Archive for September, 2005

Privacy Advocates Oppose Expansion Of DNA Database

Friday, September 30th, 2005

The Senate Judiciary Committee has approved a bill that would force suspects arrested or detained by federal authorities to provide samples of their DNA that would be recorded in a central database. This is a step to expand government collection of personal data, and maybe another step in expanding government intrusion. Currently, only people convicted of crimes must provide a DNA sample. Privacy advocates, including Jim Harper, director of Information Policy Studies at the Cato Institute, oppose the expansion of the FBI-run national DNA registry. Harper is a keynote speaker at the IAPP Privacy Academy 2005 Oct. 26-28 in Las Vegas.

North Carolina Consumers Gain New ID Theft Protections

Wednesday, September 28th, 2005

North Carolina Governor Mike Easley signed into law Senate Bill 1048, “The Identity Theft Protection Act of 2005” on September 21, 2005. Under this bill, businesses are prohibited from using Social Security numbers to identify customers. The measure requires businesses not to print Social Security numbers on documents, such as health insurance cards. The bill also restricts businesses from selling or displaying SSNs to a third party without an individual

TSA’s Secure Flight in the news

Tuesday, September 27th, 2005

There have been several stories regarding TSA’s Secure Flight program and no-fly lists over the past few days. The major news this week is that TSA has announced that they will not use commercial data brokers in the initial deployment of Secure Flight (news presented in a News.com article and confirmed at EPIC’s overview of Secure Flight). This announcement came just before a major report by the Secure Flight Privacy/IT Working Group [pdf] was released yesterday, in which the group was highly critical of the TSA’s actions regarding Secure Flight. Bruce Schneier discusses the report more in depth in a blog entry; he was a member of the working group.

Other major stories about the TSA describe people’s difficulties with the no-fly lists and the pains they endure in trying to get themselves removed once mistakenly placed on a list. Wired is running a story about several people who have had bad experiences with the system, including a nun who spent nine months on the list, missing meetings and events, until an appeal was made to Karl Rove and the situation was rectified. Another person’s dilemma is described in this Boston.com article: a pilot was placed on the no-fly list and thus effectively unable to work, all because of what seems to be a data error. The pilot is fighting the situation in court. In this case, the government is maintaining that a person’s presence on the list and the reasons for being there are so secret that even in court, they will not be disclosed to the defense.

In the Wired article, Secure Flight is presented by the TSA as the solution to these types of problems. However, with so many criticisms and concerns over privacy practices and data accuracy, there is much to be done before Secure Flight will have a chance to adequately address these issues.

Antón Wins 2005 “Women of Influence Award”

Friday, September 23rd, 2005

Annie Antón was awarded the 2005 Women of Influence Award in the Public Sector Category. The awards are sponsored by CSO Magazine and the Executive Women’s Forum.

Kevin Mitnick Recalls Cyber Crime And Punishment

Thursday, September 22nd, 2005

Kevin Mitnick, a notorious serial hacker and security specialist, recounts his criminal hacking exploits. Mitnick looks back at his criminal past as detractors comment on his life then and now. Mitnick is the founder of Mitnick Security Consulting, LLC and a speaker at IAPP

Fighting back against undesired picture-taking

Tuesday, September 20th, 2005

Researchers at Georgia Tech have developed a prototype system that stops a digital camera aimed its way from taking a usable picture. The system, described in more detail in this news.com article, targets any detected digital camera lens with focused light to thwart successful picture-taking. Where the photographer might have tried to capture a private meeting or an inappropriate picture, they instead will have a “blurry picture of what looks like a flashlight beam.”

The technology works by actively detecting a digital camera lens based on its ‘retroreflective’ properties. Digital camera lenses are much more retroreflective than other surfaces, such as eyeglasses. The system is constantly putting out infrared light to find any spying cameras; after sensing a camera lens aimed towards the system, it immediately targets the origin with a “localized beam of light” to neutralize the attempted photograph. The researchers provide more detail at their page describing the project.

Aladdin Study Uncovers Increase in Crime-Related Spyware

Monday, September 19th, 2005

Security company Aladdin’s eSafe Content Security Response Team (CSRT) found that 15 percent of spyware threats succeed in copying a user’s passwords, usernames, hashes of an administrator’s passwords, instant messaging usage, email addresses and other sensitive information. The two-month analysis of the top 2,000 known spyware threats shows that there is a growing amount of spyware specifically designed for identity theft. This spyware poses a tremendous threat to both personal and commercial privacy, with potentially dangerous effects for large organizations that need to protect proprietary information. Read the full article on this story.

Author’s recommendation:
For Windows users, please download ALL of the following three antispyware tools and run them once a WEEK on your personal computer. All three tools are free for personal use:
Ad-Aware
Spybot Search and Destroy
Microsoft Windows AntiSpyware

IBM’s Sovereign Information Integration (SII) technology: double encryption to achieve privacy-minded security

Friday, September 16th, 2005

Information sharing and integration are essential elements of today’s marketplace. Current information integration approaches are based on the assumption that all of the information in each database can be revealed to the other databases. This is a potential privacy concern in many applications, such as applications that involve medical information and national security. IBM Almaden Research Center’s Sovereign Information Integration (SII) technology allows companies to share and integrate data while complying with privacy policies and laws. The SII technology employs an innovative double-encryption technique in which each party encrypts its own data and then sends it to the other party to encrypt again. Double-encrypted data can be compared without violating disclosure rules because nonmatching values are protected by the other party’s encryption and would be unreadable by either party. SII is the functional component of IBM’s Hippocratic Database, which ties into health care applications to let users indicate who should have access to certain patient data.
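
The double-encryption comparison described above, as an added example that is not IBM's code and not part of the original post. It assumes a commutative cipher built from modular exponentiation; the prime, the function names and the sample identifiers are constructed for illustration.

```python
import hashlib
import secrets
from math import gcd

# Assumption: the page names no cipher or group. Exponentiation modulo the
# well-known prime 2**255 - 19 is used here because it commutes.
P = 2**255 - 19

def keygen() -> int:
    """Secret exponent coprime to P-1, so x -> x**k mod P is a permutation."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if gcd(k, P - 1) == 1:
            return k

def to_group(value: str) -> int:
    """Hash an identifier to a nonzero element modulo P."""
    h = int.from_bytes(hashlib.sha256(value.encode()).digest(), "big")
    return 1 + h % (P - 1)

def encrypt(elem: int, key: int) -> int:
    return pow(elem, key, P)

def shared_values(a_values, b_values):
    """Simulate both parties; return A's values that B also holds."""
    ka, kb = keygen(), keygen()          # each key stays with its owner
    # Step 1: each party encrypts its own identifiers and sends them over.
    a_once = [encrypt(to_group(v), ka) for v in a_values]
    b_once = [encrypt(to_group(v), kb) for v in b_values]
    # Step 2: each party encrypts what it received with its own key.
    a_twice = [encrypt(c, kb) for c in a_once]    # done by B, order kept
    b_twice = {encrypt(c, ka) for c in b_once}    # done by A
    # Step 3: A compares double ciphertexts; only equal inputs collide.
    return [v for v, c in zip(a_values, a_twice) if c in b_twice]

# Constructed sample identifiers, not real data.
CLINIC = ["id-1001", "id-1002", "id-1003", "id-1004"]
REGISTRY = ["id-0990", "id-1002", "id-1004", "id-2000"]

if __name__ == "__main__":
    print(shared_values(CLINIC, REGISTRY))
```

Neither side ever sees the other's identifiers in the clear: a value that does not match stays wrapped in the other party's key, which is the property the paragraph above relies on.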

The Identity Theft Resource Center reports 102 data breaches since Jan. 1, 2005

Wednesday, September 14th, 2005

The Identity Theft Resource Center reports 102 data breaches in the U.S. since Jan. 1, 2005, potentially affecting more than 56.2 million individuals. Most of the incidents could have been prevented with safe data handling practices; examples of unsafe handling include sending postcards with Social Security numbers on them, or requiring students to place name and SSN on rosters that are passed through classrooms or on papers or tests. See the most recently updated list of 2005 Disclosures of U.S. Data Incidents (PDF). An interesting observation is that a lot of these incidents happened in universities.

Hurricane Katrina and ID theft

Tuesday, September 13th, 2005

The reports of devastation and tragedy coming out of the areas affected by Hurricane Katrina have dominated the news for the past week and a half now. Many of the stories have centered around the outpouring of aid and personal efforts to rescue and restore survivors to some semblance of normalcy. Amidst these efforts, however, have cropped up some stories about the risk of identity theft and the efforts of some to defraud the victims of the storm.

Last week, experts (such as the FTC ID theft program head) were already warning the public of the high risk of identity theft tied to the hurricane’s aftermath. An AP story noted that “Social Security cards, driver’s licenses, credit cards and other personal documents are literally floating around New Orleans.” The risk of credit card fraud and identity theft is clear, as the information leakage was certainly not the first thought of survivors escaping their homes and being rescued from rooftops.

The same article notes that some 2,000 web sites popped up related to Hurricane Katrina relief efforts, but about a dozen are under investigation for potential fraud. Not only is there a risk from completely fraudulent web sites, but also from phishers spoofing major relief efforts such as the Red Cross or Salvation Army. This article notes the email scams already observed and the risk of such phishing attacks increasing in the coming weeks. According to the article, VeriSign has gotten involved in hunting down such phishing efforts and took down two such sites already as of last week.

Some unscrupulous individuals have already been arrested for attempted ID theft. Three people in Mississippi went to a shelter and posed as FEMA officials in an effort to obtain personal information - such as names, birthdates, and SSNs - from evacuees. The AP broke this story on Saturday.