the conference table in her downtown Ottawa office – detailed lists of the phone calls made from her Montreal home, Eastern Townships’ chalet, and to and from her government-issued BlackBerry cellphone. Her mouth hangs open, and she appears near tears. “Oh my God,” she says finally. “I didn’t realize this was possible. This is really alarming.” [Source]

Canadian Privacy Commissioner Declines to Investigate Net Data Broker: The Privacy Commissioner of Canada has declined to pursue an investigation against a U.S.-based data broker over the collection of Canadian personal information. The Commissioner indicated that she believes that she lacks the jurisdiction to pursue the case. [Source]

CRTC Directs Phone Companies to Investigate Privacy Breach Exposed by Maclean’s: The CRTC is calling the country’s phone companies onto the carpet over revelations in Maclean’s magazine that U.S. databrokers are selling the home and cellphone records of Canadian consumers. In a terse letter dated Nov. 18, the telecommunications regulator demands that three phone companies immediately launch internal investigations into how the magazine was able to obtain the phone records of Canada’s privacy commissioner, and another customer, via a Tennessee-based online service. The companies have been given a strict 10-day deadline to report back to the commission with a host of information, including descriptions of the safeguards that were in place when the breaches occurred, explanations of how the companies verify customer identity and new measures being taken to improve security. [Source]

 

CA – Communications Interceptions Bill Introduced in Parliament

On November 15 Anne McLellan, Deputy Prime Minister and Minister of Public Safety and Emergency Preparedness, introduced legislation on the lawful interception of communications. The Modernization of Investigative Techniques Act (MITA) “will ensure that the law enforcement community and the Canadian Security Intelligence Service (CSIS) maintain their ability to investigate crime and terrorism in the face of rapidly evolving communications technology.” [Source] [Press Release] [Privacy Advocates Blast Bill]

 

CA – New Emergency Management Act Introduced in Parliament

Deputy Prime Minister and Minister of Public Safety and Emergency Preparedness (PSEPC), Anne McLellan, introduced the new Emergency Management Act, which provides for a comprehensive, all-hazards approach to emergency management. [Source]

 

CA – Survey: Security Concerns Prevent 2 / 5 Canadians from Shopping Online

40% of Canadians will avoid shopping online this holiday season due to Internet security concerns, according to a new survey from the Canadian Alliance Against Software Theft. Online consumers in Canada are more worried about internet security than their U.S. counterparts, where only 24% say they will not shop online due to security concerns. Almost all (96%) online consumers surveyed believed it is important to protect themselves online, and most are doing just that with, for example, anti-virus software (85%), firewall (67%), email filtering (64%) and anti-spyware software (60%). Only 33% of Canadians have web content filtering/blocking software. According to the survey, 88% of Canadian online consumers feel that some Internet retailers have not done enough to protect their online customers. Canada has a high proportion of consumers (73%) who worry that their family members may not be fully aware of existing online security threats. By comparison, only 60% of U.S. consumers share the same concern. Canadians are not yet fully confident in their ability to protect themselves from key online security threats, including loss of personal information (81%), identity theft (77%) and unsolicited email or spam (74%). The survey also indicated that consumers are concerned about e-commerce transactions when shopping on auction sites, with 79% of the Canadian respondents worried about bidding/selling goods on auction sites. [Source]

 

CA – Survey: Security of Corporate Data Questioned

An overwhelming majority of Canadians are concerned about the privacy of information stored in online databases, and more than half of companies admit their data is at risk. A Leger Marketing poll found 83% of Canadians are concerned about the privacy of their personal data, and 55% of companies say their confidential and private data is at risk of an attack. According to the poll, 58% of consumers say they would immediately terminate their relationship with a company that compromised their personal information. “Executives must heed their customers’ calls to take the necessary steps to protect their data and infrastructure from being compromised,” said one of the sponsors of the poll. “This is not a simple business issue. It’s a fundamental matter of trust.” “Smart enterprises know security and privacy are good for business, and yet many companies in Canada and around the world don’t take this message to heart,” said Andy Canham, president of Sun Microsystems of Canada and also a sponsor of the survey. More than one in 10 Canadian consumers believe they have already been a victim of identity theft, and 38% of respondents say they know someone who has been a victim of identity theft. Business leaders believe the greatest threat to their data security comes from inside their own operation. [Source]

