Author Archives: privacynewshighlights

01-15 May 2011

Canada 

CA – Alberta’s Privacy Commissioner Stepping Down

The province’s Information and Privacy Commissioner Frank Work has decided to step down when his term expires at the end of the year. Work has been with the office for all 16 years of its existence, including the last nine years as commissioner. Among the highlights of his career was a major expansion of the office when the Health Information Act was passed in 2001 and the Personal Information Protection Act was passed in 2004. “I am particularly proud of Alberta for being one of four jurisdictions in Canada to pass a private sector privacy act,” Work said in a statement released Wednesday. “I am proud of the fact we were instrumental in making Alberta the only jurisdiction in Canada to have mandatory breach notification across the private sector. Ensuring that Alberta Netcare is as secure and accurate as possible is another source of pride.” The province is expected to strike a special committee to conduct a search for a new commissioner. [Source

CA – Privacy Commissioners Unveil Tool to Strengthen Personal Data Security

The federal, Alberta and British Columbia Privacy Commissioners launched a new online tool that will help businesses better safeguard the personal information of customers and employees. The new Securing Personal Information: A Self-Assessment Tool for Organizations is a detailed online questionnaire and analysis tool that helps organizations gauge how well they are protecting personal information, in keeping with the applicable private-sector privacy law. Developed jointly by the federal, Alberta and British Columbia privacy commissioners’ offices, the tool can be used by any private-sector organization, particularly small and medium-sized businesses. The tool is comprehensive and detailed, but also offers users the flexibility of focusing on areas most relevant to their own enterprise. The self-assessment and analysis process results in a framework that organizations can use to systematically evaluate and improve their data-security practices. The Securing Personal Information Self-Assessment Tool is available via the commissioners’ websites: www.priv.gc.ca; www.oipc.ab.ca; and www.oipc.bc.ca. [Source

CA – Clement Open to Large Fines for Massive Data Breaches

Industry Minister Tony Clement said he’s open to the idea proposed by Canada’s privacy watchdog to give her the power to slap corporations with huge fines if they don’t protect the personal information of their customers. Earlier this week, Privacy Commissioner Jennifer Stoddart said the federal government should update the country’s private-sector privacy law to include fines, given the “alarming trend toward ever-bigger” data breaches. The Conservative government’s most recent proposal to update the law – which died when the federal election was called – did not include any powers to impose fines. But the proposal stated a company would have to report a “material” data breach to the privacy commissioner if the company concluded that the breach indicated a systemic problem. [Source] [Data breach fines sought by privacy watchdog] SEE ALSO: [Geist: Tory majority gives Ottawa a crack at breaking the digital logjam] [Geist: Web surveillance legislation requires study, not speed] and [The Lawful Access Legislation: Does it Really Criminalize Linking & Anonymity?

CA – Ontario Appeal Court to Consider Privacy Tort

The Ontario Court of Appeal will soon have an opportunity to decide the vexing question of whether the common law recognizes the existence of a tort for invasion of privacy. Because PIPEDA doesn’t apply to individuals, the defendant will go free in the absence of a common law tort. The opportunity comes on an appeal from the December 2010 judgment of Superior Court Justice Kevin Whitaker in Jones v. Tsige. Christopher Du Vernet of Du Vernet Stewart in Mississauga, Ont., who represents plaintiff Sandra Jones, says the case has been making waves in legal circles. [Source]

Consumer 

WW – Study: Consumers Define Do-Not-Track More Broadly Than Web Companies

Initial results of a study of 200 Web users reveal that consumers might define the term “do not track” differently than Web companies. Preceding last week’s World Wide Web Consortium workshop, researcher Aleecia McDonald asked Internet users what kind of data would be collected after activating a do-not-track option. Nearly 40% of respondents felt that “nothing at all” would be collected. 51% of those polled indicated that they would not be surprised if nothing changed after they activated a do-not-track option. 81% said it was the first time they had heard the phrase do not track. [Source

CA – Most Canadians Unaware of Online Tracking: Privacy Watchdog

Canada’s privacy watchdog said many Canadians don’t know how closely companies are tracking their online activities — much less are they providing informed consent. “We have some serious concerns about online tracking, profiling and targeting — and the fact that many Canadians don’t know what’s happening behind their computer screens, let alone agree to it. Children — who are going online at younger and younger ages — are even less likely to understand,” Jennifer Stoddart told a privacy symposium in Toronto, where she released the final report of public consultations held last year on privacy issues in the online world. Stoddart looked at the rich trail of data scooped up by companies and marketers when people browse the Internet, use social networking site or use geo-location functions of their mobile devices. In addition to calling companies to be more upfront with their customers about their practices, her report also flags issues with the growing popularity of “cloud computing.” By storing information and services on shared remote computers and accessed via the Internet or the “cloud,” companies can reduce their storage requirements and costs. Noting that even small- and medium-sized enterprises are embracing cloud computing with varying levels of technological security, the Office of the Privacy Commissioner’s report calls for the development of strong standards to ensure the security of personal information stored or processed on cloud services. The findings in the final report were drawn from the consultations, which included public events in Toronto, Montreal and Calgary, as well as 44 written submissions from industry, academics and advocates. Many of the participants highlighted a specific challenge with obtaining meaningful consent, especially involving children. [Source

CA – Online Canadians Trust Information from Media More than Other Sources: Report

A survey suggests Canadian web users may not want to pay for news, but they still trust content from the mainstream media over other sources. The latest report from the Canadian Media Research Consortium states that about 90% of wired Canadians consider the information they get from newspapers, television, radio and online news sites to be reliable. The percentages were a few points lower among those aged 18 to 34. Only 26% believed information from social networks is reliable – although the trust rating jumped to 40% among daily social media users – and 65% said they thought news from family and friends was reliable. When asked how much they trusted information from governments or major corporations, only 42% and 38% respectively found them very trustworthy or trustworthy. [Source] See also: [US: Customers stay despite high-profile data breaches]

E-Government 

CA – Online Election Voting Approved by Vancouver

Vancouver city council has approved online voting in November’s municipal election — pending approval by the provincial government. If the pilot project gets the green light, eligible voters would have the option of voting in advance polls by home or mobile computer. Councillor Andrea Reimer believes the technological shift could improve voter participation, which has dipped to about 30% in Vancouver. Council voted 10-1 for the project, with the opposing vote coming from Councillor Suzanne Anton. Anton said she was concerned about the potential for voter fraud and wanted more public consultation. Voters would be given a personal identification number to pre-register and then would be given another PIN, in a process designed to minimize voter fraud, according to city staff. [Source]

E-Mail 

UK – Information Commissioner Gets New Powers to Fine for Spam Emails

Organisations that make unwanted marketing phone calls or send spam emails to consumers could face fines of up to £500,000, the Government has warned. Increased financial penalties will come into force later this month as part of amendments to the UK’s Privacy and Electronic Communications Regulations (PECR). Data protection watchdog the Information Commissioner’s Office (ICO will also be given greater investigatory and auditory powers). The changes to PECR will allow the ICO to fine businesses and other organisations for serious breaches of the regulations, including sending unwanted marketing emails and texts as well as making live and automated marketing phone calls. It can already administer fines of up to £500,000 for data protection offences. The ICO’s increased investigatory powers will allow the Commissioner to demand information from telecommunications companies and internet service providers (ISPs), to help with investigations into breaches of the regulations. Telecommunications companies and ISPs will also have to notify the ICO and their customers in certain circumstances if a personal data breach occurs. The ICO will be able to audit these companies and ISPs to ensure they comply with this requirement. Information Commissioner Christopher Graham welcomed the new powers and said guidance on the changes would be issued soon. The amended laws are being implemented to ensure the UK comes into line with new European data privacy laws. Under the EU’s Electronic Communications Framework, the ICO will also enforce new rules surrounding cookies and similar technologies which can be used to track user activity online. The Government indicated the plans as part of its response to the consultation around the Electronic Communications Framework, published last month. [ICO Statement] [Guidance] [Source] [Confusion Surrounds U.K. Cookie Guidelines] and [Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 - S.I. 2011 No. 1208 - United Kingdom]

Electronic Records 

UK – Scotland Awards £1.1m Privacy Breach Software Contract

Health boards in Scotland will get access to an IT system which aims to enhance the protection of their patient records. The Scottish government has awarded a £1.1m contract for privacy breach protection software to Northgate Managed Services, for use by all health boards in the country. It advertised the contract last October. “It is important that the procured service or product has been proved to be capable of interfacing and is compatible with all major electronic clinical systems used within NHS Scotland,” said NHS National Services Scotland in a notice published in the Official Journal of the European Union. It adds that the service or product provided by Northgate should be able to “interrogate” data provided in the form of audit logs from existing clinical systems and highlight areas where potential privacy breaches have occurred. The software will also be expected to have an extensive reporting capability, including reports that contain information based on access date, demographic data and system user ID. [Source

US – Allina Fires 32 Employees Over Patient Privacy Violations

Nearly three dozen employees of Allina Hospitals and clinics were fired after allegedly violating the privacy of patients involved in a recent mass overdose incident. Allina confirms that 32 employees were dismissed for what they termed “a HIPAA violation.” 28 of them were from Unity Hospital, and four worked at Mercy Hospital. The employees are accused of looking up electronic medical records of patients treated at Mercy and Unity hospitals after a mass drug overdose in Blaine last March. 11 people were hospitalized and one died. Allina says those employees did not have legitimate patient care reasons to look up the information.[Source]

EU Developments 

EU – Websites Should Notify European Users About Privacy Breaches

Europe-wide laws which require telecommunications companies to notify users if their data is at risk should be extended, the European justice commissioner has said. Privacy rules created under the EU’s Electronic Communications Framework should be extended to cover online banking, video games, shopping and social media, Viviane Reding said in a speech. Current rules, which are being implemented in the UK as part of amendments to the Privacy and Electronic Communications Regulations, require telecommunications companies and internet service providers to notify their customers and national regulators of personal data breaches immediately. “I think it is important that users are notified if someone has unlawful access to their data,” Reding said. “It is essential for consumer confidence that they know what happens to their data.” Reding said that in the upcoming review of data protection laws in Europe she would investigate the extension of the data breach notification process to more than just telecoms companies. [Source

