The Department of Homeland Security has finally announced the membership of its expert advisory committee for privacy issues. The good news for USACM is that Professor Lance Hoffman from George Washington University is one of the 20 appointees and is also a USACM member. Dr. Hoffman helped bring the Computers, Privacy, and Freedom conference under ACM’s conference umbrella. (more…)

“The recently disclosed privacy breach at the data collection giant ChoicePoint, in which con artists gained access to the Social Security numbers, addresses and other personal data of nearly 145,000 people, has exposed the shortcomings of the laws governing the data-mining industry and consumer privacy.

[…] But whatever the specific legal fallout of the ChoicePoint breach, the bigger effect may be its exposure of the patchwork of sometimes conflicting state and federal rules that govern consumer privacy and commercial data vendors. In recent days, state and federal regulators and lawmakers have started calling for an updating of those rules, which never envisioned the current power of data gatherers to amass and distribute vast digital dossiers on ordinary citizens. (more…)

“A major break-in at one of the nation’s largest information brokers could usher in regulation for companies that have trafficked in data unfettered for years, computer-security experts and privacy advocates say.

New York, Texas and Georgia are among states pressing for laws that mirror California’s breach law, which requires companies to notify residents if their personal information is compromised. The law, the only such one in the nation, forced ChoicePoint (CPS), an Alpharetta, Ga., data vendor, to disclose this week that personal data on about 145,000 people may have been stolen.

” If this is not an eye-opening threat to privacy, nothing is,” says Sen. Bill Nelson, D-Fla., who is readying legislation that would expand the powers of the Federal Trade Commission to oversee data brokers as it does companies that handle medical and financial records.

Last month, Sen. Dianne Feinstein, D-Calif., reintroduced a national version of the California law. Sen. Patrick Leahy, D-Vermont, on Tuesday called for congressional hearings on the matter […]”

SOURCE: USA Today

“A California woman has sued ChoicePoint Inc. for fraud and negligence after criminals gained access to a database of personal records compiled by the company.

The suit, which seeks class-action status, was filed in Los Angeles Superior Court last Friday and claims that for at least five months the company failed to adequately protect people’s financial records and confidential information […]”

SOURCE: Reuters

“[…] At America’s insistence, passports are about to get their biggest overhaul since they were introduced. They are to be fitted with computer chips that have been loaded with digital photographs of the bearer (so that the process of comparing the face on the passport with the face on the person can be automated), digitised fingerprints and even scans of the bearer’s irises, which are as unique to people as their fingerprints.

A sensible precaution in a dangerous world, perhaps. But there is cause for concern. For one thing, the data on these chips will be readable remotely, without the bearer knowing. And—again at America’s insistence—those data will not be encrypted, so anybody with a suitable reader, be they official, commercial, criminal or terrorist, will be able to check a passport holder’s details. To make matters worse, biometric technology—as systems capable of recognising fingerprints, irises and faces are known—is still less than reliable, and so when it is supposed to work, at airports for example, it may not. Finally, its introduction has been terribly rushed, risking further mishaps. The United States want the thing to start running by October, at least in those countries for whose nationals it does not demand visas […]”

SOURCE: The Economist

“One of the nation’s largest commercial information services said yesterday that thousands of Washington area residents were among those whose personal and financial details were sold to fraud artists apparently behind a nationwide identity theft scheme.

As many as 4,500 residents in the District, Maryland and Virginia were among up to 145,000 people whose names, addresses, Social Security numbers and, in some cases, credit files were electronically shipped by ChoicePoint Inc. of Alpharetta, Ga., to people posing as business officials in the Los Angeles area.

Investigators said they think the number of victims will continue to rise as officials learn more about the scheme. At least one lawmaker on Capitol Hill has called for stiffer regulation of commercial data services. This week, others are expected to push for hearings about the information industry […]”

SOURCE: Washington Post

Note: See our earlier posts regarding this case, here and here.

“After a second consecutive presidential election marred by significant flaws in the mechanics of voting, it’s time for Congress to take a hard look at fixing the system. Two Senate bills aim to do that. A Republican-sponsored bill is narrowly tailored around making electronic voting more reliable. A more ambitious bill, sponsored by the Democrats, would take on a broad array of problems, from long lines at the polls to odious maneuvers aimed at keeping people from voting. Both bills would greatly improve the functioning of American democracy.