 

WW – Microsoft Privacy Strategist Says Transparency Key to Build Consumer Trust

Peter Cullen of Microsoft commented on privacy-related issues in the marketplace, saying the main challenge for consumers is trying to control how their information is collected and used while navigating through a sea of harms, such as spam, phishing and spyware. Companies are faced with a growing body of regulations over how they collect and manage consumer information. [Source]

 

WW – Study: Consumer Trust Is the Key to Expand Online Marketing And Commerce

A recent study by Consumer Reports WebWatch underscores the distrust many Internet users harbor about online security and privacy. But the survey reveals an interesting trend: the users who conduct online transactions trust the Web sites they use. For example, the report found that banking Web sites are trusted by 68% of all Web users, but among those who actually bank online, 93% say they trust those sites. This trend demonstrates a simple fact about online behavior: increased trust online breeds online customers. The key to increasing online commerce is to draw in new consumers by removing the barriers to consumer trust. [Source]

 

WW – Survey: Protecting PII One of the Top 3 Most Socially important issues in UK

Only 16% of people are confident that internet sites will treat their personal information properly, according to a new survey by the Information Commissioner’s Office that found widespread concern about data protection laws and practices. Four out of five of us are concerned about how our finances or health and safety will be affected if our personal data falls into the wrong hands, according to the research published today. The survey, carried out by research firm SMSR Ltd, shows that protecting personal information is now regarded as one of the top three most socially important issues in the UK ranked only behind concerns over crime prevention and improving education standards. [Source]

 

ON – Ontario to Improve Management of Large-Scale I&IT Projects

The Ontario government will implement all of the recommendations made by a special task force on large-scale government information and information technology (I&IT) projects, Government Services Minister Gerry Phillips said this week, in order “to ensure that large-scale I&IT projects are better designed, stay on track and are reviewed for effectiveness.” [Source]

 

US – Boeing PC Stolen with Sensitive Data on 161,000 Workers

Highly sensitive personal data on 161,000 current and former Boeing workers are missing after the theft of a company personal computer. The data included “names and Social Security numbers, and in some cases birth dates and banking information,” according to a Boeing statement. [Source]

 

EU – ECJ AG Urges End to Transatlantic Passenger Data Disclosures

EU handovers of air passenger data to US security agencies should be “annulled”, an advocate general of the European Court of Justice said on Tuesday. The advocate general opinion - an indication of the direction of a full ECJ ruling in early 2006 - is a severe setback for the European Commission and the EU council of national governments. [Source]

 

UK – UK Council: Risks on Government Personal Data Must be Addressed

Privacy, accountability and trust are key to making the most of personal data, a new report from the UK Council for Science and Technology (CST) said this week. The use of personal data by Government offers enormous benefits with the potential to create more efficient and accessible public services, the report advised Government. But the report stated that the risks must be addressed in order to secure these benefits, and made key recommendations that included:

  • extensive public engagement with the public and civil society groups;
  • regulatory and governance frameworks to minimise the risks;
  • research into privacy enhancing technologies; and
  • the creation of federated databases rather than a single database.

The report set out that Government must strike the right balance between promoting greater access to personal data and protecting the individual. It recommended adopting the concept of citizens owning their own data and exercising control over how and when it is used. Dr Mark Walport, who co-authored the report, said: “Government is already providing a lead through the recent publication of the new IT strategy, setting out ways to link together personal information to be used more effectively. “But to make the most of the opportunities that intelligent use of personal data offers, including more efficient and better targeted public services, Government must address the risks. “We are at a crossroads in the development and use of personal data. We should not be led down the route where technology dictates its use. Government should take the opportunity to put in place the right safeguards to protect privacy and build public trust.” The CST is the Prime Minister’s top level advisory body on strategic science and technology policy issues. [Source] [Source]

 