UK – Law Attorney Fined for Violation of Data Protection Laws

The UK Information Commissioner’s Office (ICO) has fined ACS:Law £1,000 for failing to adhere to data protection laws. The company gained notoriety for accusing people of illegal filesharing based on their IP addresses. None of the cases ever came to court, and some questioned whether or not ACS:Law had the authority to bring the lawsuits in the first place. The company has ceased operations and would have been fined considerably more, but the judge in the case chose to fine Andrew Crossley as an individual rather than the company. The fine is being imposed because of a breach that was an after-effect of a distributed denial-of-service attack launched against the firm’s website. [The Register] [BBC

UK – ICO Launches Code for Sharing Personal Data

The Information Commissioner’s Office has launched a code of practice aimed at guiding private- and public-sector companies on data protection when it comes to legally sharing personal information. The code of practice, which incorporates input solicited during the consultation period, can be applied in all sectors, said Information Commissioner Christopher Graham. “…We can be confident that it not only makes sense on paper but will work in the real world,” he said. “I would encourage all businesses and public bodies that share personal data to get to grips with the code without delay so they can be sure they are getting it right.” [V3.co.uk]

Filtering 

UK – Judge Issues Gag Order for Twitter

A British judge has banned Twitter users from identifying a brain-damaged woman in one of the first attempts to prevent the messaging website from revealing sensitive information. The ruling follows the publication on Twitter of a list of celebrities alleged to have tried to cover up sexual indiscretions by obtaining court gag orders. The injunction, dated May 12 and seen by Reuters, includes Twitter and Facebook in the list of media prohibited from disclosing the information. It was issued in the Court of Protection in the case of a mother who wants to withdraw life support from her brain-damaged daughter. It prevents the identification of the woman and those caring for her. [Source] [Tweets spark media storm

UK – Ex-Formula One Chief Loses Newspaper Privacy Case

Max Mosley, the former head of Formula One, has lost a high profile case at the European Court of Human Rights that would have required newspapers to warn people in advance before publishing details of their private lives. Mr. Mosley, who won an earlier landmark privacy case in the English courts against the News of the World newspaper, said the UK failed to impose a legal duty on newspapers to notify subjects in advance of a story appearing. Pre-notification would allow subjects to then obtain a court injunction preventing publication, he argued. However, the ECHR in Strasbourg ruled unanimously that there had been no violation of the European Convention on Human Rights, and that to introduce a pre-notification requirement would have a “chilling effect” on journalism. [Source]

Finance 

CA – Insurers Must Inform Consumers that Credit Scores Will Be Used for Underwriting

B.C.’s Office of the Information and Privacy Commissioner has ruled that Economical Mutual Insurance Company must stop collecting and using credit scores until it provides customers with appropriate notification as required by the Personal Information Protection Act (PIPA). The May 6 order notes that The Economical did include a valid disclosure statement in its 2003 CSIO insurance application form but this was not adequate notice of the purposes of collection of credit information within the meaning of PIPA. “The consent statement on the complainant’s application form did not expressly say that credit information might be obtained for the purpose of underwriting,” the order reads. “In order to satisfy the notice requirements in ss. 7(1) and 10(1)(a) of PIPA, individuals must be informed that their credit information may be collected for the purpose of assessing future risk of loss in underwriting the policy. “Without this information, it is not reasonable to expect that a consumer would understand how Economical actually uses this information and therefore could not meaningfully consent to its collection for this purpose.” “Consumers are generally unaware of the use of credit scoring in risk assessment in the insurance industry,” B.C. Information and Privacy Commissioner Elizabeth Denham said in a statement. “This order underscores the need for organizations to obtain informed consent from their customers for the collection of their personal information.” [Full Order] [Source

US – Visa Pitches ‘Digital Wallet’

Visa is launching a centralized electronic payment system designed to make online shopping as easy as pulling out a wallet. Visa hopes its “digital wallet,” set to launch this fall in the U.S. and Canada, will make it possible for consumers to pay with any of their credit or debit cards using a single click or a tap of their cellphone and a single password, the company announced. “What that comes with is a place for customers to be able to centralize their credit, debit and pre-paid card information in a single secure location,” said Mike Bradley, head of products for Visa Canada. A customer could add any card they choose to the wallet, including competing cards. Unlike an old-fashioned wallet, Visa’s system won’t hold identification such as driver’s licences or health cards or photos of your loved ones – it’s not much more than a central customer account stored in Visa’s network that contains information about the customer’s payment card accounts. Merchants can sign up to link into an electronic system through their website so they can accept payment from the wallet. Bradley would not say what kind of fees would be involved for merchants, consumers or the institutions that issue cards placed in the wallet. If the merchant accepts both the digital wallet and the payment card that the customer wishes to use, the customer enters an email address or username and a password to pay. There is no need to enter a billing address and payment information. [Source] See also: [Stop ID thieves from stealing your kid’s credit]

FOI 

CA – Top Court Says PM, Ministers Not Subject to Info Law

The public does not have a right to access all documents in the offices of cabinet ministers or the prime minister, the Supreme Court of Canada ruled in a unanimous decision. The top court upheld a Federal Court of Appeal decision, and sided with the federal government in a decade-old legal battle with the information commissioner. Had the federal government lost its case Friday, it could have vastly expanded the scope of Canada’s access-to-information law. The case involved a number of legal issues related to the access-to-information law that stipulates what government documents can and cannot be made public. The Supreme Court rejected four different appeals from the information commissioner. But the decision does not mean that all records within the Prime Minister’s Office and the offices of ministers are off-limits to the public. Some records can be accessed if they are determined to be under the control of the government institutions that are led by the prime minister or a minister. What “control” means, however, is not defined in the access-to-information legislation. A lower court judge in this case developed a test to use when interpreting the meaning of the word and whether the access-to-information law would therefore apply. The Supreme Court, in its decision, accepted that test and slightly modified it. Physically locating a document in a minister’s office or the PMO does not provide protection for it, according to the courts. The first step in the test is to determine whether the record relates to a departmental matter. If it does, Step 2 then asks whether a senior staff member in the department, such as a deputy minister, should reasonably be able obtain a copy of the record. If the answer is yes, the record should be disclosed to anyone who requests it. [Source] See also: [Provincial NDP grills Grits over access]

Health / Medical 

US – Large PHI Data Breach Incidents Now at 265

The number of large health data breaches reported to the Office for Civil Rights (OCR) is now at 265. As a provision to the HITECH Act, the OCR now posts entities who have reported a breach of personal health information that affects more than 500 individuals. The single largest reported breach affected 1.9 million individuals. In the 15 months since the OCR began posting the breaches, there has been an average of nearly 18 per month, or slightly more than one every other day, the report states. [HealthLeaders Media]

Horror Stories 

US – Michaels Breach Affects Customers Across the Country

Craft store chain Michaels now says that point of sale terminals at stores across the country have been tampered with, compromising customers’ financial information. The thieves appear to have been after payment card data. The issue first arose in the Chicago area, but the company now says that compromised payment terminals have been found at stores across the US. Michaels discovered the situation after they were informed by authorities that fraudulent payment card transactions had been traced to cards used at certain of its stores. An official statement from Michaels says that fewer than 90 PIN pads were found to have been affected. [Krebs] [Press Release

WW – X Factor Contestants Warned After 250,000 Data Breach

Would-be contestants of Simon Cowell’s US X Factor might have got more public exposure than they bargained for with the news that the details of 250,000 of them have been lost after an attack on the TV show’s database. The records were stolen from TV network Fox Broadcasting and included personal information such as names, addresses, phone numbers and dates of birth, but not credit card details, said UK tabloid, the Daily Star, which broke the news. “This week, we learned that computer hackers illegally accessed information you and others submitted to us to receive information about The X Factor auditions,” read an email sent to those affected by the attack. The worry now is that criminals will use the data to mask social engineering or identity attacks.[Source] SEE ALSO: [Proposed class action suit filed against Sony] [Suit Seeks $1 Billion in Damages] [Sony May Offer Reward in PSN Attack | Source] [Sony PlayStation Network (PSN) Hack | Summarized] [Sony PlayStation Network Relaunch Delayed | Source | Source] [New York AG Subpoenas Sony Regarding How it Represented Site Security] [Sony Calls in Forensic Experts | Source | Source] [SOE Intrusion Discovered During PSN Breach Investigation] [Sony Declines to Testify at House Subcommittee Hearing on Breach | Source | Source | Source | Source | Sony’s Letter]

Identity Issues 

EU – ENISA Issues Report on Managing Multiple Electronic Identities

The risks to managing multiple identities (“IDs”) include an identity’s lifecycle (e.g. the longer the lifespan, the greater the challenge in keeping that ID secret), ensuring that policies agreed with an initial ID provider are respected by subsequent recipients of any ID data (e.g. when a company holding data is purchased by another company), revocation (e.g. failure to revoke means that defunct ID data makes it unclear which record relates to a particular subject, and increases the potential for a system to be compromised because it will continue to allow access), and attacks that rely on multiple IDs (e.g. whitewashing involves the creation of a new ID intended to subvert the system when an existing reputation falls below a tolerable level, and a sybil attack involves the creation of multiple IDs (sybils) to distort ratings within a reputation-based system). Priorities should include making digital IDs portable (so the user can choose both the ways in which they present themselves and the type of device on which their data is held), using partial IDs to protect privacy by respecting the principle of minimal disclosure (e.g. select attributes from a subject’s full collection of IDs that can be combined according to particular needs), using renewals (different IDs may need to be renewed or replaced several times throughout an individual’s lifetime due to changes in appearance or new types of attacks), clarifying the legal position (e.g. regarding anonymous data and revocation), and sufficient enforcement powers and increased penalties for deterrence on the part of data protection authorities. [Source] See also [Facebook restores other Mark Zuckerberg’s profile]

