Privacy Digest
Your daily source for news that can impact people's privacy.


 Thursday, August 14, 2003
 
  • NSA - Security-Enhanced Linux.

    As part of its Information Assurance mission, the National Security Agency (NSA) has long been involved with the computer security research community in investigating a wide range of computer security topics including operating system security. Recognizing the critical role of operating system security mechanisms in supporting security at higher levels, researchers from the NSA's Information Assurance Research Group have been investigating an architecture that can provide the necessary security functionality in a manner that can meet the security needs of a wide range of computing environments.

    End systems must be able to enforce the separation of information based on confidentiality and integrity requirements to provide system security. Operating system security mechanisms are the foundation for ensuring such separation. Unfortunately, existing mainstream operating systems lack the critical security feature required for enforcing separation: mandatory access control. As a consequence, application security mechanisms are vulnerable to tampering and bypass, and malicious or flawed applications can easily cause failures in system security.

  • freshmeat.net: NSA Security-enhanced Linux 2003081307.

    The SELinux module has been merged into the mainline kernel as of 2.6.0-test3. This release includes new kernel patches based on the 2.6.0-test3 kernel and a backport of the 2.6 SELinux module to the 2.4.21 kernel. The new API is consistent between 2.4 and 2.6. The old 2.4 API and user-space utilities are no longer actively maintained. There have been a number of bug fixes and cleanups to the library and utilities, as well as new contributions to the example policy.

  • Slashdot | "Ask Slashdot" - Slashdot | Can Web Based VPN Solutions Do It All?

    Bingo Foo asks: "My company is in the process of reviewing replacements to our existing multi-platform VPN, which has now been discontinued. I was under the impression that every major vendor's OS ships with a VPN configuration solution. What gives? Are these not standard enough? Are they not secure enough? not flexible enough? Regardless, our IT department is leaning toward a clientless, web-based solution, which frankly sounds too good to be true. Can simply directing your browser at the portal allow X11, NFS, SMB, AFP, ssh, etc. transparently through the firewall? Anyone have experience with Neoteris and their VPN?"

  • World-Check. KYC compliance database High Risk people and entities

    [ ... ]

    World-Check is a database service that tracks potential high-risk financial customers, including money launderers, terrorists and political figures, among numerous other high-risk categories. World-Check's value proposition is two-fold. To begin, we have a global network of researchers and technology solely committed to building upon our database. Our work is never complete. Our database grows literally by the day as news and information from around the world is collected, analysed and processed. Our operations are global, and our data coverage extends to over 234 countries and territories.

    Our ultimate value proposition, however, has nothing to do with the size of our database. Rather, our true value extends into what we do with this data. World-Check's dedicated editorial team collects and analyses this data. What the client gets is detailed profiles on each entity, where the essential pieces of information are identified and isolated. At a glance, you will find aliases, alternative name spellings, locations, reported associates of each entity, a case synopsis and hyperlinked sources for data verification. There are no cryptic source references. Nor is there raw data that requires significant further research. World-Check does the legwork, from finding the intelligence data to analysing it -- you simply make the decision.

    A little something I found when looking at the ads that Google's AdSense is putting on Privacy Digest.

  • C-SPAN2 - 03:54 pm Eastern - House Committee - Unsolicited Electronic Mail. Program ID 177323. Judiciary, Crime, Terrorism & Homeland Security. Howard Coble, R, North Carolina; Jerry Kilgore, Virginia.

    Witnesses testified about proposed legislation to regulate unsolicited commercial electronic mail known as spam. Among the issues they addressed were ways to allow legitimate commercial uses of the Internet, methods by which spam is delivered, enforcement of regulations, and potential penalties for violations of any new rules.

  • Accountingweb.com, IN - Corporate Executives Get Help With Security and Privacy Strategy.

    A joint paper released by Canadian Information and Privacy Commissioner Ann Cavoukian and Deloitte & Touche LLP provides corporate executives with suggestions for developing strategies for information security and privacy protection.

    The Security-Privacy Paradox: Issues, Misconceptions and Strategies (ed. Link is a PDF file) examines the complex and often misunderstood relationship between the disciplines of information security and privacy protection.

    "The evolution of the computer from a passive, mechanical record-keeper to an interactive, networked transaction manager has dramatically increased the volume and variety of personally identifiable information collected by organizations," said Commissioner Cavoukian. "This capability for high-speed, high-volume processing and dissemination of personal information creates the potential for substantial risks - as well as large-scale opportunities - associated with information security and privacy protection. However, you must address both - never just one. While information security and privacy do overlap, at times they may appear to contradict. In preserving one alone, companies can do serious damage to the other."