UK – Data Protection Enforcement Strategy Announced: Focus on Serious Breaches

A more selective approach to enforcing data protection legislation is being adopted by the UK information commissioner. The move is part of the government’s broader drive to make regulation more “risk-based”, lightening the routine load on people and businesses while targeting resources on those genuinely abusing the law. Richard Thomas, the information commissioner, said yesterday that investigations and regulatory action, which ranged from advice and cautions to enforcement notices and criminal prosecution, would be focused on cases where failure to comply resulted in “serious consequences”. Less time would be devoted to minor or technical breaches of the law. Serious cases could involve, for example, career-threatening harm to a person from false information about criminal behaviour or less serious harm to many people, said Mr. Thomas. Other criteria for taking action would include “deliberate, willful or cavalier conduct”, or where there was a need to set an example or to clarify the law, he said. [Source] [Source]

 

US – Court Orders FBI to Release PATRIOT Documents to EPIC

On November 16, a federal judge ordered the FBI to publicly release or account for thousands of pages of information about the government’s use of USA PATRIOT Act powers. The order came as Congress considers whether to renew provisions of the PATRIOT Act that would otherwise expire. In a FOIA request filed in March, EPIC asked the Bureau for information about how it has used investigative authority granted by these expiring provisions of the PATRIOT Act. The controversial provisions are scheduled to lapse next month unless Congress takes further action. Noting that Congress would soon hold hearings on whether to renew the sunsetting provisions, EPIC asked the FBI to release the information quickly. When the Bureau failed to act, EPIC filed a lawsuit in April to force the agency to make the information public. The Bureau released a small number of pages just last month, after Congress had concluded its hearings and already drafted legislation to renew the sunsetting provisions. The few documents that were disclosed included reports of intelligence misconduct from the FBI to an intelligence oversight board, which attracted widespread media attention. In a court hearing last week, Judge Gladys Kessler expressed frustration that the FBI failed to release the information while it could still inform the congressional debate on the PATRIOT Act. [Judge Kessler’s Order]

 

US – Survey: Medical Records Privacy Important to Americans

67% of adults are concerned about the privacy of their personal medical records, according to a poll by the California HealthCare Foundation and the Health Privacy Project. Also, 52% fear that their health insurance information might be used by employers to limit job opportunities. Congress is considering a proposal to build a national Health Information Network, but it does not yet include adequate privacy safeguards. EPIC and Patient Privacy Rights are calling for strong medical privacy protections in an online petition. [National Consumer Health Privacy Survey 2005 by the California HealthCare Foundation and the Health Privacy Project] [Medical Privacy Petition]

 

US – U.S. Military Unveils Digital Health System

The military health system is getting an upgrade. Officials unveiled Monday a new global medical information system that will affect 9.2 million beneficiaries. According to the assistant defense secretary for health affairs, the digital system will handle all medical information from “the battlefield to military medical clinics and hospitals … Beneficiaries’ health records will be available around the clock and around the world, available to healthcare providers, yet protected from loss and unauthorized access … “Our electronic health record has matured to a point that its size and complexity are unrivaled.” According to the Secretary, every precaution has been taken to keep the medical records secure. The system is password-protected and no one can get to the information without being traced. The system will be fully implemented in the Department of Defense’s 800 clinics and 70 hospitals by next December. [Source]

 

NZ – Privacy Bungle at VTNZ

A computer glitch is being blamed after the private details of more than a thousand Vehicle Testing New Zealand customers were accidentally circulated by e-mail. Yesterday, the company sent out reminder e-mails alerting motorists their registration was due. However, attached was a list of 1780 names and addresses of other customers who were also sent reminder notices. VTNZ is currently investigating the privacy botch up, but say at this stage it appears only a small number of customers received the attachment. [Source]

 

WW – Wacoal Says Online Customer Data, Credit Card Numbers Leaked

Wacoal Holdings Corp., a Japanese lingerie maker, said information on 4,757 customers, including address and phone data and some credit card numbers, was stolen from its online shopping server. Credit card numbers of 1,988 clients were accessed, and 10 customers have reported their cards may have been illegally used, the company said in a statement on its Web site yesterday. Wacoal will investigate details of the unlawful access to the server, which is operated by a subsidiary of NEC Corp. [Source].

