Friday, March 10, 2006


News Item 5449 CIOs cite IT security, privacy as top issues

Federal chief information officers cite information technology security and privacy as their most important - and daunting - issue, according to a survey of CIOs across departments and agencies.

The IT Association of America today released its 16th annual Federal CIO Survey, titled "Ten Years After Clinger-Cohen: Looking Back, Looking Forward."

In the survey, the CIOs said they had made headway in IT security and privacy, but oversight and the vast space to protect against sophisticated perpetrators are "almost an overwhelming requirement they have," said Paul Wohlleben, a partner at Grant Thornton's Global Public Sector and program manager for the survey.

CIOs are balancing securing information and giving people access to it, and that brings high stress and significant budget problems, the survey found.

"The consensus seems to indicate that privacy needs to be elevated as an issue and was getting priority attention in only a few agencies where public concerns were driving the issue," the report states.

Respondents also said that to improve system security, they would continue to mature their IT security programs, emphasizing risk and vulnerability assessments; monitoring, certifying and accrediting IT systems; and conducting Federal Information Security Management Act testing in a more coordinated effort with their agencies' CXOs.


11:55:59 PM

News Item 5448 ElectricNews.net:News:RFID take-up growing despite privacy concerns

Consumers will be willing to trade some of their privacy rights for the convenience and brand-loyalty discounts potentially on offer from RFID-tagged products.

That's according to a new report from the Economist Intelligence Unit, entitled RFID Comes of Age, which found that the adoption rate of RFID is accelerating despite concerns that the technology could compromise consumers' privacy rights.

However, the authors of the report say that consumers are sometimes willing to trade their privacy rights for the sake of convenience, efficiency and value.

"The analogy that we make is that customers are already giving up some of their privacy rights when they sign up for supermarket loyalty cards," said Gareth Lofthouse, editor of the report, speaking to ElectricNews.Net. "Customers make the trade-off in exchange for personalised product promotions."

With RFID, people who buy clothing in a particular shop could take advantage of a system that offered automatic discounts if they returned to the store wearing the shop's RFID-tagged clothing. These kinds of applications could not be offered if RFID tags were automatically removed or destroyed at the point of sale. 


11:53:36 PM

News Item 5447 FT.com / World / US - US issues biometric passports despite concerns

The US has begun issuing passports that contain biometric information stored on remotely readable microchips, in spite of lingering security and privacy concerns.

Supporters of the new passports say they enhance border security, reduce the possibility of identity fraud and impose minimal burdens on travellers - all goals the US has been working towards since the September 11 attacks.

But civil liberties and privacy groups are uneasy about the formation of biometric information databases on US citizens and concerned that identity-theft rings, foreign government agents or even terrorist groups could "skim" information from the RFID chips or "eavesdrop" on the communication between official readers and the microchips.

Last month, security concerns about the new passports arose anew after a Dutch television programme detailed how, in July 2005, the Dutch security laboratory Riscure successfully penetrated the encryption scheme planned for use in forthcoming Dutch electronic passports.


11:48:11 PM

News Item 5446 Why Data Mining Won't Stop Terror.

Why Data Mining Won't Stop Terror. The U.S. government puts a lot of stock in the theory that computers programmed to sift through mountains of private consumer data can spot terrorists hidden in our midst. Too bad it can't work. Commentary by Bruce Schneier. [Wired News: Security Blanket]
11:44:18 PM

News Item 5445 European Commission to launch public inquiry into RFID.

European Commission to launch public inquiry into RFID. New legislation may be required to regulate the widespread use of RFID tags, the European Commission said Thursday, announcing the beginning of a public inquiry to identify citizens' concerns about the technology. [Computerworld Privacy News]
11:42:22 PM

News Item 5444 China to issue 1.3 billion RFID identification cards.

China to issue 1.3 billion RFID identification cards. China's Ministry of Public Security plans to issue more than 1.3 billion second-generation resident identification cards based on RFID chips, according to an industry analyst at In-Stat China. [Computerworld Privacy News]
11:40:17 PM

News Item 5443 Maryland House votes to oust Diebold machines.

Maryland House votes to oust Diebold machines. Maryland's House of Delegates voted 137-0 to replace the state's Diebold voting machines, valued at $90 million, until the manufacturer adds the ability to create a paper trail of votes. [Computerworld Privacy News]
11:38:03 PM

News Item 5442 Credit unions' identity-management systems need work, study says.

