News release: "CDT's Health Privacy Project released a paper advocating the need for stronger standards for "de-identified" personal health information when used for medical research, to promote public health, or other specialized purposes. The paper notes that stronger standards are needed to ensure the "de-identified" data cannot be re-identified in order to maintain patient privacy and build trust in the health care system. CDT's paper makes several policy recommendations on how to strengthen current de-identification standards found in the Health Insurance Portability and Accountability Act Privacy Act and increase the use of anonymized data for many health care purposes."
U.S. Department of Education, Office of Inspector General, Information Technology Audits Division - Incident Handling and Privacy Act Controls over External Web Sites, Final Audit Report, Redacted, ED-OIG/A11I0006, June 10, 2009.
"Corporate websites generally offer more innovative features than public-sector sites, largely because the private sector spends about a third more on websites, according to a Brookings Institution study, Comparing Technology Innovation in the Private and Public Sectors. The study, released in mid-June, compares the websites of leading U.S. corporations with state and national governments, grades their overall performance, and examines nearly two dozen features of digital innovation.
Using a 100-point scale, the study report concludes that corporations have the most innovative websites (65 points) and are trailed as a group by state government (54) and federal government (51). The top-rated site in the federal government category, USA.gov (92), equaled the score for the top-rated corporate site, WellsFargo.com. Other top-rated federal sites were USDA.gov, GSA.gov, USPS.com, IRS.gov, and ED.gov. Delaware.gov (83.7) was the top-rated state site, followed by the official websites of Georgia, Florida, California, Massachusetts and Maine. The report also revealed that public websites provide more security and are better at protecting privacy. Although federal government websites were the most accessible to users with disabilities, 75 percent of its websites were not completely accessible."
"The Federal Trade Commission today described its comprehensive efforts to combat identity theft before the U.S. House Subcommittee on Information Policy, Census, and National Archives of the Committee on Oversight and Government Reform. The FTC also recommended legislative remedies to enhance the effectiveness of these efforts. The testimony presented by Betsy Broder, Assistant Director of the FTC’s Division of Privacy and Identity Protection, highlighted the agency’s leadership role in developing a national strategy to combat identity theft as part of the President’s Identity Theft Task Force. The Task Force issued 31 recommendations that promoted an enhanced data security culture in the public and private sectors, launched victim assistance initiatives, and improved law enforcement’s ability to pursue and punish identity thieves."
Joshua Gomez, Travis Pinnick, and Ashkan Soltani, UC Berkeley, School of Information - KnowPrivacy - June 1, 2009
2009 Trust, Security & Passwords Survey Research Brief: "This global "snooping" survey is the third in a series of benchmark studies focused on identifying security and privacy trends among IT workers. Results are intended to raise awareness about the risks associated with powerful, and often unmanaged, privileged users and passwords. While seemingly innocuous, these accounts provide workers with "keys to the kingdom," allowing them to access critically sensitive information, no matter where it resides."
News release: "United States Customs and Border Protection (CBP) policy permits officials to search the laptops and other electronic devices of travelers without suspicion of wrongdoing, according to a Freedom of Information Act (FOIA) request filed today by the American Civil Liberties Union. The ACLU filed the FOIA request with CBP, a component of the Department of Homeland Security (DHS), to learn how CBP's suspicionless search policy, first made public in July 2008, is impacting the constitutional rights of international travelers."
Berkman Center for Internet & Society at Harvard University report: Enhancing Child Safety & Online Technologies: Final Report of the Internet Safety Technical Taskforce to the Multi-State Working Group on Social Networking of State Attorneys General of the United States in December of 2008.
News release: "A rogue Internet Service Provider that recruits, knowingly hosts, and actively participates in the distribution of spam, child pornography, and other harmful electronic content has been shut down by a district court judge at the request of the Federal Trade Commission. The ISP’s upstream providers and data centers have disconnected its servers from the Internet."
News release: "Terms of Service" policies on websites define how Internet businesses interact with you and use your personal information. But most web users don't read these policies -- or understand that the terms are constantly changing. To track these ever-evolving documents, the Electronic Frontier Foundation (EFF) is launching "TOSBack": a "terms of service" tracker for Facebook, Google, eBay, and other major websites...At www.TOSBack.org, you can see a real-time feed of changes and updates to more than three dozen policies from the Internet's most popular online services. Clicking on an update brings you to a side-by-side before-and-after comparison, highlighting what has been removed from the policy and what has been added."
Information Security and Privacy Advisory Board (ISPAB), Toward A 21st Century Framework for Federal Government Privacy Policy, May 2009
Government Technology: "University researchers have discovered vulnerabilities in NXP's MIFARE Classic card, which belongs to a family of smart cards with more than 1 billion units distributed worldwide. These smart cards are used to access buildings and public transportation systems. One example is the Oyster card, which Londoners use for citywide travel. Researchers from Radboud University in the Netherlands received the Best Practical Paper Award at the IEEE Symposium on Security and Privacy on Monday for their work demonstrating how to pickpocket the card wirelessly."
"EPIC announced a national campaign today to suspend the use of "Whole Body Imaging" -- devices that photograph American air travellers stripped naked in US airports. The campaign responds to a policy reversal by the TSA which would now make the "virtual strip search" mandatory, instead of voluntary as originally announced. EPIC and others say that there are inadequate safeguards to prevent the misuse of the images. They are asking Homeland Security Secretary Janet Napolitano to suspend the program and to allow for public comment. For more information, see EPIC's Backscatter X-ray, Whole Body Imaging page."
New York Times Magazine: "Today companies are focusing on those customers most likely to honor their debts. And they are looking for ways to convince existing cardholders that if they only have enough money to pay one bill, it’s wiser to pay off their credit card than, say, the phone. Put another way, credit-card companies are becoming much more interested in understanding their customers’ lives and psyches, because, the theory goes, knowing what makes cardholders tick will help firms determine who is a good bet and who should be shown the door as quickly as possible."
Follow up to May 14, 2009 posting, FTC Files Suit to Stop Illegal Robocalls Pushing Vehicle “Warranty Extensions" - "Today Judge John F. Grady of the United States District Court for the Northern District of Illinois issued a temporary restraining order stopping telemarketing company Voice Touch, Inc., its principals James and Maureen Dunne, its business partner Network Foundations LLC, and Network Foundations principal Damian Kohlfeld from making any further calls in violation of the Do Not Call Registry and other provisions of the Telemarketing Sales Rule and the FTC Act. The FTC filed the case yesterday, charging that the defendants were operating a massive telemarketing scheme that used random, pre-recorded phone calls to deceive consumers into thinking that their vehicle’s warranty is about to expire."
News release: "The Federal Trade Commission is asking a federal court to shut down a telemarketing campaign that has been bombarding U.S. consumers with hundreds of millions of allegedly deceptive “robocalls” in an effort to sell them vehicle service contracts under the guise that they are extensions of original vehicle warranties. In two related complaints filed in federal court, the Commission took action against both the promoter of the phony extended auto warranties, as well as the telemarketing company that it hired to carry out its illegal, deceptive campaign."
Review of the European Data Protection Directive, by Neil Robinson, Hans Graux, Maarten Botterman, Lorenzo Valeri
News release: "The Federal Trade Commission today testified on the Commission’s efforts to promote better security for sensitive consumer information and to prevent the inadvertent sharing of consumers’ personal or sensitive data over Peer-to-Peer Internet file-sharing networks. As part of these efforts, the agency also announced that it had reached an agreement with one of the largest privately held lenders in the United States to resolve charges that the company violated federal law by failing to provide reasonable security for consumers’ sensitive information. In testimony before the House Energy and Commerce Committee Subcommittee on Commerce, Trade and Consumer Protection, Acting Director of the Bureau of Consumer Protection Eileen Harrington said the agency strongly supports the goals of H.R. 2221, the Data Accountability and Trust Act, which would require companies to put reasonable data security policies and procedures in place, and to notify consumers when there has been a data security breach that affects them. The legislation also would give the Commission the authority to obtain civil penalties for violations."
"A total of 1,891 applications to federal and state judges for orders authorizing the interception of wire, oral or electronic communications were reported in 2008. No applications were denied. This is a 14 percent decrease in the total of applications reported, compared to 2007. Fewer states—22 states compared to 24 in 2007—reported wiretap activity and the number of applications approved by state judges, 1,505, was down 14 percent from 2007. Federal judges approved 386 applications, down 16 percent from 2007. Orders for 28 wiretaps were approved for which no wiretaps actually were installed. Additional data on applications for wiretaps for the period January 1 through December 31, 2008, is available online in the 2008 Wiretap Report."
New York Review of Books: The Need to Roll Back Presidential Power Grabs, By Arlen Specter, April 16, 2009
The Subcommittee on Communications, Technology, and the Internet held a hearing titled, Communications Networks and Consumer Privacy: Recent Developments on April 23, 2009. The hearing focused on technologies that network operators utilize to monitor consumer usage and how those technologies intersect with consumer privacy. The hearing explored three ways to monitor consumer usage on broadband and wireless networks: deep packet inspection (DPI); new uses for digital set-top boxes; and wireless Global Positioning System (GPS) tracking.
News release: "On April 17, 2009, HHS issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA). This guidance was developed through a joint effort by OCR, the Office of the National Coordinator for Health Information Technology (ONC), and the Centers for Medicare and Medicaid Services (CMS)."
F.B.I. and States Vastly Expand DNA Databases, by Solomon Moore: "Law enforcement officials are vastly expanding their collection of DNA to include millions more people who have been arrested or detained but not yet convicted. The move, intended to help solve more crimes, is raising concerns about the privacy of petty offenders and people who are presumed innocent. Until now, the federal government genetically tracked only convicts. But starting this month, the Federal Bureau of Investigation will join 15 states that collect DNA samples from those awaiting trial and will also collect DNA from detained immigrants — the vanguard of a growing class of genetic registrants. The F.B.I., with a DNA database of 6.7 million profiles, expects to accelerate its rate of growth from 80,000 new entries a year to 1.2 million by 2012 — a 17-fold increase. F.B.I. officials say they expect DNA processing backlogs — which now stand at more than 500,000 cases — to increase."
"The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a one-year period. It covers Internet threat activities, vulnerabilities, malicious code, phishing, spam and security risks as well as future trends. The fourteenth version of the report, released April 14, 2009, is now available."
"The Patient's Guide to HIPAA is the first comprehensive guide to medical privacy written expressly for patients with a practical eye as to how to use the law to protect privacy. It is a major privacy resource for patients, written directly and without legalese. The Patient's Guide to HIPAA is easy to navigate and digest; the guide is in the form of Frequently Asked Questions & Answers. All of the key points in HIPAA are included, from the 7 basic patient rights to how and when to get copies of health care records. Difficult situations that patients often encounter are included in the guide. The Patient's Guide to HIPAA was written by Robert Gellman, with assistance from Pam Dixon, John Fanning, and Dr. Lewis Lorton."
News release: "Organizations representing booksellers, librarians, publishers, and writers today launched the latest phase in their five-year campaign to restore the reader privacy safeguards that were stripped away by the USA Patriot Act. Since 2003, the Department of Justice has used its expanded power under the Patriot Act to issue more than 200 secret search orders under Section 215 and more than 190,000 National Security Letters (NSLs). Despite several efforts to reform the Patriot Act, the FBI can still search any records it believes are "relevant" to a terrorism investigation, including the records of people who are not suspected of criminal conduct."
Via EPIC: "A new study by leading scholars from the USA, Canada, UK, Netherlands and Italy has revealed that laws are reinforcing technology's ability to undermine the anonymity of citizens. The law reveals a preference for legislation requiring people to submit to identification and an increasing encroachment of rules into areas where there were previously no regulations prohibiting anonymity...The book is available for download under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Canada License, by chapter..."
Treasury Inspector General for Tax Administration, Progress Has Been Slow in Implementing Federal Security Configurations on Employee Computers, March 27, 2009, Reference Number: 2009-20-055
CDT: "A cybersecurity bill introduced April 01, 2009 in the Senate would give the federal government extraordinary power over private sector Internet services, applications and software. The Cybersecurity Act of 2009 would, for example, give the President unfettered power to shut down Internet traffic in emergencies or disconnect any critical infrastructure system or network on national security grounds. The bill would grant the Commerce Department the ability to override all privacy laws to access any information about Internet usage in connection with a new role in tracking cybersecurity threats. The bill, introduced by Sens. John Rockefeller and Olympia Snowe, would also give the government unprecedented control over computer software and Internet services, threatening innovation, freedom and privacy. CDT President and CEO Leslie Harris said, "The cybersecurity threat is real, but such a drastic federal intervention in private communications technology and networks could harm both security and privacy."
"The Federal Trade Commission has launched a Web site to help entities covered by the Red Flags Rule design and implement identity theft prevention programs. The Rule requires “creditors” and “financial institutions” to develop written programs to identify the warning signs of ID theft, spot them when they occur, and take appropriate steps to respond to those warning “red flags.”"
WSJ: "Protests over [traffic] cameras aren't new, but they appear to be rising in tandem with the effort to install more. Suppliers estimate that there are now slightly over 3,000 red-light and speed cameras in operation in the U.S., up from about 2,500 a year ago. The Insurance Institute for Highway Safety says that at the end of last year, 345 U.S. jurisdictions were using red-light cameras, up from 243 in 2007 and 155 in 2006. One traffic-cam seller, Arizona-based American Traffic Solutions Inc., recently reported it had installed its 1,000th camera, with 500 more under contract in 140 cities and towns. Rival Redflex Holdings Ltd. says it had 1,494 cameras in operation in 21 states at the end of 2008, and expects to top 1,700 by the end of this year."
Database State, Executive Summary and Full Report - By Ross Anderson, Ian Brown, Terri Dowty, Philip Inglesant, William Heath, Angela Sasse, Foundation for Information Policy Research (March 2009)
News release: "The American Civil Liberties Union released a comprehensive report today examining widespread abuses that have occurred under the USA Patriot Act, a law that was rushed through Congress just 45 days after September 11. In the almost eight years since the passage of the controversial national security law, the Patriot Act has led to egregious government misconduct."
Unclassified: Office of the Director of National Intelligence Data Mining Report, 15 February 2008.
Identity Theft Resource Center, 2009 Breach List, 3/3/2009 - Breaches: 89 Exposed: 1,140,146.
The Electronic Frontier Foundation (EFF) launched its Surveillance Self-Defense project today -- an online how-to guide for protecting your private data against government spying. EFF created the Surveillance Self-Defense site to educate Americans about the law and technology of communications surveillance and computer searches and seizures, and to provide the information and tools necessary to keep their private data out of the government's hands. The guide includes tips on assessing the security risks to your personal computer files and communications, strategies for interacting with law enforcement, and articles on specific defensive technologies such as encryption that can help protect the privacy of your data."
EPIC: "Homeland Security Secretary Janet Napolitano testified before the House Committees on Homeland Security, and said that DHS plans to connect governmental databases containing personal information, expand the government's employment tracking system, promote passenger screening, use e-passports, employ watchlists and utilize contactless identity verification cards. EPIC has opposed Fusion Centers, the E-Verify program and the use of Backscatter X-Ray devices. EPIC has also objected to the use of RFIDs in passports, in Air Travel and in driver's licences."
News release: "Federal Trade Commission staff...issued a report describing its ongoing examination of online behavioral advertising and setting forth revisions to proposed principles to govern self-regulatory efforts in this area. The key issue concerns how online advertisers can best protect consumers’ privacy while collecting information about their online activities...The report discusses the potential benefits of behavioral advertising to consumers, including the free online content that advertising generally supports and personalization that many consumers appear to value. It also discusses the privacy concerns that the practice raises, including the invisibility of the data collection to consumers and the risk that the information collected – including sensitive information regarding health, finances, or children – could fall into the wrong hands or be used for unanticipated purposes. Consistent with the FTC’s overall approach to consumer privacy, the report seeks to balance the potential benefits of behavioral advertising against the privacy concerns it raises, and to encourage privacy protections while maintaining a competitive marketplace."
News release: "President Obama has directed the National Security and Homeland Security Advisors to conduct an immediate review of the plan, programs, and activities underway throughout the government dedicated to cyber security. This 60-day interagency review will develop a strategic framework to ensure that U.S. Government cyber security initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector. "The national security and economic health of the United States depend on the security, stability, and integrity of our Nation’s cyberspace, both in the public and private sectors. The President is confident that we can protect our nation’s critical cyber infrastructure while at the same time adhering to the rule of law and safeguarding privacy rights and civil liberties," said Assistant to the President for Counterterrorism and Homeland Security John Brennan. Melissa Hathaway, who has served as Cyber coordination Executive to the Director of National Intelligence, will lead the review and will serve as Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils during the review period."
News release: "...experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale. The impact of these errors is far reaching. Just two of them led to more than 1.5 million web site security breaches during 2008 - and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies."
The Top 25 Errors are listed below in three categories:
"Center for Democracy and Technology (CDT) released a new assessment tool to help online advertising companies develop strong, appropriate privacy protections for the users they serve. Released to coincide with Data Privacy Day 2009, the Threshold Analysis for Online Advertising Practices, is the result of extensive consultation among CDT, Internet companies and public interest advocates. It notes a series of simple tests companies can use to determine whether online advertising activities may trigger the need for additional privacy protections. The document also provides suggestions on how companies can begin putting those protections in place."