 

US – Study: Identity Fraud Due to Breaches Rare

Only 98 of 100,000 data breaches – or 0.098% – result in a consumer’s becoming a victim of fraud or identity theft, study results released last week found. “There was no evidence that the breached file was being exploited by fraudsters to perpetrate large-scale identity fraud scams,” ID Analytics Corp. said in a report on a survey it conducted of 100,000 consumers whose personal data was compromised this year. That included lapses of security involving credit card account details, which could result in transaction fraud, and people’s personally identifiable information, which could put them at risk for identity theft. ID Analytics, of San Diego, is a technology firm banks and other financial companies hire to flag possible indicators of fraud in credit applications. So few data breaches lead to fraud or ID theft, the firm said, because fraud rings simply do not have “the time or manpower to use hundreds of thousands of identities available to them in their nefarious pursuits.” As a result, the study said, “there exists a feasibility limit associated with fraudsters committing identity fraud using breached identities.” The study was released at a hearing in the House Financial Services subcommittee on financial institutions. Privacy Times publisher Evan Hendricks said at the hearing that “more and more thieves are sitting on data hoping to use it later” after data-breach victims let down their guard and relax monitoring of their accounts. Mr. Hendricks was not commenting specifically on the ID Analytics study. [Source] [Brief Overview of Findings]

 

WW – Consumers Worried over Holiday ID Theft

A majority of consumers believe they are more susceptible to identity theft during the holiday season, reports a survey by Sun Microsystems. The survey also showed that many shoppers will take their business elsewhere if their personal data is compromised. Sun Microsystems Inc. released findings this week from a recent survey conducted on its behalf by Harris Interactive that examined consumer views on holiday online shopping and online banking. The nationwide survey of more than 2,000 U.S. adults revealed that one in three has been a victim of identity theft or knows someone who has been victimized, and a majority say they are likely to stop shopping and banking with institutions that put their personal data at risk. Nearly two-thirds of U.S. online adults plan to shop online this holiday season. Americans are, however, taking notice of how banking institutions and retailers treat their personal data and will hold them culpable if their data is compromised. “Not only will data breaches at online retailers and financial institutions result in bad publicity, but the survey results suggest they’ll also result in lost revenues and lost customers,” said Sara Gates, vice president of Identity Management at Sun Microsystems. “And as guidelines and legislation around customer notification continue to get implemented, we think more and more customers will demand that the companies they choose to do business with have a method of securing their personal information.” [Source]

 

WW – IBM VP: Global Body Needed to Establish Standards for Identity Verification

Cal Slemp, vice president and global leader for security and privacy services at IBM Global Services, said recently that international standards are needed for quick and accurate verification of personal identities. The need is particularly urgent as the United Kingdom and the U.S. increase their use of biometrics and other technology in ID cards and border screenings, Slemp said. A third party is needed to establish standards that countries could then build from to meet their needs. [Source]

 

WW – Sony DRM Plan Triggers Civil and Class Action Lawsuits

The fallout from a hidden copy-protection program that Sony BMG Music Entertainment put on some CDs is only getting worse. Sony’s suggested method for removing the program actually widens the security hole the original software created, researchers say. [Source] [Civil and Class Action Lawsuits Filed] Texas Attorney General Greg Abbott filed a civil lawsuit on Monday against Sony BMG Music Entertainment for allegedly including spyware within the copy-controls on its CDs. Texas is seeking civil penalties of $100,000 per violation of the state’s Consumer Protection Against Computer Spyware Act, which was enacted earlier this year. [Coverage] [Complaint] The Electronic Frontier Foundation, along with two leading national class action law firms, has filed a lawsuit against Sony BMG, demanding that the company repair the damage done by the First4Internet XCP and SunnComm MediaMax software it included on over 24 million music CDs. The suit, to be filed in Los Angeles County Superior court, alleges that the XCP and SunnComm technologies have been installed on the computers of millions of unsuspecting music customers when they used their CDs on machines running the Windows operating system. [Source]

 

WW – Machines and Objects to Overtake Humans on the Internet

Machines will overtake humans to become the biggest users of the Internet in a brave new world of ‘always on’ electronic sensors, smart homes, and tags that track users’ movements and habits, the UN’s telecommunications agency predicted. In a report entitled “Internet of Things”, the International Telecommunication Union (ITU) outlined the next stage in the technological revolution where humans, electronic devices, inanimate objects and databases are linked in real time by a radically transformed Internet. [Source]

 

US – Are You a ‘Public Figure’?