  • San Jose Business Journal, CA - Court backs Internet firm in privacy case.

    Metrosplash.com Inc., Lycos Inc. and Matchmaker.com Inc., which operated an Internet dating service under the name Matchmaker, are not liable for the invasion of privacy and identity theft of television star Christianne Carafano, who acts under the name Chase Masterson in television programs such as "Star Trek: Deep Space Nine," and "General Hospital," according to the Ninth U.S. Circuit Court of Appeals in San Francisco.

    Critical information about Ms. Carafano's home address, movie credits, and the e-mail address that revealed her phone number were transmitted unaltered to profile viewers using Matchmaker. The information had been posted without her knowledge by someone in Berlin.

  • San Francisco Chronicle, CA - Editorial - Populist revolt lifts privacy bill.

    Sacramento is obviously feeling the heat of a populist revolt. An issue that has proved intractable for four years -- legislation to protect consumers' financial privacy -- is about to get wired for fast passage in the next week.

    Representatives of major financial institutions are scheduled to announce their support for privacy legislation by Sen. Jackie Speier, D-Hillsborough, at a Capitol news conference today. The measure is almost identical to SB1, which the industry had fought so hard to defeat in an Assembly committee in June. Gov. Gray Davis, who had endorsed SB1, has listed resurrection of financial privacy as one of his top priorities.

    Speier said "all the core principles are intact" in the latest version, which would give Californians control of the secondary use of their personal financial information. Banks, brokerages and insurance companies would be required to obtain customer permission before selling account balances, spending profiles or other sensitive data to telemarketers and other third parties. Consumers would also gain a limited right to stop some information sharing among affiliates.

  • silicon.com - Gillette slams privacy concerns over RFID tracking. In-store tags may yet prove to be the best a LAN can get

    [ ... ]

    But privacy groups started protesting outside the Tesco store when it emerged the supermarket was automatically taking photographs of shoppers when they picked the blades up off the shelf and when they left the shop with any tagged product.

    US-based group Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) is also urging a worldwide boycott against Gillette over the tagging concerns.

    Caspian founder and director Katherine Albrecht said: "We want to send a clear message to Gillette and other companies that consumers will not tolerate being spied on through the products they buy."

    But Gillette has hit back at the "misleading" claims, saying it only wants to use the RFID tags to improve the efficiency of its supply chain. The chips, when inserted into products, emit radio signals that allow them to be tracked.

    Gillette spokesman Paul Fox told silicon.com: "Our intention is very much pallet and case application within our supply chain. We have never nor do we have any intention to track, photograph or videotape consumers."

    Tesco's Cambridge trial finished at the end of July and it is now running a pilot with RFID tags in DVDs at its Sandhurst store.

    A Tesco spokesman said the photographing of consumers was just part of a range of uses the supermarket chain is looking at for the tags.

  • The Globe and Mail, Canada - The Globe and Mail.

    A customer calls your company and a call-centre representative uses caller ID to pop up her electronic file and greet her by name. Bingo! The customer summons you to a closed-door review with the Privacy Commissioner of Canada.

    She charges you with violating her privacy. She didn't identify herself on the call and had an unlisted number, so she assumed her identity would be anonymous. And her customer file was irrelevant: She had sought only general information when she phoned. You say you were just trying to provide good service. Your policy is that phone reps must be sure of a caller's identity before giving out confidential information. In this case, your phone rep only mentioned the customer's name.

    Verdict: You lose. The commissioner rules that you violated the Personal Information Protection and Electronic Documents (PIPED) Act. You neither sought nor obtained the customer's permission to collect, use and disclose her personal information. She didn't speak about her account, so the rep had no reason to call it up.

    Conclusions: You failed to apply appropriate security safeguards. Any procedures you had were not followed. Your company might disclose personal information to the wrong people. Fix this problem, or next time you may land up in court or, worse, in the newspapers.

    This actually happened to a major Canadian bank in 2003. Today, the PIPED act applies only to federally regulated industries, such as banks, telcos and airlines, as well as federally chartered health organizations. But on Jan. 1, nearly every organization operating in Canada must comply with it or with provincial rules that are at least as tough. So if privacy isn't gaining space on your corporate radar, you could be risking trouble -- the embarrassing departure of George Radwanski as privacy commissioner and his replacement by Robert Marleau notwithstanding.



    © copyright 1997-2003 by Paul Hardwick. All rights reserved.
    All trademarks are the property of their respective owners.
    Modified: 8/14/03; 12:45:03 PM
    Built: 9/2/03; 12:47:42 AM
    URL for current page: http://www.PrivacyDigest.com/2003/08/14