"The American Recovery and Reinvestment Act of 2009, adopted by the House this week, includes strong privacy provisions ("Subtitle D - Privacy") for the proposed medical health network. Among the key provisions: a ban on the sale of health information, audit trails, encryption, rights of access, improved enforcement mechanisms, and support for advocacy groups to participate in the regulatory process. Patient Privacy Rights has expressed support for the legislation. A similar bill, S. 336, is pending in the Senate. Senator Leahy has called for strong safeguards to protect America's health privacy. For more information, see EPIC's page on Medical Privacy."
Intel: "On January 28, 2009, the United States, Canada, and 27 European countries will celebrate Data Privacy Day together for the second time. Designed to raise awareness and generate discussion about data privacy practices and rights, Data Privacy Day activities in the United States have included privacy professionals, corporations, government officials, and representatives, academics, and students across the country. One of the primary goals of Data Privacy Day is to promote privacy awareness and education among teens across the United States. Data Privacy Day also serves the important purpose of furthering international collaboration and cooperation around privacy issues."
News release: "CDT today released a major policy paper intended to move the health privacy debate from its outdated focus on patient consent to a comprehensive framework that will provide more effective privacy protection. CDT is advocating for the inclusion of privacy protections in the President's economic stimulus bill, which contains at least $20 billion for a national health information technology network. CDT's paper argues that personal health information should easily flow for treatment, payment, and certain core administrative tasks without requiring patient consent, but that stricter limits need to be placed on marketing and other secondary uses."
"The IRS does not initiate communication with taxpayers through e-mail. Before identity theft happens, safeguard your information...IRS Identity Protection Specialized Unit, toll-free at 1-800-908-4490."
Final Report of the Internet Safety Technical Task Force to the Multi-State Working Group on Social Networking of State Attorneys General of the United States, Published January 14, 2009: "The Internet Safety Technical Task Force was created in February 2008 in accordance with the Joint Statement on Key Principles of Social Networking Safety announced in January 2008 by the Attorneys General Multi-State Working Group on Social Networking and MySpace. The scope of the Task Force's inquiry was to consider those technologies that industry and end users - including parents - can use to help keep minors safer on the Internet."
News release: "The Federal Financial Institutions Examination Council (FFIEC) issued guidance today for examiners, financial institutions, and technology service providers to identify risks, evaluate controls, and assess risk management practices related to remote deposit capture (RDC) systems. RDC enables customers to make deposits from their homes or businesses instead of taking the deposits to their financial institutions. Digital information captured at the home or business is transmitted to the financial institution or its service provider for clearing and settlement. Financial institutions might also use RDC in their branches and automated teller machines (ATMs) to facilitate deposit processing. When properly managed, RDC can reduce processing costs, support new and existing products by financial institutions, and accelerate the availability of customers’ funds. However, RDC also introduces new risks and increases existing risks in processing deposits originated by an institution’s commercial or retail customers, or by customers of other financial institutions domestically and abroad."
Nextgov: "The FBI released on [January 13, 2009] a detailed study of the advancement of different kinds of biometrics -- from fingerprints to ear scans -- to lay out how the bureau might pursue the identification of individuals in the future."
News release: "Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center's 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446. In terms of sub-divisions by type of entity, the rankings have not changed between 2007 and 2008 within the five groups that ITRC monitors. The financial, banking and credit industries have remained the most proactive groups in terms of data protection over all three years. The Government/Military category has dropped nearly 50% since 2006, moving from the highest number of breaches to the third highest."
Privacy Policy Guidance Memorandum 2008-01, The Fair Information Practice Principles: Framework for Privacy Policy at the Department of Homeland Security, December 29, 2008.
"The U.S. Department of Justice’s Global Justice Information Sharing Initiative (Global) has released a booklet highlighting key efforts supported by Global, including the vigilant preservation of privacy and civil liberties; fusion center partnerships; securing exchanged data and networks; and harnessing the power of the latest innovations so that new technology and standardized languages knock down barriers to information sharing."
News release: "The federal bank, credit union, and thrift regulatory agencies today announced publication of a revised identity theft brochure – You Have the Power to Stop Identity Theft – to assist consumers in preventing and resolving identity theft. The updated brochure focuses primarily on Internet "phishing" by describing how phishing works, offering ways to protect against identity theft, and detailing steps to follow for victims of identity theft. The brochure includes contact information for three major credit bureaus, where to report suspicious e-mails, and where to access additional information."
The Role of the United States Postal Service in Public Safety and Security - Implications of Relaxing the Mailbox Monopoly, By Lois M. Davis et al.
"Thirty privacy, consumer, and civil liberties organizations sent a letter to President-elect Barack Obama on the importance of protecting privacy in the next administration. The organizations support the incoming president’s expressed on privacy, consumer rights, and civil liberties. President-elect Obama stated support for strengthening of privacy protection by harnessing the power of technology to hold government and businesses accountable for violations of personal privacy. The coalition said that “[t]here is a clear need to address the spiraling problems of identity theft, security breaches, and the commercialization of personal information.” For more information visit EPIC’s A-Z Privacy Page."
CDT: "HHS Secretary Leavitt announced new key privacy principles for electronic health information exchange. In addition, HHS’s Office of Civil Rights published new HIPAA Privacy Rule guidance, which provides important clarifying information on how the Privacy Rule governs covered entities engaged in electronic health information exchange. For example, it clarifies when covered entities must enter into business associate agreements with health information exchanges; it also makes clear that HIPAA Privacy and Security Rules cover consumer personal health records offered by covered entities. However, the guidance merely encourages the adoption of stronger privacy and security policies consistent with the new principles. CDT calls on Congress and the new Administration to implement a comprehensive, enforceable framework of protections for personal health information that builds public trust and facilitates widespread adoption of health IT."
News release: "The Federal Trade Commission issued a report today recommending five measures to help prevent Social Security numbers from being used for identity theft. Principal among the report’s recommendations is that Congress consider taking action to strengthen the procedures that private-sector organizations use to authenticate their customers’ identities...The FTC report states that adopting nationwide standards for how businesses and other organizations verify the identity of new and existing customers would make it harder for identity thieves to use SSNs and other stolen information to consummate their fraud...The FTC report also recommends that steps be taken to reduce the unnecessary display and transmission of SSNs, but noted that such restrictions must be approached carefully. A number of important functions in the U.S. economy depend on use of and access to SSNs, and the report concluded that overly restrictive attempts to limit the availability of SSNs could unintentionally curtail those functions. Finally, the report recommends steps to improve data security, increase outreach to consumers and businesses on the protection of SSNs, and enhance coordination and information-sharing among organizations that routinely use SSNs."
Press release: "Today, Yahoo! Inc. announced a new global data retention policy that sets an industry-leading approach to user data privacy. This new policy strengthens Yahoo!'s relationship of trust with its 500 million users world-wide and enhances its longtime leadership on privacy. Under the new policy, Yahoo! will anonymize user log data within 90 days with limited exceptions for fraud, security and legal obligations. Yahoo! will also expand the policy to apply not only to search log data but also page views, page clicks, ad views and ad clicks."
2008 Network Advertising Initiative Principles: "Through the present 2008 revision to the NAI’s Self-Regulatory Code of Conduct, NAI members continue their commitment to respect appropriate fair information practices adapted for this medium and to their business models, maintaining self-regulation with respect to notice, choice, use limitation, access, reliability and security."
News release: "Privacy and information security research company Ponemon Institute along with TRUSTe, the most widely recognized Internet privacy trustmark, today announced the results of the Ponemon Institute’s fifth annual survey of Most Trusted Companies for Privacy. The study asked 6,486 adult-aged U.S. consumers which companies they thought were most trustworthy and which did the best job safeguarding personal information. A total of 706 companies were named by consumers; 211 made the final list of most trusted companies. American Express ranked as the Most Trusted Company for 2008 for Privacy, retaining its place from last year despite the current financial climate. eBay earned a ranking as the second most trusted company, while IBM, Amazon, and Johnson & Johnson rounded out the top five. While the financial services sector slipped amid industry-wide woes, the technology sector showed marked improvement as eBay, Apple, Yahoo, Microsoft, and HP all bettered previous rankings. Also of note, Facebook moved into the top 20 for the first time, signifying an increased trust in social networking as a mainstream communications tool."
Follow up to previous postings on recovering data from discarded or resold computers and their hard drives, from the FTC: "Computers are a popular gift during the holiday season. People with a new computer often wonder about the best way to get rid of the old one. OnGuardOnline.gov, the computer safety Web site managed by the Federal Trade Commission, has some tips to make this task easier – and more secure. Passwords, health information, and other sensitive personal data should be saved elsewhere and erased off the old computer. This protects consumers’ privacy and safeguards them from identity theft. People who use their computers for work should check with their employers regarding the legal requirements businesses must comply with to secure and dispose of data. To learn more, including how to save and erase data, see Computer Disposal."
"The Center for Democracy and Technology (CDT) today released a series of papers [Transition Materials for President Obama] that outline Internet policy proposals for President-elect Obama's Transition Team in the areas of security and civil liberties; preserving free speech on the Internet; keeping the Internet an open platform; protection of consumer privacy; and promoting open government. The 2-3 page memos provide a concise overview of the issues and recommend practical, achievable actions the new administration can take to keep the Internet open, innovative and free. The Internet played an integral part in this election, making it the most participatory in history. CDT believes the Internet can play an equally critical role in other areas, including health care, economic development and education, given the right government policies."
White House Fact Sheet: Transforming Our Armed Forces To Face The Threats Of Today And Tomorrow - "Following the attacks of 9/11, President Bush strengthened and reshaped our approach to national security. To harden our defense, President Bush: Created the Department of Homeland Security; Provided national security professionals with vital new tools like the Patriot Act and a program to monitor terrorist communications; Reorganized the intelligence community to better meet the needs of the war on terror; Deployed aggressive financial measures to freeze terrorist assets; and Launched diplomatic initiatives to pressure adversaries and attract new partners to our cause."
2008 Report to Congress - Data Mining: Technology and Policy, The DHS Privacy Office, December 2008
You’re Leaving a Digital Trail. What About Privacy? by John Markoff: "Propelled by new technologies and the Internet’s steady incursion into every nook and cranny of life, collective intelligence offers powerful capabilities, from improving the efficiency of advertising to giving community groups new ways to organize. But even its practitioners acknowledge that, if misused, collective intelligence tools could create an Orwellian future on a level Big Brother could only dream of. Collective intelligence could make it possible for insurance companies, for example, to use behavioral data to covertly identify people suffering from a particular disease and deny them insurance coverage. Similarly, the government or law enforcement agencies could identify members of a protest group by tracking social networks revealed by the new technology."
Handbook for Safeguarding Sensitive Personally Identifiable Information at DHS, October 2008 (PDF, 19 pages): "The DHS Privacy Office Handbook for Safeguarding Sensitive PII at DHS applies to every DHS employee, contractor, detailee and consultant. The document sets minimum standards for how personnel should handle Sensitive PII in paper and electronic form during their everyday work activities at DHS."
"The Privacy Act Issuances contain descriptions of Federal agency systems of records maintained on individuals and rules agencies follow to assist individuals who request information about their records. The two sources of Privacy Act Notices are: the Privacy Act Issuances (Compilations 1995-Forward) and the Federal Register which has updates to the most recent Compilation."
The Future of Privacy Forum Agenda for Consumers and Businesses [See also: About the Forum]
"Following an EPIC complaint, a federal court has ordered CyberSpy Software to stop selling malicious computer software. In March, EPIC filed a complaint with the Federal Trade Commission alleging that the spyware purveyor engages in unfair and deceptive practices by: (1) promoting illegal surveillance; (2) encouraging "Trojan Horse" email attacks; and (3) failing to warn customers of the legal dangers arising from misuse of the software. The federal regulators agreed, and asked the court for a permanent injunction barring sales of CyberSpy's "stalker spyware," over the counter surveillance technology sold for individuals to spy on other individuals. The court entered a temporary restraining order on November 6, 2008. Further litigation is expected before the court rules on the government's request for a permanent ban. For more information, see EPIC's Personal Surveillance Technologies page and Domestic Violence and Privacy page."
Online Threats to Youth: Solicitation, Harassment, and Problematic Content, Literature Review by the Research Advisory Board of the Internet Safety Technical Task Force, Andrew Schrock and Danah Boyd, Berkman Center for Internet & Society, Harvard University, Draft Version. November 14, 2008
Washington Post: "Armed with millions of e-mail addresses and a political operation that harnessed the Internet like no campaign before it, Barack Obama will enter the White House with the opportunity to create the first truly "wired" presidency. Obama aides and allies are preparing a major expansion of the White House communications operation, enabling them to reach out directly to the supporters they have collected over 21 months without having to go through the mainstream media."
News release: "The total number of breaches on the Identity Theft Resource Center’s 2008 breach list surpassed the final total of 446 reported in 2007, more than 4 months before the end of 2008. As of 9:30 a.m. August 22nd, the number of confirmed data breaches in 2008 stood at 449. The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events. In the last few months, two subcontractors became examples of these “multiple” events. In one case, the customers and/or employees of at least 20 entities were affected by a breach that the ITRC reported as a single breach event."
News release: "The Commission has approved the Report to Congress Under the Do Not Call Improvement Act of 2007 (2007 DNCIA) [Pub. L. No. 110-187, 122 Stat. 633 (2008)], signed into law on February 15, 2008. The report, which is mandated under the 2007 DNCIA, contains information on the Commission’s efforts to improve the accuracy of the National Do Not Call Registry. The report details the efforts that the FTC has taken in the nine months since the 2007 DNCIA was signed into law and describes the new procedure that will be used to remove disconnected and reassigned numbers from the National Registry."
"The 2008 International Mobility & Trade Corridor Project (IMTC) Passenger Intercept Survey was conducted to assess characteristics of cross-border travel in the Cascade Gateway and provide that information to regional and federal public and private agencies. Information includes who crosses the border, for what purposes, origins and destinations, trip frequency, and other details of cross-border travel. These data can be compared to matching information collected by IMTC in the year 2000 to see how cross-border travel demand has changed over the last seven years. [To complete this survey, the Whatcom Council of Governments (WCOG) and the Border Policy Research Institute (BPRI) at Western Washington University undertook a passenger origin-destination survey at all four Cascade Gateway border crossings.]"
"In EPIC v. DOJ, EPIC, the ACLU, and the National Security Archive are seeking government documents regarding the President's warrantless wiretapping program. Today, a federal court ordered the Department of Justice to provide for inspection copies of legal memos authored by government lawyers. The opinions, prepared by the Office of Legal Counsel, provided the legal basis for the President to wiretap US citizens in the United States without court approval. EPIC began the Freedom of Information Act lawsuit in December 2005, after the New York Times first reported the details of the wiretap program. For more information, see EPIC's EPIC v. DOJ page. (Oct. 31)"
"Today a diverse coalition of leading Internet companies, major human rights and free press organizations, investors and academics launched the Global Network Initiative to protect and advance freedom of expression and privacy in information and communications technologies. CDT and Business for Social Responsibility co-facilitated an 18-month effort by these groups to craft the key documents underlying this effort. The documents provide guidance for companies, NGOs, investors, academics and others working together to resist efforts by governments that seek to enlist companies in acts of censorship and surveillance that violate international standards. The documents also provide specific implementation commitments and outline a framework for accountability and learning."
DHS Issues Supplemental Final Rule with Guidance For Employers Who Receive Social Security 'No-Match' Letters: "Secretary Chertoff announced the issuance of the No-Match Supplemental Final Rule, which provides guidance to help businesses comply with legal requirements intended to reduce illegal employment of unauthorized workers, in his quarterly State of the Border address. The Secretary also outlined comprehensive efforts to secure the border, enforce national immigration laws, improve temporary worker programs, and legal migration."
Office of Science and Technology Policy (OSTP) in the Executive Office of the President, Biometrics in Government Post-9/11, released September 2008: This report summarizes the research, applications and operation of the U.S. government's biometric systems since 2001.
Office of Science and Technology Policy (OSTP) in the Executive Office of the President - Identity Management Task Force Report 2008, released September 2008
News release: "The U.S. Department of Homeland Security (DHS) today announced the issuance of the Secure Flight Final Rule, which shifts pre-departure watch list matching responsibilities from individual aircraft operators to the Transportation Security Administration (TSA) and carries out a key recommendation of the 9/11 Commission. By bringing watch list matching responsibilities in-house, TSA can better remedy possible misidentifications when a traveler's name is similar to one found on a watch list."
News release: "Attorney General Michael B. Mukasey and Federal Trade Commission Chairman William E. Kovacic announced today the release of a report from the President’s Identity Theft Task Force on progress the federal government has made in addressing identity theft since the Task Force’s Strategic Plan was released last year. Highlights of the report include expansion of the Task Force’s data security and identity theft business and consumer education campaigns; exploring means of improving consumer authentication processes to prevent the use of stolen information to commit identity theft; launching new initiatives to help identity theft victims recover; and improving law enforcement tools to investigate and prosecute identity thieves."
News release: "In keeping with the Patrick Administration’s commitment to protecting consumers, the Office of Consumer Affairs and Business Regulation (OCABR) last Friday issued a comprehensive set of final regulations establishing standards for how businesses protect and store consumers’ personal information. Additionally, Governor Patrick has signed an executive order requiring all state agencies to immediately take steps to implement security measures consistent with the requirements established by OCABR's regulations for private companies. The order calls for the adoption of uniform standards across government that protect the integrity of personal information and further the objectives of the identity theft prevention law."
