DaveNet: Scientology and Google.
Dave Winer of UserLand has a few comments on Scientology using the DMCA and Hollings' introduction of the renamed SSSCA.
New York Times (free registration required) - Bush Acts to Drop Core Privacy Rule on Medical Data.
The Bush administration today proposed dropping a requirement at the heart of federal rules that protect the privacy of medical records. It said doctors and hospitals should not have to obtain consent from patients before using or disclosing medical information for the purpose of treatment or reimbursement.
The proposal, favored by the health care industry, was announced by Tommy G. Thompson, the secretary of health and human services, who said the process of obtaining consent could have "serious unintended consequences" and could impair access to quality health care.
The sweeping privacy rules were issued by President Bill Clinton in December 2000. When Mr. Bush allowed them to take effect last April, consumer advocates cheered, while much of the health care industry expressed dismay.
Today's proposal would repeal a provision widely viewed as the core of the Clinton rules: a requirement that doctors, hospitals and other health care providers obtain written consent from patients before using or disclosing medical information for treatment, the payment of claims or any of a long list of "health care operations," like setting insurance premiums and measuring the competence of doctors.
CNET NEWS.COM Perspectives - Web services: Security nightmare?
StreamTone CEO Ravi Razdan warns that in its rush to embrace Web services, the computer industry is unknowingly inviting hackers to waltz through gaping structural holes.
CNET NEWS.COM - Anti-piracy bill finally sees Senate.
A controversial bill that would ultimately require computer and consumer-electronics companies to build copyright-protection technology into their products was finally introduced in the U.S. Senate on Thursday.
The so-called Consumer Broadband and Digital Television Act--once known as the Security Systems Standards and Certification Act (SSSCA)--first saw daylight late last year, when a draft of the proposed legislation began making Capitol Hill rounds. As one of the most far-reaching proposals yet seen for protecting movies, music and software against digital piracy, it immediately drew a firestorm of debate.
As a result, battle lines were drawn well before its introduction. Many big consumer-electronics and technology companies oppose the idea. Walt Disney is for it, along with sponsor Sen. Fritz Hollings, D-S.C. Most of the major studios and record labels like the idea of stronger copyright protection but are still wary of government mandate.
iWon - News - Feds Urge Medical Privacy Changes, Advocates Upset.
WASHINGTON (Reuters) - The Bush administration on Thursday proposed eliminating from U.S. medical privacy rules a requirement that patients give consent for disclosure of their health information prior to receiving care.
Instead, health officials suggested mandating that patients receive notice of how providers or insurers plan to use information and details about their privacy rights.
Privacy advocates said the change would devastate the rules, which aim to give patients more control over their medical records.
Newsbytes - Comdex Attendees' Personal Data Exhibited On The Web.
A security flaw in an online registration system for the world's biggest computer trade shows exposed the personal data of some users, Key3Media Events [NYSE:KME] officials acknowledged today.
The system, accessible from the company's Web site, enables visitors to register online for events produced by Key3Media Events, including Comdex, NetWorld+Interop, Seybold Seminars and JavaOne.
By slightly manipulating login data recently sent in a registration confirmation e-mail to some show attendees, users of the online system were able today to view the profiles and shopping carts of other users.
Newsbytes confirmed that it was possible to access profiles including those of the senior partners of a major high-tech law firm, the managing partner of a large venture capital firm, and the president of a Midwestern manufacturing company.
According to a Key3Media spokesperson, the privacy breach appears to be limited to "a few thousand" people who recently registered in person using a "legacy" system at the company's Comdex Chicago or Seybold New York shows.
eWEEK - IE, Apache Clash on Web Standard.
eWEEK Labs has discovered that Microsoft Corp.'s Internet Explorer Version 5.0 and higher--as well as the company's IIS Web server--has a significant security incompatibility with other major Web browsers and with the Apache Software Foundation's Apache HTTP Web server.
The incompatibility lies in how Microsoft has implemented digest access authentication, a World Wide Web Consortium standard (RFC 2617) that specifies how users can securely log in to Web servers. Digest authentication is widely acknowledged to be the best available Internet standard for this purpose.
The upshot is that IE cannot be used as a Web client for any Apache-based Web application that uses digest authentication. In addition, every non-IE browser we tested couldn't be used as a client for any Internet Information Services-based Web application that uses digest authentication. (We tested this with Mozilla.org's Mozilla 0.9.9, Opera Software ASA's Opera 6.01 and the W3C's reference browser implementation Amaya; Netscape Communications Corp.'s Navigator doesn't currently support digest authentication. Static Web pages are not affected by the problem.)
Declan McCullagh's Politech - Sen. Fritz Hollings' Consumer Broadband and Digital Television Promotion Act.
