
Archive for the ‘RFID’ Category

President-Elect Barack Obama and Privacy

Friday, November 7th, 2008

The transition site has been created for the incoming administration of President-Elect Barack Obama and Vice President-Elect Joe Biden. It contains a variety of information on plans for the future, including some that affect individual privacy. Here are a few items of interest under the Protecting America section.

Defeat Terrorism Worldwide

  • [...] New Capabilities to Aggressively Defeat Terrorists: Barack Obama and Joe Biden will improve the American intelligence apparatus by investing in its capacity to collect and analyze information, share information with other agencies and carry out operations to disrupt terrorist operations and networks. [...]

Strengthen American Biosecurity

  • [...] Prevent Bioterror Attacks: Obama and Joe Biden will strengthen U.S. intelligence collection overseas to identify and interdict would-be bioterrorists before they strike.
  • Build Capacity to Mitigate the Consequences of Bioterror Attacks: A well-planned, well-rehearsed, and rapidly executed epidemic response can dramatically diminish the consequences of biological attacks. Barack Obama will ensure that decision-makers have the information and communication tools they need to manage disease outbreaks by linking health care providers, hospitals, and public health agencies.

Protect Our Information Networks
As president, Barack Obama will lead an effort, working with private industry, the research community and our citizens, to build a trustworthy and accountable cyber infrastructure that is resilient, protects America’s competitive advantage, and advances our national and homeland security. [...]

  • Mandate Standards for Securing Personal Data and Require Companies to Disclose Personal Information Data Breaches: Nearly 10 million Americans are victims of identity theft each year, costing more than $55 billion. We must ensure that the privacy of personnel data in computer systems is better protected. The federal government must partner with industry and our citizens to secure personal data stored on government and private systems. An Obama administration will institute a common standard for securing such data across industries and will back strong legislation to protect the rights of individuals in the information age. [...] (more…)

Researchers Reveal Security, Privacy Vulnerabilities in ‘Enhanced’ Driver’s Licenses

Tuesday, November 4th, 2008

Researchers at the University of Washington and EMC’s RSA Laboratories detail in a new report (pdf) that there are security and privacy vulnerabilities in the federal government’s “passport cards” and “enhanced driver’s licenses” that the federal government deploys in conjunction with some state motor vehicle departments. Such cards and licenses contain personal details, including an individual’s citizenship status. They are also equipped with radio frequency identification (RFID) technology, which transmits data wirelessly from a chip or tag to a reader.

The researchers found that they were able to counterfeit and disable the cards with easily obtainable off-the-shelf technology. From the researchers’ FAQ:

Our research confirms the vulnerability of Passport Cards and EDLs to copying attacks of their electronic RFID components. We have shown, in fact, that an anti-counterfeiting measure that the U.S. Department of Homeland Security appears to have contemplated in its initial designs is not present in the Passport Card. Without this countermeasure, it is a technically straightforward matter to copy the data from a Passport Card’s RFID tag into another, off-the-shelf tag. An attacker does not have to resort to building an emulating device in order to create a radio-similar clone. [...]

The EPC tags in Passport Cards and EDL do not contain personally identifying information; they store what amounts to a database record pointer. Thus, concerns about read ranges revolve more around counterfeiting than privacy, though privacy is still an issue since repetitive reads of the same card can reveal travel patterns. (more…)

Roundup of California Privacy Legislation, Including REAL ID Bill

Wednesday, October 8th, 2008

Last week, California Gov. Arnold Schwarzenegger vetoed legislation to implement the federal REAL ID national identification system. He also rejected several bills that would have strengthened the privacy rights of California residents, while approving a few that were privacy-protective.

