Privacy
May 07, 2008
* FBI Withdraws National Security Letter After ACLU and EFF Challenge

News release: "The FBI has withdrawn an unconstitutional national security letter (NSL) issued to the Internet Archive after a legal challenge from the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF). As the result of a settlement agreement, the FBI withdrew the NSL and agreed to the unsealing of the case, finally allowing the Archive's founder to speak out for the first time about his battle against the record demand...The NSL was served on the Archive -- a digital library recognized by the state of California -- and its attorneys in November of 2007. The letter asked for personal information about one of the Archive's users, including the individual's name, address, and any electronic communication transactional records pertaining to the user. Kahle, who is also a member of EFF's Board of Directors, decided to fight the NSL because it exceeded the FBI's limited authority to issue such demands to libraries."

May 05, 2008
* States Create Data Warehouse for Student Info From Kindergarten Onward

Huge Databases Offer a Research Gold Mine — and Privacy Worries

"As states create warehouses of information about students, scholars see opportunities to assess the effectiveness of education...The fusion-center debate has an echo in the world of education research. Now that Congress has rejected the idea of a national "unit-record tracking" system for student data, scholars and policy analysts are tantalized by the possibility that states will beef up their own education-data centers. The most celebrated example is Florida, which began in 2001 to assemble a "data warehouse" that allows officials to track a person's progress from kindergarten through graduate school and beyond, including postcollege wages and employment, military service, incarceration, and receipt of public assistance." [The Chronicle of Higher Education. Section: The Faculty, Volume 54, Issue 35, Page A10]

May 04, 2008
* Digital Directory for 800 Telephone Companies Sparks Concern

The Ultimate Little Black Book - One Firm Routes All Phone Calls in North America, by Ellen Nakashima, Washington Post.

"Sterling-based NeuStar is the carriers' digital directory for all phone calls in North America. More than 800 telephone companies have numbers in the database...NeuStar's databases are so powerful that the FBI a few years ago sought direct, unfettered access to one containing 310 million phone numbers in the United States and Canada. The telephone companies that pay NeuStar to run the database denied the FBI's request, but they did allow NeuStar to create a site where authorized law enforcement officials with court orders can obtain carrier information on telephone numbers. NeuStar is part of an evolving telecom industry that is creating caches of information attractive to the government without clear guidelines governing who may have access and under what circumstances. Its registries fall under international, U.S. government and trade association rules, including those set by the Federal Communications Commission."

* CDT Testimony: DHS, State Using Insecure RFID Technology

Center for Democracy and Technology (CDT): "The long-range or "vicinity" Radio Frequency Identification (RFID) technology chosen by the Departments of Homeland Security and State for government-issued ID documents poses serious risks to personal privacy and security, CDT testified today before a Senate Homeland Security Subcommittee. CDT recommended that DHS and State abandon the technology, which was originally developed to track things, not people, and that encryption be used to protect a citizen's unique ID number. CDT also urged Congress to support legislation or regulations banning unauthorized "skimming" of RFID chips and prohibiting use of the passport card and Enhanced Driver's License beyond border security."

May 02, 2008
* An Introductory Resource Guide to Implementing the Health Insurance Portability and Accountability Act

"NIST announces the release of the public draft of Special Publication 800-66 Revision 1, An Introductory Resource Guide to Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (Draft). This Special Publication (SP), which discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule, was written to help educate readers about information security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security standards set out in the Security Rule, direct readers to helpful information in other NIST publications on individual topics the HIPAA Security Rule addresses, and aid readers in understanding the security concepts discussed in the HIPAA Security Rule. This publication does not supplement, replace, or supersede the HIPAA Security Rule itself. Comments on Draft SP 800-66 Revision 1 will be accepted through June 13, 2008."

May 01, 2008
* 2007 Wiretap Report (For the Period January 1 Through December 31, 2007)

US Courts: "The number of intercepted wire, oral or electronic communications — also known as wiretaps — authorized by federal and state courts in 2007 was 20 percent higher than in 2006. Courts issued 2,208 such orders in 2007, compared to 1,839 in 2006, according to The 2007 Wiretap Report.

The complete report contains information on interceptions concluded between January 1, 2007 and December 31, 2007. A summary of the authorized intercepts reported for calendar years 1997-2007 is available in Table 7."

* FISA Orders Up, Government Reporting on National Security Letters Begins

EPIC: "According to the 2007 FISA report, the Foreign Intelligence Surveillance Court approved 2,370 applications to conduct electronic surveillance and physical searches in the United States in 2007, up from 2,176 applications approved in 2006. For the first time, the report includes information regarding the total number of requests made by the Department of Justice with National Security Letter authority for information concerning U.S. persons. In 2006, the government made approximately 12,583 NSL requests for information concerning 4,790 U.S. persons. The 2007 NSL statistics are expected later this year."

April 28, 2008
* Senate Approves Health Privacy Bill

"The Center for Democracy and Technology applauds the Senate's passage of HR 493, the Genetic Information Nondiscrimination Act of 2007 (GINA) by unanimous consent. The House is expected to quickly pass the measure. The bill represents a significant step forward in protecting health privacy because it prohibits the use of genetic information by employers when making hiring decisions or by health insurers when making coverage decisions or adjusting premiums. Under GINA, employers and insurers also would not be allowed to impose genetic testing requirements. CDT is urging the President to quickly sign the bill into law."

April 27, 2008
* UK Phasing In Facial Recognition System for Border Entry

UK Guardian: "Airline passengers are to be screened with facial recognition technology rather than checks by passport officers, in an attempt to improve security and ease congestion...From summer, unmanned clearance gates will be phased in to scan passengers' faces and match the image to the record on the computer chip in their biometric passports. Border security officials believe the machines can do a better job than humans of screening passports and preventing identity fraud. The pilot project will be open to UK and EU citizens holding new biometric passports."

April 26, 2008
* International Privacy Officials Recommend Social Networking Privacy Safeguards

EPIC: "The International Working Group On Data Protection in Telecommunications has released a report and guidance (pdf) on privacy in social networking services. The report identifies risks to privacy and security, and provides guidance to regulators, service operators and users to counter these risks. Risks include the large amount of data collection; the misuse of profile data by third parties; insecure infrastructure and application programming interfaces. Regulators should ensure openness, and oblige data breach notification. Providers must be transparent; live up to promises made to users; and use privacy friendly defaults. Privacy and consumer groups are also recommended to raise the awareness of regulators, providers and the general public."

• Report and Guidance on Privacy in Social Network Services - “Rome Memorandum” - 43rd meeting, 3-4 March 2008, Rome (Italy)
• A brochure containing all documents adopted by the International Working Group until 2006 (in German and English) is available for download here.
April 22, 2008
* DHS Proposes Biometric Airport, Seaport Exit Procedures

News release: "The U.S. Department of Homeland Security (DHS) announced today a notice of proposed rulemaking that will establish biometric exit procedures at all U.S. air and sea ports of departure. The majority of non-U.S. citizens are already required to submit digital fingerprints and a digital photograph for admission into the country. The US-VISIT Exit proposal would require non-U.S. citizens who provide biometric identifiers for admission to also provide digital fingerprints when departing the country from any air or sea ports of departure."

• Collection of Alien Biometric Data upon Exit from the United States at Air and Sea Points of Departure; US-VISIT Program (PDF, 91 pages)

April 18, 2008
* Computerworld Guide to Removing Data From Your Hard Drive

"With stories surfacing on news channels regularly about lost or stolen data or the ability to recover data from discarded or resold computers and their hard drives, Computerworld decided to look at some cheap methods of removing that sensitive data from your hard drive permanently. And, what better place to look than YouTube?"