Credit unions' identity-management systems need work, study says. Credit unions are convinced that rolling out biometrics and other such identity-management systems is important, but most are still at the experimental stage, a new study finds. [Identity management news]
10:55:11 PM

News Item 5441 Congress Approves Weak PATRIOT Renewal Bill.

Congress Approves Weak PATRIOT Renewal Bill. The House approved a PATRIOT Act renewal bill on Tuesday that lacks meaningful privacy and civil liberties reforms. The Senate passed the bill last week. The bill will now go to President Bush for his signature. Senate Judiciary Committee Chairman Arlen Specter, who voted to renew the PATRIOT Act last week but vowed to continue fighting for reforms, co-sponsored a bill this week (S. 2369) with other Republican and Democratic Senators that contains the civil liberties protections that Congress failed to pass. CDT will urge other members to support Specter's bill. [Center for Democracy and Technology]
10:51:15 PM

News Item 5440 UK plans to make driving licences biometric.

UK plans to make driving licences biometric.

Darling explains not-an-ID-card-link

The British driving licence is to go biometric "at some stage" but, according to Transport Minister Alastair Darling, it will remain a distinct document from the planned UK identity card. Darling introduced the Road Safety Bill in the House of Commons this week, but said, "given that the same information will be required for both passports and driving licences, it makes sense to co-operate on them, but the two documents will be distinct".

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
10:48:39 PM

News Item 5439 USACM Position on DRM.

USACM Position on DRM.

The USACM (U.S. Public Policy Committee of the Association for Computing Machinery) has recently issued a set of policy recommendations regarding DRM. They are sensible and make for good reading.

It's good to see an association made up of technical professionals take a stance on the DRM-related issues pending in Congress, including the broadcast flag, analog hole, digital radio flag and DMCA reform. When it comes to these issues, Congress could use more sensible advice from engineers, rather than Hollywood lobbyists.

Here are the USACM principles:

  • Competition: Public policy should enable a variety of DRM approaches and systems to emerge, should allow and facilitate competition among them, and should encourage interoperability among them. No proprietary DRM technology should be mandated for use in any medium.
  • Copyright Balance: Because lawful use (including fair use) of copyrighted works is in the public's best interest, a person wishing to make lawful use of copyrighted material should not be prevented from doing so. As such, DRM systems should be mechanisms for reinforcing existing legal constraints on behavior (arising from copyright law or by reasonable contract), not as mechanisms for creating new legal constraints. Appropriate technical and/or legal safeguards should be in place to preserve lawful uses in cases where DRM systems cannot distinguish lawful uses from infringing uses.
  • Consumer Protection: DRM should not be used to interfere with the rights of consumers. Neither should DRM technologies interfere with any technology or use of consumer systems that are unrelated to the copyrighted items being managed. Policymakers should actively monitor actual use of DRM and amend policies as necessary to protect these rights and interests.
  • Privacy and Consent: Public policy should ensure that DRM systems may collect, store, and redistribute private information about users only to the extent required for their proper operation, that they follow fair information practices, and that they are subject to informed consent by users.
  • Research and Public Discourse: DRM systems and policies should not interfere with legitimate research, with discourse about research results, or with other matters of public concern. Laws and regulations concerning DRM should contain explicit provisions to protect this principle.
  • Targeted Policies: Public policies meant to reinforce copyright should be limited to applications where copyright interests are actually at stake. Laws and regulations concerning DRM should have limited scope, applying only where there is a realistic risk of copyright infringement.

[EFF: Deep Links]
10:30:20 PM

News Item 5438 NJ Bills Would Chill Online Anonymous Speech.

NJ Bills Would Chill Online Anonymous Speech.

A proposed New Jersey bill would eliminate online anonymous speech by requiring every Internet service provider, blog, and website that allows reader comments or provides open forums to demand user identification from every participant. Assemblyman Peter Biondi's A1327 would also require that service providers record your "legal name," and reveal your identity to anyone claiming to have been defamed, on pain of crippling liability. A similar bill, A2623, sponsored by Assemblymen Wilfredo Caraballo and Upendra J. Chivukula, would require ISPs to disclose user identities, as well as allow anyone to demand removal of published content, based on a mere defamation allegation. Not only are these bills bad policy, but they're also clearly prevented by the New Jersey and US Constitutions as well as federal law.

Curbing defamation online is a worthy goal, but most courts are already handling these claims well. EFF and others have worked hard to develop a set of tests for courts to use when deciding how to balance a speaker's anonymity rights with claims of defamation.

