In an effort to fully exploit DNA databases, investigators in California are planning to look for partial matches from crime scenes. If a forensic sample partially matches a sample on file, it likely means that it was left by a relative of the person on file. Although the "match" isn't for a suspect, they'll be investigated to try to find the suspect in their family tree.

Critics are concerned about the privacy implications of this.

California takes lead on DNA crime-fighting technique - Los Angeles Times

Civil libertarians oppose using DNA databases to search for relatives of unknown offenders, saying it puts family members under "genetic surveillance" for crimes they did not commit. For now, all the people in the state's database are convicted offenders, but the state plans to expand the database next year to include arrestees, heightening concerns over privacy.

Critics say familial searching could expose sensitive and secret genetic relationships. A son, for example, could learn that his father was not his biological parent. DNA databases also reflect the racial and ethnic biases of the justice system, exposing minority communities to more surveillance than others, critics maintain.

FBI officials in charge of the national database network have also expressed concerns, making them unlikely allies of civil libertarians on familial searching. They urge a cautious approach, worrying that the courts will balk at this type of sleuthing. No law specifically authorizes it, and some legal scholars consider it unconstitutional because they say it amounts to an unreasonable search.

Brown called such objections hypothetical. The policy forbids the release of the names of relatives until genetic tests and analysis convince the state that the person is indeed a relative.

"It is still not going to be a fail-safe system, and we are going to make mistakes," said Simoncelli, the ACLU science advisor. "We are opening the door to using the database in such a fundamentally different way than the purpose for which it was established."

Labels: biometrics, privacy

Washtington Post columnist Al Kamen has picked up on the Canadian Privacy Commissioner's response to the Secretary of Homeland Security's statement that fingerprits are not "personal" (see: Canadian Privacy Law Blog: Privacy Commissioner's response to US Homeland Security Secretary's statement on biometrics). It's not clear whether he's being serious, but we certainly are wacky compared to the Americans.

Al Kamen - Wacky Canadians Still Believe in Privacy - washingtonpost.com

Wacky Canadians Still Believe in Privacy

By Al Kamen

Friday, April 25, 2008; A21

Homeland Security chief Michael Chertoff caused a little ruckus up north a couple weeks ago as he was pushing his plan to share databases of international air travelers' fingerprints with the Canadians, Brits and Aussies.

In an interview with an excessively squeamish Canadian reporter, Chertoff was told: "Some are raising that the privacy aspects of this thing, you know, sharing of that kind of data, very personal data, among four countries is quite a scary thing."

Nonsense, Chertoff responded. "Well, first of all, a fingerprint is hardly personal data because you leave it on glasses and silverware and articles all over the world. They're like footprints. They're not particularly private," he said, according to Canadian news reports and privacy lawyer Peter Swire, a senior fellow and guest blogger at the Center for American Progress.

Absolutely. But the old-fashioned Canadians seem to think otherwise. They even have someone who monitors privacy issues, Privacy Commissioner Jennifer Stoddart, who promptly wrote the minister of public safety and preparedness to object, noting that Canadian law "defines fingerprints as personal information" and that "fingerprints constitute extremely personal information for which there is clearly a high expectation of privacy." That's why, she wrote with a hint of huffiness, "Canadians rightly expect their government to respect their civil liberties and personal information from abuse."

Oh yeah? Well, our Supreme Court ruled in 1985 that you have to have probable cause before you haul someone off and fingerprint them. Justice Byron R. White wrote the opinion, joined by Warren E. Burger and William H. Rehnquist, no less.

But in wartime, maybe we have different expectations, okay? As Chertoff, who after all was recently a federal appeals judge, knows quite well, no one should expect privacy in a restaurant or anywhere else where a fingerprint might be left.

And we don't. That's why many diners here are beginning to use gloves when they eat at restaurants and some even wear those hospital booties. Others prefer just a discreet swipe of utensils and glassware with a Wet-Nap to ensure against DNA retrieval from saliva. (There is a growing -- and deplorable -- trend to bring personal cutlery, but that really seems excessive and, in finer establishments, downright disrespectful, especially if it's plastic.)

Is it possible the Canadians thought those signs at beachfront eateries -- "No shirt, no shoes, no service" -- were an effort to maintain appropriate attire? Everyone down here knows the restaurants just wanted to prevent the feds from trying to collect toe prints.

