Wednesday, December 23, 2009

Philippine Supreme Court Wrestles With RFID for DMV

A public transport group has asked the Supreme Court sday to nullify the Land Transportation Office’s radio frequency identification system for being unconstitutional.


Tuesday, December 22, 2009

'' says 'trust us' with your medical records, personal contacts, insurance and exact physical location data

If you wonder how a private firm like Docvia can afford to intake, store, document, disburse, update and protect your medical history, personal emergency contacts, health insurance records and more for only $5. per year, don't. It doesn't really happen like that., or "iB" as the firm likes to call it, appears to have a profit model entirely different than they would have you believe from their very government-looking website. In press releases accommodatingly picked up verbatim by the AP, the Company appears benevolently intervening to assist the American Ambulance Association, among others, with the capability to virtually diagnose your medical problems, call your wife, text your kids and probably take out the trash, all while you are on the way to the hospital, in the capable hands of a paramedic to whom you have granted all this data.

The magic pill to perform this miracle is iB's online storage of your information, and its provision of documents to carry in your wallet to prove it. All for $5. per year.

Or not.

If you want to opt out, "[iB] stores all electronic communications...your health information, contact information and financial information for a period of at least ten years."

"Locator information is your name, electronic mailing address, physical address, and/or other data that allows someone to identify you."

"Docvia and your internet service provider (ISP) may use locator information as is necessary to enforce any of the terms of the Docvia Terms of Use."

"Docvia works with many business partners in making the iB service available to consumers."
"Certain features of the iB service may be used in conjunction with other Docvia products, and those features may share information..."

"Docvia may assign a Member's rights under the program with or without notice to such member."

"Aggregate information may be provided or sold to third parties."

Docvia and iB appear to be just another firm masquerading as a public service provider in an effort to gain valuable data under misleading marketing practices. This practice has itself come to be known as noncompetitive privacy policy.

Noncompetitive privacy policy is demonstrated whenever a company gathers valuable information from customers, for resale, without acknowledging the value gained, and obtaining the data under misleading circumstances.

Insurance companies and their investigators are certainly salivating to become 'partners' according to Docvia's privacy policy. This would allow them to track you using your IP address, mobile phone, and the mobile phones and contact numbers of those in your emergency contact list.

Customer lists, blinded as to specific health records, can easily be sold to insurers, health provider networks and more. The list goes on and on.

And they even get $5. from the consumer.

Has an RFID tracking chip been smuggled into your implants?

According to presenters of the 2009 RFID Journal's medical proposals, RFID chips have been implemented to track "implantable medical devices."

Questions arise concerning whether or not RFID chips, which broadcast an ID number or other data, remain in the chipped products when they are implanted into patients.

Journal Evidence:

The safeguards and disclosures regarding the practice have likely yet to be developed or considered. Potential HIPAA violations, in addition to other likely challenges, are lurking, yet nobody has spoken up. The RFID Journal trade group continues to quietly lobby for zero regulation on the matter.

Sunday, October 11, 2009

Auto License Plates With RFID: Sport-bike Outlaws Cited as National Cause

In one of the strangest, most reaching arguments for promoting RFID contractors, the RFID Journal has printed the argument that speeders riding sports motorcycles across the US are such a menace to society that we all must now broadcast an ID number from our license plates, from 30 feet away, to anyone who wants to read it.

Believe it or not, the article actually makes the case that if the speeding sport bikers across the US only had RFID chips in the license plates, which they routinely remove or "flip" to hide, then the stalwart police would not have to give high speed and winged pursuit. The image is one of the officer in his crisp uniform, slowly shaking his head as the biker goes by at mach 2, returning to his latte secure in the knowledge that the biker would get his ticket and summons in the mail.

"Drat!" Says the biker when he gets the later uniformed knock on his door, "foiled again by the RFID chip!"

Needless to say, not only would the bikers remove the entire plate if they want, since the cops can't catch them anyway, they would also buy, borrow or steal other license plates to broadcast the wrong number to the idiot with the latte.

Here's the article: Please comment!

U.S. Department of Transportation Solicits Proposals From Small RFID Companies

In actuality, it doesn't need to be a motorcycle. What do they do when they are outrun by a bicycle?