Statements and press releases:
Sen. Fritz Hollings (D-SC) (3/21/02)
MPAA president Jack Valenti (3/21/02)
RIAA president Hilary Rosen (3/21/02)
Technology lobby groups (3/21/02)
digitalMass at Boston.com - News Corp., Disney push anti-piracy measures.
WASHINGTON (Variety) -- News Corp. and Walt Disney Co. stepped up their high-profile campaign Wednesday to enlist Washington's help in stopping Internet thievery, with News Corp. president Peter Chernin likening the downloading of a pirated picture to burglarizing a video store.
Newsbytes - Sen. Hollings Introduces Digital Piracy Bill.
Senate Commerce Committee Chairman Ernest "Fritz" Hollings, D-S.C., today introduced a controversial bill that would require the entertainment, electronics and high-tech industries to craft standards for protecting digital content against piracy.
The long-awaited Consumer Broadband and Digital Television Promotion Act would give the content, electronics and high-tech sectors one year to devise standards that could be used in all digital media devices to prevent unauthorized copying of music or movies.
Political News from Wired News - Anti-Copy Bill Hits D.C.
Sen. Fritz Hollings has fired the first shot in the next legal battle over Internet piracy.
The Democratic senator from South Carolina finally has introduced his copy protection legislation, ending over six months of anticipation and sharpening what has become a heated debate between Hollywood and Silicon Valley.
The bill, called the Consumer Broadband and Digital Television Promotion Act (CBDTPA), prohibits the sale or distribution of nearly any kind of electronic device -- unless that device includes copy-protection standards to be set by the federal government.
Translation: Future MP3 players, PCs and handheld computers will no longer let you make all the copies you want.
"A lack of security has enabled significant copyright piracy, which drains America's content industries to the tune of billions of dollars every year," Hollings, the powerful chairman of the Senate Commerce committee, said in a statement on Thursday.
Hollings said that "any device that can legitimately play, copy or electronically transmit one or more categories of media also can be misused for illegal copyright infringement, unless special protection technologies are incorporated."
That's precisely why Hollings and the five senators who joined him want to embed copy-protection controls in all PCs and consumer electronic devices. Devices manufactured before the law takes effect can be resold legally.
Once known as the Security Systems Standards and Certification Act (SSSCA), the newly named CBDTPA says that all "digital media devices" sold in the United States or shipped across state lines must include copy-protection mechanisms to be defined by the Federal Communications Commission.
"Digital media device" is defined in a breathtakingly broad way: Any hardware or software that reproduces, displays or "retrieves or accesses" any kind of copyrighted work.
Slashdot | SSSCA Introduced in Senate.
Peter BG Shoemaker writes: "Wired is reporting that Hollings has officially submitted his newly renamed SSSCA, carrying the moniker Consumer Broadband and Digital Television Promotion Act (CBDTPA). It carries all the provisions we've been worrying about...there is a new battlefield folks..." Newsbytes has another story. Reuters has a story about News Corporation and Disney lobbying in support of the bill. I haven't seen the exact text of the bill as introduced; it will probably be in Thomas tomorrow. Update: 03/22 00:12 GMT by M: Declan McCullagh has collected several documents pertaining to the SSSCA, errr, CBDTPA. He's got a faxed copy of the bill (barely legible; read it on Thomas tomorrow), plus statements from Hollings (read it!), the MPAA, the RIAA, and several lobbying groups for the tech industry, who seem less enthralled about it.
Computerworld - by Dan Gillmor - Don't Deny Privacy for Security's Sake.
One of the more pernicious bits of propaganda to emerge in post-Sept. 11 America is the notion that security must trump liberty. The nation's founders are surely spinning in their graves to see their descendants sell out their heritage.
Now we're being told of the supposed incompatibility between security and privacy in the practice of everyday business. You won't be surprised to know that the major beneficiaries of this misinformation are the corporate busybodies themselves.
There's no doubt that security has been lacking. Our technology infrastructure is riddled with flaws, most of them the result of an architecture that wasn't designed with security in mind. Some are simply the result of poor programming practices.
But corporate America has never been a friend of privacy. Building dossiers on customers and regulating their behavior has always been something of a Holy Grail for businesses.
Computerworld - Hacker exposes financial information at Georgia Tech.
An undetermined number of employee financial records and university credit card numbers could have been exposed when the server was hacked into last week, institute spokesman Bob Harty said this afternoon.
Computerworld - FBI hints at dismantling NIPC.
A decision by FBI Director Robert Mueller is expected early next week on a plan to dismantle the FBI's cyberthreat warning arm, the National Infrastructure Protection Center (NIPC), possibly reversing years of progress made toward improving information sharing between the private sector and the government.
Mueller is poised to decide whether to break up the NIPC and transfer pieces of the organization to the bureau's criminal and counterterrorism/counterintelligence divisions.