• Related postings on PC hard drives

* Journal of Public Inquiry Fall/Winter 2007-2008

The Inspectors General, Journal of Public Inquiry Fall/Winter 2007/08 (96 pages, PDF)

"The Journal is a semiannual publication of the President’s Council on Integrity and Efficiency (PCIE) and the Executive Council on Integrity and Efficiency (ECIE), which together include 64 statutory Inspectors General who oversee stewardship in the federal government...We are pleased to present over a dozen entries ranging from essays, speeches and Georgetown University capstone papers. The entries encompass themes ranging from audit advisory committees, the role of inspectors general in Eastern Europe, public integrity and the importance of identity protection. The highlighted article in this version of the Journal is entitled, “Sunshine is the Best Antiseptic,” and outlines the work that the IG Community has done to improve transparency in government and identifies the challenges that lie ahead."
April 15, 2008
* DOJ OIG Testimony on FBI's Use of National Security Letters and Section 215 Orders for Business Records

Statement of Glenn A. Fine, Inspector General, U.S. Department of Justice before the House Committee on the Judiciary Subcommittee on the Constitution, Civil Rights, and Civil Liberties concerning “The FBI’s Use of National Security Letters and Section 215 Orders for Business Records”, April 15, 2008.

April 13, 2008
* Legally eHealth: Putting eHealth in its European Legal Context

Legally eHealth: Putting eHealth in its European Legal Context. Legal and regulatory aspects of eHealth Study report March 2008.

"The Legally eHealth Report...seeks to examine some keys of the legal questions raised by the adoption of eHealth tools in healthcare. It looks at how EU legislation on data protection, product and services liability, and trade and competition law applies. In considering the law of privacy, the report examines the European Directives on Data Protection Directive, Privacy in Electronic Communications, as well as the European Convention of Human Rights against the backdrop of a number of scenarios exploring data transfer for the purposes of better care provision both across European and international borders, as well as for commercial purposes."

* Customs and Border Protection: Global Entry Pilot for International Travelers

News release: "Global Entry™ will be available for U.S. citizens or lawful permanent residents who are frequent international travelers, provided they have not been found guilty of a criminal offense, charged with a customs or immigration offense, or declared inadmissible to the U.S. under immigration legislation. Biometric fingerprint technology will be used to verify the passenger’s identity and confirm his or her status as a Global Entry™ participant."

April 10, 2008
* FTC: Do Not Call Registrations Permanent

News release: "Telephone numbers placed on the National Do Not Call Registry will remain on it permanently due to the Do-Not-Call Improvement Act of 2007, which became law in February 2008. More than 157 million phone numbers are on the National Do Not Call Registry. Under the Act, the Federal Trade Commission will continue to remove telephone numbers that have been disconnected and reassigned to other customers. Consumers can delete their telephone numbers from the registry at any time by calling 1-888-382-1222 (TTY 1-866-290-4236) – the call must be made from the telephone number they wish to delete."

April 08, 2008
* Treasury OIG Audit: Inadequate Security Controls Over Routers and Switches Jeopardize Sensitive Taxpayer Information

Inadequate Security Controls Over Routers and Switches Jeopardize Sensitive Taxpayer Information, March 26, 2008. Reference Number: 2008-20-071

"Because the IRS sends sensitive taxpayer and administrative information across its networks, routers on the networks must have sufficient security controls to deter and detect unauthorized use. Access controls for IRS routers were not adequate, and reviews to monitor security configuration changes were not conducted to identify inappropriate use. A disgruntled employee, contractor, or hacker could reconfigure routers and switches to disrupt computer operations and steal taxpayer information in a number of ways, including diverting information to unauthorized systems."

April 07, 2008
* European Privacy Officials: Privacy Rules Apply to Search Engines

EPIC: "European privacy officials have established "a clear set of responsibilities" on search engine companies regarding their handling of user data. The opinion, issued by the Article 29 Working Group, states that the European Union Data Protection Directive requires search engines to "delete or irreversibly anonymise personal data once they no longer serve the specified and legitimate purpose" for which they were collected. This requirement has particular significance for search engines, because European privacy rules classify Internet Protocol (IP) addresses as "personal data." The opinion further holds that European privacy laws generally apply to search engines "even when their headquarters are outside [Europe]," and requires that search engines must delete personal data within six months of collection. Earlier this year, EPIC urged the European Parliament to protect the privacy of search histories. For more information, see EPIC's Search Engine Privacy page."

April 06, 2008
* World Privacy Forum files comments on proposed rules regarding Patient Safety Organizations

"The World Privacy Forum filed extensive comments [April 4, 2008] regarding privacy protections for patients whose health care information will be shared with patient safety organizations under newly proposed Department of Health and Human Services regulations. After a landmark Institute of Medicine report on the prevalence of medical errors and their harmful impact on patients (To Err is Human), the U.S. Congress eventually passed the Patient Safety Act (2005). The Patient Safety Act allows extensive health care data of patients to go to patient safety organizations. The idea is to provide a form of quality control. The Agency for Healthcare Research and Quality (AHRQ), part of HHS, has published its proposed regulations implementing the Act. The World Privacy Forum has made 14 recommendations for substantive changes in the proposed rules to protect patient privacy. The World Privacy Forum asked the Agency to expressly mandate that all patient data be de-identified or anonymized to the greatest extent possible, that the proposed rule should expressly require data use agreements for any data sharing, that the patient information be labeled as subject to the Patient Safety Act, and strongly urged that patient safety organizations be required to maintain an accounting of disclosures at least equal to HIPAA, among other recommendations. The full set of recommendations is available in the WPF comments. The proposed rulemaking will be open for public comments until April 14, 2008."

April 03, 2008
* FBI: Reported Dollar Loss from Internet Crime Reaches All-Time High

News release: "According to the 2007 Internet Crime Report, the Internet Crime Complaint Center (IC3) received 206,884 complaints of crimes perpetrated over the Internet during 2007. Of the complaints received, more than 90,000 were referred to law enforcement around the nation, amounting to nearly $240 million in reported losses. This represents a $40 million increase in reported losses from complaints referred to law enforcement in 2006. All complaints received by IC3 are accessible to federal, state, and local law enforcement to support active investigations, trend analysis, and public outreach and awareness efforts."

April 01, 2008
* Bipartisan Staff Discussion Draft on President's Proposal to Require Information Reporting on Electronic Payment Mechanism Reimbursements

News release: "Finance Committee staff today released a bipartisan discussion draft of the President’s proposal to require information reporting by banks and other entities on reimbursements to merchants that accept electronic forms of payment, including credit and debit cards. The Finance Committee intends to use public comment to understand more about how payment reporting may affect the tax gap – the $345 billion in Federal taxes legally owed but uncollected each year – as well as to determine whether increased reporting requirements would unfairly burden merchant businesses or banks."

• Bipartisan Staff Discussion Draft on President's Proposal to Require Information Reporting on Electronic Payment Mechanism Reimbursements
• Technical Explanation of Bipartisan Staff Discussion Draft

* FTC: The Truth About Cell Phones and the Do Not Call Registry

News release: "The Federal Trade Commission today reiterated that despite the claims made in e-mails circulating on the Internet, consumers should not be concerned that their cell phone numbers will be released to telemarketers in the near future, and that it is not necessary to register cell phone numbers on the National Do Not Call (DNC) Registry to be protected from most telemarketing calls to cell phones."

March 30, 2008
* DHS Releases Privacy Technology Implementation Guide and Incident Handling Guidance

• Privacy Technology Implementation Guide (PTIG), August 2007 (PDF, 36 pages): "The Privacy Office developed a new general guide for technology managers and developers to integrate privacy protections into operational IT systems. This new guide, the Privacy Technology Implementation Guide (PTIG) combines elements of privacy protection from disparate privacy compliance requirements, as well as administrative policies and procedures into a single document, contextualized for managers and developers of operational systems. The PTIG is designed to allow each Component the flexibility to adapt privacy considerations to the way that Component does business while retaining a common DHS approach. The result is a new guide that provides early awareness of privacy issues and the aspects of systems that can be managed and developed to address privacy issues and streamline the process of complying with existing privacy protection requirements."
• Privacy Incident Handling Guidance (PIHG), September 2007 (PDF, 109 pages): "The Department of Homeland Security (DHS) has a duty to safeguard personally identifiable information (PII) in its possession and to prevent the breach of PII in order to maintain the public’s trust. The Privacy Incident Handling Guidance (PIHG) serves this purpose by informing DHS organizations, employees, senior officials, and contractors of their obligation to protect PII and by establishing procedures delineating how they must respond to the potential loss or compromise of PII."

