Incident: Sick Kids physician loses portable hard-drive with unencrypted personal health information

A physician from Sick Kids hospital who decided to travel with a portable hard-drive containing unencrypted health information on 3,300 patients lost the drive in Canada's busiest airport. This happened six weeks after the Information and Privacy Commissioner ordered that the hospital not allow electronic health information to leave the hospital unless it was encrypted. See: TheStar.com - living - Sick Kids doctor loses data on 3,300 patients.

US unveils more privacy-friendly no-fly list

Apparently the American government is about to implement its latest version of the no-fly list, without data mining using commercial sources. It looks a lot like the Canadian "Passenger Protect" program:

Even Bruce Schneier thinks it shows common sense.

Feds offer simpler flight screening plan on Yahoo! News

By MICHAEL J. SNIFFEN, Associated Press Writer

Thu Aug 9, 6:34 PM ET

The government proposed a new version of its airline passenger screening program Thursday, stripped of the data mining that aroused privacy concerns and led Congress to block earlier versions.

It's been three years since the Sept. 11 Commission recommended and Congress ordered that the government take over from the airlines the job of comparing passenger lists with watch lists of known terrorist suspects to keep them off flights. Even this new version of the Secure Flight program is open for public comment and will be tested this fall before it can be implemented fully in 2008.

The third version of the program, once known as CAPPS II, drew positive reviews from privacy advocates and members of Congress who had objected to more elaborate earlier versions. Congress enacted legislation blocking earlier plans to collect private commercial data — like credit card records or travel histories — about all domestic air travelers in an effort to predict which ones might be terrorists.

The new plan would require passengers to give their full name when they make their reservations — either in person, by phone or online. They also will be asked if they are willing to provide their date of birth and gender at that time to reduce the chance of false positive matches with names on the watch lists.

"Finally, this appears to have a coherent, narrow and rational focus," said James Dempsey of the Center for Democracy and Technology, a privacy advocacy group. "This is a vast improvement over what we've seen before."

Even Democrats in Congress were cautiously positive.

"They've been slow to admit that minimizing invasions and breaches of Americans' privacy is part of their job," said Senate Judiciary Committee Chairman Patrick Leahy, D-Vt. "We will evaluate these steps to see if they measure up."

House Homeland Security Chairman Bennie Thompson, D-Miss., said he hoped the administration would stay alert to privacy issues. "I am extremely disappointed it has taken three years and passage of several pieces of legislation to get us to step one."

Thompson added that he hoped it was a sign of foresight that the new plan was announced along with new screening arrangements for international travelers.

At a news conference at Reagan National Airport, Homeland Security Secretary Michael Chertoff also announced that starting six months from now airlines operating international flights will be required to send the government their passenger list data before the planes take off rather than afterward, as is now the case.

Earlier sharing of passenger information is designed to give U.S. authorities more time to identify terrorists like Richard Reid, who attempted to light a shoe bomb on a trans-Atlantic flight in December 2001, and keep them off planes.

"Now the airlines give us their manifests after the plane has left the ground and that is too late," Chertoff said.

The Homeland Security chief said he was unaware of any specific, credible threat against airlines. But based on recent car bomb attempts in Great Britain and public statements by terrorists, he repeated his view that "we are entering a period where the threat is somewhat heightened."

"Look at the history of al-Qaida," Chertoff said. "The airplane has been a consistent favorite target of theirs."

On the domestic side, transferring watch-list checks to Transportation Security Administration officers "should provide more security and more consistency, and thus reduce misidentifications" that have frustrated passengers, Chertoff said.

Existing screening has been widely ridiculed because people like Sen. Edward M. Kennedy, D-Mass., other members of Congress and even infants have been blocked from boarding or delayed because their names are similar to names on the lists.

Chertoff said the new domestic system will avoid activities envisioned earlier that raised privacy concerns.

"Secure Flight will not harm personal passenger privacy," Chertoff said. "It won't collect commercial data (about passengers). It will not assign risk scores and will not attempt to predict behaviors."

Such plans alarmed Congress so much that it barred implementing the program until it passed 10 tests to ensure privacy and accuracy. The Government Accountability Office, Congress' auditing arm, found the previous version failed almost all of them.

Currently, only a passenger's full name is required when reservations are made although date of birth and gender usually become known to transportation security officers later in the boarding process.

Transportation Security Administrator Kip Hawley said volunteering those two items earlier would reduce misidentifications in watch-list matching.

"With the full name, we can resolve 95 percent of the cases correctly. The date of birth adds 3.5 percent to that, and the gender adds another one percent," Hawley said.

Privacy advocates like Dempsey and Bruce Schneier, chief technology officer at the security company BT Counterpane, also were pleased with limits on how long most records will be kept. A check that produces no match — which will be the case for the vast majority of travelers — would be kept only seven days. A false positive match would be kept seven years. Confirmed matches would be kept 99 years.

"On the surface, it looks pretty good," Schneier said. "I'm cautiously optimistic. It's nice to see some common sense."

Transport minister responds to critical coverage of no-fly list

In the wake of some critical comments in recent news coverage, the Minister of Transportation has an op-ed piece in today's Chronicle Herald.

Nova Scotia News - TheChronicleHerald.ca

Program protects safety, respects rights

By LAWRENCE CANNON

In view of recent articles on the introduction of the Passenger Protect Program in Canada on Monday, I would like to clarify some issues.