FOX News: "The World Bank Group's computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News has learned. It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July. In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.
In a frantic midnight e-mail to colleagues, the bank's senior technology manager referred to the situation as an "unprecedented crisis." In fact, it may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public."
News release: "Online scammers are taking advantage of tough economic times. While e-mails phishing for sensitive data are nothing new, scammers are taking advantage of upheavals in the financial marketplace to confuse consumers into parting with valuable personal information. The Federal Trade Commission urges caution regarding e-mails that look as if they come from a financial institution that recently acquired a consumer’s bank, savings and loan, or mortgage. In fact, these messages may be from “phishers” looking to use personal information – account numbers, passwords, Social Security numbers – to run up bills or commit other crimes in a consumer’s name. Consumers are warned not to take the bait. The FTC has advice about how to stay on guard against this type of scam. To learn more, see the consumer alert Bank Failures, Mergers and Takeovers: A ‘Phish-erman’s Special."
News release: "All U.S. agencies with counterterrorism programs that collect or "mine" personal data -- such as phone, medical, and travel records or Web sites visited -- should be required to systematically evaluate the programs' effectiveness, lawfulness, and impacts on privacy, says a new report from the National Research Council. Both classified and unclassified programs should be evaluated before they are set in motion and regularly thereafter for as long as they are in use, says the report. It offers a framework agencies can use to assess programs, including existing ones. The report also says that Congress should re-examine existing law to assess how privacy can be protected in such programs, and should consider restricting how personal data are used. And it recommends that any individuals harmed by violations of privacy be given a meaningful form of redress."
Senate Committee on Commerce, Science, and Transportation - Hearing on: Broadband Providers and Consumer Privacy, September 25, 2008
Follow up to previous postings on the government's domestic surveillance program, today news that "The Electronic Frontier Foundation (EFF) filed a lawsuit [full complaint in Jewel v. NSA] against the National Security Agency (NSA) and other government agencies today on behalf of AT&T customers to stop the illegal, unconstitutional, and ongoing dragnet surveillance of their communications and communications records. The five individual plaintiffs are also suing President George W. Bush, Vice President Dick Cheney, Cheney's chief of staff David Addington, former Attorney General and White House Counsel Alberto Gonzales and other individuals who ordered or participated in the warrantless domestic surveillance."
House Committee on the Judiciary - Oversight Hearing on: The Federal Bureau of Investigation, September 16, 2008
News release: "The Federal Trade Commission today issued a complaint charging that Reed Elsevier Inc.’s (Reed Elsevier) proposed $4.1 billion acquisition of ChoicePoint Inc. (ChoicePoint) would be anticompetitive and in violation of the antitrust laws, as it would combine the two largest providers of electronic public record services to U.S. law enforcement customers.
To eliminate the anticompetitive effects of the proposed acquisition, the FTC will require Reed Elsevier to divest assets related to ChoicePoint’s AutoTrackXP and Consolidated Lead Evaluation and Reporting (CLEAR) electronic public records services to Thomson Reuters Legal Inc., within 15 days after the proposed acquisition is consummated.
Through its LexisNexis division, Reed Elsevier provides electronic public records services to law enforcement customers in direct competition with ChoicePoint’s AutoTrackXP and recently, ChoicePoint’s CLEAR, a new and advanced electronic public records service. Together, the two firms account for over 80 percent of the approximately $60 million U.S. market for the sale of electronic public records services to law enforcement customers."
Official Google Blog: "we're announcing a new logs retention policy: we'll anonymize IP addresses on our server logs after 9 months. We're significantly shortening our previous 18-month retention policy to address regulatory concerns and to take another step to improve privacy for our users."
Cyber Security Tip ST05-018 - Understanding Voice over Internet Protocol (VoIP): "Because VoIP relies on your internet connection, it may be vulnerable to any threats and problems that face your computer. The technology is still new, so there is some controversy about the potential for attack, but VoIP could make your telephone vulnerable to viruses and other malicious code. Attackers may be able to perform activities such as intercepting your communications, eavesdropping, conducting effective phishing attacks by manipulating your caller ID, and causing your service to crash. Activities that consume a large amount of network resources, like large file downloads, online gaming, and streaming multimedia, will also affect your VoIP service."
News release: "Today, the total number of breaches on the Identity Theft Resource Center’s (ITRC) 2008 breach list surpassed the final total of 446 reported in 2007, more than 4 months before the end of 2008. As of 9:30 a.m. August 22nd, the number of confirmed data breaches in 2008 stood at 449. The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events. In the last few months, two subcontractors became examples of these “multiple” events. In one case, the customers and/or employees of at least 20 entities were affected by a breach that the ITRC reported as a single breach event....Breaches: 449 Exposed: 22,091,338."
The Third Branch: "To protect the privacy of litigants, the Federal Rules of Practice and Procedure require that certain personal data identifiers be modified or partially redacted from federal court case files. These identifiers are Social Security numbers, dates of birth, financial account numbers, and names of minor children, and in criminal cases, also home addresses. In all cases, it is the responsibility of the attorney and the parties in the case to redact personal identifiers...
Many courts, such as the District of Arizona and the Northern District of California, have posted information to their websites on effective redaction techniques. For a look at their tips, visit their websites at: https://ecf.cand.uscourts.gov/cand/faq/tips/redacting.htm or http://www.azd.uscourts.gov/azd/cm-ecf.nsf/docview/files/$file/redaction.pdf"
Surveillance made easy, NewScientist.com news service, Laura Margottini: "This data allows investigators to identify suspects, examine their contacts, establish relationships between conspirators and place them in a specific location at a certain time."
So said the UK Home Office last week as it announced plans to give law-enforcement agencies, local councils and other public bodies access to the details of people's text messages, emails and internet activity. The move followed its announcement in May that it was considering creating a massive central database to store all this data, as a tool to help the security services tackle crime and terrorism."
News release: "Secretary Chertoff spoke on the balance between privacy and secure identity August 13 at the University of Southern California National Center for Risk and Economic Analysis of Terrorism Events. He addressed crimes involving identity theft, and talked about identity validation and authentication, the associated financial costs, the effect on illegal workers, the universe of tools available for identity management, and possible solutions that address the concerns of privacy advocates."
News release: "State attorneys general received thousands of consumer complaints of online fraud and abuse in 2006 and 2007 and yet, with the exception of several notable standouts, brought few significant cases in response, according to a report released today from the Center for American Progress and the Center for Democracy and Technology, Online Consumers at Risk and the Role of State Attorneys General."
"As personal information becomes more widely available on blogs, MySpace, Facebook and other social networking Web sites, the Internet has become an important tool for jury consultants and trial lawyers. Such sites are a treasure trove of information about potential and seated jurors that can be used in picking the right jurors, bouncing potential jurors and even influencing jurors during trial and in closing arguments. Jury consultants have begun turning to private investigators, some of whom have started niche businesses offering Internet jury research and "personality profiling" of jurors." [National Law Journal, August 11, 2008 - subscription req'd]
"The Federal Bureau of Investigation said Friday that it had improperly obtained the phone records of reporters for The New York Times and The Washington Post in the newspapers’ Indonesia bureaus in 2004. Robert S. Mueller III, director of the F.B.I., disclosed the episode in a phone call to Bill Keller, the executive editor of The Times, and apologized for it. He also spoke with Leonard Downie Jr., the executive editor of The Washington Post, to apologize." [Link]
"In a July 31 amicus brief filed in a federal court in Pennsylvania, the Electronic Frontier Foundation, joined by CDT, ACLU and the ACLU of Pennsylvania, argued that cell phone location information is protected by the Fourth Amendment. The brief argues that a court should require the government to obtain a warrant based on probable cause in order to gain access to cell site location information stored by a cell phone company."
DOJ: Special Report to Congress on Implementation of Section 1001 of the USA PATRIOT Act, August 2008: "Section 1001 of the USA PATRIOT Act (Patriot Act), Public Law 107-56, directs the Office of the Inspector General (OIG) of the U.S. Department of Justice (DOJ or Department) to undertake a series of actions related to claims of civil rights or civil liberties violations allegedly committed by DOJ employees. It also requires the OIG to provide semiannual reports to Congress on the implementation of the OIG’s responsibilities under Section 1001. This report – the thirteenth since enactment of the legislation in October 2001 – summarizes the OIG’s Section 1001-related activities from January 1, 2008, through June 30, 2008."
News release: "Eleven perpetrators allegedly involved in the hacking of nine major U.S. retailers and the theft and sale of more than 40 million credit and debit card numbers have been charged with numerous crimes, including conspiracy, computer intrusion, fraud and identity theft, Attorney General Michael B. Mukasey, U.S. Attorney for the District of Massachusetts Michael J. Sullivan, U.S. Attorney for the Southern District of California Karen P. Hewitt, U.S. Attorney for the Eastern District of New York Benton J. Campbell and U.S. Secret Service Director Mark Sullivan announced today. The scheme is believed to constitute the largest hacking and identity theft case ever prosecuted by the Department of Justice."
EPIC: "Senior members of Congress have requested details of Internet companies' efforts to spy on their customers. The 33 targeted Internet companies, including AT&T, Time Warner, Microsoft, and Google, may be tracking the activities of Internet users. Congressman Edward J. Markey warned that "new technologies, such as ‘deep packet inspection' technologies, have the ability to track every single website that a consumer visits while surfing the Web." Charter Communications and Embarq previously came under fire for monitoring Internet users and suspended their activities. Members of Congress have now turned their attention to the leading telcos and Internet firms. For more information, see EPIC's page on Deep Packet Inspection and Privacy."
"1.1 Goals. The United States intelligence effort shall provide the President, the National Security Council, and the Homeland Security Council with the necessary information on which to base decisions concerning the development and conduct of foreign, defense, and economic policies, and the protection of United States national interests from foreign security threats. All departments and agencies shall cooperate fully to fulfill this goal."
"I would say at the outset that this is an exceptionally complex executive order...It's a foundational document for the intelligence community...It has a daily and significant impact on the activities of the intelligence community and the relationships in that important community. At the highest level, of course, the aim here is to create a more effective intelligence community, where these 16 agencies can be better integrated, work more collaboratively with one another, and also share more information freely."
Follow up to March 27, 2008 posting, FTC Announces Settlement of Action Against Data Brokers Reed Elsevier and Seisint for Failing to Provide Adequate Security for Consumers' Data, this August 1, 2008 FTC news release: "Following a public comment period, the Commission has approved the issuance of a final consent order and authorized the staff to respond to the commenters of record In The Matter of The TJX Companies, Inc...[and] In The Matter of Reed Elsevier Inc. and Seisint, Inc."
Related from EPIC: "The settlements arose from data breaches, which exposed the sensitive personal information of over 500,000 consumers and resulted in millions of dollars in financial fraud. Earlier this year, EPIC filed comments with the FTC urging the Commission to include civil penalties in the settlements. EPIC wrote that civil penalties are necessary to provide incentives for companies to safeguard personal data. EPIC also noted that the FTC imposed $10 million in civil penalties in the Choicepoint case. The final agreements impose security and audit responsibilities, but no financial penalties."
RE: Formal Complaint of Free Press and Public Knowledge Against Comcast Corporation for Secretly Degrading Peer-to-Peer Applications; Broadband Industry Practices, Petition of Free Press et al. for Declaratory Ruling that Degrading an Internet Application Violates the FCC’s Internet Policy Statement and Does Not Meet an Exception for “Reasonable Network Management,” File No. EB-08-IH-1518, WC Docket No. 07-52, Memorandum Opinion and Order.
News release: "Comcast Corp.’s management of its broadband Internet networks contravenes federal policies that protect the vibrant and open nature of the Internet, the Federal Communications Commission found [August 1, 2008]. Ruling on a complaint by Free Press and Public Knowledge as well as a petition for declaratory ruling, the Commission concluded that Comcast has unduly interfered with Internet users’ right to access the lawful Internet content and to use the applications of their choice. Specifically, the Commission found that Comcast had deployed equipment throughout its network to monitor the content of its customers’ Internet connections and selectively block specific types of connections known as peer-to-peer connections.
...The Commission’s action today is the result of an exhaustive examination of conduct that was first brought to light by Comcast subscribers who noticed that they had problems using peer-to-peer applications, such as BitTorrent, over their Comcast broadband connections...The Commission’s extensive investigation into this matter – which included two public hearings, substantial input from experts, and thousands of comments from companies, organizations, and the public at large – confirms that Comcast’s interference is far more invasive and widespread than the company first conceded."
Related news from the Electronic Frontier Foundation (EFF): "Hours before the Federal Communications Commission (FCC) is expected to take action against Comcast for violating the FCC's net neutrality principles, the Electronic Frontier Foundation (EFF) is releasing "Switzerland," a software tool for customers to test the integrity of their Internet communications."
Commentary: Immunity for Telecom Eavesdropping - Beth Wellington's commentary tracks the legislative path of retroactive immunity for telecom eavesdropping. Published July 30, 2008.
D-2008-114 Accountability for Defense Security Service Assets With Personally Identifiable Information, July 24, 2008 (Project No. D2007-D000LC-00042.000)
Evidence on the Costs and Benefits of Health Information Technology
July 24, 2008 - Testimony before the Subcommittee on Health, Committee on Ways and Means, U.S. House of Representatives.
M-08-21, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 14, 2008) (43 pages)
"EPIC testified before the Senate Judiciary Committee [hearing: Passport Files: Privacy Protection Needed For All Americans], urging new protections for passport information privacy. The hearing, held at a time of increased information collection and dissemination by the government, addressed an Inspector General report [Review of Controls and Notification for Access to Passport Records in the Department of State's Passport Information Electronic Records System (PIERS)] on data breaches at the State Department. EPIC's testimony recommended implementing the privacy protections of S. 495, the Personal Data Privacy and Security Act of 2007; limiting employee and contractor disclosures; increasing accounting requirements; and creating an independent privacy agency. In a FOIA request filed today, EPIC demanded the release of the complete Inspector General report, substantial portions of which have been withheld from the public."
News release: "The Commission has approved the issuance of a report to Congress regarding the Do Not Call Registry for Fiscal Year 2007. The report...has been submitted to the U.S. House of Representatives Committee on Energy and Commerce and the U.S. Senate Committee on Commerce, Science, and Transportation, as required by Section 4(b) of the Do Not Call Implementation Act. The report – the fourth and final submission required by the Act – contains information on the following topics: 1) the effectiveness of the Registry; 2) the number of consumers who have placed their telephone numbers on the Registry; 3) the number of entities paying fees to access the Registry and the amount of the fees; 4) the progress of coordinating the operation and enforcement of the Registry with similar registries maintained by the states; 5) the progress of coordinating the operation and enforcement of the Registry with enforcement activities of the Federal Communications Commission under the Telephone Consumer Protection Act; and 6) FTC enforcement of the Registry under the Telemarketing Sales Rule."
On June 20, 2008 the House passed H.R. 6304, the FISA Amendments Act of 2008. Today the Senate passed the bill. Related commentary and articles as follows:
News release: "The Center for Democracy and Technology (CDT) today released an analysis questioning the legal standing of a new approach to online advertising being considered by Internet Service Providers and Internet advertising networks. Under the new scheme, an ISP allows an advertising network to copy the contents of the individual Web traffic streams of the ISP's subscribers. The advertising network creates a record of each individual's online behavior, which is used to target ads to the consumer. CDT concludes that the use of Internet traffic content from ISPs may run afoul of federal and state wiretap laws unless performed with the prior, express consent of the subscriber. Some state laws may pose higher burdens."
2008 Data Mining Letter Report (PDF, 46 pages): "This is the third report by the Privacy Office to Congress on data mining. This letter report identifies the data mining activities deployed or under development within DHS, as defined by the Data Mining Reporting Act, and describes the framework the Department will use to report on such activities in the future pursuant to Section 804 of the Implementing Recommendations of the 9/11 Commission Act of 2007, entitled, The Federal Agency Data Mining Reporting Act of 2007 (Data Mining Reporting Act)."
News release: "The Federal Trade Commission plans to study the experiences of identity theft victims by conducting a survey of consumers who contacted the FTC after they were victimized. The proposed survey will examine the remedies available to victims under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Among other things, the FACT Act gave consumers the right to place fraud alerts on their credit files if they are, or suspect they may become, victims of identity theft; block information on their credit reports that resulted from identity theft; and obtain copies of their credit reports free of charge. The survey will seek information from identity theft victims who contacted the FTC between January 1 and May 30, 2008, and will inquire about their experiences when they contacted one or more credit reporting agencies and when they sought to use their FACT Act rights. The survey results will help guide the FTC’s efforts to enforce the law and educate consumers and the consumer reporting industry about their rights and duties."
News release: "The ITRC Breach Report total has reached an all-time high. Between January 1st and June 27th, the total number of data breaches recorded by the ITRC is 342, more than 69% greater than the same time period in 2007. The actual number of breaches is likely even higher, due to underreporting and the fact that some of the breaches reported as a single event actually affected multiple businesses.
The ITRC Breach Report sub-divides all breaches into five categories. To date, the 2008 ITRC Breach Stats Report indicates the following: 17.0% government/military agencies, 21.3% from educational institutions, 36.8% from general businesses, 14.9% from health care facilities / companies, and 10% from banking / credit / financial services entities.
Click here for the 2008 ITRC Breach report. Click here for the 2008 ITRC Breach Stats Report broken down by categories, which includes the percentages for each category (business, financial/credit, educational, governmental/military and health care). Please check regularly as this list is updated weekly."