WW – Anonymous IDs on iPhones, iPads Can Reveal Your Identity

Security researcher Aldo Cortesi last week published his discovery of a flaw in the unique device identifier (UDID) stored on each iPhone, iPad and iPod Touch. While this device identifier is well-known, it’s not supposed to be connected to a person’s actual identity. But Cortesi discovered that some apps can link the identifier to the phone owner’s Facebook profile, which effectively puts a face behind that string of numbers and letters. “It’s like a permanent, unalterable tracking cookie that can’t be changed and that the user is not aware of,” Cortesi told Wired.com. “The UDID idea has got such deep flaws because it literally identifies the device.” Apple and iOS app programmers use the 40-character string of letters and numbers as a method to identify each device uniquely, and presumably anonymously. The UDID is permanently tagged to the device, and it can’t be erased or changed. [Source

US – California DMV Online Identity Service More Popular Than Expected

Some California drivers may cringe at the thought of going to a Department of Motor Vehicles field office to take care car or license issues. Now they can avoid that step with an on online tool at their disposal – the option to establish identities through the DMV website to access more Web-based services. Last fall, DMV set up an identity and access management system with its partner IBM to allow users to set up a user name and password on its website. Since then, more than 1 million users have created online identities. The rapid popularity is a surprise to the DMV, which didn’t anticipate the quick response. Once users create an identity for the site, they can access services such as driver record, vehicle registration information and registration renewal reminders. In the future, the DMV is slated to roll out more applications accessible through an online user identity. The California Employment Development Department (EDD) is in the process of developing a similar identification access management system. In the future, the DMV and the EDD will integrate their systems so that users can access services from both departments by using one identity, Soriano said. [Source

CA – Lac Carling: Belgian IT Ministry Shows Off Electronic IDs

Belgium is using electronic identity cards (eIDs) to manage all kinds of public services, from birth registration to getting beer out of a vending machine. FEDICT, which stands for Federal Government Information and Communications Technology Service connects’ citizen data to the relevant ministries through a fibre optic network called FEDMAN, with a federated service bus that governs who accesses information. The eID card is the common key. Belgium attempts to keep version control and security n part by not replicating databases, Leyman said, and those in the public service can only access the information for which they have clearance, which limits the potential for misuse. While some citizens may balk at the idea of having to swipe an eID card on a routine basis, Leyman said the government offers a simple online tool called mondossier.rrn.fgor.be, which keeps a record of all the information Belgium has collected about citizens through the card, and which civil servants have accessed specific pieces of information. Citizens can then inquire why certain personal details were accessed. “Almost nobody goes there,” he admitted, “but this stupid little Web site does a tremendous amount towards generating trust from our citizens.” FIDECT is also in talks with other EU countries about extending the functionality of the eIDS so they can be used outside of Belgium, Leyman said. [Source]

Intellectual Property 

US – Proposed Anti-Piracy Bill Increases Government Authority

Legislation introduced in the US Senate would increase the government’s authority to disrupt the availability of and close down websites that are “dedicated to [copyright] infringing activities.” The Protect IP Act, sponsored by 11 senators, would grant the government the power to bring lawsuits against the websites and obtain court orders prohibiting search engines from returning the sites in their results. [Source] [Source]

Internet / WWW 

WW – Google to Appeal in Swiss Street View Privacy Battle

Google said that it will appeal to Switzerland’s highest court against a ruling ordering the Internet giant to ensure that all people and cars pictured on Street View are unrecognisable. The official Swiss data protection watchdog took Google to court in November 2009 after complaining on several occasions that the service’s coverage of Switzerland flouted privacy rules, following similar complaints elsewhere in Europe. Google warned that it might be forced to shut down the facility for Switzerland even though it was used by what it said was “half of the Swiss population.” Google’s global privacy counsel, Peter Fleischer said: “Ninety-nine percent of people are not identifiable.” “The decision of the Federal Administrative Tribunal requires us to guarantee that 100% of faces and licence plate are not identifiable. We simply cannot comply with that. [Source

WW – Google Services Prompt Questions, Investigation

The Center for Digital Democracy (CDD) is asking the FTC to require Google to remove statements in its privacy policy that its behavioral advertising program does not collect PII. Asking the FTC to include behavioral targeting restrictions in its proposed Buzz settlement, the CDD wrote, “the commission should require Google to revise its policies to reflect the inherently personal nature of cookies and related data targeting and collection applications.” Meanwhile, police in South Korea are investigating Google’s privacy policies over what one official said are concerns that the company’s “AdMob collected personal location information without consent or approval from the Korean Communication Commission.” [MediaPost] [South Korean police raid Google

US – White House Reveals Cyber Security Plan

A cyber security plan proposed by the Obama administration aims to protect individual privacy, federal computer networks and elements of national critical infrastructure. The proposal includes more stringent penalties for cyber criminals; mandatory data breach reporting for organizations; placing the responsibility for defending federal agency networks from attack in the hands of the Department of Homeland Security (DHS); and improving protection for elements of the country’s critical infrastructure. It also would establish guidelines for the government to help companies that suffer cyber incidents, and for information sharing about threats among businesses and state and local governments. [Source] [Source] [Source] [Source] [Whitehouse Fact Sheet]

Law Enforcement 

UK – Police Buy Software to Map Suspects’ Digital Movements

Britain’s largest police force is using software that can map nearly every move suspects and their associates make in the digital world, prompting an outcry from civil liberties groups. The Metropolitan police has bought Geotime, a security programme used by the US military, which shows an individual’s movements and communications with other people on a three-dimensional graphic. It can be used to collate information gathered from social networking sites, satellite navigation equipment, mobile phones, financial transactions and IP network logs. Police have confirmed its purchase and declined to rule out its use in investigating public order disturbances. Campaigners and lawyers have expressed concern at how the software could be used to monitor innocent parties such as protesters in breach of data protection legislation. Alex Hanff, the campaigns manager at Privacy International, called on the police to explain who will decide how this software will be used in future. [Source

CA – Alberta Police Access to Missing Persons’ Info Broadens

Alberta police can now access financial records to help locate missing people in the province. The Missing Persons Act, passed May 10 in the Alberta Legislature, allows officers to access personal information, including telephone and banking records, to help locate missing people, even if police determine a crime has not been committed. Previously, this information was only accessible if officers determined a crime had been committed. On average, Edmonton has 1,800 missing persons cases each year, many of which are youth, people with Alzheimer’s or people with mental disabilities. Sgt. Rod Appelt with the Missing Persons Unit says the new legislation eliminates some red tape associated with accessing vital information. “If it’s a youth or someone who we believe may be in trouble, we certainly would like to access their cell phone records, or banking records as quickly as possible,” says Appelt. Officers used to have to prove a crime had been committed to obtain a search warrant from a judge. Now no crime is needed to search for the necessary personal information. In the coming weeks, Olson says, ministry staff will be working in tandem with Alberta police forces to hammer out exactly how the act will be implemented. [Source]

Location 

US – DoJ Wants Providers to Store Location Data

The US Department of Justice wants wireless carriers to retain location data to be used in criminal investigations where that information would be crucial to solving the crime. Deputy Assistant Attorney General for the criminal division Jason Weinstein made the request at a hearing of the Senate Judiciary Committee Subcommittee of Privacy, Technology and the Law, which was called over concerns about iPhones storing location data without users’ permission. [InformationWeek] [CNET

US – Verizon to Put Location Warning Sticker on iPhones

Expect to peel off one more warning sticker when you buy an iPhone from Verizon Wireless. In a letter dated April 19, 2011, and addressed to U.S. congressmen Ed Markey and Joe Barton, Verizon detailed the processes it uses to protect customer privacy and revealed plans to begin adhering the warning sticker pictured here to any new device capable of tracking its owner’s location. [Source

WW – TomTom Announces Plan to Sell Data

Shortly after getting heat in the Netherlands for selling data that was used by police to set speed traps, TomTom Australia has announced plans to sell user data to third parties. The company’s vice president of marketing says they’ll have to figure out how to ensure the data won’t be used for speed traps but gave assurances that it cannot be tracked back to an individual. Australia Privacy Commissioner Timothy Pilgrim said companies that provide GPS devices should be clear about their practices, adding that he has concerns about data aggregation, “where pieces of individual data can be put together to build up a profile.” [The Sydney Morning Herald

WW – Apple iOS Update Addresses Location Data Issues

Apple has released iOS 4.3.3 to address three flaws associated with location information in iPhones, iPads and iPods. The update reduces the amount of location stored to one week’s worth. It also alters the operating system so that it will not back up the cache to computers while synching devices. Finally, the update deletes the cache from devices when users disable Location Services in iOS Settings. The update was released just a week after Apple said it would fix the problems. Apple says that the next major update for iOS will include encryption for location information on devices running the operating system. [BBC] [ComputerWorld] [The Register

EU – EU Advisory Board to Issue Geolocation Opinion

The Article 29 Working Party will publish an opinion this month announcing that location-based data must be handled like names, birthdays and other personal data. Mobile phone and Internet companies would likely have to get consent prior to data collection, delete the information in a timely manner and keep the information anonymous. The opinion will not be binding, but, the article suggests it would likely be used as a guiding principle by several national regulators. “Geolocation data has to be considered as personal data,” said an EU official. “The rules on personal data apply to them.” [The Wall Street Journal]

Offshore 

IN – New Indian Privacy Regulations Stricter Than EU, U.S. Provisions

In a client alert, Morrison & Foerster reports on a “dramatic transformation” in the privacy landscape for India with the issuing of final regulations for the protection of personal information. The Information Technology Rules 2011 “apply to all organizations that collect and use personal data and information in India,” the report notes, and represent the implementation of parts of the Information Technology Act. The rules include a provision for prior written consent for the collection and use of sensitive personal information in what the report’s authors, Miriam Wugmeister and Cynthia Rich, describe as much stricter provisions than current laws in the EU and U.S. As a result, “U.S. and European multinational businesses…may have to adjust their personal data collection practices to conform to Indian data protection rules,” the report states. Among the provisions in the regulations, organizations will be required to provide privacy policies and give individuals notice when information is collected, grant data subjects access and put in place the right to correct any personal data that has been collected. Information must also be secured, and a dispute resolution process must be put in place, the report states. “Given the scope of the Privacy Rules, it appears that every company in India and every company that sends data to a service provider in India will be affected by these new rules,” Wugmeister said. [Source] [Source]