I must stress, in particular, that Passenger Protect relates to individuals who may pose an immediate threat to aviation security. The program will enable government law-enforcement and security organizations, working with Transport Canada, to alert air carriers to individuals who may pose a threat to a flight, in order to prevent boarding and unlawful interference during the flight that could endanger the general public, passengers and crew.

Such an individual is identified under strict guidelines. It can be someone who is or has been involved in a terrorist group, for example, or an individual who has been convicted of one or more serious and life-threatening crimes against aviation security.

The government began consulting with industry on passenger assessment in May 2004. The program was developed to include the privacy rights provisions needed and in consultations with different groups of the civil society: airlines, airports, police, labour representatives as well as civil liberties and ethnocultural groups. We continue to work with the Office of the Privacy Commissioner.

In short, the program has benefited from parliamentary and public scrutiny, and is based on public law. This government also has as a priority the privacy concerns of Canadians. To this end, we must be clear: Canada’s program has learned lessons from countries all over the world with respect to watch lists, and has taken necessary precautions. This is why the Canadians Specified Persons List took three years of parliamentary consideration, and two years of policy development.

In addition, Transport Canada has established an Office of Reconsideration to permit individuals to challenge a denial-of-boarding decision in a non-judicial, efficient manner. The office will be able to assist individuals to clear up ID issues, and provide a mechanism for review of a case by persons independent of those who made the original decision.

To address terrorism, we must learn from past events, assess evolving threats, and initiate efficient and effective programs that protect public safety and respect the rights of Canadians. Passenger Protect does just that.

I invite readers to get more information on the website http://www.passengerprotect.gc.ca, or by phoning 1-800-O-Canada (1-800-622-6232), ATS: 1-800-926-9105.

Lawrence Cannon is Canada’s minister of transport, infrastructure and communities.

No-fly list has an apparently smooth takeoff

With the no-fly list coming online in the last twenty-four hours, I haven't heard of any instances of people being excluded from flying on the first day. It will be interesting to see how it all shakes out.

I spoke with Chris Lambie of the Chronicle Herald yesterday morning and he spent part of the afternoon at the airport seeing how it went on. Here's his article:

Smooth lift-off for no-fly list - TheChronicleHerald.ca

Airline passengers seemed keen on heightened security

By CHRIS LAMBIE Staff Reporter

The federal no-fly list caused no problems Monday at Halifax Stanfield International Airport.

Passengers seemed keen on the idea of a list meant to screen out anyone who poses a potential threat to aviation security.

"As long as my name’s not on it, I’m happy," Mike Moir said as he waited for a flight back to Ontario.

"If the people are bad, I don’t want them on my plane."

The 67-year-old Hamilton, Ont., man was in Nova Scotia to work as an official for last weekend’s national canoe team trials on Lake Banook in Dartmouth.

The only dilemma he can see with the scheme to flag potentially dangerous flyers is if an innocent person has the same name as someone on the list.

"How many Smiths are there in the world?" Mr. Moir said. "If they just pick everybody with the same name, it could be a problem."

Still, he thinks the list is a necessity.

"With all the terrorism going on in this world nowadays, it’s a good measure."

Dawson Wentzell and his wife, Bethany, were waiting with their toy poodle, Bailey, to board a plane for Edmonton.

The list could prompt lawsuits against the federal government if people lose money because they couldn’t board flights due to name mix-ups, Ms. Wentzell said.

"If someone is delayed from work and this is the reason why, someone is going to get sued," she said.

They didn’t even think about the new security measure before checking in for their flight to Nova Scotia.

"We got up at 5 a.m. and believe me my mind wasn’t on lists," she said.

The couple from Daniel’s Harbour, N.L., wasn’t on the no-fly list and neither was their dog.

"God help us if he was," Ms. Wentzell said. "We’d really be in trouble then."

The no-fly list didn’t cause any problems at the facility, said airport spokesman Peter Spurway.

"If you didn’t know it was on, you wouldn’t know it was on," he said. "It has not made a single impact on our operations today or the operations of our partners in the airline business. I checked around a couple of times and it’s just been chugging along."

But David Fraser, a privacy lawyer in Halifax, won’t be surprised to hear from clients who suddenly discover their names are on the no-fly list.

"We’re likely to hear people are going to have some difficulty in Canada simply because of the way that these sorts of lists have to be structured in order to catch or include in them people with non-English or French names that have to be transliterated or made into English equivalents, and some of them can be common names," Mr. Fraser said. "So there’s probably a fair amount of wiggle room in the way that they match against peoples’ names."

The Specified Persons List, announced last fall, includes the name, birth date and gender of anyone who might pose an immediate threat to aviation security. Airlines that fly into and out of Canada must check the names of their passengers against the list.

"There’s really the opportunity that a whole bunch of people who aren’t actually on the list, just people who have similar names and similar birthdates and other identifying characteristics (as those) on the list," Mr. Fraser said.

"I think that there’s a good chance that people will be not allowed to fly based on that sort of confusion."

Travellers only find out their name is on the list when they try to check in and get a boarding card.

"Vacation plans can be ruined," Mr. Fraser said. "There’s no real accountability at that end for the real sort of negative impact that inclusion on this list might have."

Ottawa has refused to release the number of people on the list.

"There’s always a very delicate balance when you’re dealing with national security issues, Mr. Fraser said. "It’s a delicate balance between openness and necessary secrecy. I think the whole process needs to be done in sunlight.

"Everything related to the process of the inclusion criteria and how it’s actually applied and recourse that individuals might have to get off the list really needs to be completely open and transparent and subject to significant scrutiny.

