Friday, June 30, 2006

Federal Commissioner polls Canadians on privacy attitudes

The Privacy Commissioner of Canada has commissioned a poll on Canadians' attitudes on privacy issues. It just came out, so I haven't reviewed it yet but the Commissioner's release is below:

CNW Group: "Poll says Canadians want personal information treated more responsibly

OTTAWA, June 30 /CNW Telbec/ - Canadians want the government and businesses to take their responsibility for safeguarding personal information more seriously, according to the Privacy Commissioner of Canada, Jennifer Stoddart, who released today the findings from a poll commissioned by her Office. The study reveals that most Canadians believe that neither the government nor businesses take their responsibility to protect their personal information very seriously. Only 14 per cent of Canadians believe that the federal government takes its responsibility to protect personal information very seriously and only 11 per cent are confident that businesses take this responsibility very seriously.

"The current government has pledged to make accountability a trademark of government operations, and I can't think of a better way to demonstrate this principle, than by holding it to account for the way in which it treats the personal information," says Privacy Commissioner Jennifer Stoddart. "Establishing sound privacy management frameworks would help organizations protect individuals' personal information by identifying the inherent privacy risks, and how best to mitigate those risks."

In March 2006, the Office commissioned a public opinion study by EKOS Research Associates to revisit benchmarks from the previous year and to better meet Canadians' educational needs about privacy.

While Canadians do not consider privacy on par with priorities such as healthcare and education, they place updating privacy laws on similar footing to issues such as ethics and accountability, public security and taxation. In fact, according to the study, close to 90 per cent take it as a given that the rapid pace of technological innovation means that existing privacy legislation needs to be updated regularly and virtually no one believes there is little need to modernize the law. These findings support the Commissioner's calls for reform of the Privacy Act, which covers the personal information handling practices of federal departments and agencies. The Privacy Act is a first generation privacy law that has not been substantially amended since its inception in 1983. On June 5, 2006 the Commissioner tabled her proposals for reform of the Act with the House of Commons Standing Committee on Access to Information, Privacy and Ethics.

"The Privacy Act is an often inadequate public sector data protection law that is woefully out of date," says Ms. Stoddart. "Since my appointment, I have been urging the Government of Canada to reform the Privacy Act. My recommendations to Parliament call for strengthening the Act to address critical issues such as the transborder data flow of personal information."

According to the study, approximately two-thirds of Canadians surveyed are highly concerned about their government's transfer of individual personal information across borders, by outsourcing works to companies in the U.S. The privacy implications related to the USA PATRIOT Act have become the symbol of the increasing concern of Canadians about the security of their personal information when it leaves Canada. In fact, almost 90 per cent of those who are aware of the USA PATRIOT Act express some concerns about the law.

In late March 2006, the Treasury Board released a national strategy and guidelines to address the public's heightened concerns over the transborder flow and the possible privacy risks posed by foreign legislation such as the USA PATRIOT Act. Although the initiative was commended by the Privacy Commissioner as a welcome step toward addressing the concerns, a modernized Privacy Act would further strengthen the federal privacy regime.

Other key highlights of the 2006 EKOS survey:

  • The proportion of Canadians reporting that they have a good or very good understanding of their privacy rights has doubled since 2001, rising from 13 to 26 per cent, which suggests that Canadians may be taking more control over their personal information. Perhaps this explains why more than 85 per cent of them want to be informed by companies about the privacy implications of products or services they buy.
  • Approximately 8 in 10 Canadians believe their country should be equipped with strong laws to protect their personal information. The inability to have strong privacy legislation will continue to undermine trust in their government to protect their personal information seriously.
  • Although Canadians are among the most technology savvy in the world and they understand that processing personal information is core to a modern and competitive economy, only 50 per cent of those polled say they have enough information to know the privacy implications of new technologies. In response to this need and to better serve Canadians, the Office is developing information and guidance to help individuals better understand the privacy risks and implications of new technologies such as radio frequency identification devices (RFID).

The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada.

For a copy of the 2006 EKOS Research Associates survey, please visit: Revisiting the Privacy Landscape a Year Later (www.privcom.gc.ca)

Canada prepares to roll out biometric passports

According to the Toronto Star, Canada is laying the regulatory groundwork to introduce biometric passports.

TheStar.com - Ottawa takes 'big step' to biometric ID

... The latest issue of the Canada Gazette, the government's official notice paper, contains several proposed changes to the formal rules governing passports, including two specific provisions for biometric data.

"Passport Canada may convert any information submitted by an applicant into a digital biometric format for the purpose of inserting that information into a passport or for other uses," says one proposed change.

"Passport Canada may convert an applicant's photograph into a biometric template for the purpose of verifying the applicant's identity, including nationality, and entitlement to obtain or remain in possession of a passport," says another.

Passport Canada officials confirmed yesterday that this is a big step toward a large-scale debut of biometrics — the technology that allows citizens to be identified by physical characteristics, which is increasingly becoming a part of many countries' national ID systems.

In Canada's case, the biometrics will be facial-recognition technology, according to Passport Canada spokesperson Francine Charbonneau.

"There is no timeline yet. There's not even a ballpark figure of the timeline," she said. "But it is a good sign that we have the modification.... It's a big step."

Here is the relevant portion of the Canada Gazette notice about amendments to the Passport Order:

Canada Gazette - Order Amending the Canadian Passport Order - P.C. 2006-529 June 15, 2006

(2) Subsection 8.1(2) of the English version of the Order is replaced by the following:

(2) Passport Canada may convert an applicant's photograph into a biometric template for the purpose of verifying the applicant's identity, including nationality, and entitlement to obtain or remain in possession of a passport.

Thursday, June 29, 2006

Laptop with veterans' info found

According to the New York Times, the laptop stolen from an employee of the Department of Veterans' Affairs (containing information on more than twenty million veterans) has been recovered.

According to the FBI, the information has not been accessed. I'm enough of a propeller-head to know that you can't ever tell with certainty that information has not been accessed. A drive can be copied without altering the data in any way. (Please, correct me if I'm wrong.)

Here's part of the NYT's article:

Missing Laptop With Veterans' Data Is Found - New York Times:

WASHINGTON, June 29 - The government has recovered a stolen laptop computer and hard drive that contains sensitive information, including birthdates and Social Security numbers, for millions of veterans and military personnel, the Department of Veterans Affairs said today.

The Federal Bureau of Investigation said in a statement issued by its Baltimore field office that an initial examination had found that the data had not been copied or misused in any way.

'A preliminary review of the equipment by computer forensic teams has determined that the data base remains intact and has not been accessed since it was stolen,' the statement said....

Update (20060706): Over at Slashdot, those more knowledgeable than me tend to agree with my semi-informed observation: Slashdot | Forensic Analysis of the Stolen VA Database.

More fallout from Sympatico privacy upset

I reported earlier this week that some people are upset, seeing changes in the Bell Sympatico user agreement as a harbinger of wholesale monitoring of internet use by that service's users (Canadian Privacy Law Blog: Bell warns customers about privacy loss with lawful access). A bit more info is coming to the fore.

Bell has denied that this is the case. A Bell representative has weighed in on a chat hosted by the Globe & Mail:

globeandmail.com : Jack Kapica on who's watching your surfing

Hi Jack, Paolo here from Bell, I am following your online chat about yesterday's news regarding Sympatico user agreements.

Some facts that you should be aware of:

1) Reporter implies with his wire story that we are monitoring our customers - an absolute incorrect statement. Our official statement sent out last night to this reporter and several other as follows:

a. Bell Canada has a long and established history of protecting the privacy of its customers. Bell collaborates with law enforcement agencies only when presented with legitimate court-ordered warrants. To suggest that we are illegally or routinely monitoring our customers is inaccurate and false.

2) The Bell Sympatico user agreement is in no way connected to pending bill C-74 in front of the House, as suggested. This is a standard user agreement accepted by our customers.

For clarity, here is the full clause in the Sympatico User Agreement in which the reporter did not capture correctly and is referring to:

Clause 17 of the Sympatico Service Agreement reads as follows:

User Information; Other Information. Your messages may be the subject of unauthorized third party interception and review. An individual with Internet access can cause, among other things, damage, incur expenses and enter into contractual obligations while on the Internet. All such matters are your sole responsibility. Your Service Provider has no obligation to monitor the Service, any content or your use of Your Service Provider's networks. However, you agree that Your Service Provider reserves the right from time to time to monitor the Service electronically, monitor or investigate content or your use of Your Service Provider's networks, including without limitation bandwidth consumption, and to disclose any information necessary to satisfy any laws, regulations or other governmental request from any applicable jurisdiction, or as necessary to operate the Service or to protect itself or others.

You hereby acknowledge that Your Service Provider, its affiliates, agents and suppliers may retain and use any information, comments or ideas conveyed by you relating to the Service (including any products and services made available on the Service). This information may be used to provide you with better service.

Your Service Provider may send you Service related information on a regular basis via email addressed to your Sympatico parent email address. You agree to review and to familiarize yourself with all such Service related information, and Your Service Provider is not liable for any damage or detriment to you or your property resulting from your failure to do so. Your continued use of the Service following delivery of any such Service related information means that you accept and agree to comply with such information.

Paolo Pasquini, Associate Director

Bell Canada Media Relations

I write privacy policies and website terms of use agreements all the time. Like any contract, you need to be very careful with the words you use and the possible interpretations those words can bear. Even if Sympatico has no intent to start trolling users' activities, that is a very poor choice of wording. With the level of paranoia out there, it was inevitable that this paragraph would be interpreted this way and would cause such an uproar.

Wednesday, June 28, 2006

Canadian Commissioner investigates whether Canadian banking records were reviewed by the CIA

The Privacy Commissioner of Canada is investigating whether banking records of Canadians were reviewed by US authorities as part of their sweep of the SWIFT database (for some background: Canadian Privacy Law Blog: US reviews international financial database):

CTV.ca | CIA may have accessed Cdn. banking records:

Canada's privacy commissioner is investigating whether United States officials have improperly received the banking records of Canadians.

The Toronto Star reports the investigation is also trying to determine if the Central Intelligence Agency was given unauthorized access to the confidential files.

"This is something we're looking into," Anne-Marie Hayden, spokesperson for the privacy commissioner's office, told the newspaper.

"Any time personal information of Canadians is obtained by a foreign government in circumstances that may not provide the same privacy protections that exist in Canada, we have concerns."

On Tuesday, a human rights group filed formal complaints in 32 countries, including Canada, against a Brussels-based banking consortium for providing the U.S. with confidential information about international money transfers, the International Herald Tribune reported.

The London-based Privacy International alleges the Society for Worldwide Interbank Financial Telecommunication, or SWIFT, has violated rules in numerous jurisdictions by handing over the data....

Alberta Commissioner issues important ruling on guardians versus mature minors

The Information and Privacy Commissioner of Alberta, Frank Work, has issued an order under the province's Health Information Act that will likely stand as a strong precedent for PIPEDA and other privacy laws.

In this particular case, the guardian of a "mature minor" was requesting information related to her daughter. The Commissioner concluded that if the minor "understands the nature of the right or power and the consequences of exercising the right or power" in the Act, the guardian cannot exercise those powers. This test comes directly from the Act:

104(1) Any right or power conferred on an individual by this Act may be exercised …..
(b) if the individual is under 18 years of age and understands the nature of the right or power and the consequences of exercising the right or power, by the individual,

(c) if the individual is under 18 years of age but does not meet the criterion in clause (b), by the guardian of the individual.

The decision includes a thorough review of the evolving norms and standards in Canadian law related to "mature minors".

The Commissioner's press release on the Order is below:

Commissioner issues important ruling on the authority of a guardian versus a mature minor:

June 26, 2006

Edmonton... Alberta's Information and Privacy Commissioner has ruled that a parent who requested her daughter's medical records did not have the right to exercise the daughter's rights or powers under the Health Information Act (HIA).

Frank Work made the determination during an inquiry into a request from a parent for access to certain medical records regarding her daughter. The Commissioner has ruled that in this particular case, the minor was entitled to exercise her own rights or powers under the HIA because she was able to understand the nature and consequences of exercising those rights. Such an individual is also known as a mature minor.

The HIA allows a guardian to exercise the rights or powers of a minor if the guardian can show that the minor does not understand the nature or the consequences of exercising the right or power.

In making the ruling, Commissioner Work indicated that he did not have jurisdiction to hear other issues put forward at the inquiry.

The Order is Number F2005-017 and H2005-001.

Bell warns customers about privacy loss with lawful access

Bell Canada has changed its customer service agreement for its internet customers to let them know that lawful access is likely back on the agenda. According to the Canadian Press (I haven't been able to track down a copy of the new terms of service), the new agreement purports to give Bell the right to "monitor or investigate content or your use of your service provider's networks and to disclose any information necessary to satisfy any laws, regulations or other governmental request". See: CTV.ca | Sympatico's customers warned of privacy loss.

Tuesday, June 27, 2006

Ontario Commissioner tables her 2005 Annual Report

Ann Cavoukian has tabled her annual report for 2005 in the Ontario Provincial Parliament. I haven't had a chance to review it in detail, but it appears to be full of interesting information.

Here is the media release:

IPC - Government spending must be open to the public: Commissioner Cavoukian says greater transparency needed:

NEWS RELEASE : June 27, 2006

Government spending must be open to the public: Commissioner Cavoukian says greater transparency needed

While considerable gains have been made, government organizations nonetheless continue to use the Freedom of Information and Protection of Privacy Act as a shield to block the release of consultants’ contracts and the financial arrangements made with suppliers of goods and services, said Information and Privacy Commissioner Ann Cavoukian.

Since early 2005, the IPC has overturned 11 decisions made by provincial or municipal organizations that refused to disclose this type of information. The requesters seeking the information had to appeal those decisions to my office to obtain the desired records, said Commissioner Cavoukian. Other requesters may have just given up, not bothering to file an appeal. “This is a complete waste of the time and resources of all parties involved,” said the Commissioner, who is urging municipal and provincial government organizations in Ontario to make a concerted effort towards ensuring that the public has full access to government spending records.

In her 2005 annual report, which she released today, Commissioner Cavoukian is asking every government office planning to hire a consultant, contractor, or service provider to immediately make it clear to them that the information they submit will most likely be made available to the public. “The default position should be that financial and all other pertinent information related to a contract will be made publicly available,” said Commissioner Cavoukian. Only in exceptional circumstances will withholding the financial terms of government contracts be justified on the basis of prejudice to one’s competitive position or privacy.

“The right of citizens to access government-held information is essential in order to hold elected and appointed officials accountable to the people they serve,” said the Commissioner. “This is particularly true for details of government expenditures and the public’s right to scrutinize how tax dollars are being spent. When government organizations use the services of individuals or companies in the private sector, the public should not lose its right to access this information.”

The need for transparency and accountability for government spending goes beyond contractual arrangements. In Order MO-1947, the Commissioner ordered the disclosure of information relating to lawsuits settled by the City of Toronto with third parties, including the number of lawsuits, dates settled and dollar amounts. The Commissioner again emphasized the importance of the disclosure of this type of information based on the taxpayers’ right to know and the need to hold both politicians and bureaucrats accountable for their actions.

In her wide-ranging 84-page annual report, Commissioner Cavoukian identifies and addresses seven other key issues. Among these, the Commissioner:

  • dispels some of the common misconceptions about radio frequency identification (RFID) and addresses when privacy issues need to be considered. “Users of RFID technologies and information systems should address the privacy and security issues early in the design stage, with a particular emphasis on data minimization,” said the Commissioner. “This means that wherever possible, efforts should be made to minimize the identifiability, observability and linkability of RFID data.” (Further to this issue, the Commissioner released new RFID Privacy Guidelines just last week. Here is a direct link to the Guidelines on the IPC’s website: www.ipc.on.ca/docs/rfidgdlines.pdf.);
  • outlines a highly successful collaboration between the Ontario College of Pharmacists, the Ontario Pharmacists’ Association and the IPC. Within days of a controversy erupting in the media over the screening of women attempting to access the emergency contraceptive pill, commonly known as Plan B, the Ontario College of Pharmacists, after working with the Commissioner and the Association, issued new guidelines for pharmacists operating in Ontario;
  • examines the issue of the secure destruction of personal information, emphasizing that such information “must be permanently destroyed or erased in an irreversible manner that ensures the record cannot be reconstructed in any way, as reflected in the IPC Fact Sheet issued on secure destruction;”
  • advises that the IPC is closely watching the steps being taken towards the development of an interoperable electronic health record (EHR) system in Ontario. “Governance is a key issue in the implementation of an interoperable EHR,” said Commissioner Cavoukian. “One of the questions that needs to be addressed is how will accountability for patient privacy and information security be established in the context of a record that may eventually be shared throughout the entire health care system;”
  • stresses that privacy should not be used as a shield to minimize disclosure of essential information in emergency situations. “While access and privacy laws underline the importance of protecting the privacy of individuals, they also recognize that, in certain circumstances, privacy should not be an impediment to the sharing of vital – and, in some cases, life-saving – information, even in the absence of consent,” says the Commissioner;
  • addresses the issue of fingerprints, photos and other personal information of people who were charged with a crime, but never convicted, being kept by police. “Many people assume that when charges are dropped, stayed, withdrawn, or a finding of ‘not guilty’ is made, the name of the accused person is automatically cleared,” said the Commissioner. “However, while these and other non-conviction dispositions may leave a person without a criminal record, police services in Ontario retain most police records in perpetuity, even where a person is found not guilty by the courts. A fair expungement process must take into account both the legitimate interest of law enforcement and the fundamental rights of innocent citizens;” and
  • emphasizes the importance of building a culture of openness and transparency in all provincial and municipal government organizations. “Leadership on openness and transparency must come from the top,” said the Commissioner. “Public servants are more apt to disclose information without claiming inapplicable exemptions if they feel that their decisions will be supported by both the politicians and senior executives who lead their ministry, agency, board, commission or local government.”

The annual report also includes a detailed review of the impact of the Personal Health Information Protection Act (PHIPA) – Ontario’s first new privacy law in nearly 14 years – during its first full year.

Provincial ministries were praised by the Commissioner for a dramatic improvement in their 30-day-response compliance rate. Overall, ministries achieved an 80.1 per cent compliance rate – a significant increase from 68.7 per cent in 2004 and the highest provincial compliance rate in 17 years.

Elsewhere, the annual report includes statistical analysis of requests for information filed across Ontario in 2005 under FOI and PHIPA (34,957, the highest number ever), appeals to the IPC regarding some of the decisions government organizations made in response to FOI requests, and privacy complaints filed to the IPC under the provincial and municipal Freedom of Information and Protection of Privacy Acts, or under PHIPA.

Key IPC orders and privacy investigations are profiled, decisions rendered by the courts regarding Ontario access cases are cited, IPC educational efforts outlined, and information about the 25 publications the IPC issued in 2005 provided.

The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act, as well as the Personal Health Information Protection Act, and helping to educate the public about access and privacy issues.

Fraudster sentenced to jail for using modified terminal to collect debit card numbers and PINs

The Halifax (Nova Scotia) Chronicle Herald is reporting today that a 22-year-old man originally from Ontario has been sentenced to two years in jail in connection with a debit card scam. The individual has been convicted of fraud after he set up a kiosk in a mall in the Annapolis Valley and used a modified debit-card machine to capture card numbers and PINs. He managed to scam $33,000 until he was caught. See: The ChronicleHerald.ca: Man jailed two years for debit card scam.

I don't know about you, but I've been taking a much closer look at card readers lately.

Monday, June 26, 2006

US reviews international financial database

The New York Times reported on Friday that in the days following the September 11, 2006 attacks, the United States subpoenaed the entire database of SWIFT, the international inter-bank transfer settlement organization. This database would contain the records of a vast quantity of international money movements, most of them legitimate. What started as an urgent and temporary measure has since become institutionalized without any congressional approval or oversight. Searches of the database are said to be targeted with justification required, but it is but a short hop to fishing expeditions. What is also troubling is that a large quantity of these transactions have no connection whatever to the United States, but the US government is able to compel their production from a Belgian cooperative. See: Bank Data Is Sifted by U.S. in Secret to Block Terror - New York Times.

Saturday, June 24, 2006

Incident: Personal info on thousands of US sailors found on website

Info on thousands of US Navy sailors somehow found its way onto a website, including names, addresses and social security numbers:

Navy Finds Data on Thousands of Sailors on Web Site

Navy officials discovered this week that personal information on nearly 28,000 sailors and family members was compromised when it appeared on a Web site, fueling more concerns about the security of sensitive information belonging to federal employees.

Five spreadsheet files of data -- including names, birth dates and Social Security numbers of sailors and their relatives -- were found exposed on a Web site Thursday night during routine internal sweeps of the Internet for sensitive material, said Lt. Justin Cole, a spokesman for the chief of naval personnel. He said the material was removed from the Web site within two hours....

Meanwhile, the Canadian navy has lost a torpedo.

Geist comments on Privacy Act annual report

As I reported here a little while ago (The Canadian Privacy Law Blog: Privacy Commissioner tables annual report to parliament on the Privacy Act), the Privacy Commissioner of Canada has tabled her annual report on the Privacy Act. Michael Geist has some comments on it and finds it A Discouraging Read.

Incident: FTC laptops stolen, along with personal data

The American Federal Trade Commission is usually at the forefront of slapping around companies who do not take adequate steps to secure personal information. So it is a bit ironic that two FTC laptops have been stolen from a locked car, along with personal information on around one hundred defendants in current FTC investigations. Check it out: FTC laptops stolen, along with personal data.

Thursday, June 22, 2006

Finding: Bank can't use employee's personal banking information

The Privacy Commissioner recently released her finding following a complaint brought by a bank employee about the bank directly withdrawing funds from the employee’s bank account. (Commissioner's Findings - PIPEDA Case Summary #327: Bank retrieves overpayment of wages from employee's account (February 2, 2006))

In this case, the Complainant had been receiving benefits under the bank’s disability policy. She had been receiving payments for several weeks when it was determined that she was not eligible for the benefits. The bank determined that it was necessary to stop the next payment but it was too late as the amounts had already been deposited in the employee’s account. The bank then placed a hold on the funds and subsequently withdrew them directly from the employee’s account.

The individual complained to the Office of the Privacy Commissioner and reference was made, either by the Complainant or by the bank, to Section 254.1(2)(d) of the Canada Labour Code which allows an employer to make deductions from wages for “overpayment of wages by the employer.” It was the bank’s argument that it was entitled to take the funds from the account based on this particular provision.

The Privacy Commissioner of Canada considered the complaint and the provisions of the Canada Labour Code, including that the bank might have been entitled to deduct such amounts from wages before they are paid, but the Code and the Personal Information Protection and Electronic Documents Act do not allow the bank to unilaterally retrieve a sum of money from her account. The Commissioner concluded “the bank had misused the Complainant’s personal information when it took advantage of its dual role as her employer and bank and retrieved money from her account, without her knowledge or consent, thereby breaching Principle 4.3”.

The Complaint was found to be “well founded and resolved” and the bank has committed to change its procedure for recovering funds due from the accounts of bank employees.

Australian bungle sees private documents sold

The Government of Queensland in Australia apparently has a procedure for dealing with excess paper: Shred then send to an outsourcer to recycle. Someone forgot the all-important "shred" step and, as a result, birth certificates, blank cheques and other bits of personal information were released into the wild, according to the Australian.

My favourite quote is at the end:

Bungle sees private documents sold | The Australian:

June 22, 2006

THE Queensland Government is investigating how people's personal documents including birth certificates and wills were sold for paper recycling without being shredded first.

Public Works Minister Robert Schwarten said the Government was investigating reports that sensitive documents had turned up intact in a Brisbane man's workplace.

The documents reportedly came from various Government departments, including the Attorney-General's office, which declined to comment today.

Mr Schwarten said it took privacy breaches seriously.

"Any firm that compromises that will be on a one-way ticket out of business as far as we are concerned," Mr Schwarten said.

"We are not interested in doing business with people who do not honour the very stringent business conditions we set."

The documents, including blank bank cheques and wills, turned up in the workplace of a Brisbane man, whose wife spoke to the Ten Network.

"With the information that I have here, I could go to town," the woman told the network.

"I could assume someone else's identity. There's wills, there's blank bank cheques, there's birth certificates and marriage certificates.

"They are supposed to be shredded and then outsourced and sold as recycled paper but unfortunately, they have just been sold, not shredded."

Queensland Council of Civil Liberties (QCCL) vice-president Terry O'Gorman said the bungle showed the need for updated legislation and a privacy commissioner.

"Until those laws are introduced, this sort of gross invasion of privacy, including victims' details from the Department of Justice, will continue to occur," Mr O'Gorman said.

Opposition Leader Lawrence Springborg said the Government was at fault.

"I'm not sure even a privacy commissioner would be able to fix this, because it's the Government's basic bungling of fundamental issues," he said.

Incident: Laptop stolen with Equifax employee info

The Privacy Law Site is reporting that an employee of Equifax had his laptop stolen in Europe last month. The computer contained names and social security numbers for all of the company's US-based employees. See: The Privacy Law Site: Equifax Laptop Stolen.

Why would an employee need to travel with that information? I dunno.

See also: Chron.com | Equifax: Laptop With Employee Data Stolen.

Cops crack Canadian debit card fraud ring

In the last week, police in Quebec have made a number of arrests in a sophisticated debit card cloning scam. The scammers had modified point of sale devices installed at more than 40 stores in the Montreal area, which captured and kept card data and PINs. Cloned cards could be created with the data, and the fraudsters could then clean out the victims' accounts at the nearest ATM.

One of the people arrested works for a POS company, so the devices looked completely legit.

Cops crack debit card fraud ring:

Published: Tuesday, June 20, 2006

Nine people, including an employee of a subcontractor of a major financial institution, were arrested Tuesday morning as police dismantled what they described as a very sophisticated debit card fraud ring.

The ring is alleged to be tied to a Montreal-area street gang but was highly sophisticated and well connected. More than 100 SQ officers participated in Tuesday’s raids. Besides the arrests they executed 10 search warrants, seizing computers, electronic equipment and cash.

“The way that they proceeded was that they would give money to a cashier in a dépanneur or a store,” said Sûreté du Québec spokesperson Constable Chantal Mackels.

“They would then install their own equipment in the store. When you would pass your debit card in the machine you wouldn’t think anything was wrong, but it would record all the information on your debit card. But also it would record your PIN. They didn’t need someone to look over your shoulder to find out your number.”

Mackels said that among those arrested was someone described as an “inside person” who worked for a subcontractor to Mouvements Desjardins, a financial co-operative. The person is alleged to have supplied client information to the fraudsters, in particular their dates of birth.

Mackels said Desjardins ATMs request that clients enter their dates of birth when making withdrawals.

The investigation began in March after the SQ's financial crimes division received a complaint from the Mouvements Desjardins. “They told us they were the victims of a fraud of a couple of million dollars,” Mackels said.

“Every year millions of dollars are stolen because of identity theft or fraud. It gives a sense of insecurity to people. That’s why we hit hard on these organizations and unfortunately it takes a while to investigate them.

“They’re always evolving and so do we.”

The people arrested are expected to appear in court Wednesday to face charges of fraud and conspiracy to do the same.

There's more coverage here:

Wednesday, June 21, 2006

What will it take?

Ira Winkler, at Computerworld, asks what will it take for executives to pay attention to the privacy of personal information. He ends his opinion piece thusly:

Opinion: What will it take?

... Again, the problem isn’t that the laptops are getting stolen, but that the data is on the laptops to begin with. There is no legitimate work situation where tens of thousands, let alone millions, of personal records are required on an individual system. I can understand the need for backup tapes, but no individual should be entrusted with all this data.

At this point, given all of the attention to stolen laptops, every organization should IMMEDIATELY ban the bulk downloading of databases holding personally identifiable information. All copies of such data should immediately be deleted with a disk wiping program. Continued possession of such data should be cause for immediate dismissal.

But let's not stop with the users, since the problem certainly didn't start with them. After the dozens of incidents of the compromise of millions of records, any CIO or consulting or audit manager who doesn’t immediately ban the practice of downloading data and institute a program to minimize the exposure of personally identifiable information on portable media should be fired. Immediately. You can't guarantee that everyone will follow the policy, but if you don’t have a policy in the first place, only a very poor manager does not learn from the painful experience of others. There is no discussion about this.

So what more has to happen to get a CIO to realize this? Or will it take a few high-profile cannings to get my point across?

Incident: Visa says February ATM breach may have exposed data

Apparently, Visa has come clean (sort of) about a large debit-card breach from earlier this year:

Visa says ATM breach may have exposed data - Yahoo! News

SAN FRANCISCO - Visa USA on Tuesday confirmed an ATM security breakdown has exposed more consumers to potential mischief, the latest in a long line of lapses that have illuminated the often flimsy controls over the personal information entrusted to businesses, schools and government agencies.

The latest breach dates back to February when San Francisco-based Visa began notifying banks of a security problem affecting a U.S.-based contractor that processed automated teller machine transactions. Visa, one of the nation's largest issuers of credit and debit cards, publicly acknowledged the trouble Tuesday in response to media inquiries prompted by Wachovia Bank's decision to replace an untold number of debit cards issued to its customers.

Charlotte, N.C.-based Wachovia issued the card replacements last week as an antifraud measure, said bank spokeswoman Mary Beth Navarro. She declined to explain the circumstances that triggered the action after several months. Visa also gave out few details about the incident. Thousands of banks have issued millions of debit cards bearing the Visa logo.

In a statement, Visa said it is working with its member banks and authorities "to do whatever is necessary to protect cardholders."...

Industry groups call for federal US privacy law

A coalition calling itself the Consumer Privacy Legislative Forum, which is composed of heavy-hitters like Google and eBay, is calling for a set of consistent privacy rules to replace the current mishmash of state laws. Their statement is here:

Consumer Privacy Legislative Forum Statement of Support in Principle for Comprehensive Consumer Privacy Legislation

Today we live in a digital economy where both beneficial and potentially harmful uses of personal information are multiplying. Information about individuals is used by businesses to: provide consumers with an unprecedented array of goods and services; increase productivity; promote access to financial products; and protect individuals, business and society from fraud and other bad acts. However, that same information can also be misused to harm individuals, with results such as identity theft, deception, unwarranted intrusion, embarrassment, and loss of consumer confidence.

The time has come for a serious process to consider comprehensive harmonized federal privacy legislation to create a simplified, uniform but flexible legal framework. The legislation should provide protection for consumers from inappropriate collection and misuse of their personal information and also enable legitimate businesses to use information to promote economic and social value. In principle, such legislation would address businesses collecting personal information from consumers in a transparent manner with appropriate notice; providing consumers with meaningful choice regarding the use and disclosure of that information; allowing consumers reasonable access to personal information they have provided; and protecting such information from misuse or unauthorized access. Because a national standard would preempt state laws, a robust framework is warranted.

About the Consumer Privacy Legislative Forum: The Consumer Privacy Legislative Forum was organized in the winter of 2006 to support a process to consider comprehensive consumer privacy legislation in the United States. The Forum began with a Steering Committee of companies eBay, Hewlett-Packard, and Microsoft, the consumer group Center for Democracy and Technology, and Professor Peter Swire of the Ohio State University. An expanded list of companies has now signed the Statement of Support in Principle for Comprehensive Consumer Privacy Legislation. In addition, the Forum has had detailed meetings with a diverse set of industry actors and consumer groups, in order to identify issues that need resolution as part of any eventual legislation. By providing a forum for discussion of these issues, the CPL Forum hopes to foster a more informed legislative debate, leading to privacy provisions that benefit both industry and consumers.

CPL Forum members signing the statement today are:

Eastman Kodak Co.

eBay Inc.

Eli Lilly and Co.

Google, Inc.

Hewitt and Associates

Hewlett-Packard Co.

Intel Corp.

Microsoft Corp.

Oracle Corp.

Procter & Gamble Co.

Sun Microsystems, Inc.

Symantec Corp.

More coverage here, too: Firms Seek Federal Privacy Rules.

Tuesday, June 20, 2006

How to Build a Low-Cost, Extended-Range RFID Skimmer

My kids just taught me that Darth Vader can read my mind. (It appears to work even if you're wearing your tinfoil hat.) I thought that was bad. Now Schneier and Boing Boing are telling me that any nerd with a soldering iron and directions to Radio Shack (or the Force, I guess) can read the RFIDs in my pocket. What is the world coming to? Check this out: How to Build a Low-Cost, Extended-Range RFID Skimmer.

Privacy Commissioner tables annual report to parliament on the Privacy Act

The Privacy Commissioner of Canada has tabled her Annual Report on the Privacy Act in Parliament. The report is here: Annual Report to Parliament 2005-2006 — Report on the Privacy Act (PDF format).

Here is the press release:

News Release: Tabling of Privacy Commissioner of Canada's 2005-06 Annual Report on the Privacy Act: Commissioner expresses concerns about public sector privacy protection (June 20, 2006)

Ottawa, June 20, 2006 – Considerably more could be done to protect Canadians’ personal information, especially with respect to information flowing across the border and a federal privacy law that simply isn’t up to standard, according to Privacy Commissioner of Canada Jennifer Stoddart, whose 2005-2006 Annual Report on the Privacy Act was tabled today in Parliament.

The Privacy Act governs how federal departments and agencies handle Canadians’ personal information.

Key to the report are the Commissioner’s findings from a major audit of the Canada Border Services Agency (CBSA). Upon her appointment in December 2003, the Commissioner immediately began raising concerns about the transborder flows of personal information. She called for an audit of the CBSA shortly thereafter. Worries about improper use of personal information became heightened following passage of the USA PATRIOT Act, which gives the United States government sweeping powers to seize information from American companies or Canadian companies operating in the U.S. The audit assessed the agency’s framework for controlling and protecting Canadians’ personal information as it flows to foreign governments.

Recent polling commissioned by the Commissioner’s Office suggests that 94% of Canadians express some concern about Canadian companies transferring customers’ personal information to companies in other countries. Furthermore, 85% of those Canadians with awareness of the privacy implications of the USA Patriot Act also express some concern over the issue.

“The overall issue of transborder dataflows has certainly caught the imagination of Canadians, and we have received inquiries and complaints which focus on it as a threat to privacy,” said Ms. Stoddart.

While the Commissioner found that the CBSA does have policies, procedures and systems in place for managing and sharing Canadians’ personal information with other countries, more must be done to mitigate risks, and achieve greater accountability and control over that information. The Commissioner made 19 recommendations to the CBSA and these have been accepted by the Agency. The findings include the following:

  • The CBSA needs a coordinated method of identifying and tracking all flows of its transborder data. The Agency cannot, with a reasonable degree of certainty, report on how much and how often it shares information with the U.S.
  • Information is often disclosed without first obtaining approval from a designated CBSA official, which contravenes the Agency’s policy. There are also weaknesses in the record keeping associated with disclosures of information.
  • Activities associated with sharing data across borders should be made more transparent.

Although the Commissioner found room for improvement in the CBSA audit, she also noted in her report that the federal government has already begun to address Canadians’ concerns about transborder data flows of personal information. In March 2005, Treasury Board Secretariat released a federal strategy and guidelines on how government institutions must protect personal information when outsourcing activities to private sector organizations.

“We see the federal strategy and guidelines as a positive step toward addressing Canadians’ concerns,” said Ms. Stoddart. “However, we also hope that they will be an integral part of a reformed Privacy Act.”

The Privacy Act has not been substantially amended since it came into effect in 1983. In early June 2006 the Commissioner tabled a report with the Standing Committee on Access to Information, Privacy and Ethics outlining her proposed reforms to the Act.

Also key to her Annual Report is the Commissioner’s observation that, at times, federal departments and agencies incorrectly interpret the Privacy Act in response to calls for disclosures of information in the public interest. The Act provides that the head of the institution may disclose personal information if the public interest clearly outweighs the privacy concerns of the individual involved—if, for example, the issue relates to health and safety, or public security. However, in certain instances where in the Commissioner’s view it could be invoked, it is not, and the Privacy Act is blamed by the institution as the reason important information cannot be provided to the public.

“This inaccurate explanation of the role of the Act paints the Act as the villain,” said Ms. Stoddart. “Our concern lies with the simplistic characterization of the Privacy Act as the barrier to disclosure.”

The Annual Report indicates that in 2005-2006 the Office prepared a Vision and Institutional Service Plan, and a Business Case for Permanent Funding – a blueprint for a stronger and more effective institutional role. Parliamentarians agreed with the Vision and the new House of Commons Advisory Panel on the Funding of Officers of Parliament was supportive of the request. The Office is now planning for a significant increase – close to 50% – in human and financial resources over the next two years.

“We are grateful that the government and Parliament have seen the wisdom in our proposals,” said Ms. Stoddart. “And we will now be in a better position to serve Canadians.”

The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada.

— 30 —

To view the report: Annual Report to Parliament 2005-2006 — Report on the Privacy Act (Adobe format)

Audit of the Personal Information Management Practices of the Canada Border Services Agency — Trans-Border Data Flows

Europe to continue sharing passenger records with US

According to Computerworld, European authorities have supposedly found a way around European privacy laws to allow the continued sharing of air passenger personal information with American law enforcement:

Europe to continue sharing passenger records with US:

June 19, 2006 (IDG News Service) -- Two weeks after Europe’s highest court overturned a European Union agreement to share passenger data with American authorities, the European Commission has proposed a new law that does much the same as the one that was annulled.

The Commission, the Union’s executive body, agreed Monday to propose a new law that uses different legal grounds to have the same effect: it will allow European airlines to share personal information about their passengers flying to the U.S. with U.S. customs and security officials.

Normally it would be illegal under Europe-wide privacy laws for a company to share European citizens’ personal data with a country with weaker data protection laws such as the U.S. However, after the attacks of Sept.11, 2001, mounted using commercial airline flights, American authorities demanded the information.

Airlines would be fined or worse, denied landing slots by American aviation authorities if they failed to provide the information, which includes details such as name, address and credit card information. But they would be sued in Europe for breaking data protection law if they did provide the Americans with the information.

To avoid havoc in the airline industry and a potential disruption of transatlantic flights, the Commission and the 25 national governments passed a law allowing the handover of most of the information the U.S. demanded....

For a bit o' background, check out: The Canadian Privacy Law Blog: European court blocks passenger data sharing deal with US.

Discussion about data theft and corporate irresponsibility

An unlucky slashdotter has started a discussion thread on data thefts and possible consumer recourse. Unfortunately, some of the advice involves burning buildings to the ground and moving to Nigeria, both of which may not be the most prudent course of action. In any event, check it out:

Slashdot Data Theft and Corporate Irresponsibility?

"Today, I received a letter from a student loan provider notifying me that my name and social security number had been stolen along with a contractor's computer. This makes -four- agencies that have lost my personal information, in the last year. Today's letter was the most disappointing yet: the company, Texas Guaranteed, did not offer any credit report monitoring like the previous three had. Their advice? Send a letter to the credit bureaus. Gee, thanks. Clearly, mass identity theft is completely out of hand and there doesn't seem to be any government regulation for handling these situations, nor does there seem to be any punitive action against businesses that lose customers' data. Do we, as consumers, have any recourse against these businesses?"

Thanks to Rob Hyndman for passing along the link.

Monday, June 19, 2006

Fake Name Generator

Some people who are concerned about their privacy are understandably nervous about giving their names, addresses, and whatnot to random websites just to look at an article, etc. Many use fake info, but websites are catching on by trying to verify the info by matching the address to the US ZIP code. If you are one of those people, you may be interested in the Fake Name Generator, which will produce a name, address, date of birth and mother's maiden name. It's all random. Here's what I got:

Joesph T. Villanvera
129 North Street
Grand Rapids, MI 49546

Phone: 231-394-0713
Mother's maiden name: Mogle
Birthday: March 18, 1964

But you can call me Joe.

Win fabulous prizes!

Sorry for the misleading headline, but if you are a student and you wrote a great paper on technology law issues this year (or ever), think about submitting it for the Canadian IT Law Association Student Writing Competition. The deadline is June 30, 2006 so you'd better hurry.

If you aren't a student, you're out of luck. Sorry.

Ontario Commissioner introduces RFID Guidelines

Ontario's Information and Privacy Commissioner has just produced a set of guidelines for implementing RFID technology to better protect privacy in its implementation. The guidelines are here and are being released along with a companion Practical Tips for Implementing RFID Privacy Guidelines. Earlier this month, the Commissioner released Worried about RFIDs? in video and paper form.

The Commissioner's press release is here:

Commissioner Cavoukian issues RFID Guidelines aimed at protecting privacy

TORONTO, June 19 /CNW/ - Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, today released privacy Guidelines for the growing field of radio frequency identification (RFID).

These Guidelines flow from her earlier work in 2003 when the Commissioner first identified the potential privacy concerns raised by RFID technology. Following a history of ground-breaking work on building privacy into the design of emerging technologies, these Guidelines are a natural progression of this pragmatic approach.

"I have always found it beneficial to assist those working on emerging technologies, and to be proactive whenever possible - to develop effective guidelines and codes before any problems arise," said Commissioner Cavoukian. "These made-in-Canada Guidelines provide guidance and solutions regarding item-level consumer RFID applications and uses."

EPCglobal Canada, an industry association that sets standards for electronic product codes, has been collaborating with the IPC in the development of these Guidelines, and will be seeking Board approval by its member companies to signify the association's endorsement of the Guidelines.

"This technology offers exciting benefits to consumers and businesses alike. As the trusted source for driving adoption of EPC/RFID technology for increased visibility within the supply chain, privacy is as important as anything else we are doing," said Art Smith, President and CEO, EPCglobal Canada. "We promote an environment that encourages ongoing innovation while respecting privacy issues."

RFID tags contain microchips and tiny radio antennas that can be attached to products. They transmit a unique identifying number to an electronic reader, which in turn links to a computer database where information about the item is stored. RFID tags may be read from a distance quickly and easily, making them valuable for managing inventory but pose potential risks to privacy if linked to personal identifiers. RFID tags are the next generation technology from barcodes.

Although RFID technology deployed in the supply chain management process poses little threat to privacy, item-level use of RFID tags in the retail sector, when linked to personally identifiable information, can facilitate the tracking and surveillance of individuals. The goal of these Guidelines is to alleviate concerns about the potential threat to privacy posed by this technology and to enhance openness and transparency about item-level use of RFID systems by retailers.

The Guidelines address key privacy issues regarding the use of RFID technology at an item-level in the retail sector, said Commissioner Cavoukian.

The Guidelines are based on three overarching principles, including:

  • Focus on RFID information systems, not technologies: The problem does not lie with RFID technologies themselves, but rather, the way in which they are deployed that can have privacy implications. The Guidelines should be applied to RFID information systems as a whole, rather than to any single technology component or function;
  • Build in privacy and security from the outset - at the design stage: Just as privacy concerns must be identified in a broad and systemic manner, so, too, must the technological solutions be addressed systemically. A thorough privacy impact assessment is critical. Users of RFID technologies and information systems should address the privacy and security issues early in the design stages, with a particular emphasis on data minimization. This means that wherever possible, efforts should be made to minimize the identifiability, observability and linkability of RFID data; and
  • Maximize individual participation and consent: Use of RFID information systems should be as open and transparent as possible, and afford individuals with as much opportunity as possible to participate and make informed decisions.

A companion piece to the Guidelines - Practical Tips for Implementing RFID Privacy Guidelines, is also being released by the Commissioner to help organizations put the Guidelines into practice.

The Guidelines and Practical Tips for Implementing RFID Privacy Guidelines are available on the IPC's website (www.ipc.on.ca).

Sunday, June 18, 2006

Incident: Laptop with D.C. workers' data stolen

There goes another one: Laptop with D.C. workers' data stolen - Yahoo! News.

Too many data breaches

It is increasingly difficult to stay on top of all the security/privacy breaches of late. Thanks to the Privacy Rights Clearinghouse, all the latest are set out in a handy table at http://www.privacyrights.org/ar/chrondatabreaches.htm, which includes these recent additions:

Ohio University Innovation Center (Athens, OH)

a server containing data including e-mails, patent and intellectual property files, and 35 Social Security numbers associated with parking passes was compromised.

A breach was discovered on a computer that housed IRS 1099 forms for vendors and independent contractors for calendar years 2004 and 2005.

A breach of a computer that hosted a variety of Web-based forms, including some that processed on-line business transactions. Although this computer was not set up to store personal information, investigators did discover files that contained fragments of personal information, including Social Security numbers. The data is fragmentary and it is not certain if the compromised information can be traced to individuals. Also found on the computer were 12 credit card numbers that were used for event registration.

330,000 [Updated 6/16/06]

June 11, 2006

Denver Election Commission (Denver, CO)

Records containing personal information on more than 150,000 voters are missing at city election offices. The microfilmed voter registration files from 1989 to 1998 were in a 500-pound cabinet that disappeared when the commission moved to new offices in February. The files contain voters' Social Security numbers, addresses and other personal information.

June 13, 2006

Minn. State Auditor (St. Paul, MN)

Three laptops possibly containing Social Security numbers and other personal information on some employees of local governments the auditor oversees have gone missing.

Oregon Dept. of Revenue (Portland, OR)

Electronic files containing personal data of Oregon taxpayers may have been compromised by an ex-employee who downloaded a contaminated file from a porn site. The "trojan" attached to the file may have sent taxpayer information back to the source when the computer was turned on.

U.S. Dept of Energy, Hanford Nuclear Reservation

Current and former workers at the Hanford Nuclear Reservation that their personal information may have been compromised, after police found a 1996 list with workers' names and other information in a home during an unrelated investigation.

Encrypt it

ABC News could be accused of stating the obvious in Encryption Can Save Data in Laptop Lapses, but the article does have some interesting info on specific lessons that the VA, EDS and Ernst & Young have recently learned the hard way.

Friday, June 16, 2006

Incident: Porn-surfing employee compromises personal information on 2,300 Oregon taxpayers

Incident: Computerworld is reporting that an employee of the Oregon Department of Revenue downloaded trojan software along with porn videos, apparently compromising personal information about 2,300 Oregon taxpayers: Trojan horse captured data on 2,300 Oregon taxpayers from infected gov't PC.

Lesson: Practice safe surfing or you might get infected.

Tory backbencher introduces bill to criminalize pretexting

Conservative backbencher James Rajotte has introduced a private members' bill, Bill C-299: An Act to amend the Criminal Code, the Canada Evidence Act and the Competition Act (personal information obtained by fraud). It is intended to criminalize pretexting and obtaining personal information by fraud. Here's a summary:

SUMMARY

This enactment amends the Criminal Code to create the following criminal offences:

(a) obtaining personal information from a third party by a false pretence or by fraud;

(b) counselling a person to obtain personal information from a third party by a false pretence or by fraud; and

(c) selling or otherwise disclosing personal information obtained from a third party by a false pretence or by fraud.

It also amends the criminal offence of “personation with intent” to include fraudulent personation with intent to obtain any record containing personal information about a third party.

As well, the enactment amends the Canada Evidence Act to prohibit the admission into evidence of any personal information obtained by fraud, false pretence or fraudulent personation.

Finally, it amends the Competition Act to

(a) characterize the business of fraudulently obtaining personal information as an illegal trade practice;

(b) characterize the promotion of a product that is provided by means of fraud, false pretence or fraudulent personation as a false or misleading representation to the public; and

(c) provide for the recovery of damages from corporations within Canada affiliated with corporations outside Canada that have obtained personal information from third parties in Canada by fraud, false pretence, or personation.

Whether it will have any legs is anyone's guess.

Thanks to Michael Geist for the link:

Wednesday, June 14, 2006

Beware of hidden digital camera metadata

I've posted a number of times about something called metadata. It is hidden information in different kinds of digital files that may reveal information about the document, its author or information that the distributor did not want to disclose. For example, Microsoft Word is notorious for the metadata that can be hidden in documents but we've also seen information leakage through Adobe Acrobat files (See: The Canadian Privacy Law Blog: More on metadata, The Canadian Privacy Law Blog: Document meta-data FAQ and risk information, The Canadian Privacy Law Blog: Security problems with hidden data in Acrobat PDF files).

I've known for some time that most digital cameras generate metadata (in the EXIF format), such as information about when the photo was taken, whether a flash was used, the exposure, lens focal length, etc. Flickr shows most metadata associated with photos. Check this out for an example: Flickr: More detail about leave.

What I did not know until today is that digital cameras will often embed a small thumbnail image of the photo as originally taken. In many cases, if you subsequently edit the photo, the original thumbnail remains. If the image is edited to cut out someone who didn't want to be photographed or if you blur the face of someone to protect their privacy, that information may still be available to anyone who gets the image.

There is no better illustration of the problem than the website created by Tonu Samuel. His site pulls images off the 'net then shows the original thumbnail and the modified image. One image generated by Samuel's site is a very vivid demonstration of why this is an issue: Hidden EXIF thumbnail security problem (may not be safe for work - it shows a young woman in a bikini whose face was obscured but is clearly identifiable in the thumbnail).

In short: Be very careful when you distribute modified digital images.

Thanks to michaelzimmer.org - The Hidden Photos Within Photos for the link.

UPDATE: I was browsing some of the photos that have been put through Tonu Samuel's EXIF extractor and came upon this great demonstration of why this can be a risk. The photos on this page are from the US Federal Bureau of Investigation (http://www.fbi.gov/wanted/seekinfo/erienote1.jpg). The published version shows a letter with significant portions blacked out. The embedded thumbnail is missing all the blacked out portions.
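A pre-publication check for the leftover-thumbnail problem described in this post, as an added example that is not part of the original post: it parses a JPEG's EXIF block, reports whether the second image directory (IFD1) still carries an embedded thumbnail, and strips the EXIF segment before the file is distributed. The sample image is constructed in the code from stand-in bytes, and all function names are this example's own.

```python
import struct

EXIF_MAGIC = b"Exif\x00\x00"
TAG_THUMB_OFFSET, TAG_THUMB_LENGTH = 0x0201, 0x0202  # JPEGInterchangeFormat(Length)

def segments(jpeg):
    """Yield (marker, start, end) for each header segment before the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # start of scan: compressed pixels follow
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("segment length runs past end of file")
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def read_ifd(tiff, order, offset):
    """Return ({tag: value}, next_ifd_offset) for one TIFF image file directory."""
    if offset + 2 > len(tiff):
        return {}, 0
    (count,) = struct.unpack(order + "H", tiff[offset:offset + 2])
    end = offset + 2 + 12 * count
    if end + 4 > len(tiff):
        return {}, 0
    tags = {}
    for i in range(count):
        entry = tiff[offset + 2 + 12 * i:offset + 14 + 12 * i]
        tag, typ, n = struct.unpack(order + "HHI", entry[:8])
        if n == 1 and typ in (3, 4):  # single SHORT or LONG stored inline
            fmt, width = ("H", 2) if typ == 3 else ("I", 4)
            (tags[tag],) = struct.unpack(order + fmt, entry[8:8 + width])
    (next_ifd,) = struct.unpack(order + "I", tiff[end:end + 4])
    return tags, next_ifd

def thumbnail_size(jpeg):
    """Byte length of the thumbnail embedded in EXIF IFD1, or 0 if there is none."""
    for marker, start, end in segments(jpeg):
        body = jpeg[start + 4:end]
        if marker != 0xE1 or not body.startswith(EXIF_MAGIC):
            continue
        tiff = body[len(EXIF_MAGIC):]
        order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if order is None or len(tiff) < 8:
            continue
        magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
        if magic != 42:
            continue
        _, ifd1 = read_ifd(tiff, order, ifd0)  # IFD0 describes the main image
        tags, _ = read_ifd(tiff, order, ifd1) if ifd1 else ({}, 0)
        off, size = tags.get(TAG_THUMB_OFFSET, 0), tags.get(TAG_THUMB_LENGTH, 0)
        if off and size and off + size <= len(tiff):
            return size
    return 0

def strip_exif(jpeg):
    """Return a copy of the JPEG with every EXIF APP1 segment removed."""
    out, pos = bytearray(b"\xff\xd8"), 2
    for marker, start, end in segments(jpeg):
        if marker != 0xE1 or not jpeg[start + 4:end].startswith(EXIF_MAGIC):
            out += jpeg[start:end]
        pos = end
    return bytes(out) + jpeg[pos:]

def build_sample():
    """Constructed input: an 'edited' JPEG whose EXIF block kept the old thumbnail."""
    thumb = b"\xff\xd8ORIGINAL-UNREDACTED-PIXELS\xff\xd9"  # stand-in bytes
    ifd0 = struct.pack("<HHHIHHI", 1, 0x0112, 3, 1, 1, 0, 26)  # Orientation; IFD1 at 26
    ifd1 = struct.pack("<HHHIIHHIII", 2, TAG_THUMB_OFFSET, 4, 1, 56,
                       TAG_THUMB_LENGTH, 4, 1, len(thumb), 0)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + ifd1 + thumb
    app1 = b"\xff\xe1" + struct.pack(">H", len(EXIF_MAGIC + tiff) + 2) + EXIF_MAGIC + tiff
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
    return b"\xff\xd8" + app0 + app1 + b"\xff\xda\x00\x02REDACTED-PIXELS\xff\xd9"

if __name__ == "__main__":
    sample = build_sample()
    print("before:", thumbnail_size(sample), "thumbnail bytes")
    print("after: ", thumbnail_size(strip_exif(sample)), "thumbnail bytes")
```

Stripping the whole EXIF segment also discards the camera settings and timestamps; an editor that regenerates the thumbnail on save avoids the leak without losing them.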

Tuesday, June 13, 2006

Ok. Somebody must be paying attention

When The Onion, America's Finest News Source makes fun of the Hotels.com breach, you know that these are getting widespread coverage:

Hotels.com Information Stolen The Onion - America's Finest News Source

Hotels.com Information Stolen

A laptop containing sensitive information about Hotels.com customers was recently stolen from an Ernst and Young employee's car. What do you think?

Doodles McKennan, Costume Designer "Great, now everyone at work will know about my thing for amenities."

Tina Garland, Lens Grinder "Dogs, toddlers, laptops with credit-card information—this list of things not to leave locked in a car on a hot day just keeps getting longer and longer."

Chris Benning, Receptionist "Forget the confidential client information. Have you ever seen so much Rick Astley on a single iTunes collection?"

Vendors sync up IP wiretapping tools

I'm sure it warms the hearts of many to see two vendors of IP wiretapping software holding hands and working on interoperability and compatibility: Vendors sync up IP wiretapping tools.

Incident: Massive personal information leak at Japanese telco

Japan's second largest mobile phone operator has reported that personal information on almost four million subscribers has been compromised. Two arrests have been made in the breach, which was apparently an inside job and an attempt to blackmail the company.

KDDI reports massive personal data leak - Yahoo! News

Tue Jun 13, 7:53 AM ET

TOKYO (AFP) - KDDI Corp, Japan's number two mobile operator, said that private information on nearly four million subscribers to its Internet service had been leaked.

Police said extortionists tried to sell the data which included the names, addresses, contact numbers, sex, birthdate and e-mail addresses of those who applied for KDDI's Dion Internet service by December 18, 2003.

But information such as their passwords, bank account information and communications logs has not been released, the company said.

Tadashi Onodera, KDDI president and chairman, offered a public apology at a press conference.

'We consider that this will hurt our company's credibility. We will do our best to restore customers' trust by explaining the issue,' Onodera told reporters, although he said there were no plans for compensation.

Information seems to have been leaked by KDDI employees or a vendor who had access to the system because it is impossible to access it from the outside, Onodera said.

Police said they arrested two men who attempted extortion in the case, reportedly demanding KDDI pay five million to 10 million yen (43,700 to 87,000 dollars) for the data.

Onodera declined to comment on the issue as it is under police investigation.

KDDI learned about the leak through an anonymous phone call on May 30 and the next day a person handed a CD-ROM with data from 400,000 customers to its headquarters' reception desk, he said.

Incident: Files Of 150,000 Voters Missing

Whatever you do, don't let that 500 pound cabinet out of your sight.

Apparently a half-ton filing cabinet containing records of 150,000 voters in Colorado has "gone missing". It didn't walk away, but might have been misplaced when the Denver Election Commission moved offices. So if you see a lonely, lost filing cabinet, give them a call.

All Headline News - Files Of 150,000 Voters Missing - June 13, 2006:

Files Of 150,000 Voters Missing

June 11, 2006 8:38 a.m. EST

Mary K. Brunskill - All Headline News Contributor

Denver, Colorado (AHN) - Police were notified Saturday that records containing personal information on over 150,000 voters are missing at Denver election offices, and officials are investigating to find whether the files were lost, moved or stolen.

A 500-pound cabinet containing microfilmed voter registration files from 1989 to 1998, which contained voters' Social Security numbers, addresses and other personal information, disappeared in February when the commission moved to new offices.

Officials were not aware the records were missing until June 1 and the Denver Election Commission is trying to determine why officials did not learn the files were missing earlier, the AP reports.

Commission spokesman Alton Dillard told the Rocky Mountain News in Saturday's edition, 'We will get to the bottom of it.'

Dillard said staffers are searching the commission's new and old offices and its warehouse and employees of the moving company are being questioned.

Thanks to a correspondent from Vancouver, who led me to Interesting People, which linked to Hard To Do Any Worse, which in turn persuaded me to click on All Headline News.

Americans increasingly concerned about privacy and outsourcing

The Ponemon Institute has undertaken a very interesting survey of Americans' attitudes toward outsourcing and privacy. What I find particularly interesting is that the survey revealed that Canada is the most trusted outsourcing destination. (India came in third, though the Indian media has been putting an interesting spin on it: US consumers give top trust ranking to India - The Times of India).

Here's the press release about the survey:

Survey Finds Americans Increasingly Concerned About Outsourcing Personal Data:

Up to 83% of Respondents Don't Want Sensitive Data Sent Off Shore

NEW YORK, June 6 /PRNewswire/ -- A new survey sponsored by global law firm White & Case LLP, and developed by independent privacy think tank Ponemon Institute, found that the majority of American consumers do not want US companies sharing personal information with outsourcing companies overseas.

Fifty-one percent of those US adults surveyed said that they did not want a US organization to send sensitive personal information such as social security or driver's license numbers to a local company in another country. Opposition was higher when it came to sharing even more sensitive information: 60 percent didn't want their credit or debit card account numbers shared with an offshore company; 64 percent opposed having their employee records shared; 73 percent opposed having their banking or home mortgage information shared; and a whopping 83 percent opposed having their health records shared with a local company in another country.

"That so many Americans are concerned about sensitive personal data going overseas isn't surprising given the growing threat of identity theft and general misperceptions about outsourcing itself," said White & Case partner Steve Betensky, who regularly advises companies on outsourcing issues. "But what makes this so challenging for US companies is that while consumers don't want their information sent overseas, 73 percent of US adults surveyed also said they are unwilling to pay higher prices for products or services if that would ensure that their personal information would not be outsourced offshore."

Betensky adds that the problem is further compounded by the fact that 82 percent of survey respondents felt that new US regulations were needed to ensure that offshore companies had adequate security and privacy safeguards in place -- despite the fact that many industries such as healthcare and financial services are already strongly regulated.

"When customers aren't willing to pay more for security safeguards, they automatically turn to government for relief. That leads to increased regulations, which generally leads to higher costs for companies in order to comply or risk fines. So the real message I take away from this survey is that companies better be prepared to pay more one way or the other. The best thing that companies can do is negotiate their outsourcing contracts carefully so that the offshoring entity assumes some of the risk and costs associated with privacy safeguards and takes responsibility for ensuring that those privacy safeguards are effective," said Betensky.

Larry Ponemon, CEO and founder of Ponemon Institute, said that the survey also revealed that Americans do not view all countries equally when it comes to offshoring. When asked to select from 47 countries where outsourcing operations occur, US adults felt most comfortable with Canada, Ireland and India, giving them highest overall trust rankings with respect to local companies taking steps to protect or safeguard personal information. Philippines, Mexico, Haiti and Russia received the lowest trust rankings.

"Those statistics seem to confirm what we see in the global market place. India and Ireland have increasingly become some of the most attractive places for outsourcing ventures -- not only due to a well-educated workforce and lower salaries, but because those jurisdictions have made an active effort to establish strong regulations when it comes to outsourcing issues, including privacy," said Ponemon.

The study randomly surveyed 11,729 US adults via the Internet. In total, 1421 respondents completed the survey during an 8-day research period. Of those, 127 were rejected because of incomplete or inconsistent responses -- results were thus drawn from a total of 1,294 people from every region of the United States.

A complete copy of the survey can be obtained at http://www.whitecase.com/outsourcingandprivacy

About White & Case

White & Case LLP is a leading global law firm with nearly 2000 lawyers practicing in 36 offices in 24 countries. White & Case's Privacy practice operates at the forefront of privacy issues and data protection laws. We advise clients on how to adopt sound privacy practices, avoid privacy risks, and protect their competitive advantage, including in relation to developing outsourcing contracts and policies. We also represent clients in privacy-related litigation. Each year we host an annual Global Privacy symposium, write articles and publish or sponsor surveys related to complex privacy issues. Visit http://www.whitecase.com.

About the Ponemon Institute, LLC

Ponemon Institute is a "think tank" dedicated to advancing responsible information management practices in business and government. To achieve this objective, Ponemon Institute conducts independent research on privacy and information security, educates leaders from the private and public sectors, and verifies the privacy and data protection practices of organizations. The Institute is headquartered in Michigan. For more information, visit http://www.ponemon.org or contact (800) 887.3118.

Monday, June 12, 2006

Privacy protection paramount with RFID

David Canton's latest column is all about RFID and privacy. Check it out on his great blog: Privacy protection paramount with RFID.

ACLU v NSA in the battle over warrantless wiretaps

The US Government's warrantless wiretap program is going under the judicial microscope today in Detroit:

Battle over wiretaps to begin today:

The opening salvo of what is sure to be a closely watched and potentially landmark case over whether the U.S. government has the right to eavesdrop on thousands -- and potentially millions -- of telephone and e-mail communications will be fired in federal court in Detroit today.

The American Civil Liberties Union, which filed the lawsuit in January, will ask U.S. District Judge Anna Diggs Taylor to abolish the Bush administration's program of intercepting international phone calls in its fight against terrorism, saying it violates Americans' free speech and privacy rights.

The Justice Department, which represents the National Security Agency, is expected to argue that the program is legal and a key weapon in the administration's war on terror.

Although neither side expects Taylor to rule today, courtroom observers said she might reveal hints on how she will decide the case....

It is probably also safe to assume that this one will be appealed, regardless of the outcome. Stay tuned!

Sunday, June 11, 2006

Beware of strangers bearing USB drives

The fact that Microsoft Windows will automatically run software from a USB drive with no user intervention is a well-known security vulnerability. For example, the autorun function is the way that the infamous Sony rootkit gets its hooks into your system. With this feature enabled (or, rather, not blocked) on PCs, it's an easy way for malware to be installed on your desktops via USB. Read this chilling example:

Dark Reading - Host security - Social Engineering, the USB Way - Security:

... Once I seeded the USB drives, I decided to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.

I immediately called my guy that wrote the Trojan and asked if anything was received at his end. Slowly but surely info was being mailed back to him. I would have loved to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, then unknowingly running our piece of software.

After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.

Of all the social engineering efforts we have performed over the years, I always had to worry about being caught, getting detained by the police, or not getting anything of value. The USB route is really the way to go. With the exception of possibly getting caught when seeding the facility, my chances of having a problem are reduced significantly.

You’ve probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans' innate curiosity. Emailed virus writers exploit this same vulnerability, as do phishers and their clever faux Websites. Our credit union client wasn’t unique or special. All the technology and filtering and scanning in the world won’t address human nature. But it remains the single biggest open door to any company’s secrets.

Disagree? Sprinkle your receptionist's candy dish with USB drives and see for yourself how long it takes for human nature to manifest itself.

Also read Bruce Schneier on this avenue of attack: Schneier on Security: Hacking Computers Over USB.

Saturday, June 10, 2006

The Practical Nomad on the Expedia/Hotels.com data breach

The Practical Nomad has a very interesting post on the recent Expedia/Hotels.com privacy and security breach resulting from the loss of an auditor's laptop. (For my previous comments, including the fact that my data may have been on the laptop in question, see: The Canadian Privacy Law Blog: Incident: Hotels.com customer info on laptop stolen from auditor in February.)

The Practical Nomad blog: Expedia auditors lose laptop with customer credit card numbers:

...

Notably, Expedia has not said whether it had in place the contractual privacy commitments from Ernst & Young that would be required under Canadian (and other countries') laws -- although not under USA law -- as a precondition to allowing Ernst & Young to access personal information in customer or reservation records.

Hotels.com operates one of the world's largest travel Web site affiliate networks, many of whose members (in addition to the other Expedia divisions in the USA, Canada, and Europe), hide the Hotels.com service behind their own "private label". Many Hotels.com customers may never have realized they were dealing with Hotels.com rather than the company that operates the "private label" Web site. In the past, this lack of transparency has been one of the major themes of customer complaints against Hotels.com, especially when customers had problems at check-in and didn't know whom to call. And customers of Expedia divisions in Canada and Europe may not have known that their personal data was being passed on to Hotels.com in the USA.

So, I asked, (1) does Hotels.com attempt to identify, or keep a record of, the country from which personal information was collected, and (2) are the actions being taken the same for all people whose data may have been on the stolen laptop, or are any different or additional actions being taken with respect to people from whom data may have been collected while they were in Canada or the European Union (e.g. as potentially identifiable from the IP address or the origination of the transaction through Expedia.ca or Expedia.uk), in light of the differences in Canadian and European Union data protection law?

The response on behalf of Expedia? "We do not track or capture geographies aside from the address customers provide for the transaction."

In other words, the world's largest Internet travel agency -- even though it requires cookie acceptance for purchases, and undoubtedly logs IP addresses and tracks referrals by affiliate -- makes no attempt to keep track of the jurisdiction and legal conditions under which personal information is provided, or ensure that those restrictions accompany the data when it is passed on. Even if they wanted to comply with the law in Canada and the EU, where they operate entire divisions, their current data structures aren't adequate to support compliance with the laws in those jurisdictions.

From what I've seen of industry norms, Expedia is no exception. Neither computerized reservation systems nor the AIRIMP (more on the latest AIRIMP revisions in a forthcoming post) support transmitting or recording the jurisdiction or rules under which any portion of the data in a passenger name record (which typically includes data entered in multiple jurisdictions, so a single field for the entire PNR would not suffice). But if Expedia can get away with ignoring data protection laws in countries where they do billions of dollars a year in business, so can the little guys.

This should be the test case of whether USA-based travel companies that do business in, and/or accept personal data from affiliates in, Canada and the EU need to track the jurisdiction and conditions governing use of that data, and ensure that those jurisdictional and usage-restriction notes follow the data wherever it goes.

If you reserved a hotel through Hotels.com, and you were in Canada or the EU at the time, demand an explanation from the company, and complain to your national privacy commissioner or other national data protection authorities.

Friday, June 09, 2006

Incident: Security clearance info on nuclear contractors compromised by hacker

Not a good couple of weeks for information security in the US Government. It is now being reported that a hacker penetrated a computer system of the Department of Energy's Nuclear Weapons Agency in September, but the Secretary of Energy was not informed until last week. Here's a bit more info:

DOE computers hacked; info on 1,500 taken - Yahoo! News:

Although the compromised data file was in the NNSA's unclassified computer system -- and not part of a more secure classified network that contains nuclear weapons data -- the DOE officials would provide only scant information about the incident during the public hearing.

Brooks said the file contained names, Social Security numbers, date-of-birth information, a code where the employees worked and codes showing their security clearances. A majority of the individuals worked for contractors and the list was compiled as part of their security clearance processing, he said.

Tom Pyke, DOE's official charged with cyber security, said he learned of the incident only a few days ago. He said the hacker, who obtained the data file, penetrated a number of security safeguards in obtaining access to the system.

Canadian government to revive wiretap bill

According to the Globe & Mail, the Conservative government is planning to revive the previous Liberal government's proposal that would require all telcos, ISPs and VoIP providers to design in and implement technologies to facilitate wiretapping. The biggest issue is that internet-based communications aren't inherently tappable and snoops are trying to make the new technology compatible with their techniques:

globeandmail.com: Wiretap access bill to be revived:

... E-mails and Web surfing usually cannot be monitored by physically tapping into a wire, and new telephone technologies such as voice-over-Internet can make tapping calls more difficult, meaning access at the service providers' facilities is sometimes the only way to conduct surveillance....

Thursday, June 08, 2006

Incident: IRS employee loses laptop with personal info on 291 employees and job applicants

From the Washington Post:

IRS Laptop Lost With Data on 291 People:

The IRS's Terry L. Lemons said the employee checked the laptop as luggage aboard a commercial flight while traveling to a job fair and never saw it again. The computer contained unencrypted names, birth dates, Social Security numbers and fingerprints of the employees and applicants, Lemons said. Slightly more than 100 of the people affected were IRS employees, he said. No tax return information was in the laptop, he said.

'The data was not encrypted, but it was protected by a double-password system,' Lemons said. 'To get in to this personal data on there, you would have to have two separate passwords.'...

Wednesday, June 07, 2006

Incident: Info on 300K+ CPAs goes missing along with hard-drive

If you don't need (really, really need) a particular type of personal information and it is at all sensitive, do not collect it. Do not keep it. If you have it, securely destroy it.

Privacy best practices world wide are pretty clear that you should only collect and retain personal information that is necessary for a clearly articulated purpose. In the CSA Model Code for the Protection of Personal Information, it is articulated thusly:

4.4 Principle 4 - Limiting Collection

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

This goes hand-in-hand with the principle that you should only keep information for as long as is reasonably necessary to fulfil those clearly articulated purposes. Take it away, CSA Code:

4.5 Principle 5 - Limiting Use, Disclosure, and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

Generally Accepted Privacy Principles produced by the Canadian Institute of Chartered Accountants in Canada and the American Institute of Certified Public Accountants include variations on these general rules:

4. Collection. The entity collects personal information only for the purposes identified in the notice.

5. Use and Retention. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes.

So I guess you can draw from these examples that you should not collect or keep someone's social security number or social insurance number unless you really need it.

Interestingly and ironically, this lesson has just been learned the hard way by the American Institute of Certified Public Accountants. The AICPA has just reached the conclusion that it should apply at least a portion of its own Generally Accepted Privacy Principles with respect to the personal information about its members that it collects and retains. It appears that a hard-drive containing personal information on 330,000 members, including social security numbers, has gone missing while in the custody of an overnight courier. While it is very easy to blame the courier, it is clear that the AICPA has no compelling reason to collect SSNs. In fact, there's no reason that even roughly corresponds to the risk associated with keeping such data around, let alone couriering it to a service provider.

To read more, check out: CPA group says hard drive with data on 330,000 members missing.