Additional documents from the DHS Privacy Policy Guidance, Action Memorandum released:
1. Attachment 2: Protecting & Handling Personnel-Related Data – Quick Reference Guide (PDF, 2 pages)
2. Attachment 3: Verification and Confirmation Memorandum Templates (Self-Assessment and Training Certifications), (PDF, 2 pages)
3. Attachment 4: DHS Employee Communication from Scott Charbo and Maureen Cooney regarding Data Security and Privacy, June 8, 2006 (PDF, 2 pages)
4. Attachment 6: OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007 (PDF, 22 pages)

March 27, 2008
* DOJ OIG: Implementation of the Communications Assistance for Law Enforcement Act by the Federal Bureau of Investigation, Audit Report

Implementation of the Communications Assistance for Law Enforcement Act by the Federal Bureau of Investigation, Audit Report 08-20, March 2008. Redacted for public release.

"Criminal organizations and individuals frequently use the telecommunication systems of the United States to further serious crimes, including terrorism, kidnapping, extortion, organized crime, drug trafficking, and public corruption. One of the most effective tools law enforcement agencies use to acquire evidence of these crimes is electronic surveillance techniques. However, continuing advances in telecommunication technology have impaired and in some instances prevented law enforcement from conducting some types of authorized electronic surveillance."

* FTC Announces Settlement of Action Against Data Brokers Reed Elsevier and Seisint for Failing to Provide Adequate Security for Consumers' Data

News release: "In the FTC’s action against data brokers Reed Elsevier (REI) and Seisint, the complaint alleges that REI - through its LexisNexis data broker business - and Seisint collect and store in databases information about millions of consumers, including names, current and prior addresses, dates of birth, drivers license numbers and Social Security numbers. They obtain information about consumers from credit reporting agencies and other sources, and sell products customers use online to find and retrieve the information from their databases. The companies relied on user IDs and passwords (or “user credentials”) to control customer access to consumer information in their databases."

• In the Matter of Reed Elsevier Inc. and Seisint, Inc., FTC File No. 052-3094
March 26, 2008
* National Committee on Vital and Health Statistics Report Issued

National Committee on Vital and Health Statistics, 2005-2006. February 2008 37 pp. (PHS) 2008-1205

"This report is the latest in a series of periodic reviews of the work of the National Committee on Vital and Health Statistics (NCVHS), the statutory public advisory committee on health information policy to the Secretary of the U.S. Department of Health and Human Services (HHS). During this 2-year period, the Committee produced recommendations on privacy issues in the Nationwide Health Information Network (NHIN); functional requirements for the NHIN; improvements to data on race, ethnicity, and language; personal health records and systems; multiple Health Insurance Portability and Accountability Act (HIPAA), Consolidated Health Informatics (CHI), and e-prescribing standards; quality measurement; and reflections on lessons learned from the first 10 years of HIPAA."

March 25, 2008
* Leahy, Specter Call For DOJ Investigation Into Passport Data Breach At State Department

Follow up to State Department Acknowledges Unauthorized Access to Passport Records of Presidential Candidates, today's news release: "Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and Ranking Member Arlen Specter (R-Pa.) today urged the Attorney General to take immediate action to investigate reported breaches of the passport files of the three presidential candidates at the State Department. Attorney General Michael Mukasey stated last week that the Justice Department would await the outcome of an internal investigation at the State Department before taking action.

“We both strongly believe that our government has a duty to protect the private information of its citizens,” wrote Leahy and Specter. “The Justice Department should not wait to be handed ‘a box full of evidence,’ as you said at your recent briefing, before determining whether Federal laws were broken.”

See also Personal Data Privacy and Security Act and Summary of the Leahy-Specter data privacy legislation.

March 22, 2008
* CRS Report - Border Searches of Laptops and Other Electronic Storage Devices

RL34404 - Border Searches of Laptops and Other Electronic Storage Devices, March 05, 2008

Summary: "The Fourth Amendment generally requires a warrant to support most searches and seizures conducted by the government. Federal courts have long recognized that there are many exceptions to this general presumption, one of which is the border search exception. The border search exception permits government officials, in most "routine" circumstances, to conduct searches with no suspicion of wrongdoing whatsoever. On the other hand, in some "non-routine" and particularly invasive situations, customs officials are required to have "reasonable suspicion" in order to conduct a search. Several federal courts have recently applied the border search exception to situations in which customs officials conducted searches of laptops and other electronic storage devices at the border. Though the federal courts have universally held that the border search exception applies to laptop searches conducted at the border, the degree of cause required to support the search has not been established. Though some federal appellate courts do not appear to require any degree of suspicion to justify a search, one federal district court stated categorically that all laptop searches conducted at the border require at least reasonable suspicion of wrongdoing."
March 18, 2008
* DHS Privacy Office - 2008 Data Mining Report

2008 Data Mining Report (PDF, 46 pages), February 11, 2008. "This is the third report by the Privacy Office to Congress on data mining. This report identifies the data mining activities deployed or under development within DHS, as defined by the Data Mining Reporting Act, and describes the framework the Department will use to report on such activities in the future pursuant to Section 804 of the Implementing Recommendations of the 9/11 Commission Act of 2007, entitled, “The Federal Agency Data Mining Reporting Act of 2007” (Data Mining Reporting Act)."

• 2007 Data Mining Report (PDF, 42 pages). "This is the second report by the Privacy Office to Congress on data mining. This report describes data mining activities deployed or under development within the Department that meet the definition of data mining as mandated in House Report No. 109-699 - Making Appropriations for the Department of Homeland Security for the Fiscal Year Ending September 30, 2007, and for Other Purposes."

* Study of Worldwide Airports Reveals Wireless Security Risks for Travelers and Airport Operations

Press release: "...AirTight® Networks, the global leader for wireless intrusion prevention systems...issued the findings from its study to assess information security risk exposure of laptop users at fourteen airports in the United States, Canada and Asia. The company set out to understand the risks to business travelers and their corporate networks of data leakage while those airline passengers are sending sensitive information using unsecured wireless access points while at the airports. It found surprising results, however, regarding the security posture of private Wi-Fi networks in these airports as well as the rapid spread of viral Wi-Fi networks.

One of the most surprising findings of this initial study was that some ticketing systems, baggage systems, shops and restaurants were using open or poorly secured wireless networks. Of the Wi-Fi networks detected by AirTight researchers, 77 percent were non-hotspot (i.e. private) networks and of those, 80 percent were unsecured or using legacy WEP encryption, a fatally flawed protocol. Based on detailed analysis of these access points, there is a high probability that some of these networks are used for critical airport logistics and operations. The consequences of this lack of security could result in disruption of baggage or passenger ticketing systems."

March 16, 2008
* Gov't Requirements for Banks to Provide Suspicious Activity Reports

Newsweek: Unintended Consequences - Spitzer got snagged by the fine print of the Patriot Act

"The Patriot Act gave the FBI new powers to snoop on suspected terrorists. In the fine print were provisions that gave the Treasury Department authority to demand more information from banks about their customers' financial transactions. Congress wanted to help the Feds identify terrorist money launderers. But Treasury went further. It issued stringent new regulations that required banks themselves to look for unusual transactions (such as odd patterns of cash withdrawals or wire transfers) and submit SARs—Suspicious Activity Reports—to the government. Facing potentially stiff penalties if they didn't comply, banks and other financial institutions installed sophisticated software to detect anomalies among millions of daily transactions. They began ranking the risk levels of their customers—on a scale of zero to 100—based on complex formulas that included the credit rating, assets and profession of the account holder."