"We are talking about a potential infringement on an individual’s constitutional right to travel within Canada and also the right to leave Canada. It’s right there in the charter that you have those rights. And many of those rights, in a country as large as Canada, can only be exercised by air travel."

Imam Jamal Badawi, professor emeritus of religious studies at Saint Mary’s University, said Muslims, including himself, often have problems flying in the United States, where a similar list is already in place.

"I’ve heard of many horror stories where a child, for example, five years old, they say, ‘No, his name matches the potential terrorist to look for,’ and still they have to go through the clearance (process)," Mr. Badawi said.

The Canadian Council on American-Islamic Relations has called on Ottawa to scrap the no-fly list until it fixes fundamental flaws in the program.

"Some people suspect that the lists made here in Canada may not totally be homegrown," Mr. Badawi said. "It’s quite possible also that, because of the co-operation between the intelligence agencies in both countries, that some of the names on the watch list in the U.S. might end up here on our lists in Canada."

That could make some Canadian Muslims reluctant to fly, he said.

"It’s part of the very unfortunate trend in the post 9-11 era that, in the name of security, there is a great deal of encroachment on privacy, a great deal of encroachment on civil liberties," Mr. Badawi said.

He doubts the list will make flying safer.

"Anybody intent on wrongdoing, they probably will find some other way of carrying out their plans," Mr. Badawi said. "But even if there is some slight improvement in security, what is the price? The worst scenario, really, is that democratic countries would move toward totalitarian regimes in the name of security."

Privacy Commissioner subpoenaed to appear before Air India Inquiry

This is a bit odd. Jennifer Stoddart has been ordered to appear before the Air India Inquiry. Apparently she had informed the Commission of Inquiry that she had nothing further to say but subsequently gave a media interview that was critical of the Government's no-fly list.

It all sounds a little snarky:

Privacy chief called on carpet over no-fly list

Air India inquiry head John Major has ordered Canada's privacy commissioner to appear before him after she publicly criticized a no-fly list being implemented next week.

Mr. Major said yesterday that his Ottawa inquiry was earlier informed by the office of Jennifer Stoddart that she had nothing more to say related to the mandate of his commission into the June 23, 1985, Air India bombing and subsequent investigation.

But Mr. Major said Ms. Stoddart then gave a "free-wheeling" media interview in which she commented on testimony at the inquiry last week about the introduction on June 18 of a Canadian no-fly list.

Mr. Major said Ms. Stoddart should have made her comments in evidence at the Air India inquiry and not to a reporter. He issued a subpoena for her to appear today.

A lawyer for Ms. Stoddart responded by telling inquiry counsel later yesterday that the privacy commissioner would be happy to appear "willingly" but is on her way to Beijing.

An appearance date is expected to be determined this afternoon.

Ms. Stoddart's views on the controversial no-fly list appeared on June 8.

She said the list could become "quite a nightmare" for ordinary Canadians.

"Every time we go to the airport, do we expect to be challenged? That may be the new world," she said.

Ms. Stoddart also said she was surprised when an Transport Canada official testified before Mr. Major that the list could end up in the hands of foreign governments if their state-owned airlines pass it on to them.

"The commission could have benefited in preparing recommendations on air security from hearing from informed points of view with respect to that," she said.

Mr. Major said of Ms. Stoddart's comments: "She apparently had no hesitation in giving information to the public and the press that should have properly been given to this commission when the opportunity presented itself."

Mr. Major has expressed impatience several times during the inquiry when agencies or companies have expressed reluctance or declined entirely to testify.

He said yesterday that some people do not understand what a royal commission is and that he has the power to compel their testimony.

As for the subpoena for Ms. Stoddart, Mr. Major said: "This should not cause her much inconvenience as she appeared to have no difficulty last Friday in expressing publicly those thoughts to the press."

FRONTLINE: Spying on the home front

Update: The video of the full show is available online: http://www.pbs.org/wgbh/pages/frontline/homefront/view/.

Check out tonight's Frontline on PBS:

FRONTLINE: coming soon: spying on the home front PBS

Spying on the Home Front
coming May. 15, 2007 at 9pm (check local listings)

(60 minutes) FRONTLINE addresses an issue of major consequence for all Americans: Is the Bush administration's domestic war on terrorism jeopardizing our civil liberties? Reporter Hedrick Smith presents new material on how the National Security Agency's domestic surveillance program works and examines clashing viewpoints on whether the president has violated the Foreign Intelligence Surveillance Act (FISA) and infringed on constitutional protections. In another dramatic story, the program shows how the FBI vacuumed up records on 250,000 ordinary Americans who chose Las Vegas as the destination for their Christmas-New Year's holiday, and the subsequent revelation that the FBI has misused National Security Letters to gather information. Probing such projects as Total Information Awareness, and its little known successors, Smith discloses that even former government intelligence officials now worry that the combination of new security threats, advances in communications technologies, and radical interpretations of presidential authority may be threatening the privacy of Americans. (read the press release)

PRESS RELEASE

"So many people in America think this does not affect them. They've been convinced that these programs are only targeted at suspected terrorists. ... I think that's wrong. ... Our programs are not perfect, and it is inevitable that totally innocent Americans are going to be affected by these programs," former CIA senior attorney Suzanne Spaulding tells FRONTLINE correspondent Hedrick Smith in Spying on the Home Front, airing Tuesday, May 15, 2007, at 9 P.M. ET on PBS (check local listings) and available for viewing after broadcast at www.pbs.org/frontline.

