Security concerns prompt Safe Harbor Web site changes –

Because of security concerns, two features were removed last week from a U.S. government Web site designed to aid the flow of personal information and commerce between the U.S. and the European Union, according to a notice posted on the Web site.

A self-certification form and the "Safe Harbor list" were removed last Thursday from Safe Harbor, a Web site operated by the U.S. Department of Commerce, "in order to review the security of the information submitted to the Department by U.S. organizations," according to a posting on the site. The Department of Commerce did not return repeated calls seeking comment for this story.

Though the data in question was removed from the site when security questions were raised, "we haven't found any compromised data," said a Department of Commerce official.

Sensitive information that could potentially have been exposed includes sales levels and numbers of employees of member companies, said the official, adding that it's not clear yet whether that information did in fact become available. Seventy-two companies are involved in the Safe Harbor program including Microsoft Corp., Intel Corp. and Hewlett-Packard Co.

Despite sections of the Web site being offline, Safe Harbor is "still taking plenty of inquiries each day" via fax, the official said.

The Safe Harbor site was established to help smooth over differences in the way the E.U. and the U.S. regulate online privacy and to aid in cross-border commerce. In 1998, the E.U. passed the Directive on Data Protection which prohibits the transfer of personal information to non-European nations who don't meet with standards set out in the directive. In order to ensure continued flow of information, the U.S. created a "safe harbor" system -- implemented in the Safe Harbor Web site -- for U.S. companies doing business in Europe.

Companies involved in the Safe Harbor program include Microsoft Corp., Intel Corp. and Hewlett-Packard Co.

When agreeing to become a Safe Harbor member, a company pledges to make the information it has gathered about individuals accessible, changeable and secure. Companies must also notify users that information is being collected and why, give them the opportunity to opt out and may only pass the information on to other Safe Harbor or Directive on Data Protection-compliant bodies.

The two removed features are expected to be reintroduced soon, "hopefully by tomorrow," the Department of Commerce official said.

"We're not going to fast-track this," the official said. "We're going to look at this very carefully."

The Department of Commerce, in Washington, D.C., can be reached at +1-202-482-5151, or online at

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon