The European Commission is investigating the Microsoft Passport online identification and authentication system. EPIC filed complaints with the Federal Trade Commission in July and August 2001 alleging that the system is designed to profile users and that the company engaged in unfair and deceptive trade practices. Testimony in the Microsoft antitrust trial demonstrated that the company intended to build the largest databases of profiles on the planet for ad targeting.
Two weeks ago, numerous television studios persuaded a judge to issue an order requiring SONICblue to electronically monitor and record the TV uses of its customers. The ReplayTV 4000 is a personal video recorder (PVR) that allows users to digitally store television programming to hard disks for later viewing. SONICblue had never before collected viewing data from ReplayTV 4000 users because of privacy concerns. In an amicus brief, civil liberties and consumer groups argue that the court order infringes on individuals' privacy rights and intellectual freedom. A federal court has put on hold the previously ordered product re-engineering of the ReplayTV pending a hearing on June 3rd, 2002.
Tsutomu Matsumoto, a Japanese cryptographer, recently decided to look at biometric fingerprint devices. These are security systems that attempt to identify people based on their fingerprint. For years the companies selling these devices have claimed that they are very secure, and that it is almost impossible to fool them into accepting a fake finger as genuine. Matsumoto, along with his students at the Yokohama National University, showed that they can be reliably fooled with a little ingenuity and $10 worth of household supplies.
Interim results of a test of face-recognition surveillance technology obtained by the American Civil Liberties Union from Palm Beach International Airport confirm previous results showing that the technology is ineffective. According to documents released to the ACLU pursuant to a request under Florida's open-records law (the "Sunshine" law), the system failed to match volunteer employees who had been entered into the database 503 out of 958 times, or 53 percent of the time. Even with recent, high-quality photographs and subjects who were not trying to fool the system, the face-recognition technology was less accurate than a coin toss.
Ford Motor Credit Co. is warning 13,000 people that they may be vulnerable to identity theft because their credit reports were illegally accessed. The FBI's Detroit office is investigating how computer-savvy thieves posed as Ford Credit personnel -- possibly using company pass codes -- to gain access to a database used by Experian, a credit reporting agency, and download the personal information of 13,000 consumers. Only about 400 of the 13,000 individuals were customers of Ford Credit, and about 610 of the victims lived in Michigan, the company said. The 13,000 customers were apparently targeted because they live in affluent areas and were likely to have good credit ratings. In some cases, the credit reports of every homeowner on a given street were downloaded, indicating the thieves were fairly sophisticated. The credit files included social security numbers, addresses, account numbers, creditor names and payment history -- everything needed to commit credit fraud.
The New York Times reports on data released by comScore on Yahoo's privacy switcheroo. The data shows that Yahoo's changes got users' attention. In the four weeks from March 25 to April 21, nearly a million Internet users in the United States looked at Yahoo's new privacy policy (privacy.yahoo.com/privacy/us/). That figure represents 1 percent of Internet users in the United States and was up sharply from the preceding four weeks, when only 0.3 percent of Yahoo users read its privacy policy. Slightly more people, 1.1 million, visited the page Yahoo had set up where users could "opt out" by telling the site not to send e-mail or other messages (subscribe.yahoo.com/showaccount). That page did not exist before the portal's policy change. But only 73,000 users, comScore projects, considered ending their relationship with Yahoo by visiting the page (https://edit.yahoo.com/config/delete-user) that actually cancels their Yahoo accounts, which can include e-mail and other services. That was fewer, even, than the month before, when 114,000 users went to the page. (ComScore is unable to tell if the visitors to the page actually do push the button to close out their Yahoo accounts.)
White & Case, a global law firm, has conducted a survey of national privacy laws in 15 commercially prominent jurisdictions around the world, which documents the rapid growth and diverse range of laws and regulations aimed at protecting privacy and controlling the use of data in the information economy. The survey aims to inform business interests about "[the] rising tide of legal and regulatory measures addressing how companies may aggregate and disseminate one of their most valuable commercial assets - business data." The survey found that all 15 jurisdictions have some form of privacy law in place, and eight of them have active proposals for significant changes to their current laws. In only one jurisdiction - Hong Kong - have the privacy laws remained largely unchanged since 1996. "These survey results reflect the general feeling among consumers that they want more privacy and stronger legal protection of it, coupled with the perception among consumer-oriented companies that their businesses will thrive only if their customers feel secure," says the lead author of the survey.
Two University of Cambridge computer security researchers plan to describe on Monday an ingenious and inexpensive attack that employs a $30 camera flashgun and a microscope to extract secret information contained in widely used smart cards. The newly discovered vulnerability is reason for alarm, the researchers said, because it could make it cost-effective for a criminal to steal information from the cards. Smart cards are used for dozens of different applications, including electronic identity protection, credit and debit cards and cellular phone payment and identity systems. They are being touted by Representatives Moran and Davis of Virginia for use in their national identification system.
New York State Attorney General Eliot Spitzer today announced a settlement with Juno, an Internet Service Provider, that requires the company to provide its subscribers with clear, conspicuous, and advance notice of all material changes to its service agreement. The Attorney General's investigation found that during February and March 2001, in an effort to establish a "Virtual Supercomputer Project" that would potentially link subscribers to a vast, distributive computing system, Juno failed to provide its subscribers with sufficient notice of several controversial and unorthodox amendments to its service agreement. Among these were terms stating that subscribers authorized Juno to download so-called "computational software" onto their computer, change the screen saver, and permit Juno to require subscribers to leave their computers on at all times to allow remote access by Juno. Likewise, according to the new contractual terms, consumers would be liable for all costs, expenses, and maintenance or technical issues resulting from continuous operation of the computer.
Researchers at North Carolina State University (NCSU) are conducting an online survey about privacy. The survey is supported by a National Science Foundation research grant.
The Denver County Vital Statistics Office recently discovered that it lost a large number of blank birth certificates, death certificates, and an electric city and county seal. This equipment could be used to create false breeder documents for the purposes of obtaining a National ID card. This theft illustrates why even a total overhaul of the state driver's license system would do little to increase security.