March 14, 2008
* VoIP: Who Might Be Spying on Your Communications?

VOIP-News: "Email, IM (instant messaging) and even VoIP solutions like Skype and Vonage have taken over communications in both the business and social worlds. These systems work well because they're a much-needed solution for high phone bills, static-filled communications and dropped cell-phone calls. Internet-based communication methods also give users optimum remote access, since all one needs to use VoIP or send an IM is an Internet connection. But with this increase in popularity comes serious security issues. VoIP technology is still relatively new, and hackers are finding new ways to rip off service providers and their customers. Just who might be spying on your online communications? You might be surprised."

March 13, 2008
* DOJ OIG: A Review of the FBI’s Use of National Security Letters

Department of Justice Office of Inspector General: A Review of the FBI’s Use of National Security Letters: Assessment of Corrective Actions and Examination of NSL Usage in 2006, March 2008, Unclassified, (187 pages, PDF)

• Related postings on National Security Letters

* DOJ OIG: A Review of the FBI’s Use of Section 215 Orders for Business Records

Department of Justice Office of Inspector General: A Review of the FBI’s Use of Section 215 Orders for Business Records in 2006, March 2008, Unclassified (99 pages, PDF)

• Related postings on Section 215 of the Patriot Act

March 12, 2008
* Judiciary Committee Members: Administration Has Not Made the Case for Telecom Immunity

Follow up to March 11, 2008 posting, House Democrats Reject Telecom Immunity, "Today, House Judiciary Chairman John Conyers, Jr. (D-MI) and 19 members of the House Judiciary Committee issued a statement regarding telecommunications immunity, as the House prepares to consider the FISA Amendments Act of 2008. Following a review of classified information relating to the warrantless surveillance program and immunity for telecommunications companies, the members reported their conclusion that the administration has not established a valid and credible case to justify granting blanket retroactive immunity at this time."

• Members' statement on administration's surveillance and immunity

* WSJ Reports on NSA's Expanding Domestic Surveillance Program and ACLU Files FOIA Request

Follow up to previous postings on TSA's Total Information Awareness surveillance program, this news release today from the ACLU: "...According to the new Wall Street Journal report [subscription req'd], the NSA was engaging in broad domestic spying operations that involve collecting and analyzing the personal information of Americans in ways that are "essentially the same" as TIA. The elements that reportedly make up the new spying encompass a variety of mass surveillance and data mining programs about which the ACLU has previously warned..."

• The ACLU FOIA Request regarding the NSA's Total Information Awareness program (3/12/2008) quoting the WSJ article, "According to current and former intelligence officials, the spy agency now monitors huge volumes of records of domestic emails and Internet searches as well as bank transfers, credit-card transactions, travel and telephone records. The NSA receives this so-called "transactional" data from other agencies or private companies, and its sophisticated software programs analyze the various transactions for suspicious patterns. Then they spit out leads to be explored by counterterrorism programs across the U.S. government, such as the NSA's own Terrorist Surveillance Program, formed to intercept phone calls and emails between the U.S. and overseas without a judge's approval when a link to al Qaeda is suspected."
  • March 11, 2008
    * CDT: Commission Needed to Explore Revamping Privacy Act

    "The Privacy Act of 1974 is in need of improvements to ensure its relevance into the future, CDT Deputy Director Ari Schwartz said in testimony before a congressional panel today. The Act’s limitations are particularly apparent with regard to government use of commercially compiled personal information, Schwartz told the Information Policy, Census, and National Archives Subcommittee. Commercial information plays a key role in important government functions, like law enforcement and national security. However, agencies relying on that data should have clear guidelines on its use. The role Privacy Impact Assessments play in protecting privacy is essential. Two bills help bolster PIAs: S.2341 lays out "best practices" guidelines and HR 4791 requires PIAs for government use of commercial databases. CDT believes Congress should create a Commission to review the Act and suggest possible reforms. March 11, 2008."

  • Ari Schwartz testimony before a House Government Affairs Subcommittee [PDF] March 11, 2008
  • * New GAO Reports: Stabilizing and Rebuilding Iraq, Presidential Signing Statements, Mineral Revenues, Joint Strike Fighter

  • Stabilizing and Rebuilding Iraq: Actions Needed to Address Inadequate Accountability over U.S. Efforts and Investments, GAO-08-568T, March 11, 2008

  • Presidential Signing Statements: Agency Implementation of Selected Provisions of Law, GAO-08-553T, March 11, 2008

  • Mineral Revenues: Data Management Problems and Reliance on Self-Reported Data for Compliance Efforts Put MMS Royalty Collections at Risk, GAO-08-560T, March 11, 2008

  • Homeland Security: DHS Improved its Risk-Based Grant Programs' Allocation and Management Methods, But Measuring Programs' Impact on National Capabilities Remains a Challenge, GAO-08-488T, March 11, 2008

  • Defense Management: DOD Needs to Reexamine Its Extensive Reliance on Contractors and Continue to Improve Management and Oversight, GAO-08-572T, March 11, 2008

  • Privacy: Government Use of Data from Information Resellers Could Include Better Protections, GAO-08-543T, March 11, 2008

  • Joint Strike Fighter: Impact of Recent Decisions on Program Risks, GAO-08-569T, March 11, 2008

  • Joint Strike Fighter: Recent Decisions by DOD Add to Program Risks, GAO-08-388, March 11, 2008

  • Status of Selected Aspects of the Coast Guard's Deepwater Program, GAO-08-270R, March 11, 2008
  • * House Democrats Reject Telecom Immunity

    House Democratic Majority Leader/AP: "Locked in a standoff with the White House, House Democrats on Tuesday maintained their refusal to shield from civil lawsuits telecommunications companies that helped the government eavesdrop on their customers without a secret court's permission. But they offered the companies an olive branch: the chance to use classified government documents to defend themselves in court. House Democratic leaders unveiled a bill that they hoped would bridge the gap between the electronic surveillance bill passed by the Senate last month and a rival version the House approved last fall. Both bills are attempts to update the 1978 Foreign Intelligence Surveillance Act, the law that dictates when the government needs court permission to conduct electronic eavesdropping inside the United States. The law has taken on particular importance in the global effort to thwart terrorists since the 2001 attacks on the United States."

    • Director of National Intelligence, March 11, 2008: "We understand that the leadership of the House of Representatives intends to introduce a new bill related to the Foreign Intelligence Surveillance Act of 1978 (FISA). Based on initial summaries of what the proposal contains, we are concerned that the proposal would not provide the Intelligence Community the critical tools needed to protect the country. The Senate already has passed a bipartisan bill that would give our intelligence professionals the tools they need to keep America safe. The bipartisan bill was carefully crafted to ensure important intelligence operations were not harmed by new legislation."

    • ACLU - New FISA Compromise Is an Improvement, Still Raises Concerns: "While we still have concerns about aspects of the new House FISA bill, the American Civil Liberties Union is encouraged by the new draft – particularly the language on state secrets, which would allow the cases to go forward while allowing the telecommunications companies to assert any defenses. We commend House leadership for keeping the courthouse door open. And in particular, we applaud the House for refusing to adopt the overreaching FISA Amendments Act, which would give the executive branch carte blanche to wiretap on US soil and grant complete retroactive immunity to telecommunications companies that facilitated years of illegal surveillance. We are also heartened by the role retained by the FISA court in overseeing the program as well as the two-year sunset on the legislation."

    March 06, 2008
    * Trio of Commerce Chairmen Call for Further Investigation Based on Latest Domestic Surveillance Allegations

    Electronic Frontier Foundation: "Three powerful House Commerce Committee Chairmen strongly urged their colleagues Thursday to defer acting on requests for retroactive immunity and to demand more information from the White House and the telecommunications companies in the wake of disclosures by another whistleblower that the government apparently has been granted an open gateway to customer information and calls by a major telecommunications company."