Bryn Nelson, MSNBC, Giving biometrics a hand: "An electronic palm reader is helping one of the largest healthcare systems in the U.S. and several banks in Japan divine the true identities of their patients and customers. The key? A near-infrared camera that captures each person’s unique palm vein pattern, or template."
EPIC: "Today marks the 50th anniversary of the Supreme Court's decision in NAACP v. Alabama, one of the most important privacy cases of the last century. Professor Anita L. Allen, a leading privacy scholar, author of many books and articles, and a member of the EPIC Board of Directors, wrote an essay to celebrate the anniversary of the decision."
OIG, Social Security Administration, Benefit Payments in Instances Where the Social Security Administration Removed a Death Entry from the Beneficiary's Record, A-06-07-27156, 06/19/08: "The DMF [Death Master File] is a publicly available database maintained by SSA that contains detailed information on more than 82 million deceased numberholders. Each year, SSA receives death reports for more than 2.5 million individuals and adds the information to the DMF. As depicted on the chart below, SSA receives most death reports from funeral homes or friends/relatives of the deceased. SSA considers such first party death reports to be verified and immediately posts them to the DMF.
Other sources of death reports include States and other Federal agencies, as well as postal authorities and financial institutions. SSA posts nonbeneficiary information to the DMF without verification. However, if these reports indicate an SSA beneficiary died, SSA may perform additional verification before terminating benefits or posting the death entry to the DMF. Verification of death means that an acceptable reporter (usually someone in the person's home, a representative payee, a doctor, or hospital) agrees that the person is deceased and corroborates the date of death, if necessary.
The accuracy of death data is a highly sensitive matter for SSA. Erroneous death entries can lead to benefit termination and result in severe financial hardship and distress to the beneficiary/recipient. Conversely, the removal of legitimate death entries could allow for the authorization and payment of fraudulent benefits.
In instances when death reports are posted in error, SSA deletes the death entry from the DMF ("resurrect" the record) and, when applicable, reinstates benefit payments. SSA employees may only process transactions to resurrect a record when presented with proof the original death entry was posted in error. Unless the mistake resulted from an administrative error, the resurrection transaction should not be processed before completion of a face-to-face interview with the beneficiary or recipient. To validate the integrity of these transactions, SSA requires that two employees be involved in the process. SSA also requires that employees document the events leading to and facts supporting the transaction.
Since January 2004, SSA has provided us with electronic files containing updates made to the DMF, including instances when individual records were removed from the DMF. Preliminary analysis of these files indicated that, from January 2004 through April 2007, SSA deleted more than 44,000 individuals' death entries from the DMF. SSA records indicated 20,623 of these individuals were in current payment status on or after April 27, 2007 and received approximately $17.2 million in monthly SSA benefit payments."
Laptop Searches and Other Violations of Privacy Faced by Americans Returning from Overseas Travel, Senate Judiciary Committee
Subcommittee on the Constitution, Civil Rights and Property Rights, June 25, 2008.
"The framework below proposes a set of practices that, when taken together, encourage appropriate handling of personal health information as it flows to and from personal health records (PHRs) and similar applications or supporting services. Click on the individual documents below to read descriptions and to view or download them as PDF documents. Or, download the entire Common Framework in PDF. The Common Framework for Networked Personal Health Information: Overview and Principles provides background on the documents and how they relate to each other. All resources are available free of charge."
News release: "Senate Intelligence Committee Chairman John “Jay” Rockefeller (WV), Senate Intelligence Committee Vice-Chair Kit Bond (MO), House Majority Leader Steny Hoyer (MD), and House Minority Whip Roy Blunt (MO) announced today that a bipartisan compromise has been agreed to that will modernize the Foreign Intelligence Surveillance Act. The FISA Amendments Act, H.R. 6304 (114 pages, PDF), will increase the nation’s security by strengthening the ability of the intelligence community to conduct lawful surveillance of terrorists, as well as protect constitutional rights by requiring warrants before the government can surveil any American."
A Guide to Protecting Your Identity Online, Rosemary Haworth, PC Advisor
Identity Theft: The Aftermath 2007. Conducted by the Identity Theft Resource Center® (ITRC) With comparisons to The Aftermath 2003, 2004, 2005, 2006 Surveys.
News release: "The Federal Trade Commission...told the Senate Committee on Commerce, Science, and Transportation that “legislation authorizing the Commission to seek civil penalties in spyware cases could add a potent remedy to those otherwise available to the Commission.” In testimony to the Committee, Eileen Harrington, Deputy Director of the FTC’s Bureau of Consumer Protection, said that when other enforcement options – seeking consumer redress or making the operators give up their ill-gotten gains – are not appropriate or sufficient remedies to deter spyware distributors, “a civil penalty may be the most appropriate remedy and serve as a strong deterrent.” The testimony states that the agency supports legislation that would provide “the Commission this valuable law enforcement tool.”
UK House of Commons, Home Affairs Committee, A Surveillance Society? Fifth Report of Session 2007–08 Volume I Report, together with formal minutes Ordered by The House of Commons to be printed 20 May 2008.
House of Commons Home Affairs Committee - A Surveillance Society? Fifth Report of Session 2007–08, Volume II, Oral and written evidence, Ordered by The House of Commons to be printed 20 May 2008.
OIG: The Social Security Administration's Internal Use of Employees' Social Security Numbers. A-13-07-27164 06/09/08
Do Data Breach Disclosure Laws Reduce Identity Theft? Sasha Romanosky, Rahul Telang, Alessandro Acquisti, Heinz School of Public Policy and Management, Carnegie Mellon University
DOJ OIG: The Federal Bureau of Investigation's Security Check Procedures for Immigration Applications and Petitions (Redacted for Public Release), Audit Report 08-24, June 2008.
White House: National Security Presidential Directive 59 and Homeland Security Presidential Directive 24, June 5, 2008
The ONC [Office of the National Coordinator for Health Information Technology] Coordinated Federal Health Information Technology Strategic Plan: 2008-2012 - Using the Power of Information Technology to Transform Health and Care.
"The Plan has two goals, Patient-focused Health Care and Population Health, with four objectives under each goal. The themes of privacy and security, interoperability, IT adoption, and collaborative governance recur across the goals, but they apply in very different ways to health care and population health."
Proofpoint's Outbound Email and Data Loss Prevention in Today's Enterprise, 2008 report - ["the survey was fielded in the US, UK, France, Germany and Australia to explore global concerns."]
"Email remains the most important medium for communications both inside and outside the enterprise. But the convenience and ubiquity of email as a business communications tool has exposed enterprises to a wide variety of legal, financial and regulatory risks associated with outbound email. Enterprises continue to express a high level of concern about creating, managing and enforcing outbound messaging policies (for email and other communication protocols) that ensure that messages leaving the organization comply with both internal rules, best practices for data protection and external regulations. In addition, organizations remain very concerned about ensuring that email (and other electronic message streams) cannot be used to disseminate confidential or proprietary information...The results show that data protection concerns are not confined to the US and that globally, email, webmail, FTP, blogs, message boards, media sharing sites and social networking sites are a source of concern as well as real-world risk for IT professionals working in large enterprises."
Audit Initiated of the Web Applications Security in Air Traffic Control Systems, June 02, 2008. Project ID: 07F3018F000
"Summary: The Office of Inspector General is initiating an audit of web applications security in air traffic control (ATC) systems in response to a request made by the U.S. House of Representatives Committee on Transportation and Infrastructure. The objectives of this audit are to determine whether: (1) web applications used in supporting ATC operations are properly secured to prevent unauthorized access to ATC systems, and (2) FAA's network intrusion–detection capability is effective in monitoring ATC cyber security incidents."
"...get access to and manage all of your personal health information online...This would help you keep your doctors and family members up-to-date on important medical conditions and current medications. Well, after a successful pilot with the Cleveland Clinic, we've opened up Google Health to everyone in the U.S. It's easy to sign up, and free to use. All you need is a Google username and password. You can import your medical records and prescription history from our partners — well-known brands such as Walgreens, Longs Drugs and Quest Diagnostics."
News release: "CDT today released a paper offering a set of principles for addressing potential privacy considerations when deploying digital watermarking technology. This technology embeds information within the content of digital media files in a form that is machine readable but often imperceptible to humans. Digital watermarking has a variety of applications and is increasingly being considered as a tool for deterring copyright infringement. CDT's paper is intended to provide guidance for companies that plan to use the technology to communicate information that is specific to individual consumers."
Guidance for Homeland Security Presidential Directive (HSPD) 12 Implementation (May 23 2008) (4 pages): "This document serves as a guideline to assist agencies in preparing or refining plans for incorporating the use of Personal Identity Verification (PIV) credentials, to the maximum extent practicable, with physical and logical access control systems."
Times Online: "Customers in shopping centres are having their every move tracked by a new type of surveillance that listens in on the whisperings of their mobile phones. The technology can tell when people enter a shopping centre, what stores they visit, how long they remain there, and what route they take as they walk around."
Secure web browsing with the OP web browser, Chris Grier, Shuo Tang, and Samuel T. King, Department of Computer Science, University of Illinois at Urbana-Champaign
"CDT's Health Privacy Project today released a paper urging policymakers and the private sector to develop and implement a comprehensive privacy and security framework to govern the wide range of computer and Internet-based systems being created to share sensitive health information. The paper examines the key issues confronting the adoption of information technology in the health care field and offers suggestions on policies and business practices that will protect patient rights while facilitating the kinds of information sharing that can reduce costs and improve care."
"At a REAL ID Workshop at the Berkman Center, EPIC today released a new report on the Department of Homeland Security’s national identification proposal, the REAL ID system. "May 11, 2008 is the statutory deadline for implementation of the REAL ID system. Yet on this date, not one State is in compliance with the federal law creating a national identification system. In fact, 19 States have passed resolutions or laws rejecting the national ID program. The Department of Homeland Security has faced so many obstacles with the REAL ID system that the agency now plans an implementation deadline of 2017." See EPIC page on National ID Cards and the REAL ID Act, and EPIC Comments on the Draft Regulations."
CDT Policy Post 14.5: National Security Letters: "Widespread errors in the use of National Security Letters requires legislative action, says a Center for Democracy and Technology (CDT) paper released today. The documents are used by the FBI when seeking records containing sensitive personal information. Successive Inspector General reports have uncovered abuses and mistakes by the FBI in issuing the NSLs. The CDT Policy Post says that FBI self-policing doesn't work. CDT believes there should be a more exacting standard for issuing NSLs and that prior judicial authorization should be required when sensitive personal information is sought."
News release: "The FBI has withdrawn an unconstitutional national security letter (NSL) issued to the Internet Archive after a legal challenge from the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF). As the result of a settlement agreement, the FBI withdrew the NSL and agreed to the unsealing of the case, finally allowing the Archive's founder to speak out for the first time about his battle against the record demand...The NSL was served on the Archive -- a digital library recognized by the state of California -- and its attorneys in November of 2007. The letter asked for personal information about one of the Archive's users, including the individual's name, address, and any electronic communication transactional records pertaining to the user. Kahle, who is also a member of EFF's Board of Directors, decided to fight the NSL because it exceeded the FBI's limited authority to issue such demands to libraries."
Huge Databases Offer a Research Gold Mine — and Privacy Worries
"As states create warehouses of information about students, scholars see opportunities to assess the effectiveness of education...The fusion-center debate has an echo in the world of education research. Now that Congress has rejected the idea of a national "unit-record tracking" system for student data, scholars and policy analysts are tantalized by the possibility that states will beef up their own education-data centers. The most celebrated example is Florida, which began in 2001 to assemble a "data warehouse" that allows officials to track a person's progress from kindergarten through graduate school and beyond, including postcollege wages and employment, military service, incarceration, and receipt of public assistance." [The Chronicle of Higher Education. Section: The Faculty, Volume 54, Issue 35, Page A10]
The Ultimate Little Black Book - One Firm Routes All Phone Calls in North America, by Ellen Nakashima, Washington Post.
Center for Democracy and Technology (CDT): "The long-range or "vicinity" Radio Frequency Identification (RFID) technology chosen by the Departments of Homeland Security and State for government-issued ID documents poses serious risks to personal privacy and security, CDT testified today before a Senate Homeland Security Subcommittee. CDT recommended that DHS and State abandon the technology, which was originally developed to track things, not people, and that encryption be used to protect a citizen's unique ID number. CDT also urged Congress to support legislation or regulations banning unauthorized "skimming" of RFID chips and prohibiting use of the passport card and Enhanced Driver's License beyond border security."
"NIST announces the release of the public draft of Special Publication 800-66 Revision 1, An Introductory Resource Guide to Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (Draft). This Special Publication (SP), which discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule, was written to help educate readers about information security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security standards set out in the Security Rule, direct readers to helpful information in other NIST publications on individual topics the HIPAA Security Rule addresses, and aid readers in understanding the security concepts discussed in the HIPAA Security Rule. This publication does not supplement, replace, or supersede the HIPAA Security Rule itself. Comments on Draft SP 800-66 Revision 1 will be accepted through June 13, 2008."
US Courts: "The number of intercepted wire, oral or electronic communications — also known as wiretaps — authorized by federal and state courts in 2007 was 20 percent higher than in 2006. Courts issued 2,208 such orders in 2007, compared to 1,839 in 2006, according to The 2007 Wiretap Report.
The complete report contains information on interceptions concluded between January 1, 2007 and December 31, 2007. A summary of the authorized intercepts reported for calendar years 1997-2007 is available in Table 7."
EPIC: "According to the 2007 FISA report, the Foreign Intelligence Surveillance Court approved 2,370 applications to conduct electronic surveillance and physical searches in the United States in 2007, up from 2,176 applications approved in 2006. For the first time, the report includes information regarding the total number of requests made by the Department of Justice with National Security Letter authority for information concerning U.S. persons. In 2006, the government made approximately 12,583 NSL requests for information concerning 4,790 U.S. persons. The 2007 NSL statistics are expected later this year."
"The Center for Democracy and Technology applauds the Senate's passage of HR 493, the Genetic Information Nondiscrimination Act of 2007 (GINA) by unanimous consent. The House is expected to quickly pass the measure. The bill represents a significant step forward in protecting health privacy because it prohibits the use of genetic information by employers when making hiring decisions or by health insurers when making coverage decisions or adjusting premiums. Under GINA, employers and insurers also would not be allowed to impose genetic testing requirements. CDT is urging the President to quickly sign the bill into law."
UK Guardian: "Airline passengers are to be screened with facial recognition technology rather than checks by passport officers, in an attempt to improve security and ease congestion...From summer, unmanned clearance gates will be phased in to scan passengers' faces and match the image to the record on the computer chip in their biometric passports. Border security officials believe the machines can do a better job than humans of screening passports and preventing identity fraud. The pilot project will be open to UK and EU citizens holding new biometric passports."
EPIC: "The International Working Group On Data Protection in Telecommunications has released a report and guidance (pdf) on privacy in social networking services. The report identifies risks to privacy and security, and provides guidance to regulators, service operators and users to counter these risks. Risks include the large amount of data collection; the misuse of profile data by third parties; insecure infrastructure and application programming interfaces. Regulators should ensure openness, and oblige data breach notification. Providers must be transparent; live up to promises made to users; and use privacy friendly defaults. Privacy and consumer groups are also recommended to raise the awareness of regulators, providers and the general public."
News release: "The U.S. Department of Homeland Security (DHS) announced today a notice of proposed rulemaking that will establish biometric exit procedures at all U.S air and sea ports of departure. The majority of non-U.S. citizens are already required to submit digital fingerprints and a digital photograph for admission into the country. The US-VISIT Exit proposal would require non-U.S. citizens who provide biometric identifiers for admission to also provide digital fingerprints when departing the country from any air or sea ports of departure."
"With stories surfacing on news channels regularly about lost or stolen data or the ability to recover data from discarded or resold computers and their hard drives, Computerworld decided to look at some cheap methods of removing that sensitive data from your hard drive permanently. And, what better place to look than YouTube?"
The Inspectors General, Journal of Public Inquiry Fall/Winter 2007/08 (96 pages, PDF)
Statement of Glenn A. Fine, Inspector General, U.S. Department of Justice before the House Committee on the Judiciary Subcommittee on the Constitution, Civil Rights, and Civil Liberties concerning “The FBI’s Use of National Security Letters and Section 215 Orders for Business Records”, April 15, 2008.
Legally eHealth: Putting eHealth in its European Legal Context. Legal and regulatory aspects of eHealth Study report March 2008.
News release: "Global Entry™ will be available for U.S. citizens or lawful permanent residents who are frequent international travelers, provided they have not been found guilty of a criminal offense, charged with a customs or immigration offense, or declared inadmissible to the U.S. under immigration legislation. Biometric fingerprint technology will be used to verify the passenger's identity and confirm his or her status as a Global Entry™ participant."
News release: "Telephone numbers placed on the National Do Not Call Registry will remain on it permanently due to the Do-Not-Call Improvement Act of 2007, which became law in February 2008. More than 157 million phone numbers are on the National Do Not Call Registry. Under the Act, the Federal Trade Commission will continue to remove telephone numbers that have been disconnected and reassigned to other customers. Consumers can delete their telephone numbers from the registry at any time by calling 1-888-382-1222 (TTY 1-866-290-4236) – the call must be made from the telephone number they wish to delete."