Online Privacy 

WW – Facebook Apps Possibly Leaked User Information (Again)

Security researchers at Symantec reported that hundreds of thousands of Facebook apps have been inadvertently leaking user data to third party developers for years due to a programming error. Facebook acknowledged the issue, but claimed that information was never accessible thanks to contracts the social networking giant has with third parties and assured worried Facebook users that they had no evidence of information being used in ways that violated company policies. According to the Symantec report, a faulty API was accidentally transmitting access tokens to third parties like advertisers. This error allowed third parties access to users’ accounts, including profiles, chats, and pictures, as well as enabled the parties to mine personal data and even post messages on users’ walls. “We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.” Symantec offered some assurances, though, saying that they have worked with Facebook to fix the error since its discovery and that many of the third parties likely had no idea they had access to this information. They did advise users to change their passwords just in case, however, since this will lock out any third party who may have access to this information. Given that there is no way of knowing just how many access tokens were leaked since Facebook started releasing apps back in 2007 and there is a chance that the tokens are still being used by advertisers or available in log files in third party servers, all Facebook users should strongly considering changing their passwords in the near future. [Source] [ Congressmen Press Facebook on Privacy Security Flaw (Again) | letter

WW – Study: Most Apps Lack Policies

A Future of Privacy Forum (FPF) study examined some of the most popular mobile applications available for major platforms and found that 22 of the top 30 have no policy stating how the app treats personal data. “Without a privacy policy to review, consumers may not have the ability to understand and control the use of their personal data by the apps,” the FPF said in a blog post. The FPF is currently working with the Center for Democracy and Technology to come up with privacy improvements for app developers. The study comes on the heels of a senate hearing on mobile privacy challenges. [MediaPost News] [FPF Blog post

US – Facebook, Google, Yahoo Fight “Do Not Track” Privacy Measures

There’s a growing social and legal momentum behind the “do not track” initiative to protect online privacy, but now Facebook and Google are opposing the legislation, hinting that job losses and profit cuts could be the result. Are there slightly dirty tricks afoot? Californian legislators are slowly pushing ahead with a Do Not Track law introduced by Senator Alan Lowenthal, which would force Net companies to allow consumers to easily and effectively opt out of personal data being collected online–violators could face civil legal action. Lowenthal has noted that in his opinion legislation “is consistent with California’s long history of championing privacy issues.” But now Facebook, Google, Yahoo and other companies have written to Lowenthal to state their specific objections. “The measure would negatively affect consumers who have come to expect rich content and free services through the Internet” is one of their counter-arguments, along with an allegation that a no-track law would make the public “more vulnerable to security threats.” Also, forcing the law through would “prove costly to the state” and also “cumbersome for the Attorney General to figure out how to regulate under the bill and to enforce the law.” Essentially the letter’s signatories say the proposed law would deplete user experience of online services (and potentially stifle innovation), put them at risk from Net criminals in ill-determined ways (an allegation that could scare users), be expensive to enforce, and potentially spawn extra work and maybe legal cases at a governmental level. Oh, and as an extra point the firms note that Net-related businesses are the fastest growing source of jobs in California. Putting this at risk, they argue, would damage the state’s potential employment figures. That’s a broad list of reasons–each of which, by itself, could really affect the current model for how websites make money from users, or force lawmakers to reconsider. If they’re true. [Source] See also: [Facebook Busted in Clumsy Smear on Google

UK – ICO Publishes Advice on Cookie Law

Businesses should gain user consent for cookies that collect statistical information or remember user preferences, according to the UK privacy authority. The advice was included in the Information Commissioner’s Office’s (ICO) cookie law guidance, published this week. Businesses cannot yet rely on consent via browser settings, so must find alternative ways of gaining consent for cookies that store information on users’ machines, the advice stated. The cookie guidance is for compliance with UK regulations that will come into force on 26 May. The law will not be enforced right away, but businesses need to take steps now to ensure future compliance, the ICO said. [Source

US – Flash Cookie Lawsuit Against Specific Media Dismissed

A judge has dismissed a lawsuit alleging an ad network used Flash cookies to track users online. The seven users who filed the suit did not “adequately allege” economic losses, ruled U.S. District Court Judge George Wu. The plaintiffs alleged that their data has value, that they were not compensated when ad company Specific Media used it and that their privacy was violated when they were tracked. Specific Media has denied using Flash cookies, the report states. Last year, two companies paid a $2.4 million settlement in a similar case. [MediaPost News

WW – Flash Update Allows Simpler Management of Flash Cookies

Adobe has released an update for Flash Player to address a number of security issues and give users a more manageable way to control web tracking. Flash Player 10.3 allows users to manage Flash cookies either through a new control panel or in browser privacy settings. Flash cookies, also known as Local Stored Objects, have made the news several times in the last few years when researchers noted that they were being used to track users’ online behavior and that they have been difficult to remove. The use of persistent Flash cookies, however, may be waning. Adobe pointed to a January 2011 report from Carnegie Mellon University, commissioned by Adobe, which found that only two of the top 100 websites were using Flash cookies. [Internet Storm Center] [ComputerWorld] [InformationWeek] [Adobe blog post

CA – OPC Publishes Fact Sheet on Web Tracking with Cookies

Data about a user’s browsing habits are collected through methods such as third party cookies (used by advertising companies to build detailed profiles for targeted advertising), Flash cookies (often used to track preferences and websites visited), super cookies (e.g. HTML 5 technology that can store data permanently) and web bugs (small, invisible images placed on a web page or hidden in an e-mail message); third party cookies involve unknown third parties and data are often collected without the user’s knowledge or consent, Flash cookies are more hidden than traditional web cookies, are often not mentioned in privacy policy disclosures, and are not impacted by web cookie opt-outs, and where super cookies are used, users are often unaware that they exist and are not provided with tools to control the information that is stored. Web privacy tools include “private browsing mode”, and add-on applications (e.g. BetterPrivacy, NoScript and Targeted Advertising Cookie Opt-Out (“TACO”)) which clear all the different forms of web cookies and web storage programs. [Fact Sheet] [FAQs

US – Judge Rules Against IP Address Linkage

A U.S. judge has ruled that a copyright holder may not force Internet service providers to hand over subscribers’ personal details. Federal Judge Harold Baker said Canadian adult entertainment provider VPR Internationale cannot seek the personal information of illegal file sharers because an IP address–which, when linked with subscriber information, can identify the owner of the Internet connection line–could falsely identify the illegal file sharer, who could be a subscriber’s family member, friend or anyone using the subscriber’s IP address. The judge described trying to identify file-sharers by IP addresses as a “fishing expedition,” which he said wouldn’t be allowed for the “purpose and intention of class actions.” [OUT-LAW News]

Other Jurisdictions 

AU – Victoria Privacy Commissioner Issues Cloud Computing Guidelines

Victoria’s Privacy Commissioner Helen Versey has warned that the cost of addressing privacy and security issues may outweigh expected capital and operational savings for agencies wanting to shift to cloud computing. Ms Versey told state government organisations they should only use cloud service providers that agree to comply with Victoria’s information privacy laws, and preferably have locally-based data centres. “Where the provider is located offshore, or even outside of Victoria, taking reasonable steps to protect personal information from misuse, loss, unauthorised access, modification or disclosure may be difficult or even impossible,” she said in a statement. “By using a cloud service, the government agency is relinquishing some — if not all — control over their data. “This includes being able to control security measures, and can present problems if something goes wrong.” There was a real problem of enforceability or remedying a breach if it occurred where data was stored in an offshore server, she concludes in an information sheet on cloud computing released today to guide agency decision-making on adopting cloud solutions. [Source

NZ – Commissioner Shroff Rolls Out Toolkit for Awareness Week

Privacy Commissioner Marie Shroff has released a toolkit for healthcare providers and consumers as part of Privacy Awareness Week. The kit contains brochures and fact sheets for consumers as well as an updated privacy reference guide, case notes and a training presentation for providers. Shroff said the patient-provider relationship is “based on confidentiality and trust,” and while providers do their best, it’s important for consumers to know their rights. “Consumers need the chance to participate in the conversation about how their health information can be appropriately managed. They need some control. And they can only do this if they know what’s going on,” she said. [Source

NZ – Survey: Organizations Need Guidance for Offshore Data Storage

Results from a survey conducted by New Zealand Privacy Commissioner Marie Shroff indicate that the public and private sectors need more guidance for the offshore storage of personal information. “The International Disclosures and Overseas ICT Survey” queried 50 businesses and government agencies about where they stored personal information; reasons for its use and storage overseas, and how it was protected. The article suggests that many organizations have controls for data in transit but no controls for information once it’s sent overseas. “If New Zealand businesses and government agencies are going to take advantage of the benefits the cloud can offer,” said Shroff, “it is imperative that privacy issues are tackled and got right.” [Source

AU – Australian Privacy Commissioner Calls For Online Security Laws

Privacy Commissioner Timothy Pilgrim is calling on companies to make sure their data protection efforts are “world standard.” Citing the breach notification laws in 40 U.S. states, the commissioner said the Australian Law Reform Commission is recommending similar regulations. Pilgrim says that while the onus is on companies to protect information online, users can do more by setting privacy settings to the strongest level. For those who feel their privacy has been breached, the commissioner will hear complaints, but, the report states, the Law Reform Commission is also asking for an “explicit right to privacy” so people can bring lawsuits. [ABC Sydney]

Privacy (US) 