The FBI wouldn't comment on the plan, which Mueller first outlined in February in private meetings with members of Congress.
Ron Dick, the NIPC's director, said any news of a final decision is speculation. Dick said Mueller "is a strong supporter of the NIPC and has not made a final decision on what will be in the new cybercrime division nor how that will impact the NIPC, if at all."
Slashdot | Your Rights Online - Scientology Uses DMCA to Delist Critic's Website.
Business News from Wired News - Spam Showdown at Battle Creek.
The small city of Battle Creek, Michigan, wants to lock up an anti-spam activist who it believes crashed its mail server.
Never mind that the town government was using a buggy version of the Lotus Domino e-mail server, and that newer releases have fixed the problem. And never mind that anti-spammers may have been conducting a routine scan for possible sources of bulk e-mail.
[ ... ]
This new Battle of Battle Creek -- the first one in 1824 pitted local Indians against surveyors -- began when an Orbz computer allegedly connected to the town's mail server to see if it might be an anti-spammer bugaboo: A relay point for bulk e-mailers.
It wasn't. But it was running an old Lotus Domino version, and what would normally have been a routine test by Orbz allegedly caused the server to mail-bomb itself into a tizzy.
[ ... ]
More importantly, Orbz relies on the same connect-to-a-mail-server technique that's commonplace on the Internet. The Orbz queries -- phrased in the MAIL FROM syntax -- may have given a buggy Lotus Domino server fits, but they appear to be perfectly compliant with Internet standards.
Political News from Wired News - Google Yanks Anti-Church Sites.
Google used to include sites critical of the Church of Scientology. Now it doesn't, because Scientology is claiming copyright violations under the Digital Millennium Copyright Act.
[ ... ]
This isn't the first time Scientology has used copyright threats to stifle criticism.
As far back as August 1995, Scientology sued one of its former members for posting anti-church information to the Internet and persuaded a federal judge to permit the seizure of his computer. The church then sued The Washington Post for reporting on the computer seizure and quoting from public court records.
Tech News - CNET.com - The privacy imbroglio.
Former Network Solutions CTO David Holtzman warns against using legal restrictions and regulatory covenants to create a universal definition of a multisided issue like privacy.
[ ... ]
A privacy policy, unfortunately, does little to maintain customer intimacy. Relationships are based upon trust and trust is created based upon how expectations are met or not met over time. Consumer expectations are defined by the marketing message, not by the fine print in service agreements or privacy policies. This "implied contract" is the true relationship and should be managed at the profit-and-loss level.
The term "privacy," when applied to commerce, is too ambiguous and highly charged to use to describe a key element of a business' relationship with its customers. Developing a healthy, long-term relationship with customers enhances a company's reputation and the strength of its brands. But these valuable relationships are hardly the focus of today's litigious approach to privacy.
Usage of consumer data is one of the thorniest privacy issues on the table for businesses today. Companies associated with violating consumer privacy via third-party data sharing are finding just how thin the privacy policy veil is when it comes time to be accountable to customers.
Altogether, it's becoming increasingly obvious that privacy policies aren't satisfying long-term maintenance of customer relationships. Really, they're only prenuptial agreements that legally entitle corporations to a very one-sided marriage with customers.
Most opt-out privacy policies, for example, are effectively useless for the average consumer since most companies reserve the right to modify their policy by posting the change on the Web site. The idea that any but the most privacy-militant consumers would constantly "poll" Web sites of products and services that they use is ludicrous. Even if the policy has changed, the stated change will deal with potential activities, not actual ones, and as such will be hard to assess ("We may share this information with third parties"). Opting out takes determination because it usually requires written notification or an hour-long telephone call.
CNET NEWS.COM - Special Report - Companies taking desperate steps against spam.
Chris Lewis walks a tightrope every day as leader of a spam-eradication team at a major telecommunications company.
He is the guardian of roughly 45,000 employees' e-mail in-boxes, protecting against unsolicited commercial messages that are nearly doubling in number every five months--and costing an estimated $1 per piece in lost productivity. But perhaps just as important is Lewis' ability to field the bad mail without discarding the good, such as potential business leads.
New York Times (free registration required) - Finding Pay Dirt in Scannable Driver's Licenses.
In most states, driver's licenses now feature bar codes containing remarkable amounts of personal information. While this may help prevent identity fraud, it can also land a driver's name on databases in unexpected places.
[ ... ]
But most of the customers are not aware that it also pulls up the name, address, birth date and other personal details from a data strip on the back of the license. Even height, eye color and sometimes Social Security number are registered.
"You swipe the license, and all of a sudden someone's whole life as we know it pops up in front of you," said Paul Barclay, the bar's owner. "It's almost voyeuristic."
Mr. Barclay bought the machine to keep out underage drinkers who use fake ID's. But he soon found that he could build a database of personal information, providing an intimate perspective on his clientele that can be useful in marketing. "It's not just an ID check," he said. "It's a tool."