Can being mentioned on the net turn an ordinary citizen into a public figure with severely limited abilities to fight libel and defamation lawsuits? According to a Florida judge’s ruling – perhaps the first of its kind in the United States – the answer is yes. In an Oct. 21 ruling, Florida circuit court Judge Karen Cole threw out a defamation case against two TV stations because she deemed the plaintiff – a Jacksonville woman – to be a public figure who had been subject to “substantial” internet debate. [Source]

 

UK – Commuters Face Airport-Style Scans

Rail and London Underground passengers could soon face airport-style scanning techniques under new anti-terror plans, the transport secretary revealed today. Alistair Darling pledged to reduce the risk of another terrorist attack on London but admitted that security systems on rail networks would never be as stringent as those in airports. [Source]

 

SA – New Legislation to Protect Privacy

In South Africa, giving out or selling people’s personal information could land you behind bars for 10 years. With the introduction of laws protecting personal information, the police will also be barred from seizing documents containing communication between a professional legal adviser and his client. And, if the Protection of Personal Information Bill is passed by parliament, it will be against the law to insist on being given certain information such as a person’s sexual orientation, age, or religion. The bill will introduce new laws protecting the right to privacy and regulating the way in which information is gathered. [Source]

 

WW – Hackers Installing Keyloggers at a Record Rate

Keyloggers are becoming an indispensable tool for online fraudsters, if research from iDefense is any indication. The digital underground is on pace to launch an unprecedented 6,191 keyloggers by year’s end -- a 65% spike from the 3,753 released last year. “Keylogging is a very effective method for hackers,” Joe Payne, vice president of iDefense Security Intelligence Services, a division of Mountain View, Calif.-based VeriSign Inc., said in a statement released Tuesday. “Fraudsters can launch hundreds of keylogging attacks around the world in seconds, gathering sensitive data to conduct large-scale monetary transfers for their illegal activities.” Security experts have fingered keyloggers as one of the more insidious forms of spyware. [Source] [Source]

 

WW – Internet Companies Create Download Standard to Fight Spyware

An anti-spyware initiative backed by Internet portals Yahoo and AOL would certify downloadable software as consumer-friendly and non-invasive. Under the program, which was to be formally announced this week, developers that want to obtain certification for their downloads would also have to prove their products can be easily removed from computers once installed. TRUSTe, an organization that already certifies and monitors website privacy and e-mail practices for businesses, will rely on testing by two outside labs for the vetting. It would not name the labs. Developers earning TRUSTe’s certification will not be permitted to promote that fact, said its executive director, Fran Maier. Rather, TRUSTe will issue a “white list” of trusted programs that partners Yahoo Inc., America Online Inc., CNET Networks Inc. and other Web publishers may use in determining whose software they wish to ally with or distribute. The Trusted Download Program is to begin early next year. [Source] [Source] [Source]

 

WW – APEC Ministers Endorse Privacy Framework for Information

Ministers of the 21 member economies of the Asia-Pacific Economic Cooperation (APEC) forum have endorsed a framework agreement that will strengthen electronic commerce in the region by guaranteeing quick, safe and confidential transfer of information across borders, according to a November 16 news release from the APEC Electronic Commerce Steering Group. The ministers, gathered in Busan, South Korea, for the 17th Annual APEC Ministerial Meeting, approved the APEC Privacy Framework, a plan to facilitate the cross-border flow of information while protecting from criminal activity the personal and sensitive data of consumers, businesses and governments. [APEC Privacy Framework]

 

US – Groups Outline Effective ID Theft Law

EPIC and 12 privacy and consumer groups have set out a framework for effective legislation to address the growing problem of identity theft. Identity theft now costs the economy over $50 billion annually, and consumers foot much of the bill. The groups recommend strong notification requirements, better consumer control over personal information, limits on the use of the SSN, regulation of commercial data brokers, and protection for good state privacy initiatives. [Coalition Letter on Effective Identity Theft Prevention]

 

US – Industry Calls for Uniform Federal Security-Breach Notification Standards

Mark Bohannon, the Software and Information Industry Association’s (SIIA) general counsel, recently testified before the House Financial Services Committee and asked federal lawmakers to create a uniform standard for security-breach notification to replace the myriad of state laws that currently regulate information brokers. The SIIA is pushing for a “meaningful threshold for breach notification” to avoid consumer confusion. The group also is seeking clarification of the definition of personal information to exclude data available from public sources. [Source]