Inadequate Security Controls Over Routers and Switches Jeopardize Sensitive Taxpayer Information, March 26, 2008. Reference Number: 2008-20-071
EPIC: "European privacy officials have established "a clear set of responsibilities" on search engine companies regarding their handling of user data. The opinion, issued by the Article 29 Working Group, states that the European Union Data Protection Directive requires search engines to "delete or irreversibly anonymise personal data once they no longer serve the specified and legitimate purpose" for which they were collected. This requirement has particular significance for search engines, because European privacy rules classify Internet Protocol (IP) addresses as "personal data." The opinion further holds that European privacy laws generally apply to search engines "even when their headquarters are outside [Europe]," and requires that search engines must delete personal data within six months of collection. Earlier this year, EPIC urged the European Parliament to protect the privacy of search histories. For more information, see EPIC's Search Engine Privacy page."
"The World Privacy Forum filed extensive comments [April 4, 2008] regarding privacy protections for patients whose health care information will be shared with patient safety organizations under newly proposed Department of Health and Human Services regulations. After a landmark Institute of Medicine report on the prevalence of medical errors and their harmful impact on patients (To Err is Human), the U.S. Congress eventually passed the Patient Safety Act (2005). The Patient Safety Act allows extensive health care data of patients to go to patient safety organizations. The idea is to provide a form of quality control. The Agency for Healthcare Research and Quality (AHRQ), part of HHS, has published its proposed regulations implementing the Act. The World Privacy Forum has made 14 recommendations for substantive changes in the proposed rules to protect patient privacy. The World Privacy Forum asked the Agency to expressly mandate that all patient data be de-identified or anonymized to the greatest extent possible, that the proposed rule should expressly require data use agreements for any data sharing, that the patient information be labeled as subject to the Patient Safety Act, and strongly urged that patient safety organizations be required to maintain an accounting of disclosures at least equal to HIPAA, among other recommendations. The full set of recommendations is available in the WPF comments. The proposed rulemaking will be open for public comments until April 14, 2008."
News release: "According to the 2007 Internet Crime Report, the Internet Crime Complaint Center (IC3) received 206,884 complaints of crimes perpetrated over the Internet during 2007. Of the complaints received, more than 90,000 were referred to law enforcement around the nation, amounting to nearly $240 million in reported losses. This represents a $40 million increase in reported losses from complaints referred to law enforcement in 2006. All complaints received by IC3 are accessible to federal, state, and local law enforcement to support active investigations, trend analysis, and public outreach and awareness efforts."
News release: "Finance Committee staff today released a bipartisan discussion draft of the President’s proposal to require information reporting by banks and other entities on reimbursements to merchants that accept electronic forms of payment, including credit and debit cards. The Finance Committee intends to use public comment to understand more about how payment reporting may affect the tax gap – the $345 billion in Federal taxes legally owed but uncollected each year – as well as to determine whether increased reporting requirements would unfairly burden merchant businesses or banks."
News release: "The Federal Trade Commission today reiterated that despite the claims made in e-mails circulating on the Internet, consumers should not be concerned that their cell phone numbers will be released to telemarketers in the near future, and that it is not necessary to register cell phone numbers on the National Do Not Call (DNC) Registry to be protected from most telemarketing calls to cell phones."
Implementation of the Communications Assistance for Law Enforcement Act by the Federal Bureau of Investigation, Audit Report 08-20, March 2008. Redacted for public release.
News release: "In the FTC’s action against data brokers Reed Elsevier (REI) and Seisint, the complaint alleges that REI - through its LexisNexis data broker business - and Seisint collect and store in databases information about millions of consumers, including names, current and prior addresses, dates of birth, drivers license numbers and Social Security numbers. They obtain information about consumers from credit reporting agencies and other sources, and sell products customers use online to find and retrieve the information from their databases. The companies relied on user IDs and passwords (or “user credentials”) to control customer access to consumer information in their databases."
National Committee on Vital and Health Statistics, 2005-2006. February 2008, 37 pp. (PHS) 2008-1205
Follow up to State Department Acknowledges Unauthorized Access to Passport Records of Presidential Candidates, today's news release: "Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and Ranking Member Arlen Specter (R-Pa.) today urged the Attorney General to take immediate action to investigate reported breaches of the passport files of the three presidential candidates at the State Department. Attorney General Michael Mukasey stated last week that the Justice Department would await the outcome of an internal investigation at the State Department before taking action.
“We both strongly believe that our government has a duty to protect the private information of its citizens,” wrote Leahy and Specter. “The Justice Department should not wait to be handed ‘a box full of evidence,’ as you said at your recent briefing, before determining whether Federal laws were broken.”
See also Personal Data Privacy and Security Act and Summary of the Leahy-Specter data privacy legislation.
RL34404 - Border Searches of Laptops and Other Electronic Storage Devices, March 05, 2008
2008 Data Mining Report (PDF, 46 pages), February 11, 2008. "This is the third report by the Privacy Office to Congress on data mining. This report identifies the data mining activities deployed or under development within DHS, as defined by the Data Mining Reporting Act, and describes the framework the Department will use to report on such activities in the future pursuant to Section 804 of the Implementing Recommendations of the 9/11 Commission Act of 2007, entitled, “The Federal Agency Data Mining Reporting Act of 2007” (Data Mining Reporting Act)."
Press release: "...AirTight® Networks, the global leader for wireless intrusion prevention systems...issued the findings from its study to assess information security risk exposure of laptop users at fourteen airports in the United States, Canada and Asia. The company set out to understand the risks to business travelers and their corporate networks of data leakage while those airline passengers are sending sensitive information using unsecured wireless access points while at the airports. It found surprising results, however, regarding the security posture of private Wi-Fi networks in these airports as well as the rapid spread of viral Wi-Fi networks.
One of the most surprising findings of this initial study was that some ticketing systems, baggage systems, shops and restaurants were using open or poorly secured wireless networks. Of the Wi-Fi networks detected by AirTight researchers, 77 percent were non-hotspot (i.e. private) networks and of those, 80 percent were unsecured or using legacy WEP encryption, a fatally flawed protocol. Based on detailed analysis of these access points, there is a high probability that some of these networks are used for critical airport logistics and operations. The consequences of this lack of security could result in disruption of baggage or passenger ticketing systems."
Newsweek: Unintended Consequences - Spitzer got snagged by the fine print of the Patriot Act
VOIP-News: "Email, IM (instant messaging) and even VoIP solutions like Skype and Vonage have taken over communications in both the business and social worlds. These systems work well because they're a much-needed solution for high phone bills, static-filled communications and dropped cell-phone calls. Internet-based communication methods also give users optimum remote access, since all one needs to use VoIP or send an IM is an Internet connection. But with this increase in popularity comes serious security issues. VoIP technology is still relatively new, and hackers are finding new ways to rip off service providers and their customers. Just who might be spying on your online communications? You might be surprised."
Department of Justice Office of Inspector General: A Review of the FBI’s Use of National Security Letters: Assessment of Corrective Actions and Examination of NSL Usage in 2006, March 2008, Unclassified, (187 pages, PDF)
Department of Justice Office of Inspector General: A Review of the FBI’s Use of Section 215 Orders for Business Records in 2006, March 2008, Unclassified (99 pages, PDF)
Follow up to March 11, 2008 posting, House Democrats Reject Telecom Immunity, "Today, House Judiciary Chairman John Conyers, Jr. (D-MI) and 19 members of the House Judiciary Committee issued a statement regarding telecommunications immunity, as the House prepares to consider the FISA Amendments Act of 2008. Following a review of classified information relating to the warrantless surveillance program and immunity for telecommunications companies, the members reported their conclusion that the administration has not established a valid and credible case to justify granting blanket retroactive immunity at this time."
Follow up to previous postings on TSA's Total Information Awareness surveillance program, this news release today from the ACLU: "...According to the new Wall Street Journal report [subscription req'd], the NSA was engaging in broad domestic spying operations that involve collecting and analyzing the personal information of Americans in ways that are "essentially the same" as TIA. The elements that reportedly make up the new spying encompass a variety of mass surveillance and data mining programs about which the ACLU has previously warned..."
"The Privacy Act of 1974 is in need of improvements to ensure its relevance into the future, CDT Deputy Director Ari Schwartz said in testimony before a congressional panel today. The Act’s limitations are particularly apparent with regard to government use of commercially compiled personal information, Schwartz told the Information Policy, Census, and National Archives Subcommittee. Commercial information plays a key role in important government functions, like law enforcement and national security. However, agencies relying on that data should have clear guidelines on its use. The role Privacy Impact Assessments play in protecting privacy is essential. Two bills help bolster PIAs: S.2341 lays out "best practices" guidelines and HR 4791 requires PIAs for government use of commercial databases. CDT believes Congress should create a Commission to review the Act and suggest possible reforms. March 11, 2008."
House Democratic Majority Leader/AP: "Locked in a standoff with the White House, House Democrats on Tuesday maintained their refusal to shield from civil lawsuits telecommunications companies that helped the government eavesdrop on their customers without a secret court's permission. But they offered the companies an olive branch: the chance to use classified government documents to defend themselves in court. House Democratic leaders unveiled a bill that they hoped would bridge the gap between the electronic surveillance bill passed by the Senate last month and a rival version the House approved last fall. Both bills are attempts to update the 1978 Foreign Intelligence Surveillance Act, the law that dictates when the government needs court permission to conduct electronic eavesdropping inside the United States. The law has taken on particular importance in the global effort to thwart terrorists since the 2001 attacks on the United States."
Electronic Frontier Foundation: "Three powerful House Commerce Committee Chairmen strongly urged their colleagues Thursday to defer acting on requests for retroactive immunity and to demand more information from the White House and the telecommunications companies in the wake of disclosures by another whistleblower that the government apparently has been granted an open gateway to customer information and calls by a major telecommunications company."
HHS Office of Inspector General Privacy Act of 1974; Revisions to OIG’s Privacy Act System of Records: Criminal Investigative Files, Federal Register, March 4, 2008.
"CDT today released a set of privacy principles to help guide the development of software tools related to online behavioral targeting. Developed in consultation with members of CDT's Internet Privacy Working Group (IPWG), the principles aim to bolster the development of tools for Web browsers and other software that empower users with the ability to manage their privacy and control online behavioral tracking activities. The document is a result of meetings with IPWG, sparked by renewed interest in behavioral targeting at the FTC, in the private sector and among consumer groups."
2007 Electronic Monitoring & Surveillance Survey - Over Half of All Employers Combined Fire Workers for E-Mail & Internet Abuse, February 28, 2008
Chris Hoofnagle, Measuring Identity Theft at Top Banks (Version 1.0) February 26, 2008. Berkeley Center for Law and Technology. Law and Technology Scholarship (Selected by the Berkeley Center for Law & Technology). Paper 44.
Data Breach Notification Laws, State By State, by Scott Berinato, "More than five years after California's seminal data breach disclosure law, SB 1386, was enacted, not all states have followed suit. Eleven states still have not passed laws mandating that companies notify consumers when that company has lost the consumer's personal data. One state, Oklahoma, does have a breach notification law, but it only applies to state entities that have lost data. That leaves 38 states that have enacted some sort of breach disclosure law. This map will help you sort them out."
"The Safer Internet plus programme aims to promote safer use of the Internet and new online technologies, particularly for children, and to fight against illegal content and content unwanted by the end-user, as part of a coherent approach by the European Union."
The World Privacy Forum - A Legal and Policy Analysis - Personal Health Records: Why Many PHRs Threaten Privacy, Prepared by Robert Gellman for the World Privacy Forum, February 20, 2008
Secrecy News: "The Office of the Director of National Intelligence provided an overview of U.S. intelligence data mining development programs in..."Data Mining Report," ODNI Report to Congress, February 15, 2008. Data mining is used by intelligence agencies to search through databases in order to discern patterns of activity that could indicate a threat to national security."
Press release: "Reed Elsevier to acquire ChoicePoint for a total cost of $4.1 billion (£2.1 billion/€2.8 billion) payable in cash. This comprises an equity value of $3.5 billion and the assumption of $0.6 billion of net debt. Combination of ChoicePoint with the LexisNexis Risk Information and Analytics Group will create a risk management business with $1.5 billion in revenues and a leading position in the fast growing risk management marketplace...ChoicePoint has a leading position in providing unique data and analytics to the attractive insurance sector (over 50% of Choicepoint's $982 million revenue and 80% of its business operating income from continuing operations in 2007) and highly complementary products and new capabilities in the screening, authentication and public records areas."
Your Guide to Online Privacy, by Mark Glaser
"The FTC today released the list of top consumer fraud complaints received by the agency in 2007. The list, contained in the publication Consumer Fraud and Identity Theft Complaint Data January-December 2007, showed that for the seventh year in a row, identity theft is the number one consumer complaint category. Of 813,899 total complaints received in 2007, 258,427, or 32 percent, were related to identity theft.
The report breaks out complaint data on a state-by-state basis and also contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and the 50 metropolitan areas reporting the highest incidence of identity theft.
The report states that credit card fraud was the most common form of reported identity theft at 23 percent, followed by utilities fraud at 18 percent, employment fraud at 14 percent, and bank fraud at 13 percent.
Consumers reported fraud losses totaling more than $1.2 billion; the median monetary loss per person was $349, the report states."
DHS press releases, February 1, 2008: "The U.S. Department of Homeland Security (DHS) announced today that it has begun collecting additional fingerprints from international visitors arriving at Chicago O'Hare International Airport (O'Hare), Hartsfield-Jackson Atlanta International Airport (Hartsfield), and George Bush Houston Intercontinental Airport (Bush Intercontinental). The change is part of the department's upgrade from two- to 10-fingerprint collection to enhance security and facilitate legitimate travel by more accurately and efficiently establishing and verifying visitors' identities."
Educational Security Incidents (ESI) Year in Review - 2007, by Adam Dodge, posted on February 10, 2008: "The ESI Year in Review - 2007 examines all of the information security incidents occurring at colleges and universities around the world as reported in the news during 2007. 2007 marked a significant change for information security incidents reported in the news. Among the changes are an increase in both the number of incidents reported and the number of institutions reporting a breach, as well as the addition of new categories such as incident type "Employee Fraud" and information type "Username and Password"."
Press release: "In connection with the 5th Safer Internet Day on 12 February 2008, Eurostat, the Statistical Office of the European Communities, presents a selection of statistics concerning internet activities, security concerns and virus attacks. The Safer Internet Day is part of a global drive to promote a safer Internet for all users, in particular younger people, and is organised by Insafe, a European internet safety network co-funded by the European Commission...In the EU27 in 2007, nearly a quarter of internet users had had a computer virus in the preceding 12 months, which resulted in a loss of information or time. Virus attacks were most frequent in Lithuania (41% of users), Slovenia (35%) and Malta (34%) and least common in the Czech Republic (7%), Estonia (15%) and Sweden (16%)."
Press release: "The California State Senate passed a bill Friday that would allow prosecution for identity theft cases in the county where the victim resides. State Sen. Joe Simitian, D-Palo Alto, co-authored Senate Bill 612 and praised fellow senators Friday for voting 40-0 in favor of the legislation. Current law permits prosecution in the county where the theft occurred, or where the information was illegally used, even when both locations are hundreds of miles from the victim’s home, according to Simitian’s office." Simitian also sponsored Senate Bill 364, which passed by a vote of 30-7.
CDT: "The Senate yesterday gave final congressional approval to legislation making "Do Not Call" listings permanent. Without the legislation, consumers' phone numbers would have been automatically removed from the FTC controlled list after five years. CDT applauds the decision to eliminate the list's current expiration policy, which would require consumers who want to remain on the list to sign up again every five years. The bill, H.R. 3541, has already passed the House and is likely to be enacted into law soon."
News.com: "Real ID's scope is surprisingly broad. Jurors could potentially be denied entrance to federal courthouses. So could prospective students visiting the U.S. Naval Academy in Annapolis or the U.S. Military Academy at West Point. Tours of federal buildings such as the Pentagon and the Treasury Department could be affected, as could public hearings, conferences, and even concerts. And some Americans could be denied entrance to the U.S. Capitol building, the iconic heart of the nation's democracy...Starting May 11, unless your home state agrees to comply with the federal Real ID Act or unless it asks for an extension, you might have trouble getting into federal buildings. Click a state [interactive map included in this article] to see what that state has told us about whether or not its ID cards will meet Real ID requirements."
In a statement to the House of Commons, the PM said that the Government would look at ways of using intercept evidence as advised by the Chilcot Report. Guidelines would be drawn up to ensure that the interests of national security were never compromised, he said. The PM said:
"The use of intercept in evidence characterises a central dilemma we face as a free society - that of preserving our liberties and the rule of law, while at the same time keeping our nation safe and secure. [The Chilcot Report - see text below] concludes that it should be possible to find a way to use some intercept material as evidence, provided - and only provided - that certain key conditions can be met. These conditions relate to the most vital imperative of all - that of safeguarding our national security. The Government accepts this recommendation - and takes the accompanying conditions very seriously."
Use of Commercial Independent Risk Analysis Services Blanket Purchase Agreements (BPA) (February 4, 2008) (4 pages, PDF)
REAL ID: What Should Congress Do Now? - CDT Analysis of the REAL ID Act and the Department of Homeland Security’s Final Regulations, February 1, 2008.