9/11 has indelibly altered America in ways that people are now starting to earnestly question: not only perpetual orange alerts, barricades and body frisks at the airport, but greater government scrutiny of people's records and electronic surveillance of their communications. The watershed, officials tell FRONTLINE, was the government's shift after 9/11 to a strategy of pre-emption at home--not just prosecuting terrorists for breaking the law, but trying to find and stop them before they strike.

President Bush described his anti-terrorist measures as narrow and targeted, but a FRONTLINE investigation has found that the National Security Agency (NSA) has engaged in wiretapping and sifting Internet communications of millions of Americans: The FBI conducted a data sweep on 250,000 Las Vegas vacationers, and along with more than 50 other agencies, they are mining commercial-sector data banks to an unprecedented degree, and they have even been assigning suspicion ratings to anyone who travels across a U.S. border.

Even government officials with experience since 9/11 are nagged by anxiety about the jeopardy that a war without end against unseen terrorists poses to our way of life, our personal freedoms. "I always said, when I was in my position running counterterrorism operations for the FBI, `How much security do you want, and how many rights do you want to give up?'" Larry Mefford, former assistant FBI director, tells correspondent Smith. "I can give you more security, but I've got to take away some rights. ... Personally, I want to live in a country where you have a common-sense, fair balance, because I'm worried about people that are untrained, unsupervised, doing things with good intentions but, at the end of the day, harm our liberties."

Although the president told the nation that his NSA eavesdropping program was limited to known Al Qaeda agents or supporters abroad making calls into the U.S., comments of other administration officials and intelligence veterans indicate that the NSA cast its net far more widely. AT&T technician Mark Klein inadvertently discovered that the whole flow of Internet traffic in several AT&T operations centers was being regularly diverted to the NSA, a charge indirectly substantiated by John Yoo, the Justice Department lawyer who wrote the official legal memos legitimizing the president's warrantless wiretapping program. Yoo told FRONTLINE: "The government needs to have access to international communications so that it can try to find communications that are coming into the country where Al Qaeda's trying to send messages to cell members in the country. In order to do that, it does have to have access to communication networks."

Spying on the Home Front also looks at a massive FBI data sweep in December 2003. On a tip that Al Qaeda "might have an interest in Las Vegas" around New Year's 2004, the FBI demanded records from all hotels, airlines, rental car agencies, casinos and other businesses on every person who visited Las Vegas in the run-up to the holiday. Stephen Sprouse and Kristin Douglas of Kansas City, Missouri, object to being caught in the FBI dragnet in Las Vegas just because they happened to get married there at the wrong moment. Says Douglas, "I'm sure that the government does a lot of things that I don't know about, and I've always been OK with that--until I found out that I was included."

A check of all 250,000 Las Vegas visitors against terrorist watch lists turned up no known terrorist suspects or associates of suspects. The FBI told FRONTLINE that the records had been kept for more than two years, but have now all been destroyed.

"To simply say, you know, `as a matter of national security we need to know the name of every single person checking into your hotel at any given moment,'" says Alan Feldman, vice president of MGM Mirage, "that seems extremely unusual and, I think, extremely troubling."

In the broad reach of NSA eavesdropping, the massive FBI data sweep in Las Vegas, access to records gathered by private database companies that allows government agencies to avoid the limitations provided by the Privacy Act, and nearly 200 other government data-mining programs identified by the Government Accounting Office, experienced national security officials and government attorneys see a troubling and potentially dangerous collision between the strategy of pre-emption and the Fourth Amendment's protections against unreasonable search and seizure.

Peter Swire, a law professor and former White House privacy adviser to President Clinton, tells FRONTLINE that since 9/11 the government has been moving away from the traditional legal standard of investigations based on individual suspicion to generalized suspicion. The new standard, Swire says, is: "Check everybody. Everybody is a suspect."

Spying on the Home Front is a FRONTLINE co-production with Hedrick Smith Productions, Inc. Hedrick Smith is correspondent and senior producer. The program is produced and directed by Rick Young. FRONTLINE is produced by WGBH Boston and is broadcast nationwide on PBS. Funding for FRONTLINE is provided through the support of PBS viewers. Additional funding for FRONTLINE is provided by The Park Foundation. Additional funding for Spying on the Home Front is provided by The JEHT Foundation. FRONTLINE is closed-captioned for deaf and hard-of-hearing viewers and described for people who are blind or visually impaired by the Media Access Group at WGBH. FRONTLINE is a registered trademark of WGBH Educational Foundation. The FRONTLINE executive producer for special projects for is Michael Sullivan. The executive producer for FRONTLINE is David Fanning.

Canada's No-fly list takes to the skies

Canada's new no-fly list is ready to take off:

CNW Group

Air security strengthened - Passenger Protect ready to take flight

OTTAWA, May 11 /CNW Telbec/ - The Honourable Lawrence Cannon, Minister of
Transport, Infrastructure and Communities, together with the Honourable
Stockwell Day, Minister of Public Safety, today announced new regulations that
will strengthen air passenger security screening. Once implemented, new
measures under a program known as Passenger Protect will prevent persons who
pose an immediate threat to aviation security from boarding a commercial
aircraft.

This made-in-Canada program was developed to provide an additional layer
of security for the aviation system and to enhance public safety in a way that
complies with the Canadian Charter of Rights and Freedoms and federal privacy
legislation.

"Canadians want to fly secure, and Passenger Protect is a significant
step forward. We must remember that Canada is not immune to the threat of
terrorism and we must remain vigilant," said Minister Cannon. "Passenger
Protect will not only make Canada's aviation system more secure, it will also
help keep the world's skies safe by reaching beyond Canadian borders to screen
everyone getting on a flight to Canada."

