September 30, 2005

GE Snags Homeland Security Privacy Chief

By Tony Kontzer InformationWeek

Sept. 29, 2005

Hiring of Nuala O'Connor Kelly could signal GE's intent to make privacy a competitive differentiator.


General Electric Co. has snatched up one of the highest profile privacy execs around, luring Nuala O'Connor Kelly away from her post as chief privacy officer at the Department of Homeland Security. The move brings Kelly back to the private sector after four years overseeing privacy compliance for federal agencies, first at the Department of Commerce, and then at DHS for the past two years.

Prior to joining the Commerce Department, Kelly established her reputation as a skilled privacy leader during a two-year stint as privacy chief at online media firm DoubleClick, helping to transform the company from a favorite target among privacy advocates into a pioneer in the areas of online privacy and data-protection policies.

Full article at Information Week

Nuala O'Connor Kelly's interview at Wired

September 29, 2005

EU Data Chief Press Release

As The Washington Post published last Monday, "EU Data Chief Warns About Privacy":

"BRUSSELS, Belgium -- The European Union's data protection supervisor Monday criticized EU plans to retain phone and e-mail data for use in anti-terrorism investigations, saying they failed to protect civil liberties and gave a free hand to national intelligence services.
Peter Hustinx said the proposals -- one drafted by EU governments, the other by the European Commission -- did not prove the need for EU-wide data retention rules"




Data retention: EDPS presents his Opinion on the Commission proposal for a Directive
Retention of traffic data of telecommunications has been high on the political agenda during the last months. Two rivalling proposals for EU-legislation are on the table - a draft framework decision proposed by four Member States and a Commission proposal for a Directive.


Peter Hustinx, the European Data Protection Supervisor (EDPS), who today presents his Opinion on the Commission proposal observes: "This is an incredibly sensitive issue. The Directive has a direct impact on the protection of privacy of EU citizens and it is crucial that it respects their fundamental rights, as settled by the case law of the European Court of Human Rights. A legislative measure that would weaken the protection is not only unacceptable but also illegal".

Although not convinced of the necessity of the proposed Directive, the EDPS presents his view on its main elements. If the Council and the European Parliament decide that data retention is necessary for the purpose of serious crime investigation, the following criteria should be met, for the Directive to be acceptable:

• strictly limited retention periods - the periods must reflect the needs of law enforcement and they must be harmonised in the Member States, laying down maximum periods of retention. Longer periods than 6 and 12 months as proposed, are not acceptable.
• a limited number of data to be stored - the number must reflect the needs of law enforcement and ensure that access to content data is not possible.
• adequate safeguards - specific provisions on access to the retained data by competent authorities are needed to ensure that no one but the relevant law enforcement services can use the data in individual cases.
• adequate technical infrastructure must be put in place to ensure the security of the data, including financial incentives to this effect.
• data subjects must be able to exercise their rights and data protection authorities must be enabled to supervise effectively.


The Opinion of the EDPS contains a detailed analysis of the proposed Directive along these lines and puts forward a number of constructive and concrete proposals to ensure respect for fundamental rights. It also mentions that co-decision of Council and Parliament is the only acceptable way forward in this highly sensitive area.

Links:

Data Retention Directive European Commission Press Release

Data Retention: Privacy International

September 28, 2005

Talks by Latanya Sweeney

I have found at the Data Privacy Lab (Carnegie Mellon) all these talks, slides and papers given by Dr. L. Sweeney.



Invited talk: "Privacy Technologies for Large Research Databases" Spectrum Health and Michigan State University, Grand Rapids, MI, September 23, 2005. Given by Lab Director, Latanya Sweeney. (Slides and Abstract)

Invited talk: "Biometrics Alone Won't Do: Developing Holistic Identity Management Solutions" Biometrics Symposium 2005, Arlington, VA, September 19, 2005. Given by Lab Director, Latanya Sweeney. (Slides and Abstract)

Invited talk: "Risk Assessments of PIN Technologies [unique personal identifiers] for Domestic Violence Shelters," National HMIS Conference, St. Louis, Missouri, September 13, 2005. Given by Lab Director, Latanya Sweeney. (Slides and Abstract)

Paper in IEEE Intelligent Systems about privacy and homeland security, entitled: Privacy-Preserving Surveillance using Selective Revelation. This paper describes an approach for sharing data for surveillance purposes while maintaining privacy. July 2005. Authored by Lab Director, Latanya Sweeney. (more)

Testimony: "Privacy Technologies for Homeland Security", Testimony before the Privacy and Integrity Advisory Committee of the Department of Homeland Security (“DHS”), Boston, MA, June 15, 2005. Testimony by Lab Director, Latanya Sweeney. (Testimony and Appendices)

Invited talk: "HIPAA Strategies for De-Identifying Patient Data for Research," American Association of Medical Colleges (AAMC), National Conference, Group on Information Resources, Philadelphia, PA. April 12, 2005. Given by Lab Director, Latanya Sweeney. (Slides and Abstract)

Invited talk: "Privacy Technology in the Face of Information Warfare", Guest Lecture in Course 19-601, Information Warfare, Carnegie Mellon University. Pittsburgh, PA. March 29, 2005. Given by Lab Director, Latanya Sweeney. (Slides and Abstract)

Invited talk: "Privacy Technology: Artificial Intelligence to Save the World", AAAI Spring Symposium. Stanford. Palo Alto, CA. March 23, 2005. Given by Lab Director, Latanya Sweeney. (Slides, References and Abstract).

Invited talk: "Beyond Ickiness is Risk: The Exasperation of Data Privacy Problems by Implanted RFIDs", The Concealed I Conference, University of Ottawa, Ontario Canada. March 4, 2005. Given by Lab Director, Latanya Sweeney. (Slides, References and Abstract).