Second Annual Report to Congress, January 30, 2008 (36 pages, PDF): "As the efforts of the current Board come to a close, the Members wish to acknowledge and thank the many thousands of dedicated men and women in the Federal government whose responsibility it is to protect the homeland against terrorism consistent with the Constitution. We have been privileged to observe their training on the importance of privacy and civil liberties and witness their work first hand. The development of a privacy and civil liberties oversight infrastructure within the Federal government, as envisioned by IRTPA, is important. But nothing can substitute for the uncompromising daily commitment these individuals make to their jobs and Constitutional principles."
Solove, Daniel J., "The Future of Reputation: Gossip, Rumor, and Privacy on the Internet", Yale University Press, October 2007. Available at SSRN: http://ssrn.com/abstract=1019177
Follow up to January 27, 2007 notice, DHS Posts Annual Report on Congress After Delay, DHS posted the Annual Privacy Report to Congress, July 2006 to July 2007 (PDF, 58 pages).
EPIC: "In a report that will appear in IEEE Security & Privacy, leading experts in computer security warn that legislation now under consideration in the Senate could make the United States vulnerable to attack. The paper Risking Communications Security: Potential Hazards of the Protect America Act warns that warrantless wiretapping creates serious security risks, including "danger of exploitation of the system by unauthorized users, danger of criminal misuse by trusted insiders, and danger of misuse by government agents."
"In this Top Ten Opt Outs list, some opt outs can be done by phone, some have to be sent in a letter via postal mail, and some can be accomplished online. Some opt outs last forever, some have time limits, and others can be changed at will. If an opt out is on this list, it is because we thought it might be important enough to be worth whatever annoyance it may pose. Not every opt out is right for everyone, and not everyone will necessarily want to opt out. It is a personal choice. Take a look at the list...and see if any of the opt outs appeal to you, or might make a difference to you in some way."
Bush Order Expands Network Monitoring - Intelligence Agencies to Track Intrusions, by Ellen Nakashima, Washington Post: "President Bush signed a directive this month that expands the intelligence community's role in monitoring Internet traffic to protect against a rising number of attacks on federal agencies' computer systems. The directive, whose content is classified, authorizes the intelligence agencies, in particular the National Security Agency, to monitor the computer networks of all federal agencies -- including ones they have not previously monitored."
Press release: "A federal judge has barred the illegal operation of an information broker who advertised and sold confidential consumer telephone records to third parties without the consumers’ knowledge or consent. In entering summary judgment for the Federal Trade Commission, Judge William F. Downes of the U.S. District Court for the District of Wyoming also required the defendants to give up nearly $200,000 in ill-gotten gains derived from the consumer phone records they sold, and ordered that the individuals whose records were sold be notified."
"The aim of the Data Protection Day is to give European citizens the chance to understand what personal data is collected and processed about them and why, and what their rights are with respect to this processing. They should also be made aware of the risks inherent and associated with the illegal mishandling and unfair processing of their personal data. The objective of the Data Protection Day is therefore to inform and educate the public at large as to their day-to-day rights, but it may also provide data protection professionals with the opportunity of meeting data subjects."
Press release: "Congresswoman Betty McCollum (MN-04), has sent a letter to the Government Accountability Office asking that it reopen its investigation of the privacy and national security risks posed by government agencies reselling used magnetic data tapes that may once have contained large amounts of sensitive personal and government information. Researchers working for Imation, an Oakdale, MN-based corporation that produces magnetic data tapes, were able to recover a wide range of sensitive information from used data tapes that were supposedly wiped clean before being re-sold. Using readily available equipment and information, Imation investigators found out where the tapes originated and recovered bank account numbers, expense reports, employee tax and benefit information, and other sensitive data."
Coalition for Patient Privacy: "Our mission is to ensure that Americans control all access to their health records."
DHS: Privacy Impact Assessment for the Use of Radio Frequency Identification (RFID) Technology for Border Crossings, January 22, 2008.
Federal Times: "The administration last week told agencies not to use federal employees’ Social Security numbers as primary identifiers for data processing purposes. The Office of Personnel Management said in a Jan. 18 notice that agencies must not print the numbers on paper or display them on computer screens except in secure areas. And only employees whose official duties require access to the numbers can have access to them. Lastly, agencies can only collect employees’ Social Security numbers when an employee joins the agency for human resources and payroll purposes. OPM hopes the new rules will decrease the risk of identity theft."
CDT Comments to DHS on Developing CCTV Best Practices, January 18, 2008: "As the December 17-18, 2007 workshop on Closed Circuit Television (CCTV) made clear, there are many good CCTV “best practices” that have been developed by organizations such as The Constitution Project, ACLU, the American Bar Association, the governments of Canada and the United Kingdom, and even the U.S. Park Police. CDT supports these efforts but believes an equally important question is, how can the public be assured that video surveillance “best practices” are being implemented in localities where federal homeland security funds are spent?"
"In comments filed [January 15, 2008] with the Department of Homeland Security, EPIC detailed its "Framework for Protecting Privacy & Civil Liberties If CCTV Systems Are Contemplated." EPIC explained that it "does not support the creation nor the expansion of video surveillance systems, because their limited benefits do not outweigh their enormous monetary and social costs." EPIC's guidelines explain that (1) alternatives to CCTV are preferred; (2) there must be a demonstrated need for the system; (3) the public and privacy and security experts must be consulted before the system is created; (4) Fair Information Practices Privacy Act of 1974, the 1980 OECD Privacy Guidelines and the Video Voyeurism Act. See EPIC's page on Video Surveillance."
Press release, January 11, 2009: "One of the biggest concerns we’ve had for the last several years, one we continue to have at the Department of Homeland Security, is how do we promote a secure form of identification across America? And Congress has spoken to this by passing the REAL ID Act several years ago, which provides that we have the obligation to set uniform security standards for the issuance of state driver’s licenses. When we went back and investigated the 9/11 attacks, one of the things which we found, and which the 9/11 Commission found, was that all but one of the hijackers carried a government-issued identification form – mostly driver’s licenses. And this government-issued ID helped the hijackers board airplanes, or remain in the country illegally. That’s why the 9/11 Commission recommended that we enhance the security of our driver’s licenses as a counterterrorism measure. And that’s why Congress set higher standards for driver’s licenses in the REAL ID Act. That’s also why the American people overwhelmingly support more security for driver’s licenses."
Press release: "The U.S. Department of Homeland Security (DHS) announced today a final rule establishing minimum security standards for state-issued drivers’ licenses and identification cards. The rule sets uniform standards that enhance the integrity and reliability of drivers’ licenses and identification cards, strengthen issuance capabilities, and increase security at drivers’ license and identification card production facilities. The final rule also dramatically reduces state implementation costs by roughly 73 percent."
REAL ID Requirements
Press release: "In October 2006, the Transportation Security Administration launched a website to help travelers whose names were erroneously listed on airline watch lists. This redress website had multiple security vulnerabilities: it was not hosted on a government domain; its homepage was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. These deficiencies exposed thousands of American travelers to potential identity theft. After an internet blogger identified these security vulnerabilities in February 2007, the website was taken offline and replaced by a website hosted on a Department of Homeland Security domain. At the request of Chairman Henry Waxman, Committee staff have been investigating how TSA could have launched a website that violated basic operating standards of web security and failed to protect travelers’ sensitive personal information. As this report describes, these security breaches can be traced to TSA’s poor acquisition practices, conflicts of interest, and inadequate oversight."
"...the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) provides that United States citizens and nonimmigrant aliens may enter the United States only with passports or such alternative documents as the Secretary of Homeland Security may designate as satisfactorily establishing identity and citizenship... The vicinity RFID electronic chip contains only one item of information--a unique identifying number that has meaning only inside the secure CBP computer system. No other form of personally identifiable information, such as name, date of birth, SSN, place of birth etc., will be electronically stored on the passport card or transmitted through RFID. All personal information will be contained in DHS systems and will only be accessible by authorized personnel through secure networks. Upon receipt of the passport card number, the border crosser's personal information will be downloaded from the CBP system and provided to the CBP officer. The CBP officer will then interview the individual, verify their identities, and determine the appropriate action to take. The WHTI passport card approach was not designed to be an automated system, and the use of vicinity RFID technology in this final rule reflects this reality. Rather, the RFID-based approach allows the CBP officers to do their jobs better and faster." [Federal Register: December 31, 2007 (Volume 72, Number 249)][Rules and Regulations][Page 74169-74173]
Washington Post, Online Records May Aid ID Theft, Government Sites Post Personal Data, By Bill Brubaker: "Social Security numbers are readily available in many courthouses -- in land records and criminal and civil case files -- as well as on many government Web sites that serve up public documents with a few clicks of a mouse. From state to state, and even within states, there is little uniformity in how access to the private information in these records is controlled."
"Today, the Department of State released a final rule for the new "Passport Card," which is intended to be used by American citizens who frequently travel by land or sea to Canada, Mexico, the Caribbean, and Bermuda. The new rule calls for the use of "vicinity read" RFID technology without the use of encryption. This means the card will be able to be read remotely, at a long distance. CDT strongly objected to the use of this technology--developed for tracking inventory, not people--because it is inherently insecure and poses threats to personal privacy, including identity theft, location tracking by government and commercial entities outside the border control context, and other forms of mission creep."
"Each year since 1997, the US-based Electronic Privacy Information Center and the UK-based Privacy International have undertaken what has now become the most comprehensive survey of global privacy ever published. The Privacy & Human Rights Report surveys developments in 70 countries, assessing the state of surveillance and privacy protection. The most recent report published in 2007 is probably the most comprehensive single volume report published in the human rights field. The report runs over 1,100 pages and includes 6,000 footnotes. More than 200 experts from around the world have provided materials and commentary. The participants range from eminent privacy scholars to high-level officials charged with safeguarding constitutional freedoms in their countries. Academics, human rights advocates, journalists and researchers provided reports, insight, documents and advice. In 2006 Privacy International took the decision to use this annual report as the basis for a ranking assessment of the state of privacy in all EU countries together with eleven non-EU benchmark countries."
Ponemon 2007 Annual Study: U.S. Cost of a Data Breach - Understanding Financial Impact, Customer Turnover, and Preventive Solutions: This study "was derived from a detailed analysis of 35 data breach incidents. According to the study, the cost per compromised customer record increased in 2007, compared to 2006. Lost business opportunity, including losses associated with customer churn and acquisition, represented the most significant component of the cost increase. Companies analyzed were from 16 different industries, including communications, consumer goods, education, entertainment, financial services, gaming, health care, hospitality, internet, manufacturing, marketing, media, retail, services, technology, and transportation."
"The Department of Homeland Security released grant guidance and application kits for two grant programs totaling more than $35 million to help states prepare to implement REAL ID provisions that require a standard format for state-issued driver's licenses. The REAL ID Demonstration Grant Program will provide $31.3 million in grants to the states to check motor vehicle records in other states to ensure drivers don't have multiple licenses, and to verify immigration status against federal records. It will help standardize methods by which states may seamlessly verify an applicant's information with another state and deploy verification capabilities that can be used by all states, while protecting personal identification information."
Press release: "The Federal Trade Commission today told the House Judiciary Committee’s Subcommittee on Crime, Terrorism, and Homeland Security that identity theft remains one of the highest priorities for the Commission, and that the agency is playing a lead role in preventing identity theft and helping those who are victimized."
Press release: "Forty-seven percent of internet users have searched for their own name online, but few monitor their online presence with great regularity. Fifty-three percent of internet users have searched online for information about personal and business contacts. These findings represent a significant change from when the Pew Internet Project first reported on this activity in 2002, at which time 22% of internet users had searched online for their own name."
Press release: "As merchants get busier with holiday shopping, the Federal Trade Commission reminds them to be sure the credit and debit card receipts they give customers comply with federal law. To reduce the risk of fraud and identity theft, the electronically printed credit and debit card receipts given to consumers must not include more than the last five digits of the card number, and must not show the expiration date."
Press release: "The widespread use and availability of Social Security numbers puts Americans at risk for identity theft and should be restricted, according to Consumers Union, nonprofit publisher of Consumer Reports. The group urged policymakers to take action to protect consumers as part of a public forum on the issue organized by the Federal Trade Commission in conjunction with the President’s Identity Theft Task Force. Social Security numbers are particularly sensitive information because they can provide the key to unlocking a consumer’s financial identity... Jeannine Kenney, Senior Policy Analyst with Consumers Union...presented findings of a Consumer Reports National Research Center poll at the FTC forum showing that 89 percent of Americans want state and federal lawmakers to restrict the use and availability of Social Security numbers by businesses and government agencies. The poll also found that nearly all consumers want the right to freeze access to their credit files to prevent new account fraud. Currently 39 states and the District of Columbia give consumers the right to a security freeze and the three major credit bureaus have made the freeze available to consumers in the remaining states."
"The Electronic Frontier Foundation (EFF) has received a second set of records from the Office of the Director of National Intelligence (ODNI) detailing behind-the-scenes briefings for lawmakers working to make substantial changes to the Foreign Intelligence Surveillance Act (FISA). EFF requested release of the records under the Freedom of Information Act (FOIA) earlier this year...Last month, a federal judge ordered ODNI to release all documents by December 10. The first batch of records, made public on November 30, detailed contentious negotiations between Director of National Intelligence Mike McConnell and members of Congress that resulted in the passage of the Protect America Act...The second set of records contains more correspondence between McConnell and members of Congress, as well as heavily redacted versions of classified testimony delivered to the Senate Select Committee on Intelligence, and an FAQ detailing how the National Security Agency performs electronic surveillance. Withheld records include ODNI presentation slides used to brief Congress on foreign intelligence issues, and other classified documents."
"Protecting the personal information of customers, clients, and employees is good business. The Federal Trade Commission has a new online tutorial to alert businesses and other organizations to practical and low- or no-cost ways to keep data secure. The tutorial, “Protecting Personal Information: A Guide for Business,” at www.ftc.gov/infosecurity, takes a plain-language, interactive approach to the security of sensitive information. Although the specifics depend on the type of company and the kind of information it keeps, the basic principles are the same: any business or office that keeps personal information needs to take stock, scale down, lock it, pitch it, and plan ahead. The tutorial explains each of these principles, and includes checklists of steps to take to improve data security."
Legislative Text of the Foreign Intelligence Surveillance Substitution Act of 2007, S. 2402, introduced by Arlen Specter, December 3, 2007.
Awareness of Security Freeze Legislation and Use of Security Freezes by Consumers Age 18+ Research Report, Jennifer H. Sauer, M.A., AARP Knowledge Management, Neal Walters, AARP Public Policy Institute, November 2007
Press release: "The Division of Privacy and Identity Protection of the Commission’s Bureau of Consumer Protection has issued a summary of information it has obtained in preparation for an upcoming FTC workshop on private-sector use of Social Security numbers (SSNs)...In July 2007, FTC staff invited interested parties to comment on the issues surrounding private sector usage of SSNs. More than 300 individuals and entities provided comments. The staff summary of the public comments and the information the staff obtained through its interviews can be found here. The issues will be addressed at an FTC workshop on December 10-11, 2007. More information about the workshop can be found here."
McAfee Virtual Criminology Report - Cybercrime: The Next Wave - The annual McAfee global cyber trends study into organized crime and the Internet in collaboration with leading international security experts, November 2007.
Press release: "Late Tuesday, the Electronic Frontier Foundation (EFF) won the speedy release of telecom lobbying records from the Office of the Director of National Intelligence (ODNI). The agency was ordered to comply with a new December 10 deadline -- in time for the documents to play a role in the congressional debate over granting amnesty for telecommunications companies taking part in illegal electronic surveillance. The ruling by U.S. District Judge Susan Illston vacates a hearing on the matter previously scheduled for Friday."
Press release: "The Federal Trade Commission today released a survey showing that 8.3 million American adults, or 3.7 percent of all American adults, were victims of identity theft in 2005. Of the victims, 3.2 million, or 1.4 percent of all adults, experienced misuse of their existing credit card accounts; 3.3 million, or 1.5 percent, experienced misuse of non-credit card accounts; and 1.8 million victims, or 0.8 percent, found that new accounts were opened or other frauds were committed using their personal identifying information."
Press release: "With public concern over online fraud, new research, funded by the Economic and Social Research Council, has revealed that internet users will reveal more personal information online if they believe they can trust the organisation that requests the information. 'Even people who have previously demonstrated a high level of caution regarding online privacy will accept losses to their privacy if they trust the recipient of their personal information' says Dr Adam Joinson, who led the study. The findings of the study are vital for those aiming to create online services that pose a potential privacy threat, such as Government agencies involved in developing ID cards. The project found that even those people who declared themselves unconcerned about privacy would soon become opposed to ID cards if the way that they were asked for information made them feel that their privacy was threatened...56 percent of internet users stated that they have concerns about privacy when they are online. The central issue was whether websites were seen as particularly trustworthy - or untrustworthy - causing users to alter their behaviour. When a website is designed to look trustworthy, people are willing to accept privacy violations. But, the same actions by an untrustworthy site leads to people behaving in a much more guarded manner."
"...the Identity Theft Resource Center (ITRC) has been tracking security breaches for the past three years, looking for patterns, new trends and any information that may help us better protect data and assist companies in their activities...In 2006, there were in excess of 315 publicized breaches affecting nearly 20 million individuals. Based on ITRC’s categorization, the breaches break down as follows: 29% government/military agencies; 28% from educational institutions; 22% from general businesses; 13% from health care facilities / companies; and 8% from banking / credit / financial services entities. In 2005, there were 158 incidents affecting more than 64.8 million people."