Canadians probably still go to barbershops -- where a single hair in the right hands can provide DNA, general health info, recent drug use data and other information. Our cousins probably haven't read about the growing in-home trim movement here.

And there's an easy way to guard against theft of your secret mattress Sleep Number. Just change the setting every morning before you leave.

Labels: biometrics, health information, privacy

CityNews in Toronto is reporting that the city's chief of police is calling for forced DNA samples for a national database even before an individual is convicted, and the retention of those samples even if the individual is acquitted. See: CityNews: Toronto Police Chief Calls For Forced DNA Samples.

Labels: biometrics, dna, privacy, retention

Jennifer Stoddart has released a letter addressed to Minister of Public Safety Stockwell Day in response to remarks made by the U.S. Secretary of Homeland Security suggesting fingerprints are not “personal data”.

Letter to the Minister of Public Safety and Emergency Preparedness Canada

The Honourable Stockwell Day, P.C., M.P. Minister of Public Safety and Emergency Preparedness Canada Public Safety Canada Room: 19A-7400 269 Laurier Avenue West Ottawa, ON K1A 0P8

Dear Minister,

I am writing to express my concern about remarks U.S. Secretary of Homeland Security Michael Chertoff made yesterday while in Ottawa, suggesting fingerprints are not “personal data”.

As you know, Canadian privacy legislation defines fingerprints as personal information. In Canada, we have traditionally taken a more restrained approach to the collection of fingerprints, largely restricted to cases were individuals are charged with or convicted of certain criminal behaviour.

In contrast, the U.S. has increasingly relied upon the collection of biometric data, including fingerprints, from a broad range of individuals for border control purposes and in order to identify and track suspected terrorists. Fingerprints constitute extremely personal information for which there is clearly a high expectation of privacy. Canadian courts have held that, absent lawful authority, compelling persons to provide fingerprints may violate their rights under the Charter of Rights and Freedoms.

No one doubts the need to strengthen information-sharing among nations. We all share a common goal of ensuring our national security. However, as Privacy Commissioner, I strongly urge the Government of Canada to ensure that the privacy rights of individuals are respected and protected at all times.

Canadians rightly expect their government to respect their civil liberties and safeguard their personal information from abuse. The challenge lies in finding the balance between the protection of civil liberties and the need for national security.

As Privacy Commissioner, I certainly expect to be consulted if the Government of Canada is considering new programs to share biometric information – or any personal information – with foreign governments.

I expect your assurance that adequate oversight and control mechanisms are built into the collection, use and safeguarding of personal information that may be shared with other governments, and I expect the opportunity to review these mechanisms.

I know that our respective staffs have built a solid working relationship in matters of security and privacy, and expect that the concerns identified above will be addressed as programs are expanded or new programs are considered.

Sincerely,

Original signed by

Jennifer Stoddart Privacy Commissioner of Canada

Labels: biometrics, international travel, privacy

According to Information Age, privacy concerns have at least delayed the implementation of fingerprint biometrics at Heathrow's new Terminal 5 (For some background, see: Canadian Privacy Law Blog: A small step for biometrics; a giant leap for the UK surveillance state). See: Privacy fears delay Terminal 5 fingerprint biometrics | Information Age.

Labels: air travel, airlines, biometrics, europe, privacy, surveillance

Just in case you were starting to wonder about the benefits of a written constitution and bill of rights, the UK steps up to the plate: Authorities in England are proposing to collect the DNA of five year olds in case they grow up to be terrorists, thugs, or ne'er do wells. And if you have a transit card, your movements will be analyzed by the sercurity services in case you are a terrorist, thug or ne'er do well. See: Put young children on DNA list, urge police Society The Observer. Via Boing Boing.

Labels: biometrics, dna, privacy

Over the holidays, the US government published information about a new passport card to facilitate travel by Americans in North America. One "feature" is causing a lot of concern: the technology (presumably RFID) built into the card means they can be read over a distance of up to eight metres. The cards will be issued with protective sleeves for those who want to use them, but this doesn't assuage privacy advocates who think the technology is inherently flawed. See: globeandmail.com: U.S. 'vicinity-read' cards assailed by privacy experts.

Labels: biometrics, passports, privacy, rfid

FBI aims for world's largest biometrics database - Yahoo! News

... At an employer's request, the FBI will also retain the fingerprints of employees who have undergone criminal background checks, the paper said....

