Archive for 'Government Programs'

Bill Almost Passes to Allow Peeking at Tax Returns

Monday, November 22nd, 2004

There was language inserted into an omnibus spending bill that would have allowed two committee chairmen to view the tax returns of any American. The language was caught and is being revised before being sent to President Bush for his approval. What is concerning here, as Republican Senator John McCain points out, is that when budgets and bills are pushed through at the end of a session, no one has a chance to read them and virtually anything can be contained in the bill.

Obviously this is a serious invasion of privacy, but it makes one ponder how much legislation there may be in these hundreds of thousands of pages of legislation that either explicitly or implicitly violates the privacy and rights of U.S. citizens.

More information can be found on this ongoing news story at this article on CNN.com.

New security tested at U.S. border crossings

Wednesday, November 17th, 2004

The Privacy Place researchers have participated in a Transnational Digital Government project, which focuses on developing a prototype system for remote border control. Recently, I read an article that says new security technologies, which call for fingerprinting, photographing and running checks on suspicious visitors, are being tested at U.S. border crossings. Digital fingerscans and photos are matched with databases to determine if visitors might be wanted for immigration problems and crimes or are on lists barring them from entering the country because of suspected terrorist ties. The information will be stored indefinitely in a national database, but Homeland Security officials promised its use would be restricted to ensure privacy. By the end of 2005, the United States Visitor and Immigrant Status Indicator Technology program, or US-VISIT, is scheduled to be used at all 165 land border crossings.

The (De)Construction of Social Security Numbers

Sunday, November 14th, 2004

The current issue of Mental Floss (http://www.mentalfloss.com/) has an interesting story about the origin of Social Security numbers and what the different parts of the number mean.

According to Mental Floss, the first three digits are assigned based on the zip code where you applied for the number. The second two digits are group numbers, which are not assigned sequentially but according to a rather complicated sequencing scheme that goes something like: a) odd numbers between 01 and 01, b) even numbers from 10 to 98, c) even numbers from 02 through 08, and d) odd numbers from 11 through 99. The last four digits are simple sequence numbers.

The Mental Floss article has an interesting story about accidental misuses of the social security numbers in the early days of the system . . .


X-Ray Sees Through Clothes

Saturday, November 13th, 2004

Apparently, there is a new x-ray machine to be used in airports in England that can see through people’s clothes. The machine produces an anatomically correct and detailed image in black and white. Civil liberties groups have labeled the machines as unjustified and intrusive. However, 98 percent of people who participated in the preliminary random “test run” gave positive feedback.

When I began reading this article, I was appalled at the idea of having to stand in front of an x-ray machine that will render me all but naked to some given individual. However, when I read further, it seems they address many privacy concerns. A spokesperson said that the machine images are not stored, it would be operated by a same-sex operator, and that the operator would never see the actual individual. This anonymity is a bit more reassuring, but I still see the possibility of privacy invasions. The question is: Is this mild form of embarrassment worth the protection the machines could provide?

Read more about this article, “Airport X-ray sees through clothes.”

Blind voters report privacy violation

Thursday, November 11th, 2004

Dozens of voters from Florida had to speak their ballot choice aloud to the poll people. They feel like they lost their right to a secret ballot as everyone in the line could hear their choice and this violated their privacy. By 2006, all counties in the state are required to provide voting machines accessible to the blind.

Source

“Outing” the Need for Opt-In

Wednesday, October 27th, 2004

Law.com posted an article, entitled “Keeping Promises: Online Privacy Policies,” that describes a settlement between the FTC and Gateway Learning, the sellers of “Hooked on Phonics.” To summarize the complaint, Gateway Learning posted in its privacy policy that it would not share customer information with outside parties. Gateway Learning, despite these promises, began renting personal information to marketers — including names, addresses, phone numbers, ages, and information about consumers’ children.

This practice is alarming, but it is also interesting to note that, as part of the settlement provisions, the FTC prohibits Gateway Learning from sharing any personal information collected unless they receive an “opt-in” consent from the consumer. I’ve been an emphatic advocate for the notion of “opt-in” to be not only common practice, but implemented in the form of legislation. Presently, some companies allow consumers to “opt-out” of sharing information with third parties, most don’t give you a choice at all, and rarely do they ever have an “opt-in” policy. Privacy shouldn’t be the burden of the consumer, it should be the de facto standard.