    • March 6, 2008 Dear Colleague letter, written by John Dingell, Chairman of the House Committee on Energy and Commerce; Ed Markey, Chairman of the House Subcommittee on Telecommunications and the Internet; and Bart Stupak, Chairman of the Subcommittee on Oversight and Investigations: "...Yesterday another whistleblower stepped forward with troubling charges that at least one major wireless telecommunications giant may have given a Congressional entity access to every communication coming through that company's infrastructure, including every e-mail, Internet use, document transmission, video and text message, as well as the ability to listen in on any phone call."

    • Related postings on domestic surveillance program

    * HHS OIG: Proposed Revisions to Existing Privacy Act Systems of Records: Federal Register Notice

    HHS Office of Inspector General, Privacy Act of 1974; Revisions to OIG’s Privacy Act System of Records: Criminal Investigative Files, Federal Register, March 4, 2008.

  • "Action: Notice of proposed revisions to existing Privacy Act systems of records. OIG has reviewed and is now proposing to revise the criminal investigative file system of records by (1) amending the "Routine Uses of Records Maintained in the System" section by adding a new paragraph o. to address the requirement for a routine use for the disclosure of information in the investigation of data breaches of Personally Identifiable Information, in accordance with Office of Management and Budget Memorandum M–07–16; and (2) amending the "Policies and Practices for Storing, Retrieving, Reviewing, Retaining, and Disposing of Records in the Storage System" portion of the system of records to update the discussion on access methods for the mainframe and the storage location of data so that it is consistent with current technology."
  • March 04, 2008
    * CDT Releases Principles for Behavioral Targeting Privacy Tools

    "CDT today released a set of privacy principles to help guide the development of software tools related to online behavioral targeting. Developed in consultation with members of CDT's Internet Privacy Working Group (IPWG), the principles aim to bolster the development of tools for Web browsers and other software that empower users with the ability to manage their privacy and control online behavioral tracking activities. The document is a result of meetings with IPWG, sparked by renewed interest in behavioral targeting at the FTC, in the private sector and among consumer groups."

  • Principles for Behavioral Targeting Privacy Tools, March 4, 2008
  • March 02, 2008
    * 2007 Electronic Monitoring and Surveillance Survey

    2007 Electronic Monitoring & Surveillance Survey - Over Half of All Employers Combined Fire Workers for E-Mail & Internet Abuse, February 28, 2008

  • "From e-mail monitoring and Website blocking to phone tapping and GPS tracking, employers increasingly combine technology with policy to manage productivity and minimize litigation, security, and other risks. To motivate compliance with rules and policies, more than one fourth of employers have fired workers for misusing e-mail and nearly one third have fired employees for misusing the Internet, according to the 2007 Electronic Monitoring & Surveillance Survey from American Management Association (AMA) and The ePolicy Institute."
  • * Measuring Identity Theft at Top Banks (Version 1.0)

    Chris Hoofnagle, Measuring Identity Theft at Top Banks (Version 1.0), February 26, 2008. Berkeley Center for Law and Technology, Law and Technology Scholarship (Selected by the Berkeley Center for Law & Technology), Paper 44.

  • "There is no reliable way for consumers, regulators, and businesses to assess the relative incidence of identity fraud at major financial institutions. This lack of information prevents more vigorous competition among institutions to protect account holders from identity theft. As part of a multiple strategy approach to obtaining more actionable data on identity theft, the Freedom of Information Act was used to obtain complaint data submitted by victims in 2006 to the Federal Trade Commission. This complaint data identifies the institution where impostors established fraudulent accounts or affected existing accounts in the name of the victim. The data show that some institutions have a far greater incidence of identity theft than others. The data further show that the major telecommunications companies had numerous identity theft events, but a metric is lacking to compare this industry with the financial institutions. This is a first attempt to meaningfully compare institutions on their performance in avoiding identity theft. This analysis faces several challenges that are described in the methods section."
  • * Data Breach Notification Laws, State By State

    Data Breach Notification Laws, State By State, by Scott Berinato, "More than five years after California's seminal data breach disclosure law, SB 1386, was enacted, not all states have followed suit. Eleven states still have not passed laws mandating that companies notify consumers when that company has lost the consumer's personal data. One state, Oklahoma, does have a breach notification law, but it only applies to state entities that have lost data. That leaves 38 states that have enacted some sort of breach disclosure law. This map will help you sort them out."

    March 01, 2008
    * EU Safer Internet Plus Programme

    "The Safer Internet plus programme aims to promote safer use of the Internet and new online technologies, particularly for children, and to fight against illegal content and content unwanted by the end-user, as part of a coherent approach by the European Union."

  • Make the internet a safer place, February 2008: "While the international context is complex, the EU has set certain standards across Europe, clarifying many legal issues. The internet related issues, however, cannot be tackled by legal measures alone, and are generally greater than parents realise. With broadband access growing – both via PCs and ‘third generation’ (3G) mobile phones – and as the internet becomes an increasingly important part of children’s lives, these figures are not likely to become less disturbing without concerted action."
  • February 27, 2008
    * A Legal and Policy Analysis - Personal Health Records: Why Many PHRs Threaten Privacy

    The World Privacy Forum - A Legal and Policy Analysis - Personal Health Records: Why Many PHRs Threaten Privacy, Prepared by Robert Gellman for the World Privacy Forum, February 20, 2008

  • "This document offers a legal and policy analysis of the privacy consequences for consumer health information stored on or by Personal Health Records systems that are not subject to the HIPAA health privacy rule. This document does not analyze the potential of PHRs for affecting the cost of health care in general. Unless specifically noted in the text, the term PHR in this document refers to PHR records and systems that are not subject to HIPAA."
    February 24, 2008
    * Unclassified DNI Data Mining Report Released By Secrecy News

    Secrecy News: "The Office of the Director of National Intelligence provided an overview of U.S. intelligence data mining development programs in... "Data Mining Report," ODNI Report to Congress, February 15, 2008. Data mining is used by intelligence agencies to search through databases in order to discern patterns of activity that could indicate a threat to national security."

    February 21, 2008
    * EPIC Raises Privacy Issues in Response to Reed Elsevier Acquisition of ChoicePoint

    Press release: "Reed Elsevier to acquire ChoicePoint for a total cost of $4.1 billion (£2.1 billion/€2.8 billion) payable in cash. This comprises an equity value of $3.5 billion and the assumption of $0.6 billion of net debt. Combination of ChoicePoint with the LexisNexis Risk Information and Analytics Group will create a risk management business with $1.5 billion in revenues and a leading position in the fast growing risk management marketplace...ChoicePoint has a leading position in providing unique data and analytics to the attractive insurance sector (over 50% of Choicepoint's $982 million revenue and 80% of its business operating income from continuing operations in 2007) and highly complementary products and new capabilities in the screening, authentication and public records areas."

  • EPIC: "Reed-Elsevier, corporate parent of Lexis-Nexis, has made a move to acquire Choicepoint, the databroker. Consumer privacy will be seriously affected if the merger is approved without any privacy safeguards. The previous Google-Doubleclick merger involving two large databases of personal information similarly raised privacy as well as antitrust issues. Choicepoint is a large player in the commercial databroker market and has been the target of an EPIC privacy complaint and an FTC investigation and fine for the privacy harms its business practices cause. For more see EPIC's page on Choicepoint."

  • Related postings on ChoicePoint
  • February 17, 2008
    * PBS: Your Guide to Online Privacy

    Your Guide to Online Privacy, by Mark Glaser

  • "As we share more information online via myriad site registrations, online social networking profiles, e-commerce sites and search engines, the desire by companies and governments to mine that information is increasingly at odds with the desire of users to protect it. While online businesses can create their own privacy policies, average folks often can’t comprehend them — or opt out from data collection without leaving the site entirely. And government agencies and law enforcement increasingly are watching what people do online to fight crime and terrorism."
  • February 13, 2008
    * FTC Releases List of Top Consumer Fraud Complaints in 2007

    "The FTC today released the list of top consumer fraud complaints received by the agency in 2007. The list, contained in the publication Consumer Fraud and Identity Theft Complaint Data January-December 2007, showed that for the seventh year in a row, identity theft is the number one consumer complaint category. Of 813,899 total complaints received in 2007, 258,427, or 32 percent, were related to identity theft.

