3rd Circuit to Mull Privacy of Cell Phone Data, Shannon P. Duffy: "In a case that could prove to be one of the most important privacy rights battles of the modern era, the 3rd U.S. Circuit Court of Appeals will hear argument this week on the proper legal standard to apply when prosecutors demand cell phone location data. The data, which are recorded about once every seven seconds whenever a cell phone is turned on, effectively track the whereabouts and the comings and goings of every cell phone user. Justice Department lawyers argue that, by statute, they need only show "reasonable grounds" to believe that such records are "relevant and material to an ongoing criminal investigation." But a federal magistrate judge in Pittsburgh strongly disagreed in February 2008, issuing a 52-page opinion that said the prosecutors must meet the "probable cause" standard."
Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "The Office of Management and Budget has released the federal budget for fiscal year 2011. The budget proposes funding for several new surveillance initiatives, including over $700 million to the Department of Homeland Security for "Passenger Aviation Security". The Department would like to purchase 500 body scanner machines for U.S. airports, bringing the projected total number of machines to 1,000 at a cost of over $200 million by the end of 2011. The new budget also includes several hundred million dollars for the Department of Justice's national security programs, which were recently the subject of a critical Inspector-General's report for improper use of authority."
Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence, Dennis C. Blair, Director of National Intelligence, February 2, 2010
"EPIC submitted comments to the FTC prior to the agency’s second privacy roundtable. EPIC warned of the ongoing privacy risks associated with cloud computing and social networking privacy, highlighting the Google cloud computing complaint and Facebook privacy complaint filed by EPIC in 2009. The comments note that the FTC has failed to take any meaningful action with respect to either complaint, demonstrating the Commission's “lack of leadership and technical expertise.” EPIC's comments also draw attention to the success of international privacy initiatives, in hopes of encouraging the FTC to take meaningful action to protect American consumers."
OPNAV NOTICE 5400, January 11, 2010: "Action will establish U. S. Fleet Cyber Command as an echelon II command to serve as the Navy Component Commander to United States Cyber Command upon its establishment. Interim reporting will be to United States Strategic Command. Command will provide for operational employment of the Navy's cyber, network operations, information operations, cryptologic and space forces, and serve as the Navy's Service Cryptologic Component Commander to the National Security Agency. U.S. Tenth Fleet will be re-commissioned to control operations supporting U. S. Fleet Cyber Command."
"This Ponemon Institute 2009 Annual Study: Cost of a Data Breach - Understanding Financial Impact, Customer Turnover, and Preventive Solutions examines the costs incurred by 45 organizations after experiencing a data breach. Results were not hypothetical responses; they represent the cost estimates of activities resulting from the actual data loss incidents. This is the fifth annual survey of this issue. Breaches included in the survey ranged from approximately 5,000 records to more than 101,000 records from 15 different industry sectors."
News release: "The Federal Trade Commission today released the agenda for its second roundtable on consumer privacy issues scheduled for January 28, 2010. The second roundtable, hosted by the Berkeley Center for Law and Technology, will take place at the University of California, Berkeley, School of Law Booth Auditorium. The roundtable is the second of three public events designed to explore the privacy challenges that are posed by technology and business practices that collect and use consumer data. The agenda continues the public dialogue by focusing on how technology affects consumer privacy, including its potential to weaken and/or strengthen privacy protections. The roundtable will also explore privacy implications of several evolving technologies, including social networking and other platform services, cloud computing, and mobile computing."
A Review of the Federal Bureau of Investigation's Use of Exigent Letters and Other Informal Requests for Telephone Records, January 2010, Unclassified, Redacted.
Follow up to previous postings on government implementation of whole body scanning technology at airports, news that EPIC has posted more than 250 pages of documents it obtained in a Freedom of Information Act lawsuit concerning body scanners. The documents, released by the Department of Homeland Security, reveal that Whole Body Imaging machines can record, store, and transmit digital strip search images of Americans. This contradicts assurances made by the TSA. The documents include TSA Procurement Specifications, TSA Operational Requirements, TSA contract with L3, TSA contract with Rapiscan (1), and TSA contract with Rapiscan (2). The DHS has withheld other documents that EPIC is seeking.
The New York Review of Books - Who's in Big Brother's Database? By James Bamford - The Secret Sentry: The Untold History of the National Security Agency, by Matthew M. Aid, Bloomsbury.
News release: "The Federal Trade Commission, as required by The Do-Not-Call Registry Fee Extension Act of 2007, has approved two reports to Congress: a biennial report focusing on the use of the Do Not Call Registry by both consumers and businesses, as well as the impact that new technologies have had on the Registry, and a one-time report on enforcement efforts and consumers’ perceptions of the Registry’s effectiveness. As detailed in the first report, the Do Not Call Registry now has more than 191 million active registrations, and more than 18 million new phone numbers were registered in Fiscal Year (FY) 2009. During that time, approximately 45,000 sellers, telemarketers, and exempt organizations such as charities subscribed to access the Registry, paying fees totaling more than $15.5 million. In addition, during FY 2009, the FTC implemented a new procedure for tracking disconnected and reassigned phone numbers, which addresses problems that may arise as a result of new telecommunications technologies and the ease of transporting numbers from one telephone service provider to another. According to the second report, since 2003 when the Do Not Call Registry was put in place, research has consistently shown widespread public awareness of the program and a steady increase in the number of phone numbers registered. Together, the FTC and the Federal Communications Commission have collected penalties totaling over $22 million from Registry violators, and due to these enforcement actions and the agencies’ consumer education campaigns, consumers who have joined the Registry have reported dramatic reductions in the number of unwanted calls they receive."
Follow up to previous postings on government implementation of whole body scanning technology at airports, see Presidential Report on Radiation Protection Advice: Screening of Humans for Security Purposes Using Ionizing Radiation Scanning Systems - A Report Prepared by the National Council on Radiation Protection and Measurements: "This Presidential Report from the National Council on Radiation Protection and Measurements (NCRP) presents radiation protection advice concerning ionizing radiation-producing devices that are being evaluated for various uses in screening of humans for the purpose of security. Chief among the devices being evaluated at the present time are scanning systems that utilize x rays. This report addresses systems utilizing ionizing radiation, but also describes briefly some systems under consideration that utilize nonionizing radiation sources."
News release: "The Federal Trade Commission today issued a Fraud Forum staff report that examines more effective ways to protect consumers from fraudulent schemes and focus the collective knowledge and experience of forum participants to fight fraud. The February 2009 Forum was attended by academics, consumer advocates, industry representatives, and state and federal law enforcers. The Fraud Forum Report summarizes information presented at the event during panel and small group discussions on a range of issues including: the psychology of scammers and their victims, fraud statistics, under-reported fraud, and the role of private industry in detecting and preventing fraud."
Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping, December 3, 2009: "Depending on one’s perspective, wiretapping and electronic eavesdropping are either “dirty business,” essential law enforcement tools, or both. This is a very general overview of the federal statutes that proscribe wiretapping and electronic eavesdropping and of the procedures they establish for law enforcement and foreign intelligence gathering purposes. Although the specifics of state law are beyond the scope of this report, citations to related state statutory provisions have been appended. The text of pertinent federal statutes and a selected bibliography of legal materials appear as appendices as well."
"...e-reader technology also presents significant new threats to reader privacy. E-readers possess the ability to report back substantial information about their users' reading habits and locations to the corporations that sell them. And yet none of the major e-reader manufacturers have explained to consumers in clear unequivocal language what data is being collected about them and why. As a first step towards addressing these problems, EFF has created a first draft of our Buyer's Guide to E-Book Privacy. We've examined the privacy policies for the major e-readers on the market to determine what information they reserve the right to collect and share."
News release: "EPIC has filed a complaint with the Federal Trade Commission, urging the FTC to open an investigation into Facebook’s revised privacy settings. The EPIC complaint, signed by nine other privacy and consumer organizations, states that the "changes violate user expectations, diminish user privacy, and contradict Facebook’s own representations." EPIC cites widespread opposition from Facebook users, security experts, bloggers, and news organizations. A previous EPIC complaint to the FTC, concerning the data broker industry, produced the largest settlement in the FTC's history. For more information, see EPIC: In re Facebook and EPIC Facebook Privacy."
Follow up to previous postings on government implementation of whole body scanning technology at airports, this news: On December 17, 2009, EPIC filed a lawsuit against the Department of Justice concerning the use of devices that capture images of individuals stripped naked. The Transportation Security Administration has confirmed the Whole Body Imaging machines are being used in at least one Virginia federal court by the US Marshals Service. EPIC submitted a FOIA request for information about these devices, including the contracts with the manufacturer of the machines and information about technical specifications and training materials. The Marshals Service failed to respond adequately to the request. EPIC filed suit, saying that the agency had not performed a sufficient search and should disclose the documents requested.
News release: "A new booklet released today by the Federal Trade Commission and other government agencies helps parents and teachers steer kids safely through the online and mobile phone worlds. Net Cetera: Chatting with Kids About Being Online was unveiled...by FTC Chairman Jon Leibowitz, U.S. Secretary of Education Arne Duncan, and Federal Communications Commission Chairman Julius Genachowski."
"The Federal Trade Commission [is hosting] a series of day-long public roundtable discussions to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data. Such practices include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation." Via EPIC, The second privacy roundtable will be held on Data Privacy Day - January 28, 2010 - at the University of California, Berkeley School of Law.
News release: "Eight federal regulatory agencies today released a final model privacy notice form that will make it easier for consumers to understand how financial institutions collect and share information about consumers. Under the Gramm-Leach-Bliley Act (GLB Act), institutions must notify consumers of their information-sharing practices and inform consumers of their right to opt out of certain sharing practices. The model form issued today can be used by financial institutions to comply with these requirements. The Financial Services Regulatory Relief Act of 2006 amended the GLB Act to require the agencies to propose a succinct and comprehensible model form that allows consumers to easily compare the privacy practices of different financial institutions, and has an easy-to-read font...The final rule provides that a financial institution that chooses to use the model form obtains a "safe harbor" and will satisfy the disclosure requirements for notices. The rule also removes, after a transition period, the sample clauses now included in the appendices of the agencies’ privacy rules. The final model privacy form was developed jointly by the Board of Governors of the Federal Reserve System, Commodity Futures Trading Commission, Federal Deposit Insurance Corporation, Federal Trade Commission, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, and Securities and Exchange Commission."
"The American Civil Liberties Union today released a new report, Enforcing Privacy: Building American Institutions to Protect Privacy in the Face of New Technology and Government Powers, November 2009, written by Jay Stanley, recommending steps Congress should take to create the vigorous privacy oversight institutions that are desperately needed in the United States to counterbalance the rush of new technologies and expanding government powers, and called for the Obama administration to move quickly to fill the seats on the Privacy and Civil Liberties Oversight Board (PCLOB)."
Follow up to previous postings on airport whole body imaging technology, "EPIC filed a Freedom of Information Act lawsuit challenging the Department of Homeland Security's failure to make public details about the agency's Whole Body Imaging program. The devices capture detailed naked images of air travelers in the United States. After the agency announced that the body scanners would become the primary screening device in US airports, EPIC demanded that the agency disclose records that describe the scanners' capacity to save and transmit images. In June, EPIC sent a letter to the Secretary of Homeland Security Janet Napolitano urging her to suspend the digital strip searches."
"CDT released a whitepaper highlighting policy issues related to responsible user-centric identification systems. The paper comes as the U.S. Government begins launching a series of pilot programs that will use third party user credentials to authenticate users to federal Web sites and discusses possible challenges to be considered as these activities are expanded in order to provide a better user experience."
"The American Constitution Society for Law and Policy (ACS) hosted an event exploring challenges to privacy in a growing digital age. The event featured a keynote address by Christopher N. Olsen, the Assistant Director in the Division of Privacy and Identity Protection at the Federal Trade Commission, which was followed by a diverse panel of experts who discussed the myriad issues surrounding the availability of information in cyberspace, including privacy concerns such as potential government dissemination of financial and health records."
EPIC: "In a crisply worded declaration, over 100 civil society organizations and privacy experts from more than 40 countries have set out an expansive statement on the future of privacy. The Madrid Declaration affirms that privacy is a fundamental human right and reminds "all countries of their obligations to safeguard the civil rights of their citizens and residents." The Madrid Declaration warns that "privacy law and privacy institutions have failed to take full account of new surveillance practices." The Declaration urges countries "that have not yet established a comprehensive framework for privacy protection and an independent data protection authority to do so as expeditiously as possible." The civil society groups and experts recommend a "moratorium on the development or implementation of new systems of mass surveillance." Finally, the Declaration calls for the "establishment of a new international framework for privacy protection, with the full participation of civil society, that is based on the rule of law, respect for fundamental human rights, and support for democratic institutions." The Madrid Declaration was released at the Public Voice conference in Madrid on Global Privacy Standards."
Official Google Blog: "In an effort to provide you with greater transparency and control over your own data, we've built the Google Dashboard. Designed to be simple and useful, the Dashboard summarizes data for each product that you use (when signed in to your account) and provides you direct links to control your personal settings. Today, the Dashboard covers more than 20 products and services, including Gmail, Calendar, Docs, Web History, Orkut, YouTube, Picasa, Talk, Reader, Alerts, Latitude and many more. The scale and level of detail of the Dashboard is unprecedented, and we're delighted to be the first Internet company to offer this — and we hope it will become the standard. [Includes a quick video] to learn more and then try it out for yourself at www.google.com/dashboard."
New York Times: "In September 2008, the Bush administration changed domestic intelligence-gathering rules. The Federal Bureau of Investigation's interpretation of those rules was recently made public when the bureau released a redacted copy of its "Domestic Investigations and Operation Guide" in response to a Freedom of Information lawsuit. The new rules have given F.B.I. agents the most power in national security matters that they have had since the post-Watergate era."
"EPIC joined the Privacy Coalition letter sent to the House Committee on Homeland Security urging them to investigate the Department of Homeland Security's (DHS) Chief Privacy Office. DHS is unrivaled in its authority to develop and deploy new systems of surveillance. The letter cited DHS use of Fusion Center, Whole Body Imaging, funding of CCTV Surveillance, and Suspicionless Electronic Border Searches as examples of where the agency is eroding privacy protections."
News release: "The Federal Communications Commission (FCC) today released a Notice of Inquiry (NOI) asking how children can be served and protected and parents can be further empowered in the new digital media landscape. The NOI comes almost 20 years after enactment of the Children’s Television Act and follows the Commission’s recently issued Child Safe Viewing Act Report, which examined parental control technologies for video and audio programming. Children live in a dramatically different media environment from the one their parents and grandparents grew up in decades ago. From television to mobile devices to the Internet, electronic media today offer an array of opportunities to, among other things, access educational content, communicate with family and peers, and acquire the skills and technological literacy necessary to compete in a global economy. However, digital media can also pose risks of harm to children, including exposing them to exploitative advertising, inappropriate content, and cyberbullying, as well as potentially contributing to childhood obesity and other negative health impacts. The NOI asks to what extent children are using electronic media today, the benefits and risks this presents, and the ways in which parents, teachers, and children can help reap the benefits while minimizing the risks of using these technologies."
Evaluation Report, The Department's Unclassified Cyber Security Program - 2009. DOE/IG-0828, October 2009
Medicare Part D Plan Sponsor Electronic Prescribing Initiatives (OEI-05-08-00322), October 16, 2009
Follow up to previous postings on airport whole body imaging technology, this article from the Economist.com: "Much excitement in Manchester where trials have started of Britain’s first whole-body scanner. The machine takes X-ray photographs of passengers, and can reveal concealed threats without requiring the removal of clothing."
News release: "ChoicePoint, Inc., one of the nation’s largest data brokers, has agreed to strengthened data security requirements to settle Federal Trade Commission charges that the company failed to implement a comprehensive information security program protecting consumers’ sensitive information, as required by a previous court order. This failure left the door open to a data breach in 2008 that compromised the personal information of 13,750 people and put them at risk of identity theft. ChoicePoint has now agreed to a modified court order that expands its data security assessment and reporting duties and requires the company to pay $275,000. In April 2008, ChoicePoint (now a subsidiary of Reed Elsevier, Inc.) turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off, according to the FTC. During that period, an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers. The searches continued for 30 days. After discovering the breach, the company brought the matter to the FTC’s attention."
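The control failure in the ChoicePoint release is not that a monitor existed and missed the searches, but that the monitor was off for four months and nobody noticed. The practical check is to monitor the monitor: treat the access-audit tool as a source that must emit a heartbeat, alert when it goes silent, and, after the fact, reconcile database query records against the silent period to size the exposure. The following is an added example, not ChoicePoint's tooling or anything the FTC order specifies; the heartbeat and query log formats, the two-day silence threshold and the sample entries are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data, not real ChoicePoint logs. The dates are chosen to
# mimic a monitor that stops reporting in early April and resumes in August.
HEARTBEAT_LOG = """2008-03-30T00:00:00 monitor=db-access-audit status=ok
2008-03-31T00:00:00 monitor=db-access-audit status=ok
2008-04-01T00:00:00 monitor=db-access-audit status=ok
2008-08-05T00:00:00 monitor=db-access-audit status=ok
2008-08-06T00:00:00 monitor=db-access-audit status=ok
"""

# Constructed database query audit records from a source independent of the
# monitor (for example the database engine's own query log).
QUERY_LOG = """2008-03-31T10:12:00 user=analyst7 db=consumer-records rows=12
2008-04-15T02:45:00 user=svc-batch db=consumer-records rows=4800
2008-05-02T03:10:00 user=svc-batch db=consumer-records rows=5200
2008-08-06T09:00:00 user=analyst7 db=consumer-records rows=3
"""


def parse_timestamps(text):
    """Return the ISO-8601 timestamp at the start of each non-empty line."""
    return [datetime.fromisoformat(line.split()[0])
            for line in text.strip().splitlines() if line.strip()]


def find_silent_gaps(beats, max_gap=timedelta(days=2)):
    """Return (last_seen, next_seen) for every interval between consecutive
    heartbeats that is longer than max_gap, i.e. periods with no monitoring."""
    beats = sorted(beats)
    return [(prev, nxt) for prev, nxt in zip(beats, beats[1:]) if nxt - prev > max_gap]


def unmonitored_queries(gaps, query_times):
    """Return the query timestamps that fall inside any silent gap."""
    return [q for q in query_times if any(start < q < end for start, end in gaps)]


def check_monitor(heartbeat_log, query_log, max_gap=timedelta(days=2)):
    """Run the two checks together and return (gaps, unmonitored query times)."""
    gaps = find_silent_gaps(parse_timestamps(heartbeat_log), max_gap)
    return gaps, unmonitored_queries(gaps, parse_timestamps(query_log))


if __name__ == "__main__":
    gaps, unmonitored = check_monitor(HEARTBEAT_LOG, QUERY_LOG)
    for start, end in gaps:
        print(f"monitor silent for {(end - start).days} days: {start} -> {end}")
    print(f"{len(unmonitored)} queries ran with no access monitoring")
```

In production the heartbeat check runs continuously and pages on the first missed interval; the retrospective version here is what an incident responder runs to establish how long the blind spot lasted and which queries fell inside it. The query source must be independent of the monitor, otherwise switching the monitor off also hides the queries.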
Legal Implications of Cloud Computing - Part Two (Privacy and the Cloud): As a follow-up to last month's article that provided an overview of cloud computing in the context of significant legal issues, this article by Tanya Forsheit reviews the issues of privacy and cross-border data transfers.
Who's in Big Brother's Database? By James Bamford - A review of The Secret Sentry: The Untold History of the National Security Agency by Matthew M. Aid.
Kate Mosher in The Recorder: "Under a bill signed into law by the governor this week and sponsored by San Francisco District Attorney Kamala Harris, prosecutors hope witnesses in the state's relocation program will be harder to find through Internet searching. Gang members have targeted witnesses through Internet search engines even when witnesses weren't aware their personal information was online, said Sen. Mark Leno, who authored SB 748, which was signed Sunday. The new law goes after people or agencies that disclose phone numbers, addresses or other identifying information of protected witnesses."
News release: "Increases in global contraceptive use have contributed to a decrease in the number of unintended pregnancies and, in turn, a decline in the number of abortions, which fell from an estimated 45.5 million procedures in 1995 to 41.6 million in 2003. While both the developed and the developing world experienced these positive trends, developed regions saw the greatest progress. Within the developing world, improvement varied widely, with Africa lagging behind other regions, according to Abortion Worldwide: A Decade of Uneven Progress, a major new Guttmacher Institute report released today."
National Identity Theft Prevention Week - UK's Fraud Prevention Service resources:
News release: "To promote cyber safety outreach and education, the FCC recently partnered with OnGuardOnline.gov, a joint effort of 12 federal agencies and 18 non-government organizations, developed and managed by the FTC. OnGuardOnline.gov provides practical and timely tips to help consumers be on guard against Internet fraud, secure their computers, and protect their personal information. Among the recommendations that consumers should follow:
FBI news release: "The largest number of defendants ever charged in a cyber crime case have been indicted in a multinational investigation conducted in the United States and Egypt that uncovered a sophisticated “phishing” operation that fraudulently collected personal information from thousands of victims that was used to defraud American banks. [October 7, 2009], authorities in several United States cities arrested 33 of 53 defendants named in an indictment returned last week by a federal grand jury in Los Angeles. Several defendants charged in the indictment are being sought this morning by law enforcement. Additionally, authorities in Egypt have charged 47 defendants linked to the phishing scheme. The United States government is extremely grateful for the extraordinary assistance provided by the Egyptian government in this matter."
Viviane Reding, Member of the European Commission in charge of Information Society and Media, The Future of the Internet and Europe's Digital Agenda - Brussels, 6 October 2009
National Law Journal: "The economy has employers extra jittery about company secrets getting out, so nervous that they're hiring staff just to monitor outbound e-mails. That's the conclusion of a recent study by Proofpoint, an Internet security and data loss prevention company, which found that 38 percent of large U.S. employers are monitoring outbound e-mail to prevent data leaks, up from 29 percent in 2008."
News release: "Individuals’ genetic information will have greater protections through new regulations issued today by the U.S. Departments of Health and Human Services (HHS), Labor, and the Treasury. The interim final rule will help ensure that genetic information is not used adversely in determining health care coverage and will encourage more individuals to participate in genetic testing, which can help better identify and prevent certain illnesses."
New York Times: "About two-thirds of Americans object to online tracking by advertisers — and that number rises once they learn the different ways marketers are following their online movements, according to a new survey from professors at the University of Pennsylvania and the University of California, Berkeley."
Statement of Glenn A. Fine, Inspector General, U.S. Department of Justice before the Senate Committee on the Judiciary concerning Reauthorizing the USA Patriot Act, September 23, 2009
News release: "A judge ordered the government Thursday to release more records about the lobbying campaign to provide immunity to the telecommunications giants that participated in the NSA's warrantless surveillance program. U.S. District Judge Jeffrey S. White ordered the records be provided to the Electronic Frontier Foundation (EFF) by October 9, 2009. The decision is part of EFF's long-running battle to gather information about telecommunications lobbying conducted as Congress considered granting immunity to companies that participated in illegal government electronic surveillance. Telecom immunity was eventually passed as part of the FISA Amendments Act (FAA) of 2008, but a bill that would repeal the immunity -- called the JUSTICE Act -- was introduced in the Senate last week."
Sanitization and Disposal of Excess Information Technology Equipment (Report No. D-2009-104)
"A fast-growing FBI data-mining system billed as a tool for hunting terrorists is being used in hacker and domestic criminal investigations, and now contains tens of thousands of records from private corporate databases, including car-rental companies, large hotel chains and at least one national department store, declassified documents obtained by Wired.com show. Headquartered in Crystal City, Virginia, just outside Washington, the FBI’s National Security Branch Analysis Center (NSAC) maintains a hodgepodge of data sets packed with more than 1.5 billion government and private-sector records about citizens and foreigners, the documents show, bringing the government closer than ever to implementing the “Total Information Awareness” system first dreamed up by the Pentagon in the days following the Sept. 11 attacks."
EU Project INDECT - "The main objectives of the INDECT project are: to develop a platform for: the registration and exchange of operational data, acquisition of multimedia content, intelligent processing of all information and automatic detection of threats and recognition of abnormal behaviour or violence, to develop the prototype of an integrated, network-centric system supporting the operational activities of police officers, providing techniques and tools for observation of various mobile objects, to develop a new type of search engine combining direct search of images and video based on watermarked contents, and the storage of metadata in the form of digital watermarks, to develop a set of techniques supporting surveillance of internet resources, analysis of the acquired information, and detection of criminal activities and threats."
Following this January 9, 2009 memo, Legal Issues Relating to the Testing, Use and Deployment of an Intrusion-Detection System (EINSTEIN 2.0) to Protect Unclassified Computer Networks in the Executive Branch, this DOJ memo released September 18, 2009: Legality of Intrusion-Detection System To Protect Unclassified Computer Networks In Executive Branch - "Operation of the EINSTEIN 2.0 intrusion-detection system complies with the Fourth Amendment to the Constitution, title III of the Omnibus Crime Control and Safe Streets Act of 1968, the Foreign Intelligence Surveillance Act, the Stored Communications Act, and the pen register and trap and trace provisions of chapter 206 of title 18, United States Code, provided that certain log-on banners or computer-user agreements are consistently adopted, implemented, and enforced by executive departments and agencies using the system. Operation of the EINSTEIN 2.0 system also does not run afoul of state wiretapping or communications privacy laws."
News release and Fact Sheet: "U.S. Senators Russ Feingold (D-WI), Dick Durbin (D-IL), Jon Tester (D-MT), Tom Udall (D-NM), Jeff Bingaman (D-NM), Bernie Sanders (I-VT), Daniel Akaka (D-HI) and Ron Wyden (D-OR) have introduced legislation to fix problems with surveillance laws that threaten the rights and liberties of American citizens. The Judicious Use of Surveillance Tools In Counterterrorism Efforts (JUSTICE) Act would reform the USA PATRIOT Act, the FISA Amendments Act and other surveillance authorities to protect Americans’ constitutional rights, while preserving the powers of our government to fight terrorism. The JUSTICE Act reforms include more effective checks on government searches of Americans’ personal records, the “sneak and peek” search provision of the PATRIOT Act, “John Doe” roving wiretaps and other overbroad authorities. The bill will also reform the FISA Amendments Act, passed last year, by repealing the retroactive immunity provision, preventing “bulk collection” of the contents of Americans’ international communications, and prohibiting “reverse targeting” of innocent Americans. And the bill enables better oversight of the use of National Security Letters (NSLs) after the Department of Justice Inspector General issued reports detailing the misuse and abuse of the NSLs. The Senate Judiciary Committee will hold a hearing on Wednesday, September 23rd, on reauthorization of the USA PATRIOT Act."
"CDT told a congressional panel today that providing the public with direct, online access to complex government programs, such as TARP, would strengthen oversight. Media, watchdog groups, researchers and citizens could then better analyze the data for a wide variety of purposes. CDT asked the House Oversight and Investigations Subcommittee to ensure that legislation explicitly require that TARP resources be made available to the public on the Web. CDT also noted that more sophisticated data--such as location and mapping data--are being collected today by government agencies; however, aging federal privacy law needs to be updated to ensure these new types of information are protected as well."
News release: "Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., and Ranking Member Susan Collins, R-Me., Sunday said the latest trend in cybercrime is directed at small to medium-sized companies that have been robbed of both data and dollars...The thieves steal in amounts under $10,000 to avoid triggering a bank report required by anti-money laundering law. The malware is so well written that the traffic seems to be coming from an authorized computer – and possibly is a legitimate computer that has been commandeered. The money is then transferred to “money mules” who may have been recruited over internet job boards or who have posted resumes on a job listing service...The Committee will hold a hearing September 14, 2009, Cyber Attacks: Protecting Industry Against Growing Threats, to examine this new trend, and the Senators plan to introduce broad cyber security legislation later this fall that will improve cyber security in the private sector."
Follow up to August 1, 2009 posting - Alleged International Hacker Indicted for Massive Attack on U.S. Retail and Banking Networks - today's news release: "An international computer hacker pleaded guilty today to multiple charges relating to hacking activity and credit card fraud, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, Acting U.S. Attorney for the District of Massachusetts Michael Loucks, U.S. Attorney for the Eastern District of New York Benton J. Campbell and Director of the U.S. Secret Service Mark Sullivan. More than 40 million credit and debit card numbers were stolen from major U.S. retailers as a result of the hacking activity. Albert Gonzalez, 28, of Miami, pleaded guilty today to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft relating to hacks into numerous major U.S. retailers including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. Gonzalez was indicted in August 2008 in the District of Massachusetts on charges related to these hacks."
"EPIC released the Privacy Report Card for the Obama Administration at a morning briefing held at the National Press Club. EPIC gave the Administration an “Incomplete” for Consumer Privacy, A- for Medical Privacy, C+ for Civil Liberties, and a B for Cyber Security. Privacy Coalition members participating in the event included US PIRG, Consumer Federation of America, the Liberty Coalition, Association of American Physicians and Surgeons, and the Bill of Rights Defense Committee. In December 2008, the Privacy Coalition urged the new Administration to address growing public concerns about privacy protection."
"CDT filed a "friend of the court" brief in the Southern District of New York [September 4, 2009] requesting that key privacy requirements be included in the Court's approval of the class-action settlement that would dramatically expand Google Book Search. CDT previously released a report in July analyzing the privacy implications of this settlement and is urging the judge to guarantee strong privacy safeguards for the exciting new services Google will be able to offer. The brief asks that the court approve the proposed settlement of the copyright infringement lawsuit between Google and authors and publishers, but to retain oversight in order to monitor implementation of a privacy plan."
Google Books Privacy Policy, September 3, 2009
Online Behavioral Tracking and Targeting Concerns and Solutions, Legislative Primer September 2009 - from the Perspective of: Center for Digital Democracy, Consumer Federation of America, Consumers Union, Consumer Watchdog, Electronic Frontier Foundation, Privacy Lives, Privacy Rights Clearinghouse, Privacy Times, U.S. Public Interest Research Group, The World Privacy Forum.
"Tracking people’s every move online is an invasion of privacy. It’s like being followed by an invisible stalker – individuals aren’t aware that it’s happening, who is tracking them, and how the information will be used. They’re not asked for their consent and have no meaningful control over the collection and use of their information, often by third-parties with which they have no relationships."
News release: "Beginning September 1, 2009, prerecorded commercial telemarketing calls to consumers – commonly known as robocalls – will be prohibited, unless the telemarketer has obtained permission in writing from consumers who want to receive such calls, the Federal Trade Commission announced today...The new requirement is part of amendments to the agency’s Telemarketing Sales Rule (TSR) that were announced a year ago. After September 1, sellers and telemarketers who transmit prerecorded messages to consumers who have not agreed in writing to accept such messages will face penalties of up to $16,000 per call."
OIG-09-64 - Role of the No Fly and Selectee Lists in Securing Commercial Aviation (PDF, 63 pages) Redacted, July 2009.
"A new publication that recommends best practices for the next generation of portable biometric acquisition devices—Mobile ID—has been published by Commerce’s National Institute of Standards and Technology (NIST). Devices that gather, process and transmit an individual’s biometric data—fingerprints, facial and iris images—for identification are proliferating. Previous work on standards for these biometric devices has focused primarily on getting different stationary and desktop systems with hard-wired processing pathways to work together in an interoperable manner. But a new generation of small, portable and versatile biometric devices is raising new issues for interoperability."
News release: "The Federal Trade Commission has issued a final rule requiring certain Web-based businesses to notify consumers when the security of their electronic health information is breached. Congress directed the FTC to issue the rule as part of the American Recovery and Reinvestment Act of 2009. The rule applies to both vendors of personal health records – which provide online repositories that people can use to keep track of their health information – and entities that offer third-party applications for personal health records. These applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Consumers may benefit by using these innovations, but only if they are confident that their health information is secure and confidential."
News release: "Albert Gonzalez, 28, of Miami, Fla., was indicted today for conspiring to hack into computer networks supporting major American retail and financial organizations, and stealing data relating to more than 130 million credit and debit cards, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, Acting U.S. Attorney for the District of New Jersey Ralph J. Marra Jr. and U.S. Secret Service Assistant Director for Investigations Michael Merritt...The indictment, which details the largest alleged credit and debit card data breach ever charged in the United States, alleges that beginning in October 2006, Gonzalez and his co-conspirators researched the credit and debit card systems used by their victims; devised a sophisticated attack to penetrate their networks and steal credit and debit card data; and then sent that data to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine. The indictment also alleges Gonzalez and his co-conspirators also used sophisticated hacker techniques to cover their tracks and to avoid detection by anti-virus software used by their victims."
Federal Websites: Cookie Policy - Posted by Michael Fitzpatrick, Associate Administrator, OMB Office of Information and Regulatory Affairs, and Vivek Kundra, Federal CIO: "During the Open Government Initiative outreach, Federal employees and the public have asked us questions about the federal government’s policy on cookies. As part of our effort to create a more open and innovative government, we’re working on a new cookie policy that we’ll want your input on."
"In response to an EPIC Freedom of Information Act Request, the Government Services Administration released several contracts between the federal government and web 2.0 companies, including agreements with Blip.tv, Blist, Google (YouTube), Yahoo (Flickr), and MySpace. EPIC also obtained amendments to agreements with Facebook, Slideshare.net, Vimeo.com, and AddThis.com. The contracts do not address the privacy obligations of social media companies. The GSA letter to EPIC explained that “no specific Web 2.0 guidance currently exists,” but provided EPIC with Training Slides that raise privacy issues. The GSA Agreement with Google actually states that, “to the extent any rules or guidelines exist prohibiting the use of persistent cookies in connection with Provider Content applies to Google, Provider expressly waives those rules or guidelines as they may apply to Google.” Some of the agreements also permit companies to track users of government web sites for advertising purposes."
News release: "The out-of-court settlement sought in the US civil proceedings against UBS has been reached. The details of the arrangement were worked out between Switzerland and the USA over the last few days. The judge was informed during a telephone conference on Wednesday. The settlement now has to be signed by both states."
New York Times, And You Thought a Prescription Was Private: "...in fact, prescriptions, and all the information on them — including not only the name and dosage of the drug and the name and address of the doctor, but also the patient’s address and Social Security number — are a commodity bought and sold in a murky marketplace, often without the patients’ knowledge or permission..."
EPIC: "Senators Russ Feingold (D-WI) and Dick Durbin (D-IL) are drafting legislative reforms to revise the USA PATRIOT Act. The USA PATRIOT Act allows authorities to conduct surveillance without judicial review through the use of National Security Letters. The Senators asked the Attorney General and the Chairmen of the Senate Judiciary and Intelligence Committees to consider two previous bills that add protections to the PATRIOT Act. Pursuant to an EPIC lawsuit, a federal judge had ordered the Justice Department to provide for independent judicial inspection of documents relating to warrantless wiretapping. For more information, see EPIC USA PATRIOT Act, EPIC FISA, EPIC Wiretapping, and EPIC National Security Letters."
Fuchs, Christian. 2009. Social Networking Sites and the Surveillance Society. A Critical Case Study of the Usage of studiVZ, Facebook, and MySpace by Students in Salzburg in the Context of Electronic Surveillance. Salzburg/Vienna: Research Group UTI. ISBN 978-3-200-01428-2.
On Locational Privacy, and How to Avoid Losing it Forever, By Andrew J. Blumberg and Peter Eckersley, August 2009: "Over the next decade, systems which create and store digital records of people's movements through public space will be woven inextricably into the fabric of everyday life. We are already starting to see such systems now, and there will be many more in the near future...Locational privacy (also known as “location privacy”) is the ability of an individual to move in public space with the expectation that under normal circumstances their location will not be systematically and secretly recorded for later use. The systems discussed [in this report] have the potential to strip away locational privacy from individuals..."
wkyc.com: "TSA has revealed it is testing scanning technology at Cleveland Hopkins Airport that allows screeners to see through clothing. Despite public concern over what's viewed by some as invasive imagery, TSA is moving ahead with the advanced imagery technology it claims will improve security by allowing screeners to quickly scan passengers for weapons without a need for physical contact. Once testing and training are complete, the new scanners will go into full-time use at Hopkins."
Seeking Bypass: What Will Ultimately End Confidence in the Necessity of Parental Involvement Laws? - Public interest law advocate Diana Philip's commentary focuses specifically on the multifaceted, complex and challenging issues that encompass the dichotomy between reproductive health care and rights available to adult pregnant women and pregnant minors. Diana's position includes references to seminal legal cases as well as to selected scholarly literature in the field of juvenile reproductive health.
PASS ID Act Addresses Major Privacy Concerns in REAL ID: "CDT testified [July 15, 2009] before the Senate Committee on Homeland Security and Governmental Affairs hearing on reevaluating the REAL ID Act. CDT testified in support of the PASS ID Act, noting that it mitigates or corrects critical privacy and security flaws introduced by REAL ID, while still establishing minimum federal standards for the issuance of driver's licenses and ID cards. While the PASS ID Act does not address all flaws in the REAL ID program, merely repealing REAL ID does not address all of the underlying privacy and security risks posed by government identification programs, CDT said. PASS ID provides the opportunity to start building privacy guidance and protections into all state identification programs, addressing trends and issues that will exist regardless of REAL ID implementation."
News release: "Javelin Strategy & Research released its Fifth Annual Card Issuers’ Identity Safety Scorecard, which analyzes the top 25 U.S. card issuers’ capabilities for protecting customers from identity fraud. To compile the report, Javelin incorporated data from annual household, consumer, and issuer surveys using Javelin’s Prevention, Detection and Resolution™ criteria to accurately reflect customer demands and trends in how issuers protect against fraud. The Javelin scorecard is a structured assessment of each issuer’s fraud protection services. The scorecard ranks features that best empower two major victims of the nation’s $48B identity fraud problem—cardholders and issuers—showing how to turn the tables on a worrying method of crime."
"Center for Democracy and Technology (CDT) today released a Policy Post discussing privacy implications for the federal data clearinghouse known as data.gov and de-identification considerations for the Open Government Directive. While this initiative signifies a step in the right direction towards a more open and transparent federal government, it must be done in concert with protecting the privacy of individuals. The Policy Post recommends specialized review procedures for each data set on data.gov. In addition, it says that different levels of data protections should be implemented in different contexts and that de-identification guidelines should be adaptable over time. This is essential in addressing consumer privacy risks associated with handling large data sets, as is the case with data.gov."
PBS.org FRONTLINE - Ghana, Digital Dumping Ground: "When containers of old computers first began arriving in West Africa a few years ago, Ghanaians welcomed what they thought were donations to help bridge the digital divide. But soon exporters learned to exploit the loopholes by labeling junk computers "donations"...[What is on the hard drives of these junk PCs?] There is private financial data...credit card numbers, account information, records of online transactions the original owners may not have realized were even there. Ghana is listed by the U.S. State Department as one of the top sources of cyber crime in the world. And it's not just individuals who are exposed. One of the drives the team has purchased contains a $22 million government contract. It turns out the drive came from Northrop Grumman, one of America's largest military contractors. And it contains details about sensitive, multi-million dollar U.S. government contracts. They also find contracts with the Defense Intelligence Agency, NASA, even Homeland Security."
News release: "Today’s release of a report by several agency inspectors general reinforces the National Security Archive’s argument in our Freedom of Information Act lawsuit that the Justice Department should declassify and release the legal justifications for the surveillance program authorized by President Bush after the terrorist attacks of September 11, 2001. The new report from the inspectors general of the Department of Defense, Department of Justice, Central Intelligence Agency, National Security Agency, and Office of the Director of National Intelligence, criticizes the OLC memoranda that were used to justify warrantless surveillance of US citizens, several of which remain secret and are subject to the Archive’s lawsuit. The IGs state that there were “deficiencies” in the OLC memos, drafted by Deputy Assistant Attorney General John Yoo, and that the memos “raise[d] serious concerns” at DOJ because they omitted analysis of key cases and legal provisions and were not subject to the ordinary “rigorous peer review process.”"
News release: "The Pacific Research Institute (PRI) announced the release of a new report on Internet privacy and security. Click Confidential: A Privacy Primer for the Social Web, authored by Daniel Ballon, Ph.D., PRI senior fellow in technology studies, outlines the detrimental effects of government regulated privacy policy on emerging online businesses. He also provides effective strategies for empowering consumers while promoting choice and competition."
A Briefing On Public Policy Issues Affecting Civil Liberties Online from The Center For Democracy and Technology - The Dawn of the Location Enabled Web
News release: "A group of the nation's largest media and marketing trade associations...released self-regulatory principles to protect consumer privacy in ad-supported interactive media that will require advertisers and Web sites to clearly inform consumers about data collection practices and enable them to exercise control over that information...This cross-industry self-regulatory task force represents the first time that representatives of the entire advertising ecosystem have come together to develop principles for the use and collection of data in this important area to the economy."
Predicting Social Security numbers from public data, Alessandro Acquisti and Ralph Gross, Carnegie Mellon University, Pittsburgh, PA, May 5, 2009 (received for review January 18, 2009)
News release: "The Electronic Frontier Foundation (EFF) filed suit against the Department of Justice [on June 24, 2009], demanding the public release of the surveillance guidelines that govern investigations of Americans by the Federal Bureau of Investigation (FBI). The FBI's Domestic Investigative Operational Guidelines went into effect in December of 2008 and detail the Bureau's procedures and standards for implementing the Attorney General's Guidelines on approved surveillance strategies...The FBI's general counsel has acknowledged that "the expansion of techniques available [to the Bureau] has raised privacy and civil liberties concerns." Investigations can include the electronic collection of information from online sources and computer databases, as well as the use of grand jury subpoenas to obtain telephone and email subscriber information. Other recent policy changes allow the FBI to engage in free-ranging investigation of Internet sites, libraries, and religious institutions." [Darlene Fichter]
News release: "CDT's Health Privacy Project released a paper advocating the need for stronger standards for "de-identified" personal health information when used for medical research, to promote public health, or other specialized purposes. The paper notes that stronger standards are needed to ensure the "de-identified" data cannot be re-identified in order to maintain patient privacy and build trust in the health care system. CDT's paper makes several policy recommendations on how to strengthen current de-identification standards found in the Health Insurance Portability and Accountability Act Privacy Act and increase the use of anonymized data for many health care purposes."
U.S. Department of Education, Office of Inspector General, Information Technology Audits Division - Incident Handling and Privacy Act Controls over External Web Sites, Final Audit Report, Redacted, ED-OIG/A11I0006, June 10, 2009.
"Corporate websites generally offer more innovative features than public-sector sites, largely because the private sector spends about a third more on websites, according to a Brookings Institution study, Comparing Technology Innovation in the Private and Public Sectors. The study, released in mid-June, compares the websites of leading U.S. corporations with state and national governments, grades their overall performance, and examines nearly two dozen features of digital innovation.
Using a 100-point scale, the study report concludes that corporations have the most innovative websites (65 points) and are trailed as a group by state government (54) and federal government (51). The top-rated site in the federal government category, USA.gov (92), equaled the score for the top-rated corporate site, WellsFargo.com. Other top-rated federal sites were USDA.gov, GSA.gov, USPS.com, IRS.gov, and ED.gov. Delaware.gov (83.7) was the top-rated state site, followed by the official websites of Georgia, Florida, California, Massachusetts and Maine. The report also revealed that public websites provide more security and are better at protecting privacy. Although federal government websites were the most accessible to users with disabilities, 75 percent of its websites were not completely accessible."
"The Federal Trade Commission today described its comprehensive efforts to combat identity theft before the U.S. House Subcommittee on Information Policy, Census, and National Archives of the Committee on Oversight and Government Reform. The FTC also recommended legislative remedies to enhance the effectiveness of these efforts. The testimony presented by Betsy Broder, Assistant Director of the FTC’s Division of Privacy and Identity Protection, highlighted the agency’s leadership role in developing a national strategy to combat identity theft as part of the President’s Identity Theft Task Force. The Task Force issued 31 recommendations that promoted an enhanced data security culture in the public and private sectors, launched victim assistance initiatives, and improved law enforcement’s ability to pursue and punish identity thieves."
Joshua Gomez, Travis Pinnick, and Ashkan Soltani, UC Berkeley, School of Information - KnowPrivacy - June 1, 2009
2009 Trust, Security & Passwords Survey Research Brief: "This global "snooping" survey is the third in a series of benchmark studies focused on identifying security and privacy trends among IT workers. Results are intended to raise awareness about the risks associated with powerful, and often unmanaged, privileged users and passwords. While seemingly innocuous, these accounts provide workers with "keys to the kingdom," allowing them to access critically sensitive information, no matter where it resides."
News release: "United States Customs and Border Protection (CBP) policy permits officials to search the laptops and other electronic devices of travelers without suspicion of wrongdoing, according to a Freedom of Information Act (FOIA) request filed today by the American Civil Liberties Union. The ACLU filed the FOIA request with CBP, a component of the Department of Homeland Security (DHS), to learn how CBP's suspicionless search policy, first made public in July 2008, is impacting the constitutional rights of international travelers."
Berkman Center for Internet & Society at Harvard University report: Enhancing Child Safety & Online Technologies: Final Report of the Internet Safety Technical Taskforce to the Multi-State Working Group on Social Networking of State Attorneys General of the United States in December of 2008.
News release: "A rogue Internet Service Provider that recruits, knowingly hosts, and actively participates in the distribution of spam, child pornography, and other harmful electronic content has been shut down by a district court judge at the request of the Federal Trade Commission. The ISP’s upstream providers and data centers have disconnected its servers from the Internet."
News release: "Terms of Service" policies on websites define how Internet businesses interact with you and use your personal information. But most web users don't read these policies -- or understand that the terms are constantly changing. To track these ever-evolving documents, the Electronic Frontier Foundation (EFF) is launching "TOSBack": a "terms of service" tracker for Facebook, Google, eBay, and other major websites...At www.TOSBack.org, you can see a real-time feed of changes and updates to more than three dozen policies from the Internet's most popular online services. Clicking on an update brings you to a side-by-side before-and-after comparison, highlighting what has been removed from the policy and what has been added."
Information Security and Privacy Advisory Board (ISPAB), Toward A 21st Century Framework for Federal Government Privacy Policy, May 2009
Government Technology: "University researchers have discovered vulnerabilities in NXP's MIFARE Classic card, which belongs to a family of smart cards with more than 1 billion units distributed worldwide. These smart cards are used to access buildings and public transportation systems. One example is the Oyster card, which Londoners use for citywide travel. Researchers from Radboud University in the Netherlands received the Best Practical Paper Award at the IEEE Symposium on Security and Privacy on Monday for their work demonstrating how to pickpocket the card wirelessly."
"EPIC announced a national campaign today to suspend the use of "Whole Body Imaging" -- devices that photograph American air travellers stripped naked in US airports. The campaign responds to a policy reversal by the TSA which would now make the "virtual strip search" mandatory, instead of voluntary as originally announced. EPIC and others say that there are inadequate safeguards to prevent the misuse of the images. They are asking Homeland Security Secretary Janet Napolitano to suspend the program and to allow for public comment. For more information, see EPIC's Backscatter X-ray, Whole Body Imaging page."
New York Times Magazine: "Today companies are focusing on those customers most likely to honor their debts. And they are looking for ways to convince existing cardholders that if they only have enough money to pay one bill, it’s wiser to pay off their credit card than, say, the phone. Put another way, credit-card companies are becoming much more interested in understanding their customers’ lives and psyches, because, the theory goes, knowing what makes cardholders tick will help firms determine who is a good bet and who should be shown the door as quickly as possible."
Follow up to May 14, 2009 posting, FTC Files Suit to Stop Illegal Robocalls Pushing Vehicle “Warranty Extensions" - "Today Judge John F. Grady of the United States District Court for the Northern District of Illinois issued a temporary restraining order stopping telemarketing company Voice Touch, Inc., its principals James and Maureen Dunne, its business partner Network Foundations LLC, and Network Foundations principal Damian Kohlfeld from making any further calls in violation of the Do Not Call Registry and other provisions of the Telemarketing Sales Rule and the FTC Act. The FTC filed the case yesterday, charging that the defendants were operating a massive telemarketing scheme that used random, pre-recorded phone calls to deceive consumers into thinking that their vehicle’s warranty is about to expire."
News release: "The Federal Trade Commission is asking a federal court to shut down a telemarketing campaign that has been bombarding U.S. consumers with hundreds of millions of allegedly deceptive “robocalls” in an effort to sell them vehicle service contracts under the guise that they are extensions of original vehicle warranties. In two related complaints filed in federal court, the Commission took action against both the promoter of the phony extended auto warranties, as well as the telemarketing company that it hired to carry out its illegal, deceptive campaign."
Review of the European Data Protection Directive, by Neil Robinson, Hans Graux, Maarten Botterman, Lorenzo Valeri
News release: "The Federal Trade Commission today testified on the Commission’s efforts to promote better security for sensitive consumer information and to prevent the inadvertent sharing of consumers’ personal or sensitive data over Peer-to-Peer Internet file-sharing networks. As part of these efforts, the agency also announced that it had reached an agreement with one of the largest privately held lenders in the United States to resolve charges that the company violated federal law by failing to provide reasonable security for consumers’ sensitive information. In testimony before the House Energy and Commerce Committee Subcommittee on Commerce, Trade and Consumer Protection, Acting Director of the Bureau of Consumer Protection Eileen Harrington said the agency strongly supports the goals of H.R. 2221, the Data Accountability and Trust Act, which would require companies to put reasonable data security policies and procedures in place, and to notify consumers when there has been a data security breach that affects them. The legislation also would give the Commission the authority to obtain civil penalties for violations."
"A total of 1,891 applications to federal and state judges for orders authorizing the interception of wire, oral or electronic communications were reported in 2008. No applications were denied. This is a 14 percent decrease in the total of applications reported, compared to 2007. Fewer states—22 states compared to 24 in 2007—reported wiretap activity and the number of applications approved by state judges, 1,505, was down 14 percent from 2007. Federal judges approved 386 applications, down 16 percent from 2007. Orders for 28 wiretaps were approved for which no wiretaps actually were installed. Additional data on applications for wiretaps for the period January 1 through December 31, 2008, is available online in the 2008 Wiretap Report."
New York Review of Books: The Need to Roll Back Presidential Power Grabs, By Arlen Specter, April 16, 2009
"The Subcommittee on Communications, Technology, and the Internet held a hearing titled, Communications Networks and Consumer Privacy: Recent Developments on April 23, 2009. The hearing focused on technologies that network operators utilize to monitor consumer usage and how those technologies intersect with consumer privacy. The hearing explored three ways to monitor consumer usage on broadband and wireless networks: deep packet inspection (DPI); new uses for digital set-top boxes; and wireless Global Positioning System (GPS) tracking."
News release: "On April 17, 2009, HHS issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA). This guidance was developed through a joint effort by OCR, the Office of the National Coordinator for Health Information Technology (ONC), and the Centers for Medicare and Medicaid Services (CMS)."
F.B.I. and States Vastly Expand DNA Databases, by Solomon Moore: "Law enforcement officials are vastly expanding their collection of DNA to include millions more people who have been arrested or detained but not yet convicted. The move, intended to help solve more crimes, is raising concerns about the privacy of petty offenders and people who are presumed innocent. Until now, the federal government genetically tracked only convicts. But starting this month, the Federal Bureau of Investigation will join 15 states that collect DNA samples from those awaiting trial and will also collect DNA from detained immigrants — the vanguard of a growing class of genetic registrants. The F.B.I., with a DNA database of 6.7 million profiles, expects to accelerate its rate of growth from 80,000 new entries a year to 1.2 million by 2012 — a 17-fold increase. F.B.I. officials say they expect DNA processing backlogs — which now stand at more than 500,000 cases — to increase."
"The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a one-year period. It covers Internet threat activities, vulnerabilities, malicious code, phishing, spam and security risks as well as future trends. The fourteenth version of the report, released April 14, 2009, is now available."
"The Patient's Guide to HIPAA is the first comprehensive guide to medical privacy written expressly for patients with a practical eye as to how to use the law to protect privacy. It is a major privacy resource for patients, written directly and without legalese. The Patient's Guide to HIPAA is easy to navigate and digest; the guide is in the form of Frequently Asked Questions & Answers. All of the key points in HIPAA are included, from the 7 basic patient rights to how and when to get copies of health care records. Difficult situations that patients often encounter are included in the guide. The Patient's Guide to HIPAA was written by Robert Gellman, with assistance from Pam Dixon, John Fanning, and Dr. Lewis Lorton."
News release: "Organizations representing booksellers, librarians, publishers, and writers today launched the latest phase in their five-year campaign to restore the reader privacy safeguards that were stripped away by the USA Patriot Act. Since 2003, the Department of Justice has used its expanded power under the Patriot Act to issue more than 200 secret search orders under Section 215 and more than 190,000 National Security Letters (NSLs). Despite several efforts to reform the Patriot Act, the FBI can still search any records it believes are "relevant" to a terrorism investigation, including the records of people who are not suspected of criminal conduct."
Via EPIC: "A new study by leading scholars from the USA, Canada, UK, Netherlands and Italy has revealed that laws are reinforcing technology's ability to undermine the anonymity of citizens. The law reveals a preference for legislation requiring people to submit to identification and an increasing encroachment of rules into areas where there were previously no regulations prohibiting anonymity...The book is available for download under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Canada License, by chapter..."
Treasury Inspector General for Tax Administration, Progress Has Been Slow in Implementing Federal Security Configurations on Employee Computers, March 27, 2009, Reference Number: 2009-20-055
CDT: "A cybersecurity bill introduced April 01, 2009 in the Senate would give the federal government extraordinary power over private sector Internet services, applications and software. The Cybersecurity Act of 2009 would, for example, give the President unfettered power to shut down Internet traffic in emergencies or disconnect any critical infrastructure system or network on national security grounds. The bill would grant the Commerce Department the ability to override all privacy laws to access any information about Internet usage in connection with a new role in tracking cybersecurity threats. The bill, introduced by Sens. John Rockefeller and Olympia Snowe, would also give the government unprecedented control over computer software and Internet services, threatening innovation, freedom and privacy. CDT President and CEO Leslie Harris said, "The cybersecurity threat is real, but such a drastic federal intervention in private communications technology and networks could harm both security and privacy."
"The Federal Trade Commission has launched a Web site to help entities covered by the Red Flags Rule design and implement identity theft prevention programs. The Rule requires “creditors” and “financial institutions” to develop written programs to identify the warning signs of ID theft, spot them when they occur, and take appropriate steps to respond to those warning “red flags.”
WSJ: "Protests over [traffic] cameras aren't new, but they appear to be rising in tandem with the effort to install more. Suppliers estimate that there are now slightly over 3,000 red-light and speed cameras in operation in the U.S., up from about 2,500 a year ago. The Insurance Institute for Highway Safety says that at the end of last year, 345 U.S. jurisdictions were using red-light cameras, up from 243 in 2007 and 155 in 2006. One traffic-cam seller, Arizona-based American Traffic Solutions Inc., recently reported it had installed its 1,000th camera, with 500 more under contract in 140 cities and towns. Rival Redflex Holdings Ltd. says it had 1,494 cameras in operation in 21 states at the end of 2008, and expects to top 1,700 by the end of this year."
Database State, Executive Summary and Full Report - By Ross Anderson, Ian Brown, Terri Dowty, Philip Inglesant, William Heath, Angela Sasse, Foundation for Information Policy Research (March 2009)
News release: "The American Civil Liberties Union released a comprehensive report today examining widespread abuses that have occurred under the USA Patriot Act, a law that was rushed through Congress just 45 days after September 11. In the almost eight years since the passage of the controversial national security law, the Patriot Act has led to egregious government misconduct."
Unclassified: Office of the Director of National Intelligence Data Mining Report, 15 February 2008.
Identity Theft Resource Center, 2009 Breach List, 3/3/2009 - Breaches: 89 Exposed: 1,140,146.
"The Electronic Frontier Foundation (EFF) launched its Surveillance Self-Defense project today -- an online how-to guide for protecting your private data against government spying. EFF created the Surveillance Self-Defense site to educate Americans about the law and technology of communications surveillance and computer searches and seizures, and to provide the information and tools necessary to keep their private data out of the government's hands. The guide includes tips on assessing the security risks to your personal computer files and communications, strategies for interacting with law enforcement, and articles on specific defensive technologies such as encryption that can help protect the privacy of your data."
EPIC: "Homeland Security Secretary Janet Napolitano testified before the House Committees on Homeland Security and said that DHS plans to connect governmental databases containing personal information, expand the government's employment tracking system, promote passenger screening, use e-passports, employ watchlists and utilize contactless identity verification cards. EPIC has opposed Fusion Centers, the E-Verify program and the use of Backscatter X-Ray devices. EPIC has also objected to the use of RFIDs in passports, in Air Travel and in driver's licenses."
News release: "Federal Trade Commission staff...issued a report describing its ongoing examination of online behavioral advertising and setting forth revisions to proposed principles to govern self-regulatory efforts in this area. The key issue concerns how online advertisers can best protect consumers’ privacy while collecting information about their online activities...The report discusses the potential benefits of behavioral advertising to consumers, including the free online content that advertising generally supports and personalization that many consumers appear to value. It also discusses the privacy concerns that the practice raises, including the invisibility of the data collection to consumers and the risk that the information collected – including sensitive information regarding health, finances, or children – could fall into the wrong hands or be used for unanticipated purposes. Consistent with the FTC’s overall approach to consumer privacy, the report seeks to balance the potential benefits of behavioral advertising against the privacy concerns it raises, and to encourage privacy protections while maintaining a competitive marketplace."
News release: "President Obama has directed the National Security and Homeland Security Advisors to conduct an immediate review of the plan, programs, and activities underway throughout the government dedicated to cyber security. This 60-day interagency review will develop a strategic framework to ensure that U.S. Government cyber security initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector. "The national security and economic health of the United States depend on the security, stability, and integrity of our Nation’s cyberspace, both in the public and private sectors. The President is confident that we can protect our nation’s critical cyber infrastructure while at the same time adhering to the rule of law and safeguarding privacy rights and civil liberties," said Assistant to the President for Counterterrorism and Homeland Security John Brennan. Melissa Hathaway, who has served as Cyber coordination Executive to the Director of National Intelligence, will lead the review and will serve as Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils during the review period."
News release: "...experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale. The impact of these errors is far reaching. Just two of them led to more than 1.5 million web site security breaches during 2008 - and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies."
The Top 25 Errors are listed below in three categories:
"Center for Democracy and Technology (CDT) released a new assessment tool to help online advertising companies develop strong, appropriate privacy protections for the users they serve. Released to coincide with Data Privacy Day 2009, the Threshold Analysis for Online Advertising Practices is the result of extensive consultation among CDT, Internet companies and public interest advocates. It notes a series of simple tests companies can use to determine whether online advertising activities may trigger the need for additional privacy protections. The document also provides suggestions on how companies can begin putting those protections in place."
"The American Recovery and Reinvestment Act of 2009, adopted by the House this week, includes strong privacy provisions ("Subtitle D - Privacy") for the proposed medical health network. Among the key provisions: a ban on the sale of health information, audit trails, encryption, rights of access, improved enforcement mechanisms, and support for advocacy groups to participate in the regulatory process. Patient Privacy Rights has expressed support for the legislation. A similar bill, S. 336, is pending in the Senate. Senator Leahy has called for strong safeguards to protect America's health privacy. For more information, see EPIC's page on Medical Privacy."
Intel: "On January 28, 2009, the United States, Canada, and 27 European countries will celebrate Data Privacy Day together for the second time. Designed to raise awareness and generate discussion about data privacy practices and rights, Data Privacy Day activities in the United States have included privacy professionals, corporations, government officials, and representatives, academics, and students across the country. One of the primary goals of Data Privacy Day is to promote privacy awareness and education among teens across the United States. Data Privacy Day also serves the important purpose of furthering international collaboration and cooperation around privacy issues."
News release: "CDT today released a major policy paper intended to move the health privacy debate from its outdated focus on patient consent to a comprehensive framework that will provide more effective privacy protection. CDT is advocating for the inclusion of privacy protections in the President's economic stimulus bill, which contains at least $20 billion for a national health information technology network. CDT's paper argues that personal health information should easily flow for treatment, payment, and certain core administrative tasks without requiring patient consent, but that stricter limits need to be placed on marketing and other secondary uses."
"The IRS does not initiate communication with taxpayers through e-mail. Before identity theft happens, safeguard your information...IRS Identity Protection Specialized Unit, toll-free at 1-800-908-4490."
Final Report of the Internet Safety Technical Task Force to the Multi-State Working Group on Social Networking of State Attorneys General of the United States, Published January 14, 2009: "The Internet Safety Technical Task Force was created in February 2008 in accordance with the Joint Statement on Key Principles of Social Networking Safety announced in January 2008 by the Attorneys General Multi-State Working Group on Social Networking and MySpace. The scope of the Task Force's inquiry was to consider those technologies that industry and end users - including parents - can use to help keep minors safer on the Internet."
News release: "The Federal Financial Institutions Examination Council (FFIEC) issued guidance today for examiners, financial institutions, and technology service providers to identify risks, evaluate controls, and assess risk management practices related to remote deposit capture (RDC) systems. RDC enables customers to make deposits from their homes or businesses instead of taking the deposits to their financial institutions. Digital information captured at the home or business is transmitted to the financial institution or its service provider for clearing and settlement. Financial institutions might also use RDC in their branches and automated teller machines (ATMs) to facilitate deposit processing. When properly managed, RDC can reduce processing costs, support new and existing products by financial institutions, and accelerate the availability of customers’ funds. However, RDC also introduces new risks and increases existing risks in processing deposits originated by an institution’s commercial or retail customers, or by customers of other financial institutions domestically and abroad."
Nextgov: "The FBI released on [January 13, 2009] a detailed study of the advancement of different kinds of biometrics -- from fingerprints to ear scans -- to lay out how the bureau might pursue the identification of individuals in the future."
News release: "Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center's 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446. In terms of sub-divisions by type of entity, the rankings have not changed between 2007 and 2008 within the five groups that ITRC monitors. The financial, banking and credit industries have remained the most proactive groups in terms of data protection over all three years. The Government/Military category has dropped nearly 50% since 2006, moving from the highest number of breaches to the third highest."
Privacy Policy Guidance Memorandum 2008-01, The Fair Information Practice Principles: Framework for Privacy Policy at the Department of Homeland Security, December 29, 2008.
"The U.S. Department of Justice’s Global Justice Information Sharing Initiative (Global) has released a booklet highlighting key efforts supported by Global, including the vigilant preservation of privacy and civil liberties; fusion center partnerships; securing exchanged data and networks; and harnessing the power of the latest innovations so that new technology and standardized languages knock down barriers to information sharing."
News release: "The federal bank, credit union, and thrift regulatory agencies today announced publication of a revised identity theft brochure – You Have the Power to Stop Identity Theft – to assist consumers in preventing and resolving identity theft. The updated brochure focuses primarily on Internet "phishing" by describing how phishing works, offering ways to protect against identity theft, and detailing steps to follow for victims of identity theft. The brochure includes contact information for three major credit bureaus, where to report suspicious e-mails, and where to access additional information."
The Role of the United States Postal Service in Public Safety and Security - Implications of Relaxing the Mailbox Monopoly, By Lois M. Davis et al.
"Thirty privacy, consumer, and civil liberties organizations sent a letter to President-elect Barack Obama on the importance of protecting privacy in the next administration. The organizations support the incoming president’s expressed on privacy, consumer rights, and civil liberties. President-elect Obama stated support for strengthening of privacy protection by harnessing the power of technology to hold government and businesses accountable for violations of personal privacy. The coalition said that “[t]here is a clear need to address the spiraling problems of identity theft, security breaches, and the commercialization of personal information.” For more information visit EPIC’s A-Z Privacy Page."
CDT: "HHS Secretary Leavitt announced new key privacy principles for electronic health information exchange. In addition, HHS’s Office of Civil Rights published new HIPAA Privacy Rule guidance, which provides important clarifying information on how the Privacy Rule governs covered entities engaged in electronic health information exchange. For example, it clarifies when covered entities must enter into business associate agreements with health information exchanges; it also makes clear that HIPAA Privacy and Security Rules cover consumer personal health records offered by covered entities. However, the guidance merely encourages the adoption of stronger privacy and security policies consistent with the new principles. CDT calls on Congress and the new Administration to implement a comprehensive, enforceable framework of protections for personal health information that builds public trust and facilitates widespread adoption of health IT."
News release: "The Federal Trade Commission issued a report today recommending five measures to help prevent Social Security numbers from being used for identity theft. Principal among the report’s recommendations is that Congress consider taking action to strengthen the procedures that private-sector organizations use to authenticate their customers’ identities...The FTC report states that adopting nationwide standards for how businesses and other organizations verify the identity of new and existing customers would make it harder for identity thieves to use SSNs and other stolen information to consummate their fraud...The FTC report also recommends that steps be taken to reduce the unnecessary display and transmission of SSNs, but noted that such restrictions must be approached carefully. A number of important functions in the U.S. economy depend on use of and access to SSNs, and the report concluded that overly restrictive attempts to limit the availability of SSNs could unintentionally curtail those functions. Finally, the report recommends steps to improve data security, increase outreach to consumers and businesses on the protection of SSNs, and enhance coordination and information-sharing among organizations that routinely use SSNs."
Press release: "Today, Yahoo! Inc. announced a new global data retention policy that sets an industry-leading approach to user data privacy. This new policy strengthens Yahoo!'s relationship of trust with its 500 million users world-wide and enhances its longtime leadership on privacy. Under the new policy, Yahoo! will anonymize user log data within 90 days with limited exceptions for fraud, security and legal obligations. Yahoo! will also expand the policy to apply not only to search log data but also page views, page clicks, ad views and ad clicks."
2008 Network Advertising Initiative Principles: "Through the present 2008 revision to the NAI’s Self-Regulatory Code of Conduct, NAI members continue their commitment to respect appropriate fair information practices adapted for this medium and to their business models, maintaining self-regulation with respect to notice, choice, use limitation, access, reliability and security."
News release: "Privacy and information security research company Ponemon Institute along with TRUSTe, the most widely recognized Internet privacy trustmark, today announced the results of the Ponemon Institute’s fifth annual survey of Most Trusted Companies for Privacy. The study asked 6,486 adult-aged U.S. consumers which companies they thought were most trustworthy and which did the best job safeguarding personal information. A total of 706 companies were named by consumers; 211 made the final list of most trusted companies. American Express ranked as the Most Trusted Company for 2008 for Privacy, retaining its place from last year despite the current financial climate. eBay earned a ranking as the second most trusted company, while IBM, Amazon, and Johnson & Johnson rounded out the top five. While the financial services sector slipped amid industry-wide woes, the technology sector showed marked improvement as eBay, Apple, Yahoo, Microsoft, and HP all bettered previous rankings. Also of note, Facebook moved into the top 20 for the first time, signifying an increased trust in social networking as a mainstream communications tool."
Follow up to previous postings on recovering data from discarded or resold computers and their hard drives, from the FTC: "Computers are a popular gift during the holiday season. People with a new computer often wonder about the best way to get rid of the old one. OnGuardOnline.gov, the computer safety Web site managed by the Federal Trade Commission, has some tips to make this task easier – and more secure. Passwords, health information, and other sensitive personal data should be saved elsewhere and erased off the old computer. This protects consumers’ privacy and safeguards them from identity theft. People who use their computers for work should check with their employers regarding the legal requirements businesses must comply with to secure and dispose of data. To learn more, including how to save and erase data, see Computer Disposal."
"The Center for Democracy and Technology (CDT) today released a series of papers [Transition Materials for President Obama] that outline Internet policy proposals for President-elect Obama's Transition Team in the areas of security and civil liberties; preserving free speech on the Internet; keeping the Internet an open platform; protection of consumer privacy; and promoting open government. The 2-3 page memos provide a concise overview of the issues and recommend practical, achievable actions the new administration can take to keep the Internet open, innovative and free. The Internet played an integral part in this election, making it the most participatory in history. CDT believes the Internet can play an equally critical role in other areas, including health care, economic development and education, given the right government policies."
White House Fact Sheet: Transforming Our Armed Forces To Face The Threats Of Today And Tomorrow - "Following the attacks of 9/11, President Bush strengthened and reshaped our approach to national security. To harden our defense, President Bush: Created the Department of Homeland Security; Provided national security professionals with vital new tools like the Patriot Act and a program to monitor terrorist communications; Reorganized the intelligence community to better meet the needs of the war on terror; Deployed aggressive financial measures to freeze terrorist assets; and Launched diplomatic initiatives to pressure adversaries and attract new partners to our cause."
2008 Report to Congress - Data Mining: Technology and Policy, The DHS Privacy Office, December 2008
You’re Leaving a Digital Trail. What About Privacy? by John Markoff: "Propelled by new technologies and the Internet’s steady incursion into every nook and cranny of life, collective intelligence offers powerful capabilities, from improving the efficiency of advertising to giving community groups new ways to organize. But even its practitioners acknowledge that, if misused, collective intelligence tools could create an Orwellian future on a level Big Brother could only dream of. Collective intelligence could make it possible for insurance companies, for example, to use behavioral data to covertly identify people suffering from a particular disease and deny them insurance coverage. Similarly, the government or law enforcement agencies could identify members of a protest group by tracking social networks revealed by the new technology."
Handbook for Safeguarding Sensitive Personally Identifiable Information at DHS, October 2008 (PDF, 19 pages): "The DHS Privacy Office Handbook for Safeguarding Sensitive PII at DHS applies to every DHS employee, contractor, detailee and consultant. The document sets minimum standards for how personnel should handle Sensitive PII in paper and electronic form during their everyday work activities at DHS."
"The Privacy Act Issuances contain descriptions of Federal agency systems of records maintained on individuals and rules agencies follow to assist individuals who request information about their records. The two sources of Privacy Act Notices are: the Privacy Act Issuances (Compilations 1995-Forward) and the Federal Register which has updates to the most recent Compilation."
The Future of Privacy Forum Agenda for Consumers and Businesses [See also: About the Forum]
"Following an EPIC complaint, a federal court has ordered CyberSpy Software to stop selling malicious computer software. In March, EPIC filed a complaint with the Federal Trade Commission alleging that the spyware purveyor engages in unfair and deceptive practices by: (1) promoting illegal surveillance; (2) encouraging "Trojan Horse" email attacks; and (3) failing to warn customers of the legal dangers arising from misuse of the software. The federal regulators agreed, and asked the court for a permanent injunction barring sales of CyberSpy's "stalker spyware," over the counter surveillance technology sold for individuals to spy on other individuals. The court entered a temporary restraining order on November 6, 2008. Further litigation is expected before the court rules on the government's request for a permanent ban. For more information, see EPIC's Personal Surveillance Technologies page and Domestic Violence and Privacy page."
Online Threats to Youth: Solicitation, Harassment, and Problematic Content, Literature Review by the Research Advisory Board of the Internet Safety Technical Task Force, Andrew Schrock and Danah Boyd, Berkman Center for Internet & Society, Harvard University, Draft Version. November 14, 2008
Washington Post: "Armed with millions of e-mail addresses and a political operation that harnessed the Internet like no campaign before it, Barack Obama will enter the White House with the opportunity to create the first truly "wired" presidency. Obama aides and allies are preparing a major expansion of the White House communications operation, enabling them to reach out directly to the supporters they have collected over 21 months without having to go through the mainstream media."
News release: "The total number of breaches on the Identity Theft Resource Center’s 2008 breach list surpassed the final total of 446 reported in 2007, more than 4 months before the end of 2008. As of 9:30 a.m. August 22nd, the number of confirmed data breaches in 2008 stood at 449. The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events. In the last few months, two subcontractors became examples of these “multiple” events. In one case, the customers and/or employees of at least 20 entities were affected by a breach that the ITRC reported as a single breach event."
News release: "The Commission has approved the Report to Congress Under the Do Not Call Improvement Act of 2007 (2007 DNCIA) [Pub. L. No. 110-187, 122 Stat. 633 (2008)], signed into law on February 15, 2008. The report, which is mandated under the 2007 DNCIA, contains information on the Commission’s efforts to improve the accuracy of the National Do Not Call Registry. The report details the efforts that the FTC has taken in the nine months since the 2007 DNCIA was signed into law and describes the new procedure that will be used to remove disconnected and reassigned numbers from the National Registry."
"The 2008 International Mobility & Trade Corridor Project (IMTC) Passenger Intercept Survey was conducted to assess characteristics of cross-border travel in the Cascade Gateway and provide that information to regional and federal public and private agencies. Information includes who crosses the border, for what purposes, origins and destinations, trip frequency, and other details of cross-border travel. These data can be compared to matching information collected by IMTC in the year 2000 to see how cross-border travel demand has changed over the last seven years. [To complete this survey, the Whatcom Council of Governments (WCOG) and the Border Policy Research Institute (BPRI) at Western Washington University undertook a passenger origin-destination survey at all four Cascade Gateway border crossings.]"
"In EPIC v. DOJ, EPIC, the ACLU, and the National Security Archive are seeking government documents regarding the President's warrantless wiretapping program. Today, a federal court ordered the Department of Justice to provide for inspection copies of legal memos authored by government lawyers. The opinions, prepared by the Office of Legal Counsel, provided the legal basis for the President to wiretap US citizens in the United States without court approval. EPIC began the Freedom of Information Act lawsuit in December 2005, after the New York Times first reported the details of the wiretap program. For more information, see EPIC's EPIC v. DOJ page. (Oct. 31)"
"Today a diverse coalition of leading Internet companies, major human rights and free press organizations, investors and academics launched the Global Network Initiative to protect and advance freedom of expression and privacy in information and communications technologies. CDT and Business for Social Responsibility co-facilitated an 18-month effort by these groups to craft the key documents underlying this effort. The documents provide guidance for companies, NGOs, investors, academics and others working together to resist efforts by governments that seek to enlist companies in acts of censorship and surveillance that violate international standards. The documents also provide specific implementation commitments and outline a framework for accountability and learning."
DHS Issues Supplemental Final Rule with Guidance For Employers Who Receive Social Security 'No-Match' Letters: "Secretary Chertoff announced the issuance of the No-Match Supplemental Final Rule, which provides guidance to help businesses comply with legal requirements intended to reduce illegal employment of unauthorized workers, in his quarterly State of the Border address. The Secretary also outlined comprehensive efforts to secure the border, enforce national immigration laws, and improve temporary worker programs and legal migration."
Office of Science and Technology Policy (OSTP) in the Executive Office of the President, Biometrics in Government Post-9/11, released September 2008: This report summarizes the research, applications and operation of the U.S. government's biometric systems since 2001.
Office of Science and Technology Policy (OSTP) in the Executive Office of the President - Identity Management Task Force Report 2008, released September 2008
News release: "The U.S. Department of Homeland Security (DHS) today announced the issuance of the Secure Flight Final Rule, which shifts pre-departure watch list matching responsibilities from individual aircraft operators to the Transportation Security Administration (TSA) and carries out a key recommendation of the 9/11 Commission. By bringing watch list matching responsibilities in-house, TSA can better remedy possible misidentifications when a traveler's name is similar to one found on a watch list."
News release: "Attorney General Michael B. Mukasey and Federal Trade Commission Chairman William E. Kovacic announced today the release of a report from the President’s Identity Theft Task Force on progress the federal government has made in addressing identity theft since the Task Force’s Strategic Plan was released last year. Highlights of the report include expansion of the Task Force’s data security and identity theft business and consumer education campaigns; exploring means of improving consumer authentication processes to prevent the use of stolen information to commit identity theft; launching new initiatives to help identity theft victims recover; and improving law enforcement tools to investigate and prosecute identity thieves."
News release: "In keeping with the Patrick Administration’s commitment to protecting consumers, the Office of Consumer Affairs and Business Regulation (OCABR) last Friday issued a comprehensive set of final regulations establishing standards for how businesses protect and store consumers’ personal information. Additionally, Governor Patrick has signed an executive order requiring all state agencies to immediately take steps to implement security measures consistent with the requirements established by OCABR's regulations for private companies. The order calls for the adoption of uniform standards across government that protect the integrity of personal information and further the objectives of the identity theft prevention law."
FOX News: "The World Bank Group's computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News has learned. It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July. In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.
In a frantic midnight e-mail to colleagues, the bank's senior technology manager referred to the situation as an "unprecedented crisis." In fact, it may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public."
News release: "Online scammers are taking advantage of tough economic times. While e-mails phishing for sensitive data are nothing new, scammers are taking advantage of upheavals in the financial marketplace to confuse consumers into parting with valuable personal information. The Federal Trade Commission urges caution regarding e-mails that look as if they come from a financial institution that recently acquired a consumer’s bank, savings and loan, or mortgage. In fact, these messages may be from “phishers” looking to use personal information – account numbers, passwords, Social Security numbers – to run up bills or commit other crimes in a consumer’s name. Consumers are warned not to take the bait. The FTC has advice about how to stay on guard against this type of scam. To learn more, see the consumer alert Bank Failures, Mergers and Takeovers: A ‘Phish-erman’s Special."
News release: "All U.S. agencies with counterterrorism programs that collect or "mine" personal data -- such as phone, medical, and travel records or Web sites visited -- should be required to systematically evaluate the programs' effectiveness, lawfulness, and impacts on privacy, says a new report from the National Research Council. Both classified and unclassified programs should be evaluated before they are set in motion and regularly thereafter for as long as they are in use, says the report. It offers a framework agencies can use to assess programs, including existing ones. The report also says that Congress should re-examine existing law to assess how privacy can be protected in such programs, and should consider restricting how personal data are used. And it recommends that any individuals harmed by violations of privacy be given a meaningful form of redress."
Senate Committee on Commerce, Science, and Transportation - Hearing on: Broadband Providers and Consumer Privacy, September 25, 2008
Follow up to previous postings on the government's domestic surveillance program, today news that "The Electronic Frontier Foundation (EFF) filed a lawsuit [full complaint in Jewel v. NSA] against the National Security Agency (NSA) and other government agencies today on behalf of AT&T customers to stop the illegal, unconstitutional, and ongoing dragnet surveillance of their communications and communications records. The five individual plaintiffs are also suing President George W. Bush, Vice President Dick Cheney, Cheney's chief of staff David Addington, former Attorney General and White House Counsel Alberto Gonzales and other individuals who ordered or participated in the warrantless domestic surveillance."
House Committee on the Judiciary - Oversight Hearing on: The Federal Bureau of Investigation, September 16, 2008
News release: "The Federal Trade Commission today issued a complaint charging that Reed Elsevier Inc.’s (Reed Elsevier) proposed $4.1 billion acquisition of ChoicePoint Inc. (ChoicePoint) would be anticompetitive and in violation of the antitrust laws, as it would combine the two largest providers of electronic public record services to U.S. law enforcement customers.
To eliminate the anticompetitive effects of the proposed acquisition, the FTC will require Reed Elsevier to divest assets related to ChoicePoint’s AutoTrackXP and Consolidated Lead Evaluation and Reporting (CLEAR) electronic public records services to Thomson Reuters Legal Inc., within 15 days after the proposed acquisition is consummated.
Through its LexisNexis division, Reed Elsevier provides electronic public records services to law enforcement customers in direct competition with ChoicePoint’s AutoTrackXP and recently, ChoicePoint’s CLEAR, a new and advanced electronic public records service. Together, the two firms account for over 80 percent of the approximately $60 million U.S. market for the sale of electronic public records services to law enforcement customers."
Official Google Blog: "we're announcing a new logs retention policy: we'll anonymize IP addresses on our server logs after 9 months. We're significantly shortening our previous 18-month retention policy to address regulatory concerns and to take another step to improve privacy for our users."
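The post gives the retention window but not the mechanics of the anonymization. The Python below is an added example, not Google's code and not a description of Google's method: it applies a rule of this shape to Common Log Format lines, truncating the client address of any line older than the window to a network prefix (IPv4 /24 and IPv6 /48, both chosen here as assumptions) while leaving newer lines untouched. The log lines and the "current" date are constructed.

```python
"""Anonymize client IPs in web-server logs that are older than a retention window.

Added example. Assumption: "anonymize" is implemented as prefix truncation
(host bits zeroed), which is one common choice, not the one the post describes.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident authuser [timestamp] "request" status bytes
CLF_RE = re.compile(r'^(?P<ip>\S+) (?P<idents>\S+ \S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$')
CLF_TS = "%d/%b/%Y:%H:%M:%S %z"
RETENTION_DAYS = 9 * 30  # the post's nine-month window, approximated in days


def anonymize_ip(ip_text, v4_prefix=24, v6_prefix=48):
    """Keep only the network prefix of an address; the host bits are zeroed.

    The prefix lengths are this example's assumptions.
    """
    addr = ipaddress.ip_address(ip_text)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def anonymize_line(line, now, retention_days=RETENTION_DAYS):
    """Return the line unchanged inside the window, otherwise with its client IP truncated.

    A line that cannot be parsed raises: a retention job must never silently
    keep a record it did not understand.
    """
    m = CLF_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m.group("ts"), CLF_TS)
    if now - ts < timedelta(days=retention_days):
        return line
    return f"{anonymize_ip(m.group('ip'))} {m.group('idents')} [{m.group('ts')}] {m.group('rest')}"


# Constructed sample log: the first line is past the window, the second is inside it.
SAMPLE_LOG = [
    '203.0.113.45 - - [10/Sep/2007:13:55:36 +0000] "GET /search?q=x HTTP/1.1" 200 2326',
    '2001:db8:abcd:1234::1 - - [01/Sep/2008:09:00:00 +0000] "GET / HTTP/1.1" 200 512',
]
DEMO_NOW = datetime(2008, 9, 8, tzinfo=timezone.utc)  # constructed "today"


def run_demo(lines=SAMPLE_LOG, now=DEMO_NOW):
    """Apply the retention rule to every line and return the rewritten log."""
    return [anonymize_line(line, now) for line in lines]


if __name__ == "__main__":
    for out in run_demo():
        print(out)
```

Two caveats a practitioner would attach. Prefix truncation is pseudonymization, not deletion: a /24 still points at a small organization, and the fields that survive on the line (timestamp, request URL with its query string, any cookie field) can re-identify a user on their own, so a retention policy stated in terms of the IP address alone says nothing about those. And the job fails loudly on a line it cannot parse; a version that skipped unknown lines would quietly retain exactly the records it was supposed to scrub.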
Cyber Security Tip ST05-018 - Understanding Voice over Internet Protocol (VoIP): "Because VoIP relies on your internet connection, it may be vulnerable to any threats and problems that face your computer. The technology is still new, so there is some controversy about the potential for attack, but VoIP could make your telephone vulnerable to viruses and other malicious code. Attackers may be able to perform activities such as intercepting your communications, eavesdropping, conducting effective phishing attacks by manipulating your caller ID, and causing your service to crash. Activities that consume a large amount of network resources, like large file downloads, online gaming, and streaming multimedia, will also affect your VoIP service."
News release: "Today, the total number of breaches on the Identity Theft Resource Center’s (ITRC) 2008 breach list surpassed the final total of 446 reported in 2007, more than 4 months before the end of 2008. As of 9:30 a.m. August 22nd, the number of confirmed data breaches in 2008 stood at 449. The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events. In the last few months, two subcontractors became examples of these “multiple” events. In one case, the customers and/or employees of at least 20 entities were affected by a breach that the ITRC reported as a single breach event...Breaches: 449 Exposed: 22,091,338."
The Third Branch: "To protect the privacy of litigants, the Federal Rules of Practice and Procedure require that certain personal data identifiers be modified or partially redacted from federal court case files. These identifiers are Social Security numbers, dates of birth, financial account numbers, and names of minor children, and in criminal cases, also home addresses. In all cases, it is the responsibility of the attorney and the parties in the case to redact personal identifiers...
Many courts, such as the District of Arizona and the Northern District of California, have posted information to their websites on effective redaction techniques. For a look at their tips, visit their websites at: https://ecf.cand.uscourts.gov/cand/faq/tips/redacting.htm or http://www.azd.uscourts.gov/azd/cm-ecf.nsf/docview/files/$file/redaction.pdf"
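The Third Branch item names the identifiers but not the mechanics. The Python below is an added example, not code from the federal courts or from the two linked guides: it applies the partial forms that Fed. R. Civ. P. 5.2(a) prescribes (last four digits of a Social Security number, year of birth, last four digits of a financial-account number) to a constructed filing excerpt, and then searches its own output for anything that still looks like a full identifier. The regular expressions, the "account number" heuristic and the sample text are this example's assumptions; minors' names cannot be found by pattern and still need a human pass.

```python
"""Partially redact personal identifiers in the text of a court filing.

Added example. The partial forms follow Fed. R. Civ. P. 5.2(a); every pattern
below, and the sample filing, is this example's own assumption.
"""
import re

# Full SSN such as 123-45-6789: keep the last four digits.
SSN_RE = re.compile(r'\b(\d{3})-(\d{2})-(\d{4})\b')
# A numeric date only when it is labelled as a birth date; hearing and filing dates stay intact.
DOB_NUM_RE = re.compile(r'(?i)\b(born(?: on)?|DOB|date of birth)(\s*:?\s*)(\d{1,2}/\d{1,2}/)(\d{4})\b')
# Same, with the month spelled out: "born January 5, 1990" becomes "born 1990".
DOB_TEXT_RE = re.compile(r'(?i)\b(born(?: on)?|DOB|date of birth)(\s*:?\s*)([A-Za-z]+ \d{1,2}, )(\d{4})\b')
# Assumption: an account number is 8+ digits (spaces or dashes allowed) after "account"/"acct".
ACCT_RE = re.compile(r'(?i)\b(account|acct\.?)(\s*(?:no\.?|number|#)?\s*:?\s*)(\d[\d -]{6,}\d)\b')


def _acct_repl(m):
    """Mask all but the last four digits of the matched account number."""
    digits = re.sub(r'\D', '', m.group(3))
    return f"{m.group(1)}{m.group(2)}{'x' * (len(digits) - 4)}{digits[-4:]}"


def redact(text):
    """Return the text with SSNs, birth dates and account numbers partially redacted."""
    text = SSN_RE.sub(r'xxx-xx-\3', text)
    text = DOB_NUM_RE.sub(r'\1\2xx/xx/\4', text)
    text = DOB_TEXT_RE.sub(r'\1\2\4', text)
    return ACCT_RE.sub(_acct_repl, text)


def find_residual(text):
    """Second pass to run on the OUTPUT: every substring that still reads as a full identifier."""
    hits = [m.group(0) for m in SSN_RE.finditer(text)]
    hits += [m.group(0) for m in DOB_NUM_RE.finditer(text)]
    hits += [m.group(0) for m in DOB_TEXT_RE.finditer(text)]
    hits += [m.group(0) for m in ACCT_RE.finditer(text)
             if len(re.sub(r'\D', '', m.group(3))) > 4]
    return hits


# Constructed filing excerpt (fictional person, reserved-looking numbers).
SAMPLE_FILING = (
    "Plaintiff Jane Roe (SSN 123-45-6789), born 03/14/1975, holds account no. "
    "4111 2222 3333 4444 at First Bank. Hearing set for 06/01/2008."
)

if __name__ == "__main__":
    cleaned = redact(SAMPLE_FILING)
    print(cleaned)
    print("residual identifiers:", find_residual(cleaned))
```

The `find_residual` pass is the part worth keeping: it checks the text that will actually be filed, not what a reader sees on the page. The well-known PDF failure is a black box drawn over text whose underlying text layer is still extractable, and only a check that runs on the extracted text of the final file catches that.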
Surveillance made easy, NewScientist.com news service, Laura Margottini: "'This data allows investigators to identify suspects, examine their contacts, establish relationships between conspirators and place them in a specific location at a certain time.'
So said the UK Home Office last week as it announced plans to give law-enforcement agencies, local councils and other public bodies access to the details of people's text messages, emails and internet activity. The move followed its announcement in May that it was considering creating a massive central database to store all this data, as a tool to help the security services tackle crime and terrorism."
News release: "Secretary Chertoff spoke on the balance between privacy and secure identity August 13 at the University of Southern California National Center for Risk and Economic Analysis of Terrorism Events. He addressed crimes involving identity theft, and talked about identity validation and authentication, the associated financial costs, the effect on illegal workers, the universe of tools available for identity management, and possible solutions that address the concerns of privacy advocates."
News release: "State attorneys general received thousands of consumer complaints of online fraud and abuse in 2006 and 2007 and yet, with the exception of several notable standouts, brought few significant cases in response, according to a report released today from the Center for American Progress and the Center for Democracy and Technology, Online Consumers at Risk and the Role of State Attorneys General."
"As personal information becomes more widely available on blogs, MySpace, Facebook and other social networking Web sites, the Internet has become an important tool for jury consultants and trial lawyers. Such sites are a treasure trove of information about potential and seated jurors that can be used in picking the right jurors, bouncing potential jurors and even influencing jurors during trial and in closing arguments. Jury consultants have begun turning to private investigators, some of whom have started niche businesses offering Internet jury research and "personality profiling" of jurors." [National Law Journal, August 11, 2008 - subscription req'd]
"The Federal Bureau of Investigation said Friday that it had improperly obtained the phone records of reporters for The New York Times and The Washington Post in the newspapers’ Indonesia bureaus in 2004. Robert S. Mueller III, director of the F.B.I., disclosed the episode in a phone call to Bill Keller, the executive editor of The Times, and apologized for it. He also spoke with Leonard Downie Jr., the executive editor of The Washington Post, to apologize."
"In a July 31 amicus brief filed in a federal court in Pennsylvania, the Electronic Frontier Foundation, joined by CDT, ACLU and the ACLU of Pennsylvania, argued that cell phone location information is protected by the Fourth Amendment. The brief argues that a court should require the government to obtain a warrant based on probable cause in order to gain access to cell site location information stored by a cell phone company."
DOJ: Special Report to Congress on Implementation of Section 1001 of the USA PATRIOT Act, August 2008: "Section 1001 of the USA PATRIOT Act (Patriot Act), Public Law 107-56, directs the Office of the Inspector General (OIG) of the U.S. Department of Justice (DOJ or Department) to undertake a series of actions related to claims of civil rights or civil liberties violations allegedly committed by DOJ employees. It also requires the OIG to provide semiannual reports to Congress on the implementation of the OIG’s responsibilities under Section 1001. This report – the thirteenth since enactment of the legislation in October 2001 – summarizes the OIG’s Section 1001-related activities from January 1, 2008, through June 30, 2008."
News release: "Eleven perpetrators allegedly involved in the hacking of nine major U.S. retailers and the theft and sale of more than 40 million credit and debit card numbers have been charged with numerous crimes, including conspiracy, computer intrusion, fraud and identity theft, Attorney General Michael B. Mukasey, U.S. Attorney for the District of Massachusetts Michael J. Sullivan, U.S. Attorney for the Southern District of California Karen P. Hewitt, U.S. Attorney for the Eastern District of New York Benton J. Campbell and U.S. Secret Service Director Mark Sullivan announced today. The scheme is believed to constitute the largest hacking and identity theft case ever prosecuted by the Department of Justice."
EPIC: "Senior members of Congress have requested details of Internet companies' efforts to spy on their customers. The 33 targeted Internet companies, including AT&T, Time Warner, Microsoft, and Google, may be tracking the activities of Internet users. Congressman Edward J. Markey warned that "new technologies, such as ‘deep packet inspection' technologies, have the ability to track every single website that a consumer visits while surfing the Web." Charter Communications and Embarq previously came under fire for monitoring Internet users and suspended their activities. Members of Congress have now turned their attention to the leading telcos and Internet firms. For more information, see EPIC's page on Deep Packet Inspection and Privacy."
"1.1 Goals. The United States intelligence effort shall provide the President, the National Security Council, and the Homeland Security Council with the necessary information on which to base decisions concerning the development and conduct of foreign, defense, and economic policies, and the protection of United States national interests from foreign security threats. All departments and agencies shall cooperate fully to fulfill this goal."
"I would say at the outset that this is an exceptionally complex executive order...It's a foundational document for the intelligence community...It has a daily and significant impact on the activities of the intelligence community and the relationships in that important community. At the highest level, of course, the aim here is to create a more effective intelligence community, where these 16 agencies can be better integrated, work more collaboratively with one another, and also share more information freely."
Follow up to March 27, 2008 posting, FTC Announces Settlement of Action Against Data Brokers Reed Elsevier and Seisint for Failing to Provide Adequate Security for Consumers' Data, this August 1, 2008 FTC news release: "Following a public comment period, the Commission has approved the issuance of a final consent order and authorized the staff to respond to the commenters of record In The Matter of The TJX Companies, Inc...[and] In The Matter of Reed Elsevier Inc. and Seisint, Inc."
Related from EPIC: "The settlements arose from data breaches, which exposed the sensitive personal information of over 500,000 consumers and resulted in millions of dollars in financial fraud. Earlier this year, EPIC filed comments with the FTC urging the Commission to include civil penalties in the settlements. EPIC wrote that civil penalties are necessary to provide incentives for companies to safeguard personal data. EPIC also noted that the FTC imposed $10 million in civil penalties in the ChoicePoint case. The final agreements impose security and audit responsibilities, but no financial penalties."
RE: Formal Complaint of Free Press and Public Knowledge Against Comcast Corporation for Secretly Degrading Peer-to-Peer Applications; Broadband Industry Practices, Petition of Free Press et al. for Declaratory Ruling that Degrading an Internet Application Violates the FCC’s Internet Policy Statement and Does Not Meet an Exception for “Reasonable Network Management,” File No. EB-08-IH-1518, WC Docket No. 07-52, Memorandum Opinion and Order.
News release: "Comcast Corp.’s management of its broadband Internet networks contravenes federal policies that protect the vibrant and open nature of the Internet, the Federal Communications Commission found [August 1, 2008]. Ruling on a complaint by Free Press and Public Knowledge as well as a petition for declaratory ruling, the Commission concluded that Comcast has unduly interfered with Internet users’ right to access the lawful Internet content and to use the applications of their choice. Specifically, the Commission found that Comcast had deployed equipment throughout its network to monitor the content of its customers’ Internet connections and selectively block specific types of connections known as peer-to-peer connections.
...The Commission’s action today is the result of an exhaustive examination of conduct that was first brought to light by Comcast subscribers who noticed that they had problems using peer-to-peer applications, such as BitTorrent, over their Comcast broadband connections...The Commission’s extensive investigation into this matter – which included two public hearings, substantial input from experts, and thousands of comments from companies, organizations, and the public at large – confirms that Comcast’s interference is far more invasive and widespread than the company first conceded."
Related news from the Electronic Frontier Foundation (EFF): "Hours before the Federal Communications Commission (FCC) is expected to take action against Comcast for violating the FCC's net neutrality principles, the Electronic Frontier Foundation (EFF) is releasing "Switzerland," a software tool for customers to test the integrity of their Internet communications."
Commentary: Immunity for Telecom Eavesdropping - Beth Wellington's commentary tracks the legislative path of retroactive immunity for telecom eavesdropping. Published July 30, 2008.
D-2008-114 Accountability for Defense Security Service Assets With Personally Identifiable Information, July 24, 2008 (Project No. D2007-D000LC-00042.000)
Evidence on the Costs and Benefits of Health Information Technology, July 24, 2008 - Testimony before the Subcommittee on Health, Committee on Ways and Means, U.S. House of Representatives.
M-08-21, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 14, 2008) (43 pages)
"EPIC testified before the Senate Judiciary Committee [hearing: Passport Files: Privacy Protection Needed For All Americans], urging new protections for passport information privacy. The hearing, held at a time of increased information collection and dissemination by the government, addressed an Inspector General report [Review of Controls and Notification for Access to Passport Records in the Department of State’s Passport Information Electronic Records System (PIERS)]on data breaches at the State Department. EPIC's testimony recommended implementing the privacy protections of S. 495, the Personal Data Privacy and Security Act of 2007; limiting employee and contractor disclosures; increasing accounting requirements; and creating an independent privacy agency. In a FOIA request filed today, EPIC demanded the release of the complete Inspector General report, substantial portions of which have been withheld from the public."
News release: "The Commission has approved the issuance of a report to Congress regarding the Do Not Call Registry for Fiscal Year 2007. The report...has been submitted to the U.S. House of Representatives Committee on Energy and Commerce and the U.S. Senate Committee on Commerce, Science, and Transportation, as required by Section 4(b) of the Do Not Call Implementation Act. The report – the fourth and final submission required by the Act – contains information on the following topics: 1) the effectiveness of the Registry; 2) the number of consumers who have placed their telephone numbers on the Registry; 3) the number of entities paying fees to access the Registry and the amount of the fees; 4) the progress of coordinating the operation and enforcement of the Registry with similar registries maintained by the states; 5) the progress of coordinating the operation and enforcement of the Registry with enforcement activities of the Federal Communications Commission under the Telephone Consumer Protection Act; and 6) FTC enforcement of the Registry under the Telemarketing Sales Rule."
On June 20, 2008 the House passed H.R. 6304, the FISA Amendments Act of 2008. Today the Senate passed the bill. Related commentary and articles as follows:
News release: "The Center for Democracy and Technology (CDT) today released an analysis questioning the legal standing of a new approach to online advertising being considered by Internet Service Providers and Internet advertising networks. Under the new scheme, an ISP allows an advertising network to copy the contents of the individual Web traffic streams of the ISP's subscribers. The advertising network creates a record of each individual's online behavior, which is used to target ads to the consumer. CDT concludes that the use of Internet traffic content from ISPs may run afoul of federal and state wiretap laws unless performed with the prior, express consent of the subscriber. Some state laws may pose higher burdens."
2008 Data Mining Letter Report (PDF, 46 pages): "This is the third report by the Privacy Office to Congress on data mining. This letter report identifies the data mining activities deployed or under development within DHS, as defined by the Data Mining Reporting Act, and describes the framework the Department will use to report on such activities in the future pursuant to Section 804 of the Implementing Recommendations of the 9/11 Commission Act of 2007, entitled, The Federal Agency Data Mining Reporting Act of 2007 (Data Mining Reporting Act)."
News release: "The Federal Trade Commission plans to study the experiences of identity theft victims by conducting a survey of consumers who contacted the FTC after they were victimized. The proposed survey will examine the remedies available to victims under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Among other things, the FACT Act gave consumers the right to place fraud alerts on their credit files if they are, or suspect they may become, victims of identity theft; block information on their credit reports that resulted from identity theft; and obtain copies of their credit reports free of charge. The survey will seek information from identity theft victims who contacted the FTC between January 1 and May 30, 2008, and will inquire about their experiences when they contacted one or more credit reporting agencies and when they sought to use their FACT Act rights. The survey results will help guide the FTC’s efforts to enforce the law and educate consumers and the consumer reporting industry about their rights and duties."
News release: "The ITRC Breach Report total has reached an all-time high. Between January 1st and June 27th, the total number of data breaches recorded by the ITRC is 342, more than 69% greater than the same time period in 2007. The actual number of breaches is likely even higher, due to underreporting and the fact that some of the breaches reported as a single event actually affected multiple businesses.
The ITRC Breach Report sub-divides all breaches into five categories. To date, the 2008 ITRC Breach Stats Report indicates the following: 17.0% government/military agencies, 21.3% from educational institutions, 36.8% from general businesses, 14.9% from health care facilities / companies, and 10% from banking / credit / financial services entities.
Click here for the 2008 ITRC Breach report. Click here for the 2008 ITRC Breach Stats Report broken down by categories which includes the percentages for each category (business, financial/credit, educational, governmental/military and health care). Please check regularly as this list is updated weekly."
Bryn Nelson, MSNBC, Giving biometrics a hand: "An electronic palm reader is helping one of the largest healthcare systems in the U.S. and several banks in Japan divine the true identities of their patients and customers. The key? A near-infrared camera that captures each person’s unique palm vein pattern, or template."
EPIC: "Today marks the 50th anniversary of the Supreme Court's decision in NAACP v. Alabama, one of the most important privacy cases of the last century. Professor Anita L. Allen, a leading privacy scholar, author of many books and articles, and a member of the EPIC Board of Directors, wrote an essay to celebrate the anniversary of the decision."
OIG, Social Security Administration, Benefit Payments in Instances Where the Social Security Administration Removed a Death Entry from the Beneficiary's Record, A-06-07-27156, 06/19/08: "The DMF [Death Master File] is a publicly available database maintained by SSA that contains detailed information on more than 82 million deceased numberholders. Each year, SSA receives death reports for more than 2.5 million individuals and adds the information to the DMF. As depicted on the chart below, SSA receives most death reports from funeral homes or friends/relatives of the deceased. SSA considers such first party death reports to be verified and immediately posts them to the DMF.
Other sources of death reports include States and other Federal agencies, as well as postal authorities and financial institutions. SSA posts nonbeneficiary information to the DMF without verification. However, if these reports indicate an SSA beneficiary died, SSA may perform additional verification before terminating benefits or posting the death entry to the DMF. Verification of death means that an acceptable reporter (usually someone in the person's home, a representative payee, a doctor, or hospital) agrees that the person is deceased and corroborates the date of death, if necessary.
The accuracy of death data is a highly sensitive matter for SSA. Erroneous death entries can lead to benefit termination and result in severe financial hardship and distress to the beneficiary/recipient. Conversely, the removal of legitimate death entries could allow for the authorization and payment of fraudulent benefits.
In instances when death reports are posted in error, SSA deletes the death entry from the DMF ("resurrect" the record) and, when applicable, reinstates benefit payments. SSA employees may only process transactions to resurrect a record when presented with proof the original death entry was posted in error. Unless the mistake resulted from an administrative error, the resurrection transaction should not be processed before completion of a face-to-face interview with the beneficiary or recipient. To validate the integrity of these transactions, SSA requires that two employees be involved in the process. SSA also requires that employees document the events leading to and facts supporting the transaction.
Since January 2004, SSA has provided us with electronic files containing updates made to the DMF, including instances when individual records were removed from the DMF. Preliminary analysis of these files indicated that, from January 2004 through April 2007, SSA deleted more than 44,000 individuals' death entries from the DMF. SSA records indicated 20,623 of these individuals were in current payment status on or after April 27, 2007 and received approximately $17.2 million in monthly SSA benefit payments."
Laptop Searches and Other Violations of Privacy Faced by Americans Returning from Overseas Travel, Senate Judiciary Committee, Subcommittee on the Constitution, Civil Rights and Property Rights, June 25, 2008.
"The framework below proposes a set of practices that, when taken together, encourage appropriate handling of personal health information as it flows to and from personal health records (PHRs) and similar applications or supporting services. Click on the individual documents below to read descriptions and to view or download them as PDF documents. Or, download the entire Common Framework in PDF. The Common Framework for Networked Personal Health Information: Overview and Principles provides background on the documents and how they relate to each other. All resources are available free of charge."
News release: "Senate Intelligence Committee Chairman John “Jay” Rockefeller (WV), Senate Intelligence Committee Vice-Chair Kit Bond (MO), House Majority Leader Steny Hoyer (MD), and House Minority Whip Roy Blunt (MO) announced today that a bipartisan compromise has been agreed to that will modernize the Foreign Intelligence Surveillance Act. The FISA Amendments Act, H.R. 6304 (114 pages, PDF), will increase the nation’s security by strengthening the ability of the intelligence community to conduct lawful surveillance of terrorists, as well as protect constitutional rights by requiring warrants before the government can surveil any American."
A Guide to Protecting Your Identity Online, Rosemary Haworth, PC Advisor
Identity Theft: The Aftermath 2007. Conducted by the Identity Theft Resource Center® (ITRC) With comparisons to The Aftermath 2003, 2004, 2005, 2006 Surveys.
News release: "The Federal Trade Commission...told the Senate Committee on Commerce, Science, and Transportation that “legislation authorizing the Commission to seek civil penalties in spyware cases could add a potent remedy to those otherwise available to the Commission.” In testimony to the Committee, Eileen Harrington, Deputy Director of the FTC’s Bureau of Consumer Protection, said that when other enforcement options – seeking consumer redress or making the operators give up their ill-gotten gains – are not appropriate or sufficient remedies to deter spyware distributors, “a civil penalty may be the most appropriate remedy and serve as a strong deterrent.” The testimony states that the agency supports legislation that would provide “the Commission this valuable law enforcement tool.”
UK House of Commons, Home Affairs Committee, A Surveillance Society? Fifth Report of Session 2007–08, Volume I, Report, together with formal minutes. Ordered by The House of Commons to be printed 20 May 2008.
House of Commons Home Affairs Committee - A Surveillance Society? Fifth Report of Session 2007–08, Volume II, Oral and written evidence. Ordered by The House of Commons to be printed 20 May 2008.
OIG: The Social Security Administration's Internal Use of Employees' Social Security Numbers. A-13-07-27164 06/09/08
Do Data Breach Disclosure Laws Reduce Identity Theft? Sasha Romanosky, Rahul Telang, Alessandro Acquisti, Heinz School of Public Policy and Management, Carnegie Mellon University
DOJ OIG: The Federal Bureau of Investigation's Security Check Procedures for Immigration Applications and Petitions (Redacted for Public Release), Audit Report 08-24, June 2008.
White House: National Security Presidential Directive 59 and Homeland Security Presidential Directive 24, June 5, 2008
The ONC [Office of the National Coordinator for Health Information Technology] Coordinated Federal Health Information Technology Strategic Plan: 2008-2012 - Using the Power of Information Technology to Transform Health and Care.
"The Plan has two goals, Patient-focused Health Care and Population Health, with four objectives under each goal. The themes of privacy and security, interoperability, IT adoption, and collaborative governance recur across the goals, but they apply in very different ways to health care and population health."
Proofpoint’s Outbound Email and Data Loss Prevention in Today’s Enterprise, 2008 report - ["the survey was fielded in the US, UK, France, Germany and Australia to explore global concerns."]
"Email remains the most important medium for communications both inside and outside the enterprise. But the convenience and ubiquity of email as a business communications tool has exposed enterprises to a wide variety of legal, financial and regulatory risks associated with outbound email. Enterprises continue to express a high level of concern about creating, managing and enforcing outbound messaging policies (for email and other communication protocols) that ensure that messages leaving the organization comply with both internal rules, best practices for data protection and external regulations. In addition, organizations remain very concerned about ensuring that email (and other electronic message streams) cannot be used to disseminate confidential or proprietary information...The results show that data protection concerns are not confined to the US and that globally, email, webmail, FTP, blogs, message boards, media sharing sites and social networking sites are a source of concern as well as real-world risk for IT professionals working in large enterprises."
Audit Initiated of the Web Applications Security in Air Traffic Control Systems, June 02, 2008. Project ID: 07F3018F000
"Summary: The Office of Inspector General is initiating an audit of web applications security in air traffic control (ATC) systems in response to a request made by the U.S. House of Representatives Committee on Transportation and Infrastructure. The objectives of this audit are to determine whether: (1) web applications used in supporting ATC operations are properly secured to prevent unauthorized access to ATC systems, and (2) FAA’s network intrusion–detection capability is effective in monitoring ATC cyber security incidents."
"...get access to and manage all of your personal health information online...This would help you keep your doctors and family members up-to-date on important medical conditions and current medications. Well, after a successful pilot with the Cleveland Clinic, we've opened up Google Health to everyone in the U.S. It's easy to sign up, and free to use. All you need is a Google username and password. You can import your medical records and prescription history from our partners — well-known brands such as Walgreens, Longs Drugs and Quest Diagnostics."
News release: "CDT today released a paper offering a set of principles for addressing potential privacy considerations when deploying digital watermarking technology. This technology embeds information within the content of digital media files in a form that is machine readable but often imperceptible to humans. Digital watermarking has a variety of applications and is increasingly being considered as a tool for deterring copyright infringement. CDT's paper is intended to provide guidance for companies that plan to use the technology to communicate information that is specific to individual consumers."
Guidance for Homeland Security Presidential Directive (HSPD) 12 Implementation (May 23 2008) (4 pages): "This document serves as a guideline to assist agencies in preparing or refining plans for incorporating the use of Personal Identity Verification (PIV) credentials, to the maximum extent practicable, with physical and logical access control systems."
Times Online: "Customers in shopping centres are having their every move tracked by a new type of surveillance that listens in on the whisperings of their mobile phones. The technology can tell when people enter a shopping centre, what stores they visit, how long they remain there, and what route they take as they walked around."
Secure web browsing with the OP web browser, Chris Grier, Shuo Tang, and Samuel T. King, Department of Computer Science, University of Illinois at Urbana-Champaign
"CDT's Health Privacy Project today released a paper urging policymakers and the private sector to develop and implement a comprehensive privacy and security framework to govern the wide range of computer and Internet-based systems being created to share sensitive health information. The paper examines the key issues confronting the adoption of information technology in the health care field and offers suggestions on policies and business practices that will protect patient rights while facilitating the kinds of information sharing that can reduce costs and improve care."
"At a REAL ID Workshop at the Berkman Center, EPIC today released a new report on the Department of Homeland Security’s national identification proposal, the REAL ID system. "May 11, 2008 is the statutory deadline for implementation of the REAL ID system. Yet on this date, not one State is in compliance with the federal law creating a national identification system. In fact, 19 States have passed resolutions or laws rejecting the national ID program. The Department of Homeland Security has faced so many obstacles with the REAL ID system that the agency now plans an implementation deadline of 2017." See EPIC page on National ID Cards and the REAL ID Act, and EPIC Comments on the Draft Regulations."
CDT Policy Post 14.5: National Security Letters: "Widespread errors in the use of National Security Letters requires legislative action, says a Center for Democracy and Technology (CDT) paper released today. The documents are used by the FBI when seeking records containing sensitive personal information. Successive Inspector General reports have uncovered abuses and mistakes by the FBI in issuing the NSLs. The CDT Policy Post says that FBI self-policing doesn't work. CDT believes there should be a more exacting standard for issuing NSLs and that prior judicial authorization should be required when sensitive personal information is sought."
News release: "The FBI has withdrawn an unconstitutional national security letter (NSL) issued to the Internet Archive after a legal challenge from the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF). As the result of a settlement agreement, the FBI withdrew the NSL and agreed to the unsealing of the case, finally allowing the Archive's founder to speak out for the first time about his battle against the record demand...The NSL was served on the Archive -- a digital library recognized by the state of California -- and its attorneys in November of 2007. The letter asked for personal information about one of the Archive's users, including the individual's name, address, and any electronic communication transactional records pertaining to the user. Kahle, who is also a member of EFF's Board of Directors, decided to fight the NSL because it exceeded the FBI's limited authority to issue such demands to libraries."
Huge Databases Offer a Research Gold Mine — and Privacy Worries
As states create warehouses of information about students, scholars see opportunities to assess the effectiveness of education. "The fusion-center debate has an echo in the world of education research. Now that Congress has rejected the idea of a national "unit-record tracking" system for student data, scholars and policy analysts are tantalized by the possibility that states will beef up their own education-data centers. The most celebrated example is Florida, which began in 2001 to assemble a "data warehouse" that allows officials to track a person's progress from kindergarten through graduate school and beyond, including postcollege wages and employment, military service, incarceration, and receipt of public assistance." [The Chronicle of Higher Education. Section: The Faculty, Volume 54, Issue 35, Page A10]
The Ultimate Little Black Book - One Firm Routes All Phone Calls in North America, by Ellen Nakashima, Washington Post.
Center for Democracy and Technology (CDT): "The long-range or "vicinity" Radio Frequency Identification (RFID) technology chosen by the Departments of Homeland Security and State for government-issued ID documents poses serious risks to personal privacy and security, CDT testified today before a Senate Homeland Security Subcommittee. CDT recommended that DHS and State abandon the technology, which was originally developed to track things, not people, and that encryption be used to protect a citizen's unique ID number. CDT also urged Congress to support legislation or regulations banning unauthorized "skimming" of RFID chips and prohibiting use of the passport card and Enhanced Driver's License beyond border security."
"NIST announces the release of the public draft of Special Publication 800-66 Revision 1, An Introductory Resource Guide to Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (Draft). This Special Publication (SP), which discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule, was written to help educate readers about information security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security standards set out in the Security Rule, direct readers to helpful information in other NIST publications on individual topics the HIPAA Security Rule addresses, and aid readers in understanding the security concepts discussed in the HIPAA Security Rule. This publication does not supplement, replace, or supersede the HIPAA Security Rule itself. Comments on Draft SP 800-66 Revision 1 will be accepted through June 13, 2008."
US Courts: "The number of intercepted wire, oral or electronic communications — also known as wiretaps — authorized by federal and state courts in 2007 was 20 percent higher than in 2006. Courts issued 2,208 such orders in 2007, compared to 1,839 in 2006, according to The 2007 Wiretap Report.
The complete report contains information on interceptions concluded between January 1, 2007 and December 31, 2007. A summary of the authorized intercepts reported for calendar years 1997-2007 is available in Table 7."
EPIC: "According to the 2007 FISA report, the Foreign Intelligence Surveillance Court approved 2,370 applications to conduct electronic surveillance and physical searches in the United States in 2007, up from 2,176 applications approved in 2006. For the first time, the report includes information regarding the total number of requests made by the Department of Justice with National Security Letter authority for information concerning U.S. persons. In 2006, the government made approximately 12,583 NSL requests for information concerning 4,790 U.S. persons. The 2007 NSL statistics are expected later this year."
"The Center for Democracy and Technology applauds the Senate's passage of HR 493, the Genetic Information Nondiscrimination Act of 2007 (GINA) by unanimous consent. The House is expected to quickly pass the measure. The bill represents a significant step forward in protecting health privacy because it prohibits the use of genetic information by employers when making hiring decisions or by health insurers when making coverage decisions or adjusting premiums. Under GINA, employers and insurers also would not be allowed to impose genetic testing requirements. CDT is urging the President to quickly sign the bill into law."
UK Guardian: "Airline passengers are to be screened with facial recognition technology rather than checks by passport officers, in an attempt to improve security and ease congestion...From summer, unmanned clearance gates will be phased in to scan passengers' faces and match the image to the record on the computer chip in their biometric passports. Border security officials believe the machines can do a better job than humans of screening passports and preventing identity fraud. The pilot project will be open to UK and EU citizens holding new biometric passports."
EPIC: "The International Working Group On Data Protection in Telecommunications has released a report and guidance (pdf) on privacy in social networking services. The report identifies risks to privacy and security, and provides guidance to regulators, service operators and users to counter these risks. Risks include the large amount of data collection; the misuse of profile data by third parties; insecure infrastructure and application programming interfaces. Regulators should ensure openness, and oblige data breach notification. Providers must be transparent; live up to promises made to users; and use privacy friendly defaults. Privacy and consumer groups are also recommended to raise the awareness of regulators, providers and the general public."
News release: "The U.S. Department of Homeland Security (DHS) announced today a notice of proposed rulemaking that will establish biometric exit procedures at all U.S. air and sea ports of departure. The majority of non-U.S. citizens are already required to submit digital fingerprints and a digital photograph for admission into the country. The US-VISIT Exit proposal would require non-U.S. citizens who provide biometric identifiers for admission to also provide digital fingerprints when departing the country from any air or sea ports of departure."
"With stories surfacing on news channels regularly about lost or stolen data or the ability to recover data from discarded or resold computers and their hard drives, Computerworld decided to look at some cheap methods of removing that sensitive data from your hard drive permanently. And, what better place to look than YouTube?"
The Inspectors General, Journal of Public Inquiry Fall/Winter 2007/08 (96 pages, PDF)
Statement of Glenn A. Fine, Inspector General, U.S. Department of Justice before the House Committee on the Judiciary Subcommittee on the Constitution, Civil Rights, and Civil Liberties concerning “The FBI’s Use of National Security Letters and Section 215 Orders for Business Records”, April 15, 2008.
Legally eHealth: Putting eHealth in its European Legal Context. Legal and regulatory aspects of eHealth Study report March 2008.
News release: "Global Entry™ will be available for U.S. citizens or lawful permanent residents who are frequent international travelers, provided they have not been found guilty of a criminal offense, charged with a customs or immigration offense, or declared inadmissible to the U.S. under immigration legislation. Biometric fingerprint technology will be used to verify the passenger’s identity and confirm his or her status as a Global Entry™ participant."
News release: "Telephone numbers placed on the National Do Not Call Registry will remain on it permanently due to the Do-Not-Call Improvement Act of 2007, which became law in February 2008. More than 157 million phone numbers are on the National Do Not Call Registry. Under the Act, the Federal Trade Commission will continue to remove telephone numbers that have been disconnected and reassigned to other customers. Consumers can delete their telephone numbers from the registry at any time by calling 1-888-382-1222 (TTY 1-866-290-4236) – the call must be made from the telephone number they wish to delete."
Inadequate Security Controls Over Routers and Switches Jeopardize Sensitive Taxpayer Information, March 26, 2008. Reference Number: 2008-20-071
EPIC: "European privacy officials have established "a clear set of responsibilities" on search engine companies regarding their handling of user data. The opinion, issued by the Article 29 Working Group, states that the European Union Data Protection Directive requires search engines to "delete or irreversibly anonymise personal data once they no longer serve the specified and legitimate purpose" for which they were collected. This requirement has particular significance for search engines, because European privacy rules classify Internet Protocol (IP) addresses as "personal data." The opinion further holds that European privacy laws generally apply to search engines "even when their headquarters are outside [Europe]," and requires that search engines must delete personal data within six months of collection. Earlier this year, EPIC urged the European Parliament to protect the privacy of search histories. For more information, see EPIC's Search Engine Privacy page."
"The World Privacy Forum filed extensive comments [April 4, 2008] regarding privacy protections for patients whose health care information will be shared with patient safety organizations under newly proposed Department of Health and Human Services regulations. After a landmark Institute of Medicine report on the prevalence of medical errors and their harmful impact on patients (To Err is Human), the U.S. Congress eventually passed the Patient Safety Act (2005). The Patient Safety Act allows extensive health care data of patients to go to patient safety organizations. The idea is to provide a form of quality control. The Agency for Healthcare Research and Quality (AHRQ), part of HHS, has published its proposed regulations implementing the Act. The World Privacy Forum has made 14 recommendations for substantive changes in the proposed rules to protect patient privacy. The World Privacy Forum asked the Agency to expressly mandate that all patient data be de-identified or anonymized to the greatest extent possible, that the proposed rule should expressly require data use agreements for any data sharing, that the patient information be labeled as subject to the Patient Safety Act, and strongly urged that patient safety organizations be required to maintain an accounting of disclosures at least equal to HIPAA, among other recommendations. The full set of recommendations is available in the WPF comments. The proposed rulemaking will be open for public comments until April 14, 2008."
News release: "According to the 2007 Internet Crime Report, the Internet Crime Complaint Center (IC3) received 206,884 complaints of crimes perpetrated over the Internet during 2007. Of the complaints received, more than 90,000 were referred to law enforcement around the nation, amounting to nearly $240 million in reported losses. This represents a $40 million increase in reported losses from complaints referred to law enforcement in 2006. All complaints received by IC3 are accessible to federal, state, and local law enforcement to support active investigations, trend analysis, and public outreach and awareness efforts."
News release: "Finance Committee staff today released a bipartisan discussion draft of the President’s proposal to require information reporting by banks and other entities on reimbursements to merchants that accept electronic forms of payment, including credit and debit cards. The Finance Committee intends to use public comment to understand more about how payment reporting may affect the tax gap – the $345 billion in Federal taxes legally owed but uncollected each year – as well as to determine whether increased reporting requirements would unfairly burden merchant businesses or banks."
News release: "The Federal Trade Commission today reiterated that despite the claims made in e-mails circulating on the Internet, consumers should not be concerned that their cell phone numbers will be released to telemarketers in the near future, and that it is not necessary to register cell phone numbers on the National Do Not Call (DNC) Registry to be protected from most telemarketing calls to cell phones."
Implementation of the Communications Assistance for Law Enforcement Act by the Federal Bureau of Investigation, Audit Report 08-20, March 2008. Redacted for public release.
News release: "In the FTC’s action against data brokers Reed Elsevier (REI) and Seisint, the complaint alleges that REI - through its LexisNexis data broker business - and Seisint collect and store in databases information about millions of consumers, including names, current and prior addresses, dates of birth, drivers license numbers and Social Security numbers. They obtain information about consumers from credit reporting agencies and other sources, and sell products customers use online to find and retrieve the information from their databases. The companies relied on user IDs and passwords (or “user credentials”) to control customer access to consumer information in their databases."
National Committee on Vital and Health Statistics, 2005-2006. February 2008 37 pp. (PHS) 2008-1205
Follow up to State Department Acknowledges Unauthorized Access to Passport Records of Presidential Candidates, today's news release: "Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and Ranking Member Arlen Specter (R-Pa.) today urged the Attorney General to take immediate action to investigate reported breaches of the passport files of the three presidential candidates at the State Department. Attorney General Michael Mukasey stated last week that the Justice Department would await the outcome of an internal investigation at the State Department before taking action.
“We both strongly believe that our government has a duty to protect the private information of its citizens,” wrote Leahy and Specter. “The Justice Department should not wait to be handed ‘a box full of evidence,’ as you said at your recent briefing, before determining whether Federal laws were broken.”
See also Personal Data Privacy and Security Act and Summary of the Leahy-Specter data privacy legislation.
RL34404 - Border Searches of Laptops and Other Electronic Storage Devices, March 05, 2008
2008 Data Mining Report (PDF, 46 pages), February 11, 2008. "This is the third report by the Privacy Office to Congress on data mining. This report identifies the data mining activities deployed or under development within DHS, as defined by the Data Mining Reporting Act, and describes the framework the Department will use to report on such activities in the future pursuant to Section 804 of the Implementing Recommendations of the 9/11 Commission Act of 2007, entitled, “The Federal Agency Data Mining Reporting Act of 2007” (Data Mining Reporting Act)."
Press release: "...AirTight® Networks, the global leader for wireless intrusion prevention systems...issued the findings from its study to assess information security risk exposure of laptop users at fourteen airports in the United States, Canada and Asia. The company set out to understand the risks to business travelers and their corporate networks of data leakage while those airline passengers are sending sensitive information using unsecured wireless access points while at the airports. It found surprising results, however, regarding the security posture of private Wi-Fi networks in these airports as well as the rapid spread of viral Wi-Fi networks.
One of the most surprising findings of this initial study was that some ticketing systems, baggage systems, shops and restaurants were using open or poorly secured wireless networks. Of the Wi-Fi networks detected by AirTight researchers, 77 percent were non-hotspot (i.e. private) networks and of those, 80 percent were unsecured or using legacy WEP encryption, a fatally flawed protocol. Based on detailed analysis of these access points, there is a high probability that some of these networks are used for critical airport logistics and operations. The consequences of this lack of security could result in disruption of baggage or passenger ticketing systems."
Newsweek: Unintended Consequences - Spitzer got snagged by the fine print of the Patriot Act
VOIP-News: "Email, IM (instant messaging) and even VoIP solutions like Skype and Vonage have taken over communications in both the business and social worlds. These systems work well because they're a much-needed solution for high phone bills, static-filled communications and dropped cell-phone calls. Internet-based communication methods also give users optimum remote access, since all one needs to use VoIP or send an IM is an Internet connection. But with this increase in popularity comes serious security issues. VoIP technology is still relatively new, and hackers are finding new ways to rip off service providers and their customers. Just who might be spying on your online communications? You might be surprised."
Department of Justice Office of Inspector General: A Review of the FBI’s Use of National Security Letters: Assessment of Corrective Actions and Examination of NSL Usage in 2006, March 2008, Unclassified, (187 pages, PDF)
Department of Justice Office of Inspector General: A Review of the FBI’s Use of Section 215 Orders for Business Records in 2006, March 2008, Unclassified (99 pages, PDF)
Follow up to March 11, 2008 posting, House Democrats Reject Telecom Immunity, "Today, House Judiciary Chairman John Conyers, Jr. (D-MI) and 19 members of the House Judiciary Committee issued a statement regarding telecommunications immunity, as the House prepares to consider the FISA Amendments Act of 2008. Following a review of classified information relating to the warrantless surveillance program and immunity for telecommunications companies, the members reported their conclusion that the administration has not established a valid and credible case to justify granting blanket retroactive immunity at this time."
Follow up to previous postings on TSA's Total Information Awareness surveillance program, this news release today from the ACLU: "...According to the new Wall Street Journal report [subscription req'd], the NSA was engaging in broad domestic spying operations that involve collecting and analyzing the personal information of Americans in ways that are "essentially the same" as TIA. The elements that reportedly make up the new spying encompass a variety of mass surveillance and data mining programs about which the ACLU has previously warned..."
"The Privacy Act of 1974 is in need of improvements to ensure its relevance into the future, CDT Deputy Director Ari Schwartz said in testimony before a congressional panel today. The Act’s limitations are particularly apparent with regard to government use of commercially compiled personal information, Schwartz told the Information Policy, Census, and National Archives Subcommittee. Commercial information plays a key role in important government functions, like law enforcement and national security. However, agencies relying on that data should have clear guidelines on its use. The role Privacy Impact Assessments play in protecting privacy is essential. Two bills help bolster PIAs: S.2341 lays out "best practices" guidelines and HR 4791 requires PIAs for government use of commercial databases. CDT believes Congress should create a Commission to review the Act and suggest possible reforms. March 11, 2008."
House Democratic Majority Leader/AP: "Locked in a standoff with the White House, House Democrats on Tuesday maintained their refusal to shield from civil lawsuits telecommunications companies that helped the government eavesdrop on their customers without a secret court's permission. But they offered the companies an olive branch: the chance to use classified government documents to defend themselves in court. House Democratic leaders unveiled a bill that they hoped would bridge the gap between the electronic surveillance bill passed by the Senate last month and a rival version the House approved last fall. Both bills are attempts to update the 1978 Foreign Intelligence Surveillance Act, the law that dictates when the government needs court permission to conduct electronic eavesdropping inside the United States. The law has taken on particular importance in the global effort to thwart terrorists since the 2001 attacks on the United States."
Electronic Frontier Foundation: "Three powerful House Commerce Committee Chairmen strongly urged their colleagues Thursday to defer acting on requests for retroactive immunity and to demand more information from the White House and the telecommunications companies in the wake of disclosures by another whistleblower that the government apparently has been granted an open gateway to customer information and calls by a major telecommunications company."
HHS Office of Inspector General, Privacy Act of 1974; Revisions to OIG’s Privacy Act System of Records: Criminal Investigative Files, Federal Register, March 4, 2008.
"CDT today released a set of privacy principles to help guide the development of software tools related to online behavioral targeting. Developed in consultation with members of CDT's Internet Privacy Working Group (IPWG), the principles aim to bolster the development of tools for Web browsers and other software that empower users with the ability to manage their privacy and control online behavioral tracking activities. The document is a result of meetings with IPWG, sparked by renewed interest in behavioral targeting at the FTC, in the private sector and among consumer groups."
2007 Electronic Monitoring & Surveillance Survey - Over Half of All Employers Combined Fire Workers for E-Mail & Internet Abuse, February 28, 2008
Chris Hoofnagle, Measuring Identity Theft at Top Banks (Version 1.0) February 26, 2008. Berkeley Center for Law and Technology. Law and Technology Scholarship (Selected by the Berkeley Center for Law & Technology). Paper 44.
Data Breach Notification Laws, State By State, by Scott Berinato, "More than five years after California's seminal data breach disclosure law, SB 1386, was enacted, not all states have followed suit. Eleven states still have not passed laws mandating that companies notify consumers when that company has lost the consumer's personal data. One state, Oklahoma, does have a breach notification law, but it only applies to state entities that have lost data. That leaves 38 states that have enacted some sort of breach disclosure law. This map will help you sort them out."
"The Safer Internet plus programme aims to promote safer use of the Internet and new online technologies, particularly for children, and to fight against illegal content and content unwanted by the end-user, as part of a coherent approach by the European Union."
The World Privacy Forum - A Legal and Policy Analysis - Personal Health Records: Why Many PHRs Threaten Privacy, Prepared by Robert Gellman for the World Privacy Forum, February 20, 2008
Secrecy News: "The Office of the Director of National Intelligence provided an overview of U.S. intelligence data mining development programs in...“Data Mining Report,” ODNI Report to Congress, February 15, 2008. Data mining is used by intelligence agencies to search through databases in order to discern patterns of activity that could indicate a threat to national security."
Press release: "Reed Elsevier to acquire ChoicePoint for a total cost of $4.1 billion (£2.1 billion/€2.8 billion) payable in cash. This comprises an equity value of $3.5 billion and the assumption of $0.6 billion of net debt. Combination of ChoicePoint with the LexisNexis Risk Information and Analytics Group will create a risk management business with $1.5 billion in revenues and a leading position in the fast growing risk management marketplace...ChoicePoint has a leading position in providing unique data and analytics to the attractive insurance sector (over 50% of Choicepoint's $982 million revenue and 80% of its business operating income from continuing operations in 2007) and highly complementary products and new capabilities in the screening, authentication and public records areas."
Your Guide to Online Privacy, by Mark Glaser
"The FTC today released the list of top consumer fraud complaints received by the agency in 2007. The list, contained in the publication Consumer Fraud and Identity Theft Complaint Data January-December 2007, showed that for the seventh year in a row, identity theft is the number one consumer complaint category. Of 813,899 total complaints received in 2007, 258,427, or 32 percent, were related to identity theft.
The report breaks out complaint data on a state-by-state basis and also contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and the 50 metropolitan areas reporting the highest incidence of identity theft.
The report states that credit card fraud was the most common form of reported identity theft at 23 percent, followed by utilities fraud at 18 percent, employment fraud at 14 percent, and bank fraud at 13 percent.
Consumers reported fraud losses totaling more than $1.2 billion; the median monetary loss per person was $349, the report states."
DHS press releases, February 1, 2008: "The U.S. Department of Homeland Security (DHS) announced today that it has begun collecting additional fingerprints from international visitors arriving at Chicago O'Hare International Airport (O'Hare), Hartsfield-Jackson Atlanta International Airport (Hartsfield), and George Bush Houston Intercontinental Airport (Bush Intercontinental). The change is part of the department's upgrade from two- to 10-fingerprint collection to enhance security and facilitate legitimate travel by more accurately and efficiently establishing and verifying visitors' identities."
Educational Security Incidents (ESI) Year in Review - 2007, by Adam Dodge, posted on February 10, 2008: "The ESI Year in Review - 2007 examines all of the information security incidents occurring at colleges and universities around the world as reported in the news during 2007. 2007 marked a significant change for information security incidents reported in the news. Among the changes are an increase in both the number of incidents reported and the number of institutions reporting a breach as well as the addition of new categories such as incident type 'Employee Fraud' and information type 'Username and Password'."
Press release: "In connection with the 5th Safer Internet Day on 12 February 2008, Eurostat, the Statistical Office of the European Communities, presents a selection of statistics concerning internet activities, security concerns and virus attacks. The Safer Internet Day is part of a global drive to promote a safer Internet for all users, in particular younger people, and is organised by Insafe, a European internet safety network co-funded by the European Commission...In the EU27 in 2007, nearly a quarter of internet users had had a computer virus in the preceding 12 months, which resulted in a loss of information or time. Virus attacks were most frequent in Lithuania (41% of users), Slovenia (35%) and Malta (34%) and least common in the Czech Republic (7%), Estonia (15%) and Sweden (16%)."
Press release: "The California State Senate passed a bill Friday that would allow prosecution for identity theft cases in the county where the victim resides. State Sen. Joe Simitian, D-Palo Alto, co-authored Senate Bill 612 and praised fellow senators Friday for voting 40-0 in favor of the legislation. Current law permits prosecution in the county where the theft occurred, or where the information was illegally used, even when both locations are hundreds of miles from the victim’s home, according to Simitian’s office." Simitian also sponsored Senate Bill 364, which passed by a vote of 30-7.
CDT: "The Senate yesterday gave final congressional approval to legislation making "Do Not Call" listings permanent. Without the legislation, consumers' phone numbers would have been automatically removed from the FTC controlled list after five years. CDT applauds the decision to eliminate the list's current expiration policy, which would require consumers who want to remain on the list to sign up again every five years. The bill, H.R. 3541, has already passed the House and is likely to be enacted into law soon."
News.com: "Real ID's scope is surprisingly broad. Jurors could potentially be denied entrance to federal courthouses. So could prospective students visiting the U.S. Naval Academy in Annapolis or the U.S. Military Academy at West Point. Tours of federal buildings such as the Pentagon and the Treasury Department could be affected, as could public hearings, conferences, and even concerts. And some Americans could be denied entrance to the U.S. Capitol building, the iconic heart of the nation's democracy...Starting May 11, unless your home state agrees to comply with the federal Real ID Act or unless it asks for an extension, you might have trouble getting into federal buildings. Click a state [interactive map included in this article] to see what that state has told us about whether or not its ID cards will meet Real ID requirements."
In a statement to the House of Commons, the PM said that the Government would look at ways of using intercept evidence as advised by the Chilcot Report. Guidelines would be drawn up to ensure that the interests of national security were never compromised, he said. The PM said:
"The use of intercept in evidence characterises a central dilemma we face as a free society - that of preserving our liberties and the rule of law, while at the same time keeping our nation safe and secure. [The Chilcot Report - see text below] concludes that it should be possible to find a way to use some intercept material as evidence, provided - and only provided - that certain key conditions can be met. These conditions relate to the most vital imperative of all - that of safeguarding our national security. The Government accepts this recommendation - and takes the accompanying conditions very seriously."
Use of Commercial Independent Risk Analysis Services Blanket Purchase Agreements (BPA) (February 4, 2008) (4 pages, PDF)
REAL ID: What Should Congress Do Now? - CDT Analysis of the REAL ID Act and the Department of Homeland Security’s Final Regulations, February 1, 2008.
Second Annual Report to Congress, January 30, 2008 (36 pages, PDF): "As the efforts of the current Board come to a close, the Members wish to acknowledge and thank the many thousands of dedicated men and women in the Federal government whose responsibility it is to protect the homeland against terrorism consistent with the Constitution. We have been privileged to observe their training on the importance of privacy and civil liberties and witness their work first hand. The development of a privacy and civil liberties oversight infrastructure within the Federal government, as envisioned by IRTPA, is important. But nothing can substitute for the uncompromising daily commitment these individuals make to their jobs and Constitutional principles."
Solove, Daniel J., "The Future of Reputation: Gossip, Rumor, and Privacy on the Internet", Yale University Press, October 2007. Available at SSRN: http://ssrn.com/abstract=1019177
Follow up to January 27, 2007 notice, DHS Posts Annual Report to Congress After Delay: DHS posted the Annual Privacy Report to Congress, July 2006 to July 2007 (PDF, 58 pages).
EPIC: "In a report that will appear in IEEE Security & Privacy, leading experts in computer security warn that legislation now under consideration in the Senate could make the United States vulnerable to attack. The paper, Risking Communications Security: Potential Hazards of the Protect America Act, warns that warrantless wiretapping creates serious security risks, including 'danger of exploitation of the system by unauthorized users, danger of criminal misuse by trusted insiders, and danger of misuse by government agents.'"
"In this Top Ten Opt Outs list, some opt outs can be done by phone, some have to be sent in a letter via postal mail, and some can be accomplished online. Some opt outs last forever, some have time limits, and others can be changed at will. If an opt out is on this list, it is because we thought it might be important enough to be worth whatever annoyance it may pose. Not every opt out is right for everyone, and not everyone will necessarily want to opt out. It is a personal choice. Take a look at the list...and see if any of the opt outs appeal to you, or might make a difference to you in some way."
Bush Order Expands Network Monitoring - Intelligence Agencies to Track Intrusions, by Ellen Nakashima, Washington Post: "President Bush signed a directive this month that expands the intelligence community's role in monitoring Internet traffic to protect against a rising number of attacks on federal agencies' computer systems. The directive, whose content is classified, authorizes the intelligence agencies, in particular the National Security Agency, to monitor the computer networks of all federal agencies -- including ones they have not previously monitored."
Press release: "A federal judge has barred the illegal operation of an information broker who advertised and sold confidential consumer telephone records to third parties without the consumers’ knowledge or consent. In entering summary judgment for the Federal Trade Commission, Judge William F. Downes of the U.S. District Court for the District of Wyoming also required the defendants to give up nearly $200,000 in ill-gotten gains derived from the consumer phone records they sold, and ordered that the individuals whose records were sold be notified."
"The aim of the Data Protection Day is to give European citizens the chance to understand what personal data is collected and processed about them and why, and what their rights are with respect to this processing. They should also be made aware of the risks inherent and associated with the illegal mishandling and unfair processing of their personal data. The objective of the Data Protection Day is therefore to inform and educate the public at large as to their day-to-day rights, but it may also provide data protection professionals with the opportunity of meeting data subjects."
Press release: "Congresswoman Betty McCollum (MN-04), has sent a letter to the Government Accountability Office asking that it reopen its investigation of the privacy and national security risks posed by government agencies reselling used magnetic data tapes that may once have contained large amounts of sensitive personal and government information. Researchers working for Imation, an Oakdale, MN-based corporation that produces magnetic data tapes, were able to recover a wide range of sensitive information from used data tapes that were supposedly wiped clean before being re-sold. Using readily available equipment and information, Imation investigators found out where the tapes originated and recovered bank account numbers, expense reports, employee tax and benefit information, and other sensitive data."
Coalition for Patient Privacy: "Our mission is to ensure that Americans control all access to their health records."
DHS: Privacy Impact Assessment for the Use of Radio Frequency Identification (RFID) Technology for Border Crossings, January 22, 2008.
Federal Times: "The administration last week told agencies not to use federal employees’ Social Security numbers as primary identifiers for data processing purposes. The Office of Personnel Management said in a Jan. 18 notice that agencies must not print the numbers on paper or display them on computer screens except in secure areas. And only employees whose official duties require access to the numbers can have access to them. Lastly, agencies can only collect employees’ Social Security numbers when an employee joins the agency for human resources and payroll purposes. OPM hopes the new rules will decrease the risk of identity theft."
CDT Comments to DHS on Developing CCTV Best Practices, January 18, 2008: "As the December 17-18, 2007 workshop on Closed Circuit Television (CCTV) made clear, there are many good CCTV “best practices” that have been developed by organizations such as The Constitution Project, ACLU, the American Bar Association, the governments of Canada and the United Kingdom, and even the U.S. Park Police. CDT supports these efforts but believes an equally important question is, how can the public be assured that video surveillance “best practices” are being implemented in localities where federal homeland security funds are spent?"
"In comments filed [January 15, 2008] with the Department of Homeland Security, EPIC detailed its "Framework for Protecting Privacy & Civil Liberties If CCTV Systems Are Contemplated." EPIC explained that it "does not support the creation nor the expansion of video surveillance systems, because their limited benefits do not outweigh their enormous monetary and social costs." EPIC's guidelines explain that (1) alternatives to CCTV are preferred; (2) there must be a demonstrated need for the system; (3) the public and privacy and security experts must be consulted before the system is created; (4) Fair Information Practices Privacy Act of 1974, the 1980 OECD Privacy Guidelines and the Video Voyeurism Act. See EPIC's page on Video Surveillance."
Press release, January 11, 2008: "One of the biggest concerns we’ve had for the last several years, one we continue to have at the Department of Homeland Security, is how do we promote a secure form of identification across America? And Congress has spoken to this by passing the REAL ID Act several years ago, which provides that we have the obligation to set uniform security standards for the issuance of state driver’s licenses. When we went back and investigated the 9/11 attacks, one of the things which we found, and which the 9/11 Commission found, was that all but one of the hijackers carried a government-issued identification form – mostly driver’s licenses. And this government-issued ID helped the hijackers board airplanes, or remain in the country illegally. That’s why the 9/11 Commission recommended that we enhance the security of our driver’s licenses as a counterterrorism measure. And that’s why Congress set higher standards for driver’s licenses in the REAL ID Act. That’s also why the American people overwhelmingly support more security for driver’s licenses."
Press release: "The U.S. Department of Homeland Security (DHS) announced today a final rule establishing minimum security standards for state-issued drivers’ licenses and identification cards. The rule sets uniform standards that enhance the integrity and reliability of drivers’ licenses and identification cards, strengthen issuance capabilities, and increase security at drivers’ license and identification card production facilities. The final rule also dramatically reduces state implementation costs by roughly 73 percent."
REAL ID Requirements
Press release: "In October 2006, the Transportation Security Administration launched a website to help travelers whose names were erroneously listed on airline watch lists. This redress website had multiple security vulnerabilities: it was not hosted on a government domain; its homepage was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. These deficiencies exposed thousands of American travelers to potential identity theft. After an internet blogger identified these security vulnerabilities in February 2007, the website was taken offline and replaced by a website hosted on a Department of Homeland Security domain. At the request of Chairman Henry Waxman, Committee staff have been investigating how TSA could have launched a website that violated basic operating standards of web security and failed to protect travelers’ sensitive personal information. As this report describes, these security breaches can be traced to TSA’s poor acquisition practices, conflicts of interest, and inadequate oversight."
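The deficiencies the committee lists (a redress form hosted outside a government domain, pages and submissions served without encryption, a certificate not issued for the host) are all checkable before a site goes live. The following is an added example, not code from the committee report, TSA or its contractor: a static audit that takes a page's URL and HTML, plus the CN of the certificate the server presented, and reports forms that would submit traveler data without TLS, a host outside an assumed trusted suffix (".gov" here), and a certificate whose subject does not match the host. The sample pages, host names and certificate name are constructed for the example; the certificate check is a plain CN-to-host comparison, not a full subjectAltName or wildcard match.

```python
# Added example: static audit for the web-form failures described in the
# committee report. Host names, pages and certificate name are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments that mark a form as carrying traveler identity data.
SENSITIVE_FIELDS = ("ssn", "passport", "dob", "birth", "license")


class FormCollector(HTMLParser):
    """Collect every <form> action and the names of its input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag in ("input", "select", "textarea") and self.forms:
            self.forms[-1]["fields"].append((a.get("name") or "").lower())


def audit_page(page_url, html, cert_cn=None, trusted_suffix=".gov"):
    """Return a list of finding strings for the page at page_url.

    cert_cn is the subject CN of the certificate the server presented, or
    None when the page was served without TLS. trusted_suffix is the domain
    suffix the page is expected to live under (an assumption of the example).
    """
    findings = []
    page = urlsplit(page_url)
    host = (page.hostname or "").lower()
    if not host.endswith(trusted_suffix):
        findings.append(f"page host {host} is outside {trusted_suffix}")
    if page.scheme != "https":
        findings.append("page itself is served without TLS")
    elif cert_cn is None or cert_cn.lower() != host:
        findings.append(f"certificate CN {cert_cn!r} does not match host {host}")

    parser = FormCollector()
    parser.feed(html)
    for form in parser.forms:
        # Resolve relative actions against the page URL, as a browser would.
        target = urlsplit(urljoin(page_url, form["action"]))
        sensitive = [f for f in form["fields"] if any(k in f for k in SENSITIVE_FIELDS)]
        if target.scheme != "https":
            findings.append(
                f"form submits {form['fields']} to {target.geturl()} without TLS")
        if sensitive and (target.hostname or "").lower() != host:
            findings.append(
                f"sensitive fields {sensitive} leave the page host for {target.hostname}")
    return findings


# Constructed sample: a redress form on a contractor's host, served over HTTP.
SAMPLE_URL = "http://redress.example-contractor.com/index.html"
SAMPLE_HTML = """
<html><body>
<form action="submit.php" method="post">
  <input name="full_name"><input name="ssn"><input name="passport_number">
</form>
<form action="https://redress.example-contractor.com/upload" method="post">
  <input name="dob">
</form>
</body></html>
"""

# Constructed sample: the same form on a .gov host under TLS with a matching cert.
FIXED_URL = "https://trip.example-agency.gov/index.html"
FIXED_HTML = '<form action="/submit" method="post"><input name="ssn"></form>'


def run_example():
    """Audit both constructed pages; returns (bad_findings, fixed_findings)."""
    return (audit_page(SAMPLE_URL, SAMPLE_HTML),
            audit_page(FIXED_URL, FIXED_HTML, cert_cn="trip.example-agency.gov"))


if __name__ == "__main__":
    bad, fixed = run_example()
    for f in bad:
        print("FINDING:", f)
    print("fixed page findings:", fixed)
```

Run as a script it prints three findings for the contractor-hosted page (host outside .gov, page without TLS, the first form posting over plain HTTP) and none for the relocated page. In a real acquisition review the same checks would be run against the live site, with the certificate chain and hostname validated by the TLS library rather than by string comparison.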
"...the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) provides that United States citizens and nonimmigrant aliens may enter the United States only with passports or such alternative documents as the Secretary of Homeland Security may designate as satisfactorily establishing identity and citizenship... The vicinity RFID electronic chip contains only one item of information--a unique identifying number that has meaning only inside the secure CBP computer system. No other form of personally identifiable information, such as name, date of birth, SSN, place of birth etc., will be electronically stored on the passport card or transmitted through RFID. All personal information will be contained in DHS systems and will only be accessible by authorized personnel through secure networks. Upon receipt of the passport card number, the border crosser's personal information will be downloaded from the CBP system and provided to the CBP officer. The CBP officer will then interview the individual, verify their identities, and determine the appropriate action to take. The WHTI passport card approach was not designed to be an automated system, and the use of vicinity RFID technology in this final rule reflects this reality. Rather, the RFID-based approach allows the CBP officers to do their jobs better and faster." [Federal Register: December 31, 2007 (Volume 72, Number 249)][Rules and Regulations][Page 74169-74173]
Washington Post, Online Records May Aid ID Theft, Government Sites Post Personal Data, By Bill Brubaker: "Social Security numbers are readily available in many courthouses -- in land records and criminal and civil case files -- as well as on many government Web sites that serve up public documents with a few clicks of a mouse. From state to state, and even within states, there is little uniformity in how access to the private information in these records is controlled."
"Today, the Department of State released a final rule for the new "Passport Card," which is intended to be used by American citizens who frequently travel by land or sea to Canada, Mexico, the Caribbean, and Bermuda. The new rule calls for the use of "vicinity read" RFID technology without the use of encryption. This means the card will be able to be read remotely, at a long distance. CDT strongly objected to the use of this technology--developed for tracking inventory, not people--because it is inherently insecure and poses threats to personal privacy, including identity theft, location tracking by government and commercial entities outside the border control context, and other forms of mission creep."
"Each year since 1997, the US-based Electronic Privacy Information Center and the UK-based Privacy International have undertaken what has now become the most comprehensive survey of global privacy ever published. The Privacy & Human Rights Report surveys developments in 70 countries, assessing the state of surveillance and privacy protection. The most recent report published in 2007 is probably the most comprehensive single volume report published in the human rights field. The report runs over 1,100 pages and includes 6,000 footnotes. More than 200 experts from around the world have provided materials and commentary. The participants range from eminent privacy scholars to high-level officials charged with safeguarding constitutional freedoms in their countries. Academics, human rights advocates, journalists and researchers provided reports, insight, documents and advice. In 2006 Privacy International took the decision to use this annual report as the basis for a ranking assessment of the state of privacy in all EU countries together with eleven non-EU benchmark countries."
Ponemon 2007 Annual Study: U.S. Cost of a Data Breach - Understanding Financial Impact, Customer Turnover, and Preventative Solutions: This study "was derived from a detailed analysis of 35 data breach incidents. According to the study, the cost per compromised customer record increased in 2007, compared to 2006. Lost business opportunity, including losses associated with customer churn and acquisition, represented the most significant component of the cost increase. Companies analyzed were from 16 different industries, including communications, consumer goods, education, entertainment, financial services, gaming, health care, hospitality, internet, manufacturing, marketing, media, retail, services, technology, and transportation."
"The Department of Homeland Security released grant guidance and application kits for two grant programs totaling more than $35 million to help states prepare to implement REAL ID provisions that require a standard format for state-issued driver's licenses. The REAL ID Demonstration Grant Program will provide $31.3 million in grants to the states to check motor vehicle records in other states to ensure drivers don't have multiple licenses, and to verify immigration status against federal records. It will help standardize methods by which states may seamlessly verify an applicant's information with another state and deploy verification capabilities that can be used by all states, while protecting personal identification information."
Press release: "The Federal Trade Commission today told the House Judiciary Committee’s Subcommittee on Crime, Terrorism, and Homeland Security that identity theft remains one of the highest priorities for the Commission, and that the agency is playing a lead role in preventing identity theft and helping those who are victimized."
Press release: "Forty-seven percent of internet users have searched for their own name online, but few monitor their online presence with great regularity. Fifty-three percent of internet users have searched online for information about personal and business contacts. These findings represent a significant change from when the Pew Internet Project first reported on this activity in 2002, at which time 22% of internet users had searched online for their own name."
Press release: "As merchants get busier with holiday shopping, the Federal Trade Commission reminds them to be sure the credit and debit card receipts they give customers comply with federal law. To reduce the risk of fraud and identity theft, the electronically printed credit and debit card receipts given to consumers must not include more than the last five digits of the card number, and must not show the expiration date."
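The rule is concrete enough to check mechanically: no more than the last five digits of the card number, and no expiration date, on the printed receipt. The following is an added example, not from the FTC release: a scan over receipt text that flags a full card number (a 13 to 19 digit run that passes the Luhn check, so order and reference numbers are not mistaken for cards), a masked number that still exposes more than five digits, and an expiration date. The receipt lines are constructed for the example, and the card numbers are the publicly known test numbers, not real accounts.

```python
# Added example: compliance scan for printed receipts against the truncation
# rule quoted above. Receipt text and card numbers are constructed test data.
import re

# 13-19 digit runs, optionally separated by spaces or dashes, not preceded by
# a digit or a masking star; this catches a fully printed card number.
PAN_RE = re.compile(r"(?<![\d*])(?:\d[ -]?){12,18}\d(?!\d)")
# A star- or X-masked prefix followed by the digits the receipt left visible.
MASKED_RE = re.compile(r"(?<!\d)[*xX]{4,}[ -]?(?:\d[ -]?)*\d(?!\d)")
# An expiration date label followed by MM/YY or MM/YYYY.
EXPIRY_RE = re.compile(r"\b(?:exp|expires|expiry)\b[^\d]{0,6}(\d{2}/\d{2,4})",
                       re.IGNORECASE)
MAX_VISIBLE = 5  # the receipt may show at most the last five digits


def luhn_ok(digits):
    """Luhn check, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def visible_digits(token):
    """Digits in a token, ignoring separators and mask characters."""
    return re.sub(r"[^\d]", "", token)


def mask_pan(pan, keep=4):
    """How a compliant receipt prints a card number: only the last `keep` digits."""
    digits = visible_digits(pan)
    return "*" * (len(digits) - keep) + digits[-keep:]


def check_receipt(text):
    """Return a list of (line_no, problem) tuples for a receipt's text."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = visible_digits(m.group())
            if luhn_ok(digits):
                problems.append((n, f"full card number printed: {mask_pan(digits)}"))
        for m in MASKED_RE.finditer(line):
            if len(visible_digits(m.group())) > MAX_VISIBLE:
                problems.append((n, f"more than five digits exposed: {m.group().strip()}"))
        if EXPIRY_RE.search(line):
            problems.append((n, "expiration date printed"))
    return problems


# Constructed receipt: line 2 prints a full number and an expiry date, line 6
# is compliant, line 7 prints an expiry date, line 10 leaves eleven digits
# visible; the 13-digit reference number on line 10 fails Luhn and is ignored.
SAMPLE_RECEIPT = """\
ACME MART  12/18/2007 14:02
VISA  4242424242424242  EXP 09/10
AMOUNT  $42.17
AUTH 123456
--------------------------
MC   ************5454
EXP 11/09
TOTAL $15.00
--------------------------
AMEX  **** 822463 10005   REF 0000012345678
"""

if __name__ == "__main__":
    for line_no, problem in check_receipt(SAMPLE_RECEIPT):
        print(f"line {line_no}: {problem}")
```

The Luhn filter is what keeps the scan usable on real output: receipts are full of long authorization and reference numbers that a plain digit-run regex would report. The same scan can be pointed at a POS system's print spool or journal files to confirm the truncation setting actually took effect on every terminal.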
Consumer Information:
Press release: "The widespread use and availability of Social Security numbers puts Americans at risk for identity theft and should be restricted, according to Consumers Union, nonprofit publisher of Consumer Reports. The group urged policymakers to take action to protect consumers as part of a public forum on the issue organized by the Federal Trade Commission in conjunction with the President’s Identity Theft Task Force. Social Security numbers are particularly sensitive information because they can provide the key to unlocking a consumer’s financial identity... Jeannine Kenney, Senior Policy Analyst with Consumers Union...presented findings of a Consumer Reports National Research Center poll at the FTC forum showing that 89 percent of Americans want state and federal lawmakers to restrict the use and availability of Social Security numbers by businesses and government agencies. The poll also found that nearly all consumers want the right to freeze access to their credit files to prevent new account fraud. Currently 39 states and the District of Columbia give consumers the right to a security freeze and the three major credit bureaus have made the freeze available to consumers in the remaining states."
"The Electronic Frontier Foundation (EFF) has received a second set of records from the Office of the Director of National Intelligence (ODNI) detailing behind-the-scenes briefings for lawmakers working to make substantial changes to the Foreign Intelligence Surveillance Act (FISA). EFF requested release of the records under the Freedom of Information Act (FOIA) earlier this year...Last month, a federal judge ordered ODNI to release all documents by December 10. The first batch of records, made public on November 30, detailed contentious negotiations between Director of National Intelligence Mike McConnell and members of Congress that resulted in the passage of the Protect America Act...The second set of records contains more correspondence between McConnell and members of Congress, as well as heavily redacted versions of classified testimony delivered to the Senate Select Committee on Intelligence, and an FAQ detailing how the National Security Agency performs electronic surveillance. Withheld records include ODNI presentation slides used to brief Congress on foreign intelligence issues, and other classified documents."
"Protecting the personal information of customers, clients, and employees is good business. The Federal Trade Commission has a new online tutorial to alert businesses and other organizations to practical and low- or no-cost ways to keep data secure. The tutorial, “Protecting Personal Information: A Guide for Business,” at www.ftc.gov/infosecurity, takes a plain-language, interactive approach to the security of sensitive information. Although the specifics depend on the type of company and the kind of information it keeps, the basic principles are the same: any business or office that keeps personal information needs to take stock, scale down, lock it, pitch it, and plan ahead. The tutorial explains each of these principles, and includes checklists of steps to take to improve data security."
Legislative Text of the Foreign Intelligence Surveillance Substitution Act of 2007, S. 2402, introduced by Arlen Specter, December 3, 2007.
Awareness of Security Freeze Legislation and Use of Security Freezes by Consumers Age 18+ Research Report, Jennifer H. Sauer, M.A., AARP Knowledge Management, Neal Walters, AARP Public Policy Institute, November 2007
Press release: "The Division of Privacy and Identity Protection of the Commission’s Bureau of Consumer Protection has issued a summary of information it has obtained in preparation for an upcoming FTC workshop on private-sector use of Social Security numbers (SSNs)...In July 2007, FTC staff invited interested parties to comment on the issues surrounding private sector usage of SSNs. More than 300 individuals and entities provided comments. The staff summary of the public comments and the information the staff obtained through its interviews can be found here. The issues will be addressed at an FTC workshop on December 10-11, 2007. More information about the workshop can be found here."
McAfee Virtual Criminology Report - Cybercrime: The Next Wave - The annual McAfee global cyber trends study into organized crime and the Internet in collaboration with leading international security experts, November 2007.
Press release: "Late Tuesday, the Electronic Frontier Foundation (EFF) won the speedy release of telecom lobbying records from the Office of the Director of National Intelligence (ODNI). The agency was ordered to comply with a new December 10 deadline -- in time for the documents to play a role in the congressional debate over granting amnesty for telecommunications companies taking part in illegal electronic surveillance. The ruling by U.S. District Judge Susan Illston vacates a hearing on the matter previously scheduled for Friday."
Press release: "The Federal Trade Commission today released a survey showing that 8.3 million American adults, or 3.7 percent of all American adults, were victims of identity theft in 2005. Of the victims, 3.2 million, or 1.4 percent of all adults, experienced misuse of their existing credit card accounts; 3.3 million, or 1.5 percent, experienced misuse of non-credit card accounts; and 1.8 million victims, or 0.8 percent, found that new accounts were opened or other frauds were committed using their personal identifying information."
Press release: "With public concern over online fraud, new research, funded by the Economic and Social Research Council, has revealed that internet users will reveal more personal information online if they believe they can trust the organisation that requests the information. 'Even people who have previously demonstrated a high level of caution regarding online privacy will accept losses to their privacy if they trust the recipient of their personal information' says Dr Adam Joinson, who led the study. The findings of the study are vital for those aiming to create online services that pose a potential privacy threat, such as Government agencies involved in developing ID cards. The project found that even those people who declared themselves unconcerned about privacy would soon become opposed to ID cards if the way that they were asked for information made them feel that their privacy was threatened...56 percent of internet users stated that they have concerns about privacy when they are online. The central issue was whether websites were seen as particularly trustworthy - or untrustworthy - causing users to alter their behaviour. When a website is designed to look trustworthy, people are willing to accept privacy violations. But, the same actions by an untrustworthy site leads to people behaving in a much more guarded manner."
"...the Identity Theft Resource Center (ITRC) has been tracking security breaches for the past three years, looking for patterns, new trends and any information that may help us better protect data and assist companies in their activities...In 2006, there were in excess of 315 publicized breaches affecting nearly 20 million individuals. Based on ITRC’s categorization, the breaches break down as follows: 29% government/military agencies; 28% from educational institutions; 22% from general businesses; 13% from health care facilities / companies; and 8% from banking / credit / financial services entities. In 2005, there were 158 incidents affecting more than 64.8 million people."
DHS Leadership Journal: "DHS posts its System of Record Notices and Privacy Impact Assessments on our website. These documents inform the public what personal information the government is collecting; how it will be used and shared; what consent, access and redress rights the individual may have; how the information will be protected; and how compliance with these protections is audited. Privacy is enhanced by revealing what the government is doing, and security is enhanced by DHS supporting systems intended to protect the public."
US Courts: "New rules providing privacy protection for case files posted online in the federal district, bankruptcy and appellate courts are scheduled to take effect December 1, 2007. Some of the rules represent a change in Judicial Conference policy.
Meanwhile, a Judicial Conference committee is studying a related privacy issue: Whether courts should restrict Internet access to plea agreements in criminal cases, which may contain information identifying defendants who are cooperating with law enforcement investigations.
The new rules were proposed by the Judicial Conference in accordance with the E-Government Act of 2002, which requires that each court make publicly available online any document filed electronically. The rules require parties to redact certain personal information from each filing.
The Act required the Supreme Court to prescribe rules “to protect privacy and security concerns related to electronic filing of documents and the public availability...of documents filed electronically.”
The new privacy rules include Civil Procedure Rule 5.2, Criminal Rule 49.1 and Bankruptcy Rule 9037. Appellate Rule 25 was amended to incorporate the new privacy directive. The rules can be found at http://www.uscourts.gov/rules/congress0407.htm."
Engaging Privacy and Information Technology in a Digital Age, James Waldo, Herbert S. Lin, and Lynette I. Millett, Editors, Committee on Privacy in the Information Age, National Research Council.