European Union Data Protection Supervisor Peter Hustinx writes an editorial for ZDNet UK about data breach notification laws, criticizing exemptions that allow some breaches to go unreported.

Thus, the proposal to set up a security-breach reporting mechanism put forward by the European Commission and endorsed by the European Parliament and Council, in the context of the review of the EU E-Privacy Directive, should be well received by European citizens and stakeholders in general.

Unfortunately, if the Council and Commission approach prevails, European citizens will be disappointed to learn that the only organisations obliged to disclose breaches would be providers of publicly available electronic communications services.

That restriction means European citizens would only be alerted if their internet access or telephone company suffers security breaches. If their online bank is hacked or its security systems are cracked, enabling the unauthorised access to bank account information, citizens might not be notified. Read more »

Super Bowl XLIII will be the first time that federal behavior-detection agents will be used at a major event, reports USA Today.

At the Tampa Police request, the TSA is sending dozens of its behavior officers to Tampa to watch spectators entering 75,000-seat Raymond James Stadium on Sunday, said Tampa Police spokeswoman Laura McElroy. [...]

Behavior observation is used daily by 2,600 specially trained TSA officers at more than 160 airports. Officers look for obvious signs of nervousness or other behavioral flags, such as sweating, avoiding eye contact or talking evasively.

There are a lot of privacy and civil liberty questions surrounding behavior detection programs. There are any number of innocent reasons why an individual would be nervous or agitated at an airport or the Super Bowl. Wouldn’t you presume nervousness from someone who spent that much money and time to go to the Super Bowl to watch his or her team play?

What would the error rate of this technology be? How many false positives leading to the harassment of innocent people and the diversion of investigators’ attention and resources from actual criminals? Read more »

Over at the ACLU blog, staff attorney Chris Hansen discusses First Amendment issues related to Internet filters, software to block access to certain Web sites, usually ones with sexual content. Here’s an excerpt, but you should go read the full post and watch the video interview with Hansen.

People are talking about internet content filtering, especially since the ACLU won its case against the Child Online Protection Act (COPA), which tried to censor all speech about sex from the internet. [...]

Filtering has been shown to be quite successful in blocking sexual sites, but at a price — it over-blocks. As much as 20 percent of all internet content can be over-blocked by some filters, including valuable nonsexual material. Reports by the Kaiser Family Foundation (PDF), Consumer Reports, and the Free Expression Policy Project (PDF) have all found that filters improperly block important web sites about health, sex education, civil rights, and politics.

A European Commission study shows that, “In the 15 to 24 age group, only 33% were aware of their rights in relation to their own personal data. Only 18% knew of the existence of national data protection supervisory authorities,” says Jacques Barrot, a vice president of the European Union. He says that young people are should be educated about online privacy protections because they “increasingly use[] new technologies to communicate, exchange information and socialize through the online social networking sites, such as Facebook.” 

The International Herald Tribune reports, “The alarm comes amid an outpouring of concern from parents and privacy advocates about the potentially negative effects of posting personal details and photographs to popular Web sites accessible from virtually any computer.” Also, “EU officials also are concerned that information collected from such sites could be used by companies to flood consumers with unsolicited advertising or used by government agencies to compromise citizens’ civil liberties.”

Barrot also says, “They are exposing their every day life online without being aware of the risks the online activities could entail now and in the future for their own privacy.”

I agree that people need to be more aware of what it means to post such personal data online, whether in social networking sites, blogs or other forums. I have written about how data from social networking sites are being used against job applicants, applicants to colleges and graduate schools, various current employees, and in criminal trials. Once data is published online, it’s difficult to control who sees it and how the data is used.

PBS will air a program about the National Security Agency and its surveillance of American citizens, based on James Bamford’s book, “The Shadow Factory.” There have been numerous questions raised about the legality of the NSA’s warrantless wiretapping programs since the New York Times revealed one program in December 2005. Last week, a whistleblower reported that the NSA (possibly in a separate program) gathered all the domestic communications of Americans (phone calls, faxes and more), and the agency combined its phone data with financial records, such as credit card info.

In October, reports that the Inspector General for the National Security Agency began investigating allegations by whistleblowers of abuse in the NSA’s warrantless wiretapping program revealed by the New York Times. Two former intercept operators said that the agency listened in on intimate calls from American citizens stationed abroad (soldiers, journalists, relief workers) even though the individuals were not suspected of any crimes.

Many (including I) were angry when the House and Senate, including Senator Obama, approved the  FISA Amendments Act in July, because the Act unreasonably and unnecessarily authorizes broad surveillance of Americans’ international communications without meaningful Fourth Amendment protections. (Statements from: the American Civil Liberties Union, Center for National Security Studies (pdf), and Electronic Frontier Foundation. A letter (pdf) to Congress from Privacy Lives and other groups urging against passage of the FISA Amendments Act.)

Hopefully, the continuing accusations of misuse of power by the NSA will push Congress and the president to investigate and more closely oversee the agency’s surveillance programs. Allowing a federal agency the unrestricted power of investigating and creating dossiers on innocent Americans will only raise the specter and problems of publicly condemned domestic surveillance program COINTELPRO. From 1956 to 1971, the FBI abused its investigatory powers to harass and disrupt political opponents, and the truth was learned when Congress investigated in 1975.

From the PBS Web site:

In this program, an eye-opening documentary on the National Security Agency (NSA) by best-selling author James Bamford and Emmy Award-winning producer Scott Willis, NOVA exposes the ultra-secret intelligence agency’s role in the failure to stop the 9/11 attacks and the subsequent eavesdropping program that listens in without warrant on millions of American citizens. Read more »

Computerworld sits down with Department of Homeland Security Chief Privacy Officer Hugo Teufel and chats with him about the issues he has faced at DHS.

I have worked often with Teufel and the DHS Privacy Office staff. We do not always agree, but I respect them and the difficult job they have. They work hard to ensure privacy issues are on the table when programs are discussed, though strong privacy protections often are not included in DHS programs.

From Computerworld:

In your speech, you said U.S. CPOs would be wise to understand how the European Union treats privacy differently within its “first pillar” commercial policy and “third pillar” security areas. Can you elaborate? The rules covering the same personally identifiable information appear to be different for security services than they are for businesses operating in the EU. Security services may make demands of businesses for certain data, which by law the businesses are not allowed to collect. The businesses can refuse, risking the wrath of the security service, or they can comply, risking punishment from the data-protection authority, which may not have competence over the security service collection and use of that data. It’s a real catch-22.

What was your top lesson learned from the U.S.-EU compromise on the sharing of airline passenger name records? Sadly, that politics sometimes took precedence over the security and privacy of Americans and Europeans. [...] Read more »