    The report breaks out complaint data on a state-by-state basis and also contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and the 50 metropolitan areas reporting the highest incidence of identity theft.

    The report states that credit card fraud was the most common form of reported identity theft at 23 percent, followed by utilities fraud at 18 percent, employment fraud at 14 percent, and bank fraud at 13 percent.

    Consumers reported fraud losses totaling more than $1.2 billion; the median monetary loss per person was $349, the report states."

    February 12, 2008
    * DHS Begins Collecting 10 Fingerprints From International Visitors at O'Hare

    DHS press release, February 1, 2008: "The U.S. Department of Homeland Security (DHS) announced today that it has begun collecting additional fingerprints from international visitors arriving at Chicago O'Hare International Airport (O'Hare), Hartsfield-Jackson Atlanta International Airport (Hartsfield), and George Bush Houston Intercontinental Airport (Bush Intercontinental). The change is part of the department's upgrade from two- to 10-fingerprint collection to enhance security and facilitate legitimate travel by more accurately and efficiently establishing and verifying visitors' identities."

    February 11, 2008
    * Educational Security Incidents (ESI) Year in Review - 2007

    Educational Security Incidents (ESI) Year in Review - 2007, by Adam Dodge, posted on February 10, 2008: "The ESI Year in Review - 2007 examines all of the information security incidents occurring at colleges and universities around the world as reported in the news during 2007. 2007 marked a significant change for information security incidents reported in the news. Among the changes are an increase in both the number of incidents reported and the number of institutions reporting a breach as well as the addition of new categories such as incident type "Employee Fraud" and information type "Username and Password"."

    February 10, 2008
    * One person in eight in the EU27 avoids e-shopping because of security concerns

    Press release: "In connection with the 5th Safer Internet Day on 12 February 2008, Eurostat, the Statistical Office of the European Communities, presents a selection of statistics concerning internet activities, security concerns and virus attacks. The Safer Internet Day is part of a global drive to promote a safer Internet for all users, in particular younger people, and is organised by Insafe, a European internet safety network co-funded by the European Commission...In the EU27 in 2007, nearly a quarter of internet users had had a computer virus in the preceding 12 months, which resulted in a loss of information or time. Virus attacks were most frequent in Lithuania (41% of users), Slovenia (35%) and Malta (34%) and least common in the Czech Republic (7%), Estonia (15%) and Sweden (16%)."

    February 09, 2008
    * California Senate Passes Identity Theft Bill 40-0

    Press release: "The California State Senate passed a bill Friday that would allow prosecution for identity theft cases in the county where the victim resides. State Sen. Joe Simitian, D-Palo Alto, co-authored Senate Bill 612 and praised fellow senators Friday for voting 40-0 in favor of the legislation. Current law permits prosecution in the county where the theft occurred, or where the information was illegally used, even when both locations are hundreds of miles from the victim’s home, according to Simitian’s office." Simitian also sponsored Senate Bill 364, which passed by a vote of 30-7.

    February 07, 2008
    * Congress Moves to Make "Do Not Call" Listings Permanent

    CDT: "The Senate yesterday gave final congressional approval to legislation making "Do Not Call" listings permanent. Without the legislation, consumers' phone numbers would have been automatically removed from the FTC controlled list after five years. CDT applauds the decision to eliminate the list's current expiration policy, which would require consumers who want to remain on the list to sign up again every five years. The bill, H.R. 3541, has already passed the House and is likely to be enacted into law soon."

  • H.R.3541 - To amend the Do-not-call Implementation Act to eliminate the automatic removal of telephone numbers registered on the Federal "do-not-call" registry.
  • * CIA Freedom Of Information Act Annual Report for Fiscal Year 2007

    Central Intelligence Agency Freedom Of Information Act Annual Report for Fiscal Year 2007, Unclassified.

  • "For those FOIA cases closed in FY 2007, 80% were closed in 175 days; median response time was 40 days; average response time was 223 days. For those Privacy Act cases closed in FY 2007, 80% were closed in 58 days; median response time was 18 days; average response time was 69 days."
  • February 06, 2008
    * Survey on State Compliance With Real ID Act

    News.com: "Real ID's scope is surprisingly broad. Jurors could potentially be denied entrance to federal courthouses. So could prospective students visiting the U.S. Naval Academy in Annapolis or the U.S. Military Academy at West Point. Tours of federal buildings such as the Pentagon and the Treasury Department could be affected, as could public hearings, conferences, and even concerts. And some Americans could be denied entrance to the U.S. Capitol building, the iconic heart of the nation's democracy...Starting May 11, unless your home state agrees to comply with the federal Real ID Act or unless it asks for an extension, you might have trouble getting into federal buildings. Click a state [interactive map included in this article] to see what that state has told us about whether or not its ID cards will meet Real ID requirements."

    * UK Prime Minister - Intercept evidence may be permissible

    In a statement to the House of Commons, the PM said that the Government would look at ways of using intercept evidence as advised by the Chilcot Report. Guidelines would be drawn up to ensure that the interests of national security were never compromised, he said. The PM said:

    "The use of intercept in evidence characterises a central dilemma we face as a free society - that of preserving our liberties and the rule of law, while at the same time keeping our nation safe and secure. [The Chilcot Report - see text below] concludes that it should be possible to find a way to use some intercept material as evidence, provided - and only provided - that certain key conditions can be met. These conditions relate to the most vital imperative of all - that of safeguarding our national security. The Government accepts this recommendation - and takes the accompanying conditions very seriously."
  • Privy Council Review of intercept as evidence: report to the Prime Minister and the Home Secretary, Cm 7324, 4 February 2008 (67 pages, PDF)
  • February 05, 2008
    * OMB: Use of Commercial Independent Risk Analysis Services Blanket Purchase Agreements

    Use of Commercial Independent Risk Analysis Services Blanket Purchase Agreements (BPA) (February 4, 2008) (4 pages, PDF)

  • "The purpose of this memorandum is to alert you to the establishment of government-wide blanket purchase agreements (BPAs) for independent risk analysis services and encourage agency consideration of these vehicles to the maximum extent practicable. In the event of a data breach, the Office of Management and Budget (OMB) Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, requires agencies to promptly conduct a risk analysis and be prepared to submit a report containing the findings to the Congressional Oversight Committees of the U.S. Senate and House of Representatives, as appropriate."
  • February 04, 2008
    * CDT Analysis of REAL ID: What Should Congress Do Now?

    REAL ID: What Should Congress Do Now? - CDT Analysis of the REAL ID Act and the Department of Homeland Security’s Final Regulations, February 1, 2008.

  • Related postings on REAL ID Act

  • CNN: "The FBI is gearing up to create a massive computer database of people's physical characteristics, all part of an effort the bureau says to better identify criminals and terrorists...The bureau is expected to announce in coming days the awarding of a $1 billion, 10-year contract to help create the database that will compile an array of biometric information -- from palm prints to eye scans."
  • * Privacy and Civil Liberties Oversight Board - Second Annual Report to Congress

    Second Annual Report to Congress, January 30, 2008 (36 pages, PDF): "As the efforts of the current Board come to a close, the Members wish to acknowledge and thank the many thousands of dedicated men and women in the Federal government whose responsibility it is to protect the homeland against terrorism consistent with the Constitution. We have been privileged to observe their training on the importance of privacy and civil liberties and witness their work first hand. The development of a privacy and civil liberties oversight infrastructure within the Federal government, as envisioned by IRTPA, is important. But nothing can substitute for the uncompromising daily commitment these individuals make to their jobs and Constitutional principles."