 

US – Revised America Online Inc. Privacy Policy Permits Targeting Of Ads

AOL’s revised privacy policy allows the tracking of what users do at its sites to tailor news, weather and ads based on online habits. Under its old policy, the company was prohibited from serving up targeted ads and content. The new policy also makes official a marketing practice the company stopped a year ago – sharing names and home addresses with other companies. [Source]

 

US – HP Buys Defunct User Group Data

Hewlett-Packard was the highest bidder for the now-defunct Interex HP user group’s customer database and mailing list, which were auctioned off late last month after Interex declared itself bankrupt. HP offered US$66,500 for the database and mailing list, topping two other bidders. By purchasing what are, in effect, the records of its own customers, HP sees itself as being akin to a white knight. It won’t comment on how it plans to use the information, but HP spokesman Don Gentile says the Interex data is being purchased “to ensure that the privacy of our customers would not be compromised”. Interex filed for Chapter 7 bankruptcy protection in August, after closing its operations in July and cancelling its annual HP World conference. The user group shut down after incurring about US$4 million in debt. The sale of the customer database and mailing list by the court-appointed trustee was designed to help pay off its creditors. Bidding began after Genisys offered to buy the database for US$15,000. Trustee Carol Wu then auctioned the list after receiving bids from HP and another bidder. [Source]

 

US – FDA Approves Injecting ID Chips in Patients

The U.S. Food and Drug Administration has approved the practice of injecting humans with tracking devices for medical purposes, according to a Florida company that makes the devices. Applied Digital, maker of the implantable VeriChip for humans, announced Wednesday the FDA’s approval of its technology for use in hospitals following a yearlong review by the agency. The computer chips, which are about the size of a grain of rice, are designed to be injected into the fatty tissue of the arm. Using a special scanner, doctors and other hospital staff can fetch information from the chips, such as the patient’s identity, their blood type and the details of their condition, in order to speed treatment. [Source]

 

US – Survey: Consumers “Somewhat Willing” to Pay Fees to Keep Accounts Secure

A survey by Unisys has found that nearly 40% of Americans are somewhat willing to pay for identity theft protections compared with 27% of respondents in 2004. The survey also showed that 73% of Americans are worried about thieves using their bank accounts or credit cards. [Source]

 

UK – Passport Price Forced up by Biometric Chip Costs

The price of a UK passport is to rocket 18 per cent because of the cost of new security measures including biometrics. From December the price of a standard 10-year adult passport will jump £9 to £51. The government said the price hike reflects the cost of implementing anti-fraud measures to combat the rapidly growing threat of passport fraud and forgery. Anti-fraud features include the gradual introduction of new biometric ‘ePassports’ from February 2006, which will contain a scan of the holder’s facial features embedded in a chip. The UK Passport Service said it will manage the volume of biometric ePassports issued during the anticipated six-month rollout period. Biometric and traditional passports will be identically priced during that period but that will cease when biometric passports are fully rolled out and old-style passport production stops. [Source]

 

US – Debate About Magnetic Hotel Room Keys Escalates

The American Hotel and Lodging Association estimates that 83% of hotels have electronic locks – most of which use magnetic swipe-card technology for entry to a hotel room. Concern about the inadequate security of magnetic cards was stirred anew recently by the alleged discovery of personal information encoded on cards used by at least three hotel chains. While the companies deny that personal information is encoded on the magnetic key cards, some chains are moving to new technology – a change that will likely take some time to spread throughout the industry, experts say. Nonetheless, consumers are urged to treat the cards as if they did contain sensitive personal information. [Source]

 

CA – CCTV Deployed in Downtown Thunder Bay

Eight years, three city councils, 15 public sessions and more than 100 committee meetings later, 16 cameras in a dozen locations are eyeballing Thunder Bay’s downtown cores to deter crime and make residents feel safer. The Eye on the Street surveillance camera program was officially launched Tuesday. [Source]

 