Now, for any given night or hour, he can break down his clientele by sex, age, ZIP code or other characteristics. If he wanted to, he could find out how many blond women named Karen over 5 feet 2 inches came in over a weekend, or how many of his customers have the middle initial M. More practically, he can build mailing lists based on all that data -- and keep track of who comes back.
Bar codes and other tracking mechanisms have become one of the most powerful forces in automating and analyzing product inventory and sales over the last three decades. Now, in a trend that alarms privacy advocates, the approach is being applied to people through the simple driver's license, carried by more than 90 percent of American adults.
Already, about 40 states issue driver's licenses with bar codes or magnetic stripes that carry standardized data, and most of the others plan to issue them within the next few years.
[ ... ]
The devices have already proved useful for law enforcement. Police departments have called bars to see if certain names and Social Security numbers show up on their customer lists.
The electronic trails created by scanning driver's licenses are raising concerns among privacy advocates. Standards and scanning, they say, are a dangerous combination that essentially creates a de facto national identity card or internal passport that can be registered in many databases.
"Function creep is a primary rule of databases and identifiers," said Barry Steinhardt, associate director of the American Civil Liberties Union, citing how the Social Security number, originally meant for old-age benefits, has become a universal identifier for financial and other transactions. "History teaches us that even if protections are incorporated in the first place, they don't stay in place for long."
[ ... ]
Under current standards, the magnetic stripe and bar codes essentially contain the same information that is on the front of the driver's licenses. In addition to name, address and birth date, the machine-readable data includes physical attributes like sex, height, weight, hair color, eye color and whether corrective lenses are required. Some states that put the driver's Social Security number on the license also store it on the data strip.
[ ... ]
Newer, two-dimensional bar codes that can store more data have been adopted by almost 30 states, including New York. Some states are already using this extra storage capacity to pack in biometric information. Georgia stores two digital fingerprints as well as the person's signature. Tennessee stores a facial recognition template. Kentucky recently became the first state to embed a black-and-white electronic version of the photograph in the bar code.
Macintouch - Reader Report: Spam.
Reader letters on how to fight SPAM.
LendingIntelligence.com - FTC Requests $20.5M Budget Hike to Bolster Privacy Protection.
The Federal Trade Commission has requested a $20.53 million budget increase, a large portion of which would help fund privacy-protection initiatives.
MBusinessDaily - Privacy Guidelines Proposed For Mobile Devices.
The mobile communications industry is making a pre-emptive strike against unwanted spam E-mails on mobile phones and portable devices. The Mobile Marketing Association proposed guidelines Tuesday to protect subscribers against unscrupulous marketers using location-based targeting technology.
With location-based targeting, marketers can send messages to consumers in a particular area, such as broadcasting an ad for a lunch special at a nearby restaurant. While such information might be useful at times, the association is afraid the same marketers who fill up consumers' E-mail systems at work and home with spam will do the same with mobile systems using location-based targeting.
The guidelines were prepared by the association to "raise awareness and spur debate" among mobile system operators and marketers, according to the organization.
PCWorld.com - EBay Privacy Policy Draws Fire--Again.
Auction site has agreed to post a simplified version of its policy online, so why are privacy advocates still complaining?
EBay may have partially solved one issue privacy advocates had with proposed changes in its privacy policy. But another concern still remains.
Under the old policy, San Jose-based eBay would share user information only with law enforcement officials or in the case of disputes over intellectual property, according to eBay spokesperson Kevin Pursglove. That has now been changed to allow the company to share user information with other users who are involved in legal action.
John Robb's Radio Weblog - Are you being tracked while online?
The first generation of firms that tracked Web usage took a panel-based approach (like Nielsen TV ratings) -- Media Metrix, NetRatings, and PC Data. The people in the panels knew they were being tracked. These next gen firms do it on the sly.
Financial Applications Security Weblog.
Another link found via John Robb's Radio Weblog.
Newsbytes - Spammer Sues E-mail List Providers.
An e-mail marketing firm on Tuesday said it has filed lawsuits against two e-mail list providers, alleging the lists it bought from the companies were full of non-existent addresses and people who hadn't asked to receive commercial marketing messages.
Kansas City, Mo.-based direct marketing firm Virtumundo is seeking damages from Mindset Interactive Inc. and Inurv Inc., alleging the two companies "misrepresented" the nature of consumer data which Virtumundo purchased.
Virtumundo also said it intends to be more careful about the data it purchases from third-party list providers in the future.
The company said it used the Mindset Interactive and Inurv lists to send messages to thousands of e-mail account holders. It claims the companies said the data were collected with the consent of the owners and could be used for direct marketing.
Slashdot | Spammer Sues List Broker.