In a generous handout to what will surely be picked up by both civil libertarians and ultra-right wing conspiracy nuts, the Federal Government has jumped into the fray by having the Department of Transportation request solution bids from RFID contractors.

Wednesday, September 23, 2009

Costing US Jobs: FBI’s Data-Mining System Sifts Airline, Hotel, Car-Rental Records, May Be Chasing Away Business

Competitive Privacy Policy is the new vernacular referring to companies and jurisdictions which demonstrate an understanding that personal security requires personal privacy, and that the sacrifice of privacy sometimes necessary to do business with a company, or to do business within a jurisdiction, has a monetary and social value to consider, to safeguard, and at times to trade.

Companies and organizations large and small are fleeing countries with privacy policy which does not recognize the value of personal and private business data gathered, or the responsibility of the holder of the data to protect it.

Case in point: US Loses SWIFT Wire Transfer System to Europe. Again.

Case in point: FBI invades tourism industry. Again.

FBI’s Data-Mining System Sifts Airline, Hotel, Car-Rental Records Threat Level

Case in point: Google Street View challenged in U.K.

Companies have choices as to where they operate from, where they base themselves, and where they pay taxes. Jurisdictions have to compete to get the 'customer'. Arrogance is not paying off. US lawmakers may need to get out more often to see what the competition is offering.

Saturday, September 19, 2009

FTC Under Heavy Pressure to Establish RFID Safeguards

Washington D.C. based, non-profit Electronic Privacy Information Center (EPIC) sets its successful sights on the FTC to establish RFID safeguards

In comments to the Federal Trade Commission, EPIC reiterated recommendations (pdf) it made in 2004 to the consumer protection agency to address the risks to consumer safety of the unregulated use of RFID tags that reveal personal data. The FTC is hosting a "Transatlantic RFID Workshop on Consumer Privacy and Data Security" to discuss consumer concerns. The workshop follows an event, organized by the US Department of Commerce, promoting the benefits of RFID. Comments on RFID may be submitted to the FTC until October 23. For more, see EPIC's RFID Privacy page. (Sept. 22, 2008).

Guidelines were issued back in 2004, and are gaining traction due to the new attention given RFID in the press. They would prevent, among other things, "Tracking, Snooping and Coercion" using RFID data.

Guidelines on Commercial Use of RFID Technology
(FINAL VERSION - July 9, 2004)


The guidelines are proposed to guide the use of RFID technology in order to protect both
private enterprise interests and consumer privacy interests. This means that these
guidelines do not address protection of consumer privacy from any governmental action.
Rather, they seek to protect consumer privacy from private enterprises. Further, these
guidelines focus on use in the retail and manufacturing industry where retailers and
manufacturers are beginning to implement item-level RFID tagging to facilitate supply
chain efficiency, inventory control, and similar applications.

These guidelines primarily address commercial, private applications which may use
RFID tags to draw conclusions about consumers without their knowledge or consent, or
that might generate data which could be used for entirely different purposes at a later

These guidelines are divided into three parts. Part A addresses the duties of private
enterprises that use RFID technology. It imposes minimum requirements on RFID users,
recognizing the advantages that RFID technology can provide while at the same time
addressing privacy concerns. Part B addresses practices in which the RFID Users
should never engage, including tracking, snooping, and coercing consumers to accept
live RFID tags or associate their personal data with an RFID application. Finally, Part C
states the rights of consumers who are exposed to RFID technology and incorporates
some of the Users' duties stated in Part A.

"RFID" means Radio Frequency Identification, i.e., technologies that use radio waves to
automatically identify individual items.
"Tag" means a microchip that is attached to an antenna and is able to transmit
identification information, i.e., capable of receiving data from, or transmitting data to, a
"Reader" means a device, capable of reading data from a tag or transmitting data to a
RFID tag.
"RFID Subject" or "Individual" means a consumer, customer, or any other such individual
that comes in contact with a product that has attached to it, or contains, an RFID tag.
"RFID User" means an RFID operator, such as a store, warehouse, hospital, and the
like, who employs RFID technology, including RFID readers and tags.
"Premises" means a store, a warehouse, a hospital, or any other such equivalent space
that encompass the tags and the readers that communicate with RFID tags.
"Consent": means the freely given, specific and informed indication of a RFID subject's
wish to have his/her personal information processed by the means of RFID technologies.
RFID Guidelines