These new bills present "cures" that are far worse than the disease. Whistleblowers revealing corporate malfeasance, citizens complaining about political figures, assault victims seeking support groups, patients asking about controversial medical information - in these and many more instances, people need assurances that speaking online won't open them up to harassment. EFF has been involved in numerous cases in which companies, employers, politicians, and others have filed bogus defamation claims simply to learn someone's identity and intimidate him or her. A1327 and A2623 would give these tactics a free pass, chilling speech online.

And that's why federal law (namely, Section 230 of the Communications Decency Act of 1996) already preempts such state laws. Moreover, it is well-settled that the First Amendment shelters the right to speak anonymously. Even if the litany of US Supreme Court precedents rejecting this sort of law were not enough, New Jersey courts have held that attempts to unmask online speakers require strict procedural safeguards "as a means of ensuring that plaintiffs do not use discovery procedures to ascertain the identities of unknown defendants in order to harass, intimidate or silence critics in the public forum opportunities presented by the Internet."

These bills are simply a waste of time and taxpayer money. EFF hopes they will be nipped in the bud and will continue to monitor them. For more information about your legal rights, see our Legal Guide for Bloggers.

[EFF: Deep Links]
10:17:14 PM

News Item 5437 EFF - DMCA Subpoena Provision Still Endangers Privacy.

DMCA Subpoena Provision Still Endangers Privacy.

News.com reports that American Airlines has subpoenaed Google and YouTube, demanding the name of someone who posted an airline training video online. This is yet another abuse of DMCA 512(h), which allows copyright holders to unmask an Internet user's identity based on a mere allegation of infringement without any due process.

You might recall that EFF helped Verizon limit the scope of this dangerous statute when the RIAA attempted to attain the identities of P2P file sharing users. The D.C. Circuit Court of Appeals held that the provision doesn't apply to content residing on individuals' own computers.

But it still does apply to content on an online service provider's computer. So when you upload content to your website or blog, your privacy is still at risk. Someone could claim copyright infringement, and, without the notice, time, and information necessary to respond, you won't be able to protect your anonymity.

Until the law is changed to reinstate traditional due process protections, online service providers should voluntarily notify users to the best of their ability. Google regularly gives notice and apparently will do so in this case, while YouTube has already turned over the user's name, according to the News.com article. Internet users can also take privacy protection into their own hands by using tools like Tor.

[EFF: Deep Links]
10:13:41 PM

News Item 5436 House panel approves bill banning sale of phone records.

House panel approves bill banning sale of phone records. A U.S. House of Representatives committee today approved a bill that would make it illegal for online companies to sell phone records they obtained by posing as account holders. [Computerworld Data Mining News]
10:04:52 PM

News Item 5435 EFF - Stop the RIAA's Radio Interference!

Stop the RIAA's Radio Interference! Stop the Flags. What's even worse than the MPAA's TV broadcast flag? The RIAA's proposed flag for radio. A new bill introduced into Congress would saddle new digital radios with government-enforced restrictions, including prohibiting legal home recording that wasn't "authorized" by the RIAA, saddling all receivers with DRM, and limiting any future innovation in radio to existing "customary" uses. Tell your representative to keep the entertainment industry's hands off new technology and to oppose the audio flag! [EFF Action Alerts]
10:01:28 PM

News Item 5434 Wired News: Porn Billing Leak Exposes Buyers

Editor's note: Since publication of this article, iBill has spoken with Wired News. The company now says that the purportedly stolen database did not originate with iBill, and only three of the more than 17 million entries match past iBill customers. Asked to respond, Secure Science says it no longer believes that iBill was the source of the data. Read the full story.

Seventeen million customers of the online payment service iBill have had their personal information released onto the internet, where it's been bought and sold in a black market made up of fraud artists and spammers, security experts say.

The stolen data, examined by Wired News, includes names, phone numbers, addresses, e-mail addresses and internet IP addresses. Other fields in the compromised databases appear to be logins and passwords, credit-card types and purchase amounts, but credit-card numbers are not included.

The breach has broad privacy implications for the victims. Until it was brought low by legal and financial difficulties, iBill was a top credit-card processor for adult entertainment websites -- providing billing services for such outlets as DominaBDSM and Top-Nude.com.

The transactions documented in the database are dated between 1998 and 2003, spanning a period at the height of iBill's success.

9:55:52 PM