Security & privacy

Phishing Attacks Rarely Work, But Still Worth Millions

A new report from Trusteer has shown that phishing attacks are rarely successful, but still worth millions of dollars to the attackers.

Trusteer makes a browser plugin called Rapport which is given away for free to customers of certain banks (including some Canadian banks). The plugin monitors for phishing attacks and can detect when someone is submitting login information to a false banking site. Rapport has been installed on about 3 million computers in Europe and North America, and data collected by the plugin provides a valuable look into the damage caused by phishing attacks.

In the recent study, Trusteer monitored the data from the Rapport plugin during a three month period, and in that time it analyzed phishing attacks against 10 large banks in the US and Europe. The key findings were:

  • each bank was targeted by an average of 16 phishing attacks per week (or about 832 attacks per year)
  • out of every million bank customers, about 12 (0.00125%) are lured into visiting each false web site that was studied. This is a very low success rate, but…
  • given that a bank experiences many phishing attacks in a year, about 1.04% of its customers were lured to one of the false web sites each year
  • once people were lured to a false web site, about 50% of the time they entered and submitted their login information
  • doing the math, this means that about 0.47% of a bank's customers revealed their login information to criminals each year
  • if the losses from stolen login information total $2,000 per case, then a bank with a million customers lost about $9.4 million per year
  • …and that money is going to criminals

Whoever said that crime does not pay did not try phishing.


Swapping fingerprints to fool immigration

A Chinese woman managed to enter Japan illegally by having plastic surgery to alter her fingerprints, thus fooling immigration controls, police claim.

This is a case of a woman who underwent surgery to alter her fingerprints in order to get past Japanese immigration procedures. Apparently, the measures worked and she was only found out when arrested on an unrelated charge.

The surgery switched the fingerprints of the thumbs and index fingers between the two hands, presumably to allow the person to present the original or modified fingerprint when given the option of which hand to present to a scanner.

It makes me wonder if fingerprint transplants between people are also a viable threat. It is also not clear how 10-print systems that record fingerprints from all the fingers, such as those now used by US immigration, would handle such finger swapping.


Encryption Without Administrator Privileges?

I am working on building an encryption solution for novice Windows users who do not have administrator privileges on the machines they use. Giving the users admin access is not an option because of the environment they work in.

I have explored a couple of different technologies and I would like to hear what other people have done. Do you know of any good technologies for this problem?

The encryption solution would primarily be used for safely storing files on USB flash drives that are carried between work locations, but it might also be used for safe storage on laptop and office computers.

I am a big fan of TrueCrypt and have had a lot of success creating encrypted containers on USB drives. But TrueCrypt requires an admin account to install and run the software, so these users can’t use it. It seems that most encryption solutions also require administrator privileges.

I have tried FreeOTFE, which offers a no-install version called FreeOTFE Explorer. This software can be copied to a USB drive and then run by a non-admin user. The user can create an encrypted container, mount it, and then drag files and folders into the container using an Explorer-like interface. So far, so good.

The problem with FreeOTFE Explorer is that the users cannot work with the files within the secure container. They can’t, for example, double click on a .doc file in the Explorer-like window and launch Word to edit the file. The only thing they can do with files in the secure container is extract them to an unsecure disk.

This means that a workflow using FreeOTFE Explorer would have to be something like:

  • open the container
  • extract the file to an unsecure disk
  • edit and save the file
  • copy the file back to the encrypted container, using an overwrite option
  • remove the copy on the unsecure disk

This is overly cumbersome and likely to lead to insecurities if the unsecure disk is not kept clean. I would really like these novice users to be able to work with files in the same way they are used to on unsecure disks.

The other option I have looked at is encrypted USB flash drives. Some drives, such as the ones from IronKey, have hardware encryption technology that can be used without administrator privileges. I don’t own one of these but, as far as I can tell, their operation should be transparent and users should be able to click on their files to open applications in the usual way.

IronKey drives, and other similar hardware encryption drives, are expensive, with prices being 4-5 times that of a normal USB drive. However, they may be the best solution to my problem, at least for securing files on USB drives. They would not provide a solution for secure storage on laptop hard drives or desktop computers.

Do you know of any other encryption solutions for users without administrator privileges? Please post a comment below.


Location-Based Services and Your Privacy

Location-based technology (LBT) refers to equipment and methods for determining the geographic location of a device, such as a mobile phone. The technology is used to provide location-based services (LBS) that use the geographic information to customize a service in some way. A common example is a Geographic Positioning System (GPS) navigation device in a car that displays a user’s current location on a map and directions to a desired destination. Location-based technology is also appearing in consumer devices such as mobile phones and portable computers. Mobile location-based services provide information or entertainment that changes depending on the location of the device. A specialized location-based service for mobile phones is enhanced 911, where location information is passed from the telephone provider to the 911 call centre during an emergency call. Canadian mobile telephone providers are supposed to complete deployment of enhanced 911 services by Feb. 2010, and this requirement is helping to drive the availability of location-based technologies in telephone networks and mobile phones.

Location-based technology and services are becoming popular very fast. A recent Gartner report predicts that the number of LBT users will double in 2009 to 96 million people worldwide. Revenue from LBS is also expected to at least double to a worldwide total of 2.2 billion (U.S.) dollars. The importance of location-based services for mobile phones is illustrated by the recent purchase of Navteq (the leading digital mapping company) by Nokia (the leading mobile phone company).

Location-based technology relies on geographic data provided by some kind of infrastructure. For mobile phones, location information can be obtained from the cellular infrastructure. By measuring which cellular antennas are closest to a mobile phone, and knowing where those antennas are located, a mobile telephone provider can use triangulation to calculate a moderately accurate location. Many modern mobile phones are also being equipped with GPS capabilities. By receiving data from a collection of orbiting satellites, GPS devices are able to calculate location information to a high level of accuracy. Also, by tracking the location information over time, GPS devices can determine the speed and direction of travel.

Location information can also be obtained from local infrastructures. Information about nearby Wi-Fi or Bluetooth networks can be used to calculate approximate geographic locations. For example, while Apple’s iPhone uses GPS technology to provide accurate location information, the iPod Touch uses Wi-Fi information to calculate approximate locations. This type of local service is important indoors where GPS and cellular services may not work properly.

Location-based technology is being used in a number of application areas. Mapping and navigation has already been discussed. Real-time traffic and weather information that is sensitive to the current location and planned route can also be provided. LBT can also be used for commerce applications, such as providing information about the closest stores or restaurants. Advertisements can also be sent to a user’s mobile phone based on their current location. Purchases could also be completed using location-based technology and a form of electronic payment – a customer would point their phone at the desired object and then authorize electronic payment. Automatic tollbooth systems that rely on low-power transmitters attached to vehicles are an example of this kind of location-based transaction.

Location-based technology can also be used for monitoring and tracking applications. Employees carrying mobile phones or vehicles in a corporate fleet can be tracked. Location-based tracking is already common for monitoring the movements of people under house arrest or other judicial restrictions. The same technology could be used to track children or senior citizens.

Although location-based services can be very valuable for the user, there are significant privacy implications. Location information is personal and private, and inappropriate use of the information can have significant negative consequences. Knowing that someone is out of town, for example, may be an invitation for criminals to rob their home. Being able to track a person’s movements may provide an opportunity for stalking. Because of these concerns, proper safeguards must be in place to protect any location information that is collected.

The most fundamental privacy issue is ownership and control of the location information. The current model is that, although it is the customer who owns the mobile phone, the location information is owned and controlled by the telephone company. The location information is in effect sold back to the customer embedded in some kind of service. The customer then becomes subject to any agreements and terms of service that they have arranged with the telephone company, and their partners. If a customer is not happy with the service or any privacy policies involved, they may have few options. This is especially true in places where the choice of telephone companies is limited.

Another important issue for location-based services in mobile phones is consent to gather and use the information. Cellular-based location information can be collected and used by the network operator without the customer’s knowledge or consent. Also, GPS devices embedded in mobile phones are often enabled by default and, although it may be possible to turn them off, controlling the devices can be difficult. Moreover, the services enabled by the location devices can be intrusive and unwanted. For example, location-sensitive advertisements that are pushed to mobile phones and automatically displayed would raise issues of consent.

Limiting the use of location information is also a concern. A mobile telephone provider and its customers will need to reach an agreement about how the location information is used, to whom it will be disclosed, and how long it will be retained. Location information may be particularly important in legal cases where establishing a person’s location at a specific time is crucial to a case. Canadian lawmakers are currently discussing new lawful access rules and the privacy of location information records should be included in that debate.

As mentioned previously, location information can be used to monitor and control individuals and activities. Knowing where someone is at all times can be used as a method of controlling his or her life. Location information can also be used to trigger a remote control, such as disabling a device if it is moved beyond some boundary. Understanding the personal and social implications of these powers will be important as location-based technologies continue to develop.

The privacy implications of location-based services have not gone unnoticed by the mobile telephone providers. In 2008, CTIA – The International Association for Wireless Telecommunications published a set of best practices and guidelines for location-based services. These guidelines emphasized two privacy principles that should be adopted by all providers of location-based services: user notice and consent.

A number of alternative technologies and approaches are possible when considering location-based services on mobile phones. For example, the accuracy of the location information can be artificially decreased as a means to provide some level of privacy. Instead of a service provider or application knowing the exact address of a customer’s current location, knowing the general neighbourhood or city may be enough to provide a valuable service while protecting privacy. Changing the level of accuracy based on the service provider involved, the type of service, or the end-user of the location information can be a powerful technique. For example, a customer may want to let a family-tracking service know their exact location while a work-related application would only get information about their general area (e.g., what city).

Anonymity techniques can also be useful for increasing the privacy of location-based services. The technology can be configured such that a provider of location-based services gets information about a customer’s location without getting any identifying information. Thus, the service could provide directions to the nearest banking machine without knowing who the customer is. Aggregation techniques can also be used so location data is always grouped and the location of a group can be determined but not the location of individuals. This could be used, for example, in traffic alerting situations that rely on the locations and speeds of drivers on the highways. An operator of such a service does not need detailed identity, speed, and location information of each individual driver, just the aggregate information from a group near one another.
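The three safeguards described in the two paragraphs above (per-recipient accuracy reduction, anonymous release, and group-only aggregation) can be sketched in a few lines. This is an added example, not code from any provider or product mentioned in the article; the recipient names, precision levels, minimum group size and sample coordinates are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

# Hypothetical release policy (an assumption, not from the article): for each
# recipient, how many decimal places of latitude/longitude it may see and
# whether the customer's identity is attached. Roughly: 4 places ~ 11 m,
# 2 places ~ 1 km, 1 place ~ 11 km (about city scale).
POLICY = {
    "family_tracking": {"places": 4, "identified": True},
    "work_app": {"places": 1, "identified": True},
    "atm_finder": {"places": 2, "identified": False},
}
# Recipients without an explicit entry get the coarsest, anonymous view.
DEFAULT = {"places": 0, "identified": False}


def coarsen(lat, lon, places):
    """Reduce accuracy by rounding coordinates to a fixed number of places."""
    return (round(lat, places), round(lon, places))


def release(recipient, customer_id, lat, lon):
    """Build the record a given recipient is allowed to receive."""
    rule = POLICY.get(recipient, DEFAULT)
    c_lat, c_lon = coarsen(lat, lon, rule["places"])
    record = {"lat": c_lat, "lon": c_lon}
    if rule["identified"]:
        record["customer_id"] = customer_id
    return record


def aggregate_traffic(reports, places=2, min_group=3):
    """Group reports into coarse cells and publish only group statistics.

    Driver identifiers are never copied into the output, and cells holding
    fewer than min_group vehicles are suppressed so that a lone driver
    cannot be singled out from the published data.
    """
    cells = defaultdict(list)
    for report in reports:
        cell = coarsen(report["lat"], report["lon"], places)
        cells[cell].append(report["speed_kmh"])
    published = {}
    for cell, speeds in cells.items():
        if len(speeds) >= min_group:
            published[cell] = {
                "vehicles": len(speeds),
                "mean_speed_kmh": round(mean(speeds), 1),
            }
    return published


# Constructed sample data: three drivers close together, one on her own.
SAMPLE_REPORTS = [
    {"driver": "d1", "lat": 45.4211, "lon": -75.6903, "speed_kmh": 42.0},
    {"driver": "d2", "lat": 45.4198, "lon": -75.6921, "speed_kmh": 38.0},
    {"driver": "d3", "lat": 45.4232, "lon": -75.6889, "speed_kmh": 40.0},
    {"driver": "d4", "lat": 45.3502, "lon": -75.9101, "speed_kmh": 95.0},
]

if __name__ == "__main__":
    for recipient in ("family_tracking", "work_app", "atm_finder", "coupon_network"):
        print(recipient, release(recipient, "cust-1", 45.4215, -75.6972))
    print(aggregate_traffic(SAMPLE_REPORTS))
```

The lone driver d4 never appears in the aggregate output, and a recipient with no policy entry sees only a one-degree cell with no customer identifier.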

The range of location-based services that could emerge in the future is limited only by our imaginations. One use we are likely to see in the near future is digital coupons, where stores that are nearby send coupons to mobile phones. Obviously, issues about consent, intrusiveness, and privacy protections will be important in this application. Imagine receiving a graphic digital coupon as you pass a sex shop on a downtown street and then lending your phone to your children or spouse.

Location-based services will also be married with social networking applications, such as Facebook and MySpace. Such a service allows a customer to know if anyone in his or her social network is nearby geographically. One of the first instances of such a service is Google Latitude, and Google is already starting to wrestle with the privacy implications of their service. Currently, Google promises to never share location information with third parties without explicit permission. They also support privacy controls where the only people who can view location information are those explicitly included on a friends list. Google is also supporting an option to only share location information at the resolution of a city.

Location-based services can also be used to construct augmented reality systems. Here information about the local surroundings is combined with actual information to create a hybrid real/artificial display. For example, a user might wear a special pair of glasses that they look through to see the real world. At the same time, a computer system could detect their current location and overlay information about what they are looking at. For example, they might see historical information when looking at a national monument, or biographic information when looking at a statue. Such a service might also include real-time information, such as news stories about a protest that is currently taking place in a public park. The amount of detail provided by the augmented reality system and any records of what the customers look at will raise important privacy concerns.


No Excuses! Encrypt Your Business Data

Recently published in CIO Leadership

Stories about lost data and privacy breaches are all over the news: laptops are lost or stolen, data tapes and CDs go missing, and sensitive data is found on USB keys. While it is difficult to protect IT equipment from loss and theft, it is not difficult to protect the data stored on the equipment. Encryption is a key component in a data loss prevention strategy. When data is properly encrypted there can be no privacy or security breaches because the data will be unreadable without the proper keys to unlock it. And with the wide variety of encryption solutions available today, there can be no excuse for not encrypting your business data.

Protecting business data is becoming more and more important because organizations are collecting larger amounts of data and finding it valuable for a range of business functions. And it is not just customer data that is sensitive, but also business plans, customer lists, product information, pricing sheets, etc. Organizations with an online presence are also exposing themselves to greater risks from security vulnerabilities and hackers, not to mention inadvertent leakage from well-meaning employees. Strong data protection is also being mandated in certain business areas, such as healthcare, payment processing, and government services. The state of Nevada even requires encryption during the transmission of any personal data. Also, the costs of adopting an encryption solution are usually much less than the costs of recovering from a data breach.

7 out of 10 businesses have lost a laptop

There are a number of points of data vulnerability in a business, including desktop computers, servers and databases, online systems, backup media and services, and, more recently, online “cloud” services. Anywhere where sensitive data is processed and stored represents a potential source of loss. Perhaps the most serious vulnerabilities, and the most difficult to control, come from portable devices, such as laptop computers, PDAs, USB keys, and portable hard drives. These devices can be easily lost or stolen and yet, given the distributed nature of most businesses, they often contain large amounts of valuable data. Recent IDC research showed that 7 out of 10 businesses have experienced a laptop theft, and many could not determine the impact of the loss for their organization.

The process of encryption involves using some type of secret (such as a password) to form a key. The key is used in a transformation algorithm to make the information to be protected unreadable. Only when the key is used again (with the right password) in a process of decryption can the original information be read and used. There are a variety of key types and the length of a key is one factor that determines its protection strength. Key lengths of 128 bits are common and considered strong enough for most applications, but attack technologies are always improving and longer keys are sometimes recommended.

Focusing on portable devices, there are now a wide variety of encryption methods available to businesses. A recent Ponemon Institute study found that encryption in mobile devices is the top priority in a majority of organizations. Encryption solutions can be categorized in five main categories: (1) file encryption, (2) encrypted disk partitions, (3) encrypted containers, (4) whole-disk encryption, and (5) self-encrypting hard drives. For file encryption the transformation is done to individual files located on some storage device. This method is appropriate when there are only a few files to be protected (such as on USB keys). Encrypted disk partitions use a portion of a disk drive to create an encrypted store, protected by a secret. Any files placed into the partition are automatically encrypted and can only be read if the proper key is used again. Encrypted partitions are useful when there are large collections of files that need to be protected. Encrypted containers are similar to encrypted partitions, but a special container file is created on an existing partition and then mounted as a new drive. Once the proper key is provided, all files stored on the container drive are automatically encrypted. Encrypted containers are popular for applications where a large number of files need to be encrypted but the user does not want to repartition a hard drive.

In whole-disk encryption an entire disk is protected so none of the information can be read without the proper key. This is suitable for applications where all the data on a disk needs to be protected, even temporary files stored by the OS and applications, or in cases where users are not able to determine what information needs to be protected and what does not. Whole-disk encryption is an easy-to-use, automatic solution suitable for many business laptops. Self-encrypting hard-drives contain special encryption hardware that protects all of the information on the drive all of the time. The Trusted Computing Group has recently completed technical standards for these devices and manufacturers such as Seagate are now offering drives with this capability. Self-encrypting USB keys with special encryption hardware are also available from companies such as IronKey and Sandisk.

Most operating systems support encryption

Most computer operating systems offer some form of encryption. Microsoft Windows (including XP, Vista, and Windows 7) offers the Encrypted File System (EFS) in its premium editions (not the Home or Basic editions), and this can be used to protect individual files and folders. The secret used to create the encryption key is usually the user’s computer password, although other key methods are available. Microsoft also offers (in its premium editions of Vista and Windows 7) a form of whole-disk encryption called BitLocker. For Apple computers, OS X supports FileVault, which can be used to encrypt a user’s home folder. In addition the Disk Utility application can be used to create an encrypted container. Most of the popular Linux distributions also support whole-disk encryption, encrypted partitions, and encrypted containers.

There are also third-party providers that offer powerful encryption solutions. PGP Corporation offers a full range of enterprise products for desktop computers, servers, and mobile devices (such as Windows Mobile smart phones). TrueCrypt is another popular, free, open-source encryption solution that supports whole-disk encryption, encrypted partitions, and containers. TrueCrypt containers can also be used across different platforms, making it popular for businesses using multiple operating systems.

Even with all of these encryption methods, adoption of encryption technologies remains slow. Businesses may have a number of concerns when it comes to encryption. One unfounded concern is that encryption will slow down the performance of disks or applications. Although the initial encryption operations can be slow if there is a large amount of information to encrypt, once the files or partition are encrypted there is usually negligible impact on day-to-day operations. According to Tim Matthews, Senior Director of Product Marketing at PGP, the overhead caused by encryption is usually 1-3%.

Another concern is lost keys or forgotten passwords. Normally, encrypted data cannot be decrypted without supplying the proper key, and that key is usually protected with a secret password. If the key is lost or the password is forgotten (or an employee leaves the company), it will not be possible to decrypt the data. For laptop systems this may not be a serious concern since most data on a laptop should also be stored elsewhere in an organization. When data recovery is important, enterprise encryption solutions such as the PGP products provide a variety of ways to recover encrypted data. For example, PGP supports having multiple whole-disk encryption passwords, so an administrator could have a password in addition to the end user.

PGP also offers a comprehensive key management system where keys are produced and administered at a central server. This allows help desk staff to provide one-time recovery keys in the case of emergencies or managed key recovery procedures if an employee leaves a company. Tim Matthews states that one of the powerful features of PGP’s integrated solutions is that the organization can set policies about where encryption is to be used, and then it can become automatic and transparent. When a smart phone or a USB drive is introduced to the organization, for example, the policies and encryption technologies can ensure that any data copied to those devices are automatically encrypted.

Laptops will be lost and stolen. Storage media will go missing. Internet vulnerabilities will continue to happen. Businesses need to examine the variety of encryption technologies available to them. They have the option of deploying encryption in an ad-hoc fashion using one of the OS methods or perhaps the free TrueCrypt utility, or they can opt for a complete enterprise solution such as the ones offered by PGP. With all of the solutions available, there is really no excuse for businesses to be vulnerable to these events.


Airport Security Screening and Your Personal Privacy

A number of technologies are used to collect personal information during airport security screening. First, identification documents are used, including citizenship cards and passports. These documents record a variety of personal information, such as name, address, age, gender, and citizenship. These documents might also contain electronic devices that store personal information, such as magnetic stripes and Radio-Frequency Identification (RFID) chips.

Identification documents are usually used in combination with one or more databases. These databases might be owned and operated by the airline, the security agency doing the passenger screening, or other government agencies. Information from the documents is matched with database records to retrieve further information about the passenger. This might include frequent flier account numbers, travel records, or assessments of security risks.

The boarding cards given to the passengers also record some personal information, such as the name and travel itinerary. Special codes can also be printed on the boarding cards to relay information about security risk assessments to the security screening staff so that a passenger can be given more attention. Electronic boarding cards, sometimes stored on smart phones as two-dimensional bar codes, are starting to appear.

Biometric information is sometimes collected during airport security screening. Frequent traveler programs, for example, can allow people to use shorter security screening lines. In order to qualify for such a program the traveler often has to provide biometric information (such as fingerprints and face images) and detailed personal information that is used during a background check.

The x-ray scanners used to examine carry-on luggage can also collect personal information related to the contents of the bags being scanned. People carrying items of a personal nature may be embarrassed if the contents of their bags are disclosed.

There are many other surveillance technologies that can be used during airport security screenings, and these may or may not collect personal information. Explosives residue detection tests that involve swabbing a passenger’s belongings, usually laptop computers, are commonly used. More advanced “puffer” machines, where nozzles direct air bursts at the passenger and sniffers then sample the air for explosives-related particles, have been tried but they have proven to be unreliable and they are being abandoned. Advanced x-ray technology is also being introduced. Millimeter wave scanners (also called backscatter x-ray machines) are able to scan a passenger’s entire body and view within clothing to the skin, allowing hidden objects (and body parts) to be seen. Such technology has obvious privacy implications.

Video surveillance cameras and face recognition systems can also be used for passenger surveillance. Modern technology is able to scan the faces of people without their knowledge as they move through the security lines. The faces can be matched to a watch list and, although historically the performance rates have not been ideal, the matching technology is improving all the time.

Behavioural monitoring and profiling technologies are also being developed. Traditionally, trained human experts do behavioural monitoring but automatic technologies are starting to appear. These technologies use surveillance cameras and algorithms to automatically detect suspicious behaviours and typical profiles of interest. The profile information might include age, gender, and ethnicity. The behavioural monitoring might scan for signs of nervousness, profuse sweating, attempts to have covert conversations, etc. Such behavioural technology is in its infancy and it is not clear how successful it will be.

Personal information can be shared between security systems. As mentioned above, information from risk assessment databases is already transferred to boarding cards so that some passengers can be subjected to more detailed screenings. Information could also be shared between x-ray systems and explosive residue tests, such that suspicions raised by one test would lead to a more detailed screening in the other test. Similarly, profile information and face recognition technology could be used to feed information to behavioural monitoring systems.

The sharing of personal information can also go beyond local security systems. Travel records and the results of security scans can be entered into databases, for example, and this information could determine the level of screening to be done on future trips. The databases could be local in scope or they could be national databases. International databases are also in place, so that people of interest can be identified regardless of where they travel. Canada and the United States, for example, seem to at least partially share a no-fly list.

Personal information can be accessible to unauthorized users in a number of ways. This might occur if security personnel act outside of their assigned roles and positions, proceeding to access personal information that they don’t require for their job, either out of curiosity or for malicious purposes. Security staff could also borrow (or steal) other users’ passwords or tokens in order to gain access to systems or places. Outsiders might also be able to access personal information if the workplace and electronic systems are not kept secure. If people are able to physically enter the security zones of an airport they could gain access to personal information by reading documents or operating machines. Outsiders might also gain electronic access by breaking into data networks and systems.


Identity theft is usually an equal opportunity, unsophisticated crime

Identity theft, the misuse of someone’s personal identity to commit fraud, is a large and growing economic and legal problem. Identity theft has become the most prevalent form of fraud, resulting in billions of dollars in losses.

ID theft is often considered a “white-collar” crime because it is committed during the course of normal employment duties (e.g., a bank employee gathering personal information), or the crime does not usually involve any physical harm. Identity thieves are often portrayed as sophisticated computer specialists, hackers, or organized networks. But, is this the reality?

A recent research report by Heith Copes (U Alabama at Birmingham) and Lynne Vieraitis (U Texas at Austin) has shed some light on this issue. Copes and Vieraitis searched federal court records in the US for people convicted of identity theft and then tried to find out where they were serving their sentences. They were able to find 297 inmates, from which they sampled 59 inmates in 14 prisons across the country. The convicts agreed to do detailed interviews, in private, to talk about themselves and their crimes, and the results are reported in a recent issue of Criminal Justice Review.

It turns out that identity theft is an equal-opportunity crime. The thieves were just about equally often men or women, black or white, from poor backgrounds or from middle/upper class families. The ages ranged from 23 to 60. About 52% of the criminals were employed at the time of their crimes, and only 35% used their employment status to facilitate their crime (most often mortgage fraud). Most of the ID thieves had been arrested for other crimes before, but some said they stopped doing other crimes because they could make more money stealing identities.

The most common method for obtaining identity information was to buy it, often from employees of banks, mortgage companies, and government agencies. Identity information could also be bought off the street from petty criminals often fuelling drug habits. Other methods of obtaining IDs were robbing mailboxes and going through trashcans. Sometimes, victims willingly gave up their IDs in exchange for a portion of the fraud profits.

The most common method of converting identities into cash was to apply for credit cards using the false identity. These cards were then used to buy goods to be kept, returned for cash, or sold on the street. Buying gift cards was very popular because they could be quickly sold. Instant credit offers from big box stores were also a favourite.

Taking out new loans and mortgages was also a common form of cashing. ID thieves sometimes deposited bad cheques into newly opened accounts, using the false ID. After a couple of days, the cash would be withdrawn before the cheques could bounce. ID thieves would even create additional documents to complete a false identity, sometimes forging realistic copies and sometimes paying agency employees to issue the documents.

So, how do we understand identity theft? According to Copes and Vieraitis, “it is best categorized as an economic crime committed by a wide range of people from diverse backgrounds through a variety of legitimate (e.g., mortgage broker) and illegitimate (e.g., burglar) occupations.”

As to the issue of whether these are white-collar criminals: “Despite public perceptions of identity theft being a high-tech, computer driven crime, it is rather mundane and requires few technical skills. Identity thieves do not need to know how to hack into large, secure databases. They can simply dig through garbage or pay insiders for information. No particular group has a monopoly on the skills needed to be a capable identity thief.”

Reference
Copes, H., and Vieraitis, L.M. (2009). Understanding identity theft: Offenders’ accounts of their lives and crimes. Criminal Justice Review, 34(3), 329-349


Michael Geist on the misleading case being made for new lawful access laws

Lawful access refers to the requirement that telecommunication providers, including ISPs, allow law enforcement agencies to track and monitor communications (e.g., wire tapping). Canada has been considering changes to its lawful access laws for some time, and the latest attempt is a new set of legislation currently being debated. The new rules would require the release of customer information (name, telephone, IP address) without court oversight (i.e., without a warrant). In this article Michael Geist digs into the case being held up as an example of the need for new legislation and finds that no ISP records were even requested, and yet an arrest was made using the current laws. Interesting reading…

Van Loan’s Misleading Claims: Case for Lawful Access Not Closed

Last June, current Public Safety Minister Peter Van Loan tabled the latest lawful access legislative package. Much like its predecessors, the bill establishes new surveillance requirements for Internet service providers. In an about-face from the Day commitment however, it also features mandatory disclosure of customer information, including name, address, IP address, and email address upon request and without court oversight.


Trust marks increase ecommerce conversion rates

I was interviewed for an article on the InfoExecutive web site about the effect of trust marks on ecommerce transactions. The article comments on a recent study by McAfee reporting a 10% increase in completed transactions when their trust mark appeared on an ecommerce web site. It is an interesting study because they used an A/B design where half the visitors saw a site with the trust mark while half did not. The interesting question is whether a 10% increase in completion rates is a good finding or a weak one. Also, would any old trust mark have had the same effect, even one the website made up?

Consumers look for e-commerce ‘trustmarks’ – McAfee

Digital window shoppers wandering through cyberspace may be click-happy, but turning browsers into buyers is just as difficult on the World Wide Web as it is in the bricks and mortar marketplace. And sometimes, the determining factor in making the sale is a simple security cue, according to a recent study by McAfee Inc.

The report looked at the behaviour of 163 million online shoppers and found that when a security cue like McAfee’s SECURE trustmark was shown to online consumers, sales conversions were 10.85 per cent higher in that group compared to those who were not exposed.


Canada going ahead with strip search scanners at airports

Sun Media has learned that Canada is installing backscatter x-ray machines at airports. These scanners, which use extremely high frequency millimeter waves, are able to see under clothes to reveal anything hidden within the clothes, including all body parts. The resulting scans are very revealing, with all the body parts visible.

There are a couple of noteworthy quotes from the article that suggest that the deployment has not been fully thought out:

“The scanner took much more time to process travellers than a regular pat-down or metal detector.” The machine was actually able to scan 10% of the target number of passengers per hour. I look forward to waiting in line for this one.

Concerning whether to include optional software to blur the genital regions, a CATSA spokesman said: “Once we purchase the technology, then we will see how we will use it and deploy it.” Would it not make more sense to figure this out before money is spent and the machines are used, especially since this is a fundamental privacy issue?

Apparently, a privacy impact report has been submitted to Canada’s Privacy Commissioner. It will be interesting to see what the response is.

Green light for scanners

The Canadian Air Transport Security Authority is charging ahead with plans to buy seven controversial virtual strip search scanners, but has decided against genital blurring software to go with them.

According to documents obtained by Sun Media under Access to Information, CATSA is recommending Transport Canada accept the scanner for use in Canada even though a seven-month trial at Kelowna International Airport showed the machine didn’t meet the security agency’s expectations.