    February 03, 2008
    * The Future of Reputation: Gossip, Rumor, and Privacy on the Internet

    Solove, Daniel J., The Future of Reputation: Gossip, Rumor, and Privacy on the Internet, Yale University Press, October 2007. Available at SSRN: http://ssrn.com/abstract=1019177

  • "Solove explores how the Internet is transforming gossip, the way we shame others, and our ability to protect our own reputations. Focusing on blogs, Internet communities, cyber mobs, and other current trends, he shows that, ironically, the unconstrained flow of information on the Internet may impede opportunities for self-development and freedom. Longstanding notions of privacy need review: unless we establish a balance among privacy, free speech, and anonymity, we may discover that the freedom of the Internet makes us less free."

  • AFP: Reputation managers step in against Internet thugs
  • February 02, 2008
    * DHS Annual Privacy Report to Congress, July 2006 to July 2007

    Follow up to January 27, 2007 notice, DHS Posts Annual Report on Congress After Delay, DHS posted the Annual Privacy Report to Congress, July 2006 to July 2007 (PDF, 58 pages).

    February 01, 2008
    * Privacy Rights Clearinghouse: A Chronology of Data Breaches

    A Chronology of Data Breaches, updated January 30, 2008

    January 30, 2008
    * Security Experts Warn that Pending Surveillance Law Will Weaken US National Security

    EPIC: "In a report that will appear in IEEE Security & Privacy, leading experts in computer security warn that legislation now under consideration in the Senate could make the United States vulnerable to attack. The paper Risking Communications Security: Potential Hazards of the Protect America Act warns that warrantless wiretapping creates serious security risks, including 'danger of exploitation of the system by unauthorized users, danger of criminal misuse by trusted insiders, and danger of misuse by government agents.'"

  • Previous postings on domestic surveillance program and the Protect America Act
  • January 29, 2008
    * World Privacy Forum's Top Ten Opt Outs

    "In this Top Ten Opt Outs list, some opt outs can be done by phone, some have to be sent in a letter via postal mail, and some can be accomplished online. Some opt outs last forever, some have time limits, and others can be changed at will. If an opt out is on this list, it is because we thought it might be important enough to be worth whatever annoyance it may pose. Not every opt out is right for everyone, and not everyone will necessarily want to opt out. It is a personal choice. Take a look at the list...and see if any of the opt outs appeal to you, or might make a difference to you in some way."

    * Cyber Initiative to Expand Monitoring of Federal Agency Net Traffic

    Bush Order Expands Network Monitoring - Intelligence Agencies to Track Intrusions, by Ellen Nakashima, Washington Post: "President Bush signed a directive this month that expands the intelligence community's role in monitoring Internet traffic to protect against a rising number of attacks on federal agencies' computer systems. The directive, whose content is classified, authorizes the intelligence agencies, in particular the National Security Agency, to monitor the computer networks of all federal agencies -- including ones they have not previously monitored."

    January 28, 2008
    * District Court Bars the Sale of Consumers’ Telephone Records to Third Parties

    Press release: "A federal judge has barred the illegal operation of an information broker who advertised and sold confidential consumer telephone records to third parties without the consumers’ knowledge or consent. In entering summary judgment for the Federal Trade Commission, Judge William F. Downes of the U.S. District Court for the District of Wyoming also required the defendants to give up nearly $200,000 in ill-gotten gains derived from the consumer phone records they sold, and ordered that the individuals whose records were sold be notified."

  • Federal Trade Commission v. Accusearch, Inc. d/b/a Abika.com, and Jay Patel, Defendants (United States District Court for the District of Wyoming) Civil Action No.: 06-CV-0105; FTC File No. 052 3126

  • Pretexting: Your Personal Information Revealed

    January 27, 2008
    * EU Data Protection Day, January 28, 2008

    "The aim of the Data Protection Day is to give European citizens the chance to understand what personal data is collected and processed about them and why, and what their rights are with respect to this processing. They should also be made aware of the risks inherent and associated with the illegal mishandling and unfair processing of their personal data. The objective of the Data Protection Day is therefore to inform and educate the public at large as to their day-to-day rights, but it may also provide data protection professionals with the opportunity of meeting data subjects."

    * UK Counter-Terrorism Bill 2007-08

  • Bill 63 07-08 (90 pages, PDF), and Summary of the Bill: "A Bill to Confer further powers to gather and share information for counter-terrorism and other purposes; to make further provision about the detention and questioning of terrorist suspects and the prosecution and punishment of terrorist offences; to impose notification requirements on persons convicted of such offences; to amend the law relating to asset freezing proceedings under United Nations terrorism orders; to amend the law relating to inquests and inquiries; to amend the definition of “terrorism”; to amend the enactments relating to terrorist offences, control orders and the forfeiture of terrorist cash; to provide for recovering the costs of policing at certain gas facilities; to amend provisions about the appointment of special advocates in Northern Ireland; and for connected purposes."

    January 24, 2008
    * Sensitive Data Retrieved From Used Government Tapes

    Press release: "Congresswoman Betty McCollum (MN-04), has sent a letter to the Government Accountability Office asking that it reopen its investigation of the privacy and national security risks posed by government agencies reselling used magnetic data tapes that may once have contained large amounts of sensitive personal and government information. Researchers working for Imation, an Oakdale, MN-based corporation that produces magnetic data tapes, were able to recover a wide range of sensitive information from used data tapes that were supposedly wiped clean before being re-sold. Using readily available equipment and information, Imation investigators found out where the tapes originated and recovered bank account numbers, expense reports, employee tax and benefit information, and other sensitive data."

    * Coalition for Patient Privacy: Resources for Consumers

    Coalition for Patient Privacy: "Our mission is to ensure that Americans control all access to their health records."

  • "National Committee on Vital and Health Statistics report, Enhanced Protections for Uses of Health Data: A Stewardship Framework for 'Secondary Uses' of Electronically Collected and Transmitted Health Data. The report recommends that Americans have NO control over access to their electronic health information."

  • Patient Privacy Toolkit: Privacy Instructions: Give to all Providers; How to Talk to Your Doctor; Your Health Privacy Rights; Health Privacy Complaint Form to HHS

    * Privacy Impact Assessment for the Use of Radio Frequency Identification Technology for Border Crossings

    DHS: Privacy Impact Assessment for the Use of Radio Frequency Identification (RFID) Technology for Border Crossings, January 22, 2008.

  • "U.S. Customs and Border Protection (CBP) employs Radio Frequency Identification (RFID) Technology that is to be used in cross border travel documents to facilitate the land border primary inspection process. A unique number is embedded in an RFID tag which, in turn, is embedded in each cross border travel document. At the border, the unique number is read wirelessly by CBP and then forwarded through a secured data circuit to back-end computer systems. The back-end systems use the unique number to retrieve personally identifiable information about the traveler. This information is sent to the CBP Officer to assist in the authentication of the identity of the traveler and to facilitate the land border primary inspection process. Multiple border crossing programs use or plan to take advantage of CBP’s vicinity RFID-reader enabled border crossing functionality including CBP’s own trusted traveler programs, the pending Department of State’s (DoS) Passport Card, the Mexican Border Crossing Card, the proposed Enhanced Driver’s License (EDL) offered by various states, tribal enrollment cards that could be developed by various Native American Tribes, and the proposed Enhanced Driver’s Licenses being developed within the various provincial authorities in Canada."

    January 20, 2008
    * OPM Tells Federal Agencies to Limit Use of Employee Social Security Numbers

    Federal Times: "The administration last week told agencies not to use federal employees’ Social Security numbers as primary identifiers for data processing purposes. The Office of Personnel Management said in a Jan. 18 notice that agencies must not print the numbers on paper or display on computer screens except in secure areas. And only employees whose official duties require access to the numbers can have access to them. Lastly, agencies can only collect employees’ Social Security numbers when an employee joins the agency for human resources and payroll purposes. OPM hopes the new rules will decrease the risk of identity theft."