US – Federal Court Endorses Warrantless GPS Tracking

The US Court of Appeals for the Seventh Circuit ruled in favor of police officers who attach GPS tracking devices to vehicles without first obtaining a warrant. The three-judge panel insisted searches of this sort do not violate the Fourth Amendment after considering the case of Juan Cuevas-Perez. On February 6, 2009, Phoenix, Arizona detective Matthew Shay attached a tracking device to Cuevas-Perez’s Jeep Laredo while it was parked on the street. He did not bother to ask a judge for a warrant. By February 8, the device had tracked the Jeep driving through Missouri. After sixty hours of use the GPS battery died so Shay had other law enforcement agencies track the Jeep to its ultimate destination in Illinois. After following Cuevas-Perez for forty miles, an Illinois State Police pulled him over for “remaining in the left-hand passing lane,” a violation almost never enforced by the department. A subsequent drug dog search uncovered nine packages of heroin. Seventh Circuit already ruled in a 2007 case that secretly installing a GPS device on a vehicle did not constitute a search because the unit provided the same information that could be had from an officer physically following the car. In light of the November US v. Maynard decision from the DC Circuit striking down GPS searches lacking judicial approval (view ruling), the Seventh Circuit judges re-examined the issue. The judges concluded that the twenty-eight-day surveillance in DC could not be compared to the sixty-hour tracking in the present case. “Unlike in Maynard, the surveillance here was not lengthy and did not expose, or risk exposing, the twists and turns of Cuevas-Perez’s life, including possible criminal activities, for a long period,” Judge Richard D. Cudahy wrote for the majority. “As the Maynard court noted, the chances that the whole of Cuevas-Perez’s movements for a month would actually be observed is effectively nil — but that is not necessarily true of movements for a much shorter period.” Lawyers for Cuevas-Perez also argued that the tracking device in this case was far more advanced than those used in prior precedents. The device was capable of sending real-time location updates every minute, whereas the systems in previous cases required physical retrieval of stored information. “We do not consider this particular advancement to be significant for Fourth Amendment purposes in general: real-time information is exactly the kind of information that drivers make available by traversing public roads,” Cudahy wrote. “The historical data gathered and stored on comparatively primitive GPS devices is actually less akin to the publicly-exposed information on which the Fourth Amendment permissibility of GPS tracking is based.” Judge Diane P. Wood disagreed with the majority’s interpretation, arguing it leaves open the possibility of mass surveillance restrained only by the financial resources of the police department. [Source

US – Spyware is Forever

Documents obtained from the FBI by the Electronic Frontier Foundation (EFF) under a Freedom of Information Act (FOIA) request say that software placed on suspects’ computers by the FBI to assist in gathering evidence in cyber crimes gathers information whenever the target’s computer is turned on. The documents obtained indicate that government officials are unclear as to the legal procedures for requesting permission to use the Computer and Internet Protocol Address Verifier software. EFF staff attorney Jennifer Lynch says the tool has proven valuable in identifying and capturing serious criminals and that in that regard “it’s an important tool to use [but] we need to get on the FBI about … using the proper authority” for installing the tool and for deactivating it once the investigation is complete. [NextGov] [US – As terrorism tips spike, collection of data raises privacy concerns

US – Google Supports Opposition to California Do Not Track Bill

Google has joined a number of other groups in opposing proposed legislation in California that would grant consumers the right to prevent companies from tracking, retaining or selling data about their online activity. The Bill passed the State Senate Judiciary Committee; it now goes before the Appropriations Committee before moving to the Senate and State Assembly. Those opposing the legislation say it places undue burden on businesses conducting online commerce. [PC World] [The Register

US – Two Companies Settle FTC Charges

The US Federal Trade Commission (FTC) said that two companies have settled changes the Commission brought against them for failing to implement adequate security controls to protect sensitive information. Ceridian, a payroll services provider, and Lookout Services, which provides immigration services software, both falsely claimed to offer adequate protection. Both companies experienced breaches that exposed sensitive personal information of consumers. The settlement agreements call for the companies to obtain third-party security audits every two years for the next 20 years. [InformationWeek

US – FTC Reaches $3 Million Settlement with Game Sites

The operator of 20 online gaming sites has agreed to a $3 million settlement with the FTC for violating the Children’s Online Privacy Protection Act (COPPA). The Playdom, Inc., settlement is the largest to date for a COPPA violation. The FTC complaint alleged that the defendants, Playdom, Inc., and its executive, Howard Marks, violated COPPA when, without notifying parents or receiving parental consent, they “collected children’s ages and e-mail addresses during registration and then enabled children to publicly post their full names, e-mail addresses, instant messenger IDs and location, among other information.” COPPA requires websites directed at children to obtain parental consent before collecting and using children’s personal information. FTC Chairman Jon Leibowitz said of the ruling, “Let’s be clear: Whether you are a virtual world, a social network or any other interactive site that appeals to kids, you owe it to parents and their children to provide proper notice and get proper consent. It’s the law, it’s the right thing to do and, as today’s settlement demonstrates, violating COPPA will not come cheap.” [Source]

RFID 

US – N.J. Unveils Enhanced Driver’s License

With the backdrop of airline passengers presenting driver’s licenses at security checkpoints to board airplanes, state officials unveiled the new Enhanced Digital Driver’s License that they say puts New Jersey among the top 10 states with the most secure document. The new license will once again allow drivers to renew their licenses by mail or online once during an eight-year renewal cycle, instead of having to do it in person at a Motor Vehicle agency. But that convenience will not be at the expense of security. Many of the security enhancements meet federal requirements and are undetectable by drivers, but can be spotted by law enforcement and other trained people, including Transportation Security Administration officers at airports, he said. The new license, which will be issued to drivers at their next license renewal, is now being implemented at the MVC’s 39 agencies through a computer upgrade and the MVC’s ability to use facial-recognition technology to fight fraud. It is the end result of a $19 million program to upgrade the MVC’s computer systems, agency hardware and software in order to roll out the new license. The new technology will be used to scan the MVC’s 16 million records for any duplicate licenses a person may hold and to detect fraud. Martinez said the new license meets federal standards and is considered in the top 10 for secure documents. Motorists will still need to present six pieces of identification when the apply for a license, but once those documents are in the database, a driver won’t need to present them at the next renewal. The new licenses are almost identical in appearance to the state’s original digital driver’s license, which was implemented in 2004. Dow said the enhanced license is a key tool to fight crime ranging from identity fraud to terrorism and gang activities because a valid driver’s license is a gateway document for identification and other purposes. [Source]

Security 

US – White House Issues International Cyberspace Strategy

The White House has released the text of its International Strategy for Cyberspace. Last week, the administration sent Congress a proposal for a reworking of securing domestic networks. The International Strategy says “The United States will pursue an international cyberspace policy that empowers the innovation that drives our economy and improves lives here and abroad. In all this work, we are grounded in principles essential not just to American foreign policy, but to the future of the Internet itself.” [NextGov] [Whitehouse.gov]

Surveillance 

US – FBI Reluctant to Identify ISPs Participating in Surveillance Programs

The FBI says it does not want to divulge the names of telecommunications and internet service providers that help US law enforcement agencies by supplying user information without warrants because customers would become angry with the companies and cancel their service or even file lawsuits. A top FBI official made the statement in a court declaration arguing against having to provide the information under a Freedom of Information Act (FOIA) request from the ACLU. The official also noted that the companies might also be upset if they were identified. [Source] [ACLU] [ACLU] [ACLU

US – PC Rental Company Used Webcam to Take Pictures of Customers Remotely

A Wyoming couple has filed a lawsuit against a store through which they had a rent-to-own computer agreement. The suit alleges that the store spied on them. Crystal and Brian Bird discovered that someone at the store had used remotely activated software to take a picture of Brian when a store employee came to their home and attempted to repossess the computer. The lawsuit also names the company that developed the software allegedly used to take the picture. Evidently a picture was taken each time the couple received a pop-up reminder to register their software. The Byrds are seeking class action status for their lawsuit. [Source] [Source] [Source

AU – Taxi Plan to Record Conversations to Boost Security Alarms Civil Libertarians

Every word uttered in a cab could soon be recorded and stored under proposed State Government changes to the operation of taxi security cameras. Simply opening the door or starting the meter would activate the recording of trips in an industry that claims to transport 90 million passengers in Queensland each year. The move has alarmed civil libertarians, the state Opposition and even concerned some members of the taxi industry. Queensland’s Privacy Commissioner Linda Matthews, who was not consulted about the proposal detailed in a Transport and Main Roads’ discussion paper, said there would be no such thing as “an anonymous taxi ride” once audio recordings were introduced. “The public would want to be reassured the record is used for genuine law enforcement purpose and the protections that are in place should be sufficient. I guess time will tell,” she said. [Source

KE – Kenya: NCIC Snooping on Your Text Messages

The Kenyan National Cohesion and Integration Commission (NCIC) has revealed that it has been snooping on Kenyans’ text messages for the past one year, looking out for hate speech. NCIC Commissioner Halakhe Waqo said the move was aimed at sustaining harmonious relationships among Kenyans as well preventing tribal conflicts in the future. He argued that the overriding need to facilitate integration in the country superseded the right to an individual’s privacy as it risked threatening national security. “Yes, we do recognise that privacy is very important for an individual but public security and safety is much more important. We want to pin down that breach in public safety and security,” he said. Commissioner Waqo further explained that NCIC had been partnering with mobile service providers as well as security agents in the country to facilitate the scrutiny. He added that the NCIC would also broaden its partnerships with other like-minded institutions in order to promote harmony. The NCIC further said that it would soon release a detailed report of its findings on the SMS survey. [Source

