

Intersection: Sidewalks & Public Space

Chapter by Melissa Ngo

"The Myth of Security Under Camera Surveillance"



    Archive for April, 2009

    CNet News: Device identification in online banking is privacy threat, expert says

    Tuesday, April 28th, 2009

    CNet News reports on a discussion at the RSA security conference on privacy in online banking. 

    A widely used technology to authenticate users when they log in for online banking may help reduce fraud, but it does so at the expense of consumer privacy, a civil liberties attorney said during a panel at the RSA security conference on Thursday.

    When logging into bank Web sites, users are typically asked for their user name and password. But that’s not all that is happening. Behind the scenes, the server is taking measures to identify the device being used in an attempt to verify that the person logging in is the person whose account is being accessed under the assumption that most people use the same computer for banking.

    TechCrunch: The Sorry State of Online Privacy

    Monday, April 27th, 2009

    At TechCrunch, Jason Kincaid writes about the privacy problems associated with “cloud computing” (when you upload and store your data at an online service owned or operated by others). (The World Privacy Forum released a report (pdf) in February on cloud computing, “Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing.” It’s one of the few reports to look closely at the issues.) 

    Kincaid writes: 

    The Cloud is looming large, offering us ways to store and share our data in ways that were never before possible. We can effortlessly share our documents and photos with our families and friends, while maintaining control over their spread using powerful granular privacy controls. But it’s quickly becoming clear that the cloud isn’t ready for us. Because the services we rely on are letting us down with a frequency that is simply unacceptable.

    I’ve been putting this post off for a while, mostly because I didn’t want to point to a single breach and call it a trend. But in only the last two months, we’ve covered at least three major web services that suffered security lapses tied to software bugs or scaling issues. 

    (In this case, “scaling issue” means coverage is expanded, but the service was unable to handle the expansion and problems arose. For example, if demand for a Web site increased by a factor of 10 and the Web site increased the number of servers also by a factor of 10 but still can’t meet the demand or handle the increased security risks because of design issues, then the site was unable to scale properly. Wikipedia has more info on scalability.)

    Calgary Herald: Privacy chief backs crackdown on problem bar patrons

    Monday, April 27th, 2009

    The Calgary Herald has a story about the Alberta, Canada, privacy commissioner supporting a proposed bar/club blacklist of patrons. The bars would define what actions would deem a person a “problem patron”; the person does not need to be arrested, charged or convicted of a crime committed at a bar to be put on the list. 

    Alberta’s information and privacy commissioner supports a proposal allowing bars to collect information on “problem patrons” and share it with other licensed establishments.

    But commissioner Frank Work does worry changes to the Gaming and Liquor Act could lead to some customers being unfairly banned from clubs and bars.

    He’s concerned that some bars will become overzealous– designating customers who get a little unruly or don’t pay a tab as problem patrons, and then pass on that designation to bars that will also ban them. [...]

    The amendment would allow a bar to record a person’s name and age (but not their birthdate) and take a photograph, says Rob Anderson, parliamentary assistant to Fred Lindsay, the solicitor general and minister of public safety.

    The Future of the REAL ID National Identification System

    Friday, April 24th, 2009

    As I was contemplating writing a post on future prospects for the federal REAL ID program, Stateline.org reported, “Proposed legislation being circulated on Capitol Hill would give states more time, flexibility and money to meet federal Real ID requirements. [...] The bill, which is still being negotiated but could be introduced by the end of the month in the U.S. Senate, is known as the Pass ID Act (Providing for Additional Security in States’ Identification Act).” This is good news, especially the fact that the current proposal would “scrap[] the program’s current rules and creat[e] a new rule-making process.” (The REAL ID Act of 2005 mandates that state driver’s licenses and ID cards follow federal technical standards and verification procedures issued by the Department of Homeland Security.)

    I hope that the REAL ID program is scrapped. It cannot be fixed. I believe that (pdf) the REAL ID system creates a fundamentally flawed national ID system. It enables tracking, surveillance, and profiling of the American public through the proposed interlinking of the motor vehicle databases of all 56 states and territories, the use of an unencrypted machine-readable zone on the state ID cards and driver’s licenses, and the ability for the system to be used for much more than the few purposes set out by the 2005 law. There is also the problem that a national ID system is not good security. You should not have one national ID card for the same reason that you do not have one key to open the locks on your home, car, office or safe deposit box. You do not put all of your trust in one key, and you should not put all of your trust in one ID card.

    The Department of Homeland Security and Secretary Chertoff spent a lot of time pushing the REAL ID national identification system as a savior for false identification problems. In a January 2008 opinion column written by Secretary Chertoff, he urged states, companies, and the general public to embrace the national identification system because he says it is trustworthy. Secretary Chertoff said “embracing REAL ID” would mean using the one ID card to “cash a check, hire a baby sitter, board a plane or engage in countless other activities.”

    Chertoff has deflected questions about the massive security hole created by embedding so much trust in one national identification card — people will trust the criminals who hand them forged cards. However, in an August 2008 speech Chertoff agreed that the fact that REAL ID and other identification cards can be forged is a security problem:

    Wall Street Journal: Employers Watching Workers Online Spurs Privacy Debate

    Thursday, April 23rd, 2009

    The Wall Street Journal has an interesting article about privacy in the workplace:

    A case brewing in federal court in New Jersey pits bosses against two employees who were complaining about their workplace on an invite-only discussion group on MySpace.com, a social-networking site owned by News Corp., publisher of The Wall Street Journal. The case tests whether a supervisor who managed to log into the forum — and then fired employees who badmouthed supervisors and customers there — had the right to do so.

    The case has some legal and privacy experts concerned that companies are intruding into areas that their employees had considered off limits. [...]

    The legal landscape is murky. For the most part, employers don’t need a reason to fire nonunion workers. But state laws in California, New York and Connecticut protect employees who engage in lawful, off-duty activities from being fired or disciplined, according to a report prepared by attorneys at the firm Proskauer Rose LLP. While private conversations might be covered under those laws, none of the statutes specifically addresses social networking or blogging. Thus, privacy advocates expect to see more of these legal challenges.

    Canberra (Australia) Times: Call for national DNA bank to expand criminal profiles

    Wednesday, April 22nd, 2009

    As the United States continues its expansion of DNA collection by gathering data from those arrested but not convicted of crimes, as well as those convicted of petty crimes, the debate is continuing in other countries. The Canberra Times reports:

    The man overseeing the national DNA database wants to expand the bank of criminal profiles, after the eight-year quest to link all jurisdictions finally ended.

    CrimTrac, the agency which maintains the database, said yesterday a recent link-up between the Northern Territory and NSW was the last piece in the nation’s cross-jurisdiction puzzle.

    The puzzle has taken eight years to complete because of policy and legislative differences.