Under the new program, the Government of Canada is maintaining a list of
specified persons who may pose an immediate threat to aviation security should
they attempt to board a flight. Air carriers will be able to screen passengers
against the specified persons list through a secure online system. If the air
carrier identifies a person as a possible match with an entry on the list, the
air carrier will contact Transport Canada to confirm the passenger's identity,
and obtain a decision whether or not to allow him or her to board the flight.
"Canada has one of the best aviation systems in the world and is always
looking for ways to increase the safety and security of the travelling
public,"said Minister Day.

The Government of Canada has held discussions with airlines, airports,
and labour representatives, as well as civil liberties and ethno-cultural
groups in developing Passenger Protect, to create a program that enhances
security, respects the needs and realities of the aviation industry and
protects the rights of Canadians. As part of the consultations, Transport
Canada has established a reconsideration process to provide a non-judicial,
efficient way for any members of the public who have been denied boarding to
have their cases reviewed by persons independent of those who made the
original recommendation.

Transport Canada has worked closely with the Office of the Privacy
Commissioner in order to further strengthen the privacy provisions of the
program. Implementation for flights within Canada and international flights to
and from Canada will begin on June 18, 2007.

As of this date, new Identity Screening Regulations will require air
passengers within Canada who appear to be 12 years of age or older to present
one piece of government-issued photo identification (ID) that shows name, date
of birth and gender or two pieces of government-issued ID - one of which shows
name, date of birth and gender - before boarding an aircraft. The boarding
pass provided by the air carrier must match the name on the ID.

Canadians will not need a passport for travel within Canada but rather
can present a range of government-issued ID to the air carriers including a
health card, a birth certificate, a driver's licence and a social insurance
card. Current requirements for international travel will remain in place.
This practice is consistent with procedures currently in use by most
major airlines, and will allow the air carrier and Transport Canada to confirm
the identity of a passenger who is a possible match with an entry on the
specified persons list.

These proposed regulations were first published in the Canada Gazette,
Part I on October 28, 2006, after which a 75-day period followed to enable
interested parties and the public to provide comments.

The final regulations will be published in the Canada Gazette, Part II on
May 16, 2007.

A backgrounder with more information on the Passenger Protect program and
the new Identity Screening Regulations is attached.

<<
-------------------------------------------------------------------------

BACKGROUNDER

-------------------------------------------------------------------------

PASSENGER PROTECT PROGRAM

-------------------------

The Government of Canada began consulting with industry on passenger
assessment in May 2004, and expanded consultations on a program proposal for
Passenger Protect in the summer of 2005. Consultations with air carriers,
airports, labour representatives, civil liberties and ethno-cultural groups as
well as the Office of the Privacy Commissioner were essential to the
successful design and implementation of a program that enhances security,
respects the needs and realities of the aviation industry, and ensures that
the privacy and human rights of Canadians are protected.

The Passenger Protect program adds another layer of security to Canada's
aviation system to help address potential threats. Terrorist groups continue
to target civil aviation, and seek means to defeat existing safeguards and
measures.

Under the program, the Government of Canada is maintaining a list with the
name, date of birth and gender of each specified person that will be provided
to airlines in secure form. The airlines will compare the names of individuals
intending to board flights with the names on the specified persons list, and
will verify with the individual's government-issued identification when there
is a name match. Identification will be verified in person at the airport
check-in counter. When the airline verifies that an individual matches in
name, date of birth and gender with someone on the list, the airline will be
required to inform Transport Canada.

A Transport Canada officer will be on duty 24 hours a day, every day, to
receive calls from airlines when they have a potential match with a specified
person on the list. Transport Canada will verify information with the airline,
confirm whether the individual poses an immediate threat to aviation security
and inform the airline, if required, that the individual is not permitted to
board the flight. The Royal Canadian Mounted Police (RCMP) would be notified
immediately in the event of a match, and police of jurisdiction at the airport
would be informed and take action as required.

The Passenger Protect program will be implemented for Canadian domestic
flights and international flights to and from Canada on June 18, 2007.
Creating the Specified Persons List

The Minister of Transport, Infrastructure and Communities has the
authority under the Aeronautics Act, to specify an individual who is a threat
to aviation security and to require airlines to provide information about the
specified person.

A Transport Canada-led Advisory Group will assess individuals on a
case-by-case basis using information provided by the Canadian Security
Intelligence Service and the RCMP, and will make recommendations to the
Minister of Transport, Infrastructure and Communities concerning their
designation as specified persons or the removal of that designation. The
Advisory Group includes a senior officer from the Canadian Security
Intelligence Service and a senior officer from the RCMP (as advised by the
Department of Justice), with input from representatives from other Canadian
government departments and agencies.

Individuals are added to the specified persons list based on their
actions, which lead to a determination that they may pose an immediate threat
to aviation security, should they attempt to board an aircraft. Guidelines in
making that determination are focused on aviation security, and may include:

• an individual who is or has been involved in a terrorist group, and
  who, it can reasonably be suspected, will endanger the security of any
  aircraft or aerodrome or the safety of the public, passengers or crew
  members;
  
• an individual who has been convicted of one or more serious and
  life-threatening crimes against aviation security; and
  
• an individual who has been convicted of one or more serious and
  life-threatening offences and who may attack or harm an air carrier,
  passengers or crew members.