The Republican bill, introduced by Senator John Ensign of Nevada, would focus on the most critical weakness in the system by requiring that electronic voting machines produce voter-verifiable paper records of the votes cast. The paper records would take precedence when there were inconsistencies. (more…)

By mid-February in any normal year a new Congress is completely organized. This is not a normal year as numerous changes in the Senate and organizational fights between the House of Representatives and Senate have delayed the process. Congress has finally (although not completely) organized itself enough to provide a picture of how it will deal with information technology (IT) and computing policy issues.

The major story is what changed in the Senate – arguably elevating IT policy – contrasted against the relative status quo in the House. Several key Senate chairmanships changed hands, which, in turn, led to two new IT related subcommittees. The opposite was true in the House, where key chairmen from the 108th Congress hold roughly the same power in the 109th. Below is a more detailed discussion of how these changes will impact issues relevant to USACM’s interests. (more…)

“In a rare move, the European Parliament demanded Thursday that a controversial proposal for a law on software patents be scrapped and that the debate begin anew.

The proposed law is intended to harmonize the patent rules of the 25 countries in the European Union. Current laws do not permit software patents, but some have been registered in recent years […]”

SOURCE: NY Times

“One of the nation’s biggest information services has begun warning more than 100,000 people across the country they may be targets of fraud, following disclosures the company inadvertently sold personal and financial records to fraud artists apparently involved in a massive identity theft scheme.

ChoicePoint Inc. electronically delivered thousands of reports containing names, addresses, Social Security numbers, financial information and other details to people in the Los Angeles area posing as officials in legitimate debt collection, insurance and check-cashing businesses.

At least 700 victims have had their mailing addresses changed, apparently by people connected to the scheme, authorities said […]

[…] “This is an issue that goes beyond ChoicePoint. They’re just one company,” said James X. Dempsey, executive director of the Center for Democracy and Technology, which advocates for privacy and computer security. “Both the industry and Congress need to pay attention to the security of personal information.”

Marc Rotenberg, executive director of the Electronic Privacy Information Center, said the case raises important questions about who is responsible when companies are tricked into releasing data. “Companies such as ChoicePoint are operating with too little oversight,” he said […]”

SOURCE: Washington Post

Note: Wired News also has an interesting article on this today.

“ACM, the Association for Computing Machinery, has named Vinton G. Cerf and Robert E. Kahn the winners of the 2004 A.M. Turing Award, considered the “Nobel Prize of Computing,” for pioneering work on the design and implementation of the Internet’s basic communications protocols.

[…] ACM President David Patterson said the collaboration of Cerf and Kahn in defining the Internet architecture and its associated protocols represents a cornerstone of the information technology field […]”

SOURCE: ACM

Note: Also see a related article in today’s NY Times.

Declan McCullagh has a new article about the Real ID Act, which (as we reported here) easily passed the House of Representatives last week.

Among other things, Declan reports on the opposition to the bill by Rep. Ron Paul (R-TX), one of “eight Republicans to object to the measure.” Declan also addresses the legislation’s chances in the U.S. Senate:

Also, today, the NY Times published an editorial urging the Senate to “defeat” the act.

“Criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint Inc., a firm that maintains databases of background information on virtually every U.S. citizen, MSNBC.com has learned.

The incident involves a wide swath of consumer data, including names, addresses, Social Security numbers, credit reports and other information. ChoicePoint aggregates and sells such personal information to government agencies and private companies.

Last week, the company notified between 30,000 and 35,000 consumers in California that their personal data may have been accessed by “unauthorized third parties,” according to ChoicePoint spokesman James Lee.

California law requires firms to disclose such incidents to the state’s consumers when they are discovered. It is the only state with such a requirement but such data thefts are rarely limited to a single geographic area.

[…] ChoicePoint maintains a dossier on virtually every American consumer, according to Daniel J. Solove, George Washington University professor and author of “The Digital Person.”