CA – Street Cams Get Committee’s Nod

Ten police cameras are on track to become permanent in Winnipeg’s core. Winnipeg police Chief Keith McCaskill told council’s protection and community services committee the closed-circuit television cameras have helped officers investigate serious crimes, including one homicide. Winnipeg police installed 10 closed-circuit television cameras in six high-crime locations downtown in January 2009 as part of a $440,000 pilot project to deter crime, collect video evidence and increase public safety. McCaskill said “it’s debatable” whether the cameras deter crime, but he noted they have been a valuable tool when officers need to collect video evidence. During the project, officers requested video for 39 events, and of those, 22 videos were downloaded and used as evidence in court. That’s just a fraction of the total number of violent-crime incidents, according to a report released last week that found 1,843 incidents were reported within 250 metres of cameras during the project. Council’s protection and community services committee voted in favour of making the closed-circuit cameras permanent and gave the Winnipeg Police Service the go-ahead to hire a technologist to maintain the equipment. Police will absorb the $129,898 cost of the technologist in their existing budget this year, but will request the additional amount on an ongoing basis, starting next year. Executive policy committee and city council still need to vote on the plan. [Source]

Telecom / TV 

US – Senate Panel Grills Apple, Google on Location Data

Executives from Apple and Google told lawmakers that users have control over information used to pinpoint the location of iPhones and smart phones running Google’s Android software. The hearing by the Senate Judiciary Subcommittee on Privacy, Technology and the Law follows Apple’s recent admission that its popular iPhone stores data used to help the device locate itself for up to a year. Apple also said that a software bug has caused iPhones to continue to send anonymous location data to the company’s servers even when location services on the device were turned off. Sen. Al Franken, D-Minn., who chairs the Senate Judiciary Subcommittee, challenged executives from both companies to require all outside apps developers that make programs for their mobile platforms to adopt formal privacy policies. Tribble said Apple believes that privacy policies alone are not enough. He explained that privacy needs to be baked into products — for instance, in the form of clear on-screen disclosures that notify users how their personal data is collected and tools to control that data collection. Davidson said he would bring the suggestion back to Google’s top executives. [Source] See also: [Google destroys Aussie Wi-Fi data

US – FTC Statement on Protecting Mobile Privacy

Several cases brought by the FTC demonstrate the applicability of section 5 of the FTC rules to the mobile area, e.g. a company was charged with deceptively endorsing mobile gaming applications by posting positive reviews of the apps and giving the impression that the reviews came from disinterested users (when in fact they came from the company itself), and the sender of over 5 million unsolicited text messages was found to have engaged in deceptive and unfair practices; the FTC has also brought allegations against companies for having deceptive privacy notices (e.g. a company collected information from mobile users to generate its social networking site and made associations with the users’ frequent email contacts, all without the users’ consent) and insufficient technical safeguards (e.g. a social networking site failed to secure its users data, allowing hackers to obtain unauthorized administrative control of the site and access to users’ mobile phone numbers). Mobile devices can facilitate data collection among many entities and allow companies to collect users’ data over time to reveal habits and patterns; to protect the privacy and security of users’ data on mobile phones, companies should provide stream-lined privacy choices (these should be readable and accessible on a mobile phone’s screen), and not collect or retain more data than needed to provide a requested service or transaction. [Source]

EU – Telecom KPN Denies Violating Privacy Rules By Using DPI

On Friday, Dutch telecommunications provider KPN denied it violated the terms and conditions of its contracts when it used deep packet inspections (DPI) to view the Internet activity of its customers. The company “came under fire” on Thursday after it revealed it uses DPI to find out if customers use instant messaging applications. A spokesman for a civil rights organization said it is “theoretically possible” to read the mail’s content when using DPI. KPN said an internal investigation “found no wrongdoing,” but the company would cooperate with an external investigation. [The Wall Street Journal]

US Government Programs 

US – California Utility Commission Proposes SmartMeter Privacy Rules

A proposed ruling by the California Public Utilities Commission would impose privacy rules on home device platforms that automatically use smart meter data. The ruling would require the state’s three big utilities to impose tariffs on third parties that request certain customer utility data, the report states, and would require them to impose CPUC’s privacy guidelines on those parties. Utilities using home device platforms that don’t automatically transfer utility data to a third party would be required to provide those customers with information on potential uses of their data. The utilities have three months to establish tariffs. [Source: GigaOM] See also: [European Commission - Communication From The Commission To The European Parliament, The Council, The European Economic And Social Committee And The Committee Of The Regions - Smart Grids: From Innovation To Deployment]

US Legislation 

US – Obama Offers Breach Notification Bill

The Obama administration has proposed adoption of a federal data breach notification policy that would supersede the divergent laws now in effect in most states. The policy is a component of a comprehensive cybersecurity legislative agenda that the White House unveiled this week. The proposed policy would not apply to healthcare organizations and their business associates that already must comply with the HITECH Act breach notification rule, which has similar requirements. Otherwise, the policy would apply to for-profit and not-for-profit business entities that engage or affect interstate commerce and use, access, transmit, store, dispose of or collect sensitive personally identifiable information about more than 10,000 individuals during any 12-month period. The policy would require the reporting of security breaches to the FTC, and the individuals affected, within 60 days unless there is no reasonable risk of harm or fraud. The FTC can grant a business entity an extension of up to 30 days to allow time for the entity to conduct further investigation. The proposal defines a breach as a “compromise of the security, confidentiality or integrity of, or the loss of, computerized data” that results in “unauthorized acquisition of sensitive personally identifiable information or access to that information that is for an unauthorized purpose.” The proposed policy would include two major exemptions, or safe harbors. A business would be exempt from the notification requirements if it conducted a risk assessment that concluded that there is no reasonable risk that a security breach has harmed individuals whose sensitive personally identifiable information was subject to the breach. Also, a breach would not have to be reported if the data were rendered unusable, unreadable or indecipherable through a security technology or methods generally accepted by IT security experts. The FTC would be responsible for enforcement, along with state attorneys general, who could take civil action against violators. Civil penalties would total up to $1,000 a day per individual affected by a breach, up to a maximum of $1 million a violation unless such conduct is found to be intentional. Besides notifying the FTC and individuals affected, businesses would have to notify the local news media if more than 5,000 individuals were affected by the breach within any state. For these larger breaches, businesses also would have to notify national credit reporting agencies. [Source] See also: [New Zealand Row brewing over privacy ‘crime’ ] [HHS - Office of the National Coordinator for Health Information Technology - Federal Health Information Technology Strategic Plan 2011-2015

US – Sen. Rockefeller Announces Anti-Online-Tracking Bill

The head of the Senate’s powerful commerce committee said he’ll introduce a bill that forces online advertising and tracking companies to let users easily opt out of online tracking. Chairman Jay Rockefeller (D-West Virginia) said the bill, to be introduced next week, will create a “universal obligation for all online companies” to not track people who set a browser flag or cookie saying they don’t want to be tracked. Rockefeller’s move complements a recent privacy bill introduced by Sens. John Kerry (D-Massachusetts) and John McCain (R-Arizona) that would enshrine a consumer bill on online rights, though it does not explicitly say that companies must obey the so-called ‘Do Not Track’ flag. According to Rockefeller, the bill will empower the FTC to go after companies that disobey the flag. Companies can collect info needed for their service to work from users who set the flag, but must destroy it or anonymize it once it’s no longer needed. While Rockefeller promises the bill will be universal, it’s not clear how any such legislation could apply to companies outside the United States. Critics of the Do Not Track idea argue that it’s still unclear what counts as tracking and that mass adoption of the setting will harm innovation on the web, as many services and publications rely on the higher payouts of targeted ads to provide free information and services to users. [Source] See also: [Innovation in online advertising: Mad Men are watching you

US – Do-Not-Track Bill Gets State Senate Hearing

California Sen. Alan Lowenthal (D-Long Beach) gave testimony to the Senate Judiciary Committee on his proposed do-not-track bill, SB 761. If passed, the bill would enable Internet users to opt out of being tracked by websites; require businesses to disclose how tracked data is being used, and subject violators to civil action for damages. Lowenthal was joined by three witnesses in support of the legislation, but several witnesses were present to oppose it, saying it would hurt business and the job market. [Source

US – Lawmakers Propose Expansion to COPPA

Reps. Ed Markey (D-MA) and Joe Barton (R-TX) have presented a draft of their Do Not Track Kids Online Bill that proposes to ban behavioral targeting to minors–users under 18—and limit the collection of teens’ information to those companies that adhere to Fair Information Practice Principles. The bill would also broaden the definition of personal information under the Children’s Online Privacy Protection Act (COPPA) to include “unique identifiers, IP addresses and anything that permits the identification of a computer.” A recent study by Carnegie Mellon researchers found that only 22 ad networks out of 58 that belong to the self-regulatory group Network Advertising Initiative stopped collecting tracking data after users opted out. [MediaPost News

US – Texas Bill Bans Patient Record Sales

Privacy advocates say that State Rep. Lois Kolkhorst’s (R-District 13) bill aiming to protect Texans’ healthcare privacy is a vast improvement over federal law. The bill would ban the sale of Texans’ healthcare records and notify them when their electronic health records have been transferred, the report states. Penalties for noncompliance would carry fines of up to $3,000 per violation with up to $1.5 million in legal damages. Opponents say the bill will stifle business. Kolkhorst says the bill, which will see a final vote in the house this week, “is to protect your health records as we move into the electronic age.” [The Texas Tribune

US – Calif. Bill Protects Customers’ Reading Records

Government agencies would have to get a warrant or court order to obtain customers’ reading records from bookstores and online booksellers, under a bill approved by the California Senate. The legislation by Sen. Leland Yee is patterned after similar privacy protections that currently are in place for library records. The bill, SB602, passed the Senate unanimously and without debate Monday. It now goes to the Assembly. Yee, a Democrat from San Francisco, says digital book services can collect details about the books readers browse, even the notes they write in the margins. His bill is supported by the American Civil Liberties Union, Electronic Frontier Foundation and Google, among others. There was no registered opposition. [Source]

+++

 