US – New Library Program to Help Improve Privacy Protection

All county library patrons will soon have to use their library card numbers to use the Internet, but officials say their privacy will be more secure than ever. The new $307,000 computer system doesn’t keep a record of what materials a user has examined, said Laurie Hayes, a spokesman for the library system. And while the current system maintains a cache of Web sites visited, making it easy to see what the previous user was examining, the new system will automatically erase all references, bookmarks and history as soon as a user leaves the system. “There is no record anywhere of what you have been doing,” Ms. Hayes said of Internet access. “It is safer than what currently exists - there is no way for a patron or our staff to see what you have been doing.” The changes in library access come as Congress is reauthorizing the Patriot Act, a controversial 2001 federal law that gave investigators in terrorism cases broad powers to search people’s personal records, including library records. “This has absolutely nothing to do with homeland security,” Ms. Hayes said of the new program. [Source]

 

KR – Groups Select Samsung SDI as Worst Privacy Offender

Civic groups have selected Korea’s high-tech manufacturer Samsung SDI as the “worst private company” offender on the suspicion it tracked the mobile phones of its employees to monitor their whereabouts. Samsung SDI won the first Korean version of the “Big Brother” awards on Tuesday. It was arranged by civic groups to increase public awareness of excessive surveillance by government and big business. A total of 27 awards were given in three categories, including the worst companies, government ministries and projects. Samsung SDI was chosen among 10 corporations exposed by the groups for their abuse of privacy rights. Credit card issuer BC Card, accused of gathering excessive personal information of their customers, was one of the winners. [Source]

 

US – Cable Companies Plan to Roll out Cable Boxes that Track Viewing Habits

Two cable companies in the U.S. are planning to introduce cable boxes next year that would track what a subscriber watches. The software, after factoring in an address, would then estimate age, gender, interests and income to help advertisers send targeted ads to different viewers. The new practice would likely draw opposition from privacy advocates. Although it may be a while before the technology is available in Canada, advertisers, broadcasters and media buyers are eager for its arrival. [Source] [Source]

 

WW – Vital Data often Stored on Unsecured Devices

One in three mobile computers and smart phones is not protected with a password or security lock, even though they contain PIN codes and sensitive information, a survey showed on Monday. “Three out of 10 of these sloppy, handheld-happy users store their PIN numbers, passwords and other corporate information on them,” according to the annual Mobile Usage Survey from security software firm Pointsec. Smart phones are handsets mainly used by business users offering limited PC-type functionality, including e-mail. According to the global survey, corporate personnel now store huge amounts of corporate data on their mobile devices, including customer contacts, e-mail details, passwords and bank account details as well as personal and private information. More people than ever admit to having lost their mobile device. This year, 22% of interviewees said they had lost their device against 16% in 2004. Of those who lost their smart phone or handheld computer, 81% had not encrypted the information on it. [Source]

 

US – Congress Reaches Tentative Deal on Changes to Patriot Act

House and Senate negotiators reached a tentative agreement on revisions to the USA Patriot Act that would limit some of the government’s powers while requiring the Justice Department to provide a better accounting of its secret requests for information on ordinary citizens. But the agreement would leave intact some of the most controversial provisions of the anti-terrorism law, such as government access to library and bookstore records in terrorism probes, and would extend only limited new rights to the targets of such searches. [Source] [CDT Letter]

 

US – Senate Considers Data Broker Regulation; Few Thrilled by ID Theft Bill

Last week, the Senate Judiciary Committee approved, by 13-5, a bill intended to protect consumers when data brokers reveal sensitive personal information. The bill, S. 1789, The Personal Data Privacy and Security Act, requires a data broker to warn consumers about a data breach if they face a “significant risk of harm” because of the breach. At issue is exactly what constitutes a significant risk, and whose job it is to decide that. As currently worded, the bill tacitly says that it’s up to the breached company to decide if the risk is significant. Said one Gartner industry analyst: “Who’s going to define what’s risky? It’s such a major loophole. They are avoiding that whole issue.” The bill was inspired by recent security breaches which have made the issue a priority. A similar bill called the Data Accountability and Trust Act is currently being marked up in the House Subcommittee on Commerce, Trade and Consumer Protection. Neither bill directly addresses who is responsible to decide what constitutes a significant risk, nor whether a Congressional bill would supersede the current state laws on the matter. The matter of determining what risk is significant is a slippery one. On one hand, “some disclosures are overboard. There are some very marginal risks, such as tapes falling off a UPS truck”. However, “Any data poses a risk of some sort in the wrong hands. No one knows what the crooks do with the information they get.” The best solution is to place tighter controls on sensitive information. “Instead of focusing on disclosure, (Congress should) just focus on not breaching security,” she said. “Try to prevent it from happening in the first place. There are no standards being created except for disclosure.” [Source] [S. 1789, the Personal Data Privacy and Security Act of 2005] [Source]

