Encryption is great, especially on laptops that require a log-in to access and have a screen saver that requires a log-in, but encryption is not a panacea. Full-disk encryption only protects data while the machine is powered off or locked; once a user is logged in, the data is decrypted for every process running as that user. Likewise, if the applications developed to access the information are not secure, all the encryption in the world won't save you: an application that holds the key and decrypts records for any caller that asks exposes the plaintext no matter how the disk is encrypted. Technology-specific federal policy is a mistake. Publishing reports of data mining would be a great idea, as long as there is adequate oversight and some teeth in the bill if you don't accurately publish your activities.
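The point above, that encrypting data at rest does nothing against an insecure application that holds the key, as an added example that is not part of the original post or of either bill. The records table, the user names and the HMAC-based keystream cipher are constructed stand-ins (a real system would use an authenticated cipher such as AES-GCM with the key held outside the application); the two endpoint functions are hypothetical and exist only to contrast a missing authorization check with a correct one.

```python
import hashlib
import hmac
import os

# Constructed demo key; a real deployment would pull this from a key manager or HSM.
KEY = hashlib.sha256(b"constructed demo key - not a real secret").digest()
NONCE_LEN = 16


def _keystream(nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here only as a stand-in for a real
    authenticated cipher such as AES-GCM so the example runs on the stdlib."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext: bytes) -> bytes:
    """nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# Constructed records table: every SSN is encrypted at rest, so a stolen
# disk image or database dump reveals nothing without KEY.
RECORDS = {
    1001: {"owner": "alice", "ssn": encrypt(b"123-45-6789")},
    1002: {"owner": "bob",   "ssn": encrypt(b"987-65-4321")},
}


def get_ssn_insecure(session_user: str, record_id: int) -> str:
    """Vulnerable: any authenticated user may request any record id, and the
    application decrypts it.  Encryption at rest is irrelevant to this
    attack because the application itself holds the key."""
    return decrypt(RECORDS[record_id]["ssn"]).decode()


def get_ssn_hardened(session_user: str, record_id: int) -> str:
    """Authorize before decrypting: the caller must own the record, and a
    missing record is refused the same way as a foreign one so that record
    ids cannot be enumerated through the error message."""
    row = RECORDS.get(record_id)
    if row is None or row["owner"] != session_user:
        raise PermissionError(f"{session_user} may not read record {record_id}")
    return decrypt(row["ssn"]).decode()


def stored_bytes_leak(record_id: int, fragment: bytes) -> bool:
    """True if a plaintext fragment is visible in the at-rest ciphertext."""
    return fragment in RECORDS[record_id]["ssn"]


if __name__ == "__main__":
    print("bob via insecure endpoint:", get_ssn_insecure("bob", 1001))  # alice's SSN
    try:
        get_ssn_hardened("bob", 1001)
    except PermissionError as exc:
        print("bob via hardened endpoint:", exc)
    print("alice via hardened endpoint:", get_ssn_hardened("alice", 1001))
```

The at-rest check (`stored_bytes_leak`) passes for both endpoints; the difference between them is entirely in the authorization step, which is the check a mandated-encryption bill does not require and an application review does.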
Congress Introduces New Privacy Bills
Several new bills have been introduced this month, including the Federal Agency Data Privacy Protection Act in the House and the Federal Agency Data Mining Reporting Act of 2007 in the Senate.
The House bill requires the encryption of all "sensitive data" held by the federal government, such as social security numbers and medical, financial and criminal records, and limits the types and amounts of information that may be accessed by federal government employees and contractors.
The Senate bill requires the head of each federal department or agency to publish a report on any use or development of data mining activities.
H.R. 516, the Federal Agency Data Privacy Protection Act:
http://thomas.loc.gov/cgi-bin/bdquery/z?d110:h.r.00516:
S. 236, the Federal Agency Data Mining Reporting Act of 2007:
http://thomas.loc.gov/cgi-bin/bdquery/z?d110:S.236:
Wednesday, January 24, 2007
International Privacy rules
Some day, corporations will come together and realize they need to protect customer data. A start:
APEC 2007 news release: http://www.epic.org/redirect/apec12407.html
APEC Privacy Framework (pdf): http://www.epic.org/redirect/apf12407.html
Government of Australia Attorney-General's Office: Data Privacy at APEC 2007: http://www.epic.org/redirect/austag12407.html
Privacy and Human Rights 2005: Transborder Data Flows and Data Havens: http://www.epic.org/redirect/phr12407.html
Watch list endangers everyone's liberty
Rather than change the process of a watch list, we'll make it easier for you to complain about the change from assumed innocence to assumed guilt.
From EPIC
========================================================================
[4] DHS's Proposed Traveler Redress Program Does Not Help Passengers
========================================================================
The Department of Homeland Security recently announced that it will launch the Traveler Redress Inquiry Program on February 20, 2007. DHS described the program as "a central gateway to address watch list misidentification issues, situations where individuals believe they have faced screening problems at immigration points of entry, or have been unfairly or incorrectly delayed, denied boarding or identified for additional screening at our nation's transportation hubs." There are significant problems with the current redress process for travelers mistakenly matched to watch lists, but EPIC's Spotlight on Surveillance report explains that this system does not solve them.

The Transportation Security Administration (TSA) administers two lists of names of individuals suspected of posing "a risk of air piracy or terrorism or a threat to airline or passenger safety": a "no fly" list and a "selectee" list. The lists are sent to the airlines, which run passenger names against the lists. When a passenger checks in for a flight, he may be labeled a threat if his name matches an entry on one of the watch lists, even if he is not the person actually on the list. A match to the "no fly" list requires the airline to notify TSA and to call a law enforcement officer to detain and question the passenger. In the case of a Selectee, an "S" or special mark is printed on the individual's boarding pass and the person receives additional security screening. Customs and Border Protection also uses the lists to screen travelers.

There have been myriad stories about mistakes associated with the watch lists, with sometimes chilling results. An April 2006 report by the Department of Homeland Security's Privacy Office on the impact of the watch lists explained that "individuals who are mistakenly put on watch lists or who are misidentified as being on these lists can potentially face consequences ranging from inconvenience and delay to loss of liberty." The report described complaints "alleg[ing] misconduct or disrespect by airline, law enforcement, TSA or CBP officials" toward people mistakenly matched. According to the Privacy Office, "Some complaints alleged that officers [...] told another traveler that he and his wife and children were subjected to body searches because he was born in Iraq, is Arab, and Muslim."

The watch lists, which the National Counterterrorism Center says include 325,000 names, are rife with mistakes and "false positives". In December 2005, the director of TSA's redress office revealed that more than 30,000 people who are not terrorists have asked TSA to remove their names from the lists since September 11, 2001. Earlier this month, the head of TSA said that the watch lists were being reviewed, and he expected to cut the list of names in half.

The watch list errors and "false positive" problems arise currently not because there are three agencies processing redress requests, but because the records themselves are not subject to the Privacy Act. The lack of enforcement of Privacy Act obligations means that individuals are not given the opportunity to inspect, correct or limit the dissemination of inaccurate information. Greater transparency in the watch list process would lead to greater accuracy of the lists themselves.

Department of Homeland Security Press Release about TRIP: http://www.dhs.gov/xnews/releases/pr_1169062569230.shtm
Department of Homeland Security Privacy Office, Report (Apr. 27, 2006) (pdf): http://www.dhs.gov/xlibrary/assets/privacy/privacy_rpt_nofly.pdf
Government Accountability Office, "GAO-06-1031: Terrorist Watch List Screening: Efforts to Help Reduce Adverse Effects on the Public" (Sept. 2006) (pdf): http://www.gao.gov/new.items/d061031.pdf
EPIC's Spotlight on Surveillance on TRIP: http://www.epic.org/redirect/trip12407.html
EPIC's page on Passenger Profiling: http://www.epic.org/privacy/airtravel/profiling.html
Genetic privacy bill
The only downside I see to this bill is that it continues the status quo: instead of an omnibus privacy bill that covers the basics (like the Fair Information Practices outlined by the HEW report prior to the Privacy Act of 1974), we will continue to have a "patchwork".
========================================================================
[2] Genetic Privacy Bill Introduced
========================================================================
In a statement at the National Institutes of Health, President Bush called on Congress to pass legislation to protect genetic privacy, so that "medical research can go forward without an individual fearing personal discrimination". A genetic privacy bill, which passed the Senate in 2003 but died in the House, was reintroduced as the "Genetic Information Nondiscrimination Act of 2007" in the House on January 16.

The bill states that Congress finds that as advances in genetics open new opportunities for medical progress, these advances will also give rise to the potential misuse of genetic information to discriminate, particularly in the areas of health insurance and employment. The bill seeks to establish a national standard to prohibit genetic discrimination by health insurance providers and employers. Under the bill, these entities cannot require genetic testing, cannot determine premiums or eligibility for insurance or employment based on genetic information, and are limited in their collection and use of genetic information.

In the health insurance context, the bill prevents the collection of genetic information by group health plans and health insurance issuers, as well as requiring conformance with pre-existing confidentiality standards. The genetic information protected extends to the individually-identifiable genetic information of an individual and his or her family members, and includes information about requests for or receipt of genetic services.

The bill also prohibits employment discrimination on the basis of genetic information, making it unlawful for employers to use genetic information to refuse to hire, discharge or discriminate against any employee. Employers are also prohibited from collecting genetic information on employees. Exceptions exist for inadvertent collection, employer health or genetic services with employee consent, employer purchase of commercially and publicly available documents that do not include medical databases or court records, and genetic monitoring of biological effects of toxic substances in the workplace. Importantly, any information collected under these exceptions may not violate employment discrimination and confidentiality of genetic information.

EPIC has filed several amicus briefs in several cases in which it has argued for stronger privacy protection for genetic information.

White House News and Policies: Press Release http://www.whitehouse.gov/news/releases/2007/01/20070117-1.html
H.R. 493, the Genetic Information Nondiscrimination Act of 2007: http://thomas.loc.gov/cgi-bin/bdquery/z?d110:h.r.00493:
EPIC's page on genetic privacy: http://www.epic.org/privacy/genetic/
Monday, January 22, 2007
subcommittee on privacy
http://www.fcw.com/article97422-01-19-07-Web&newsletter=yes
Subcommittee will examine information privacy, security
Rep. Clay, the new chairman of the information policy subcommittee, plans to delve into problems highlighted by incidents of information breaches in 2006.
We'll see what comes of it...
Cutting no fly list in half
Curious action to take:
http://www.informationweek.com/news/showArticle.jhtml?articleID=196902162
I hope it is because half of the people were actually terrorists and were caught. That would be an interesting oversight measure: if these people are terrorists, why have they been categorized that way, and what progress are we making to clean up the list?
pretexting illegal
Seems like it would make more sense to define when you CAN pretend to be someone else, instead of legislating to technology:
http://www.informationweek.com/news/showArticle.jhtml?articleID=196901982
NSA surveillance program
In a reversal, the Bush administration is going to seek court approval for each wiretap in its domestic surveillance program. This doesn't change past actions, as pointed out in the article, and if I remember correctly, there IS no domestic surveillance program. Or there is but we are just focusing on foreign operatives. Or there is but we are not focusing on citizens, or we can't tell you who we are focusing on because of national security reasons, but it is all LEGAL, dammit! So stop asking.
http://www.informationweek.com/news/showArticle.jhtml?articleID=196902271
Wednesday, January 17, 2007
Data Mining and Privacy-testimony
The Privacy Implications of Government Data Mining Programs
The Senate Judiciary Committee's first hearing of the new Congress looked at the executive branch's use of data-mining programs. (Senate Judiciary Committee hearing, January 10, 2007)
http://judiciary.senate.gov/hearing.cfm?id=2438
Tuesday, January 9, 2007
net neutrality debate continues
AT&T may have made some concessions to acquire BellSouth, but a two year moratorium is interesting. Why two years? What happens in two years that may change the landscape?
AT&T's net-neutrality move may set precedent
By Jim Puzzanghera, Los Angeles Times
WASHINGTON — Edward Whitacre Jr., then chief executive of SBC, ignited an impassioned online debate about creating toll lanes on the Internet in late 2005, when he called Google and Yahoo! "nuts" for expecting free use of his company's network to deliver their content.
A little more than a year later, Whitacre may have taken a big step toward dousing that debate.
As head of the muscular new AT&T — SBC took the name when it acquired the venerable long-distance giant — Whitacre surprisingly agreed last week that his company would not sell premium delivery of Web content for the next two years. His decision could spur Congress to extend the ban to all Internet providers.
government oversight
They will have a LOT to look at! Abuse of power comes as no surprise, and it is not specific to any one party:
FCW Insider: Let the oversight begin
The new chairman of the House Oversight and Government Reform Committee, Rep. Henry Waxman, was on ABC News' This Week Sunday and said the committee will hold a week of hearings early next month to look at waste, fraud and abuse of government programs.
http://www.fcw.com/blogs/archives/editor/2007/01/let_the_oversig.asp
the environment and the government
After pulling the funding for libraries that archive information from the EPA, this is a change in what seems to be a different direction:
Web portal could help manage ecosystems
HumanDimensions.gov will help natural resource managers better understand the relationship between people and the environment.
http://www.fcw.com/article97288-01-08-07-Web&newsletter=yes
DOD seeking encryption
With mobile computing on the upswing, we will see the need for biometrics, encryption at rest, and remote data wiping increase over time. This article points to a positive recognition of this need:
DOD seeks commercial encryption software
The department wants to protect data-at-rest on mobile computers and storage devices.
http://www.fcw.com/article97296-01-08-07-Web&newsletter=yes
Thursday, January 4, 2007
07 congress initiatives?
http://www.networkworld.com/news/2006/122206-congress-in-07-privacy-and.html?page=1
Privacy and data breach notification, net neutrality, municipal wireless and H-1B visas are supposedly on tap.
I find it particularly interesting that the FCC has streamlined the TV over IP franchise process, which could take the steam out of a general telecommunications reform bill, limiting progress on net neutrality. The language in the recent AT&T merger conditions shows political will to move on net neutrality.
Privacy protections described in the article would bring us up to the level of other industrialized nations, if implemented.
Wednesday, January 3, 2007
track everyone, there is a criminal out there!
http://www.washingtonpost.com/wp-dyn/content/article/2006/12/25/AR2006122500483_pf.html
This article from the Washington Post is about the OneDOJ database that allows the DOJ to share case files with local law enforcement. These files include information on people that have not been arrested or charged with a crime.
land warrior system
http://www.fcw.com/article97100-12-13-06-Web&defnewsletter=yes
Getting more information to the soldiers in the field is a great thing, and some way to monitor and record decisions would be helpful for accountability and improved training. But imagine the possibilities for misuse if these tools get into "the wrong hands" (today's right hands are tomorrow's wrong hands) or get hacked: imaginary enemies, wrong coordinates for a target, etc. This is when we start talking about embedding chips in soldiers...
VA turn around plans
http://www.fcw.com/article97072-12-11-06-Web&secnewsletter=yes
I hope these changes come to fruition, but the statement that the VA laptop theft was a wake-up call for all of government is not borne out by the evidence of continuing data thefts.
privacy risks
http://www.fcw.com/article97075-12-11-06-Web&secnewsletter=yes
An example of implementing technology before understanding the real-world implications or instituting appropriate policies: one million passports with hackable RFID tags isn't a sign of progress.
traveler information and privacy
http://www.eweek.com/article2/0,1895,2077595,00.asp?kc=EWGOVEMNL010307EOAD
One of the Fair Information Practices outlined by the Department of Health, Education and Welfare committee prior to the 1974 Privacy Act was that information should only be used for the purposes for which it was collected. Many European countries have taken this practice to heart; the US hasn't, and this article demonstrates the risk.
genetic database of veterans
http://www.fcw.com/article96946-12-27-06
The article points out the need to address the ethical and privacy issues raised. These issues should be addressed PRIOR to collecting this information, and handing over your genetic information to an agency that recently had a massive security breach is asking for a disaster.
federal info security spending
Security is only 10% of the budget; some day that will mean it is integrated into every purchase and business decision. Until security is the concern of each individual, not just the CIO, we will continue to see these massive data breaches on a regular basis:
http://www.fcw.com/article97197-01-02-07-
AT&T and BellSouth Merger
The FCC has approved the AT&T / BellSouth merger. Net neutrality advocates seem to be happy with the strong language related to net neutrality, but this language seems unenforceable. We'll have to wait and see whether the principle behind the language is followed, or some interpretation of:
a neutral network and neutral routing in its wireline broadband Internet access service
and
any service that privileges, degrades or prioritizes any packet transmitted over AT&T/BellSouth's wireline broadband Internet access service based on its source, ownership or destination.
http://arstechnica.com/news.ars/post/20061230-8523.html