The Atlanta-based company says it has 10 billion records on individuals and businesses, and sells data to 40 percent of the nation’s top 1,000 companies. It also has contracts with 35 government agencies, including several law enforcement agencies […]

SOURCE: MSNBC

Yesterday House Judiciary Committee Chairman James Sensenbrenner’s (R-WI) immigration bill, the Real ID Act (H.R. 418), was passed by the U.S. House of Representatives. The bill is intended to disrupt terrorist travel and bolster U.S. border security and includes much of the immigration reform language that was dropped from last year’s intelligence overhaul legislation (discussed in our Dec. 2004 Update).

The act requires the Department of Homeland Security to develop federal driver’s license standards and (more…)

” Voting machines must include a verifiable paper trail and audit capability in time for the 2006 elections, according to a bill introduced this week in Congress.

[…] Called the Voting Integrity and Verification Act, the bill says states must allow the “voter to review an individual paper version of the voter’s ballot before the voter’s ballot is cast and counted.” The paper ballot, typically viewed under glass, would become a “permanent paper record” that must be preserved in case of a recount.

[…] Computer scientists such as those represented by the Association for Computing Machinery have flagged potential security problems and have called for electronic voting machines to produce a “physical record.” The Information Technology Association of America has opposed mandatory paper trails […]”

SOURCE: CNET News.com

Note: View ACM’s statement on e-voting from 2004 here.

“SUTTER, Calif. (AP) – The only grade school in this rural town is requiring students to wear radio frequency identification badges that can track their every move. Some parents are outraged, fearing it will take away their children’s privacy.

The badges introduced at Brittan Elementary School on Jan. 18 rely on the same radio frequency and scanner technology that companies use to track livestock and product inventory. Similar devices have recently been used to monitor youngsters in some parts of Japan.

[…] The system was imposed, without parental input, by the school as a way to simplify attendance-taking and potentially reduce vandalism and improve student safety. Principal Earnie Graham hopes to eventually add bar codes to the existing ID’s so that students can use them to pay for cafeteria meals and check out library books […]

SOURCE: AP via Washington Times

Note: EPIC, EFF, and ACLU or Northern California have written to the Brittan Board of Trustees expressing alarm at the Brittan School District’s use of the mandatory ID badges that include an RFID device to tracks students’ movements.

“The Internet rated only a footnote in the landmark 1996 Telecommunications Reform Act. Now, the Net is such serious competition for the telecom industry that many legislators favor at least “tinkering with” the 1996 act, said Sen. Conrad Burns (R-Mont.), speaking at today’s Washington conference sponsored by the Congressional Internet Caucus Advisory Committee.

Burns said he thinks the act needs rewriting after only nine years because technology is moving so much faster than in the past—it was three decades before the 1934 telecom law was rewritten […]”

SOURCE: GCN

The President’s budget hit the Hill yesterday with the predictable media attention. With the focus on deficits and Social Security, some of the subtler details have gone overlooked. Particularly those related to funding for IT research and development. Peter at the Computing Research Association has given us a great analysis of the overall funding picture. USACM has taken a particular interest in the National Institutes of Standards and Technology (NIST), which is a small, but important, component of the story.

Depending on where you sit, there is good news and bad news about NIST’s funding. (more…)

Showing just how serious the music industry takes the current copyright debate:

“Over the next few months, the Supreme Court and–likely–Congress will resume a debate over rules that could determine whether consumers will continue to enjoy the benefits of many of the gadgets CNET covers.

The debate is specifically about what kind of legal liability–if any–technology manufacturers, financiers, Internet service providers, journalists and others should have if their actions “induce” another to commit copyright infringement.

[…] Congressional action this year will largely be shaped by what the Supreme Court does in the pending case involving Grokster, the peer-to-peer software used by millions. While the case may appear to be simply about illegal file trading, its implications are far deeper […]”

SOURCE: CNET News.com

“Former federal prosecutor Michael Chertoff is expected to be confirmed this week as homeland security secretary, and one of the first items in his in-tray will be how to deal with the question of cyber-security.

Mr. Chertoff was questioned about the issue at his confirmation hearing last week, and undertook to appoint a special adviser on the issue as a member of his personal staff.

