Privacy Advisor

Privacy News

August 1, 2007

White Paper: Biometric Encryption Technology Promises Privacy, Security and Personal Control
Information and Privacy Commissioner of Ontario Ann Cavoukian, Ph.D., and Alex Stoianov, Ph.D., an internationally recognized biometrics scientist, have published a joint research paper, Biometric Encryption: A Positive Sum Technology That Achieves Strong Authentication, Security AND Privacy.

The white paper sets out the privacy, security and trust problems of current biometric information systems, and explains how an emerging new technology, called Biometric Encryption, can address those concerns.

With Biometric Encryption (BE), instead of storing a sample of one's fingerprint in a database, the fingerprint is used to encrypt or code some other information, such as a PIN, account number or cryptographic key, and only the biometrically encrypted code is stored, not the biometric itself. This removes the need for public or private sector organizations to collect and store actual biometric images in their databases. The method addresses most privacy and security concerns associated with the creation of centralized databases.

The paper also lays out the privacy and personal control advantages for individuals over their own biometric data, and examines other possibilities for its use and how it can offer stronger information security and greater user confidence and trust in biometric identification systems.

The paper is available at www.ipc.on.ca

European Hotel Collection of Personal Information for Law Enforcement

The Chief Privacy Officer for the Department of Homeland Security (DHS), Hugo Teufel, CIPP/G, and the Chief Privacy and Civil Liberties Officer at the Department of Justice, Jane Horvath, an IAPP board member, have written to European data protection authorities to better understand the European practice of hotels collecting personally identifiable information from guests upon check-in.

The two senior privacy officials personally experienced this practice in Brussels last May when they were asked to complete hotel forms asking for home address, birth date, place of birth, passport number and home telephone number. The hotels explained that this information is collected for safety and security purposes to be shared with local law enforcement. The forms were marked with the notice "Police." 

To understand this practice, the U.S. privacy officers contacted the European Data Protection Supervisor and Article 29 Working Party seeking guidance on the authority for collection of this information, how it is used and safeguarded, how long it is retained and whether it is shared outside EU, non-Schengen countries.

— Submitted by John Kropf, CIPP/G, DHS Deputy Chief Privacy Officer

Colombian Senate Approves Data Protection Bill
The Colombian Senate recently approved a data protection bill, which could be enacted this month. The bill still must go before the Constitutional Court for review. Colombia has tried unsuccessfully several times in the past to pass a data protection bill.

TRUSTe Has a New Look
TRUSTe, a nonprofit consumer privacy organization, recently launched a new identity for its family of seals as a statement of its continued and evolving focus on protecting consumers' privacy. Since the organization was founded 10 years ago, the TRUSTe seal has become the road sign for Internet users to identify trustworthy Web sites.

The new look is intended to reflect TRUSTe's expanded offerings and reach, including the growing adoption of the EU Safe Harbor Program, and the recent launch of the Trusted Download Program, a whitelist of software applications that are certified to be free of spyware and malware. In addition to monitoring sites for compliance, TRUSTe plays an active role in resolving more than 5,000 disputes per year to ensure trust is built between individuals and Web properties.

Ponemon Study: Nearly 40 Percent of Large Organizations Don't Monitor Databases for Suspicious Activity — Or Don't Know if They Do
Application Security, Inc. recently announced the results of a Ponemon Institute survey underscoring the serious challenges organizations face in securing sensitive data. With more than 150 million data records exposed in the past two years, the survey also highlights an organizational disconnect between the realization of the threat and the urgency in addressing it.

The Ponemon Institute surveyed 649 respondents in corporate information technology (IT) departments worldwide, and found that organizations are wrestling with how to protect data from misuse by external and internal forces while expanding access to the same data to drive business initiatives. Highlighting these challenges, the survey reveals that:

  • Forty percent said their organizations don't monitor their databases for suspicious activity, or don't know if such monitoring occurs. More than half of these organizations have 500 or more databases — and the number of databases is growing.
  • "Trusted" insiders' ability to compromise critical data was cited as the most serious concern — with 57 percent perceiving inadequate protection against malicious insiders and 55 percent for "data loss" by internal entities.
  • Seventy-eight percent believe that databases are either critical or important to their business. Customer data represents the most common data type contained within these databases.
  • Customer/consumer and employee data rank 3rd and 4th respectively in regard to organizations' prioritization of what must be protected.


The full report is available at: www.appsecinc.com/techdocs/whitepapers/2007-Ponemon-Database-Security-Study-Sponsored-by-Application-Security-Inc.pdf.

Websense Unveils Information Leak Prevention Software
Websense, Inc. has announced the development of the industry's first security software that integrates information leak prevention capabilities with Web categorization and filtering to provide organizations with a new level of information protection. According to Websense, this combination of content and destination awareness allows automated enforcement of who has access to what information, how the information can be used, and where it can be sent.

Websense Content Protection Suite v6 combines content and context awareness leveraging Web intelligence through integration with Websense's URL database and ThreatSeeker™ malicious content classification technology, as well as new context-based data recognition capabilities that increase detection accuracy and enable organizations to create and enforce powerful, user-specific data sharing policies.

The software is slated to be available this month.