I just got back from IBM’s Security and Privacy Leadership conference and was thoroughly impressed at the depth of discussions. At events like this three years ago, we were talking about subjects like “is there really a difference between privacy and security?” Today, everyone is comparing notes on their Sarbanes-Oxley complaince efforts or sharing the pain of HIPAA compliance.

One of the keynote speakers mentioned in passing a project that should be on the radar screen of anyone developong privacy enhancing technologies. It’s a relatively new OASIS working group called “Legal XML“.

Their website describes the working group as follows:

LegalXML brings legal and technical experts together to create standards for the electronic exchange of legal data.

LegalXML is a member section within OASIS the not-for-profit, global consortium that drives the development, convergence and adoption of e-business standards. Members themselves set the LegalXML agenda, using the open OASIS technical process expressly designed to promote industry consensus and unite disparate efforts. LegalXML produces standards for electronic court filing, court documents, legal citations, transcripts, criminal justice intelligence systems, and others.

OASIS members participating in LegalXML include lawyers, developers, application vendors, government agencies and members of academia.

I’ve run several workshops in which we’ve analyzed privacy legislation and expressed the requirements in XML so that it can be related to access controls and, believe me, if was tough. Law writers are all about principles and (frankly) ambiguity. All too often they want to express goals and leave interpretation n how to achieve goals to the courts. On the other hand, IT people need very prcies, actionable items to follow. So bridging the gap between the legal world and IT world is no small taks.

But because privacy management is rooted in social expectations, I personally believe work efforts like Legal XML are gong to be an extremely important component of future privacy enhancing technologies.

California Governor Arnold Schwarzenegger vetoed three privacy bills on Wednesday September 29, 2004, including a bill that would have required employers to notify employees of e-mail monitoring, and two bills that would have restricted the outsourcing of medial and financial data services. Schwarzenegger said the bills were redundant to current law and would have only created more work for California businesses. Detailed story…

I’m afraid I do not agree with Governor Schwarzenegger. Of the three vetoed bills, one bill would have limited data that medical firms can send abroad for processing without a patient’s consent. If the current law is sufficient to protect patient privacy, how could this happen in October 7, 2003? A pakistan woman named Lubna Baloch, sent an email to UC San Francisco Medical Center to threaten she would disclose patient medical records if UCSF Medical Center do not help her get the money she was owed. In her email she said, “Just to make you believe that I am not bluffing I am attaching latest voice file and text of your hospital.” Baloch had included private discharge summaries for two UCSF patients. Detailed story…

The following quote is an excerpt from a recent news article:

The U.S. House of representatives will vote soon to crack down on spyware that hides in users computers and secretly monitors their activities. According to Microsoft, spyware was responsible for one-third of all computer crashes last year.

I have been a victim of spyware; and as a network administrator, I have dealt with numerous infected personal computers (PC). Spyware, in itís seemingly innumerable forms, has been responsible for PCs running sluggishly, the clandestine monitoring of activities, and complete system crashes. However, it is difficult to determine which is more alarming: the effects of spyware or the steadily increasing infection rates. As a researcher, I am interested in investigating the etiology behind both of these phenomena. While I believe that enacting new legislation is an appropriate step, I wager that it will prove insufficient to inhibit the increase in spyware activity. Furthermore, as I am firm believer that people value their privacy, I foresee a great deal of research and effort being dedicated to addressing this spyware assault.

For more information on this spyware legislation see: House Could Vote on Spyware Next Week

The new voting technology and polling practices certainly have an impact on the privacy rights of voters. Electronic Privacy Information Center (EPIC) has been asked to offer testimony on this impact. The committee is expected to make its recommendations to the full Election Assistance Commission board sometime next summer for adoption and implementation in 2006.
For more information see:
Voting Statement

The Patriot Act, passed shortly after 9/11, was designed in part to make it easier for the government to monitor suspected terrorists. However, it had been under a great deal of scrutiny by critics who think it gives the government too much power to gather information. One of those criticisms involved the ability to secretly search information ISPs (Internet service providers) and phone companies have about their customers. The American Civil Liberties Union sued, claiming that these expanded privileges violate the Forth Amendment. Yesterday a U.S. District Judge agreed, ruling the powers unconstitutional.

Read more here [CNN].

Army inspector general released findings on investigating Torch Concepts, a defense contractor, privacy violation on testing data-mining techniques on JetBlue Airline passenger records. According to the report, Torch Concepts did not violate the Privacy Act of 1974 because the personal data was collected from private sources and was never in the hands of the government. Compare this report with the Department of Homeland Security (DHS)’s Report to the Public on Events Surrounding JetBlue’s Data Transfer, in which the DHS privacy officer said TSA employees violated the spirit of the 1974 Privacy Act by asking JetBlue to provide data. More discussion can be found here.

Passenger information for those who flew in June of 2004 will be
turned over to the government to evaluate a new system designed to help identify terrorists. This data is certain to have anomalies which could potentially lead to innocent citizens being erroneously labeled as terrorists and placed on a perpetual watch-list. Additionally, the fact that the government is collecting data that includes, for example, special food requests opens the door for individuals to unfairly infer things about passengers.

The TSA has posted a Privacy Impacts Assessment (PIA) for the testing phase of the Secure Flight program. See Yahoo News Article for more information.

The U.S. Senate has unanimously approved an amendment to the 2005 Homeland Security Department spending bill. The amendment requires all federal agencies that use data-mining technologies to submit a privacy impacts report to Congress. For more information, see: Senate votes for privacy study on agencies’ data-mining use.