Unfortunately, most of the sites we analyzed in the healthcare domain have nearly identical policies to that of Gateway Learning. You can read more about this analysis in our paper: An Analysis of Web Site Privacy Policy Evolution in the Presence of HIPAA.

Database storing information on homeless people

Friday, October 22nd, 2004

Privacy advocates are raising concerns over the collection and storage of data on homeless people. The Department of Housing and Urban Development is collecting such data, saying that it will help homeless people and battered women in the long run. What they do not realize is that there is a potential risk that someone might get access to information on a victim of domestic violence and find them and hurt them more.
For more information read:
Tussling over victims’ privacy

EWeek Editorial on Data Governance

Friday, October 22nd, 2004

EWeek has a great editorial titled “The Governance Edge” in the current edition which does a great job of drawing the connection between controls in IT infrastructure and corporate ethics. As they put it:

“Without information management, there can be no corporate governance of any kind, good or bad.”

and later in the same editorial:

IT people will have to take part in the good governance of their own companies, through helping to implement Sarbanes-Oxley, the Patriot Act, SEC 17a-4 and HIPAA compliance solutions. The tools that vendors are offering IT managers to meet these compliance guidelines give IT managers the power to preserve data and audit it when need be. IT managers need to harness this technology to make good governance a day-to-day practice within their companies.

The problem we face as an industry is that we have to work governance issues into software engineering practices and eventually good governance principles need to be “baked in” to the products and services that are offered to customers.

What does this have to do with privacy management? Everything. Privacy management, financial data controls (Sox), HIPAA (medical privacy), COPPA (child protection), are all about placing controls on how and when data can be used, all of which fall under the umbrella term, “Data Governance.”

Legal XML

Tuesday, October 12th, 2004

I just got back from IBM’s Security and Privacy Leadership conference and was thoroughly impressed at the depth of discussions. At events like this three years ago, we were talking about subjects like “is there really a difference between privacy and security?” Today, everyone is comparing notes on their Sarbanes-Oxley compliance efforts or sharing the pain of HIPAA compliance.

One of the keynote speakers mentioned in passing a project that should be on the radar screen of anyone developing privacy enhancing technologies. It’s a relatively new OASIS working group called “Legal XML”.

Their website describes the working group as follows:

LegalXML brings legal and technical experts together to create standards for the electronic exchange of legal data.

LegalXML is a member section within OASIS the not-for-profit, global consortium that drives the development, convergence and adoption of e-business standards. Members themselves set the LegalXML agenda, using the open OASIS technical process expressly designed to promote industry consensus and unite disparate efforts. LegalXML produces standards for electronic court filing, court documents, legal citations, transcripts, criminal justice intelligence systems, and others.

OASIS members participating in LegalXML include lawyers, developers, application vendors, government agencies and members of academia.

I’ve run several workshops in which we’ve analyzed privacy legislation and expressed the requirements in XML so that it can be related to access controls and, believe me, it was tough. Law writers are all about principles and (frankly) ambiguity. All too often they want to express goals and leave interpretation on how to achieve goals to the courts. On the other hand, IT people need very precise, actionable items to follow. So bridging the gap between the legal world and IT world is no small task.

But because privacy management is rooted in social expectations, I personally believe work efforts like Legal XML are going to be an extremely important component of future privacy enhancing technologies.

California governor vetoes privacy bills

Tuesday, October 5th, 2004

California Governor Arnold Schwarzenegger vetoed three privacy bills on Wednesday September 29, 2004, including a bill that would have required employers to notify employees of e-mail monitoring, and two bills that would have restricted the outsourcing of medical and financial data services. Schwarzenegger said the bills were redundant to current law and would have only created more work for California businesses. Detailed story…

I’m afraid I do not agree with Governor Schwarzenegger. Of the three vetoed bills, one bill would have limited data that medical firms can send abroad for processing without a patient’s consent. If the current law is sufficient to protect patient privacy, how could this happen on October 7, 2003? A Pakistani woman named Lubna Baloch sent an email to UC San Francisco Medical Center threatening that she would disclose patient medical records if UCSF Medical Center did not help her get the money she was owed. In her email she said, “Just to make you believe that I am not bluffing I am attaching latest voice file and text of your hospital.” Baloch had included private discharge summaries for two UCSF patients. Detailed story…