Labels: biometrics, law enforcement, privacy

A comment in the Guardian by Henry Porter decries preceived intrusions into the private lives of the British and suggests that Canada is a good model to follow. He agrees strongly with what Pierre Trudeau said, that the Government has no business in the bedrooms of the nation.

Our sex lives are our own business Comment Guardian Unlimited Politics

... A few years ago, this sentence appeared at the beginning of a bill: 'Her Majesty by and with the advice of the House of Commons enacts as follows: rules to govern the collection, use and disclosure of personal information in a manner that recognises the right of privacy of individuals with respect to their personal information.'

The only words I have missed out are the 'senate' and 'of Canada'. Same queen, but different country and one which has placed the respect for privacy at the heart of its national life. It seems extraordinary that two countries which used to share so many political values have taken such different directions. There's a lot that Canada can teach the Mother of Parliaments, especially the opposition, which has lost the habit of thinking outside the terms that Labour has set for the national agenda.

There are two important acts which serve as good templates for the sorts of reforms Liberty calls for. The first is the Privacy Act which took effect in 1983 and which imposes obligations on some 150 government and federal departments and agencies to respect the privacy rights by limiting the collection, use and disclosure of personal information. It gives the individual a right to access and correction of personal information held by agencies. The second act is the Personal Information Protection and Electronic Documents Act (Pipeda), a law which means a company like Tesco, which accumulates enormous amounts of personal data, must have consent from its customers. Underlying these is the Canadian charter of rights and freedoms which states: 'Everyone has the right to be secure against unreasonable search and seizure', a guarantee which I would like to see in a British bill of rights.

It is argued that we have the Data Protection Act and the information commissioner, but despite the latter's agitation, nothing has stopped the 500,000 interceptions of private communication each year, the total surveillance of motorways, the building of the ID card data base, the creepy children's database and expansion of the police DNA database.

The Canadian system hasn't worked perfectly, especially since 9/11, but Canadians shudder at what is happening in the UK, at the abandon with which we allow government more and more control over our lives and our futures....

Labels: biometrics, dna, europe, privacy, surveillance, uk

In a preliminary letter to the complainant, the Office of the Privacy Commissioner of Canada has concluded that the Law School Admissions Council violates PIPEDA by requiring candidates to submit to fingerprinting at the time the LSAT test is taken:

CIPPIC News « CIPPIC

In a decision released earlier this month, the Privacy Commissioner of Canada found that the requirement for Canadian students to provide a finger/thumb print in order to take the Law School Admission Test (LSAT) is an unnecessary infringement of privacy.

Copy of letter decision sent to Complainant

One of the most interesting aspects of the letter is the conclusion that the non-profit LSAC is engaged in commercial activities sufficient to have PIPEDA apply in the first place.

Also, the Assistant Commissioner's conclusion turned on the four point test applied in the past to video surveillance:

• Is the measure demonstrably necessary to meet a specific need?
• Is it likely to be effective in meeting that need?
• Is the loss of privacy proportional to the benefit gained?
• Is there a less privacy-invasive way of achieving the same end?

Labels: biometrics, patriot act, privacy, surveillance, video surveillance

Yesterday's New York Times ran an interesting article on the increasing application of biometrics to drivers' licenses in the United States, and the collateral use of this technology. For example, photos from state databases are run against the rest of the database to identify those who have multiple licenses (to try to thwart a license suspension) or against photos of wanted felons. This practice has privacy advocates upset:

Driver’s License Emerges as Crime-Fighting Tool, but Privacy Advocates Worry - New York Times

“What is the D.M.V.?” asked Lee Tien, a lawyer with the Electronic Frontier Foundation and a privacy advocate. “Does it license motor vehicles and drivers? Or is it really an identification arm of law enforcement?”

Anne L. Collins, the Massachusetts registrar of motor vehicles, said that people seeking a driver’s license at least implicitly consent to allowing their images to be used for other purposes.

“One of the things a driver’s license has become,” Ms. Collins said, “is evidence that you are who you say you are.”

Labels: biometrics, privacy

Labels: biometrics, privacy, rfid

Last year I blogged about a company called Riya that was going to bring facial recognition technology to the masses (With facial recognition available to the masses, privacy through anonymity may go out the window). I haven't heard much about Riya since then, but recently a company called Polar Rose has been in the news for a similar product.