[…] “One thing I would like to do actually, in terms of my own staffing of the front office, is make sure I bring somebody on board who really understands computers and these issues,” Mr. Chertoff told Mr. Bennett […]”

SOURCE: Washington Times

“A popular radio-frequency ID system that is used to deter car thefts and as a convenience device for the purchase of gasoline can be defeated with low-cost technology, computer scientists from Johns Hopkins and RSA Laboratories have determined.

Their findings, described in a new research paper [available here], indicate that the encryption in RFID microchips in some newer car keys and wireless payment tags may not keep thieves at bay. Using a relatively inexpensive electronic device, criminals could wirelessly probe a car key tag or payment tag in close proximity, and then use the information obtained from the probe to crack the secret cryptographic key on the tag, the scientists said. By obtaining this key, lawbreakers could more easily circumvent the auto theft prevention system in that person’s car or potentially charge their own gasoline purchases to the tag owner’s account […]”

SOURCE: JHU Gazette

“Garret the Ferret is one hip copyright crusader. The cartoon character urges young cybercitizens toward ethical downloading and - in baggy jeans and a gold “G” medallion - reminds them that copying and sharing software is uncool.

He is also a byproduct of the long-roiling public relations battle between copyright owners, who say they are threatened by digital piracy, and technology advocates opposed to strict controls on the copying of digital media, and on the kinds of software that make piracy so easy.

With the Supreme Court scheduled next month to hear a pivotal case pitting copyright holders (represented by MGM Studios) against the makers of file-sharing software (Grokster and StreamCast Networks), some participants are putting their message machines into high gear.

But winning hearts and minds - of teenagers, consumers and lawmakers - has never been a simple matter […]”

SOURCE: NY Times

“Homeland Security Department officials today released DHS’ first annual privacy report [full report here] to Congress, outlining work done in numerous areas, including technology.

A primary goal of the department’s privacy office, which is the first Congressionally mandated one for a federal agency, is ensuring that technologies sustain “privacy protections relating to the use, collection, and disclosure of personal information,” according to the 112-page report.

The office, led by Nuala O’Connor Kelly, chief privacy officer, is examining use of biometric technology, some of which is used in the U.S. Visitor and Immigrant Status Indicator Technology program for tracking foreign visitors. Kelly’s organization is also looking at radio frequency identification devices, such as those being tested in two airports to track baggage through the security process […]”

SOURCE: FCW

“Two powerful House committee chairmen are locked in a standoff over how to handle a federal driver-licensing standard, the first in what could be a number of intraparty Republican squabbles about immigration reform.

Judiciary Committee Chairman James Sensenbrenner (R-Wis.) introduced a bill Wednesday to create a federal standard for state driver’s licenses. That same afternoon, Government Reform Committee Chairman Tom Davis (R-Va.) announced [here] that he would offer legislation establishing almost identical standards.

The difference is that Sensenbrenner’s bill, the Real ID Act [summary], also includes provisions to tighten asylum abuse, close a fence along the Mexican border near San Diego and expand the grounds for deportation in terrorism-related cases. Davis’s bill, on the other hand, focuses solely on the creation of a federal standard for state driver’s licenses […]”

SOURCE: The Hill

“ACM has named Cameron Wilson, a veteran of Capitol Hill, as its new Director of Public Policy […]

Wilson will head the ACM Public Policy Office in Washington, DC. Previously, he was Deputy Chief of Staff and Legislative Director for Congressman Vernon Ehlers of Michigan, where he navigated the murky policy waters of Washington. Congressman Ehlers, the first research physicist in Congress, chairs the Environment, Technology and Standards Subcommittee of the House Science Committee, and is a strong supporter of “substantial and stable” science funding. Wilson also worked for the Subcommittee, managing technical standards and other technology issues […]”

SOURCE: ACM Membernet

“The National Institute of Standards and Technology has released specifications that will firm up biometric plans for governmentwide personal-identity-verification cards.

[…] Among other things, the draft discusses data flows, card architecture, the client application programming interface and command interface, construction of the card edge, use for physical and logical access, embedding X.509 certificates and using acceptable encryption algorithms.

NIST will accept public comments on the draft until Feb. 14 […]”

SOURCE: GCN