The privacy-protective legislation Schwarzenegger signed was SB 31 and AB 2059. SB 31 concerns radio frequency identification (RFID) technology, which transmits data wirelessly from a chip or tag to a reader. SB 31 reads:

(a) Except as provided in this section, a person or entity that intentionally remotely reads or attempts to remotely read a person’s identification document using radio frequency identification (RFID), for the purpose of reading that person’s identification document without that person’s knowledge and prior consent, shall be punished by imprisonment in a county jail for up to one year, a fine of not more than one thousand five hundred dollars ($1,500), or both that fine and imprisonment.
(b) A person or entity that knowingly discloses, or causes to be disclosed, the operational system keys used in a contactless identification document system shall be punished by imprisonment in a county jail for up to one year, a fine of not more than one thousand five hundred dollars ($1,500), or both that fine and imprisonment.

SB 31 includes some exceptions for law enforcement and medical personnel, among others.

AB 2059 requires marketers who send postal mail solicitations to disclose their identities and inform consumers they are waiving their do-not-call rights if they accept the marketers’ offers to receive phone calls about products. Also, with exceptions, “A violation of this section shall not be a crime [...] However, all available civil remedies that are applicable to a violation of this section may be employed.”

The privacy-protective legislation vetoed included: 

  • AB 1906, which would have “add[ed] identity theft to the [...] list of insurance classes [in California]. The bill would provide that identity theft insurance includes insurance against costs associated with reestablishing credit, reclaiming financial identity, and communicating with banks, credit agencies, and other financial institutions, as specified.” (more…)

Scientific American: The Future of Privacy

Thursday, September 11th, 2008

The latest issue of Scientific American magazine is all about technology and privacy. Included in the issue:

Homeland Security Publishes 26 Privacy Impact Assessments, Will Pull Them From Agency Site in September

Tuesday, July 22nd, 2008

Found via Cryptome.

In two Federal Register notices published on July 15, the Department of Homeland Security’s Privacy Office announced 26 Privacy Impact Assessments for various Homeland Security Programs. Oddly, the Privacy Office announces, "The Privacy Impact Assessments will be available on the DHS Web site until September 15, 2008, after which they may be obtained by contacting the DHS Privacy Office (contact information below)." I have never seen this sort of announcement before. Currently, the agency’s site has PIAs from 2003 (when the Department of Homeland Security was created) through the current month.

The 26 PIAs are for:

  1. Whole Body Imaging (Transportation Security Administration)
  2. Federal Flight Deck Officer Program (TSA)
  3. REAL-ID Final Rule (DHS-wide)
  4. Personnel Security Activities Management System/Integrated Security Management System Update (DHS-wide)
  5. USCIS Person Centric Query Service Supporting the Verification Information System (Citizenship and Immigration Services) (more…)

Events of Interest: FTC Town Hall: Pay on the Go: Consumers and Contactless Payment (July 24)

Monday, July 21st, 2008

"The Federal Trade Commission and the Technology Law and Public Policy Clinic at the University of Washington will host a Town Hall meeting on July 24, 2008, to explore the growth of contactless payment systems and their implications for consumer protection policy. This Town Hall, titled “Pay on the Go: Consumers and Contactless Payment” follows up on the FTC’s November 2006 hearings, “Protecting Consumers in the Next Tech-ade,” which examined key technological and business developments that will shape consumers’ experiences over the next ten years.

This Town Hall meeting will bring together industry members, technologists, academicians, consumer protection officials, and consumer advocates to explore the current state of the art for contactless payment systems, which use radio frequency identification (“RFID”) technology to allow consumers to make low dollar-value purchases by holding an RFID-enabled device (such as a smart card, key fob, or mobile device) in proximity to a reader. The event will explore the extent to which contactless payment is being deployed domestically and around the world, along with potential benefits and risks to consumers of its use.

Participants will examine the increasing prevalence of contactless payment devices in everyday consumer transactions, including credit card purchases and public transit use; consumer awareness and education initiatives regarding these developments; security and privacy threats and proposed solutions; and emerging technologies and practices that may shape the contactless payment marketplace over the coming years. (more…)