A. What RFID Users Must Do:

1. NOTICE. Give notice to a RFID Subject of:

a. Tag presence, whether through labels, logos, or equivalent means, or through
display, either at the place where a tagged item is stored, such as a shelf or counter, or
at point of sale, such as a cash register. The notice shall be reasonably conspicuous to
the individual and contain information that enables the individual to be reasonably aware
of the nature of the RFID system and the data processing in place.

b. Reader presence, whether through labels, logos, or equivalent means, or through
display, whenever tag readers are present. The notice shall be reasonably conspicuous
to the individual and contain information that enables the individual to be reasonably
aware of the nature of the RFID system and the data processing in place.

c. Reading activity. RFID Users must use a tone, light, or other readily observable and
recognized signal whenever a tag reader is in the act of drawing information from an
RFID tag anywhere on the sales floor.

2. REMOVAL. Attach tags to items in such a way as to allow for the easiest possible
removal of tags.

3. ANONYMITY PRIORITY. Any RFID user -- before linking RFID tags to personal
information -- should first consider alternatives which achieve the same goal without
collecting personal information or profiling customers. If personal information must be
collected and associated with tag data, the RFID user must satisfy the following five

a. Consent. Obtain written consent from an individual before any personally identifiable
information of the individual, including name, address, telephone number, credit card
number, and the like, is attached to, stored with, or otherwise associated with data
collected via the RFID System.

b. Purpose. Before obtaining written consent, the RFID User must inform the RFID
subject about the purpose of associating gathered data with personal information, and
specify that purpose before such attaching, storing, or association.

c. Use limitation. Before obtaining written consent, the RFID User must inform
individuals about the scope of use of gathered data, whether the use is limited to the
person's own interests or whether the data will be disclosed to third parties. Keep data
only as long as it is necessary for the purpose for which the data was associated with
personal information.

d. No third party disclosure. Not disclose, directly or through an affiliate, to a
nonaffiliated third party an individual's personally identifying information in association
with RFID tag identification information.

e. Data quality. Keep gathered data accurate, complete and up-to-date, as is necessary
for the purposes for which it is to be used.

4. SECURITY. Take reasonable measures to ensure that any data processed via an
RFID system is transmitted and stored in a secure manner, and that access to the data
is limited to those individuals needed to operate and maintain the RFID system.

5. OPENNESS. RFID Users must make readily available to individuals, through the
Internet or other equivalent means, specific information about their policies and practices
relating to its handling of personal information. Any personally identifiable information
itself shall be provided upon written request of the individual in a secure manner.

6. ACCOUNTABILITY. Designate someone who is accountable for the RFID User's
compliance with these guidelines.

B. What RFID Users Must NOT Do:

1. TRACK. Track the movement of RFID subjects at any time without their written
consent to all tag reading events. RFID users shall not track individuals via tagged items
on the premises or outside the premises where an RFID system is employed to obtain
individual shopping habits or any other such information obtainable through tracking,
even upon suspicion of such activities as fraud or shoplifting.

2. SNOOP. Record or store tag data from tags that do not belong to the RFID User for
any reason except for the processing of returns or warranty service and upon the
consumer's request. RFID users shall not collect RFID data from objects on, or carried
by, an individual person for the purpose of generating a consumer profile, even if the
profile is assigned anonymously.

3. COERCE. Coerce or force individuals to keep tags turned on after purchase for such
benefits as warranty tracking, loss recovery, or compliance with smart appliances; and
not require individuals to provide unnecessary personal information as a precondition of
a transaction. RFID Users must allow individuals who so desire to enroll anonymously in
any RFID data-gathering scheme.

C. RFID Subjects' rights:

1. ACCESS. RFID Subjects must have the right to access data containing personally
identifiable information collected through an RFID system, and have the opportunity to
make corrections to that information.

2. REMOVAL. RFID Subjects have the right to get tags removed from tagged items.

3. ACCOUNTABILITY. RFID Subjects have the right to challenge the compliance of
persons employing RFID systems when practice contradicts the guidelines set forth

Thursday, August 6, 2009

Site Accused of Government Takeover of PC's

Where is the "Privacy Czar"?