DHS Leadership Journal: "DHS posts its System of Record Notices and Privacy Impact Assessments on our website. These documents inform the public what personal information the government is collecting; how it will be used and shared; what consent, access and redress rights the individual may have; how the information will be protected; and how compliance with these protections is audited. Privacy is enhanced by revealing what the government is doing, and security is enhanced by DHS supporting systems intended to protect the public."
US Courts: "New rules providing privacy protection for case files posted online in the federal district, bankruptcy and appellate courts are scheduled to take effect December 1, 2007. Some of the rules represent a change in Judicial Conference policy.
Meanwhile, a Judicial Conference committee is studying a related privacy issue: Whether courts should restrict Internet access to plea agreements in criminal cases, which may contain information identifying defendants who are cooperating with law enforcement investigations.
The new rules were proposed by the Judicial Conference in accordance with the E-Government Act of 2002, which requires that each court make publicly available online any document filed electronically. The rules require parties to redact certain personal information from each filing.
The Act required the Supreme Court to prescribe rules “to protect privacy and security concerns related to electronic filing of documents and the public availability...of documents filed electronically.”
The new privacy rules include Civil Procedure Rule 5.2, Criminal Rule 49.1 and Bankruptcy Rule 9037. Appellate Rule 25 was amended to incorporate the new privacy directive. The rules can be found at http://www.uscourts.gov/rules/congress0407.htm."
Engaging Privacy and Information Technology in a Digital Age, James Waldo, Herbert S. Lin, and Lynette I. Millett, Editors, Committee on Privacy in the Information Age, National Research Council.
Follow up to Undercover GAO Investigation Exposes Vulnerabilities in Airport Security, DHS OIG Report - Information Technology Management Needs to Be Strengthened at the Transportation Security Administration, October 26, 2007 (PDF, 48 pages).
Press release, November 15, 2007: "IT security and control firm Sophos has revealed new research into the use of other people's Wi-Fi networks to piggyback onto the internet without payment. The research, carried out by Sophos on behalf of The Times, shows that 54 percent of computer users have admitted breaking the law, by using someone else's wireless internet access without permission. According to Sophos, many internet-enabled homes fail to properly secure their wireless connection with passwords and encryption, allowing freeloading passers-by and neighbours to steal internet access rather than paying an Internet Service Provider (ISP) for their own. In addition, while businesses often have security measures in place to protect the Wi-Fi networks within their offices from attack, Sophos experts note that remote users working from home could prove to be a weak link in corporate defenses."
OIG-08-06 - Better Administration of Automated Targeting System Controls Can Further Protect Personally Identifiable Information (Redacted) (PDF, 22 pages)
AP: "Privacy no longer can mean anonymity, says Donald Kerr, the principal deputy director of national intelligence. Instead, it should mean that government and businesses properly safeguard people's private communications and financial information...Kurt Opsahl, a senior staff lawyer with the Electronic Frontier Foundation...said Kerr ignores the distinction between sacrificing protection from an intrusive government and voluntarily disclosing information in exchange for a service."
Privacy and Civil Liberties Oversight Board Letter to the Attorney General on the Use of National Security Letters by the FBI, September 14, 2007.
USA Today: "More than 15,000 people have appealed to the government since February to have their names removed from the terrorist watch list that delayed their travel at U.S. airports and border crossings, the Homeland Security Department says."
Press release: "The Federal Trade Commission today announced a law enforcement crackdown on companies and individuals accused of violating the requirements of the National Do Not Call (DNC) Registry, resulting in six settlements collectively imposing nearly $7.7 million in civil penalties, along with an additional complaint that will be filed in federal district court. The actions, brought by the Department of Justice (DOJ) on the FTC’s behalf, are against companies ranging from adjustable bed seller Craftmatic Industries, Inc. (Craftmatic) to alarm-monitoring provider ADT Security Services (ADT) and lender Ameriquest Mortgage Company (Ameriquest), and bring to 34 the number of cases filed by the FTC to enforce the DNC Rule, which was implemented in 2003. To date, consumers have put more than 145 million numbers on the Registry, indicating they do not want to receive calls from telemarketers at home."
Follow up to previous postings on the domestic surveillance program and AT&T's alleged participation, today's article in the Washington Post, A Story of Surveillance - Former Technician 'Turning In' AT&T Over NSA Program, by Ellen Nakashima: "...Mark Klein, a former AT&T technician...alleged that the NSA set up a system that vacuumed up Internet and phone-call data from ordinary Americans with the cooperation of AT&T. Contrary to the government's depiction of its surveillance program as aimed at overseas terrorists, Klein said, much of the data sent through AT&T to the NSA was purely domestic."
Optimizing Investments in Security Countermeasures: A Practical Tool for Fixed Budgets, by Jonathan Caulkins and Nancy R. Mead, September/October 2007 edition of IEEE Security and Privacy Magazine. "In the article, the team presents a tool and methodology they developed for software engineers and their clients to help them make security decisions when resources are limited."
Press release: "A federal judge today ruled on a preservation motion filed by the Electronic Frontier Foundation (EFF), ordering that telecommunications companies must preserve any evidence of collaborating with the government in illegal spying on ordinary Americans. In his ruling, U.S. District Court Judge Vaughn Walker ordered the telecommunications companies to halt any routine destruction of documents or to arrange for the preservation of accurate copies. On December 14, each party must provide the court with confirmation that the court's order has been carried out. The court order did not require the government or the carriers to reveal whether or not they had any relevant evidence."
Audit of Security and Controls Over the National Driver Register, October 29, 2007, Project ID: FI-2008-003 (32 pages, PDF)
"A credit freeze (sometimes called a security freeze) lets you stop the disclosure of your credit report by a credit bureau. As of November 1, 2007, the three credit bureaus are allowing all consumers nationwide to set a security freeze. Some states have specific security freeze laws; a list of states with security freeze laws may be found here. However, even if you live in a state without a security freeze law, you can still set a security freeze."
Press release: "Starting November 1, consumers in all 50 states will be able to freeze access to their credit files at all three major credit bureaus to prevent identity thieves from opening fraudulent accounts in their names. By that date, all three major credit bureaus will offer “security freeze” protection to all consumers living in the eleven states that have not passed laws requiring it and the five states that currently limit this protection to identity theft victims. To help consumers learn how to take advantage of this powerful identity theft safeguard, Consumers Union, the nonprofit publisher of Consumer Reports, is making available online an updated Guide to Security Freeze Protection."
Senate Committee on Homeland Security and Governmental Affairs hearing, The Role of Local Law Enforcement in Countering Violent Islamist Extremism, October 30, 2007.
"President George W. Bush has issued the first National Strategy for Information Sharing to prioritize and unify the United States' efforts to advance the sharing of terrorism-related information. The strategy sets forth a plan to build upon the progress that has been made in improving information sharing since the September 11, 2001, attacks and establishes an integrated national information sharing capability. It was developed using a collaborative process and based on significant input provided by members of the Federal Information Sharing Council, as well as state, local, tribal, and private sector officials from across the nation. The new strategy presents a vision for the 58 fusion centers that have been--or are in the process of being--established nationwide. It calls for fusion centers to achieve a baseline of capability and pursue the goal of establishing a 'national, integrated network of fusion centers to enable the effective sharing of terrorism-related information.' The strategy also promises to support the centers through grant funding and training. Additionally, the document lists core privacy principles that administration officials say require agencies to comply with privacy laws and be proactive in balancing privacy and security concerns."
Press release: "CDT joined with a coalition of privacy advocates on Wednesday to recommend an ambitious set of proposals intended to give consumers greater control over their personal data and to offset the impact of pervasive behavioral tracking. Included in the recommendations is a call to create a national "Do Not Track List" that would provide consumers with a simple tool for opting out of behavioral tracking. CDT joined with Consumer Action, the Consumer Federation of America, the Electronic Frontier Foundation, Privacy Activism, Public Information Research, Privacy Journal, Privacy Rights Clearinghouse, and the World Privacy Forum in crafting the proposal, which is timed to coincide with the start Thursday of a two-day Federal Trade Commission workshop on behavioral targeting."
OCLC press release and related links: "The practice of using a social network to establish and enhance relationships based on some common ground—shared interests, related skills, or a common geographic location—is as old as human societies, but social networking has flourished due to the ease of connecting on the Web. This OCLC membership report explores this web of social participation and cooperation on the Internet and how it may impact the library’s role, including: The use of social networking, social media, commercial and library services on the Web; How and what users and librarians share on the Web and their attitudes toward related privacy issues; Opinions on privacy online; Libraries’ current and future roles in social networking."
Statement of Glenn A. Fine, Inspector General, U.S. Department of Justice before the Senate Committee on Homeland Security and Governmental Affairs concerning Watching the Watchlist: Building an Effective Terrorist Screening System, October 24, 2007. Available in either PDF or HTML.
CDT: "As it seeks models to address the mounting issues surrounding online behavioral targeting, the Federal Trade Commission (FTC) should begin by applying the principles it developed to guide its anti-spyware enforcement efforts, CDT said today. In comments submitted to the FTC in advance of its upcoming "town hall" meeting on behavioral advertising, CDT pointed out that the FTC's principles -- which center around the core concept that consumers should have ultimate control over their computers -- are directly applicable to behavioral advertising. In addition to filing its own comments, CDT also joined with other public interest advocates in offering a list of important questions the FTC must address over the course of the two-day meeting."
Press release, October 18, 2007: "Senator Jay Rockefeller and Senator Kit Bond, Chairman and Vice Chairman of the Senate Intelligence Committee...announced that the Senate Intelligence Committee passed legislation to modernize FISA. The bill, which passed by a strong bipartisan vote, will improve the recently enacted Protect America Act that aimed to fix collection problems related to foreign intelligence surveillance."
Reporters Committee for Freedom of the Press: "For the first time ever, the U.S. House of Representatives overwhelmingly passed legislation that will protect journalists from being compelled to testify or reveal sources in court. The shield law grants a qualified privilege to reporters to prevent them, in most cases, from being compelled to testify or to identify sources to federal investigators. The bill [Free Flow of Information Act of 2007, H.R. 2102], which passed on a 398-21 vote, provides for a number of exceptions though, including circumstances where disclosure is necessary to prevent an act of terrorism or imminent death or significant bodily harm, where disclosure is necessary to identify a person who has released some categories of private business and medical information, and where the reporter witnesses criminal or tortious conduct."
FCW.com: "Defense Department officials have released new guidelines that govern the monitoring of employees’ phone calls and the mock penetration of military network defenses to identify potential security risks to DOD information. DOD Chief Information Officer John Grimes on Oct. 9 signed Instruction 8560.01, titled Communications Security Monitoring and Information Assurance Readiness Testing. The document replaces language from 1981 that regulated the circumstances under which DOD officials could listen in on employees’ telephone conversations for security reasons."
Press release, October 16, 2007: "Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and Ranking Member Arlen Specter (R-Pa.) today introduced the bipartisan Identity Theft Enforcement and Restitution Act of 2007 to give federal prosecutors important new tools to combat the growing problem of identity theft and cyber crime.
The Identity Theft Enforcement and Restitution Act of 2007 would:
Press release: "Three telecommunications companies have provided responses to inquiries by the Committee on Energy and Commerce about their involvement with the National Security Agency warrantless wiretapping program. On October 2, Rep. John D. Dingell (D-MI), Chairman of the Committee, Rep. Ed Markey (D-MA), Chairman of the Subcommittee on Telecommunications and the Internet, and Rep. Bart Stupak (D-MI), Chairman of the Subcommittee on Oversight and Investigations, sent letters to AT&T, Verizon and Qwest, requesting that the telecommunications companies provide details on the reported efforts by government agencies to obtain information about customers’ telephone and Internet use."
Press release: "The Federal Trade Commission today reiterated that despite the claims made in e-mails circulating on the Internet, consumers should not be concerned that their cell phone numbers will be released to telemarketers in the near future, and that it is not necessary to register cell phone numbers on the National Do Not Call (DNC) Registry to be protected from most telemarketing calls to cell phones."
Press release: "With a full twelve months under our belt, today OpenDNS published the first-ever PhishTank annual report. The report looks at the more than 300,000 phishes you’ve submitted and helped verify over the course of one year. While some of the report’s findings come as no surprise (e.g., PayPal and eBay round out the top of the list of most spoofed brands), some are alarming. Perhaps the most important finding, and the one that drove us to come up with a fix, is that U.S. telecoms are hosting more phishes than telecoms in any other country."
Follow up to October 9, 2007 posting, Conyers, Reyes Introduce FISA Revision Legislation, today's press release: "The House Permanent Select Committee on Intelligence voted 12-7 today to send the RESTORE Act (H.R. 3773) to the floor of the U.S. House of Representatives for consideration."
Press release: "Today, House Judiciary Committee Chairman John Conyers, Jr. (D-MI) and Intelligence Committee Chairman Silvestre Reyes (D-TX) introduced The Responsible Electronic Surveillance that is Overseen, Reviewed, and Effective Act of 2007 – the RESTORE Act, in an effort to address concerns about civil liberty protections in the hastily-enacted Protect America Act that was signed into law in early August. The RESTORE Act restores court oversight of intelligence gathering by requiring that electronic surveillance programs be approved by the Foreign Intelligence Surveillance Act (FISA) Court, mandating that FISA warrants be obtained when the government wants to undertake surveillance of persons in the US, and authorizing continued oversight of programs by the Court, Congress, and independent auditors."
Press release: "Today the National Security Archive publishes a collection [links to 41 documents accompany this release] of documents concerning U.S. policy with regard to acknowledging the "fact of" U.S. satellite reconnaissance operations – particularly satellite photoreconnaissance. It was 29 years ago today that President Jimmy Carter, in a speech at the Kennedy Space Center, acknowledged that the U.S. was operating photoreconnaissance satellites...The documents published include memos stating the positions of various individuals and institutions on the issue in both the Nixon and Carter administrations, assessments of the risks and benefits of declassification, an assessment of the reactions to President Carter’s disclosure, and presidential directives from the Carter, Reagan and Clinton administrations specifying the classification associated with the "fact of" different types of satellite reconnaissance."
Government Technology: "Chicago's Office of Emergency Management and Communications (OEMC) will implement an advanced citywide intelligent security system as part of Chicago's Operation Virtual Shield, a project that encompasses one of the world's largest video security deployments."
9/27/2007 Senate Judiciary Committee, Subcommittee on Antitrust, Competition Policy and Consumer Rights, An Examination of the Google-DoubleClick Merger and the Online Advertising Industry: What Are the Risks for Competition and Privacy?
EFF: "Today, Judge Ann Aiken of the Oregon Federal District Court ruled that two provisions of the Foreign Intelligence Surveillance Act (FISA), '50 U.S.C. §§ 1804 and 1823, as amended by the Patriot Act, are unconstitutional because they violate the Fourth Amendment of the United States Constitution.'"
Jane Horvath, Senior Privacy Counsel at Google, has posted links to two YouTube videos providing users with details about privacy practices and personalizing your search.
Press release: "Attorney General Andrew Cuomo announced today that his office is investigating Facebook over representations the company makes about safety measures in place on its website. In a letter accompanying a subpoena for documents, Cuomo warned the company that a preliminary review conducted by his office revealed significant defects in the site’s safety controls and the company’s response to complaints - deficiencies that stand in contrast to the reassuring statements made on the website and by company officials."
Social Security Administration OIG Audit: Assessment of F-1 Students' Use of Social Security Numbers, A-08-07-17085, 09/12/07, 19 pages, PDF.
FTC Consumer Alert - Q&A: The National Do Not Call Registry
How long does my phone number stay registered?
"Your phone number will remain on the registry for five years from the date you register (unless you choose to take it off the registry or your phone number is disconnected). If you register online, you may want to print the Web page for your records when your registration is accepted."
Press release: "Electronic Frontiers Australia (EFA) today slammed a Bill introduced into the Senate which would give members of the Australian Federal Police powers to ban access to Internet content. The Communications Legislation Amendment (Crime or Terrorism Related Internet Content) Bill 2007 would, if enacted, give senior members of the Australian Federal Police powers to ban access to Internet content which they "have reason to believe": encourages, incites, or induces the commission of a Commonwealth offence; or was published in part to facilitate the commission of such an offence; or that it is likely to have the effect of facilitating the commission of such an offence."
EPIC: "The Data Privacy and Integrity Advisory Committee of the Department of Homeland Security held a series of panel discussions on the topic of "information fusion centers." EPIC's statement to the committee made specific recommendations on the need to create accountability, oversight, and greater transparency on the work of fusion centers. So far DHS has awarded over $380 million in grants to local and state law enforcement to build 43 of the planned 70 interconnected computer networks. The domestic surveillance project is compiling, analyzing, and disseminating detailed personal information for intelligence and other purposes. DHS says it wants to use fusion centers to prevent terrorism, but local and state police want the centers to support their efforts to anticipate, identify, prevent, and/or monitor crime. See EPIC's page on Fusion Centers and Spotlight on Surveillance."
Newsweek, Michael Isikoff and Mark Hosenball, Sept. 20, 2007 - "The nation’s biggest telecommunications companies, working closely with the White House, have mounted a secretive lobbying campaign to get Congress to quickly approve a measure wiping out all private lawsuits against them for assisting the U.S. intelligence community’s warrantless surveillance programs. The campaign—which involves some of Washington's most prominent lobbying and law firms—has taken on new urgency in recent weeks because of fears that a U.S. appellate court in San Francisco is poised to rule that the lawsuits should be allowed to proceed. If that happens, the telecom companies say, they may be forced to terminate their cooperation with the U.S. intelligence community—or risk potentially crippling damage awards for allegedly turning over personal information about their customers to the government without a judicial warrant."