Identity Screening Regulations

As of June 18th 2007, new Identity Screening Regulations will require
airlines to screen each person's name against the specified persons list
before issuing a boarding pass, for any person who appears to be 12 years of
age or older. The regulations take into account the various ways in which the
boarding pass may be obtained: at a kiosk, through the Internet, or at an
airport check-in counter.

Where there is check-in via Internet or kiosks, airlines will not allow
printing of the boarding pass when there is a name match with the specified
persons list. Passengers refused a boarding pass at a kiosk or through the
Internet will be directed to the airline agent for in-person verification of
government-issued identification (ID). ID verification will determine whether
the name, date of birth and gender match those of a listed person.

The regulations also require air carriers to screen individuals at the
boarding gate by comparing the name on government-issued ID with the name on
the boarding pass. If the name on the ID is not the same as the name on the
boarding pass, the air carrier will be required to check the name on the ID
against the list.

Transport Canada will work with air carriers to provide training for
agents and staff who will be involved in implementing the ID verification
requirement, and establish procedures that respect the rights of passengers.

The ID requirement under the Passenger Protect program is for one piece of
valid government-issued photo ID that shows name, date of birth and gender,
such as a driver's licence or a passport, or two pieces of valid
government-issued ID, at least one of which shows name, date of birth and
gender, such as a birth certificate. The verification of passengers' ID is
already a practice followed by most major air carriers in Canada.

The regulations will be published in the Canada Gazette, Part II on
May 16, 2007.

Reconsideration and Appeals

The Passenger Protect program also includes a reconsideration process for
individuals who wish to contest the denial of boarding. An individual who has
been denied boarding under the Passenger Protect program will be able to apply
to Transport Canada's Office of Reconsideration (OOR), which may arrange for
an independent assessment of the case and make a recommendation. The goal is
to provide a non-judicial, efficient mechanism for any member of the public to
have their case reviewed by persons independent of those who made the original
recommendation to the Minister. Individuals have the further option of making
application to Federal Court for judicial review.
Privacy and Human Rights

The protection of privacy and human rights is a core element of the
Passenger Protect program. In developing the program, Transport Canada worked
with stakeholders and consulted with civil liberties and ethno-cultural
groups, and the Office of the Privacy Commissioner on privacy aspects.

A summary of the Privacy Impact Assessment conducted on the Passenger
Protect program is available on the Transport Canada website at
www.tc.gc.ca/vigilance/sep/passenger_protect/executive_summary/menu.htm.
In addition, the Office of the Privacy Commissioner of Canada posed a
series of questions to Transport Canada about the Passenger Protect program in
August 2005. The questions and the answers shed light on the privacy
protection features of the program and are available on the Web at
www.tc.gc.ca/vigilance/sep/passenger_protect/Q&A/menu.htm.

More details on the Passenger Protect program and the new Identity
Screening Regulations are available on Transport Canada's website at
www.tc.gc.ca/vigilance/sep/passenger_protect/menu.htm.

May 2007

Privacy fears delay UK airport fingerprint biometrics

According to Information Age, privacy concerns have at least delayed the implementation of fingerprint biometrics at Heathrow's new Terminal 5 (For some background, see: Canadian Privacy Law Blog: A small step for biometrics; a giant leap for the UK surveillance state). See: Privacy fears delay Terminal 5 fingerprint biometrics | Information Age.

A small step for biometrics; a giant leap for the UK surveillance state

Passengers flying through Heathrow Airport, Terminal 5, will be photographed and fingerprinted twice before being permitted to board domestic flights. The British Airport Authority, which runs the new terminal through which all British Airways passengers will travel say this measure is "necessary to prevent criminals, terrorists and illegal immigrants trying to bypass border controls."

The only reason why this may be necessary is that the design of the new terminal permits international and domestic passengers to mingle in the secure area. Theoretically, transiting international passengers would be able to swap boarding passes with a domestic passenger circumventing border controls. On balance, it just makes sense to ramp up the big brother factor if it means the BAA doesn't have to follow the non-intrusive but universal designs used by every other airport I have ever been through.

The BAA also says the fingerprints will be discarded after 24 hours, unless -- of course -- they are of interest to the police. See: Heathrow airport first to fingerprint - Telegraph. Via the ever vigilant Boing Boing: Heathrow Terminal 5 to fingerprint domestic passengers - Boing Boing.

Schneier on Security vs. Privacy

Here's a really great read from Bruce Schneier:

Schneier on Security: Security vs. Privacy

If there's a debate that sums up post-9/11 politics, it's security versus privacy. Which is more important? How much privacy are you willing to give up for security? Can we even afford privacy in this age of insecurity? Security versus privacy: It's the battle of the century, or at least its first decade.

In a Jan. 21 New Yorker article, Director of National Intelligence Michael McConnell discusses a proposed plan to monitor all -- that's right, all -- internet communications for security purposes, an idea so extreme that the word "Orwellian" feels too mild.

The article (now online here) contains this passage:

In order for cyberspace to be policed, internet activity will have to be closely monitored. Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the authority to examine the content of any e-mail, file transfer or Web search. "Google has records that could help in a cyber-investigation," he said. Giorgio warned me, "We have a saying in this business: 'Privacy and security are a zero-sum game.'"

I'm sure they have that saying in their business. And it's precisely why, when people in their business are in charge of government, it becomes a police state. If privacy and security really were a zero-sum game, we would have seen mass immigration into the former East Germany and modern-day China. While it's true that police states like those have less street crime, no one argues that their citizens are fundamentally more secure.

We've been told we have to trade off security and privacy so often -- in debates on security versus privacy, writing contests, polls, reasoned essays and political rhetoric -- that most of us don't even question the fundamental dichotomy.