16-31 April 2011

Biometrics

EU – EU Parliament Issues Report on Biometrics and Human Rights

The broad scope of biometrics and member states’ rapid deployment of the technology for multiple purposes (e.g. immigration control, crime fighting and access control) requires that member states immediately address any legal issues relating to biometrics and increases the need for clarity in the existing European legal framework (e.g. there is no generally accepted definition of “biometric data” and “second generation” biometrics such as heart rate measurements, brain activity patterns and pupil dilation cloud the general understanding of “personal data”); two of the biggest challenges are the risk of falsification (e.g. due to technical imperfections, lighting conditions, insufficient training of operators, bodily growth or change) and security issues (e.g. identity theft, unauthorised modification, tampering, improper disclosure). Primary concerns include unnecessary collection, collection without the data subject’s consent, and scope creep (e.g. the opening of databases that would allow government monitoring of individuals; biometric technology is capable of revealing a person’s racial origin, medical status (e.g. iris scans can reveal diseases unknown to the individual), or identity (e.g. gender change), which can impact job opportunities or insurance coverage. [Source: Council of Europe Parliamentary Assembly - Report of the Committee on Legal Affairs and Human Rights - The Need for a Global Consideration of the Human Rights Implications of Biometrics

EU – French CNIL Approves Fingerprint Use on Computers

This single authorisation for fingerprint readers on notebook or laptop workstations enables companies who use such readers (with the same categories of data and recipients) to indicate a commitment to comply with the authorisation, rather than seeking an individual permit from the CNIL before processing the biometric data. The template shall be exclusively stored on the computer notebook workstation owned by that user and whose content cannot be read without his knowledge (the fingerprint can only be used for access control, and not to control working time of the user). Technical requirements include only storing an encrypted template of the fingerprint that cannot be retraced to the original biometric (an image or photograph of the fingerprint cannot be stored), only allow enrolment on the user’s workstation, never allowing the template to flow over a network, and systematic erasing of the templates during notebook maintenance operations. Only persons in the computer security department can receive personal data in the course of their responsibilities (personal data is limited to user ID, password and template), and the fingerprint template can only be retained for the duration of time that the user is entitled to access his workstation (other data can be kept for a maximum of 5 years after the user’s departure). [Source: Commission Nationale de L’informatique et des Libertes - Single Authorisation No. AU-027 - Decision No. 2011-074 of 10 March 2011 Authorizing Unique Implementation of Biometric Devices Based on Recognition of Fingerprints

US – NY Mayor: Put Fingerprints on Social Security ID

Mayor Michael Bloomberg says he’s in favor of putting people’s fingerprints on Social Security cards. Bloomberg says such biometric identification cards would make it easier for employers to judge whether someone has legal permission to work in the U.S. He says it would reduce the supply of work to illegal immigrants, leading fewer to enter the country. Critics have said that such a system would raise cost and privacy concerns. Bloomberg was one of several politicians who discussed immigration issues this week with President Barack Obama. Bloomberg’s immigration reform group, the Partnership for a New American Economy, supports bringing more immigrant workers and entrepreneurs into the country. [Source: Wall Street Journal]

E-Government 

US – Recent Govt. Data Breaches Pose Privacy Risk

The Social Security Administration continued making public the full names and SSNs of tens of thousands of people three years after it first learned it was putting citizens’ privacy at risk, according to a new report by the agency’s inspector general. The information, which also included the ZIP codes and dates of birth of 63, 587 living people, was erroneously included in the agency’s Death Master File (DMF). Nevertheless, the agency continued selling the file to the public. The agency “continued to publish the DMF with the knowledge its contents included the PII of living numberholders,” the report found. The inspector general recommended that the SSA take additional precautions to limit such privacy breaches in the future, but “the agency disagreed with both recommendations,” according to the office’s report. The report does not mention what those recommendations were because the version made available to the public was merely a summary. The full version was given to authorized officials only. [Source]

Electronic Records 

US – HHS Told to Standardize Consent, Privacy in E-Health Record Exchanges

A group of healthcare CIOs have said the Health and Human Services (HHS) Department’s plan for health IT “doesn’t go far enough in standardizing the ways in which patient consent for release of personal health information would be managed.” The college of Healthcare Information Management Executives has submitted a letter asking for “greater uniformity in healthcare data privacy laws from state to state” and standards for healthcare privacy to apply nationally. HHS released its Federal Health IT Strategic Plan in March. It calls for meaningful use of e-health record systems. Meanwhile, two Maine legislators recently proposed a bill to make Maine’s electronic records system opt-in. [Source] See also: [Is health care security in intensive care?] [US – Chicagoland Hospitals Plan Big Health Information Exchange]

Encryption 

WW – Hiding Files on Hard Drives Without Encryption

Researchers have devised a method of hiding data on hard drives without using encryption. The technique allows a 20-megabyte message to be hidden on a 160-gigabyte hard drive. The technique involves storing clusters of the file to be hidden in places on the disk determined by a code, which would need to be known by the person receiving they disk. To an inspector, the disk would look like any other disk on which data have been stored and deleted in the course of regular use. The technique works as long as none of the files on the disk are modified before it reaches its destination. There are instances in which encryption is not desirable, because the extra data it creates are a giveaway that there’s something to be found. This could be the case when someone is trying to smuggle information out of a country with a repressive government. [Source]

EU Developments 

EU – German Lawmakers Say Data Retention Directive May Be Illegal

The German Parliament said that the European Commission’s controversial Data Retention Directive may be illegal. The directive requires European communications service providers to retain data for up to two years identifying the source, destination, date, time and duration of communications, along with the equipment used, and, for mobile telephony, the location of the equipment. The directive applies to phone calls and e-mail or text messages, although not their contents. A report from the Bundestag’s Working Group on data retention said that it would be impossible to rephrase the directive to make it compatible with the E.U. Charter of Fundamental Rights. The legal experts said that the law is disproportionate in the measures it requires to fight crime, as data retention increases the crime clearance rate only slightly. “This marginal increase in the clearance rate by 0.006 percent could raise doubts about whether the provisions in their current form would stand their ground under a proportionality review,” said the report. European Data Protection Supervisor Peter Hustinx has described the directive, introduced in 2006, as “the most privacy invasive instrument ever adopted by the European Union.” “The principle of proportionality is binding on any state governed by the rule of law,” added Kai-Uwe Steffens of the Bundestag’s Working Group. “Therefore the Federal Republic of Germany must work towards outlawing data retention within the E.U.” “The E.U. must abort this experiment immediately and replace the completely disproportionate blanket collection of the entire population’s communications records with an instrument for preserving the data of suspects,” said Uli Breuer of the Bundestag’s Working Group. Later this year, the European Court of Justice (ECJ) will rule on the constitutionality of the principle of data retention, after a referral from the Irish High Court. [Source

EU – European Commission Issues Evaluation Report on the Data Retention Directive

The Data Retention Directive obliges Member States to adopt measures to ensure that data is retained and available for the purpose of investigating, detecting and prosecuting serious crime (as defined by each Member State in its national law) however, variations have emerged (e.g. Bulgaria and Estonia have defined “serious crimes” and other Member states e.g., Belgium and Denmark require data to be retained in relation to all criminal offences), it also specifies the categories of data to be retained (namely data necessary for identifying with respect to communication source, destination, date, time and duration, type, user’s equipment and location of mobile equipment) – twenty-one Member States provide for the retention of each of these categories of data in their transposing legislation (Belgium has not provided for the types of telephony data to be retained, does not have any provision for internet-related data) and the Directive requires that the categories of data must be retained for at least six months and not more than two years, but there is no consistent approach across the EU, e.g., fifteen jurisdictions specify a single period (e.g., Poland – 2 years, Latvia 1.5 years) and three specify six months (e.g. Bulgaria, Denmark, Estonia and Greece). The Romanian, German Federal Czech Constitutional Court annulled the laws transposing the Directive into their respective jurisdictions on the basis that they were unconstitutional (the Romania Court found the transposing law to be ambiguous in its scope and purpose, the German Federal Court said that data retention generated a perception of surveillance which could impair the free exercise of fundamental rights and the Czech Court held that the purpose limitation was insufficiently narrow given the scale and scope of the data retention requirement). The Article 29 Working Party criticizes data logging, periods of retention, the types of data retained and data security measures and the European Data Protection Supervisor has called on the EU to adopt a comprehensive legislative framework which regulates how Member States use the data for law enforcement purposes. A revision of the current data retention framework will be proposed and a number of options will be devised in consultation with law enforcement, the judiciary, industry and consumer groups, data protection authorities and civil society organisations. [Source

EU – Dutch Data Protection Watchdog Criticizes Google Over Wifi Info Collection

The Dutch data protection watchdog criticized Google for collecting data on private wireless networks, ordering it to contact 3.6 million Dutch WiFi owners and offer them a way to have their data deleted. The Dutch Data Protection Agency (DPA) slammed Google’s Street View service for collecting personal data from unencrypted WiFi networks, a practice Google has halted and apologized for. Peter Fleischer, Google’s Global Privacy Counsel, said in a statement that the company never inspected or used the data. But the bureau said Google’s current use of WiFi locations still amounts to gathering personal information. Google spokesman Mark Jansen denied that, saying that it can’t identify people from their WiFi alone. Jansen said Google was studying the Dutch decision. The company has three months to comply, appeal or face escalating fines. Last month, France’s privacy watchdog fined Google €100,000 ($143,000) for improperly gathering and storing data for its Street View application, which allows Internet users to virtually tour locations on a map at ground level. More than 30 countries have complained about such data-gathering by Google Inc. [Source] [Available in Dutch

EU – Article 29 WP Issues Opinion on Smart Metering

Directive 95/46/EC applies to personal data (“PD”) in a smart meter (e.g. the device enables an individual to be singled out from other consumers, information collected is used to make a decision, other than for billing purposes, affecting the individual, and achieving an objective of reducing energy consumption is dependent on the collection of large amounts of information about consumers’ behaviour); the numerous organisations involved in the processing of smart meter PD (e.g. energy suppliers and network operators, regulatory bodies, third party service providers and communications providers) can all, under certain circumstances, be defined as a data controller (e.g. when a regulatory body has access to data for policy setting and research purposes). Privacy by design must be utilized in terms of security measures (e.g. prevention of unauthorised disclosures or modification of PD and effective authentication of recipients), and minimising the amount of PD processed (e.g. through filtering or removal). Consent as a legitimate ground for data controllers’ PD processing is valid only when it is based on an informed decision by the data subject, and must be revocable; consumers could be allowed to make their own decisions regarding retention of PD (e.g. holding data on the meter itself or gateway device and being provided with “housekeeping” reminders). Consumers must be advised of the nature of smart meter operations and their privacy rights (e.g. one meter currently being tested does not have a display sufficient to be used for a subject access request as it will neither allow the customer to access the information already transmitted by the meter nor display the load graph stored inside the meter). [Source: Working Paper 183