EPIC: "The United States Senate Judiciary Committee will hold a hearing entitled An Examination of the Google-Doubleclick Merger and the Online Advertising Industry: What Are the Risks for Competition and Privacy on Thursday, September 27. Dave Drummond of Google, Brad Smith of Microsoft, Scott Cleland of Precursor, Tom Lenard of the Progress & Freedom Foundation, and Marc Rotenberg of EPIC are expected to testify. See EPIC's page on the proposed Google-Doubleclick merger."
House Judiciary Committee Hearing on Warrantless Surveillance and the Foreign Intelligence Surveillance Act: The Role of Checks and Balances in Protecting Americans’ Privacy Rights (Part II). Statements of Mike McConnell, Director of National Intelligence and Kenneth Wainstein, Assistant Attorney General for National Security, United States Department of Justice.
Heise Online: "The world's number one search engine Google is calling for international standards for data protection. "Three quarters of the countries in the world have no privacy regimes at all", Peter Fleischer, Google's Privacy Chief, explained at a conference organized by UNESCO, the UN's Education, Science, and Culture Organization, on the topic of "Internet Ethics". What's worse, Fleischer pointed out that even the countries in Europe and the OECD (Organization for Economic Collaboration and Development) that do have such laws wrote them up back when the Internet did not have the impact it currently does."
Google Calls for Global Online Privacy Standard: "Google envisions the policy to be a product of self-regulation by companies, improved laws and possible new ones."
Via EFF - "How National Security Letters Violate Our Privacy: The 26-minute video, also available on DVD, explores the repercussions of the FBI's power to demand hundreds of thousands of Americans' private records without any oversight by a court or Congress. Two former Department of Justice (DOJ) officials, Lisa Graves [bio] and Bruce Fein [bio], share their views on how the expanded, unchecked power threatens Americans' privacy and diverts resources from genuine threats. George Christian of Library Connection gives his unique perspective as an NSL recipient who challenged the letter he received and the accompanying, permanent gag order. Christian and three of his colleagues are the only people, out of thousands of NSL recipients, who can legally talk about that experience. The video opens a window onto one of several controversial post-9/11 expansions of executive branch powers. BORDC hopes local showings of the video will open a dialogue nationwide about whether the power needs to be curbed to protect U.S. residents' constitutional rights."
Press release: "The FTC today told the Senate Committee on Commerce, Science & Transportation Subcommittee on Interstate Commerce, Trade and Tourism that it has a robust record in protecting consumers and preserving competition in the marketplace...Speaking for the Commission, Chairman Deborah Platt Majoras said that much of the work of the FTC’s Bureau of Consumer Protection has been devoted to data security and identity theft, technology risks to consumers, fraud in the marketing of health care products, financial practices, telemarketing fraud, and enforcement of the National Do Not Call Rule."
Press release: "The federal Judiciary is seeking comment on the privacy and security implications related to public Internet access to certain documents in criminal case files. The Court Administration and Case Management Committee of the Judicial Conference of the United States is studying these issues so the Conference can develop policy guidance for the federal courts. The committee is interested in comments on a proposal to restrict public Internet access to plea agreements in criminal cases, which may contain information identifying defendants who are cooperating with law enforcement investigations. The request for public comment addresses both the privacy and security implications of Internet access to such files and potential policy alternatives."
Senate Committee on Homeland Security and Governmental Affairs, Confronting the Terrorist Threat to the Homeland: Six Years After 9/11, September 10, 2007.
Witness Testimony
House Committee on Homeland Security, Turning Spy Satellites on the Homeland: the Privacy and Civil Liberties Implications of the National Applications Office [Links to Witness Statements] Thursday, September 06, 2007
Department of Justice, Office of the Inspector General, Audit Division: Follow-Up Audit of the Terrorist Screening Center, Audit Report 07-41, September 2007, Redacted for Public Release, (106 pages, PDF)
ACLU press release: "A federal court today struck down the amended Patriot Act's National Security Letter (NSL) provision. The law has permitted the FBI to issue NSLs demanding private information about people within the United States without court approval, and to gag those who receive NSLs from discussing them. The court found that the gag power was unconstitutional and that because the statute prevented courts from engaging in meaningful judicial review of gags, it violated the First Amendment and the principle of separation of powers."
"As Congress and federal regulators consider proposals aimed at reducing the risk of identity theft, a national poll by the Consumer Reports National Research Center reveals that an overwhelming majority of Americans want lawmakers to restrict the use and availability of Social Security numbers by businesses and government agencies. According to the poll, 89 percent of Americans agree that state and federal lawmakers should pass laws restricting the use of Social Security numbers. Social Security numbers are particularly sensitive information because they can provide the key to unlocking a consumer’s financial identity...Consumers Union released the poll results in comments filed with the Federal Trade Commission (FTC), which is studying the collection and use of Social Security numbers by the private sector. Several pending congressional proposals would restrict the sale, purchase, and display of Social Security numbers. Consumers Union recommends that the sale and purchase of the numbers be tightly restricted and that solicitation be prohibited except where required by law or where needed for credit, employment, tax compliance, or investment purposes."
Analysis of Loss of Control Over Sensitive Personally Identifiable Information and Follow-up Actions to Strengthen its Protection, August 28, 2007. Correspondence (23 pages, PDF)
Washington Post: Terror Suspect List Yields Few Arrests - 20,000 Detentions in '06 Rile Critics: "The government's terrorist screening database flagged Americans and foreigners as suspected terrorists almost 20,000 times last year. But only a small fraction of those questioned were arrested or denied entry into the United States, raising concerns among critics about privacy and the list's effectiveness...The database is maintained by the Terrorist Screening Center, a joint operation between the FBI and the Department of Homeland Security. Rick Kopel, the TSC's deputy director, called it "one of the best things the government has been able to accomplish since 9/11."
The Wall Street Journal today reported that House Homeland Security Committee Chairman Bennie Thompson sent a letter to Homeland Security Secretary Michael Chertoff stating the intention to conduct careful oversight over the fall 2007 launch of the National Applications Office (NAO). This program's use of "spy satellites for domestic homeland security and law enforcement purposes" has raised civil liberties and privacy issues.
Press release: "DoD’s Counterintelligence Field Activity (CIFA) will close the TALON Reporting System effective Sept. 17, 2007, and maintain a record copy of the collected data in accordance with intelligence oversight requirements. To ensure there is a mechanism in place to document and assess potential threats to DoD resources, the Assistant Secretary of Defense for Homeland Defense and Americas’ Security Affairs will propose a system to streamline such threat reporting and better meet the Defense department’s needs."
Follow-up to August 20, 2007 posting, White House Fails to Comply With Subpoenas on Domestic Surveillance Program - additional related government documents and news:
Technology Review - Searching for Humans - Various websites are trying to make it easier to find friends and colleagues online: "Jaideep Singh, cofounder of the new people-search engine Spock, says he wants to build a profile for every person in the world. To do this, he plans to combine the power of search algorithms with online social networks."
Follow-up to previous posting on the government's domestic surveillance program, today's Statement of Senator Patrick Leahy, Chairman, Senate Judiciary Committee, On The Bush Administration’s Failure To Comply With Subpoenas For Warrantless Wiretapping Documents, August 20, 2007: "Today was the deadline for the Administration to comply with the Judiciary Committee’s subpoenas for documents related to the legal justifications for and President’s authorization of the warrantless wiretapping program. The Administration failed to adequately comply, despite our granting an extension of more than a month past the original return date. The Administration has produced no documents, no adequate basis for noncompliance, no privilege claims, and no complete privilege log."
Related news and government documents:
The plaintiffs in Al-Haramain Islamic Foundation, Inc. v. Bush are an Oregon branch of a Saudi charity that has been investigated for alleged terrorist ties. They argue that they have a top-secret document proving they were a direct target of National Security Agency surveillance.
Hepting v. AT&T is a class action on behalf of a group of AT&T customers who allege that the company intercepted their phone calls and electronic mail, then disclosed the information to the NSA.
EPIC: "The biometrics program manager in Iraq this week expressed concern that the database containing biometrics and secret files on thousands of Iraqis could "become a hit list if it gets in the wrong hands." According to Lt. Col. Velliquette, the Iraqi system has approximately 750,000 records in its database. Earlier, EPIC, Privacy International, and Human Rights Watch wrote to the US Defense Secretary to warn that the system will lead to reprisals and further killings. For more information, see Transcript of "The Role of Biometrics in Counterinsurgency," blogs at Harpers and Wired, and the EPIC Iraq Biometric Identification System page."
Press release: "The U.S. Department of Homeland Security’s (DHS) National Applications Office (NAO) is the executive agent to facilitate the use of intelligence community technological assets for civil, homeland security and law enforcement purposes within the United States. The office will begin initial operation by fall 2007 and will build on the long-standing work of the Civil Applications Committee, which was created in 1974 to facilitate the use of the capabilities of the intelligence community for civil, non-defense uses in the United States...As a principal interface between the Intelligence Community and the Civil Applications, Homeland Security and Law Enforcement Domains, the National Applications Office will provide more robust access to needed remote sensing information to appropriate customers."
WSJ: "The U.S.'s top intelligence official has greatly expanded the range of federal and local authorities who can get access to information from the nation's vast network of spy satellites in the U.S. The decision, made three months ago by Director of National Intelligence Michael McConnell, places for the first time some of the U.S.'s most powerful intelligence-gathering tools at the disposal of domestic security officials. The move was authorized in a May 25 memo sent to Homeland Security Secretary Michael Chertoff asking his department to facilitate access to the spy network on behalf of civilian agencies and law enforcement."
Understanding Privacy -- and the Real Threats to It, August 4, 2007 (20 pages, PDF), by Jim Harper, the editor of Privacilla.org and director of information policy studies at the Cato Institute.
"Law has dual, conflicting effects on privacy. Law is essential for protecting privacy because it backs individuals' privacy-protecting decisions, but much legislation plays a significant role in undermining privacy. Indeed, the principal threats to privacy come from governments.
These threats fall into three classes. The first, government surveillance, is a profound and well-recognized threat to privacy. Governments also undermine privacy by collecting, cataloging, and sharing personal information about citizens for administrative purposes. Less acknowledged -- but no less important -- is the wide variety of laws and regulations that degrade citizens' power to protect privacy as they see fit."
Erickson, K., & Howard, P. (2007). A case of mistaken identity? News accounts of hacker, consumer, and organizational responsibility for compromised digital records. Journal of Computer-Mediated Communication, 12(4), article 5.
UK House of Lords, Science and Technology Committee, 5th Report of Session 2006-2007: Personal Internet Security, August 10, 2007 (121 pages, PDF)
But the Internet is now increasingly the playground of criminals. Where a decade ago the public perception of the e-criminal was of a lonely hacker searching for attention, today's "bad guys" belong to organised crime groups, are highly skilful, specialised, and focused on profit. They want to stay invisible, and so far they have largely succeeded. While the incidence and cost of e-crime are known to be huge, no accurate data exist.
Underpinning the success of the Internet is the confidence of hundreds of millions of individual users across the globe. But there is a growing perception, fuelled by media reports, that the Internet is insecure and unsafe. When this is set against the rate of change and innovation, and the difficulty of keeping pace with the latest technology, the risk to public confidence is clear.
The Government have insisted in evidence to this inquiry that the responsibility for personal Internet security ultimately rests with the individual. This is no longer realistic, and compounds the perception that the Internet is a lawless "wild west". It is clear to us that many organisations with a stake in the Internet could do more to promote personal Internet security: the manufacturers of hardware and software; retailers; Internet Service Providers; businesses, such as banks, that operate online; the police and the criminal justice system.
We believe as a general principle that well-targeted incentives are more likely to yield results in such a dynamic industry than formal regulation. However, if incentives are to be effective, they may in some cases need to be backed up by the possibility of direct regulation. Also, there are some areas, such as policing, where direct Government action is needed. So Government leadership across the board is required. Our recommendations urge the Government, through a flexible mix of incentives, regulation, and direct investment, to galvanise the key stakeholders.
The threat to the Internet is clear, but it is still manageable. Now is the time to act, both domestically, and internationally, through the European Union and through international organisations and partnerships.
AP: "Of the 12 states in the Northeast and Midwest that are part of the E-ZPass system, agencies in seven states provide electronic toll information in response to court orders in criminal and civil cases, including divorces, according to an Associated Press survey."
ACLU press release: "The U.S. security establishment is rapidly increasing its ability to monitor average Americans by hiring or compelling private-sector corporations to provide billions of customer records. The explosive growth in surveillance by government and business is creating a Surveillance-Industrial Complex (PDF) that threatens all of our privacy."
"Consumers can take many measures to make their laptop secure from hackers, viruses, and other potential threats, such as installing firewalls, updating antivirus software, and using strong passwords. Now, the Federal Trade Commission is offering tips for protecting laptops from theft."
Press release: "In a trend that could substantially benefit Internet users, the largest Internet search companies are beginning to aggressively compete with one another to offer stronger privacy protections, according to a report published today by the Center for Democracy and Technology (CDT). Until recently, most of the major Internet search engines kept detailed -- and potentially personally identifiable -- records of their customers' searches for as long as they deemed them useful, which generally meant indefinitely. In a string of recent announcements, the companies announced steps they were taking to delete old user data, strip the personally identifiable information out of stored search records, and, in one case, give users the option to have all of their search records deleted. CDT's Search Privacy Practices report details and compares the revamped privacy policies of the five largest search providers and offers recommendations for both the industry and lawmakers for how to strengthen privacy protections even further."
Press release: "The Federal Emergency Management Agency (FEMA) is launching an effort to contact up to 2.2 million applicants for federal disaster assistance to inform them that a federal appellate court ruling requires FEMA to release certain personally identifiable information. This information would normally be protected under the Privacy Act and the exemption for personal privacy under the Freedom of Information Act (FOIA)...The order affects up to 2.2 million persons in eight states who applied for federal assistance in connection with disasters that include hurricanes Charley, Frances, Ivan and Jeanne in Florida in 2004 and 27 additional Presidentially declared disasters."
"The risk associated with using the Internet remains high. Our State of the Net assesses the likelihood and impact of four leading online hazards, listed in order of incidence, based on the survey by the Consumer Reports National Research Center and our follow-up investigation."
Follow-up to August 5, 2007 posting - Bill to Amend Foreign Intelligence Surveillance Act Ready for President's Signature - today's FAQ: How far does the new wiretap law go? by Declan McCullagh - "Over strong objections from civil liberties groups and many Democrats, legislators voted over the weekend to temporarily rewrite a 1978 wiretapping law that the Bush administration claimed was hindering antiterrorism investigations."
Related government documents:
Report to Congress on Implementation of Section 1001 of the USA PATRIOT Act (as required by Section 1001(3) of Public Law 107-56), Special Report, August 3, 2007 - Office of the Inspector General [PDF or HTML]
Press release: "The Department of Homeland Security has posted on its web site, and will publish on Aug. 6, 2007, in the Federal Register, four Privacy Act records involving the Automated Targeting System (ATS). The records are an updated System of Records Notice (SORN), the Discussion of Public Comments Received on the SORN, a Notice of Proposed Rulemaking for Privacy Act Exemptions, and a Privacy Impact Assessment (PIA). In doing so, the department has strengthened privacy protections for all individuals traveling in to and out of the United States."
Online Snooping Gets Creepy, By Anita Hamilton: "...An estimated 30% of all Web searches are aimed at finding people, according to industry statistics, and upstarts like PeekYou, Pipl, Spock, and Wink are vying for a piece of this potentially huge market. These free sites work by scouring the Web for any virtual footprints you might have on MySpace, Facebook, Friendster, Yahoo!, Flickr and elsewhere, and then creating a fresh profile that organizes all that information on one page."
House Judiciary Committee, Subcommittee on Commercial and Administrative Law - Oversight Hearing on Privacy in the Hands of the Government: The Privacy and Civil Liberties Oversight Board and the Privacy Officer for the U.S. Department of Homeland Security, July 27, 2007. [links to witness statements]
M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 25, 2007) (43 pages, PDF)
"The World Privacy Forum has filed public comments with the Department of Health and Human Services requesting that its new National Disaster Medical System protect all patient information to at least the baseline protections that HIPAA affords, including the HIPAA security and privacy protections. Currently, the new system does not do this, even though the system is housed at HHS, the agency which promulgated the HIPAA standards. The National Disaster Medical System currently contains overbroad routine uses which could potentially result in significant privacy and even public health issues. For example, public health information will not be able to be disclosed under the National Disaster Medical System as the system is currently organized. Additionally, some of the current routine uses in the system would authorize disclosures that would be illegal under HIPAA. For example, Congressional disclosure of a HIPAA record requires a written authorization, something the new system does not require. Read the comments (PDF)."
Press release: "Secretary Michael Chertoff made the following statement: "I am pleased to have signed an important agreement with the European Union today that will allow the Department of Homeland Security to continue using Passenger Name Record (PNR) data as an essential screening tool for detecting potentially dangerous transatlantic travelers."
Oversight Hearing on Privacy in the Hands of the Government: The Privacy and Civil Liberties Oversight Board and the Privacy Officer for the U.S. Department of Homeland Security, July 24, 2007
Senate Committee on Commerce, Science, and Transportation hearing, Protecting Children on the Internet, July 24, 2007.