The US Federal Government's site, which facilitates the Cash for Clunkers program, lets the government take over the PC of any dealer using it, and everything in it. The dealer actually has to deem his PC government property, and assign its content. Does the consumer know his info has been turned over to the Treasury?

Few would take seriously anything reported by Glenn Beck or Fox News, but they broke the story. Beck tries to make it seem like this applies to consumer use of the site, which it does not, but if you are a dealer, you are in danger for two reasons.

First, the feds have control of your computer and all of its content. Files, passwords, downloads, emails, websites surfed - theirs.

Second, the consumer surely isn't notified that they are turning over all info given to the dealer - credit, references, income, deposits, etc. - to the feds. This will surely lead to privacy violation lawsuits from the consumers against the car dealers.

Here's Beck's story:

US Rates Poorly in Corruption Index

has issued its latest Corruption Barometer, whereby citizens polled rate various categories of corruption in their countries.

In the categories of Political Parties, Legislature, and Private Sector the US rated worse than Russia, Moldova, Belarus, Azerbaijan and Armenia, among others.

See the entire report at:

Tuesday, August 4, 2009

Feds at DefCon Alarmed After RFID’s Scanned | Threat Level |

Those following the entry will be interested in this update.

Feds get a taste of their own Medicine in Las Vegas annual hacker summit.

Feds at DefCon Alarmed After RFID’s Scanned Threat Level :

The security risks of RFID use have been visited on the very federal agent proponents of such devices. Fortunately for the feds, this surprise took place in the somewhat safer environment of the DefCon hacker convention in Las Vegas.

The amiable individuals who scanned the feds were nice enough to destroy the data in front of the feds, causing heartbeats to resume their regular rhythm.

Another lesson in Las Vegas.

Monday, July 27, 2009

Bill Gates Demonstrates Lack of Privacy Comprehension

Quotes from Gates make one wonder if the Microsoft founder comprehends the security problems posed by over-tracking of individuals. Indeed, he does not seem to grasp the basic problem of everyone around you knowing your name and health history before you even introduce yourself:

Gates Faults U.S. Policy on Data Privacy and Immigration -

It is little wonder that privacy advocates shy away from Microsoft. It will be interesting to see how they are able to compete with this inability to comprehend the need for privacy or to act with best practices.

Privacy comprehension and practice have become a proving ground of international business, on which the US is, at least for now, failing miserably.


In the end, banking customers make the choice. For now, it seems that Europe's more individualist and consumer-friendly approach to privacy regulation has gained the upper hand. The US has a long way to go to regain its reputation as a defender of privacy rights.

The story is also that of the US losing its bid to house the massive, job-producing data center of SWIFT, by which virtually all banks transfer funds across borders. This loss is due entirely to the fact that the US is no longer a credible location for data, due to warrantless searches, seizures, spying, insider deals and a host of related accusations. Integrity and transparency have suffered in the wake of the implementation of the USA Patriot Act, standards of practice and other regulations put into place since 9/11/2001.

The US also lost the bid for storage and management of the ID data held by, the passport ID storage and delivery facility of the Consular Chamber of Commerce. This data was moved to Denmark for the privacy protection offered by the more comprehensive and transparent EU and Denmark regulation.

US Snooping Rights in Europe: Criticism Grows over Banking Data Deal - SPIEGEL ONLINE - News - International

The EU is about to enter talks with the US on giving it access to banking data in its fight against terrorism. German politicians from across the political spectrum are up in arms, and members of the European Parliament say they will try to scupper any deal that violates data privacy.

Sunday, July 26, 2009

Israeli Biometric ID - Israel National News

Israelis voice concern over biometric identification gathering by the Israeli government, including facial and fingerprint collection:

Opponents of Biometric Law: 'It's a Step to a True Police State' - Inside Israel - Israel News - Israel National News

Ethiopia Goes to Biometric Tax ID

Ethiopians are concerned about privacy in the face of required fingerprinting by the Country's national taxing authority:

Ethiopian Revenue and Custom Authority Collecting Fingerprints

Friday, July 17, 2009

U.S. vs. UBS: A Fight Over Secret Swiss Bank Accounts

Privacy showdown.