 

US – Senate Passes Health Technology Bill

The Senate likes the idea of carrying your medical records on a key chain. The chamber has passed a bill that encourages the Health and Human Services Department to find ways to improve the information technology used in health care. Under the bill, hospitals and other health care providers could apply for grants to create new technologies. Such technology might create a universal way to carry records on a key chain. Sen. Mike Enzi, R-Wyo., said advanced technology would mean patients no longer have to fill out a clipboard about their health whenever they visit a new doctor. Privacy advocates are concerned that the bill doesn’t include enough privacy protections. [Source]

 

US – Survey: What is a Privacy Professional?

What makes up the daily life of a privacy professional? According to a 2005 joint survey by the International Association of Privacy Professionals (IAPP) and the Ponemon Institute, privacy officers spend roughly half their time on three activities: responding to incidents, developing and implementing policies, and advising the organization on proper privacy practices. See the table below for the full breakdown. [Source]

 

| Core activities | % of total time |
|---|---|
| Responding to incidents | 19 |
| Developing and implementing policies and guidance | 14 |
| Advising/consulting the organization | 13 |
| Administration (personnel and budget) | 9 |
| Developing and performing training and communications | 8 |
| Developing privacy strategies | 7 |
| Analyzing regulations | 7 |
| Performing risk assessments and data inventories | 5 |
| Monitoring and measuring compliance (enforcement) | 4 |
| Reporting to management | 2 |
| Other | 12 |

 

 

US – News Trucks Equipped With GPS Tracking Equipment

Employees of WABC-TV in New York are concerned about their privacy since GPS transmitters were installed in their news trucks. The head of Local 16 of the National Association of Broadcast Engineers and Technicians says that members are concerned about the possible misuse of information collected by the system. The use of the technology continues to be a workplace concern as companies rely on the technology to track the whereabouts of their employees. [Source]

 

WW – New Technology Provides Voice Confidentiality in Open Environments

A device called Babble aims to drown out eavesdropping by office mates. In the age of cubicle farms and other open-office environments, overhearing the details of co-workers’ failed dates and surreptitious doctors’ appointments is now an unwelcome fact of corporate life. Enter Babble, a device that turns a neighboring worker’s speech into indecipherable gibberish. According to its marketers, Babble’s technology provides “voice confidentiality” at your desk, which the company says can be useful when employees are discussing sensitive or proprietary information. It also claims the device offers reduced distraction for employees who may find themselves inadvertently eavesdropping on their coworkers’ conversations. The product, which hit store shelves this fall, uses patented technology that blends the user’s voice with random versions of the user’s exact voice. Herman Miller, parent company of Babble distributor Sonare Technologies, says it’s “privacy without walls.” [Source]

 

WW – Study: Unencrypted Backup Tapes “Still the Norm”

Almost a year of near-continuous warnings about the vulnerability of backup tapes has gone unheeded, results from a survey showed today. Less than a quarter of companies currently encrypt their backup tapes, closely matching the results of a survey conducted in March 2005 (“Information at Risk: The State of Backup Encryption”, from research conducted by Enterprise Strategy Group, Inc.). In fact, DISUK’s global ‘Paranoia Audit 2005’ showed markedly less paranoia worldwide than might be considered healthy to ensure rigorous data security. Only 34% of respondents said that their corporate security policy included backup encryption, and only 23% said that it was actually taking place. However, of the non-encrypting 77%, more than 46% plan to incorporate encryption. But, overall, this still leaves almost one in six firms with no plans to encrypt backup tapes any time soon. The lack of a standard approach to data security also shows in inconsistency and uncertainty over precisely with whom, within organisations, responsibility lies. Less than one in five respondents cited the storage manager, with the security manager named by 41%. Of more concern, responsibility was deemed to be shared between these two by 17% of respondents, while nine percent admitted that responsibility was unclear and 2% replied that no-one was responsible. This suggests that lines of responsibility are either unclear or non-existent in more than a quarter of organizations. [Source]

 

-----------------------------------