Clarke I: Less Privacy with Bush Protection Plan
By Allan Holmes | Wednesday, March 12, 2008  |  05:31 PM

Richard Clarke, former special adviser on cybersecurity for President Bush and an outspoken critic of the Bush administration, recently criticized the national electronic security initiative Bush signed in January. According to an article posted by InfoWorld today, Clarke raised the specter that Americans' privacy could be at stake because the initiative focuses on "securing the government's own computing and communications networks, and adopting a more proactive approach to engaging in cyber-warfare."

If that is true, Clarke says:

There's the idea that somehow these are government networks that we're talking about, but they really aren't. All these government sites are running through the same network of routers and the same fiber channels as everything else; there's no segmentation on these carrier networks. This means that [the plan's authors] either don't know that and merely think they need to reinforce security on state-owned servers, or data in their own facilities, in which case they are missing most of the problem, or that they plan to do monitoring of everything going through the carriers' systems.





Log on and Get Fired
By Allan Holmes | Tuesday, March 11, 2008  |  05:28 PM

U.S. News & World Report outlines in an article posted today five ways that using your PC can get you fired. Of course, there's the viewing of inappropriate content and playing games like Solitaire. (New York City Mayor Michael Bloomberg fired an employee after seeing the game on his computer monitor.) But also included on the list are some not-so-obvious uses, such as blogging, posting photos on your social network site and writing inappropriate or offensive emails. These offenses happen more than you may think: "Nearly one third of bosses have fired workers for misusing the Internet, according to a recent study by the American Management Association and the ePolicy Institute," U.S. News reports.






More Evidence That TIA Lives
By Allan Holmes | Monday, March 10, 2008  |  06:20 PM

Concerns that the Total Information Awareness system (a network to sift through Americans' personal data) never truly was killed were resurrected (again) by the Wall Street Journal in an article published March 10. "According to current and former intelligence officials, the spy agency [National Security Agency] now monitors huge volumes of records of domestic emails and Internet searches as well as bank transfers, credit-card transactions, travel and telephone records," according to the article. The Journal cites a Federal Bureau of Investigation program to track telecommunications data called the Digital Collection System, which has attracted the attention of Congress.

One of those speculating that this has been going on for some time has been National Journal's Shane Harris.






Cybersecurity Leak Personal for Grimes
By Jill R. Aitoro | Tuesday, March 04, 2008  |  01:32 PM

Revealing some of the inside frustration that comes with leaks to the press, John Grimes, chief information officer and assistant secretary of networks and information infrastructure at the Defense Department, said a “disloyal” person was to blame for disclosing information about President Bush’s Cyber Initiative, reportedly totaling several billion dollars.

It was unclear whether the disloyal individual Grimes referred to in his morning session at the Information Processing Interagency Conference was the person inside government that leaked the information or the reporter with The Wall Street Journal that decided to run with the story. Regardless, he seemed to take personally the release of details on the White House cybersecurity directive signed by President Bush in January.

“We did not want this public until we got [various issues] resolved,” including those relating to privacy, Grimes said, referencing the numerous hearings that have been scheduled since the story broke. Each hearing requires executives at Defense, the departments of Homeland Security and State, and the Office of National Intelligence to prepare to testify.

“This comes down to political [culture] of decisions,” Grimes said. “Whether an attack is an act of war or criminal -- who makes that decision?”

Reports from news outlets seem to have prompted the release of some details – though not many – about the cybersecurity initiative. Most recently, DHS secretary Michael Chertoff released remarks made to a roundtable of bloggers.

"We are beginning our cyberstrategy," he said. "That will not be done this year, but I'm hoping we can get it, a cybercenter, up and running, and have a full set of plans and a funding budget to move forward over the next several years to get to the next level of cybersecurity."






AT&T, NSA Get 'Culture Jammed'
By Allan Holmes | Thursday, February 28, 2008  |  11:18 AM

The Billboard Liberation Front, a group of so-called "culture jammers" who, among other acts, alter the wording of billboard advertisements to make a political or anti-corporate message, have hit again. The group has claimed credit for altering an AT&T billboard in San Francisco to protest AT&T's collaboration with the National Security Agency's warrantless wiretapping of Americans' phones and Internet usage.


[Image: the altered AT&T billboard]
The billboard came a bit too late to influence the telecoms, which announced this past week that they would continue the surveillance program.

Hat tip: boingboing






What? A HIPAA Violation?
By Allan Holmes | Wednesday, February 27, 2008  |  04:46 PM

This may not seem like an unusual news story, but an Oklahoma City woman was accused this month of violating the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the federal law that requires companies to properly secure personal medical records of patients and employees, or face fines or criminal prosecution. What's unusual about this story is that in the nearly 12 years HIPAA has been around, the number of HIPAA violations and criminal cases has been extremely low -- almost non-existent.

Considering that a large portion of American corporations -- as much as 40 percent back in 2006 -- were not in compliance with the law, a lone case seems even more incredible. The reason for the non-compliance, privacy and security experts say, is that it pays not to comply. The risk of being caught is so low compared with the cost of compliance, which is high, that the business case argues for not complying. The return on investment for securing private health data just isn't there. Privacy experts may have a different point of view.






Google Moves into E-Health
By Jill R. Aitoro | Friday, February 22, 2008  |  02:36 PM

Google engineering manager Alan Newberger blogged yesterday about the software giant’s pilot program with Cleveland Clinic, which integrates patients’ electronic health records with their Google accounts. The initiative seems the first step in a long-term goal to provide citizens with universal access to their medical histories, and the ability to quickly exchange information with insurance plans, medical groups, pharmacies and hospitals.

Patients don’t have to participate in the program. Those that opt in will give authorization via Google’s “AuthSub” interface. Still, the initiative is sounding the alarm bells for privacy rights groups – the same groups that have spoken out against a national health network and other government-sponsored electronic health efforts.

Maybe a watchful eye on how Google handles the situation, including the very real privacy and confidentiality concerns, will provide the federal government a clue on how to get their own initiatives moving. It certainly wouldn’t be the first time industry paved the road.






USA Jobs vs. Monster Update
By Allan Holmes | Tuesday, February 12, 2008  |  04:32 PM

Late last year we blogged about a feature from CSO Magazine on the dos and don'ts of disclosure letters, those messages to customers and citizens informing them that their personal information may have been stolen. The feature compared how Monster.com and USA Jobs, the federal government’s site for job openings, informed the public after a hacker infiltrated Monster.com’s database of resumes in August. About 146,000 names and contact information of job seekers on the USA JOBS Web site were stolen.

At the time, CSO hadn't posted the article, but the site recently posted the comparison online. The interesting takeaway here is that the federal government, according to public relations experts, did a better job in communicating to the public than Monster did.






An 'Award Winning' Definition of Privacy
By Allan Holmes | Tuesday, January 29, 2008  |  05:39 PM

The Web site for CSO (that's Chief Security Officer) Magazine recently gave out its "Privvy" awards for 2007 -- dubious recognition for people who utter the most provocative and/or telling statements about privacy. One of the winners is a federal government executive: Deputy Director of National Intelligence Donald Kerr, who won the "Doubleplusgood Newspeak of the Year" award for this quote:

"Too often, privacy has been equated with anonymity; and it’s an idea that is deeply rooted in American culture.... But in our interconnected and wireless world, anonymity—or the appearance of anonymity—is quickly becoming a thing of the past.... We need to move beyond the construct that equates anonymity with privacy and focus more on how we can protect essential privacy in this interconnected environment. Protecting anonymity isn’t a fight that can be won. Anyone that’s typed in their name on Google understands that." Privacy advocates seized on Kerr’s Orwellian attempt to singlehandedly change the definition of privacy because, hey, it’s really hard. (Source: Office of the Director of Naval Intelligence.)





For McConnell, Security Trumps Privacy
By Allan Holmes | Tuesday, January 15, 2008  |  05:26 PM

Privacy and security have always been a tug-of-war issue: The argument is you have to give up some privacy to get some security. Mike McConnell, the director of national intelligence, is working on a cybersecurity plan that would ask Americans to give up a lot of privacy to get their security, according to a New Yorker article. (Subscription required.)

The proposal that is getting the most attention is giving the government the ability to search "the content of any email, file transfer or web search," according to an article on vnunet.com.

According to that article, the New Yorker author, Lawrence Wright:

suggested that this kind of monitoring is already going on. He spoke to an AT&T employee, Mark Klein, who claimed that he installed data switching systems in the company's exchange that copied all internet traffic to the National Security Agency.

"I know that whatever went across those cables was copied and the entire data stream was copied," said Klein. "We are talking about domestic as well as international traffic."

He added that previous claims by the Bush administration that only international communications were being intercepted are not accurate.






One Way to Stop Exposing SSNs
By Allan Holmes | Friday, January 11, 2008  |  05:45 PM

A Wisconsin government agency, like some companies, federal agencies and other organizations, has decided that the way to avoid accidentally exposing Social Security Numbers is to, well, not use them at all to identify citizens. The state's Department of Health and Family Services, which administers the state's Medicaid program, said this week that it would randomly generate ID numbers for the state's 800,000 Medicaid recipients instead of using their Social Security Number. The announcement immediately follows an incident in which EDS, which holds the contract to process the state's Medicaid claims, accidentally printed and mailed the Social Security Numbers of Wisconsin Medicaid recipients on newsletters. Another Wisconsin agency made a similar mistake last year.

Universities, companies and the state of California -- a leader in passing laws to protect personal information -- have issued rules and guidelines to limit the use of Social Security Numbers. The Office of Management and Budget has weighed in as well.

Ironically, Wisconsin was a pioneer in protecting privacy. In 1993, the state established the position of privacy advocate, whose job it was to make sure the state was following policies and procedures that protected Wisconsinites' private information. But just two years later, Wisconsin Gov. Tommy Thompson (R) (who served as secretary of the Department of Health and Human Services from 2001-2004) eliminated the privacy office in his 1995-1997 budget. Now the state's ability to protect privacy has eroded so much that Carole Doeppers, Wisconsin's only privacy advocate, told The Capital Times that the state government has no manageable way to protect data. "We've totally lost control of how government collects and uses and reuses and shares and disseminates information. We've just lost all control of that."






Calif. Expands Privacy Protections; U.S. Sits By
By Allan Holmes | Friday, January 11, 2008  |  04:48 PM

California has led the nation in passing laws to protect private data, and it continues to hold true to the role. This past Tuesday, a California law went into effect expanding the state's groundbreaking security breach notification law, the nation's first law requiring companies to notify customers if a cyberattack exposes personal financial information.

The law now applies to personal health records. Security breaches that expose unencrypted medical histories, information on mental or physical conditions, and medical treatments and diagnoses are covered under the law. The law also applies to the insurance industry. If unencrypted insurance policy or subscriber numbers, insurance applications, claims histories or appeals are exposed through a security breach, insurance companies or the medical facilities storing the data must notify the individuals whose records were possibly stolen or viewed.

The law becomes effective at an auspicious moment, notes the San Francisco Chronicle:

In July 2006, Republican Gov. Arnold Schwarzenegger issued an executive order to store medical records on computers, which probably will result in more data breaches, said Robert Herrell, a legislative assistant to Assemblyman Dave Jones, D-Sacramento, who wrote the bill.

In December, Sutter Lakeside Hospital in Lakeport (Lake County) notified 45,000 patients, doctors and employees after a contractor downloaded their records onto a hospital laptop, took it home and the machine was stolen.

The expanded law led editors of the SANS Institute's “newsbites” section to wonder when Congress will finally pass legislation that protects personal data for all Americans: "Other states will undoubtedly once again follow California's lead. A disturbing question, however, is why the U.S. government has not yet passed legislation with similar provisions."






Predict What's Going to Happen in 2008
By Allan Holmes | Wednesday, December 12, 2007  |  02:52 PM

We think you, the technology manager in the federal government and industry, have a pretty good insight into just what are the hot issues and events that will unfold in 2008 for the federal IT market. Over the past few weeks we've invited you to take an online survey to let us know what you think; we just want to take this opportunity to invite you to take the survey again, if you haven’t.

We are conducting the survey in conjunction with our friends at Government Futures, which is also offering readers a chance to place bets on what’s going to happen in the federal IT community using the prediction markets on Government Future's Web site.

If you have taken the survey and placed your bets, thank you. If you haven't, please visit the site and give us your opinions. The questions cover a number of hot areas, including information security, the next-generation Internet and federal information technology spending.

In January, we’ll host a webinar to discuss the results of the survey and present an analysis of the predictions.

In the December issue of Government Executive, we discuss some trends that IT experts told us would be important. Now, we want your opinion. So, please take the survey and join the government futures market to help us figure it out.






Lawyers Accuse Feds of Tapping Phone, Hacking
By Allan Holmes | Friday, October 12, 2007  |  08:45 AM

This news item certainly will heap more suspicion on the Bush administration’s tactics for fighting terrorism.

A law firm in Vermont, which represents a client in Afghanistan and a prisoner at Guantanamo Bay, is accusing the federal government of tapping its phones and hacking into a computer used by one of the firm's partners, according to an article posted by the Burlington Free Press. Three partners in the law firm Gensburg, Atwell & Broderick recently sent a letter to clients telling them the firm "can't guarantee their communications were confidential," according to the article. The firm said it had found its phone lines crossed and that a computer forensic examination of the computer used by Robert Gensburg "found an application that disabled all security software and would have given someone access to all information on the computer," according to the article.

Gensburg said there may be an innocent explanation for the problems -- such as he may have accidentally downloaded some malware from the Internet -- but "we are quite confident that it is the United States government that has been doing the phone tapping and computer hacking," the lawyers wrote in their Oct. 2 letter to clients.

According to the article, there's no comment from U.S. officials or Verizon, which operates the phone lines for the law firm and is one of the telecommunication firms named in the Bush administration’s wiretapping program after 9/11:

U.S. Attorney Thomas D. Anderson, the federal government's top law enforcement official in Vermont, said Thursday that he couldn't comment. Verizon has consistently refused to comment on whether it is involved with national security issues, spokeswoman Beth Fastiggi said Thursday.





Detecting Employee Computer Fraud
By Allan Holmes | Thursday, October 11, 2007  |  11:29 AM

An article on a Web site operated by the Detroit Free Press about a driver's license fraud scheme in Michigan's Secretary of State's office raises an interesting question.

This month, a pair of Michigan state employees was caught selling fake driver's licenses, license plates and vehicle registration tags. The employees would identify a customer interested in obtaining the fake licenses and registration, would take the person's photo and then "use the name and personal information of an unwitting person already in the Secretary of State computer system" to produce the fake documents, according to the article.

This is the unnerving part: "The case broke after a sheriff's deputy noticed a fraudulent temporary license plate during a routine traffic stop," according to the article. The two employees' illegal activity on the state computer system was never flagged by the network. With the knowledge that most computer crimes come from within an organization, not from outside hackers, why wasn't the state system programmed to flag this unusual activity?
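The question of what an issuance system could have flagged is worth making concrete. The following is an added example, not code from the original post or from the Michigan Secretary of State; the log format, field names, clerk and record ids, and the `ON_FILE` table are all constructed for illustration. It runs three generic insider-fraud checks over a constructed audit trail: a document issued by a clerk who performed no identity check on that record the same day, a "new" document issued against a record that already has one on file, and a clerk whose daily issuance volume is far above that of peers.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional, Set

# Constructed audit-trail sample for a credential-issuance system. The
# field names, clerk ids and record ids are assumptions for this example,
# not the real log format of any state system.
SAMPLE_LOG = """\
2007-10-01 09:02:11 clerk=c101 action=ID_CHECK record=R-1001
2007-10-01 09:04:40 clerk=c101 action=ISSUE doc=LICENSE record=R-1001 reason=RENEW
2007-10-01 09:30:05 clerk=c102 action=ID_CHECK record=R-1002
2007-10-01 09:33:19 clerk=c102 action=ISSUE doc=LICENSE record=R-1002 reason=NEW
2007-10-01 10:10:52 clerk=c117 action=ISSUE doc=LICENSE record=R-2001 reason=NEW
2007-10-01 10:11:30 clerk=c117 action=ISSUE doc=PLATE record=R-2001 reason=NEW
2007-10-01 10:40:02 clerk=c117 action=ISSUE doc=LICENSE record=R-2002 reason=NEW
2007-10-01 11:05:44 clerk=c117 action=ISSUE doc=LICENSE record=R-2003 reason=NEW
2007-10-01 11:06:10 clerk=c117 action=ISSUE doc=PLATE record=R-2003 reason=NEW
2007-10-01 13:15:00 clerk=c103 action=ID_CHECK record=R-1003
2007-10-01 13:17:25 clerk=c103 action=ISSUE doc=LICENSE record=R-1003 reason=NEW
"""

# Documents already on file before this log window (constructed). R-2001
# to R-2003 are existing customers whose identities are being reused.
ON_FILE: Dict[str, Set[str]] = {
    "R-1001": {"LICENSE"},
    "R-2001": {"LICENSE"},
    "R-2002": {"LICENSE"},
    "R-2003": {"LICENSE"},
}


@dataclass(frozen=True)
class Alert:
    rule: str
    clerk: str
    record: Optional[str]
    detail: str


KV = re.compile(r"(\w+)=(\S+)")


def parse_log(text: str) -> List[dict]:
    """Turn 'date time key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, rest = line.split(" ", 2)
        fields = dict(KV.findall(rest))
        fields.update(date=date, time=time)
        events.append(fields)
    return events


def detect(log_text: str, on_file: Dict[str, Set[str]],
           volume_factor: float = 2.0, volume_min: int = 3) -> List[Alert]:
    events = parse_log(log_text)
    alerts: List[Alert] = []
    checked = set()            # (date, clerk, record) with an ID_CHECK
    issued: Counter = Counter()  # (date, clerk) -> number of ISSUE events
    for e in events:
        key = (e["date"], e["clerk"], e.get("record"))
        if e["action"] == "ID_CHECK":
            checked.add(key)
        elif e["action"] == "ISSUE":
            issued[(e["date"], e["clerk"])] += 1
            # Rule 1: issuance without an identity check by that clerk that day.
            if key not in checked:
                alerts.append(Alert("NO_ID_CHECK", e["clerk"], e["record"],
                                    f"{e['doc']} issued without a prior ID_CHECK"))
            # Rule 2: a "new" document for a record that already holds one.
            if e.get("reason") == "NEW" and e["doc"] in on_file.get(e["record"], set()):
                alerts.append(Alert("DUPLICATE_NEW", e["clerk"], e["record"],
                                    f"new {e['doc']} issued but one is already on file"))
    # Rule 3: per-day issuance volume well above the peer median.
    per_day: Dict[str, Dict[str, int]] = defaultdict(dict)
    for (date, clerk), n in issued.items():
        per_day[date][clerk] = n
    for date, counts in per_day.items():
        if len(counts) < 2:
            continue
        for clerk, n in counts.items():
            peer_median = median([v for c, v in counts.items() if c != clerk])
            if n >= volume_min and n > volume_factor * peer_median:
                alerts.append(Alert("VOLUME", clerk, None,
                                    f"{n} issuances on {date}, peer median {peer_median}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, ON_FILE):
        print(alert)
```

On the constructed sample only clerk c117 trips any rule; the renewal for R-1001 is not reported as a duplicate because the `reason` field distinguishes a renewal from a fresh issuance. In practice such rules feed a review queue rather than block the transaction, and the thresholds would be tuned against an office's normal workload.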

In addition, the article quotes Wayne County Sheriff Warren Evans musing about how "it is incredible in a post-Sept. 11 world that a government employee would provide anyone with picture identification under a false name." Maybe it's not that incredible, as illustrated by this Washington Post article. (As was the situation in the Michigan fraud case, this case was not broken by the state Department of Motor Vehicles but by the U.S. State Department's Bureau of Diplomatic Security.)

In the end, this Michigan case is what the Homeland Security Department can point to in its ongoing effort to enforce Real ID.






Visit DHS Privacy Web Site -- Please
By Bob Brewin | Thursday, October 11, 2007  |  09:48 AM

That’s just one of the messages delivered yesterday by Hugo Teufel III, chief privacy officer of the Department of Homeland Security, at a Radio Frequency Identification (RFID) conference in Washington.

Teufel said the privacy Web site shows the agency is as serious about protecting privacy as it is about protecting borders. But Teufel wishes more people would visit the site; he said it may be one of the least visited federal Web sites out there.

Teufel, who has the only privacy job in any federal agency or department mandated by law, turns out to be a passionate advocate for privacy. DHS, Teufel said, needs to ensure it protects privacy and civil liberties so it can succeed in its mission of combating terrorism. Teufel says this includes transparency, data minimization and accountability, applied through technology assessments such as last year’s paper on the use of RFID for human identity verification, to make sure projects that would use RFID for personal identification (like the planned Western Hemisphere Travel Initiative) don’t erode civil liberties.

Teufel says he is well aware that the United States was founded by “people with a profound distrust of the government” and strives to ensure that DHS policies and practices do not cause distrust today.

I admire his strong stance and position, but have to contrast it with DHS efforts to ram through the Real ID Act, which requires that high-tech driver's licenses meet federal standards and which is opposed by an increasing number of states. This summer DHS Secretary Michael Chertoff told the National Conference of State Legislatures that residents of states who do not comply with the REAL ID Act by May 2008 will need to show their passports for all "federal purposes,” including, presumably, entering any federal building including local post offices.

Somehow, the thought of having to produce a passport to buy a stamp at the post office in my hometown of Las Vegas, N.M., (if New Mexico does not adopt Real ID driver's licenses) does not make me feel more secure, or that DHS really cares about privacy or that top DHS management understands citizens still have a deep distrust of government.






JPL Workers Sue Over HSPD-12 Checks
By Allan Holmes | Friday, August 31, 2007  |  01:43 PM

Scientists and engineers at the Jet Propulsion Laboratory are suing NASA and the California Institute of Technology, which manages JPL, over what they say are unwarranted and overly personal background checks under the governmentwide access cards required under Homeland Security Presidential Directive - 12, according to an article by the Associated Press.

The lawsuit was filed by 28 plaintiffs, many of whom “have worked on such projects as the Mars rovers, the Galileo probe to Jupiter and the Cassini mission to Saturn, but none are involved in classified work, according to the suit,” AP reports. “It seeks class-action status to represent similar JPL employees.”

The Department of Commerce also has been named in the suit because the department promulgates federal identification standards. To obtain an identification card, which will give employees access to federal buildings and computers, employees must fill out a form asking them about employment history, past residences and any illegal drug use.

More from the article:

The suit claims the directive was concerned "exclusively with the establishment of a common identification standard" and "contemplates no additional background investigation or suitability determination beyond that already required by law."

But according to the lawsuit, the Commerce Department and NASA instituted requirements that employees and contractors permit sweeping background checks to qualify for credentials and refusal would mean the loss of their jobs.

NASA calls on employees to permit investigators to delve into medical, financial and past employment records, and to question friends and acquaintances about everything from their finances to sex lives, according to the suit. The requirements apply to everyone from janitors to visiting professors.

The suit is structured so that it can become a class action suit. Could this just be the tip of the iceberg?






Identity Giveaway
By Allan Holmes | Friday, August 24, 2007  |  12:19 PM

It's one thing to have a hacker stealthily navigate past your firewall, slither by your intrusion detection software, and fiendishly gain access to a database to steal customers' personal information. It's another to have your operations department just send the information out through the mail.

That's exactly what the California Public Employees' Retirement System, better known as CalPERS, did this month when it sent about 400,000 brochures containing members' Social Security numbers clearly visible through the address window. A CalPERS spokesman downplayed the incident, saying the Social Security numbers printed on the brochure did not have hyphens, making it more difficult to identify the string of numbers as a Social Security number.

CalPERS sent a letter to members apologizing for the mistake and is conducting an investigation to find out why the SSNs were printed on the brochures. The organization also is providing privacy security awareness training for employees.
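Two of the posts above point at the same pair of controls: the Wisconsin Medicaid program ("One Way to Stop Exposing SSNs") replaced Social Security Numbers with randomly generated identifiers, and the CalPERS mailing shows why an outgoing-mail check for SSN-shaped numbers should not depend on hyphens. The following is an added example, not code from the original posts or from CalPERS or Wisconsin; the mail-piece layout, the `M` prefix and length of the generated member id, and the sample names and numbers are all constructed for illustration. It scans the address-window lines of each piece for nine-digit numbers with or without separators, filters out values the Social Security Administration never issues (which also removes ZIP+4 codes), and generates replacement ids that cannot be mistaken for an SSN.

```python
import re
import secrets
from typing import List, Set, Tuple

# Candidate SSN: three, two and four digits with optional hyphen or space
# separators, bounded by non-digits so a longer digit run is not split up.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules the SSA publishes: area is never 000, 666 or
    900-999; group is never 00; serial is never 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def find_ssns(text: str) -> List[str]:
    """Return every SSN-shaped number in text, hyphenated or not."""
    return [m.group(0) for m in SSN_CANDIDATE.finditer(text)
            if plausible_ssn(*m.groups())]


def scan_mailing(pieces: List[Tuple[str, str]], window_lines: int = 4) -> List[str]:
    """Flag pieces whose first window_lines lines (the part an address
    window would expose) contain an SSN-shaped number."""
    flagged = []
    for piece_id, text in pieces:
        window = "\n".join(text.splitlines()[:window_lines])
        if find_ssns(window):
            flagged.append(piece_id)
    return flagged


def new_member_id(existing: Set[str], digits: int = 10) -> str:
    """Random member id with no relation to the SSN. The 'M' prefix and
    ten-digit length are assumptions for this example; the prefix also
    keeps the id from ever matching the SSN pattern."""
    alphabet = "0123456789"
    while True:
        candidate = "M" + "".join(secrets.choice(alphabet) for _ in range(digits))
        if candidate not in existing and not find_ssns(candidate):
            existing.add(candidate)
            return candidate


# Constructed mail pieces; none of these numbers belong to a real person.
# A: hyphenated SSN.  B: unhyphenated SSN (the CalPERS situation).
# C: a random member id plus a ZIP+4.  D: a phone number.
PIECES: List[Tuple[str, str]] = [
    ("A", "JANE Q PUBLIC\n123-45-6789\n100 MAIN ST\nSACRAMENTO CA 95814\n"),
    ("B", "JOHN DOE\n287654321\n200 OAK AVE\nFRESNO CA 93721\n"),
    ("C", "PAT LEE\nM4401928773\n300 PINE RD\nSAN DIEGO CA 92101-1234\n"),
    ("D", "SAM ROE\n(916) 555-0100\n400 ELM ST\nCHICO CA 95926\n"),
]


if __name__ == "__main__":
    print("pieces to hold back:", scan_mailing(PIECES))
    print("example replacement id:", new_member_id(set()))
```

The check catches piece B even though its number has no hyphens, which is the case the CalPERS spokesman described as harder to recognize; the ZIP+4 in piece C is rejected only because its first three digits fall in the 900 range, so a production filter would also want to exclude matches immediately following a state abbreviation or inside a known address field.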

Hat tip: Pensions and Investments






More IRS Phishing
By Allan Holmes | Thursday, August 23, 2007  |  01:38 PM

Federal agencies increasingly have been the subject of phishing scams this summer, and there seems to be no end to it. Below is an email I received late last night in my Outlook inbox. The email successfully eluded the spam filter.

[Image: screenshot of the IRS phishing email]
The IRS confirms that the email is a fraud, making it part of the 161 phishing scams that the IRS has identified this year, an IRS spokeswoman says. The IRS has received 14,000 emails from individuals who have forwarded on suspicious looking emails to phishing@irs.gov, a mailbox the IRS set up last year for individuals to send emails that look like they may be scams.

The IRS has issued a number of warnings in the past 18 months alerting individuals to fraudulent emails claiming to come from the IRS.

Phishers are also using the Justice Department and Federal Trade Commission to launch attacks designed to trick individuals into giving up personal information or downloading malware. The agencies report that the emails look quite sophisticated. However, this email doesn't look professional enough to come from the IRS, although I would hazard to guess that many individuals would be fooled by the official IRS logo and the screened copyright statement at the bottom.

But I'm not too convinced that the IRS would use phrases such as "the last annual calculations of your fiscal activity," and the pedestrian Courier font gives the email more than a hint of illegitimacy.

Again, sadly, it must be working.






More Calls for Cameras
By Allan Holmes | Monday, August 20, 2007  |  03:24 PM

Police departments nationwide continue to push their local jurisdictions to provide more surveillance cameras mounted throughout cities to capture images of crowds and traffic in hopes of solving crimes. The latest request comes from Alameda Co., Calif., where the county seat is Oakland. County police chiefs have asked the Alameda County Congestion Management Agency to begin recording the traffic from about two dozen cameras that stream images of traffic on San Pablo Ave., a major thoroughfare through the county, according to an article in The Oakland Tribune.

The police say if the traffic on the avenue had been recorded (the congestion agency does not store traffic video streams), they could have identified cars used in crimes and then worked from there to identify suspects. Police Chief Scott Kirkland in El Cerrito, Calif., in Alameda Co. says the footage could have helped the police department solve the 2005 killings of a gas station clerk, a customer of a hamburger joint, a teenager, a restaurateur in 2007, and a robbery victim last month.

Ever since cameras in London helped police there identify and arrest in June the suspected plotters of the foiled car bomb attacks, many public policy experts have argued for more cameras in U.S. cities. Here's a recent Tech Insider post on the subject.

But privacy advocates have raised concerns, similar to the objections raised in Alameda Co. Privacy advocates there say that if the county's cameras stored the footage, and if the cameras were upgraded so that license plates and other details of the cars and traffic could be viewed, the police may be tempted to use the information for other purposes that infringe on our right to privacy.

An interesting note about the Oakland Tribune article is that no one in the article made the argument against the privacy advocates' position by saying that drivers and pedestrians who have nothing to hide shouldn't worry about the cameras. I bring up again a recent post about a compelling paper (access to paper here) written on that very subject by George Washington University law professor Daniel J. Solove. The paper, "'I've Got Nothing to Hide' and Other Misunderstandings of Privacy," is worth a read and its arguments are too detailed to go into here. One quick quote, however: "The key misunderstanding is that the 'nothing to hide' argument views privacy in a particular way – as a form of secrecy, as the right to hide things. But there are many other types of harm involved beyond exposing one’s secrets to the government."

To find out what those might be, read the paper.






Busting the 'Nothing to Hide' Argument
By Allan Holmes | Monday, July 16, 2007  |  02:25 PM

We've all heard the argument before: "Why should you worry about the government looking into your personal records if you have nothing to hide?" Daniel J. Solove, an associate professor of law at The George Washington University Law School, analyzes that argument in a recently published paper titled "I've Got Nothing to Hide and Other Misunderstandings of Privacy."

Solove argues that "the question assumes faulty assumptions about privacy and its value." Those who make the "nothing to hide" argument fail to understand the chilling effect that surveillance has on public discourse, the fact that small bits of private data (which an individual may not object to being uncovered) when put together form a larger and more intimate profile (which an individual may object to), and the mistake of having one's profile mistakenly associated with a group that is labeled as threatening.

Here's an excerpt from the paper, which was published in the latest issue of the San Diego Law Review:

[T]he problem with the “nothing to hide” argument is that it focuses on just one or two particular kinds of privacy problems – the disclosure of personal information or surveillance – and not others. It assumes a particular view about what privacy entails, and it sets the terms for debate in a manner that is often unproductive.

It is important to distinguish here between two ways of justifying a program such as the NSA surveillance and data mining program. First is to not recognize a problem. This is how the “nothing to hide” argument works. It denies even the existence of a problem. The second manner of justifying such a program is to acknowledge the problems but contend that the benefits of the NSA program outweigh the privacy harms. The first justification influences the second, for the low value given to privacy is based upon a narrow view of the problem.

The key misunderstanding is that the “nothing to hide” argument views privacy in a particular way – as a form of secrecy, as the right to hide things. But there are many other types of harm involved beyond exposing one’s secrets to the government.


Link  | Comments (5)




Less Privacy, More Sharing
By Allan Holmes | Monday, July 16, 2007  |  12:30 PM

British Prime Minister Gordon Brown has proposed new legislation that would relax the United Kingdom's strict privacy laws (as compared with U.S. laws) to allow for greater information sharing among British authorities, according to Intergovworld.com. Brown's predecessor, Tony Blair, also called for similar legislation, but a significant difference, the article points out, is that Blair called for relaxation of the laws to allow for greater efficiency in administering welfare programs. Brown's proposals are unabashedly embedded in proposed new laws to fight terrorism and to support education, in which "data sharing powers would 'help report on whether the system as a whole is delivering economically valuable skills' - a statement that may suggest the government will seek to check individuals' employment status or income after training," according to the article. Foiled car bomb attacks, it would seem, have made such proposals less politically sensitive.


Link  | Comments (0)




Another Scary Security Hole
By Allan Holmes | Wednesday, June 13, 2007  |  01:51 PM

You've heard your fair share of scary stories about how the lack of proper security processes and equipment can make personal information an easy target for criminals, rogue hackers or just the plain curious. We've got another one for you; this one having to do with voice over Internet Protocol (VoIP), which an increasing number of government agencies (federal, state and local) have installed or are considering installing to reduce telecommunications costs.

Law.com posted an article today by Todd Nugent, a chief technology officer for a law firm in Chicago, who related his experiences with the firm's VoIP system. Here's one of the scarier discoveries he made:

In the process of installing the conference room system, our programmers found that not only could they place conference room calls, they could also arrange to place the call silently, by muting the speaker on the calling phone. This could effectively turn any speakerphone in the firm into a clandestine monitoring device. In other words, running this program would cause any selected speakerphone in the firm to call the conference room, monitoring what was being said in the other room.

Nugent offers this advice: "As with any network connected computer, it is important to change default passwords, apply security updates in a timely way and install security firewalls, intrusion detection and prevention."

As a side note, Nugent cites the National Institute of Standards and Technology's Special Publication 800-50, which specifies "security guidelines for the installation of IP phones" and "is the basis for many government IP phone procurements." The NIST publication advises agencies to separate data and voice networks for IP phones. But Nugent writes that, "of course, one of the attractions for IP phones is the cost savings associated with eliminating dedicated phone wiring, so this is not a welcome recommendation."


Link  | Comments (2)




Tenn. Joins List of States Opposing Real ID
By Allan Holmes | Tuesday, June 12, 2007  |  02:53 PM

The list of states rebelling against the Real ID Act continues to increase. The Tennessee legislature last night voted to not comply with the Real ID Act of 2005 unless it is fully funded, according to a press release issued today by the American Civil Liberties Union of Tennessee.

Tennessee becomes the 16th state to pass a resolution saying it will not comply with the law because the act requires each state to spend millions of dollars on upgrading computer systems to meet the law's requirements, which include adding security features to driver's licenses such as bar codes and digital photographs to make it harder to obtain a fraudulent driver's license. The federal government will eventually require that Americans use the new licenses to gain entry to federal buildings, nuclear power plants and commercial airlines.

The resolution "urges the Tennessee congressional delegation to support measures to repeal the Real ID Act, and states that 'there be no implementation of the Real ID Act until full funding is provided by the federal government,'" according to the ACLU press release.


Link  | Comments (12)




Calif. Considers Credit-Card Standards Bill
By Allan Holmes | Monday, June 04, 2007  |  11:26 AM

California tends to lead the nation in many instances, signaling trends that can eventually head east. The state was the first to enact a security breach notification law, which required organizations to notify customers if a security breach could have exposed personal information such as Social Security, credit card and driver's license numbers.

Now California is considering a bill that would require organizations that accept credit and debit cards to follow some of the Payment Card Industry (PCI) Data Security Standard or face paying the costs associated with any security breach. The standard, developed by the five big credit card companies, is a set of rules organizations should follow in protecting credit card transactions, such as installing a firewall and encrypting the transmission of sensitive information across public networks, among other requirements.

The rules are not mandatory, although credit card companies can levy fines or suspend the credit card processing services for merchants who do not follow the rules. Still, the vast majority of organizations that accept credit-card payments do not fully comply with the standard. Visa reported last month that of the largest merchants in the United States (those accepting more than 6 million credit-card transactions a year), only 35 percent are compliant. That's why the California legislature is considering a bill, known as AB 779, which would make the standard mandatory.

The bill has the support of the California Credit Union League. Banks typically have to shoulder the financial cost of notifying customers that their credit card numbers could have been stolen and the cost of replacing the cards -- all of which can cost more than $1 million per breach, according to a California State Senate report.

The bill would apply only to California residents, but because one out of 10 Americans lives in California, the law would become a de facto standard for the nation. If any organization wants to do business with a California resident (and in today's online business world, the chances are high that it would), then it would have to follow the law. Minnesota passed a similar law earlier this year.

Because so few private-sector companies follow the PCI standard, it is likely that government agencies that accept credit-card payments do not follow the standard either. As has happened with past state information security and privacy bills, a similar federal bill that could apply to federal agencies may be in the future.


Link  | Comments (0)




Real ID Act to Gain Another Foe
By Allan Holmes | Thursday, May 31, 2007  |  10:47 AM

As expected, New Hampshire will soon join a dozen other states that refuse to comply with a federal law requiring security features to driver's licenses, Reuters reported last week.

New Hampshire Gov. John Lynch says he plans to sign the New Hampshire law that the state Senate passed last week banning implementation of the Real ID Act of 2005, which will require states to invest billions of dollars into upgrading information systems to add security features to driver's licenses such as bar codes and digital photographs. The federal government will eventually require that Americans use the new licenses to gain entry to federal buildings, nuclear power plants and commercial airlines.

In March, the New Hampshire House Transportation Committee, in passing the one-page bill opposing the Real ID Act, called the federal law "repugnant." New Hampshire estimated it would cost the state $10 million to comply with the Real ID Act, of which the federal government would have paid $3 million, according to a ComputerWorld report.

The strong opposition has Sen. Patrick Leahy, D-Vt., chairman of the Judiciary Committee, considering introducing legislation to repeal the provisions of the Real ID Act pertaining to driver's license requirements.


Link  | Comments (4)




A Breach Notification Requirement for Feds, Sort Of
By Allan Holmes | Tuesday, May 29, 2007  |  02:12 PM

Most of the press accounts about a security and privacy memo that the Office of Management and Budget issued this month focused on OMB's request that agencies reduce the use of Americans' Social Security numbers as much as possible.

The memo, written by OMB Deputy Director for Management Clay Johnson, also gave agencies 120 days to come up with a security breach notification policy. That particular issue has been a sore point for privacy and security advocates.

The memo had four attachments to guide agencies when creating a notification policy. The memo stated:

In formulating a breach notification policy, agencies must review their existing requirements with respect to Privacy and Security (see Attachment 1). The policy must include existing and new requirements for Incident Reporting and Handling (see Attachment 2) as well as External Breach Notification (see Attachment 3). Finally, this document requires agencies to develop policies concerning the responsibilities of individuals authorized to access personally identifiable information (see Attachment 4).

Both federal and state governments have been criticized for not developing security breach notification policies while they either have passed legislation or are considering bills that require the private sector to do so.

Johnson also suggests to agencies that the "greatest benefit" in dealing with security breaches is to be proactive by "reducing the volume of collected and retained information to the minimum necessary; limiting access to only those individuals who must have such access; and using encryption, strong authentication procedures, and other security controls to make information unusable by unauthorized individuals."

Just two months ago, the Cyber Security Industry Alliance criticized President Bush's Identity Theft Task Force for not recommending in its report that agencies be required, as is the private sector, to notify individuals whose private data may have been stolen or compromised during a security breach.

Johnson's memo lays out five factors -- with a number of vague contingencies -- that agencies should consider to determine the level of risk that a particular security breach poses to personal data before notifying the public, including the sensitivity of the data elements in their context and how likely it is that the data was stolen or breached.

Hat tip: ComputerWorld


Link  | Comments (1)




EU Asks Google About Privacy Practices
By Allan Holmes | Tuesday, May 29, 2007  |  10:28 AM

It was just a matter of time before Google and the tough privacy laws in the European Union bumped heads. An independent European Union panel has sent a letter to Google asking it to address numerous concerns, including storing personal data of its users for up to two years, the Associated Press reported Friday. The EU has some of the strictest privacy laws on the books, much more so than U.S. privacy laws. Google's privacy officer says Google stores user information to protect it from hackers.


Link  | Comments (0)




OMB Catching Up With Social Security Policy
By Allan Holmes | Wednesday, May 23, 2007  |  02:47 PM

The Associated Press reported yesterday that the Office of Management and Budget has asked agencies to limit the use of Social Security numbers when collecting information from Americans so that it can reduce the chance of identity theft.

The small step -- OMB is asking agencies to limit the use of Social Security numbers to the "minimum necessary for the proper performance" of their duties -- is still behind what some states and companies did five years ago to eliminate altogether the use of Social Security numbers as unique identifiers. A California law, which took effect in 2002, prohibited companies from using California residents' Social Security numbers as an identifier. Universities, such as Stanford, Wisconsin and Arizona, instituted policies years ago that prohibited the use of Social Security numbers, and the movement picked up steam in 2002 when students at other universities began to demand that their schools not use their Social Security numbers. The next year, IBM required its more than 100 health insurance providers to stop printing Social Security numbers on medical ID cards, claims forms and other documents or risk losing its business.

But as in the case of IBM, limiting the policy to just a narrow part of operations will not do much to eliminate the risk of losing personal information. In March IBM announced it had lost computer tapes containing the Social Security numbers of current and former IBM employees.


Link  | Comments (1)




HHS Wants Patient Safety Database
By Allan Holmes | Wednesday, May 23, 2007  |  07:30 AM

The following item was posted by Bob Brewin.

Here's more news on health networks.

The Agency for Healthcare Research and Quality, another arm of the Department of Health and Human Services, issued May 21 a request for proposals for a Network of Patient Safety Databases, which will house aggregated patient safety information. The data will not have any personally identifiable information.

The network will contain information submitted by physicians on a confidential basis about “close calls” in clinical procedures. The RFP does not define a “close call," but I imagine it can range from prescribing the wrong drug to surgically removing a healthy, rather than a diseased, organ. The close calls will be reported to Patient Safety Organizations, which are just now being created. The PSOs will use the aggregated information to improve the quality of care.

The network contract will run for three years, and although the Agency for Healthcare Research and Quality did not provide a value for the contract, it probably is big enough to attract the attention of a wide range of systems integrators.


Link  | Comments (0)




DHS Opposes DHS
By Allan Holmes | Friday, May 11, 2007  |  06:04 PM

You know you may have a policy problem when one of your own departmental committees questions a departmental program.

That's what has happened at the Homeland Security Department, which this week closed the public comment period on the department's proposed rules for implementing the Real ID Act of 2005. Among the commenters is DHS' own Data Privacy and Integrity Advisory Committee, which "called the Real ID Act 'one of the largest identity management undertakings in history' and said it raises serious privacy, security and logistical concerns," according to a ComputerWorld article. "'These include, but are not limited to, the implementation costs, the privacy consequences, the security of stored identity documents and personal information,' the committee noted. It also cited other concerns such as mission creep, redress and fairness issues."

Opposition to the Real ID law has been strong: states claim it will cost billions to implement, and many have either passed laws or are considering bills asking the federal government to repeal Real ID or fully fund it. Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., supports a repeal of the Real ID Act.

We first reported about this dichotomy this week in an article about the heavy criticism that the Real ID law has received.


Link  | Comments (1)




Report: Feds Need Privacy Czar, More Oversight
By Allan Holmes | Monday, May 07, 2007  |  03:54 PM

The federal government should create a position for a federal privacy czar, who would oversee federal employees' information management practices and policies to ensure they do not compromise Americans' privacy, according to a report released last week by the National Research Council.

The recommendations, laid out in a 456-page report that the NRC worked on for seven years, are similar to how some European nations and Australia approach privacy protections, according to an article posted by ars technica.

The report's authors also recommend the federal government undertake a broad and deep review of all national privacy laws and regulations to find gaps in privacy protections and to determine the social and economic impacts of the laws and regulations. The report, "Engaging Privacy and Information Technology in the Digital Age," also recommends that Congress oversee agencies' practices of outsourcing the management or processing of Americans' private information to private-sector companies.


Link  | Comments (0)




State to Foreign Visitors: Gimme 10
By Allan Holmes | Friday, May 04, 2007  |  04:41 PM

The State Department today issued its final rule requiring anyone applying for a U.S. visa to provide 10 electronically scanned fingerprints instead of the two it previously required.

The State Department began last month delivering the fingerprint scan systems to all visa issuing posts and expects to complete roll out of the hardware by the end of this year as part of its Biometric Visa program.

In March, Tony Edson, deputy assistant secretary of State for Visa Services, told the Senate Subcommittee on Interstate Commerce, Trade and Tourism that 10 fingerprints provide a greater number of data points and more accurate identification than the two fingerprint system.

Edson added that two fingerprint scans provide a limited amount of data, and yield a large number of “false positive” results, which can delay the visa process and inconvenience legitimate travelers.

James Ziglar, president of Cross Match Technologies, the company that is providing the department with the fingerprint scanning gizmos, told Tech Insider that it will not take any longer to scan 10 fingerprints than two fingerprints – about 15 seconds – thanks to improvements in the underlying software.

That may not provide much solace to foreign visitors to the United States, who view the fingerprinting process as an intrusion on their privacy. Thomas Hartung, editor of German travel magazine Travel One, told the Los Angeles Times last month that he did not know of any other country that requires a 10 fingerprint scan and asked, "How would you feel as an American if you came to Germany and the first thing you were asked is to give all 10 fingerprints?"

Ziglar said his company has already delivered 200 of its 10 fingerprint scanners to the State Department, has another 400 on order and expects more. Edson said the department tested the 10 fingerprint scanners this year in London; San Salvador; Riyadh and Dhahran, Saudi Arabia; and Asuncion, Paraguay. -- Bob Brewin


Link  | Comments (0)




Feds Could Face Own Breach Notification Demand
By Allan Holmes | Thursday, May 03, 2007  |  05:46 PM

If a hacker gains access to a company's database of customers' personal information, that company is required by many state laws to inform those customers that their personal information was exposed. Now federal agencies may be required to do the same, if a bill introduced today is eventually passed.

Rep. Tom Davis, R-Va., ranking member on the House Committee on Oversight and Government Reform, introduced The Federal Agency Data Breach Protection Act (HR 2124), which would amend the Federal Information Security Management Act of 2002 to require "the executive branch establish procedures to be followed in the event of a data breach," according to a press release from Davis' office. The bill also would:

-- clarify the authority that an agency head could delegate to the CIO;
-- require agencies to establish data breach notification procedures consistent with OMB policies, procedures and standards;
-- authorize agencies to establish policies and procedures for accounting for all federal personal property assigned to departing employees; and
-- define sensitive personal information.

The bill is identical to one Davis introduced last year (HR 6163), which was incorporated into The Veterans Identity and Credit Protection Act and passed in September. That law requires the Veterans Affairs Department to promptly notify vets of data breaches, to centralize IT management and to report VA's adherence to federal information security standards.


Link  | Comments (0)




4 States Make Docs Easier to Find
By Allan Holmes | Monday, April 30, 2007  |  10:05 AM

Google and four state governments have teamed up to make public documents more easily retrievable when citizens conduct online searches, according to an article by the Associated Press.

"Google plans to announce Monday that it has already partnered with four states - Arizona, California, Utah and Virginia - to remove technical barriers that had prevented its search engine, as well as those of Microsoft Corp. and Yahoo Inc., from accessing tens of thousands of public records dealing with education, real estate, health care and the environment," the newswire reports.

The way state government computer networks are programmed has made it difficult for users to find public documents stored in state databases, but Google, working with state technology officers, has built "virtual road maps" to the databases where the documents are stored, the AP reports.

But privacy experts are worried that better access to public documents runs the risk of exposing private information, such as Social Security numbers. Many public documents in state databases contain Americans' Social Security numbers and other personal information.


Link  | Comments (0)




German Intelligence Suspends Internet Spying
By Allan Holmes | Friday, April 27, 2007  |  10:19 AM

German intelligence agencies have, for now, stopped accessing suspected terrorists' computers over the Internet after the practice was publicly disclosed last week.

The Federal Office for the Protection of the Constitution, a German interior intelligence agency, had been accessing via the Internet the private information and communications on suspects' personal computers since June 2005, Deutsche Welle reported today. German Interior Minister Wolfgang Schäuble came under heavy criticism from privacy experts and from some in his own political party, the Social Democratic Party, that the practice violated "Article 13 of the German basic law, which governs privacy," according to the article.

"Schäuble has called for a change in the law, saying the monitoring is an important intelligence tool and that the practice should continue," according to the article. The German government is considering rewriting the law to allow the surveillance.

Since 9/11, intelligence agencies in the United States have sought an expansion of powers governing how agents collect data and monitor computer habits and electronic communications. The Associated Press reported this month that newly appointed National Intelligence Director Mike McConnell has circulated a draft bill that would amend the Foreign Intelligence Surveillance Act to make it easier to monitor email accounts and phone calls.


Link  | Comments (0)




Group Criticizes President's Privacy Report
By Allan Holmes | Tuesday, April 24, 2007  |  05:09 PM

A leading cybersecurity association says a report released yesterday by the President's Identity Theft Task Force falls short of adequately protecting Americans' privacy because the report's recommendations for the public sector are less stringent than those recommendations for the private sector.

According to a statement by the Cyber Security Industry Alliance:

[The report] offers several key data security measures for both the public and private sectors. Related to the public sector, the report calls for decreasing the unnecessary use of Social Security Numbers, educating federal agencies on how to protect data, monitor their compliance with existing guidance and ensure effective, risk-based responses to data breaches. For the private sector, the report states that national standards should be established for private sector data protection and breach notifications, better education on the safeguarding of data should be offered among private sector entities and to the general public, investigations should be initiated for data security violations and an online clearinghouse for current educational resources should be developed.

[Liz Gasster, general counsel for CSIA, said], "While the recommendations to limit the unnecessary use of Social Security Numbers, establish a National Identity Theft Law Enforcement Center and execute additional public awareness campaigns are important and necessary measures, one critical element is clearly missing: the report stops short of requiring a national standard for the public sector that would mirror the mandatory data protection requirements and breach notification requirements suggested for the private sector. Merely re-issuing data security guidance to agencies is inadequate. Government agencies should be accountable to citizens for safeguarding their data, and compliance should not be optional."


Hat Tip: ComputerWorld


Link  | Comments (0)




White House Finds No Privacy Violations
By Allan Holmes | Tuesday, April 24, 2007  |  04:31 PM

A White House board tasked to oversee possible infringements on privacy and civil liberties from government information systems and programs designed to fight terrorism has ruled that many programs have not compromised Americans' privacy, according to a report the board released yesterday and a brief posted by Wired.com.

In its first annual report to Congress, the Privacy and Civil Liberty Oversight Board ruled that controversial programs such as government watchlists and the National Security Agency's warrantless wiretapping of Americans' phone calls did not impose on privacy or civil liberties, Wired reports.

Next year, the board, the members of which were chosen by the White House, plans to investigate the Automated Targeting System, which will give international travelers a threat level rating, and the federal government's data mining efforts.


Link  | Comments (0)




Chinese Police Get Cap-Mounted Cameras
By David Perera | Thursday, April 19, 2007  |  12:44 PM

Chinese police officers are trying out cap-mounted video cameras, reports the online news service Ananova.

The flashlight-shaped cameras, which weigh less than two ounces, have 1 gigabyte of storage, enough to record about 1 hour of video, according to the article, which cites Xinhua, the official China state news agency. About 100 policemen in the city of Chongqing have been outfitted with the cameras.

The police chief for Chongqing said the cameras could gather evidence to refute lawsuits against the police and could be edited for television, according to Ananova.

Hat tip: Pasta and Vinegar


Link  | Comments (1)




Student Loan Database Abused
By Allan Holmes | Monday, April 16, 2007  |  02:22 PM

Education Department officials are considering temporarily shutting down access to a student loan database due to some users accessing students' private data without permission, The Washington Post reports.

Some student loan companies have allowed marketing firms, collection agencies and loan brokerages to mine the database to collect information from the 60 million records in the system, the Post reports. The database, part of the National Student Loan Data System, stores sensitive financial information on students such as family income, Social Security numbers, addresses and other information.


Link  | Comments (0)




Experts: New Biometric Tech Promotes Privacy
By Allan Holmes | Thursday, April 12, 2007  |  05:07 PM

In a recently released white paper, Information and Privacy Commissioner of Ontario, Canada, Ann Cavoukian, and biometrics scientist Alex Stoianov argue that a new biometric technology removes the privacy risks and concerns leveled at traditional biometric technology. Biometrics, which uses personal characteristics such as digital fingerprints and iris scans to identify individuals, has been criticized for its vulnerability to abuse by governments and to identity theft. Some U.S. agencies rely on digital fingerprints for identification, such as the U.S. VISIT program, which fingerprints visiting foreigners entering the United States. Those fingerprints are stored in a database.

In their white paper, Cavoukian and Stoianov acknowledge that "done poorly, biometric technologies can be highly privacy-invasive. Biometric data, once collected, can be stored, shared and used for numerous secondary purposes, inviting potential discrimination and identity theft."

But an emerging technology called Biometric Encryption dispenses with the need to store an image of, say, a fingerprint in a database in favor of using "the fingerprint [image] to encrypt or code some other information, like a PIN or account number, or cryptographic key, and only store the biometrically encrypted code, not the biometric itself. This removes the need for public or private sector organizations to collect and store actual biometric images in their database."

The technology, however, may not be enough to assuage fears in the European Union, which is facing strong opposition from citizens in all 27 EU countries to a proposed central fingerprint database, the London Times Online reports.
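The key-binding idea in the quote above, storing a code derived from the fingerprint rather than the fingerprint itself, can be illustrated with a fuzzy commitment, the classic construction behind many Biometric Encryption schemes. This is an added example, not code from the white paper or from any product it describes; the 120-bit template, the 24-bit key, the repetition code and the simulated sensor noise are all constructed toy values.

```python
import hashlib
import random
from typing import List, Optional, Tuple

Bits = List[int]

# Toy parameters (constructed for this example): each key bit is repeated R times,
# so a 24-bit key binds to a 120-bit biometric template. A repetition code is the
# simplest error-correcting code and leaks block parities through the helper data;
# deployed schemes use stronger codes (e.g. BCH) over high-entropy feature vectors.
R = 5
KEY_LEN = 24


def repetition_encode(key_bits: Bits, r: int) -> Bits:
    """Error-correcting encode: repeat each key bit r times."""
    return [b for b in key_bits for _ in range(r)]


def repetition_decode(code_bits: Bits, r: int) -> Bits:
    """Majority vote over each r-bit block; corrects up to (r - 1) // 2 flips per block."""
    return [1 if 2 * sum(code_bits[i:i + r]) > r else 0
            for i in range(0, len(code_bits), r)]


def bits_to_bytes(bits: Bits) -> bytes:
    value = int("".join(str(b) for b in bits), 2)
    return value.to_bytes((len(bits) + 7) // 8, "big")


def key_hash(key_bits: Bits) -> str:
    """Only a one-way hash of the key is stored; a stolen record reveals neither key nor finger."""
    return hashlib.sha256(bits_to_bytes(key_bits)).hexdigest()


def enroll(template: Bits, key_bits: Bits, r: int) -> Tuple[Bits, str]:
    """Bind a key to a biometric template.

    The stored record is (helper, H(key)); the template itself is discarded.
    helper = codeword XOR template hides the template behind the secret codeword.
    """
    codeword = repetition_encode(key_bits, r)
    if len(codeword) != len(template):
        raise ValueError("template length must equal key length times r")
    helper = [c ^ t for c, t in zip(codeword, template)]
    return helper, key_hash(key_bits)


def release_key(helper: Bits, stored_hash: str, sample: Bits, r: int) -> Optional[Bits]:
    """Recover the key from a fresh scan; return None when the biometric does not match.

    helper XOR sample = codeword XOR (template XOR sample): the second term is the
    scan-to-scan noise, which the decoder removes as long as it stays within the
    code's correction capacity. The hash check turns a near-miss into a hard reject.
    """
    noisy_codeword = [h ^ s for h, s in zip(helper, sample)]
    candidate = repetition_decode(noisy_codeword, r)
    return candidate if key_hash(candidate) == stored_hash else None


def noisy_sample(template: Bits, flips_per_block: int, r: int = R) -> Bits:
    """Simulate sensor noise: flip the first `flips_per_block` bits of every r-bit block."""
    sample = list(template)
    for start in range(0, len(sample), r):
        for j in range(flips_per_block):
            sample[start + j] ^= 1
    return sample


# Constructed sample data: a fixed seed keeps the run reproducible.
_rng = random.Random(20070412)
KEY = [_rng.randint(0, 1) for _ in range(KEY_LEN)]
TEMPLATE = [_rng.randint(0, 1) for _ in range(KEY_LEN * R)]
IMPOSTOR = [_rng.randint(0, 1) for _ in range(KEY_LEN * R)]   # a different person's finger


def demo() -> dict:
    """Run enrollment and three verification attempts; return whether each behaved as expected."""
    helper, stored = enroll(TEMPLATE, KEY, R)
    return {
        "genuine_2_flips": release_key(helper, stored, noisy_sample(TEMPLATE, 2), R) == KEY,
        "genuine_3_flips": release_key(helper, stored, noisy_sample(TEMPLATE, 3), R) is None,
        "impostor": release_key(helper, stored, IMPOSTOR, R) is None,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'as expected' if ok else 'UNEXPECTED'}")
```

With two flipped bits per block the genuine user gets the key back; with three the decoder is past its capacity and the hash check rejects, as it does for the impostor's unrelated template.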


Link  | Comments (0)




ABOUT THIS BLOG


Allan Holmes on what's happening and what's being discussed in the world of federal information technology.