I love it when the US flexes diplomatic muscle. This, however, is not the proper purpose or venue. The US can't win this. Obama needs to rein in the Treasury. If the accounts were in the US, the IRS likely would not be able to get the data with the same methods.

U.S. vs. UBS: A Fight Over Secret Swiss Bank Accounts

Individuals the world over - including in the US - are siding with Switzerland 9-1. It's not the way to keep improving our standing in the world.

If the US has the names, they can pressure the individuals by other means, as we all know. They are instead looking for UBS to do their work for them. Treasury boys need to do their own homework, stick to legal methods. Yes, even if there are tax evaders in the bunch (which has yet to be determined).

Kaiser Bellflower is fined $187,500 for privacy breach [Updated] | L.A. Now | Los Angeles Times

State of California deserves congratulations for catching this one:

Kaiser Bellflower is fined $187,500 for privacy breach [Updated] L.A. Now Los Angeles Times

If the State protects the medical privacy even of idiot reality show clowns, we can all be pretty confident.

I wonder how CA caught the accessing of the medical records. The article gives us no clues. Anyone got any feedback?

Twitter Hack Raises Flags on Security of Web Tools -

Don't Twitter your life away.

It's social engineering, actually, not hacking. The invasion is done by someone who figures out your password because your entire life is public.

They got the CEO of Twitter, and his wife. They got his Paypal account, and his credit cards. Here's how:

Twitter Hack Raises Flags on Security of Web Tools -

Tuesday, July 14, 2009

Deal Sought in Swiss Bank Suit -

Deal Sought in Swiss Bank Suit -

US cools threats against UBS when Swiss government backs decision not to allow US 'fishing expedition'. Negotiations back under way.

Saturday, July 11, 2009

Chips in official IDs raise privacy fears - Yahoo! News

Nightmare security issues with the new US Passport and e-Passport (Passport Card) call into question the compliance of these documents with even the most basic security issues.

Chips in official IDs raise privacy fears - Yahoo! News

The Dept. of Homeland Security did much to avoid risk of hackers getting in to the database, by making the number a mere pointer to their own files grounded in DHS computers. But the very function of the RFID chip, broadcasting an ID number, is easily co-opted by the private sector (retailers), and combined with the other information the retailer collects.

No need to obtain the government's data file, just about anyone can buy the data collected by the retailer, including your identity, all of your buying habits and payment options, demographics information, etc. The data then is neatly wrapped up and tied together with your RFID number, then sold, legally, to any number of buyers.

Now you walk through the mall, with your new driver's license, passport or passport card in your wallet, and that Israeli chick at the kiosk with the Dead Sea soap calls you by name - from 30 feet away.

Worse, some creepy guy likes what he sees when you pull up next to him in traffic. He inputs your RFID on his mobile, and gets everything about you, including address. He may even add your license plate number to the database app on his iPhone.

Worse again, you can be completely watched on cameras which turn on only when you are within 30 feet, anywhere in the world. You might not be worried about that at home, but what about when you are at a foreign airport, or in a foreign city? How about when you are crossing between two foreign countries?

It seems that RFID has no redeeming value. Please comment.

Friday, July 10, 2009

Report: Bush surveillance program was massive - Yahoo! News

Watch your back...

Report: Bush surveillance program was massive - Yahoo! News: "'President's Surveillance Program' did not have any connection to terrorism"

- Team of 5 US Inspectors General, July 10, 2007.

Is this what they mean by "less government?"
Maybe this is the example we set when we say we are "spreading democracy."
Is this the "freedom" our soldiers fight for?

Social-networking site Tagged accused of massive invasion of privacy traffic - San Jose Mercury News

Social-networking site Tagged accused of massive invasion of privacy traffic - San Jose Mercury News

Never, never, never give any social networking site access to your email address book. Big mistake. Huge.

Virtually every social networking site attempts to gain access to your email address book right off the bat. Best practice is not to let them in to it.

Thursday, July 9, 2009

Privacy breach shocker | Alberta | News | Edmonton Sun


Edmonton Sun

The liability of holding this information on local hard drives far outweighs any benefit. The people whose information has been breached can be blackmailed, fired, divorced or worse when this information goes to those in their communities. The class actions will cost American companies, many of which have had the same problem and not let it hit the news, billions.