What seems to make their technology different is an internet explorer and firefox plugin that allows people to collectively identify individuals in photos on the 'net and tag them in the company's database.

The privacy concerns are pretty obvious, but it gets even more troubling when you think about the increasing amount of surveillance, webcams and other photos of individuals that are appearing on the internet without the knowledge or consent of the individuals in the photos. Combine this technology and Microsoft's new "street sweeper" photo trucks (Windows Live Local Virtual Earth and Privacy in Public), and there'll be records of where you've been from time to time.

The company's blog has some interesting things to say on their software and privacy:

On Privacy and Polar Rose

In the wake of the coverage of our upcoming launch, there’s been a natural discussion about what effect Polar Rose will have on privacy. We’re conscious of this issue and have been so from the very start; when founding the company, when first introducing the idea to Nordic Venture Partners (our investors), and with colleagues before and after they were hired.

It should come as little surprise that we believe that Polar Rose adds tremendous value to the photo web. We think we’re as harmful to the photo web, as Altavista, Yahoo!, and Google have been to the text web. By sorting the text web, these search engines exposed the wonderful resource of public documents that web had already become. The side-effect was that information which was not meant for public consumption, but which was kept private by obscurity, was suddenly exposed and searchable.

So is the photo web today. Hundreds of millions of photos that are screaming to be sorted, viewed, and searched are not being so because no one took the time – or had a facility like Flickr or other photo-sharing sites – to add descriptions, names, or tags. We want to sort this photo web to make each photo more valuable to the viewer, but also to the person who shot it. Tell the story, make it discoverable.

We’ll end up finding photos that the published never really thought of as being public. The trick, however, is not to turn off the technology, just like Altavista or any of the subsequent search engines weren’t shut down or otherwise censored. The challenge is to facilitate a way to make sure that photos that shouldn’t be in our database, aren’t. This can be by restricting access or by telling us not to pick them up.

• We don’t index private photos; photos behind a firewall, login, or on a user’s desktop computer. (We’ll do some partnerships where private photos will be indexed, but thus only for the individual user’s viewing)
• We honor robots.txt and subsequent requests by a site owner to remove photos from our database.
• We’ll never engage Polar Rose in the application of the technology in security or surveillance. It’s explicitly stated in the contracts we enter with partners.

While we believe we have a good grip of the privacy issues at hand, more are going to pop up. I and others from within the company will continue to post on this subject here and anywhere else the discussion happens – by email, phone or on other blogs. Privacy will always, always stay top-of-mind.

See: Better photo search could reduce privacy (AP).

Labels: biometrics, google, privacy, surveillance, video surveillance

Privacy is not always about identity theft and widespread eavesdropping. Sometimes it's a bit weird.

According to the Associated Press, a hospital in Baton Rouge, LA is about to spend $25,000 to test the DNA of a bunch of employees to figure out who peed in another employee's toolbox. Since nobody has stepped forward, there's no smoking gun and the trail has gone cold, the hospital administration is forcing 25 employees to provide a DNA sample or be terminated. Not surprisingly, some think it's an invasion of privacy.

DNA Tests Ordered for Urine Toolbox Prank - Yahoo! News:

'We checked with our legal counsel first and this is the next step in using technology to help solve a workplace incident,' hospital supervisor Stan Shelton said Monday.

The DNA testing, to be conducted by ReliaGene Technologies of New Orleans, will cost the hospital $25,000, he said.

Attorney Jill Craft worked with litigation involving swabs taken during the investigation into the South Louisiana serial killer cases. Craft fought for the rights of those swabbed during the probe that eventually resulted in the arrest of Derrick Todd Lee.

Craft said she believed the employees' rights are being violated. 'It's the intrusion by finding out what your DNA looks like, your unique pattern, which in my opinion, violates someone's right to privacy,' she said.

Technorati tags: Privacy :: Personal Information :: DNA :: Pranks

Labels: biometrics, dna, identity theft, information breaches

Lawrence Lessig recently observed a poster on a train in the UK reminding riders that spitting on railway staff is assault and that the UK's national DNA database will be used to track down offenders. I'm not sure that was the kind of offense that was pointed to when the database came into being, but shows how versatile that sort of info really is! See: Lawrence Lessig.

Labels: biometrics, dna, europe, information breaches, uk