Archive for 'Legislation'

Privacy Advocates Oppose Expansion Of DNA Database

Friday, September 30th, 2005

The Senate Judiciary Committee has approved a bill that would force suspects arrested or detained by federal authorities to provide samples of their DNA that would be recorded in a central database. This is a step to expand government collection of personal data, and maybe another step in expanding government intrusion. Currently, only people convicted of crimes must provide a DNA sample. Privacy advocates, including Jim Harper, director of Information Policy Studies at the Cato Institute, oppose the expansion of the FBI-run national DNA registry. Harper is a keynote speaker at the IAPP Privacy Academy 2005 Oct. 26-28 in Las Vegas.

A tale of two cultures

Thursday, August 11th, 2005

The New York Times ran an interesting article earlier this week contrasting American and European personal data protection practices. In Europe, the right to privacy is considered fundamental, and accordingly most European countries have passed extensive privacy laws and established governmental agencies to specifically deal with data protection. The United States government tends to treat privacy as an afterthought, enacting laws as a form of damage control. Americans tend to treat privacy as a consumer issue, placing their trust in business more often than they do the government. This has been a key factor in the growth of commercial databases such as ChoicePoint.

Those wishing to get a more in-depth look at international privacy laws and attitudes should take a look at EPIC and Privacy International’s joint 2003 Privacy and Human Rights report. Over fifty-five countries are included in the report, which also attempts to document the privacy-related responses to the September 11 terrorist attacks.

National legislation against ID theft

Tuesday, June 28th, 2005

A recent Gartner survey of public opinion regarding identity theft revealed that many consumers, “half those polled, either weren’t aware they were entitled to a free credit report or considered them ‘not effective’ in fighting ID theft” (quoted from this MSNBC article). The article goes on to say that about one-third of those polled were “very concerned” about becoming ID theft victims themselves. Perhaps the clearest result from the survey - entitled “Increased Phishing and Online Attacks Cause Dip in Consumer Confidence” - is that the free credit reports are nowhere near enough protection for consumers against the increasing threat of identity theft.

Enter new legislation from two U.S. Senators, which joins a slew of other proposed legislation aimed at tackling the ID theft epidemic. Senators Specter and Leahy have recently put forth their own bill, which would establish penalties for not disclosing data breaches nationwide, as well as limit the sales of SSNs and increase consumers’ abilities to access the information data brokers have on them. This Reuters article describes the bill in a bit more detail.


Negative Reinforcement

Friday, February 18th, 2005

Japan has passed new privacy laws that are cracking down on organizations that do not protect private information. The penalty can include a prison sentence of up to 6 months. The question is, will this be enough to motivate people to protect personal information? The results seem promising, as shredder sales in Japan have gone through the roof. Read more about this here.

Report by the ISF shows Outsourcing Carries Significant Risk

Wednesday, November 24th, 2004

On October 5, 2004, I posted a blog entry about California Governor Arnold Schwarzenegger vetoing three privacy bills, including two bills that would have restricted the outsourcing of medical and financial data services. In that blog entry, I argued Governor Schwarzenegger’s decision is wrong.

Recently, a new report by the Information Security Forum shows that outsourcing and offshoring data processing and other business functions carries significant risk, particularly with regard to regulatory compliance. The report acknowledges that outsourcing is “here to stay,” and urges careful planning and management of outsource partners to minimize associated risks. Unfortunately, the full version of the report is available to ISF members only.

Legal XML

Tuesday, October 12th, 2004

I just got back from IBM’s Security and Privacy Leadership conference and was thoroughly impressed at the depth of discussions. At events like this three years ago, we were talking about subjects like “is there really a difference between privacy and security?” Today, everyone is comparing notes on their Sarbanes-Oxley compliance efforts or sharing the pain of HIPAA compliance.

One of the keynote speakers mentioned in passing a project that should be on the radar screen of anyone developing privacy enhancing technologies. It’s a relatively new OASIS working group called “Legal XML”.

Their website describes the working group as follows:

LegalXML brings legal and technical experts together to create standards for the electronic exchange of legal data.

LegalXML is a member section within OASIS the not-for-profit, global consortium that drives the development, convergence and adoption of e-business standards. Members themselves set the LegalXML agenda, using the open OASIS technical process expressly designed to promote industry consensus and unite disparate efforts. LegalXML produces standards for electronic court filing, court documents, legal citations, transcripts, criminal justice intelligence systems, and others.

OASIS members participating in LegalXML include lawyers, developers, application vendors, government agencies and members of academia.

I’ve run several workshops in which we’ve analyzed privacy legislation and expressed the requirements in XML so that it can be related to access controls and, believe me, it was tough. Law writers are all about principles and (frankly) ambiguity. All too often they want to express goals and leave interpretation of how to achieve goals to the courts. On the other hand, IT people need very precise, actionable items to follow. So bridging the gap between the legal world and IT world is no small task.

But because privacy management is rooted in social expectations, I personally believe work efforts like Legal XML are going to be an extremely important component of future privacy enhancing technologies.

Expand Privacy of cell numbers

Tuesday, September 28th, 2004

California is the first state to enact the cell number privacy law supported by Gov. Arnold Schwarzenegger. Consumers should have the right to decide whether they want a privacy block on their number or whether they want to make it public. According to this law, written consent from the customer would be required to make their number public, and those who do not wish to indulge in this service would not be charged. For more information check out:

California is First to Enact Cell Phone Number Privacy Law

California Privacy Law Going into Effect

Thursday, June 24th, 2004

The Online Privacy Act of 2003 (Calif. AB 68) is a new law that is going into effect in the state of California on July 1, 2004. The law sets forth requirements for any online business collecting personally identifiable information from residents of California.

The following article from COMPUTERWORLD, and this one from About.com, briefly describe the law and some of its implications.

OnlineSecurity.com has created a guide to developing an AB 68-compliant privacy policy, which can be found here.