September 27, 2005

Trust and Confidence in European Union

From European Commission.

Measures to increase trust and confidence of consumers in the Information Society
(22/09/2005) Consumer protection in the online area is a wide field. The study needs to show to what extent trust-related issues keep users out of the information society today. A clear definition of the covered field based on existing consumer protection regulation and definitions will be necessary in the study. The study will have to focus on issues of consumer protection as well as how they specifically affect trust in and willingness to use information society services. Trust is a notion that can encompass a number of factors such as confidence, awareness, identity protection, security, privacy etc, including subjective apprehension as well as practical experience of various situations.

Measures to increase trust and confidence of consumers in the Information Society

Reference: B-Brussels: measures to increase trust and confidence of consumers in the information society - Official Journal

Text from Tender Specifications "A STUDY ON MEASURES TO INCREASE TRUST AND CONFIDENCE OF CONSUMERS IN THE INFORMATION SOCIETY"

"Consumer protection in the online area is a wide field. A clear definition of the covered field based on existing consumer protection regulation and definitions will be necessary in the study. The study will have to focus on issues of consumer protection as well as how they specifically affect trust in and willingness to use information society services.

There are several specific areas of possible consumer concern that already present themselves for inclusion in the study, like protecting privacy online, reliability and liability of purchased products and product packages, language and usability problems as well as effects of spyware, spam and other forms of malware. There are reasons to believe some of these issues will have considerable effects on the real use of purchased products, and hence a mapping of actual effects on consumers’ ability and willingness to use computer and online products and services is needed. An example issue would be how a specific issue like spyware affects the ability to use a computer, how it affects the users’ trust, and what are the liabilities and protections involved when a user is rendered unable to use services due to such infections. A study of the areas which cause consumer problems, not limited to, but including the above, will be included in the study. Specific areas covered by other initiatives, like eAccessibility for groups with special needs and protection of minors, will be outside the scope of this study.

Trust is a notion that can encompass a number of factors such as confidence, awareness, identity protection, security, privacy etc, including subjective apprehension as well as practical experience of various situations. The lack of trust can also be seen as a barrier for e-inclusion in that it will keep users from participation, empowerment and involvement which is necessary for e-inclusion. The study needs to show to what extent trust-related issues keep users out of the information society today. In order to do this it will also be necessary for the study to clarify what is meant by trust in this context – a clear definition for the purposes of this study will be necessary.

User for the purposes of this study should cover consumers.
There are a number of surveys showing what kind of problems consumers have encountered when shopping online. To a large extent these problems are the same as the ones consumers encounter when purchasing through traditional channels, i.e. non-delivery and defective products, but also on-line payments give rise to complaints.[1] In the on-line environment, however, the same issues might have greater implications than in the traditional commerce environment, due to the special features of the internet (e.g. anonymity of the responsible people behind various services, physical distance, varying legislation and languages etc). There is a need to know to what extent these problems keep people from using not only on line services but also IT-products in general.

[1] E.g. Special Eurobarometer 60.0, European Union public opinion on issues relating to business to consumer e-commerce, March 2004 and European Consumer Centre Network; The European Online Marketplace; consumer complaints."

September 26, 2005

Privacy & Data Protection as Human Rights

FROM EPIC NEWS


Privacy commissioners from around the world called on governments and international organizations to establish data protection and privacy as fundamental human rights. At a privacy conference in Montreux, Switzerland, they also called for effective safeguards to limit the use of biometric passports and identity cards so that a centralized database will not be established. They also urged greater cooperation with NGOs.

A day before the large privacy conference started, EPIC and other European and American civil liberties groups sponsored a conference entitled "Strategies for International Privacy Protection -- Issues, Actors, and Future Cooperation." Its principal aim was to debate one of the two most sensitive privacy issues governments are grappling with and to reinforce cooperation between non-governmental organizations and data protection authorities. Privacy officials, NGOs, and representatives from the industry all participated in the discussion.

In the first panel on data retention, a speaker pointed to the many security risks and high costs for the industry -- Internet Service Providers and telecommunications providers -- and police and security agencies that a regime of retention of traffic and location data would introduce. A high risk also exists for police agencies themselves, since their traffic and location data would be stored in one place, and create a tempting target for criminals. In the second panel on biometrics, the Swiss Privacy Commissioner Hanspeter Thur described the pilot biometric passports project Switzerland had launched that was ended because of the high privacy risks that are inherent in the central database of the biometric passports program. Speakers also discussed the lack of transparency and the absence of public debate that supra-national organizations and governments around the world showed when they introduced proposals for biometric passports.

In a resolution, a group of privacy commissioners called for effective safeguards to limit the risks inherent to biometrics. They sought to restrict the use of biometrics in passports and identity cards to verification purposes -- the biometric data in the document would be compared with the data provided by the holder when presenting the document -- thereby prohibiting any centralization of data. The privacy commissioners suggested that governments make a "strict distinction between biometric data collected and stored for public purposes," such as border patrol, "on the basis of legal obligations, and for contractual purposes on the basis of consent."

Declaration of Montreux (pdf):
http://www.edsb.ch/e/aktuell/konferenz/declaration-e.pdf

Resolution on Biometrics (pdf):
http://www.edsb.ch/e/aktuell/konferenz/biometrie-resolution-e.pdf

Privacy Conference 2005:
http://www.privacyconference2005.org/

"Strategies for International Privacy Protection - Issues, Actors, and Future Cooperation":
http://www.edri.org/panels

Privacy saved my life

Creative Commons License
This work is licensed under a Creative Commons license.