But it's a false one.

Security and privacy are not opposite ends of a seesaw; you don't have to accept less of one to get more of the other. Think of a door lock, a burglar alarm and a tall fence. Think of guns, anti-counterfeiting measures on currency and that dumb liquid ban at airports. Security affects privacy only when it's based on identity, and there are limitations to that sort of approach.

Since 9/11, approximately three things have potentially improved airline security: reinforcing the cockpit doors, passengers realizing they have to fight back and -- possibly -- sky marshals. Everything else -- all the security measures that affect privacy -- is just security theater and a waste of effort.

By the same token, many of the anti-privacy "security" measures we're seeing -- national ID cards, warrantless eavesdropping, massive data mining and so on -- do little to improve, and in some cases harm, security. And government claims of their success are either wrong, or against fake threats.

The debate isn't security versus privacy. It's liberty versus control.

You can see it in comments by government officials: "Privacy no longer can mean anonymity," says Donald Kerr, principal deputy director of national intelligence. "Instead, it should mean that government and businesses properly safeguard people's private communications and financial information." Did you catch that? You're expected to give up control of your privacy to others, who -- presumably -- get to decide how much of it you deserve. That's what loss of liberty looks like.

It should be no surprise that people choose security over privacy: 51 to 29 percent in a recent poll. Even if you don't subscribe to Maslow's hierarchy of needs, it's obvious that security is more important. Security is vital to survival, not just of people but of every living thing. Privacy is unique to humans, but it's a social need. It's vital to personal dignity, to family life, to society -- to what makes us uniquely human -- but not to survival.

If you set up the false dichotomy, of course people will choose security over privacy -- especially if you scare them first. But it's still a false dichotomy. There is no security without privacy. And liberty requires both security and privacy. The famous quote attributed to Benjamin Franklin reads: "Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety." It's also true that those who would give up privacy for security are likely to end up with neither.

This essay originally appeared on Wired.com

X-ray cameras 'see through clothes'

I just checked my calendar to see if I accidentally slept in and woke up on April 1. According to Yahoo News, the British government is considering taking all encompassing surveillance to the next level by installing cameras in public places that can see through clothes. According to a memo obtained by the Sun, the measure will make the detection of weapons and explosives easier.

X-ray cameras 'see through clothes' - Yahoo! News UK:

However, officials acknowledged that it would be highly controversial as the cameras can "see" through clothing.

"The social acceptability of routine intrusive detection measures and the operational response required in the event of an alarm are likely to be limiting factors," the memo warned.

"Privacy is an issue because the machines see through clothing."

The Sun reported that the memo, dated January 17, was drawn up by the Home Office for the Prime Minister's working group on security crime and justice.

It noted that some technologies used for airport security had already been used in police operations searching for drugs and weapons in nightclubs.

"These and other could be developed for a much more widespread use in public places," it said.

"Street furniture could routinely house detection systems that would indicate the likely presence of a gun for example."

A Home Office spokeswoman said: "We don't comment on leaked documents".

More info on the Canadian "no fly list"

CanWest News Service is running a very interesting feature-length report on the upcoming Canadian "no fly" list. Read the entire article ...

Canadian airline passengers will be kept under close scrutiny

Canadian airline passengers will be kept under close scrutiny

Don Butler

CanWest News Service

Tuesday, January 23, 2007

OTTAWA - The RCMP and the Canadian Security Information Service will be able to examine up to 34 pieces of information about everyone who flies in Canada under a comprehensive passenger screening program being developed by Public Safety and Emergency Preparedness Canada.

Among other things, the program will require airlines to gather and share the full legal name, date of birth, citizenship or nationality and gender of all passengers - information they don't currently collect for domestic flights.

The new program will affect about 90 million passenger trips a year, two-thirds of which are purely domestic.

The program is authorized under Section 4.82 of the Aeronautics Act, which gives CSIS and the RCMP the right to receive and analyse Advance Passenger Information (API) and Passenger Name Record (PNR) data from air carriers and operators of aviation reservation systems without a warrant.

API data is collected at check-in and include name, date of birth, gender, citizenship or nationality and travel document information. PNR data is collected at the time of booking and includes information relating to a traveller's reservation and itinerary.

Section 4.82, added to the Aeronautics Act in 2004 when the Public Safety Act was passed but not yet in force, also authorizes CSIS and the RCMP to match passenger information against any other data under their control.

The Section 4.82 program ''is envisioned as the next step'' in a two-pronged strategy to use airline passenger information to combat terrorist threats, said Philip McLinton, a spokesman for Public Safety and Emergency Preparedness Canada.

The first step - Canada's new no-fly list - will be introduced in March for domestic flights and in June for international flights.

McLinton said it's ''impossible to speculate how 4.82 would impact the no-fly list. It's just too early to say.''

Since 2002, airlines flying to Canada from abroad have had to provide API and PNR data to the Canadian Border Services Agency, which analyses and risk-scores it to identify passengers who require further review on arrival in Canada. The agency doesn't get the information until flights have departed for Canada.

Under the Section 4.82 program, the collection and analysis of passenger information will dramatically expand. Airlines and operators of reservation systems will have to send passenger information to the RCMP and CSIS for all domestic and international flights. And they'll have to do so before flights depart.

The no-fly program, known as Passenger Protect, obliges airlines to vet the names of passengers against the no-fly list and notify Transport Canada is there is a match. That responsibility will shift to the RCMP and CSIS under the Section 4.82 program.

...