Health service providers are notoriously cavalier in the security of data and in HIPAA practices. Data security is everything here, and they'd better take notice.

Tuesday, July 7, 2009

Court: IP Addresses Are Not 'Personally Identifiable' Information 07/07/2009

MediaPost Publications Court: IP Addresses Are Not 'Personally Identifiable' Information 07/07/2009

Watch your back! IP addresses are now considered public. The judge who decided this probably does not realize that anyone now can pull his IP address off of his email, and come to his home.

Is it Personally Identifiable Information then?

If you would rather mask your IP address, go to

Monday, July 6, 2009

The Management of Privacy

It is amazing how much information is available regarding personally identifiable information. The consumer slander sites are providing easy dissemination of libelous material under the guise of free speech. Free speech does not protect speech that hurts others and damages people.

What's just as scary are the data brokers like Intelius, US Search, People Finder, among many others, that compile information into a neat file, so that anyone can pay a nominal fee to ascertain past addresses, phone numbers, income, real assets, tax liens, civil suits, criminal charges or convictions, schools attended, etc. Is anything safe?
Well there is a service from that provides privacy protection. Part of their service includes getting much of your personal data removed from these data brokers on the Internet.

Your County Assessor may have information publicly available that you may want to hide, such as your signature. Go to your local County Assessor website, look up your home's information and see if there is any sensitive information displayed about you. You may be able to redact or remove this information with a written request.

Hire someone knowledgeable that knows where to find and snuff out your private information from public distribution.

Google Street View Pitfalls

Google's Street View product, a free service, seems to be more controversial in Europe, where the dangers are more commonly understood:

Want to scare yourself? Google your home phone number, in this format: xxx-xxx-xxx. See if it produces your address anywhere. If it does, google the address. Check Street view.

A single woman showed me how her un-listed phone number directs anyone who cares directly to her home. It also showed her car in the driveway.

The liability here is tremendous. Not only is her phone number on the FTC do-not-call list, but combining it with such information as a photo of her home may be tantamount to trading in her Personally Identifiable Information, an FTC violation.

Eliminate these risks at

Wife of Sir John Sawers, the future head of MI6, in Facebook security alert - Times Online

Wife of Sir John Sawers, the future head of MI6, in Facebook security alert - Times Online

Unbelievable! Sir John and his wife could use a briefing from,, Violate FTC Regs


Newly formed complaint sites have sprung up in several incarnations. Each is designed to take the Better Business Bureau model to a new, for-profit extreme., (formerly until they lost their domain name), and are happy to take any complaint about any person or business. Any gripe will do, true or not. The sites then generate a URL which includes the name of the "defendant" (read "victim") of the complaint. Complainants have learned to place the name of their adversary in the complaint line, making the complaint pop up whenever anyone executes a google search on that person or business.

High maintenance customers of small business have married themselves to these sites, using them to bully retailers of all sorts into capitulation.

Search the rolls of complaints, and you will find that everyone from the President to your corner deli has hatemail posted.

How do you remove it? Generally speaking, you don't. Lawsuits have been pursued fruitlessly, with few exceptions (see The sites hide behind freedom of speech, while using the traffic generated by your name to sell ads. And they don't just sell ads. Inquire about removal and you will quickly learn about their "Reputation Management" programs. Lucky you, now you can pay a few grand to have these anonymous gutter vermin "manage your reputation", which really means pay-to-remove-your-complaint. Yes, that's probably a form of blackmail. Tell someone who cares.


Slander sites may have a serious problem. Many people who want to attack a person or business will post their victim's name, address, phone number or more on the site. These pieces of information, taken together, are considered Personally Identifiable Information by the Federal Trade Commission.

By federal privacy regulations, you must have an option to remove your personally identifiable information from nearly any publication. Even worse for these blackmail sites, they trade in your information by selling ads to place in front of viewers seeking your information. Without your data, they don't have advertisers.

That amounts to trading your personally identifiable information. That's an FTC violation.


Anyone with personally identifiable information posted on any of these slander sites could therefore file a simple complaint with the FTC at There is a wizard to help you quickly file your complaint at

If you need help filing your complaint, I will be happy to help you myself. You can contact me at