    * CDT Comments to DHS on Developing Closed Circuit Television Best Practices

    CDT Comments to DHS on Developing CCTV Best Practices, January 18, 2008: "As the December 17-18, 2007 workshop on Closed Circuit Television (CCTV) made clear, there are many good CCTV “best practices” that have been developed by organizations such as The Constitution Project, ACLU, the American Bar Association, the governments of Canada and the United Kingdom, and even the U.S. Park Police. CDT supports these efforts but believes an equally important question is, how can the public be assured that video surveillance “best practices” are being implemented in localities where federal homeland security funds are spent?"

    January 17, 2008
    * EPIC Proposes Privacy Conditions for Video Surveillance

    "In comments filed [January 15, 2008] with the Department of Homeland Security, EPIC detailed its "Framework for Protecting Privacy & Civil Liberties If CCTV Systems Are Contemplated." EPIC explained that it "does not support the creation nor the expansion of video surveillance systems, because their limited benefits do not outweigh their enormous monetary and social costs." EPIC's guidelines explain that (1) alternatives to CCTV are preferred; (2) there must be a demonstrated need for the system; (3) the public and privacy and security experts must be consulted before the system is created; (4) Fair Information Practices Privacy Act of 1974, the 1980 OECD Privacy Guidelines and the Video Voyeurism Act. See EPIC's page on Video Surveillance."

    January 14, 2008
    * Remarks by Homeland Security Secretary Michael Chertoff at a Press Conference on REAL ID

    Press release, January 11, 2009: "One of the biggest concerns we’ve had for the last several years, one we continue to have at the Department of Homeland Security, is how do we promote a secure form of identification across America? And Congress has spoken to this by passing the REAL ID Act several years ago, which provides that we have the obligation to set uniform security standards for the issuance of state driver’s licenses. When we went back and investigated the 9/11 attacks, one of the things which we found, and which the 9/11 Commission found, was that all but one of the hijackers carried a government-issued identification form – mostly driver’s licenses. And this government-issued ID helped the hijackers board airplanes, or remain in the country illegally. That’s why the 9/11 Commission recommended that we enhance the security of our driver’s licenses as a counterterrorism measure. And that’s why Congress set higher standards for driver’s licenses in the REAL ID Act. That’s also why the American people overwhelmingly support more security for driver’s licenses."

  • Related postings on Real ID

    January 11, 2008
    * REAL ID Regulation Released

    Press release: "The U.S. Department of Homeland Security (DHS) announced today a final rule establishing minimum security standards for state-issued drivers’ licenses and identification cards. The rule sets uniform standards that enhance the integrity and reliability of drivers’ licenses and identification cards, strengthen issuance capabilities, and increase security at drivers’ license and identification card production facilities. The final rule also dramatically reduces state implementation costs by roughly 73 percent."

    REAL ID Requirements

    * Chairman Waxman Releases Report on Information Security Breach at TSA's Traveler Redress Website

    Press release: "In October 2006, the Transportation Security Administration launched a website to help travelers whose names were erroneously listed on airline watch lists. This redress website had multiple security vulnerabilities: it was not hosted on a government domain; its homepage was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. These deficiencies exposed thousands of American travelers to potential identity theft. After an internet blogger identified these security vulnerabilities in February 2007, the website was taken offline and replaced by a website hosted on a Department of Homeland Security domain. At the request of Chairman Henry Waxman, Committee staff have been investigating how TSA could have launched a website that violated basic operating standards of web security and failed to protect travelers’ sensitive personal information. As this report describes, these security breaches can be traced to TSA’s poor acquisition practices, conflicts of interest, and inadequate oversight."

  • Report: Information Security Breach at TSA: The Traveler Redress Website

    January 10, 2008
    * DOJ OIG Audit: FBI's Management of Confidential Case Funds and Telecommunication Costs

    The Federal Bureau of Investigation’s Management of Confidential Case Funds and Telecommunication Costs, Audit Report 08-03, January 2008, For Public Release.

  • "Summary of Findings: The Federal Bureau of Investigation (FBI) conducts undercover activities as part of its mission to detect and deter terrorist attacks and foreign intelligence threats and to enforce the laws of the United States. The FBI uses confidential funds to support its undercover activities. By using these funds, the FBI is able to conceal its role and identity from criminals, vendors, or the public. However, the way FBI field divisions currently handle confidential funds presents special challenges and creates potential vulnerabilities for theft. The Department of Justice Office of the Inspector General (OIG) recently concluded a criminal investigation into allegations that an FBI employee stole FBI confidential case funds...As part of our audit, we analyzed 990 telecommunication surveillance payments made by 5 field divisions and found that over half of these payments were not made on time. We also found that late payments have resulted in telecommunications carriers actually disconnecting phone lines established to deliver surveillance results to the FBI, resulting in lost evidence including an instance where delivery of intercept information required by a Foreign Intelligence Surveillance Act (FISA) order was halted due to untimely payment. The FBI’s Financial Management System (FMS) lacks the controls necessary to prevent theft and, as such, is not an effective financial system for FBI employees to use to account for and approve confidential case funds."

  • Response to Inspector General Audit of FBI Management of Confidential Case Funds and Telecommunications Costs, January 10, 2008: FBI Assistant Director John Miller..."While in a few instances, late payment of telephone bills resulted in interruptions of the timely delivery of surveillance results, these interruptions were temporary, and in our assessment, none of those cases were significantly affected."

  • Related postings on domestic surveillance program

  • Additional articles via Wired - Point, Click...Eavesdrop: How the FBI Wiretap Net Operates and FBI E-Mail Shows Rift Over Warrantless Phone Records Grab

    January 08, 2008
    * New GAO Reports: IRS Information Security, Improving Freight Mobility

  • Information Security: IRS Needs to Address Pervasive Weaknesses GAO-08-211, January 8, 2008: "IRS made limited progress toward correcting previously reported information security weaknesses. It has corrected or mitigated 29 of the 98 information security weaknesses that GAO reported as unresolved at the time of its last review. For example, IRS implemented controls for user IDs for certain critical servers, improved physical protection for its procurement system, developed a security plan for a key financial system, and upgraded servers that had been using obsolete operating systems. In addition, IRS established enterprisewide objectives for improving information security, including initiatives for protecting and encrypting data, securing information technology assets, and building security into new applications. However, about 70 percent of the previously identified information security weaknesses remain unresolved."

  • Freight Transportation: National Policy and Strategies Can Help Improve Freight Mobility, GAO-08-287, January 7, 2008

    January 02, 2008
    * Dept. of State Issues Final Rule on choice of "vicinity read" radio frequency identification technology for passport card

    "...the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) provides that United States citizens and nonimmigrant aliens may enter the United States only with passports or such alternative documents as the Secretary of Homeland Security may designate as satisfactorily establishing identity and citizenship... The vicinity RFID electronic chip contains only one item of information--a unique identifying number that has meaning only inside the secure CBP computer system. No other form of personally identifiable information, such as name, date of birth, SSN, place of birth etc., will be electronically stored on the passport card or transmitted through RFID. All personal information will be contained in DHS systems and will only be accessible by authorized personnel through secure networks. Upon receipt of the passport card number, the border crosser's personal information will be downloaded from the CBP system and provided to the CBP officer. The CBP officer will then interview the individual, verify their identities, and determine the appropriate action to take. The WHTI passport card approach was not designed to be an automated system, and the use of vicinity RFID technology in this final rule reflects this reality. Rather, the RFID-based approach allows the CBP officers to do their jobs better and faster." [Federal Register: December 31, 2007 (Volume 72, Number 249)][Rules and Regulations][Page 74169-74173]

    * Open Access to Personal Data on E-Gov Sites Expose Citizens to ID Theft

    Washington Post, Online Records May Aid ID Theft, Government Sites Post Personal Data, By Bill Brubaker: "Social Security numbers are readily available in many courthouses -- in land records and criminal and civil case