WEEKLY PRIVACY-SECURITY REPORT
Document Sample


Privacy & Security News Brief
November 24 – November 30, 2007
Vol. 1, No. 8
TABLE OF CONTENTS
BIOMETRICS ..............................................................................................................................................................5
Biometrics won't fix data loss problems _______________________________________________________ 5
It could happen again _________________________________________________________________ 5
DATA BREACH ...........................................................................................................................................................5
$10,000 reward for missing VA computers _____________________________________________________ 5
Security Breach Costs Jump 30% _____________________________________________________________ 5
TJX e-mails tell the tale ____________________________________________________________________ 5
Report Details Real Costs of Data Breaches _____________________________________________________ 6
30,000 Dutch Telsell-customer credit card details stolen from Telsell computers, Telsell claims not their
responsibility ____________________________________________________________________________ 6
Canadian government exposes health data ______________________________________________________ 6
Hackers Cracked Charities' Addresses and Passwords _____________________________________________ 6
Hacker Steals Nonprofits' Data From Marketing Firm _______________________________________ 6
AIB error led 15,000 customers to get details of other accounts _____________________________________ 7
UK Government Loses Personal Details of 25 Million ____________________________________________ 7
Social Security numbers of former UF students leaked on Web site __________________________________ 7
E-COMMERCE ............................................................................................................................................................7
E-Commerce Fraudsters' Haul May Reach $3.6B in 2007 __________________________________________ 7
EDITORIALS & OPINION .........................................................................................................................................8
America Already Is in a Cyber War, Analyst Says________________________________________________ 8
Just An Online Minute... Opt-Outs Don't Solve Facebook Privacy Fiasco _____________________________ 8
Privacy and piracy: What are we telling the kids? ________________________________________________ 8
Scary Stuff ______________________________________________________________________________ 8
Why should we care about privacy? ___________________________________________________________ 9
Success of online services down to trust _______________________________________________________ 9
Experts: Privacy and security officers living in silos ______________________________________________ 9
Why Must ID Security Be So Hard? __________________________________________________________ 9
EDUCATION................................................................................................................................................................9
Network Access Control Helps With Wireless LAN Security at College ______________________________ 9
Public safety or 'big brother' watching: College mandates GPS cell phone tracking ____________________ 10
EMPLOYEE ............................................................................................................................................................... 10
FINANCIAL ............................................................................................................................................................... 10
GOVERNMENT – U.S. FEDERAL .......................................................................................................................... 10
TSA plan to gather more data protested _______________________________________________________ 10
Cellphone Tracking Powers on Request _______________________________________________________ 10
Cell Phone Tracking Powers Raise Privacy Concerns ______________________________________ 10
New Privacy Rules Imminent, Another Privacy Change Contemplated ______________________________ 10
GOVERNMENT – U.S. STATES .............................................................................................................................. 11
CALIFORNIA __________________________________________________________________________ 11
California Plan To Outsource E-Mail Service Raises Privacy Questions ______________________________ 11
COLORADO ___________________________________________________________________________ 11
Denver Deploys New Graffiti Surveillance System ______________________________________________ 11
FLORIDA ______________________________________________________________________________ 11
Florida Attorney General Brings Cyber Safety Program to Tallahassee ______________________________ 11
INDIANA ______________________________________________________________________________ 11
State sues do-not-call violators ______________________________________________________________ 11
OHIO _________________________________________________________________________________ 12
Next time you renew license, forget your Social Security card, BMV says ____________________________ 12
PENNSYLVANIA _______________________________________________________________________ 12
Ping: Bob Maley _________________________________________________________________________ 12
NEVADA ______________________________________________________________________________ 12
Nevada Tightens Payroll Security ___________________________________________________________ 12
HEALTH & MEDICAL ............................................................................................................................................. 12
NH may track prescription drugs ____________________________________________________________ 12
IDENTITY THEFT .................................................................................................................................................... 13
FTC Survey Shows 8.3 Million ID Theft Victims in 2005 _________________________________________ 13
FTC report: identity theft fell; results disputed ____________________________________________ 13
Reports show identity theft is a growing business, costing billions ____________________________ 13
INTERNATIONAL..................................................................................................................................................... 13
AFRICA.................................................................................................................................................................. 13
ASIA/PACIFIC ...................................................................................................................................................... 13
AUSTRALIA ___________________________________________________________________________ 13
Google-mobiles start snapping Aussie cities ___________________________________________________ 13
AFL apologises for privacy breach ___________________________________________________________ 13
Industry push on privacy laws ______________________________________________________________ 14
EUROPE ................................................................................................................................................................ 14
EUROPEAN UNION _____________________________________________________________________ 14
EU ponders targeted advertising privacy concerns _______________________________________________ 14
Warning on e-government 'risks' ____________________________________________________________ 14
FRANCE ______________________________________________________________________________ 14
France Announces Massive Internet Surveillance by ISPs _________________________________________ 14
GERMANY ____________________________________________________________________________ 14
Federal Parliament passes data retention and wire tapping legislation ________________________________ 14
IRELAND ______________________________________________________________________________ 15
Finance Minister Calls For Immediate Data Protection Review ____________________________________ 15
UNITED KINGDOM _____________________________________________________________________ 15
Privacy warning for young users of networking sites _____________________________________________ 15
MIDDLE EAST ..................................................................................................................................................... 15
ISRAEL _______________________________________________________________________________ 15
Google to hand over blogger's IP address ______________________________________________________ 15
SYRIA ________________________________________________________________________________ 15
Syria blocks Facebook in Internet crackdown __________________________________________________ 15
NORTH AMERICA .............................................................................................................................................. 16
CANADA ______________________________________________________________________________ 16
N.L. police probe security breach of patient information __________________________________________ 16
Tories introduce legislation to crack down on identity theft________________________________________ 16
Identity-theft proposal hailed as a first step _______________________________________________ 16
Reckless Data Handling Could Violate ID Theft Law ______________________________________ 16
Canadians want strong protections for health data _______________________________________________ 16
SOUTH AMERICA ............................................................................................................................................... 16
LEGISLATION – FEDERAL .................................................................................................................................... 16
Senators Raise Google-DoubleClick Questions _________________________________________________ 16
Google-Double Click Privacy Concerns Prompt Senate Protest _______________________________ 16
Genetic Nondiscrimination Bill Stalled in Senate _______________________________________________ 17
LEGISLATION – STATE .......................................................................................................................................... 17
LITIGATION & ENFORCEMENT ACTIONS ........................................................................................................ 17
TJX reaches $40m settlement with Visa over data breach _________________________________________ 17
Visa fines Ohio bank in TJX data breach ________________________________________________ 17
TJX consumer settlement sale offer draws scorn __________________________________________ 17
A Loss for Privacy Rights __________________________________________________________________ 17
Feds cancel Amazon customer ID request _____________________________________________________ 17
JPL Scientists Stand Up To Government For Right To Privacy _____________________________________ 18
MOBILE/WI-FI .......................................................................................................................................................... 18
Verizon Wireless Says 'Bring Your Own' Device _______________________________________________________ 18
iPhone IMEI privacy: Apple off the hook _____________________________________________________ 18
ODDS & ENDS .......................................................................................................................................................... 18
Teen questioned in computer hacking probe ___________________________________________________ 18
Google Service Uses Cell Towers to Locate Users ______________________________________________ 18
Eighty-Five Percent of Public Lack Confidence in Local Government's Computer Security, Survey Reveals _ 19
Is Obama the Privacy Candidate? ____________________________________________________________ 19
Obama Courts Tech Voters ___________________________________________________________ 19
Electronic Tracking 'Remedy' for Gang Violence _______________________________________________ 19
ONLINE ...................................................................................................................................................................... 19
Facebook May Revamp Beacon _____________________________________________________________ 19
Facebook 'to drop' creeptech ad system __________________________________________________ 19
Facebook alters notifications after privacy furor ___________________________________________ 19
Facebook responds to MoveOn criticism of ad program _____________________________________ 19
Facebook faces UK data probe ________________________________________________________ 20
Facebook Grants Email Opt-Out Amid Privacy Concerns ___________________________________ 20
Facebook's Tracking of User Activity Riles Privacy Advocates, Members ______________________ 20
Facebook hit with privacy backlash ____________________________________________________ 20
Privacy Fears over Facebook Feature ___________________________________________________ 20
Internet Users Give Up Privacy in Exchange for Trust ___________________________________________ 20
Personal Computing: The Threat of "Typosquatting" ____________________________________________ 20
RFID ........................................................................................................................................................................... 20
Benefits and Risks Of Fitting Patients With Radiofrequency Identification Devices_____________________ 20
Samsung brings mobile RFID chip to market; Big Brother is pleased ________________________________ 20
SECURITY.................................................................................................................................................................. 21
Defending Against Internet Security Risks Becoming More Difficult ________________________________ 21
Hacker Threat to U.S. Rising _______________________________________________________________ 21
Hackers Will Feed on Vista in 2008, Says McAfee ______________________________________________ 21
Voice over IP hacking is easy _______________________________________________________________ 21
Security Concerns Cloud Virtualization Deployments ____________________________________________ 21
Standards Suggested for Writing Secure Java __________________________________________________ 22
12 spam research projects that might make a difference __________________________________________ 22
Defense In Depth: A Blueprint For Security ___________________________________________________ 22
Special Section: Coverage of the UK 25M record Data Breach ............................................................................... 23
UK Government Loses Personal Details of 25 Million ___________________________________________ 23
U.K. Rocked by Loss of 25M Records __________________________________________________ 23
25 million reasons they're in trouble ____________________________________________ 23
Loss of data on 25 million people puts pressure on Brown ___________________________________ 23
Missing: 25 million child benefit records ________________________________________________ 23
Chancellor Does His Best to Assuage ID Theft Fears in Wake of Government Breach _____________ 23
Millions on fraud alert after benefit breach _______________________________________________ 23
Apologetic PM orders security check ___________________________________________________ 23
Individuals value their privacy – institutions do not (EDITORIAL) ____________________________ 23
Is 2,100 breaches of security a lot? _____________________________________________________ 23
Careless data loss 'should be an offence' _________________________________________________ 23
Security expert's data alert went unheeded _______________________________________________ 23
Government says data protection laws under review _______________________________________ 23
Chancellor under fresh fire over HMRC data loss __________________________________________ 23
HMRC fiasco places data protection in the spotlight _______________________________________ 23
Emails confirm HMRC mistake was attempt to save money _________________________________ 23
SEMINARS ................................................................................................................................................................. 24
PAPERS ...................................................................................................................................................................... 24
Security Experts Report on Hazards of New Surveillance Architecture ______________________________ 24
Self-disclosure, Privacy and the Internet ______________________________________________________ 24
ARTICLE SUMMARIES AND LINKS
BIOMETRICS
Biometrics won’t fix data loss problems
Six leading academics have written to a Parliamentary committee to express their dismay at the way biometrics has
been presented as a magic wand that would supposedly have stopped Darling's great data giveaway. The six said of
claims by the Prime Minister and his Chancellor: "These assertions are based on a fairy-tale view of the capabilities
of the technology and in addition, only deal with one aspect of the problems that this type of data breach causes."
Both Gordon Brown and Alistair Darling claimed, after the loss of CDs containing the details of 25m recipients of child
benefit, that the data would somehow have been protected by biometric information if we had national ID cards.
http://www.theregister.co.uk/2007/11/27/biometrics_not_magic_bullet/
(The UK Register – 11/27/07)
Also see:
It could happen again
http://www.newstatesman.com/200711290040 (New Statesman, UK – 11/29/07)
DATA BREACH
$10,000 reward for missing VA computers
An Indiana congressman says the Veterans Affairs hospital in Indianapolis failed to follow new safety protocols,
leading to a possible breach of veterans' personal information last weekend. U.S. Rep. Steve Buyer, a Monticello
Republican and the ranking GOP member of the House Veterans Affairs Committee, said he plans to return to
Indiana to get a briefing from hospital officials. "The information that was accessed should have never been
portable," Buyer said in an interview Thursday from Washington. The names, Social Security numbers and dates of
service of 12,000 veterans were compromised when three computers were stolen from the Roudebush Veterans
Affairs Medical Center over the Veterans Day holiday weekend, officials said. It was the third time computers
containing sensitive information have been stolen from a Veterans Affairs facility.
http://www.indystar.com/apps/pbcs.dll/article?AID=/20071128/LOCAL/71128044
(Indianapolis Star – 11/28/07)
Security Breach Costs Jump 30%
The cost of recovering from a single data breach now averages $6.3 million, up 31 percent since 2006 and
nearly 90 percent since 2005, according to the Ponemon Institute, which studies privacy and information
management. Two-thirds of that cost is spent recovering business that is lost after a breach, a cost that has risen 30
percent since last year. More customers stop doing business with a company after their information is exposed, and
it's getting more expensive to replace them. "As consumers and end users get more educated, I think there's less
tolerance," says John Dasher, the director of product management for PGP, which, along with Vontu, co-sponsored
the Ponemon study.
http://www.baselinemag.com/article2/0,1540,2223732,00.asp
(Baseline Magazine – 11/28/07)
TJX e-mails tell the tale
Executives at TJX Cos., which in January revealed a massive security breach that put millions of its customers'
personal information at risk, knew two years ago that the company's wireless payment network was vulnerable to
attack, according to court documents. In 2005, TJX officials also discussed the need to update the company's
wireless network security to a more secure WiFi protected access (WPA) system and whether it could be deferred to
save money, according to e-mail exchanges between TJX employees.
http://news.bostonherald.com/business/general/view.bg?articleid=1047504
(Boston Herald – 11/28/07)
Report Details Real Costs of Data Breaches
A Ponemon Institute study released Wednesday shows the cost of a data breach is becoming increasingly expensive
for firms—not so much because of the technological steps needed to fix the problem—but because the increasingly
savvy public bails on the victim of the breach and takes their business with them. The study found that data breach
incidents cost companies $197 per compromised customer record in 2007, compared to $182 in 2006. For a financial
services firm, the cost was even more expensive at $239 per lost record. Most of the cost, $128 out of the $197, is
from lost business and having to acquire new customers. This data, according to the study and some security experts,
is starting to affect how companies operate.
http://www.internetnews.com/ent-news/article.php/3713261
(Internet News – 11/28/07)
30,000 Dutch Telsell-customer credit card details stolen from Telsell computers, Telsell
claims not their responsibility
Customers of the television-sales organisation TelSell can not only tele-shop from their armchair; they also stand
a good chance of being robbed from that same chair. Earlier this year the details of more than 30,000 credit cards
were stolen from Telsell's computer systems. The details belong to customers who had ordered Telsell products in
the past, including slimming belts, fitness equipment and figure-correcting underwear. With the card details,
criminals can fairly easily make fraudulent charges for which the victims are billed. Telsell has known about the
theft for six months but has never informed the customers at risk. Instead, the company has taken the credit card
organisation, which is seeking to recover the stolen amounts from Telsell, to court. This emerged from court
documents obtained by De Telegraaf, the largest Dutch newspaper.
http://www.first.org/newsroom/globalsecurity/176842.html
(Telegraaf, 11/27/07)
Canadian government exposes health data
Officials in Canada are investigating a data breach that exposed the medical histories of an unknown number of
patients. The Government of Newfoundland and Labrador said that an anonymous security researcher claimed last
week that he had been able to remotely access the medical histories of patients in the area. Government officials said
that the data was being housed on a government computer located at the home of a consultant. The consultant had
taken the desktop system in order to work from home, but had exposed the data through an unprotected internet
connection which was then accessed by the researcher. Information stored on the machine included patients' Medical
Care Plan numbers, age and gender, physician's name and test results for diseases such as HIV and hepatitis.
http://www.vnunet.com/vnunet/news/2204369/canadian-government-exposes
(vnunet.com – 11/27/07)
Hackers Cracked Charities' Addresses and Passwords
Convio, a company that provides online database software and services to a number of charities and non-profit
organizations, announced in early November that hackers had been able to obtain access to the email addresses and
passwords belonging to thousands of people who donated money to its clients. Convio's Tad Druart says the
problem only affected users of GetActive, a business that the company acquired nearly a year ago. As of Nov. 14,
only four organizations had notified donors--freepress.net, CARE, the Museum of Natural History, and Credo
Mobile, a for-profit wireless company that tries to get its customers to support a number of progressive causes.
Although there is no evidence that any fraud has been committed, these organizations have urged donors to change
their passwords if they use the same password for other purposes. Other organizations affected by the breach have
been hesitant to inform donors, due in large part to fear that doing so would affect donations.
http://www.nytimes.com/2007/11/27/us/27charity.html
(New York Times – 11/27/07)
Also see:
Hacker Steals Nonprofits' Data From Marketing Firm
http://www.pcworld.com/businesscenter/article/140094/hacker_steals_nonprofits_data_from_marketing_firm.html
(PC World – 11/28/07)
AIB error led 15,000 customers to get details of other accounts
A significant error at AIB bank earlier this month led it to send 15,000 notifications to its customers containing the
private bank account details of other individuals. A total of 11,000 AIB customers are affected by the move, writes
John Downes. Last night, it also emerged that some of the bank account details sent to AIB customers in recent days
relate not just to AIB accounts, but also reveal the names and bank account details of customers with other banks.
It is understood that as many as 7,500 of the notices contained the names, addresses and full bank account numbers
of AIB customers. This means these details, contained in notices relating to "inward" payments, are now in the
possession of other customers of the bank.
http://www.ireland.com/newspaper/frontpage/2007/1123/1195682121693.html?via=me
(The Irish Times – 11/23/07)
UK Government Loses Personal Details of 25 Million
Disks containing personal data of 25 million child benefit recipients in England are lost in the mail. The British
government has lost confidential details of 25 million child benefit recipients that had been stored on two computer
disks, according to officials. Revenue and Customs, or HMRC, only admitted the loss Nov. 20, despite the breach
occurring Oct. 18, leading to the resignation of HMRC Chairman Paul Gray. The disks were lost while being
transported via internal mail from the National Audit Office department to HMRC. A junior employee at the
National Audit Office is believed to have sent the disks through the mail, but the disks didn't appear at HMRC.
Sending such information via internal mail is a breach of rules governing data protection. Copies of the disks were
then resent, using registered and traceable mail. This is also the second time since March that the data protection
rules had been broken by HMRC, although the first incident did not result in a data breach.
http://www.eweek.com/article2/0,1895,2219668,00.asp
(eWeek – 11/20/07)
For full coverage of the UK data breach, please see special section at end of Weekly Privacy Review
Social Security numbers of former UF students leaked on Web site
More than 400 former UF students might have been put at risk for identity theft after their Social Security numbers
were posted on UF's Computing & Networking Services Web site. A news release from the Liberty Coalition, a
group that works to preserve the privacy of individuals, said 14 files on the Web site contained "sensitive
information" of 534 former UF students, including 415 Social Security numbers. All the individuals were former
students of Richard Elnicki, a professor of information systems and operations management, and had taken classes
ISM 4220 or ISM 4330 with him between 1998 and 2001, the release stated.
http://www.alligator.org/articles/2007/11/21/news/campus/ssn.txt
(The Independent Florida Alligator – 11/07)
E-COMMERCE
E-Commerce Fraudsters' Haul May Reach $3.6B in 2007
CyberSource estimates that cybercriminals will intercept over $3 billion from e-commerce this year. Although
online merchants have implemented more secure tools for mitigating fraud, Web sites have consequently
experienced a slowdown for genuine customer orders. The percentage of orders manually reviewed by e-commerce
companies this year increased to 27 percent, while losses from fraudsters are slated to hit $3.6 billion, compared to
last year's total of $3.1 billion. CyberSource found that top merchants use up to eight antifraud tools on their sites,
while over half of those surveyed use at least five tools or more. Such fraud detection measures are costly, though,
and an estimated $100 million was lost to merchants due to the number of manual order reviews. Phishing tools and
corporate attacks have maintained their status as primary hacker strategies, but many companies have now employed
data encryption as a safeguard for potential losses.
http://www.ecommercetimes.com/story/60394.html
(E-Commerce Times – 11/19/07)
EDITORIALS & OPINION
America Already Is in a Cyber War, Analyst Says
The U.S. government has started to implement its plan for securing government and private networks against
cyberattacks, former CIA official Andrew Palowitch said Tuesday during a talk at Georgetown University's Center
for Peace and Security Studies. However, Palowitch said that specific details of the program are likely to remain
secret. The Defense and Homeland Security departments are responsible for the national cyber-security initiative,
which is tied to the establishment of a U.S. Air Force cyber command in September and the reallocation of $115
million to Homeland Security's cyber division in November. Palowitch said that he agrees with the assessment of
Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, that the country is already at war in cyberspace,
considering there have been about 13,000 direct attacks on federal agencies and 80,000 attempts on Defense
systems. Some of the attacks "reduced the U.S. military operational capabilities," Palowitch said.
http://www.infoinc.com/nascio/nascioHTML.html
(National Journal's Technology Daily – 11/27/07)
Just An Online Minute... Opt-Outs Don't Solve Facebook Privacy Fiasco
The more details that emerge about Facebook's Beacon platform, the worse an idea it seems. It's glaringly obvious
that the new program -- which alerts people's friends to their online purchases -- violates users' privacy. And, while
Facebook argues that the program poses no threat because users can always opt out of it, it has now come to light that
the opt-out mechanism itself is seriously flawed. The Associated Press reported last week that Facebook users who
make purchases at sites participating in the program have just 20 seconds in which to opt out of having that
information published. That's because the opt-out mechanism consists of a small pop-up that vanishes 20 seconds
after it appears. After the window disappears, so does the user's chance to opt out. At launch, 44 companies were
participating in the Beacon program, including movie ticketer Fandango, travel company Travelocity and online
shoe retailer Zappos.
http://publications.mediapost.com/index.cfm?fuseaction=Articles.showArticleHomePage&art_aid=71549
(Media Post Publications – 11/26/07)
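The flaw described above is a consent gate that fails open: if the user does nothing before the prompt disappears, the purchase is published. The model below is an added example written for this brief, not Facebook's Beacon code; the 20-second window is the one reported by the AP, while the gate names, the 'share' / 'dont-share' / 'dismiss' actions and the injected clock are assumptions made so the two designs can be compared deterministically and offline.

```javascript
// Added example (not Facebook's code): a Beacon-style timed opt-out prompt
// modelled beside a fail-closed opt-in prompt. Time is injected via tick()
// rather than setTimeout so the behaviour is deterministic and testable.

const PUBLISH = 'publish';   // purchase story goes to the user's friends
const SUPPRESS = 'suppress'; // nothing is published
const PENDING = 'pending';   // prompt still open, no decision yet

/**
 * Build a consent gate for one purchase event.
 *   mode 'opt-out': publish unless the user clicks "don't share" before the
 *                   prompt vanishes (the reported Beacon behaviour). Fail-open.
 *   mode 'opt-in' : publish only on an explicit "share" click; silence,
 *                   timeout or dismissal all suppress. Fail-closed.
 * timeoutMs is the prompt's lifetime (20 000 ms as reported; assumed here).
 */
function createConsentGate({ mode, timeoutMs = 20000 }) {
  let elapsed = 0;
  let outcome = PENDING;

  // First decision wins; later input cannot reopen a settled gate.
  function settle(result) {
    if (outcome === PENDING) outcome = result;
  }

  return {
    // Advance the clock. When the prompt's lifetime expires the gate settles
    // on its default, which is the whole difference between the two designs.
    tick(ms) {
      if (outcome !== PENDING) return outcome;
      elapsed += ms;
      if (elapsed >= timeoutMs) settle(mode === 'opt-out' ? PUBLISH : SUPPRESS);
      return outcome;
    },
    // The user acts on the prompt: 'share', 'dont-share', or 'dismiss'
    // (closed the window without choosing).
    userAction(action) {
      if (outcome !== PENDING) return outcome; // prompt already gone: input ignored
      if (action === 'share') settle(PUBLISH);
      else if (action === 'dont-share') settle(SUPPRESS);
      else if (mode === 'opt-in') settle(SUPPRESS); // dismiss counts as "no" only when fail-closed
      return outcome;
    },
    outcome: () => outcome,
  };
}

/**
 * Run one purchase through a gate with a scripted user.
 * steps: array of [msToWait, action|null]. Returns the final outcome once the
 * page view is over: anything still pending is resolved by the gate's default.
 */
function simulate(mode, steps, timeoutMs = 20000) {
  const gate = createConsentGate({ mode, timeoutMs });
  for (const [wait, action] of steps) {
    gate.tick(wait);
    if (action) gate.userAction(action);
  }
  if (gate.outcome() === PENDING) gate.tick(timeoutMs); // user navigated away
  return gate.outcome();
}

// Demonstration: the same user who only notices the prompt after 25 seconds.
console.log('opt-out, "don\'t share" at 25s:', simulate('opt-out', [[25000, 'dont-share']])); // publish
console.log('opt-in,  "share" at 25s:      ', simulate('opt-in', [[25000, 'share']]));       // suppress
console.log('opt-out, never saw prompt:     ', simulate('opt-out', [[5000, null]]));          // publish
console.log('opt-in,  never saw prompt:     ', simulate('opt-in', [[5000, null]]));           // suppress
```

The point of the comparison is the default: in the fail-open design every path that does not end in a timely "don't share" click, including never seeing the prompt at all, ends in publication, so the opt-out is only as good as the user's reaction time. In the fail-closed design the timer, dismissal and inattention all collapse to "suppress", and a late click cannot leak anything because the gate no longer accepts input once settled.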
Privacy and piracy: What are we telling the kids?
While I understand the frustration of artists and performers whose recorded works are taken and distributed without
consent or compensation, the MPAA and RIAA seem to be doing as much for the rights of those artists as the media
consumers -- that is to say, not much. In fact, there's every indication that these trade federations are doing a whole
lot more harm than good, ensuring short-term profits for their members at the expense of both their own longevity
and the U.S. legal system as it concerns intellectual works. Worse, they're misusing information security technology to
breed a generation of cynics, whose dim view of security, privacy and information governance puts us on the road to
lost opportunity (via way stations of mistrust and apathy). It's worth setting aside the legal minutiae, and the moral
debate as RIAA and the MPAA are attempting to frame it, to consider the messages this mess sends the kids.
http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9048698&taxonomyId=17&intsrc=kc_feat
(Computer World – 11/26/07)
Scary Stuff
Government and corporate officials responsible for compliance with privacy laws in Canada and Europe are using a
whole new language in 2007. Much of the jargon has passed by the American public. So listen up. This is important.
At their annual meeting this fall in Montreal, there was little of the traditional talk among the international privacy
people about the nuts and bolts of data protection. Instead, there were urgent and distressed discussions about
"uberveillance," "ambient technology," "ubiquitous computing," "ingestible bugs" and nanotechnology. The terms
may be overlapping and may in fact be somewhat synonymous. They all refer to an environment in which electronic
media are everywhere, gathering and processing information in a seamless way, beyond the control of each human
being.
http://www.forbes.com/opinions/2007/11/21/privacy-surveillance-technology-oped-cx_res_1126privacy.html
(Forbes – 11/26/07)
Why should we care about privacy?
Facebook and Google are regularly criticised for invading users' private spaces - and yet millions of us are happy to
keep using their services. Is it time we gave up arguing about privacy? Facebook's new advertising systems have
come in for plenty of criticism - not least this weekend, when we wrote that it was spoiling Christmas thanks to its
new "Beacon" feature. Beacon interacts with third party websites in order to add your commercial purchases into
your news feed: think "Bobbie just bought MIA's album from Amazon", or whatever. Opinion seems divided on
whether it's a good thing or a bad thing, although nobody seems particularly keen on the way it operates (if you don't
opt out from a Beacon alert, it tells the world what you've been buying). It all comes back to the age old argument.
Do users care about privacy - and should they?
http://blogs.guardian.co.uk/technology/2007/11/26/why_should_we_care_about_privacy.html
(The Guardian – 11/26/07)
Success of online services down to trust
Online organisations need to work harder to gain the trust of their users, researchers revealed today. The Economic
and Social Research Council claimed that surfers will only divulge information to trusted online third parties. "Even
people who have previously demonstrated a high level of caution regarding online privacy will accept losses to their
privacy if they trust the recipient of their personal information," said study leader Dr Adam Joinson of the School of
Management at the University of Bath.
http://www.vnunet.com/vnunet/news/2204096/trust-key-success-online
(vnunet.com – 11/22/07)
Experts: Privacy and security officers living in silos
In the past, a company's privacy and security officers worked within their own confined orbits, oblivious to the
common risks each department faced. But with corporate data breaches compromising nearly 216 million private
records, the two sides can no longer afford to ignore each other. Industry experts delivered that message during the
recent (ISC)2 SecureBoston conference in Quincy, Mass. Privacy and security teams should communicate regularly
on each others' challenges and activities, and should work together on an effective response plan in the event of a
data breach, the experts said. "With the growing data breach threat, privacy and security officers must work closer
than ever before and accept the fact that they are partners," said Peter Kosmala, assistant director of the York,
Maine-based International Association of Privacy Professionals (IAPP).
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1282982,00.html
(SearchSecurity.com – 11/20/07)
Why Must ID Security Be So Hard?
New York Times columnist M.P. Dunleavy lauds the credit bureaus for offering consumers credit freezes. However,
as the victim of ID theft, Dunleavy found in some research on the topic of credit freezes that consumers are faced
with a complex analysis of state laws and credit bureau policies before they proceed with obtaining a freeze on their
credit. He points out that the research is necessary because "even with the nationwide provision in place from the
bureaus, the freeze law in your state might be cheaper or more convenient." He adds that "two national freeze-rights
bills before Congress could help consumers protect their data more cheaply and easily." The credit bureaus, he
concludes, surely "can find ways to make freezes safe, simple and inexpensive for everyone."
http://www.nytimes.com/2007/11/17/business/yourmoney/17instincts.html?_r=3&r&oref=slogin&oref=slogin
(New York Times – 11/17/07)
EDUCATION
Network Access Control Helps With Wireless LAN Security at College
Securing wireless connections while maintaining connectivity was a vital aspect of the Secure LAN Strategy
launched by Dayton, Ohio's Sinclair Community College IT services director Scott McCollum in 2005. McCollum
recognized that problems with connectivity would have far-reaching implications for Sinclair. To realize his
ambitions, McCollum created a tiered-policy architecture and instituted two-factor authentication, by device and
user.
http://www.computerworld.com.au/index.php/id;880244998;fp;4194304;fpid;1;pf;1
(Computer World -11/27/07)
Public safety or ‘big brother’ watching: College mandates GPS cell phone tracking
A new, intrusive plan is underfoot, and may be coming to a college near you. Should cell phone ownership be a
requirement for college attendance? In the case of New Jersey's Montclair State University, every student will now
be required to have a cell phone — not just any cellphone — but one with GPS technology that enables emergency
locating of any student on campus — and it's all in the interest of "public safety".
http://www.clarksvilleonline.com/2007/11/27/public-safety-or-big-brother-watching-college-mandates-gps-cell-phone-tracking/
(Clarksville Online – 11/27/07)
EMPLOYEE
FINANCIAL
GOVERNMENT – U.S. FEDERAL
TSA plan to gather more data protested
A government proposal to start collecting birth dates and genders of people reserving airline flights is drawing
protests from major airlines and travel agencies that say it would be invasive, confusing and "useless." The
Transportation Security Administration (TSA) wants passengers to give the additional personal information — as
well as their full names — so it can do more precise background checks that it says will result in fewer travelers
being mistaken for terrorists. Travelers currently must provide only a last name and a first initial.
http://www.usatoday.com/travel/flights/2007-11-29-secure-flights_N.htm
(USA Today – 11/28/07)
Cellphone Tracking Powers on Request
Federal officials are routinely asking courts to order cellphone companies to furnish real-time tracking data so they
can pinpoint the whereabouts of drug traffickers, fugitives and other criminal suspects. In some cases, judges have
granted the requests without requiring the government to demonstrate that there is probable cause to believe that a
crime is taking place or that the inquiry will yield evidence of a crime. Privacy advocates fear such a practice may
expose average Americans to a new level of government scrutiny of their daily lives. Such requests run counter to
the Justice Department's internal recommendation that federal prosecutors seek warrants based on probable cause to
obtain precise location data in private areas.
http://www.washingtonpost.com/wp-dyn/content/article/2007/11/22/AR2007112201444.html?hpid=topnews
(Washington Post – 11/23/07)
Also see:
Cell Phone Tracking Powers Raise Privacy Concerns
http://www.efluxmedia.com/news_Cell_Phone_Tracking_Powers_Raise_Privacy_Concern_10968.html
(eFlux Media – 11/24/07)
New Privacy Rules Imminent, Another Privacy Change Contemplated
New rules providing privacy protection for case files posted online in the federal district, bankruptcy and appellate
courts are scheduled to take effect December 1, 2007. Some of the rules represent a change in Judicial Conference
policy. Meanwhile, a Judicial Conference committee is studying a related privacy issue: Whether courts should
restrict Internet access to plea agreements in criminal cases, which may contain information identifying defendants
who are cooperating with law enforcement investigations. The rules require parties to redact certain personal
information from each filing.
http://www.uscourts.gov/ttb/2007-11/new/index.html
(The Third Branch, Newsletter of the U.S. Federal Courts – 11/07)
GOVERNMENT – U.S. STATES
CALIFORNIA
California Plan To Outsource E-Mail Service Raises Privacy Questions
California is weighing a plan to hand off the hosting of e-mails--to, from, and between state workers--to either
Google (NSDQ: GOOG) or Microsoft (NSDQ: MSFT). Is everybody comfortable with that? Here's the background.
The California state government has formed a working group to study hosted e-mail offerings from Google and
Microsoft. The task force, comprised of technology officials from various state agencies, is evaluating the cost and
feasibility of moving e-mail services for as many as 250,000 state workers off of internally maintained systems and
onto Web-based platforms operated by one of the two tech giants.
http://www.informationweek.com/blog/main/archives/2007/11/california_plan.html
(Information Week -11/29/07)
COLORADO
Denver Deploys New Graffiti Surveillance System
Mayor John Hickenlooper, Graffiti Task Force Co-Chair Councilwoman Judy Montero and Denver Police Chief
Gerry Whitman announced that the City and County of Denver will participate in a beta test of a newly developed
graffiti surveillance system in an effort to mitigate the city's graffiti problem. Law Enforcement Associates (LEA)
will provide the Denver Police Department with eight of its Graffiti Cam units free of charge. LEA will also provide
free training to the Denver Police Department on product set up and installation, as well as free ongoing
maintenance and 24-hour tech support. If the department is satisfied with the results at the end of the 30-day beta
test, the units will be transferred to the Denver Police Department.
http://www.govtech.com/gt/articles/186222?utm_source=newsletter&utm_medium=email&utm_campaign=JPS_2007_11_26
(Government Technology – 11/15/07)
FLORIDA
Florida Attorney General Brings Cyber Safety Program to Tallahassee
Attorney General Bill McCollum today visited Leon High School in Tallahassee, Florida's oldest continuously
accredited high school, and spoke to students, teachers and administrators about the importance of cybersafety.
Designed to empower children to recognize and avoid Internet child predators, the Attorney General's program
combines real-life stories and examples to help students stay safe online. "The Internet provides our young people
exciting, ever-expanding opportunities for learning and communicating, but online dangers are also growing and
evolving," said McCollum. "I greatly appreciate the support of Florida's education community to bring this message
to our children and their parents. Their partnership is vital in our effort to reach every middle and high school
student in Florida."
http://www.govtech.com/gt/articles/207863?utm_source=newsletter&utm_medium=email&utm_campaign=GTSN_2007_11_27
(Government Technology – 11/20/07)
INDIANA
State sues do-not-call violators
A 2005-2006 telemarketing campaign in Northwest Indiana has resulted in a state lawsuit against three Illinois
companies. Indiana Attorney General Steve Carter announced his office has filed suit in Porter County against three
telemarketing firms, Sonnenschein Financial Services, based in Springfield, Ill., Sonnenschein Marketing Services,
of Matteson, Ill., and Target Marketing of Illinois Inc., of Matteson, for violating the state's do-not-call laws. The
Post-Tribune was unable to reach a spokesman for the three companies. The suit stems from nearly 80 consumer
complaints about a marketing campaign lodged with the attorney general's office from November 2005 through May
2006. "Any time you've got 80 complaints, you know there's got to be more people who got these calls who didn't
go through the (complaint process)," Carter said. "We don't know if there were hundreds (of other people) or
thousands."
http://www.post-trib.com/business/658761,carter.article
(Post-Tribune – 11/20/07)
OHIO
Next time you renew license, forget your Social Security card, BMV says
People renewing their Ohio driver's license card will no longer have to tear their homes apart trying to remember
where they hid their Social Security card. The state Bureau of Motor Vehicles announced yesterday that it has done
away with the Social Security card requirement to reduce wait times and improve customer satisfaction. The change
also applies to people renewing their commercial-driver's license or state identification card, as long as their card is
current or has been expired less than six months and their Social Security number is in the bureau's records. First-
time license applicants and new residents from other states or immigrants to the U.S. still must provide documents
that prove their date of birth and Social Security number.
http://wwwphp.dispatch.com/news-story.php?story=dispatch/2007/11/22/20071122-A1-01.html
(Columbus Dispatch – 11/22/07)
PENNSYLVANIA
Ping: Bob Maley
Bob Maley faced a number of challenges when he became Pennsylvania's first chief information security officer in
2005. Upon accepting the job Maley was charged with putting together a comprehensive security strategy and
architecture for 80,000 users on a limited budget. At the time, every one of Pennsylvania's 47 agencies took a
different view of security. The agencies handled content filtering on their own and there was no assurance that it was
being done--something that was a problem for a network that sees 1 billion events a month, Maley said. In addition,
server builds were different from agency to agency and there was no common desktop image. To address these
issues Maley and his team put in network intrusion prevention, an identity and access management program, and a
security assessment framework. Maley also worked to educate users about security. He started a security awareness
month in October as well as an online enterprise-wide security awareness program that all commonwealth
employees are required to participate in.
http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1280053,00.html
(Information Security – 11/07)
NEVADA
Nevada Tightens Payroll Security
Following a security breach involving over 400 missing CDs containing state employees' Social Security numbers
and other payroll information, Nevada has instituted more stringent security controls for managing employee payroll
data. Nevada's personnel department has delivered payroll data CDs to over 80 agencies every two weeks since
2004, but the missing disks prompted the implementation of tighter security standards for managing and collecting
employee payroll information. Employees will now be identified by unique identifiers instead of Social Security
numbers, and passwords will be required for CD access.
http://www.gcn.com/online/vol1_no1/45412-1.html
(Government Computer News – 11/14/07)
HEALTH & MEDICAL
NH may track prescription drugs
N.H. Lawmakers Set To Consider Electronic Prescription Drug Monitoring: Opponents of a prescription drug
monitoring bill cite privacy as one of the main drawbacks of a bill that would set up an electronic database for
certain classes of prescription medications, according to this Union Leader article. The Legislature has studied the
concept for nearly two years, and a bill is expected to emerge for consideration early in the new year after approval
last week in the House Health, Human Services and Elderly Affairs Committee. Supporters of the bill say that an
electronic system would reduce medical errors and help to identify patients suffering from prescription drug
addictions. The bill calls for an advisory council to oversee and establish the program. The advisory council would
have the authority to refer potential illegal activity to law enforcement and regulators, according to the article.
http://www.unionleader.com/article.aspx?headline=NH+may+track+prescription+drugs&articleId=5a2afbcc-3c3c-4c75-b8d2-dce8042bd8c3
(Union Leader – 11/18/07)
IDENTITY THEFT
FTC Survey Shows 8.3 Million ID Theft Victims in 2005
The Federal Trade Commission today released a survey showing that 8.3 million American adults, or 3.7 percent of
all American adults, were victims of identity theft in 2005. Of the victims, 3.2 million, or 1.4 percent of all adults,
experienced misuse of their existing credit card accounts; 3.3 million, or 1.5 percent, experienced misuse of non-
credit card accounts; and 1.8 million victims, or 0.8 percent, found that new accounts were opened or other frauds
were committed using their personal identifying information. The survey found that the costs associated with
identity theft varied widely. The survey first looked at the value of the goods or services that the thieves obtained
using the victims' personal information. In at least half of all incidents, thieves obtained goods or services worth
$500 or less. In 10 percent of cases, however, thieves got at least $6,000 worth of goods or services.
http://www.govtech.com/gt/articles/209065
(Government Technology – 11/27/07)
Also see:
FTC report: identity theft fell; results disputed
http://www.usatoday.com/money/industries/technology/2007-11-27-id-theft_N.htm
(USA Today – 11/27/07)
Reports show identity theft is a growing business, costing billions
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/11/28/BUV5TJVKQ.DTL
(San Francisco Chronicle – 11/28/07)
INTERNATIONAL
AFRICA
ASIA/PACIFIC
AUSTRALIA
Google-mobiles start snapping Aussie cities
Camera-shy pedestrians should be advised to stay indoors this summer as a fleet of Google-mobiles equipped with
roof-mounted cameras trawl Australian capital cities snapping locales for the Internet search giant's Google Street
View. The cars will be doing the rounds in Australian capital cities, taking 360 degree panoramic street-level
photographs to be used on Google Maps' Street View feature. The project, which has been running in the US since
May, has already captured images in 17 cities in North America and Canada.
http://www.itnews.com.au/News/65783,googlemobiles-start-snapping-aussie-cities.aspx
(IT News – 11/26/07)
AFL apologises for privacy breach
The AFL has apologised for a printing error that has affected the privacy of potentially hundreds of its members.
The league said it had already heard from 140 members who have received renewal forms that contain private
details of other people. "The AFL has been made aware that personal details such as name, email address, date of
birth and phone numbers of some AFL members have been printed on the renewal forms of another member," the
league said in a statement. "The AFL is currently trying to ascertain how many members have been affected by this
error, which occurred in the digital printing process at the mailhouse Printpoint, resulting in some personal contact
details of some members appearing in renewal invoices addressed to another member. "
http://www.theage.com.au/news/Sport/AFL-apologises-for-privacy-breach/2007/11/24/1195753365048.html
(The Age (Australia) – 11/24/07)
Industry push on privacy laws
The banking industry is pushing for an overhaul of privacy laws so lenders can check the history of customers who
may move between institutions seeking one more loan after borrowing to capacity elsewhere. Australia and New
Zealand are two of the only countries in the developed world where banks are unable to do credit checks of
customers who have yet to default but have taken out and used the maximum amount of loans with other lenders.
The chief risk officer of the Commonwealth Bank's retail banking division, David Grafton, who is heading an
industry taskforce charged with lobbying the Federal Government on the issue, said the change would help the
industry's role as being a "responsible lender".
http://business.smh.com.au/industry-push-on-privacy-laws/20071122-1c7o.html
(Sydney Morning Herald – 11/23/07)
EUROPE
EUROPEAN UNION
EU ponders targeted advertising privacy concerns
European Union regulators have concerns over online privacy and targeted online advertising is about to come under
heavy scrutiny. The online advertising industry is growing more than 25 percent a year and many large businesses
are looking to take advantage of advances in targeted advertising methods. But there is a balance to be struck, says
Vincent Bonneau from French telecom's research group Idate. The EU's scrutiny comes as over 13,000 Facebook
users have signed a petition protesting against the networking site's new advertising system which alerts members of
friends' purchases online.
http://www.bizreport.com/2007/11/eu_ponders_targeted_advertising_privacy_concerns.html
(BizReport – 11/26/07)
Warning on e-government 'risks'
Governments need to do more to ensure they preserve trust as they put more services online, says a report. Emerging
from a European Commission project, it warns that technology could lessen the trust governments have instilled in
citizens before now. Officials must move beyond security measures to reassure people about how they are being
treated, it said. The report comes as the UK government tries to reassure Britons after losing data records for 25
million people. The report was written by a research body, bankrolled by the EC's Information and Society Unit, that
is looking at "citizen-centric" e-government.
http://news.bbc.co.uk/2/hi/technology/7108967.stm
(BBC News – 11/23/07)
FRANCE
France Announces Massive Internet Surveillance by ISPs
In a breathtaking act of arrogance reminiscent of the heyday of Louis XVI, the French government and its overseers
(the entertainment industry), along with a cowering collection of gutless ISPs, have announced an agreement for
ISPs to become the Internet Police Force in France. Under the agreement (see below for links) ISPs will monitor
users for presumed illegal activities (read that as "file sharing") and send reports on the accused to what amounts to
an anti-piracy board. This board could then mete out punishments as it sees fit, including (attempted) banishment
from the Internet (via what amounts to a national blacklist).
http://lauren.vortex.com/archive/000331.html
(Vortex.com – 11/26/07)
GERMANY
Federal Parliament passes data retention and wire tapping legislation
The Bundestag has approved a bill that would amend wiretapping legislation and bring into force EU guidelines on
data retention of phone and Internet data. Federal Minister of Justice Brigitte Zypries defended the data retention
bill, saying that the country was not headed toward a surveillance society. Opposition parties voted against the bill,
which Zypries said would adopt the EU Data Retention Directive to a "minimal extent." A spokesman for legal
policy for the Greens, Jerzy Montag, said during heated debate of the bill that it was a "pitch-black day for civil
rights in Germany."
http://www.heise.de/english/newsticker/news/99158
(Heise Online – 11/17/07)
IRELAND
Finance Minister Calls For Immediate Data Protection Review
In the wake of the UK government security breach, Ireland's Finance Minister Peter Robinson has ordered a 4-week
review of the data protection systems in the Northern Ireland Civil Service. Robinson said that since last summer,
the protection of personal information of Northern Ireland citizens has been studied, according to this story in The
Irish Times. Robinson said the newly ordered review would look at the effectiveness of the data protection
safeguards already in place. When the news broke about the UK breach, calls flooded into the Information
Commissioner's Office in Northern Ireland.
http://www.ireland.com/newspaper/breaking/2007/1121/breaking77.htm
(The Irish Times – 11/21/07)
UNITED KINGDOM
Privacy warning for young users of networking sites
Official guidance for millions of people who use networking sites will be published today by the information
commissioner amid growing concerns that young people are being naive about the personal details they put online.
The watchdog fears that most youngsters do not realise that the information they place on websites such as MySpace
and Bebo leaves an electronic footprint which could be traceable to them in the future. In a survey by the
Information Commissioner's Office almost 60% of young people aged 14-21 said they did not realise the
information they placed online could be permanently linked to them.
http://www.guardian.co.uk/technology/2007/nov/23/news.facebook?gusrc=rss&feed=technology
(The UK Guardian – 11/23/07)
MIDDLE EAST
ISRAEL
Google to hand over blogger's IP address
Google Inc. (Nasdaq:GOOG) has agreed to supply the IP address of an Israeli blogger who used "Google Blogger"
for a blog in which he slandered Shaarei Tikva council members running for reelection. The election is being held
today. The slandered Shaarei Tikva council members asked Google for the blogger's name. They reached a
settlement with the company on the basis of an Israeli ruling on the subject. The settlement stipulates that 72 hours
before a hearing on the case at the Rishon LeZion Magistrates Court, the council members would leave the blogger a
message on his blog summoning him to the hearing, or else his IP address would be handed over. The notice would
invite the blogger to disclose his identity, participate in the hearing, or oppose the disclosure of his identity by filing
a motion as "anonymous".
http://www.globes.co.il/serveen/globes/DocView.asp?did=1000279585&fid=1725
(Globes Online – 11/27/07)
SYRIA
Syria blocks Facebook in Internet crackdown
Syrian users of Facebook said on Friday the authorities had blocked access to the social network Web site as part of
a crackdown on political activism on the Internet. "Facebook helped further civil society in Syria and form civic
groups outside government control. This is why it has been banned," women's rights advocate Dania al-Sharif told
Reuters. "They cut off communications between us and the outside world. We are used to this behavior from our
government," said Mais al-Sharbaji, who set up a Facebook group for amateur Syrian photographers. There was no
comment from the government, which has intensified a campaign against bloggers, virtual opinion forums and
independent media sites in recent months.
http://www.washingtonpost.com/wp-dyn/content/article/2007/11/23/AR2007112301259.html
(Washington Post – 11/23/07)
NORTH AMERICA
CANADA
N.L. police probe security breach of patient information
Officials in Newfoundland and Labrador are investigating a computer security breach involving sensitive patient
information that may have been accessed through the internet. The data, including lab test results for infectious
diseases such as HIV and hepatitis along with patient names and health numbers, was stored on a government
desktop computer. The computer was unplugged and taken to the home of a consultant working for the Provincial
Public Health Laboratory, something Wiseman said should never have happened.
http://www.cbc.ca/canada/newfoundland-labrador/story/2007/11/24/security-breach.html
(CBC News – 11/24/07)
Tories introduce legislation to crack down on identity theft
The federal Conservative government introduced legislation on Wednesday that would amend the Criminal Code to
crack down on those who steal people's identity information, Justice Minister Rob Nicholson said. Nicholson said if
passed, the bill would give police extra tools to catch those in possession of people's identity information before
fraud has been committed. "Every day, identity theft impacts the daily lives of more Canadians," Nicholson told
reporters in Ottawa.
http://www.cbc.ca/canada/story/2007/11/21/identity-theft.html
(CBC News – 11/22/07)
Also see:
Identity-theft proposal hailed as a first step
http://www.thestar.com/News/article/278914
(The Toronto Star – 11/22/07)
Reckless Data Handling Could Violate ID Theft Law
http://www2.csoonline.com/blog_view.html?CID=33323
(CSO Online – 11/27/07)
Canadians want strong protections for health data
An overwhelming majority of Canadians say the government must create strong new systems to protect their
personal health information, particularly as an increasing number of patient records are stored electronically, reveals
a new survey. There has been a major push across Canada in recent years to eliminate paper records and store more
patient information electronically as a way to increase efficiency and accuracy.
http://www.canada.com/topics/news/national/story.html?id=7a253d52-e834-484f-8a66-ffafe4ca213e&k=52768
(Canada.com – 11/20/07)
SOUTH AMERICA
LEGISLATION – FEDERAL
Senators Raise Google-DoubleClick Questions
The chairman of the Senate subcommittee on Antitrust, Competition Policy and Consumer Rights is urging the
Federal Trade Commission to be wary of Google's proposed $3.1 billion acquisition of DoubleClick. The acquisition
would combine two of the biggest players in online advertising. Google's text-based AdSense business is based on
clickable links, while DoubleClick's technology places targeted banner ads and other display advertising on popular
online sites.
http://www.eweek.com/article2/0,1895,2219600,00.asp
(eWeek – 11/20/07)
Also see:
Google-Double Click Privacy Concerns Prompt Senate Protest
http://www.internetnews.com/bus-news/article.php/3712386
(Internet News – 11/20/07)
Genetic Nondiscrimination Bill Stalled in Senate
With several private companies launching businesses to provide customers with unprecedented access to their
genomes' secrets, legislation protecting people from genetic discrimination is more timely than ever. But Sen. Tom
Coburn (R-Oklahoma) is single-handedly stalling federal legislation to do just that. The Senate passed earlier
versions of the bill twice before, but they were blocked from coming up for House floor votes. This year, the House
passed it by a bipartisan landslide, but Coburn has held up the legislation in the Senate, saying it could place too
much strain on businesses.
http://www.wired.com/science/discoveries/news/2007/11/genomics_sidebar
(Wired.com – 11/17/07)
LEGISLATION – STATE
LITIGATION & ENFORCEMENT ACTIONS
TJX reaches $40m settlement with Visa over data breach
Framingham retailer TJX Cos. said this morning it has reached an agreement with payment card network Visa USA
Inc. to fund up to $40.9 million for payments to certain banks following a massive breach of TJX's computer
systems through last year. Under the terms of the agreement, TJX, the parent of discount chains including TJ Maxx
and Marshalls, said banks that issued Visa payment cards potentially affected by the computer breach could receive
payments in return for agreeing not to sue or take other steps against TJX and banks such as Fifth Third Bancorp of
Ohio that process its transactions. Roughly 100 million credit- and debit-card accounts were compromised in the
intrusion first disclosed in January, the largest in history.
http://www.boston.com/business/ticker/2007/11/tjx_reaches_40m.html
(Boston Globe – 11/30/07)
Also see:
Visa fines Ohio bank in TJX data breach
http://www.boston.com/business/globe/articles/2007/11/24/visa_fines_ohio_bank_in_tjx_data_breach/
(Boston Globe – 11/24/07)
TJX consumer settlement sale offer draws scorn
http://www.theregister.co.uk/2007/11/20/tjx_settlement_offer_kerfuffle/
(The UK Register – 11/20/07)
A Loss for Privacy Rights
This week, the Supreme Court let stand a disturbing ruling out of California that allows law enforcement to barge
into people's homes without a warrant. The case has not prompted much outrage, perhaps because the people whose
privacy is being invaded are welfare recipients, but it is a serious setback for the privacy rights of all Americans. San
Diego County's district attorney has a program called Project 100% that is intended to reduce welfare fraud.
Applicants for welfare benefits are visited by law enforcement agents, who show up unannounced and examine the
family's home, including the insides of cabinets and closets. Applicants who refuse to let the agents in are generally
denied benefits.
http://www.nytimes.com/2007/11/28/opinion/28wed2.html?ei=5070&en=965404eccf2c1bd6&ex=1196917200&emc=eta1&pagewanted=print
(New York Times – 11/28/07)
Feds cancel Amazon customer ID request
Federal prosecutors have withdrawn a subpoena seeking the identities of thousands of people who bought used
books through online retailer Amazon.com, newly unsealed court records show. The withdrawal came after a judge
ruled the customers have a First Amendment right to keep their reading habits from the government. "The
(subpoena's) chilling effect on expressive e-commerce would frost keyboards across America," U.S. Magistrate
Judge Stephen Crocker wrote in a June ruling.
http://www.usatoday.com/tech/news/techpolicy/2007-11-27-feds-amazon_N.htm
(USA Today – 11/27/07)
JPL Scientists Stand Up To Government For Right To Privacy
Next week 28 NASA Jet Propulsion Lab scientists (including William Banerdt, a project scientist on the Mars rover
program) will fight for their right to privacy in the U.S. Ninth Circuit Court of Appeals in Pasadena, California.
They are fighting against Homeland Security Presidential Directive-12 (HSPD-12) that President Bush issued in
August 2004. Policies resulting from the directive require all federal employees and contractors to "voluntarily"
(JPL employees would be terminated immediately for non-compliance) sign a form allowing the government the
right to investigate them "without limit" for two years, even if they leave government work during that time.
http://blog.wired.com/wiredscience/2007/11/jpl-scientists.html
(Wired.com – 11/27/07)
MOBILE/WI-FI
Verizon Wireless Says ‘Bring Your Own’ Device
Verizon Wireless has stunned the wireless world by announcing that by sometime next year it will open its network
to "any apps, any device." The essence appears to be that Verizon will offer two flavors of service: its traditional
bundle, which typically includes a subsidy for phone purchase and various other features, and "bring your own"
device service, which will be open to any device that meets "minimum technical standards." The company went on
to say: "While most Verizon Wireless customers prefer the convenience of full service, the company is listening
through today's announcement to a small but growing number of customers who want another choice without full
service." Verizon Wireless had several reasons to get ahead on unbundled access. If it didn't, T-Mobile or Sprint
would surely have taken the lead. And the move helps attract devices that could compete against the Apple iPhone.
http://bits.blogs.nytimes.com/2007/11/27/verizon-wireless-says-bring-your-own-device/
(New York Times – 11/27/07)
iPhone IMEI privacy: Apple off the hook
Earlier this week anybody with an ounce of concern for their privacy gurgled with unabated horror at the news that
the iPhone might be sending its IMEI to Apple with every Weather and Stocks update. At the time, we pointed out
that packet-sniffing tests were still ongoing to ascertain exactly what the handset was transmitting; now the results
are in, and thankfully (although disappointing if you're the sort of soothsayer that enjoys predicting privacy
meltdown) it appears that the codes sent are identical among all iPhones.
http://www.myitablet.com/iphone-imei-privacy-apple-off-the-hook-201761.php
(My iTablet – 11/20/07)
ODDS & ENDS
Teen questioned in computer hacking probe
A New Zealand teenager has been questioned in connection with a scheme by hackers to remotely take over more than
1 million computers worldwide and use them for criminal activity, New Zealand police and the FBI said Thursday.
The FBI has identified at least 2.5 million unsuspecting computer users who have been victims of so-called "botnet"
activity. Hackers install viruses, worms and other attack programs that allow them to take over the computers and
use them to commit cyber crimes. Industry numbers suggest there are as many as 5 million infected computers.
http://www.cnn.com/2007/TECH/11/29/fbi.botnets/index.html
(CNN.com – 11/29/07)
Google Service Uses Cell Towers to Locate Users
Google launched a location service for mobile users that doesn't rely on GPS. Google Maps with My Location,
currently in beta, locates users who don't have GPS-enabled phones based on their proximity to nearby cell towers.
The result isn't as accurate as GPS (Global Positioning System) but works for people who lack the positioning
technology in their phones. "It helps users speed up search by showing the general neighborhood they're in," said
Steve Lee, product manager at Google for the service.
http://www.pcworld.com/article/id,140080-c,webservices/article.html
(PC World – 11/28/07)
Eighty-Five Percent of Public Lack Confidence in Local Government's Computer Security,
Survey Reveals
A Sophos survey reveals that 85 percent of the public believes that federal Web services have been vulnerable to
security breaches. Eighty-six percent of public users believe that local officials, not cybercriminals, are responsible
for security vulnerabilities. Sophos' poll found that almost 60 percent of the public believes that local authorities
should have more stringent procedures in place for securing public information, while 62 percent stated that both
public and private companies were equally negligent in reducing public security risks.
http://www.govtech.com/gt/articles/208163
(Government Technology – 11/21/07)
Is Obama the Privacy Candidate?
The Ponemon Institute has conducted a poll of 600 adults to find out how presidential candidates rate when it comes
to privacy protection. The survey found that Barack Obama is the top privacy candidate among the Democrats. On
the GOP side, 39 percent of respondents identified John McCain as the best privacy candidate. The poll also found
that young voters increasingly are concerned about privacy. Fifty-four percent of the 18- to 28-year-old adults said
privacy issues would be a factor they consider when choosing a candidate for president, compared to 40 percent of
other respondents.
http://redtape.msnbc.com/2007/11/americans-think.html#posts
(MSNBC – 11/20/07)
Also see:
Obama Courts Tech Voters
http://www.govtech.com/dc/articles/186290?utm_source=newsletter&utm_medium=email&utm_campaign=DC_2007_11_20 (Digital Communities Magazine – 11/15/07)
Electronic Tracking 'Remedy' for Gang Violence
Gang area zoning involves the zoning of specific known and targeted gang areas. Sky Detective, Inc. has a Pending
Patent for a GPS/CDMA assisted device that can be attached to individual gang members by order of the Court, as a
condition of their probation or parole, which provides the gang member's location at all times. He or she would not
be able to leave or enter designated areas (inclusion or exclusion zones) without alerting the Monitor for immediate
action.
http://www.govtech.com/gt/articles/184687?utm_source=newsletter&utm_medium=email&utm_campaign=JPS_2007_11_26
(Government Technology – 11/12/07)
ONLINE
Facebook May Revamp Beacon
In the wake of mounting criticism, Facebook executives are discussing changes to a controversial advertising tool
that publicizes users' Web activities outside of the popular social network. Alterations to the recently introduced
Beacon system could be announced as early as Nov. 29, BusinessWeek.com has learned. Executives of the three-
year-old company were in deep talks over proposed changes late into the afternoon on Nov. 28, according to a
person familiar with the matter. At issue is the Beacon program, which alerts members' Facebook "friends" to
purchases and other activities on third-party Web sites.
http://www.businessweek.com/technology/content/nov2007/tc20071128_366355.htm?campaign_id=rss_daily
(Business Week – 11/28/07)
Also see:
Facebook 'to drop' creeptech ad system
http://www.theregister.co.uk/2007/11/29/facebook_beacon_ditch/ (The UK Register – 11/29/07)
Facebook alters notifications after privacy furor
http://www.reuters.com/article/internetNews/idUSN2925736120071130 (Reuters – 11/30/07)
Facebook responds to MoveOn criticism of ad program
http://www.news.com/8301-13577_3-9821651-36.html?tag=cd.blog (CNet News – 11/22/07)
Facebook faces UK data probe
http://www.theregister.co.uk/2007/11/20/facebook_uk_data_protection/ (The UK Register – 11/20/07)
Facebook Grants Email Opt-Out Amid Privacy Concerns
http://blog.wired.com/business/2007/11/facebook-grants.html (Wired.com – 11/20/07)
Facebook’s Tracking of User Activity Riles Privacy Advocates, Members
http://online.wsj.com/public/article/SB119560466428899897-9XRA4XmBETuYnPhd3RuSQr5HKPs_20071221.html?mod=tff_main_tff_top (Wall Street Journal – 11/21/07)
Facebook hit with privacy backlash
http://www.theglobeandmail.com/servlet/Page/document/v5/content/subscribe?user_URL=http://www.theglobeandmail.com%2Fservlet%2Fstory%2FLAC.20071122.RFACEBOOK22%2FTPStory%2FBusiness&ord=214494&brand=theglobeandmail&force_login=true (Globe and Mail – 11/22/07)
Privacy Fears over Facebook Feature
http://www.msnbc.msn.com/id/21942570/ (Financial Times – 11/24/07)
Internet Users Give Up Privacy in Exchange for Trust
New research funded by the Economic and Social Research Council suggests that Internet users are likely to provide
more personal information online if they consider the Web site to be trustworthy. "Even people who have previously
demonstrated a high level of caution regarding online privacy will accept losses to their privacy if they trust the
recipient of their personal information," says Dr. Adam Joinson, head of the Privacy and Self-Disclosure Online
project. However, Internet users who have some concerns about a Web site will become more guarded and alter their
behavior.
http://www.sciencedaily.com/releases/2007/11/071122104159.htm
(Economic & Social Research Council – 11/26/07)
Personal Computing: The Threat of "Typosquatting"
In getting to Web sites, neatness counts. If you type in the wrong Web address, you might be in for a surprise. You
could be taken to a site run by a business that competes with the site you were trying to get to, to a rogue site that
lampoons the intended site, to a porn site that tricks you or your children into its seediness, or to a spam or phishing
site that steals your e-mail address, your money or your identity. This phenomenon goes by the names
"typosquatting" and "URL hijacking."
http://www.govtech.com/gt/articles/208732?utm_source=newsletter&utm_medium=email&utm_campaign=GTSN_2007_11_27
(Government Technology – 11/26/07)
RFID
Benefits and Risks Of Fitting Patients With Radiofrequency Identification Devices
In 2004, the United States Food and Drug Administration approved a radiofrequency identification (RFID) device
that is implanted under the skin of the upper arm of patients and that stores the patient's medical identifier. What are
the pros and cons of patients getting fitted with such an RFID chip? When a scanner is passed over the RFID device,
the identifier is displayed on the screen of an RFID reader. An authorized health professional can then use the
identifier to access the patient's clinical information, which is stored in a separate, secure database.
http://www.sciencedaily.com/releases/2007/11/071126201345.htm
(Science Daily - 11/28/07)
Samsung brings mobile RFID chip to market; Big Brother is pleased
Samsung's new chip will be able to interface with RFID tags built into various items like movie posters or tourist
exhibits, allowing services and products to be sold to you wherever you go. Privacy advocates may point out that the
same RFID chip could be used to track you wherever you go, whether you want it to or not. On the other hand, this
type of system may be able to pinpoint your wants and needs far better than the ham-handed advertising that we
currently suffer through.
http://www.gadgetell.com/2007/11/samsung-brings-mobile-rfid-chip-to-market-big-brother-is-pleased/
(Gadgetell – 11/28/07)
SECURITY
Defending Against Internet Security Risks Becoming More Difficult
Social engineering and the targeting of custom-made applications were the two major trends identified in the SANS
Institute's latest list of top Internet security risks. The former technique involves hoodwinking those with privileged
access, such as IT staff and executives, in order to compromise high-value computers. The latter consists of
attacking specially-built applications, frequently Web applications, to infect more computers on the client side and
expose data on the server side.
http://www.gcn.com/online/vol1_no1/45468-1.html
(Government Computer News – 11/27/07)
Hacker Threat to U.S. Rising
In response to the hundreds of assaults against government computer systems' firewalls on a daily basis, the U.S.
military is weaving computer technology into its standard warfare arsenal. Computer-security operations are
underway in all branches of the military, and the Air Force is establishing a full-blown cybercommand. The
military's blueprint is the "2006 National Military Strategy for Cyberspace Operations." In the 2007 fiscal year, the
Department of Homeland Security recorded 37,000 reports of attempted breaches on private and federal systems.
Many countries have advanced computer operations, and foreign hackers affiliated with hostile governments are
often believed to be behind attacks on U.S. systems, according to experts.
http://www.sacbee.com/111/story/520067.html
(Sacramento Bee – 11/26/07)
Hackers Will Feed on Vista in 2008, Says McAfee
Analysts at McAfee's Avert Labs predict that over 40 vulnerabilities in Windows Vista will be reported in 2008.
McAfee's Craig Schmugar asserts that Vista, in its first year, has escaped the notice of hackers, who are motivated
by money. In response to Microsoft's claim that Vista is more secure than Windows XP, Schmugar acknowledges
that the malware statistics are likely correct, but adds that Vista's superior performance stems not only from its
security competency, but also from the fact that it has largely been ignored by attackers to date.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=windows&articleId=9049018&taxonomyId=125
(Computer World – 11/26/07)
Voice over IP hacking is easy
An insecurity expert has worked out a way to hack into Voice over IP calls. UK-based VoIP expert, Peter Cox has
released proof-of-concept software that can eavesdrop on the VoIP-based phone calls. Called SIPtap, the software
snuffles around several VoIP call streams, earwigs in on them and records them as .wav files for later distribution.
All it takes is one trojan installed in the company's network and it is good night Vienna for your VoIP network.
http://www.theinquirer.net/gb/inquirer/news/2007/11/23/voice-ip-hack-easy
(The Inquirer – 11/23/07)
Security Concerns Cloud Virtualization Deployments
Security experts say virtual servers are vulnerable to the same types of attacks that physical servers are prone to, and
that they are also vulnerable to threats that exploit weaknesses in hypervisor technology. For instance, a security
attack that is designed to exploit a hypervisor could infect virtual machines that reside on the same physical host in
what is called a "virtual-machine escape." In this scenario, if a virtual machine "escapes" the isolated environment in
which it resides and interacts with the parent hypervisor, it could be possible for an attacker to gain access to the
hypervisor and thus gain control over other virtual machines and avoid the security controls that are designed to
protect the virtual machine.
http://www.networkworld.com/news/2007/112107-security-virtualization.html
(Network World – 11/21/07)
Standards Suggested for Writing Secure Java
The Secure Programming Council has created a series of documents that outline the skills coders need to write Web
applications that are more capable of withstanding attacks. The first of these documents was released earlier this
month and lists the skills that the council believes are essential to writing Java and JavaEE code that is free of flaws
that hackers could exploit. SANS Institute director of research Alan Paller says that some schools and groups offer
secure coding courses, but the curriculums are developed based on the instructors' knowledge and best efforts, often
contain security gaps, and do not adhere to industry standards for what the course should include. Paller says the
Secure Programming Council documents are intended to address such shortcomings by drawing from existing texts
as well as input from secure-coding trainers and businesses that work to train in-house programmers in secure
coding.
http://www.networkworld.com/news/2007/112007-java-programming-essentials.html
(Network World - 11/20/07)
12 spam research projects that might make a difference
Those who commit cybercrime know they need to stay on the cutting edge of technology to come up with new and
different ways to swindle people. Luckily, the good guys are also spending time in research labs developing ways to
thwart the latest tricks employed by spammers, phishers and other criminals. Below is a list of a dozen research
projects underway that focus on new technology and techniques to stop spam. While in many cases these projects
are reacting to exploits already in use, such as image spam and phishing, the work by these researchers is designed
to counter spammers' current developments and may also lead to prevention of future ones. This list, by no means
complete, contains select papers recently made public.
http://www.networkworld.com/news/2007/112007-spam-research.html
(Network World – 11/20/07)
Defense In Depth: A Blueprint For Security
As the IT network's borders blur, it is vital for security leaders to secure data however and whenever it is accessed.
Telecommuting and outsourcing, which occur at nearly every company, mean that employees are accessing
corporate resources through non-traditional networks, which could be compromised or hostile. Therefore, security
experts must design infrastructures that will reduce attackers' opportunities for data abuse. Companies should
implement data protection solutions as unified policies across applications and platforms, such as with the Trusted
Platform Module microcontroller. Controlling the way applications access the network is also key.
http://www.informationweek.com/management/showArticle.jhtml;jsessionid=Q2SHG3EH5GMIAQSNDLQCKHSCJUNN2JVN?articleID=203100772
(Information Week – 11/17/07)
Special Section: Coverage of the UK 25M record Data Breach
UK Government Loses Personal Details of 25 Million
Disks containing personal data of 25 million child benefit recipients in England are lost in the mail. The British
government has lost confidential details of 25 million child benefit recipients that had been stored on two computer
disks, according to officials. Revenue and Customs, or HMRC, only admitted the loss Nov. 20, despite the breach
occurring Oct. 18, leading to the resignation of HMRC Chairman Paul Gray. The disks were lost while being
transported via internal mail from the National Audit Office department to HMRC. A junior employee at the
National Audit Office is believed to have sent the disks through the mail, but the disks didn't appear at HMRC.
Sending such information via internal mail is a breach of rules governing data protection. Copies of the disks were
then resent, using registered and traceable mail. This is also the second time since March that the data protection
rules had been broken by HMRC, although the first incident did not result in a data breach.
http://www.eweek.com/article2/0,1895,2219668,00.asp
(eWeek – 11/20/07)
For more information, see:
U.K. Rocked by Loss of 25M Records
http://www.gcn.com/online/vol1_no1/45464-1.html (Government Computer News – 11/21/07)
25 million reasons they’re in trouble
http://news.scotsman.com/politics.cfm?id=1831812007 (Scotsman – 11/20/07)
Loss of data on 25 million people puts pressure on Brown
http://www.ireland.com/newspaper/front/2007/1121/1195251591168.html (Irish Times – 11/20/07)
Missing: 25 million child benefit records
http://www.silicon.com/research/specialreports/digitaldefences/0,3800014341,39169217,00.htm
(Silicon.com – 11/20/07)
Chancellor Does His Best to Assuage ID Theft Fears in Wake of Government Breach
http://news.bbc.co.uk/1/hi/business/7103940.stm (BBC News – 11/20/07)
Millions on fraud alert after benefit breach
http://www.ft.com/cms/s/0/5b99e960-9769-11dc-9e08-0000779fd2ac.html?nclick_check=1 (Financial
Times – 11/21/07)
Apologetic PM orders security check
http://www.guardian.co.uk/uklatest/story/0,,-7093807,00.html (The UK Guardian – 11/21/07)
Individuals value their privacy – institutions do not (EDITORIAL)
http://comment.independent.co.uk/commentators/article3182300.ece (Independent – 11/22/07)
Is 2,100 breaches of security a lot?
http://www.emergentchaos.com/archives/2007/11/is_2100_breaches_of_secur.html (Emergent Chaos Blog
– 11/22/07)
Careless data loss 'should be an offence'
http://www.timesonline.co.uk/tol/news/politics/article2933457.ece (Times Online – 11/24/07)
Security expert's data alert went unheeded
http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/11/25/ncustoms625.xml (UK Telegraph –
11/25/07)
Government says data protection laws under review
http://www.techworld.com/applications/news/index.cfm?newsID=10756&pagtype=sa (Techworld –
11/26/07)
Chancellor under fresh fire over HMRC data loss
http://www.computerworlduk.com/management/government-law/public-sector/news/index.cfm?newsid=6447 (ComputerworldUK – 11/29/07)
HMRC fiasco places data protection in the spotlight
http://www.whatpc.co.uk/computing/analysis/2204470/hmrc-fiasco-places-protection-3680396 (What PC?
– 11/29/07)
Emails confirm HMRC mistake was attempt to save money
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=hardware&articleId=9048719&taxonomyId=149&intsrc=kc_top (Computerworld – 11/29/07)
SEMINARS
Seattle Technology Law Conference
December 13-14, 2007
Seattle, WA.
http://www.lawseminars.com/seminars/07COMWA.php
US Department of Homeland Security Privacy Office Public Workshop - Developing Privacy Best Practices.
December 17-18, 2007
Arlington, VA
privacyworkshop@dhs.gov
ACI's 7th National Symposium on Privacy & Security of Consumer and Employee Information
January 23-24, 2008
Philadelphia, PA.
http://www.americanconference.com/privacy
Computer Professionals for Social Responsibility: Technology in Wartime Conference
January 26, 2008
Stanford University
http://cpsr.org/news/compiler/2007/Compiler200707#twc
IAPP Privacy Summit
March 26-28, 2008
Washington, D.C.
http://www.privacysummit.org/
Conference on Ethics, Technology and Identity
June 18-20, 2008
The Hague
http://www.ethicsandtechnology.eu/ETI
_____________________________________________________________________
PAPERS
Security Experts Report on Hazards of New Surveillance Architecture
This summer's Protect America Act (PAA) temporarily authorized warrantless surveillance of communications that
Americans have with individuals abroad. The use of this authority will require the deployment of new interception
technologies. These new technologies raise several significant security risks. The report identified the three most
serious security risks. The experts pointed to the danger that the system could be exploited by unauthorized users.
Another risk is the misuse by a trusted insider. The third major risk is misuse by the US government.
http://www.crypto.com/papers/paa-comsec-draft.pdf
Self-disclosure, Privacy and the Internet
New research, funded by the Economic and Social Research Council, has revealed that internet users will reveal
more personal information online if they believe they can trust the organisation that requests the information. The
findings of the study are vital for those aiming to create online services that pose a potential privacy threat, such as
Government agencies involved in developing ID cards. The project found that even those people who declared
themselves unconcerned about privacy would soon become opposed to ID cards if the way that they were asked for
information made them feel that their privacy was threatened.
http://iet.open.ac.uk/pp/a.n.joinson/prisd/PRISD_report2.pdf