Monthly Archives: April 2013

01-15 April 2013

Biometrics

US – EPIC Sues FBI Over NGI Database

The Electronic Privacy Information Center (EPIC) has filed a Freedom of Information Act lawsuit against the Federal Bureau of Investigation (FBI) to get access to documents outlining the “Next Generation Identification” (NGI) database. The database contains biometric identifiers—including fingerprints, DNA profiles, iris scans, palm prints and voice identification profiles—of millions of American citizens. The complaint filed by EPIC stated, “When completed, the NGI system will be the largest biometric database in the world.” The FBI plans to use the database to match information with data gleaned from outlets such as CCTV. [EPIC press release]

CH – Swiss Researchers Investigate Unique Breathprints

Swiss researchers have discovered a way to identify humans through their unique breathprints. In a research paper titled, Human Breath Analysis May Support the Existence of Individual Metabolic Phenotypes, researchers conclude that individual signatures of breath composition exist, suitable enough to identify humans. [Source]

Canada

CA – Revelations Continue in Student Loan Incident

Information continues to trickle in, revealing the true import of the external hard drive loss that has exposed personal information about 583,000 Canadian student loan borrowers. This week the public has discovered the drive also contained business plans and financial information about the Canada Student Loan program, along with “investigative reports” on applicants whose eligibility was questionable. Privacy Commissioner Jennifer Stoddart continues to investigate the data loss, which also includes a missing USB stick, and that inquiry has grown to include the Department of Justice. [Ottawa Citizen]

CA – Ontario Embraces World-Class Standard of Privacy Protection

Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, introduced an information centre designed to further educate and advise members of the Ontario Public Service (OPS) on the best privacy practices, thus ensuring excellence in the protection of personal information. The Privacy by Design Centre of Excellence is a joint project between the Office of Information and Privacy Commissioner and the Ministry of Government Services (MGS). This new centre will further engrain a culture of privacy offered as the default, in all new and existing Ontario government programs. It provides tips and guidance into best practices for privacy protection, as well as educational materials and additional resources. Example materials include white papers and case studies from various sectors including telecommunications, technology, healthcare, transportation, and energy. The centre is a resource for the numerous professionals in the Ontario Public Service responsible for project design, information management, architecture management, and customer service in a broad array of institutions ranging from provincial agencies to municipal boards and commissions, to police service boards, to school boards and many more. [Source]

CA – Nunavut MLAs Meet on Language, Privacy Reports

Regular members of Nunavut’s legislative assembly will hold hearings April 16 to 18 in Iqaluit to discuss the most recent annual reports of the languages commissioner and the privacy commissioner. The MLAs say they want the Government of Nunavut to “publicly account” for its actions to their recommendations and to those of the privacy commissioner’s recommendations “concerning the important issues of access to information and protection of privacy,” said Louis Tapardjuk, standing committee co-chairperson. Recently, the GN responded to privacy commissioner Elaine Keenan Bengts’ 2011-12 annual report, tabled last October in the Nunavut legislature, and some of its concerns. Those included concerns about a surveillance project that gathers health information about all Nunavut mothers and babies from before birth up to age five, which the report found could be highly invasive of personal privacy. In her response, Nunavut Premier Eva Aariak said “the use of personal information for this project did receive the proper authorization.” [Source]

Consumer

US – State AGs and Facebook Align to Educate Youth

The National Association of Attorneys General (NAAG) and Facebook are launching plans to educate children and their parents about privacy and online safety. NAAG President and Maryland Attorney General Doug Gansler said, “There are more and more parents now who understand Facebook and how it works and how their children are using it but don’t necessarily understand the privacy settings and how they work.” The partnership will launch several different online tools, including a Facebook page featuring information on privacy settings, best practices and privacy control tips. [ABC News]

CA – Canadians Anxious About Privacy In the Face of New Technology: Poll

A significant number of Canadians do not feel they understand the privacy risks posed by new technologies and are not confident in their ability to protect their personal information, a new poll commissioned by the Office of the Privacy Commissioner of Canada suggests. Further, such concerns are affecting consumer choices. The telephone survey of 1,513 residents across Canada found that 56% are not confident that they understand how new technologies affect their privacy, a number that has increased steadily since the year 2000. Seven in ten Canadians also reported feeling that they have less protection of their personal information in their daily lives than they did 10 years ago. This declining confidence reflects a range of concerns Canadians have about sharing their personal information online. Many reported being very concerned about posting information about their location (55%) and contact information (51%). The majority (55%) said they have decided not to install, or have uninstalled, an app because of the amount of personal information they would have to provide, and 68% of Canadians say they have chosen not to use a site or a service because they were uncomfortable with the terms of the privacy policy. The survey found that while individuals’ concerns about the protection of privacy are high (66% are very concerned, with 25% of them saying they are extremely concerned), they often don’t take advantage of privacy protection options or information. For example, half of Canadians rarely or never consult online privacy policies and 54% do not take steps to limit tracking of their Internet activities. Other findings from the survey include:

  • 71% think protecting the personal information of Canadians will be one of the most important issues facing our country in the next 10 years.
  • 21% of Canadians think the federal government takes its responsibility to protect personal information seriously while only 13% feel businesses are serious about this responsibility.
  • 60% have asked an organization for an explanation of how it will use their information.
  • 97% would want to be notified by an organization if their personal information was compromised.
  • 73% who use the Internet are concerned about companies using their information to send them spam.
  • 81% think it is very important that websites actively inform them about what kinds of personal information they are collecting and how they use it. [Source]

US – Acxiom to Unveil Transparency Service

Consumer data broker Acxiom plans to introduce a service allowing consumers to access data collected about them. In recent months, the U.S. FTC has placed the data broker industry under the microscope. Acxiom Chief Marketing and Strategy Officer Tim Suther said, “We live in an era when transparency is important,” adding, “We’re listening to that and trying to be even more transparent with people who are interested in understanding what companies like Acxiom do with information.” The company said the service may be available later this year, but it is working on identity theft protection and other logistical obstacles. [Financial Times]

WW – Why Consumer Privacy Decisions Aren’t Always Rational

The New York Times profiles the work of Carnegie Mellon behavioral economist Alessandro Acquisti. Acquisti’s research “has shown that despite how much we say we value our privacy—and we do, again and again—we tend to act inconsistently,” the report states. Policy-makers, his research has proposed, should learn more about how consumers actually behave because, as consumers, “we don’t always act in our own best interest”—suggesting that user control can sometimes be an illusion. Samford University Prof. Woodrow Hartzog said, “His work has gone a long way in trying to help us figure out how irrational we are in privacy-related decisions,” adding, “We have too much confidence in our ability to make decisions.” [New York Times]

WS – Samoa Air Introduces ‘Pay-As-You-Weigh’ Fare Policy

Samoa Air has become the first airline in the world to charge passengers by weight. Instead of a flat rate per seat, the airline will charge passengers a fixed price per kilogram, with the price varying depending on the route. The pay-as-you-weigh system was announced on the airline’s website. “We at Samoa Air are keeping airfares fair, by charging our passengers only for what they weigh. You are the master of your Air ‘fair’, you decide how much (or little) your ticket will cost. “No more exorbitant excess baggage fees, or being charged for baggage you may not carry. Your weight plus your baggage items, is what you pay for. Simple.” The airline posted the news on its Facebook page, getting mixed reaction. [Source]

E-Government

US – Opinion: Increased Gov’t Data Sharing Mandates Increased Oversight

While it may be a “natural application of Big Data” for government agencies to search already collected information about U.S. citizens for suspicious patterns of behavior, Alex Howard, writing for O’Reilly Radar, says the expanded rules on government data sharing that went into effect last year are concerning. First reported by Julia Angwin at The Wall Street Journal, these new database search powers, Howard argues, are unlikely to be sufficiently checked by the privacy professionals who were bowled over when they objected to them in the first place. [O’Reilly Radar]

US – Report: Law Poses Security Risks, Could Violate Privacy

A report by the National Academy of Public Administration (NAPA) says a law requiring the personal financial information of 28,000 federal workers to be posted online poses a national security risk and could violate privacy. The STOCK Act requires the data be available online by April 15 for public searching, sorting and downloading. NAPA concludes that transparency “does not necessarily equate to unrestricted accessibility when it comes to thousands of federal employees’ sensitive financial information,” and “considerations must be made for balancing transparency and privacy needs appropriately and in a way that does not expose federal employees to unnecessary risk.” [USA TODAY]

E-Mail

US – IRS Claims It Can Read Your E-Mail Without A Warrant

According to Internal Revenue Service (IRS) documents obtained by the ACLU, Americans have “generally no privacy” in their e-mail and social media communications. A 2009 IRS handbook obtained by the ACLU says, “e-mails and other transmissions generally lose their reasonable expectation of privacy and thus their Fourth Amendment protection once they have been sent from an individual’s computer.” An ACLU spokesman said the IRS “should formally amend its policies” to require a warrant prior to accessing e-communications. There has been growing consensus of late to update the Electronic Communications Privacy Act to require warrants by law enforcement prior to accessing electronic communications. [CNET News] UPDATE: [IRS Refutes Breach of Privacy Claims]

US – After Searches, Harvard Orders E-Mail Policy Review

In the wake of a “secret search” of e-mail accounts belonging to 16 of the university’s deans, Harvard President Drew Faust has ordered a review of e-mail privacy policies, describing the inconsistency across the university as “highly inadequate.” Calling the lack of e-mail privacy policies an “institutional failure,” Faust plans to form a task force to develop recommendations on e-mail guidelines. Faust has also asked an independent attorney to investigate the e-mail searches “and to verify that the information provided so far is a full and accurate description of what actually happened,” the report states. [COMPUTERWORLD]

Electronic Records

WW – The Potentials and Risks of Data Science

Columbia University’s new Institute for Data Sciences and Engineering emphasizes the importance of educating a broader swath of society. Google Chief Information Officer Ben Fried expressed concern that “the technology is way ahead of society” and warned against only having an intellectual elite who understand the implications of Big Data—a situation that could cause “a runaway technology or a public rejection.” Fried added, “I think it is a mistake if conversations about this technology leave out the humanities.” Meanwhile, one consulting firm notes that Big Data could save U.S. citizens as much as $450 billion in healthcare costs. [The New York Times]

EU Developments

EU – WP29: Consent “Almost Always” Required

A new opinion issued by the Article 29 Working Party (WP) states that “free, specific, informed and unambiguous ‘opt-in’ consent” is almost always necessary when organizations want to use previously collected personal data in Big Data projects. The exception may be Big Data projects that involve detecting “trends and correlations.” The WP also said businesses should provide consumers with access to their “profiles,” knowledge of the underlying logic of how the profiles were created and allow consumers to correct and share the information in them. The opinion includes a four-factor criterion to help determine whether businesses’ processing activities are compatible with the purposes for which the data was first collected. [Out-law.com]

EU – Europe Launches Controversial Crime-Fighting Database

The Schengen Information System II (SIS II), after substantial delays, has launched. SIS II is a centralized database that aims to help security officials exchange information more quickly and efficiently within the Schengen zone, where people can move freely. “It’s important for member states to exchange data among one another more closely and join forces in fighting crime—as a counterbalance to the absence of border controls,” said a spokesman for Germany’s Federal Ministry of the Interior. But privacy authorities including Germany’s Federal Commissioner for Data Protection and Freedom of Information Peter Schaar have taken issue with the centralization of such data, and have called for uniform standards across Europe on how the data can be used and who has access. [Deutsche Welle]

EU – Reding and Holder Discuss Online Privacy Protection

EU Justice Commissioner Viviane Reding met with U.S. Attorney General Eric Holder to discuss a range of issues including data protection initiatives and other collaborative efforts between the European Commission (EC) and the U.S. Justice Department. Among more specific topics, the officials discussed online protections for children and ongoing data-sharing efforts. According to an EC press release, “Each noted recent progress made, and both sides were optimistic in reiterating their determination to finalize negotiations as rapidly as possible.” Meanwhile, the UK government is not backing efforts within the proposed EU data protection regulation to instill a “right to be forgotten.” [The Guardian]

EU – Euro Task Force Initiates Enforcement Measures Against Google

A taskforce of data protection agencies has begun follow-up measures against Google after the company failed to fix flaws in a new privacy policy. The taskforce is led by France’s data protection authority, the CNIL, and includes authorities from the UK, Germany, Italy, Spain and The Netherlands. The CNIL says it has notified Google of the inspection’s initiation, which follows a March 19 meeting between the company and the regulators that ended in deadlock. “The authorities’ goal is not to fine Google,” said a CNIL spokeswoman. “The goal is for Google to be in line with what we demand.” Meanwhile, the company’s forthcoming “Google Glass” is raising privacy concerns in the U.S. [CNIL] [CNET: Europe continues privacy tussle with Google]

UK – ICO Performance Report Is “Mixed Bag”

A recent report by the Commons Justice Select Committee on the performance of the Information Commissioner’s Office (ICO) includes both supportive and troubling news for the agency. The committee backed the ICO’s intention to place NHS bodies and local authorities under compulsory audits. The article suggests the ICO’s view of the committee’s report was accurate when the ICO said, “the picture that emerges (of the ICO) is of a regulator that is delivering, that is relevant and that is efficient” but cautions the ICO also faces funding issues and is “running out of road and cannot absorb further cuts to the FOI budget without adversely affecting performance.” [Mondaq]

Facts & Stats

WW – Opinion: Top Five Threats of 2013

Columnist Melissa Riofrio lays out the top five online privacy threats in 2013, including the proliferation of cookies, law enforcement’s seizure of cloud data, the ease of locating users by their smartphones, facial recognition software and looming government concerns about cybersecurity. “This year’s online threats to privacy will continue to grow unless Congress and other decision-making bodies offer some meaningful support for privacy,” Riofrio writes, adding, “it all boils down to a matter of openness versus secrecy.” [PCWorld]

Finance

WW – Secret Files Expose Offshore’s Global Impact

A cache of 2.5 million files has cracked open the secrets of more than 120,000 offshore companies and trusts, exposing hidden dealings of politicians, con men and the mega-rich the world over. The secret records obtained by the International Consortium of Investigative Journalists lay bare the names behind covert companies and private trusts in the British Virgin Islands, the Cook Islands and other offshore hideaways. They include American doctors and dentists and middle-class Greek villagers as well as families and associates of long-time despots, Wall Street swindlers, Eastern European and Indonesian billionaires, Russian corporate executives, international arms dealers and a sham-director-fronted company that the European Union has labeled as a cog in Iran’s nuclear-development program. The leaked files provide facts and figures (cash transfers, incorporation dates, links between companies and individuals) that illustrate how offshore financial secrecy has spread aggressively around the globe, allowing the wealthy and the well-connected to dodge taxes and fueling corruption and economic woes in rich and poor nations alike. The records detail the offshore holdings of people and companies in more than 170 countries and territories. The hoard of documents represents the biggest stockpile of inside information about the offshore system ever obtained by a media organization. The total size of the files, measured in gigabytes, is more than 160 times larger than the leak of U.S. State Department documents by WikiLeaks in 2010. To analyze the documents, ICIJ collaborated with reporters from The Guardian and the BBC in the U.K., Le Monde in France, Süddeutsche Zeitung and Norddeutscher Rundfunk in Germany, The Washington Post, the Canadian Broadcasting Corporation (CBC) and 31 other media partners around the world. Eighty-six journalists from 46 countries used high-tech data crunching and shoe-leather reporting to sift through emails, account ledgers and other files covering nearly 30 years. [Huffington Post]

US – FTC Sends FCRA Warning Letters to Six Companies

The Federal Trade Commission (FTC) has sent letters to six companies warning them to “double-check” their Fair Credit Reporting Act (FCRA) responsibilities. The selected companies specifically collect information about the rental histories of tenants and share the data with potential landlords, the FTC press release states. “If you assemble or evaluate information on individuals’ rental histories,” the release states, “and provide this information to landlords so that they can screen tenants, you are a consumer reporting agency that is required to comply” with FCRA. [FTC]

FOI

US – Industry Pushes Back on State’s Right to Know Act

There is an industry backlash against California’s proposed “Right To Know Act.” If the bill passes, it would require companies to disclose their data-use practices to California consumers upon request. A coalition of businesses and trade groups—including the Internet Alliance, TechNet and TechAmerica—have written to the bill’s sponsor, Assemblywoman Bonnie Lowenthal (D-Long Beach), urging that she “not move forward” with the bill, citing its “costly and unrealistic mandates.” Nicole Ozer of the ACLU—which co-sponsored the bill—said there is “real impact for individuals when they don’t know how their information is being collected and when it is being shared in ways they don’t want.” [The Wall Street Journal] [CSO Online] [CNET]

Genetics

US – DNA Project Aims to Make Public a Company’s Data on Cancer Genes

The New York Times reports on a privately owned database containing information on DNA mutations that increase cancer risk and a corresponding grassroots project aimed at making that data public. Owned, built and kept private by Myriad Genetics, the database contains millions of tests on genetic mutations—data to which several researchers want access. The project, Sharing Clinical Reports, asks cancer clinics and doctors around the country to share all Myriad data they have from patient tests, and, according to the report, none of the data contains patient identifiers. On Monday, the Supreme Court will also hear a case that may determine whether two patents of genes owned by Myriad are legal. [NYT]

Google

WW – Google Adds Cookie Notification to EU Search

Google has added cookie notification language on its search and results pages to users in the EU. The company has also reportedly switched from using the Digital Advertising Alliance icon to its own “i” icon information. AdWeek reports on the implications of third-party cookie blocking for large and small businesses. “In a cookieless world, publishers with business models that naturally collect strong names and addresses and other personally identifiable information (PII) are going to be able to…connect to CRM databases,” an Acxiom representative said, adding, “For publishers that have a weak PII story, they’ve been more heavily reliant on the cookie world.” [AdWeek]

WW – Google Privacy Chief Stepping Down

Google’s first director of privacy plans to retire. Alma Whitten, named director of privacy in 2010 following controversy over Google’s Street View and Buzz services, was tasked with overseeing product development at the company to prevent against future privacy mishaps. She led the privacy team that saw the merging of Google’s 70-plus privacy policies into one. Whitten will be replaced by Google engineer Lawrence You, who will now take over a privacy team consisting of several hundred individuals. [Forbes]

WW – Google Rolls Out New Inactive Account Manager

Google announced a new service it’s calling Inactive Account Manager. It lets users designate “trusted contacts” to receive their Google data in the event of their death or inability to access their Google products. It also, however, allows users to have their information deleted automatically following a specified period (three, six, nine or 12 months) of inactivity. Kashmir Hill notes in Forbes that some have already taken to calling the service “Google Death Manager” and wonders how you’ll use it. [Google Blog]

Health / Medical

US – Court: HIPAA Trumps Florida Disclosure Law

The 11th U.S. Circuit Court of Appeals has ruled unanimously that a federal law requiring licensed nursing homes to disclose deceased residents’ medical records only to a designated “personal representative” trumps a Florida state law allowing disclosure to individuals including spouses, guardians, surrogates or attorneys who request them. Judge Susan Black wrote in the court’s decision: “The unadorned text of the state statute authorizes sweeping disclosures, making a deceased resident’s protected health information available to a spouse or other enumerated party upon request, without any need for authorization, for any conceivable reason, and without regard to the authority of the individual making the request to act in a deceased resident’s stead.” [The Miami Herald]

US – Company Stores Doctors’ Records, Serves Patients Ads

A US company is offering doctors cloud-based electronic medical records software. Practice Fusion stores health data for 150,000 providers on 690 million patients. Its primary business is putting advertisements on those records via its relationships with testing and pharmaceutical companies. Ads are targeted to customers based on their medical records. Patient names and other identifiable information are not shared with advertisers, however. [The New York Times]

US – Groups Develop Trust Framework

The Texas-based Patient Privacy Rights Foundation, along with Microsoft and PricewaterhouseCoopers, has developed a “trust framework” for health IT systems. The framework includes 75 criteria based on 15 privacy principles to enable “objective measurement of how well health IT, platforms, applications, electronic systems and research projects protect data privacy and ensure patient control over the collection, use and disclosure of their health data,” the Patient Privacy Rights Foundation noted. The principles include elements available under current state and federal laws, the report states, as well as provisions indicating individuals should “decide who can access information” and “how and if sensitive information is shared.” [ModernHealthcare]

Horror Stories

WW – A Roundup of Recent Breaches

Following two recent breaches in Utah, one affecting 780,000 individuals, the state is taking steps to prevent future incidents. The health department is creating a data security office, and the governor recently signed a law that will see the implementation of security and privacy best practices there and in other government departments. In Iowa, Kirkwood Community College officials say hackers accessed a database containing applicants’ names, Social Security numbers and other personal information. And the VA medical center has alerted 7,405 patients of a breach involving an unprotected laptop containing their personal information. [GovInfoSecurity]

US – Potentially Massive Class-Action Moves Forward

A federal court has granted class-action status to a lawsuit claiming online tracking firm comScore secretly collected and sold Social Security numbers and credit card numbers as well as passwords and other personal data from consumer systems. The lawyer representing the two plaintiffs said this could be the largest privacy case to go to trial by way of class size and potential damages, the report states. ComScore says it captures approximately 1.5 trillion user interactions monthly—or nearly 40% of Internet page views. [COMPUTERWORLD]

US – Hannaford Breach Class-Action Decision

U.S. District Court Judge Brock Hornby has denied a plaintiff’s motion to certify a class action seeking damages stemming from a data breach at Hannaford Bros. The March 20 decision by Hornby noted that proving damages “required highly individualized determinations that could not be tried through proof common to the class as a whole,” and the article states that the “Hannaford case illustrates how damages issues, even in cases articulating a viable common damages theory, can still frustrate class certification.” Though Hornby denied an argument that a voluntary refund program offered by the company “provides a defense against class certification, such programs still provide a way to mitigate class damages, reduce potential overall exposure and retain customer goodwill.” [National Law Review]

US – Breach Roundup; Supreme Court Upholds Strict Harm Requirements

Oregon Health and Science University has sent data breach notification letters to 4,022 patients following the theft of a surgeon’s unencrypted laptop. The University of Mississippi Medical Center reports a password-protected laptop containing personal information on adult patients has gone missing, and Utah’s Granger Medical Clinic has notified patients of a potential breach after 2,600 medical appointment records scheduled to be shredded went missing. Meanwhile, Wilson Elser attorneys report on the recent Supreme Court ruling that upheld requirements for plaintiffs to prove harm that is “certainly impending” in order to have standing to sue in privacy cases. [HealthITSecurity]

US – GSA Reports Breach; VA Holds BYOD Plans

The U.S. General Services Administration recently alerted users of its System for Award Management that personal information was exposed due to a security vulnerability. The notice said registrants using Social Security numbers as identifiers may be at greater risk for identity theft. Meanwhile, InformationWeek reports the Department of Veterans Affairs has put on hold plans to allow employees to use their own mobile devices for work purposes. The department said it must resolve legal issues on confiscation and investigation of such devices before moving forward. [CNET News]

Identity Issues

US – Actress Loses Privacy Lawsuit Against IMDb.com

A jury has rejected claims by an actress that IMDb violated its own privacy policy by disclosing her date of birth. “It’s not known why the jury rejected actress June Hoang’s claim,” the report states. “But the trial did make at least one thing very clear: Lying about your age isn’t easy in the era of Big Data.” Hoang sued IMDb.com in 2011, alleging the company violated its privacy policy by accessing her credit card data, which was supposed to remain confidential. IMDb.com countered that the “fine print in its privacy policy gave it cover,” the report states. [Source]

WW – Mozilla Brands Persona as Password Killer

Mozilla’s Web site log-in alternative known as Persona unveiled a Beta 2 version. Now you can sign in to any Web site supporting Persona using a Yahoo Mail account. Persona, which is still in development, is an open authentication system that works on desktops and mobile devices. In addition to being able to log in using either your Persona ID or your Yahoo credentials, today’s release introduces support for Firefox OS, which means you can expect to use Persona to log in to any Firefox OS devices that launch later this year. It also includes back-end changes that make the log-in system work twice as fast as before, Mozilla says. The company boldly claims that Persona will also be a “password killer.” “Facebook and Twitter sign-in conflate the act of signing into a Web site with sharing access to your social network, and often granting the site permission to publish on your behalf. Sometimes this is what a user wants, but far too often it’s absolutely not,” said Lloyd Hilaiel, the technical lead for the project, in a post explaining Persona Beta 2. [Source]

US – Court Rejects 1st Amendment Balancing Test for Online Anonymous Speech

A Michigan appellate court ruled last week that state discovery rules provide adequate safeguards for anonymous online speech. The opinion is a significant deviation from the rulings of other state courts, which have applied a First Amendment balancing test to determine whether to grant discovery requests for the identities of anonymous online speakers. [Source]

CA – Feds Launched Wide-Scale Search in Hunt for Lost Student-Loans Data

The disappearance of an external hard drive in November triggered a sweeping search at the Human Resources and Skills Development Canada building where it was last seen, with cubicles swept, folders checked one-by-one, and cabinets moved around to leave no nook unchecked. Similar-looking hard drives were collected and scanned to see if they contained personal information on 583,000 student loan borrowers, but the missing drive couldn’t be located. The details are contained in emails and a security report about the loss of personal information, including names, addresses and social insurance numbers of Canada Student Loan recipients. The hard drive was used to back up information about the loan recipients, including HRSDC investigation reports, but wasn’t encrypted or password protected, a violation of federal policies on information management. As well, the security report notes the drive was stored in a secure cabinet that was not locked all the time — another violation of federal policies. “Two employees had access to the cabinet…the cabinet was not locked 100 per cent of the time,” reads the security report, filed on Nov. 29, 2012. The documents were released to Postmedia News under access to information law. [Source]

Internet / WWW

US – DHS Warns Personal Data on Public Websites Used in Phishing Attacks

The US Department of Homeland Security (DHS) is warning organizations not to post business and personal information on publicly accessible web pages because the data could be exploited in spear phishing attacks. The alert grew out of an incident last fall in which spear phishing campaigns targeted energy sector organizations. The attacks used information from a list of conference attendees, including names, email addresses and organizational affiliation, that had been posted on a public website. [COMPUTERWORLD]

WW – Hackers Steal Passwords from Scribd User Database

Document-sharing website Scribd says that hackers compromised as many as one million user passwords. The data were stored with an old hashing algorithm. A Scribd software engineer said that no accounts had been compromised. The company has contacted affected users and instructed them about how to change their passwords and make them more secure. [ZDnet] [NBC News]

WW – Privacy Focus Remains in Microsoft’s Ad Campaign

The third phase of Microsoft’s marketing campaign targeting Google’s privacy practices suggests Google is “more interested in increasing profits and power than protecting people’s privacy and providing unbiased search results.” The story suggests the ads, which one observer calls typical of an industry underdog, “say as much about the dramatic shift in the technology industry’s competitive landscape as they do about the animosity between the two rivals.” The new “Scroogled” ads, which began this week, criticize Google for sharing personal information gathered about purchasers of apps “designed to run on smartphones and tablet computers powered by Google’s Android software,” the report states. [The Boston Globe]

WW – EBay To Open Data to Marketers

EBay will now allow advertisers access to data on what products a consumer has bought in order to send targeted ads. The company has used such data to promote products to users, but it will now commercialize “that capability for the benefit of other marketers who want to reach shoppers,” said an eBay spokesman. “That’s something new this year.” But eBay risks alarming consumers who might have been okay with eBay showing them related products but who “expect eBay not to tell anybody else who they are.” [AdWeek]

Law Enforcement

US – Court Case Reveals FBI Stingray Details

Details of how the FBI uses cellphone surveillance technology have been revealed in a court case involving a suspected identity theft ringleader. Court documents note that Verizon reprogrammed the suspect’s air card to respond to silent incoming calls from the FBI causing the device to disclose its location. The government did not dispute the claims during a March 28 hearing in a U.S. District Court in Arizona. Electronic Frontier Foundation Staff Attorney Hanni Fakhoury said, “It shows you just how crazy the technology is…This is more than just (saying to Verizon) give us some records…This is reconfiguring and changing the characteristics of the (suspect’s) property, without informing the judge what’s going on.” [WIRED]

US – Google Fights U.S. National Security Probe Data Demand

Just a few weeks after U.S. District Judge Susan Illston created a bit of legal limbo around the U.S. federal government’s so-called National Security Letters (NSLs) by declaring them unconstitutional and putting her ruling on hold to allow for appeal, Google has stepped into the breach by refusing to comply with an FBI-issued NSL. According to a Bloomberg report, Google has challenged a demand by the FBI for private user information in what the Electronic Frontier Foundation believes is the first time a “major communications company” has decided not to comply with an NSL. Google outlines its policy toward NSLs online. The law allows judges to set aside requests by the FBI if they are “unreasonable, oppressive or otherwise unlawful.” [Bloomberg]

US – FAA to Host Online Drone Privacy Session

The Federal Aviation Administration (FAA) will host an “online public engagement session” on Wednesday to allow the public to express privacy concerns stemming from domestic use of drones. The FAA is seeking specific comments on a privacy protocol that would be implemented at its six drone testing sites. Public comments “are not intended to predetermine the long-term policy and regulatory framework under which commercial (drones) would operate,” the FAA has said, adding, “Rather, they aim to assure maximum transparency of privacy policies.” [The Washington Times]

US – Fed Appeals Court Restricts Phone Searches

The U.S. Court of Appeals for the Sixth Circuit has ruled that a school may not search a student’s phone, even if the student has a history of troubled behavior. G.C. v. Owensboro Public Schools also more specifically defined under what circumstances a student’s phone may be searched, and, according to the report, it is one of the “more significant rulings on student privacy rights.” [The Wall Street Journal]

Location

EU – Studies Say Mobile Apps View Too Much Data

France’s data protection authority, the CNIL, says mobile phone apps are accessing and processing an unnecessary amount of private data. The CNIL studied 189 apps on six smartphones. The aim was to analyze the nature of the apps, not to put blame on app developers, CNIL President Isabelle Falque-Pierrotin said. Meanwhile, security researchers at a Romanian-based firm are warning that mobile apps are becoming increasingly intrusive. Nearly 13% of apps disclose user phone numbers without the user’s consent. [PCWorld]

Online Privacy

PL – New Cookie Rules Make Opt-Out OK with Proper Info

According to SSW privacy lawyer Joanna Tomaszewska, changes to Poland’s telecoms laws mean a “very strict information duty” requiring website operators to inform consumers of cookie use and ways they can alter their cookie settings; however, if properly informed users do not change default settings, inaction will constitute “explicit consent.” The Office of Electronic Communications (OEC) has also been given the power to issue financial penalties of up to three percent of the previous year’s profits to companies that breach the rule. While noting that “it is too early to know how the OEC will impose penalties,” Tomaszewska said it is “rather unlikely” the OEC will levy a fine amounting to three percent of annual profits. [Out-Law]

US – Franken: Company’s Opt-Out Tracking Unsatisfactory

Sen. Al Franken (D-MN) has said that the opt-out policy used by Euclid Analytics is unsatisfactory because it requires consumers to go to the company’s website instead of asking consumers for permission. Franken sent Euclid a letter last month looking for more information about its privacy practices and on Monday released the organization’s response. “I am pleased that privacy is a priority for Euclid,” Franken said, “but their continued use of opt-out technology underscores the need for Congressional action to protect consumer location privacy.” Euclid CEO Will Smith said the company does not collect personal information, only provides metrics to its retailer clients and does “not have any plans to sell, rent or disclose” its data to any third parties. [The Hill]

AU – Report: Law Would Put Small ISPs at Disadvantage

Proposed data retention legislation may have impacts on small Internet service providers (ISPs). While the comments had not been made public previously, the government was cautioned a year ago by a Department of Broadband Communications and the Digital Economy adviser that small ISPs “faced the heaviest financial burden under data retention laws being sought by law enforcement bodies,” the report states. The proposed legislation is the subject of an inquiry by the Joint Parliamentary Committee on Intelligence and Security. Law enforcement officials have said they are not attempting to extend their powers, but advocates caution the laws are “too intrusive on privacy of innocent civilians,” the report states. [Australian IT]

Other Jurisdictions

US – Gov’t Report: IRS PIAs Need Improvement

A government report has revealed that the U.S. Internal Revenue Service (IRS) has not yet installed appropriate processes ensuring Privacy Impact Assessments (PIAs) are executed in a timely manner. The Treasury Inspector General for Tax Administration (TIGTA) report made a total of 11 recommendations to the IRS. The IRS agreed with nine of the recommendations but noted it has already implemented two of them, the report states. TIGTA Inspector General J. Russell George said, “The privacy of taxpayer information is essential to taxpayer confidence in the fairness and integrity of the American system of tax administration,” adding, “It is imperative that the IRS adopt our recommendations to ensure the effectiveness of this important initiative.” [Accounting Today]

MX – Mandatory Notice Guidelines to Go Into Effect

Littler Mendelson’s Javiera Medina Reza outlines Mexico’s new Privacy Notice Guidelines, which go into effect April 17. The mandatory guidelines bring requirements for data privacy notices and obtaining consent prior to collecting personal data in accordance with the Federal Law on the Protection of Personal Data Held by Private Parties, enacted in 2010. The Federal Institute for Access to Information and Data Protection (IFAI) may impose sanctions for noncompliance, and Reza writes that a recent IFAI decision leading to a fine of more than $162,000 for a company’s failure to fix problems with its privacy notice underscores the importance of complying with the guidelines. [Mondaq]

HK – PCPD Condemns Deceitful Octopus Card Marketing Practices

The Office of Privacy Commissioner for Personal Data (PCPD) has found that an insurance broker and a body-check service obtained personal information through deceitful means for direct marketing purposes. After receiving complaints from consumers, the PCPD investigated the companies and found that Hong Kong Preventive Association Limited had collected personal data from about 360,000 people under false pretenses, which it then sold to Aegon Direct for direct marketing. Privacy Commissioner Allan Chiang Yam-wang said while he hoped Octopus’s contraventions would serve as a “wake-up call…in many recent investigation cases, including this one, it was found that the data users still fell short of meeting customer expectations and compliance with the requirements of the ordinance.” [The Standard]

AU – Company to Launch Data Breach Insurance

Australian insurer Beazley Group plans to roll out data breach insurance in Australia at the end of this year. “There is certainly growing interest in this sector,” said Beazley Chief Executive Andrew Horton, noting data breach notification laws could get tougher. He added that data breaches happen in forms other than cyber threats, including when data is simply lost when a business moves from one location to another. The company launched the product in the U.S. five years ago and in the UK earlier this year. [Australian Financial Review]

AU – Advertisers Face Privacy Timebomb, Warns ADMA

Advertisers and agencies do not understand the significant fines they face under major new changes to the Privacy Act set to take effect within the next 12 months, says the Association of Data Driven Marketing and Advertising. The organisation said there is still little industry focus on how the changes will affect advertiser interactions with consumers, with breaches due to attract major fines of up to $1.1m. The association argues the changes will dramatically affect both agencies and advertisers, especially those marketing online using demand-side platforms and social media. Technology driven by demand-side platforms is allowing online advertisers to be increasingly sophisticated about how they target messages at users based on individuals’ browsing behaviour. Under the new laws, which begin in March 2014, the definition of personal information will broaden so that any information which identifies an individual, regardless of whether their name is included, will be classed as personal information and subject to the new regime. One group of marketers likely to be affected by the changes is the not-for-profit organisations, which may lack resources when it comes to legal compliance but generate funding through interactions with the public. [Source]

SL – Commissioner Challenges New Data Law as Unconstitutional

Andrej Tomsic, deputy information commissioner for the Republic of Slovenia, writes for EDRi-gram that his boss, Commissioner Natasa Pirc Musar, challenged on March 19 the national implementation of the Act on Electronic Communications before the Constitutional Court. Musar believes the new data retention provisions, which were enacted January 15, “do not respect the principle of proportionality and that they have been transposed into the national law in contrast with the provisions of the Data Retention Directive 2006/24/EC.” This will broaden data retention to all criminal offenses and anything in the “interests of the state,” along with civil litigation and labor law disputes. Musar hopes to have enforcement of the act suspended and the new provisions declared unconstitutional, which could take as much as a year. [EDRI]

SA – Bill Aims to Protect South Africans from Prying Eyes

Amid the vocal protest and fury over the “secrecy bill,” another protection of information bill has been crafted to protect South Africans from identity theft and unwanted electronic marketing. The Protection of Personal Information Bill has been a number of years in the making in Parliament’s justice committee. It has been approved by the National Assembly and awaits processing by the National Council of Provinces. The bill seeks to create a regime by which institutions such as banks, insurance companies and other businesses must manage the personal information of their clients. A key provision is the removal of the so-called negative approval under which electronic marketers operate. At present they can send SMSes and e-mails requiring the individual to “opt out” for the unwanted messages to stop. The new provision will allow one message to be sent, and if the recipient does not respond positively they may not send another. [Source]

Privacy (US)

US – IAB Asks FTC for Delay on New COPPA Implementation

Changes to the privacy rules within the Children’s Online Privacy Protection Act (COPPA), slated to be published by the FTC in the form of FAQs “sometime this month,” have prompted an industry advertising group to ask the FTC for a six-month delay on implementation. “It’s a complete makeover and that will take time,” said Interactive Advertising Bureau Senior VP and General Counsel Mike Zaneis, adding, “They’ll need time to determine if they can bear the burden of a strict liability regime or convert to a pay-for-content model.” Morrison Foerster Partner D. Reed Freeman, Jr., noted the changes are “a market-altering event…It won’t be the end of the world, but there will be a lot of fallout first.” [Source]

US – SCOTUS Refuses E-mail Privacy Case; Senate to Take Up ECPA Reform

The Supreme Court has declined to hear a case that could test the boundaries of federal protection of e-mail privacy. An appeal in Jenning v. Broome asked the court to resolve differing lower court rulings by a California appeals court and the South Carolina Supreme Court. Meanwhile, the U.S. Senate is prepared to mark up legislation that would mandate police obtain warrants prior to searching citizens’ e-mails, The Hill reports. Bill co-sponsor Sen. Patrick Leahy (D-VT) said, “Safeguarding Americans’ privacy rights is not a Democratic issue or a Republican issue—it is something that is important to all Americans, regardless of political party or ideology.” [Christian Science Monitor]

US – FTC Chairwoman Releases 2013 Annual Highlights

Newly appointed Federal Trade Commission (FTC) Chairwoman Edith Ramirez released the agency’s 2013 Annual Highlights, calling attention to several of its initiatives including protecting consumer privacy, challenging deceptive advertising and safeguarding children online. Ramirez said, “As we head into our second century, the FTC is dedicated to advancing consumer interests while encouraging innovation and competition in our dynamic economy.” [Source]

US – FTC Approves Computer Spying Final Order

The Federal Trade Commission (FTC) has approved nine final orders settling charges against seven companies and a software design firm, including two principals accused of using the software and computers to spy on customers. According to the FTC press release, “the respondents will be prohibited from using monitoring software and banned from using deceptive methods to gather information from consumers.” The settlements will also require the companies to get consent from users prior to using geophysical location tracking and to maintain records for the next 20 years to enable the FTC to assess compliance. [FTC]

US – Supreme Court Asked To Hear NebuAd Case

Two subscribers of Internet service provider (ISP) Embarq have asked the Supreme Court to determine whether the company violated existing privacy law when it partnered with NebuAd. Embarq was one of six ISPs that used NebuAd’s behavioral targeting services in 2007 and 2008, but some consumers have claimed the partnership violated federal wiretap laws. In a petition to the Supreme Court, two former Embarq subscribers wrote, “The present case illustrates the significant harm to societal interests in communications privacy if an ISP is considered to be permitted, in the ordinary course of its business, to sell its customers’ private communications to the highest bidder.” [MediaPost News]

Privacy Enhancing Technologies (PETs)

WW – Product Stops Third-Party Tracking

A California start-up’s product allows individuals to view which companies are tracking them online. The browser extension, Disconnect, aims to help users safeguard browsing history. First-party trackers are still permitted to follow a user, but the data won’t be shared with third-party websites, and ads won’t be served based on such data. “We are stopping that flow of data as you bounce around the web,” said the company’s co-founder. “Third-party retargeters are not going to have information about you.” The filters are distinct from Do-Not-Track signals. [NYT]

WW – Tech Firms Unveil Ad-Blocking Tools

Two tech companies have started offering ad-blocking tools for mobile users. Evidon is delivering the Ad Choices icon and the opt-out system for users, while TRUSTe has upgraded its real-time bidding system so that advertisers know prior to bidding that the user cannot be targeted for behavioral data, the report states. The moves come before the Digital Advertising Alliance (DAA) has published any mobile guidelines. DAA Counsel Stu Ingis said those guidelines could come “this spring—a few weeks to a couple of months.” TRUSTe’s Kevin Trilli said, “That is why we didn’t wait, and why we just started to build.” [AdAge]

WW – Mozilla Readies Third-Party Cookie Blocker

In a preview version of its Firefox 22 web browser, Mozilla has included an automatic third-party cookie blocker, putting the company “on a collision course with the online ad industry.” Some trade groups say the new feature, called Aurora, is “dangerous and highly disturbing” and warn that users will experience more ads as a result. Stanford University graduate student Jonathan Mayer, creator of the code, tweeted, “The new Firefox cookie policy has migrated to Aurora!” Firefox 22 is expected to fully release in late June. [COMPUTERWORLD]

WW – Firefox Announces More DNT Options

Seth Rosenblatt reports on Firefox’s “more nuanced approach” to implementing its Do-Not-Track (DNT) setting and efforts to provide additional user choice. Firefox engineers describe the past practice of “on” or “off” DNT implementation in light of what they describe as the “three states of Do Not Track.” Firefox’s Tom Lowenthal explains, “DNT:0 means, ‘I consent to being tracked.’ DNT:1 means, ‘I object to being tracked.’…When DNT is off, it doesn’t mean ‘please track me.’ It means that the user hasn’t told the browser their choice yet.” Rosenblatt notes, “What’s not clear is how sites react to that.” [CNET]
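The distinction Lowenthal draws is easy to lose on the server side, where an absent header is often collapsed into “not objecting” and then treated as if it were consent. The following is an added example, not code from the article, from Mozilla or from any site, showing how a server can keep the three states separate when it reads the request. The header name `DNT` and the values `0` and `1` are the ones browsers actually send; the `DntState` names, the `site_default` policy parameter and the constructed sample requests are this example’s own assumptions.

```python
"""Keep the three Do Not Track states separate on the server.

Added example (not from the original article or from Mozilla). It works
on a plain mapping of HTTP request headers so it runs without a web
framework; the header name "DNT" and the values "0"/"1" are the real
ones, everything else here is an assumption of the example.
"""
from collections import Counter
from enum import Enum
from typing import Iterable, Mapping, Optional


class DntState(Enum):
    """The three states Lowenthal describes (names are this example's)."""
    CONSENT = "consent"   # DNT: 0  -> the user consents to being tracked
    OBJECT = "object"     # DNT: 1  -> the user objects to being tracked
    UNSET = "unset"       # no header -> the user has expressed no choice


def parse_dnt(headers: Mapping[str, str]) -> DntState:
    """Map a request's DNT header to one of the three states.

    Header names are matched case-insensitively, as HTTP requires. The
    header is only defined for the values "0" and "1"; anything else
    (including an empty or malformed value) is treated as UNSET rather
    than guessed at, so a broken proxy cannot manufacture consent.
    """
    value: Optional[str] = None
    for name, raw in headers.items():
        if name.lower() == "dnt":
            value = raw.strip()
            break
    if value == "0":
        return DntState.CONSENT
    if value == "1":
        return DntState.OBJECT
    return DntState.UNSET


def tracking_allowed(headers: Mapping[str, str], site_default: bool = False) -> bool:
    """Decide whether behavioural tracking may run for this request.

    OBJECT always wins and CONSENT always allows. UNSET is deliberately
    not folded into either: the site must state its own policy for a
    user who has made no choice via `site_default` (assumed parameter,
    defaulting to the conservative "do not track").
    """
    state = parse_dnt(headers)
    if state is DntState.OBJECT:
        return False
    if state is DntState.CONSENT:
        return True
    return site_default


def count_states(requests: Iterable[Mapping[str, str]]) -> Counter:
    """Tally the three states over a batch of requests.

    Useful for checking whether an analytics pipeline is seeing a
    realistic mix of states, or silently recording only two of them.
    """
    return Counter(parse_dnt(h).value for h in requests)


# Constructed sample requests (not real traffic): one per state plus a
# malformed value that must not be mistaken for a preference.
SAMPLE_REQUESTS = [
    {"Host": "example.test", "DNT": "1"},
    {"Host": "example.test", "dnt": "0"},
    {"Host": "example.test"},
    {"Host": "example.test", "DNT": "yes"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.get("DNT", req.get("dnt", "<absent>")),
              parse_dnt(req).value, tracking_allowed(req))
    print(count_states(SAMPLE_REQUESTS))
```

Note that the site-default branch is the one Rosenblatt flags as unclear in practice: the code makes that policy an explicit parameter so it has to be chosen rather than inherited from whatever the absent-header case happened to fall through to.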

US – New Tool Encrypts Online Photos So They’re Only Visible to Friends

A team of researchers from USC has developed an encryption tool that makes your photos grey and unrecognizable to everyone but your (Facebook) friends. With a new cloud-based photo-encryption service, you won’t have to trust Facebook or any other online service to keep your photos private. A team of researchers at the University of Southern California developed the tool, dubbed “P3” for “Privacy-Preserving Photo Sharing,” which pulls a small amount of data out from digital photos and encrypts it into a key that can be shared with friends. The unencrypted, but unrecognizable part of the photo is posted online as a grey image that doesn’t have any clear detail and can only be viewed by those with whom the encrypted key is shared. It’s not only made for Facebook, but for any cloud-based service like DropBox, Flickr or any other way people share photos, even chat services and forums. While they have a prototype, they haven’t yet decided how it will be marketed, but hope to have a company set up by the summer. So those estimated 250 million photos uploaded to Facebook each day will have to remain unencrypted and arguably insecure, for the time being. [Source]

Security

UK – Device Losses Lead to Inquiry

The Information Commissioner’s Office (ICO) is looking into the BBC’s recently reported loss of 785 devices. An ICO spokesperson said the office had not been informed of the incident, but it will “be making further enquiries into the loss of this equipment to find out the full details.” A freedom of information request revealed 399 laptops, 347 mobiles and 39 tablets lost or stolen at the BBC, which the report states is “probably low” for an organization of its size. The BBC told V3 that it has no official figures on how many devices have been issued to staff. [v3.co.uk]

US – 93% Knowingly Breach Company Data Policies

A recent breach affecting St. Louis-based Schnucks supermarket chain was exacerbated by the company’s inability to detect the source. As a result, the number of credit and debit cards exposed continued to grow, capping at about 2.4 million. The company has hired a third party to investigate. Meanwhile, Global Payments, Inc., says it is closing its investigation of a March 2012 breach that exposed 1.5 million debit and credit cards. The breach cost the company $92.7 million in expenses. And Financial Times reports on a recent survey of 165,000 employees indicating nine out of 10 knowingly breach employers’ data policies. [ComputerWorld]

US – Hotel Data Security Issues on the Rise

There are data security issues within the hospitality industry and an alleged rise in identity thefts and malware attacks. One attorney specializing in hospitality law said, “Data security is becoming an issue of significant importance in the hospitality industry.” Hackers now attack hotel systems and data in third-party reservation systems not only for credit card data but for additional personal information, including address, license plate number and date of birth, all of which aid in identity theft. [Chicago Tribune]

Surveillance

US – Case May Determine Text Message Privacy Rights

The Washington State Supreme Court is expected to hear two cases next month involving the privacy of text messages in criminal proceedings. In both cases, alleged drug users were arrested after police intercepted their text messages without a warrant. An earlier appellate court case ruled the expectation of privacy of text messages “terminates upon delivery.” Calling text messaging “the 21st-century phone call” in an amicus brief, the Electronic Frontier Foundation has argued the lower court’s decision to uphold the warrantless case “ignored the technological realities of text messaging and threatened to erode privacy protection to a ubiquitous form of communication in the United States.” The high court will hear arguments on May 7. Meanwhile, customers suing Apple for privacy violations are seeking monetary sanctions in a pretrial discovery dispute. [Courthouse News Service]

US – Tracking Study Habits: “It’s Big Brother, Sort of, But With a Good Intent”

Professors at nine colleges are testing technology that allows them to get detailed reports of their students’ study habits through digital textbooks. While students’ digital textbook use has been tracked for a while now, CourseSmart individually packages information on all the students in a professor’s class. The start-up says that surveys indicated few privacy concerns, but one student who uses non-tracked forms of studying worries, “If he looks and sees, ‘Hillary is not really reading as much as I thought,’ does that give him a negative image of me?” More than 3.5 million students and educators currently use CourseSmart textbooks, and the program is expected to be introduced broadly in the fall. [The New York Times]

US – NYC Awareness System Raises Privacy Concerns

New York City’s Domain Awareness System (DAS), which combines police know-how with computer algorithms, is reportedly making the city money and making it safer, but some worry it is also invading people’s personal privacy. The system combines more than 3,500 publicly placed cameras, license-plate readers “at every major Manhattan entry point,” radiation detectors and real-time 911 alerts with “a trove” of police data. The success of the DAS has generated interest from other municipalities, but others worry the invasion of privacy will be “much greater than anything we have seen so far.” In another surveillance story, the Office of Naval Research aims to use autonomous technology to patrol and map the ocean. [The New York Times]

Telecom / TV

US – California AG Harris Urges App Developers to Respect Users’ Privacy

The wealth of personal data that mobile apps collect on their users needs to be conspicuously stated to consumers or developers could face legal heat, California attorney general Kamala D. Harris said. Rather than resorting to subpoenas and enforcement actions, the California attorney general’s office is in the midst of a crusade of sorts built around encouraging app developers, and Internet services firms in general, to become compliant with state privacy laws of their own accord. Last year, for instance, the office reached an agreement with a number of major tech companies, including Facebook and Google, to make the privacy policies for those companies’ mobile apps available to consumers in the Apple App Store and Google Play Store before the download process rather than after. The idea is to encourage technology companies that have access to users’ personally identifiable information such as geolocation and contact lists to better inform consumers how that information is used so consumers can make better decisions about using the app in the first place. A major law at the center of the issue in California is the Online Privacy Protection Act, which requires operators of websites and online services, including mobile and social apps that collect personally identifiable information from Californians, to clearly post a privacy policy. The state has already sued Delta Airlines for failing to comply with the law; that case is ongoing. [Source]

WW – Android Apps Found To Have Breached User Privacy: Study

Android phone users have been warned to check app permissions after it was found that some popular apps upload mobile numbers to third-party entities without notification. According to a new study by Bitdefender, 12.87% of 130,000 free Android apps sent user phone numbers to third-party servers. The researchers found that Texas Poker by Kama Games and Paradise Island by Game Insight International accessed user data. Location and personal email addresses were also distributed to third parties by 12.03% and 7.72% of the apps analysed. Approximately 6% of apps accessed browsing history. According to Bitdefender chief security strategist Catalin Cosoi, the line between third-party advertisers and malware is becoming more blurred. “While malware may steal passwords and other credentials, aggressive advertisers may collect everything else,” he said. “Although violating user privacy raises serious concerns, the risk of having collected data used for malicious purposes is greater than most people imagine.” [Source]

WW – Opinion: Facebook’s ‘Not-A-Phone-But-More-Than-An-App’ Home

Facebook released a mobile thing today. It’s not a Facebook phone. But it’s more than an app. It’s like a digital skin that you slide your phone into so that it’s covered in sticky Facebook goodness. It’s a thing that you will be able to get pre-installed on some Android phones or download from Google Play. It will basically turn your phone’s face into a slideshow version of the Facebook News Feed — photos, check-ins and status updates will flip past and you will be able to “like” them by tapping your phone. It will make frictionless sharing EVEN MORE FRICTIONLESS as you will be able to have mobile apps open inside of Facebook and share instantly. Most importantly, Facebook is bringing us a new bit of terminology with the new Home which Facebook describes as “[not] a phone or operating system [but] more than just an app”: “Chat Heads.” When you get a message from a friend, their head appears on your phone and it will follow you around from screen to screen until you read their message or swipe them away. I suspect the term “Facebook Friends” is about to be replaced by this one, as in, “I don’t really know him that well, he’s just a Chat Head.” Home could be a GPS jackpot for Facebook. If users actually take to Home, Facebook has come up with an excellent way to get people to have Facebook running on their phones all the time. That means Facebook will be able to constantly collect location information from them, making Facebook even more attractive to advertisers looking to deliver ads based on who you are, where you are and what you’re doing. The privacy issues were not missed by Om Malik at GigaOm: The phone’s GPS can send constant information back to the Facebook servers, telling it your whereabouts at any time. So if your phone doesn’t move from a single location between the hours of 10 p.m. and 6 a.m. for say a week or so, Facebook can quickly deduce the location of your home. Facebook will be able to pinpoint on a map where your home is, whether you share your personal address with the site or not. It can start to build a bigger and better profile of you on its servers. It can start to correlate all of your relationships, all of the places you shop, all of the restaurants you dine in and other such data. The data from the accelerometer inside your phone could tell it if you are walking, running or driving. As Zuckerberg said — unlike the iPhone and iOS, Android allows Facebook to do whatever it wants on the platform, and that means accessing the hardware as well. [Forbes]

US Government Programs

US – EPIC Urges Distinction between Cybercrime and Cyberterrorism

The Electronic Privacy Information Center (EPIC) wants the US National Institute of Standards and Technology (NIST) to make clear distinctions between cybercrime and cyberterrorism. NIST is developing a cybersecurity framework as part of the president’s executive order on cybersecurity and asked for public comments on its development. In its comments, EPIC notes that “the overwhelming majority of cybersecurity incidents do not fall within the ‘national security’ designation.” [Source]

US Legislation

US – White House: CISPA Not Doing Enough for Privacy

The Obama administration has issued a statement indicating it is unlikely to support the Cyber Intelligence Sharing and Protection Act (CISPA) in the form passed this week by the House Intelligence Committee. “While stopping short of an outright veto threat that many privacy activists may have wanted, the statement made clear that the administration does not believe the bill in its current form does enough to safeguard personal information,” the report states. The committee voted 18-2 in support of CISPA after removing four amendments aimed at increased privacy protections. [Los Angeles Times]

US – Revamped CISPA to Go to Committee Vote

The House Intelligence Committee this week will discuss the Cyber Intelligence Sharing and Protection Act (CISPA), which would provide companies “lawsuit immunity in the case of data exchange.” Changes to the proposal haven’t been announced yet, but some say it will require stronger data anonymization and use restrictions in hopes of allaying the Obama administration’s privacy concerns—which led to threats of a veto last year. “We need to get a little more specific in terms of what type of information we’re sharing and under what circumstances,” said George Washington University Homeland Security Policy Institute Director Frank Cilluffo. CISPA is slated for a committee vote April 10 in a closed session. [ZDNet]

US – Rep to Propose CISPA Amendment; Franken to Reintroduce Bill

Rep. Adam Schiff (D-CA) will propose an amendment to the Cyber Intelligence Sharing and Protection Act (CISPA) to address privacy advocates’ major concerns. Schiff’s amendment would require companies to strip any information “that can be used to identify a specific person unrelated to a cyber threat” before sharing the data with the government or other third parties, the report states. The bill is to be discussed in a closed-door meeting of the House Intelligence Committee next week. Meanwhile, Sen. Al Franken (D-MN) plans to reintroduce his Location Privacy Protection Act and recently admonished retail analytics firm Euclid for the opt-out nature of its data collection practices. [The Hill]

US – Advocates Want House to Debate CISPA Openly

Privacy groups are calling on U.S. lawmakers to make significant changes to the Cyber Intelligence Sharing and Protection Act (CISPA). The 41 groups include the Center for Democracy and Technology, the ACLU and the Electronic Frontier Foundation, and they want the House Intelligence Committee to debate the bill publicly rather than behind closed doors. While Rep. Mike Rogers (R-MI) said recently that concerns with CISPA are due to bad PR, the ACLU says everyone, “from the privacy community to the president, agrees that CISPA is bad on privacy.” Meanwhile, a recent survey indicates data security concerns from American Chamber of Commerce members operating in China are on the rise. [COMPUTERWORLD]

US – The Challenges of Geography-Based Regulations

The San Francisco Chronicle explores the challenges that come with geographically differing regulations for online privacy. California, for example, has more defined privacy laws than other U.S. states, and Internet companies based outside California but accessed by California residents are still required to follow California law. Developer Jonathan Nelson says, “The thought of an ‘international boundary’ when it comes to data is really silly to me,” adding, “It’s archaic.” The EU is also considering regulations under which any online business used by EU citizens would be subject to EU privacy laws. Parker Higgins of the Electronic Frontier Foundation adds, “The best approach isn’t necessarily legislating every situation” but “giving consumers the information they need to make choices for themselves.” [Source]

US – Idaho Passes Drone Privacy Law

Amid growing concerns over privacy, Idaho Governor C.L. “Butch” Otter signed a law restricting the use of unmanned aerial vehicles (UAVs) by law enforcement and other public agencies. Idaho now becomes the second state, after Virginia, to pass legislation limiting UAV use. To use the burgeoning technology, law enforcement will need to obtain a warrant prior to collecting evidence on suspects, unless the criminal activity involves illegal drugs or the UAV is being used for public emergencies or rescue missions, the report states. Idaho Assistant Majority Leader Chuck Winder said, “We’re trying to prevent high-tech window-peeping.” [Chicago Tribune]

Workplace Privacy

US – Retailers Track Employee Thefts in Vast Databases

The New York Times reports on databases created by retailers across the nation that track employees accused of workplace theft. Retailers tap into the databases in order to avoid applicants who have been accused of such crimes by previous employers. In many cases, the report states, employees “have no idea that they admitted to committing a theft or that the information will remain in databases.” Presently legal, the databases are being scrutinized by the Federal Trade Commission for potential violations of the Fair Credit Reporting Act. One lawyer familiar with the system said such a database is a “secret blacklist” and added, “The employees don’t know about it until they have already been hurt.” [Source]

+++