Section 4.82 also authorizes CSIS and the RCMP to disclose passenger information to other organizations or individuals to promote public safety. They include the minister of Transport, the Canadian Air Transport Security Authority, air carriers, airport operators and police officers.

...

It is unclear how, or even whether, the passenger information gathered under the Section 4.82 program would be shared with the U.S. and other allies.

The feasibility study cites two issues with the PNR data that would be collected and shared under the section 4.82 program.

...

Another issue is passenger information that is currently not collected during the reservation process, but is essential for the new Section 4.82 program to operate effectively.

Most important is full name, date of birth and gender, which the study says is ''widely viewed as the core set of information required'' to match existing law enforcement records. That information is not currently collected for domestic passengers, so regulations may be needed to make provision of that information mandatory.

''For domestic flights, if the government regulates a requirement for passengers to provide full name, date of birth and gender, the air carriers' view is that passengers would comply, and that air carriers would provide this data,'' the feasibility study says.

To avoid causing delays to the travelling public, the study also says swift and timely information flow is required that can take account of last-minute changes such as no-shows.

...

Ottawa Citizen

Here's the list of 34 pieces of information to be collected by airlines on everyone who travels on domestic or international flights flying in or out of Canada:

1. Surname, first name and initial or initials.

2. Date of birth.

3. Citizenship or nationality or, if not known, the country that issued the travel documents for the person's flight.

4. Gender.

5. Passport number and, if applicable, visa number or residency document number.

6. The date on which passenger name was first recorded with airline.

7. If applicable, a notation the person arrived at the departure gate with a ticket but without a reservation for the flight.

8. If applicable, the names of the travel agency and travel agent who made the person's travel arrangements.

9. Date airline ticket was issued.

10. If applicable, a notation the person exchanged their ticket for another flight.

11. The date, if any, by which a ticket for a flight had to be paid to avoid cancellation of the reservation; or the date, if any, on which the request for a reservation was activated by the air carrier or travel agency.

12. Airline ticket number.

13. Whether the flight is a one way.

14. If applicable, a notation the person's ticket for the flight is valid for one year and is issued for travel between specified points with no dates.

15. The city or country where the flight begins.

16. All points where a passenger will embark or disembark.

17. The name of airline.

18. The names of all airlines to be used on trip.

19. The aircraft operator's code and flight ID number.

20. The person's destination.

21. The travel date for the person's flight.

22. Any seat assignment on the person's flight selected for the person before departure.

23. Number of pieces of baggage checked by the person.

24. The baggage tag numbers

25. Class of service (first class, business class, economy).

26. Any specific seat request.

27. The passenger name record number.

28. Phone numbers of the person and, if applicable, of the travel agency that made the arrangements.

29. Passenger's address and, if applicable, that of the travel agency.

30. How the passenger paid for the ticket.

31. If applicable, a notation the ticket was paid for by another person

32. If applicable, a notation there are gaps in the passenger's itinerary that necessitate travel by an undetermined method.

33. Departure and arrival points, codes of the aircraft operators, stops and surface segments.

34. If applicable, a notation the ticket is in electronic form and stored in an aviation reservation system.

The state has no business in the bathroom stalls of the nation

The ACLU in the US is supporting Senator Craig's withdrawal of his guilty plea, arguing that there is a reasonable expectation of privacy for those who are (or are not) having sex in bathroom stalls. See:

ACLU: Sex in restroom stalls is private - Yahoo! News

ST. PAUL, Minn. - In an effort to help Sen. Larry Craig, the American Civil Liberties Union is arguing that people who have sex in public bathrooms have an expectation of privacy.

Craig, of Idaho, is asking the Minnesota Court of Appeals to let him withdraw his guilty plea to disorderly conduct stemming from a bathroom sex sting at the Minneapolis airport.

The ACLU filed a brief Tuesday supporting Craig. It cited a Minnesota Supreme Court ruling 38 years ago that found that people who have sex in closed stalls in public restrooms "have a reasonable expectation of privacy."

That means the state cannot prove Craig was inviting an undercover officer to have sex in public, the ACLU wrote.

The Republican senator was arrested June 11 by an undercover officer who said Craig tapped his feet and swiped his hand under a stall divider in a way that signaled he wanted sex. Craig has denied that, saying his actions were misconstrued....

If you touch personal information, act like a privacy officer

Thanks to David Canton for leading me to this interesting article from IT Business. It discusses the recent breach in which unencrypted health information on a portable hard drive was lost in Toronto's airport. Looking at the issue from a practical angle, it concludes that all employees who touch personal information have to take responsibility for it.

IT Business: Everyone's a CPO: Why privacy needs to spread across every line of business

...Departmental executives need to do a couple of things. First, they need to perform an inventory on the devices they personally own but which may be used for work. What level of security is already in place and what might need to be upgraded? Are there technologies that could be added to help easily recover a device if it goes missing for some reason? Are there organization-wide guidelines or procedures with which personal devices need to comply before they can be used for work purposes? This is where a dialogue with IT should probably begin, and it may lead some IT managers to reject requests that such devices be able to access a corporate network.

A potentially bigger challenge will be for line of business executives to think in "big picture" terms of what kind of data they are managing, and what kind of responsibilities they have towards protecting the privacy of that information. We usually tackle these cases by looking at what kind of safeguards IT departments or senior management could have put in place from the beginning. As time goes on, the focus will be much more on what individual employees are doing to bolster those safeguards. No one is merely a VP of marketing, finance or HR anymore. If you touch customer or employee data in any way, shape or form, you're a chief privacy officer, too.