EU – Article 29 WP Opines on EU Data Breach Framework and Future Policy Dev’ts

The Article 29 Working Party (“WP29”) provides recommendations for consideration in the area of data breach notification; it supports the introduction of a provision in the General Directive that extends personal data breach notification obligations to all data controllers (currently, the ePrivacy Directive only obligates providers of electronic communication services to provide such breach notification) and the European Commission should rely on the same core elements as in the ePrivacy Directive (it would be counterproductive to apply different ones to data controllers other than providers of electronic communication services, and the rules contained in the ePrivacy Directive reflect the views of the different stakeholders and represent a balance of interests). The WP29 notes that a harmonized framework should take into consideration experience being gained by national authorities already experimenting with personal data breaches; the Commission should, as soon as possible, conduct a survey of early practices that are being developed by competent authorities and propose implementing measures based on collected feedback (late intervention would increase risk of establishing permanent diverging approaches by Member States), standardize the circumstances under which a personal data breach should be notified, set forth the procedure to follow in case of a data breach (e.g. more concrete deadlines for notification of the breach to the authorities and concrete procedural steps, which could include a requirement to enlist forensic investigators in order to ascertain the facts and circumstances surrounding the breach), develop a standard EU format to be used when notifying (notifications to competent authorities should include, at the least, a description of the breach, effects of the breach and measures taken/proposed) and determine allowed modalities for serving notices to individuals (will notifications be permitted by means of email, telephone notification, newspapers etc.). The rules should allow space for the judgement of competent authorities in the light of the circumstances of each case; they should provide guidance as to the technological protection measures which, if applied and depending how they were applied, would create an exemption from notification. [Source: Working Paper 184

EU – Member States React to Commission Data Retention Ruling

MEPs are opposing the European Commission on its recent ruling against five member states that have not adequately adopted the Data Retention Directive of 2006. Under the current legislation, countries can retain “swathes” of telecommunications data for a period of six months to two years. MEPs from Germany, Austria and Sweden–all of which face fines—are pushing for shortened data retention periods, or “quick freezes,” and more targeted searches. Constitutional courts in the Czech Republic and Romania declared the directive violates Article 8 of the European Convention of Human Rights. One MEP from Germany explained, “There is no evidence that the far-reaching retention of data has led to any concrete results beyond compromising civil liberties.” [Source

EU – Interactive Advertising Bureau Issues Self-Regulation for Online Behavioural Ads

A self-regulatory online behavioural advertising (“OBA”) framework for Europe provides a set of 7 principles and use of a behavioural ad icon; principles include notice (e.g. for third parties and web site operators) to consumers regarding data collection and use practices for OBA, user choice (e.g. explicit consent must be obtained for data used for OBA that is collected and used via specific technologies that harvest data from URLs traversed by a particular computer across multiple web domains), data storage (e.g. retain data only for as long as necessary for business needs or as required by law), and sensitive segmentation (e.g. do not create data segments for OBA that target children); signatory companies (including Yahoo!, Google and Microsoft) and associations must comply with the framework by June 30, 2012, which includes provisions for an icon to be placed in or around an ad targeted using behavioural data and an opt-out mechanism for consumers. Members subject to the user choice over OBA principle must submit to independent audits of their self-certification to demonstrate their framework compliance (e.g. they must publish decisions of un-rectified non-compliance and findings of good compliance); consumer complaints handling programmes under the framework must be easily accessible and available in consumers’ local language. [Source] [Source] [FAQ and Framework] See also: [Submission on the Comprehensive Strategy on Data Protection in the European Union - Federation of European Direct and Interactive Marketing

EU – EU and U.S. Differ on Passenger Data Sharing

Bloomberg reports on the differing views between the EU and U.S. on the collection of air passenger data. “The U.S. wants to collect data on anyone suspected of crimes carrying sentences of more than a year,” while the “EU wants data to be handed over only in individual cases related to fighting terrorism and organized crime,” the report states. The amount of time data can be stored should be restricted, the EU says, as should third-party access. However, the U.S. wants the data stored for 15 to 20 years. The U.S. will have to enter agreements with individual member states if an agreement with the EU cannot be reached. [Source]

Facts & Stats 

US – Verizon 2011 Data Breach Investigations Report

According to Verizon’s 2011 Data Breach Investigations Report, the number of data breaches resulting from cyber attacks increased, but the total number of compromised records from breaches decreased. The number of records compromised in breaches dropped precipitously over the last two years from 361 million in 2008 to 144 million in 2009 down to just 3.8 million last year. The number of breaches in which these records were compromised, however, rose from just 141 in 2009 to 760 last year. One explanation for the apparent contradiction is that there have been fewer large breaches and more attacks on smaller companies. 92% of the attacks were launched by outsiders, an increase of 22% over statistic in last year’s report. The report notes a shift toward attacks on smaller companies that “haven’t taken basic security considerations into account,” according to Verizon. Also, the attackers appear to be stealing less information, perhaps in an effort to avoid attention. Physical attacks, like ATM and gas pump skimmers, made the top three methods of data theft for the first time. [Source] [Source] [Source] [Report

WW – IT Study Reveals Same Challenges, Accelerated Pace

A survey of 2,400 IT security specialists from around the world shows compliance, governance and information security management at the top of their priorities for the remainder of 2011. The study, conducted by not-for-profit IT security association ISACA, found that the complexities of the IT landscape are accelerating due to new technologies and regulations as well as an increase in data breaches. Tony Noble, a member of ISACA’s guidance and practice committee, notes that this year’s survey shows a need to better align “business with IT to unlock greater value,” adding that there’s a perception on the business side of organizations that “IT is managed in a silo.” [Source

US – Despite Breaches, Consumers Dish Out Data

Consumers continue to share their personal information with online retailers and social networks despite the frequency and size of breaches involving sensitive data, reports the Associated Press. Jim Dempsey of the Center for Democracy and Technology says that, as consumers, we are “schizophrenic” about technology in that, “We love it, we use it…we’ve woven it into our daily lives professionally, socially and personally. But we don’t really trust it, and we get upset when our data is lost or stolen.” According to the Privacy Rights Clearinghouse, more than half a billion records have been exposed in the past six years, the report states. [Source] [NYT Blog

UK – Numbers Show Many Data Breaches, Few Fines

Of the 2,565 data breaches identified by the Information Commissioner’s Office (ICO) since April 2010, “only 36 have resulted in a punishment–and only four have resulted in financial penalties,” according to The Guardian. An ICO spokesman said getting organizations to comply with the Data Protection Act “isn’t always best achieved by issuing organizations or businesses with monetary penalties.” Just this week, the ICO announced breaches at Norwich City College and NHS Birmingham East and North. A Christchurch nurse was also found guilty of misconduct for inappropriate access of medical records. The ICO’s acting head of enforcement said, “organizations have a legal responsibility to abide by the principles of the DPA.” [Source

EU – Kids Not Using Privacy Settings

Many children using social networking sites don’t employ privacy settings, making them vulnerable to stalkers and other risks, according to EU Commissioner for the Digital Agenda Neelie Kroes. EU data shows 77% of 13 to 16 year olds and 38% of nine to 12 year olds are on social networks, but 25% don’t use privacy settings, and many display phone numbers and addresses. “These children are placing themselves in harm’s way, vulnerable to stalkers and groomers,” Kroes said. She is urging social networking sites to make minors’ profiles accessible only to designated “friends” by default. [Source]

Finance 

WW – Poll: 67 Percent of PCI-Regulated Companies Not Compliant

In a survey conducted by the Ponemon Institute, 67% of PCI-regulated companies lack full compliance with the standard; 50% of security professionals view PCI as a burden, and 59% do not believe it helps with security. The survey also found an increase in the number of data breaches since 2009, with non-PCI compliant companies experiencing more data breaches than PCI-compliant ones. The study found little connection between PCI-related expenditures and compliance levels. Imperva’s director of security strategy noted, “In a somewhat counterintuitive manner, those organizations (that) suffered no breaches are not necessarily those who spent the biggest budget.” [Source

CA – Software Glitch Kills Electronic Stubs for Federal Workers’ Paycheques

A mysterious security breach has shut down the federal government’s online pay system, affecting some 320,000 public servants. The system was pulled offline for “urgent” repairs on April 4 after officials discovered the privacy of eight account-holders had been breached. Pay is still being deposited as scheduled in employees’ bank accounts. But electronic paystubs with information about basic salary, overtime, bonuses, reimbursement of travel expenses and other key data has been unavailable for more than two weeks. The glitch affects virtually every federal department, from Health Canada to Public Works itself, which operates the self-serve online system for all government employees. A spokesman said it’s still not known when the problem will be rectified. Last spring, Auditor General Sheila Fraser reported that Public Works had completed an internal risk assessment that found the department’s pay and pension systems “were close to imminent collapse, and compensation specialists were leaving as a result.” Fraser noted the department had begun a project to modernize its systems, though she did not audit them. On the other hand, Public Works last year completed a so-called privacy impact assessment on its online paystub service that found it was at low risk of breaching workers’ privacy. The assessment was approved by the privacy commissioner’s office. [Source]

FOI 

CA – IPC ON Issues Fact Sheet on Applying PHIPA and FIPPA/MFIPPA to PHI

Certain provisions within the Freedom of Information and Protection of Privacy Act (“FIPPA”) and its municipal counterpart, the Municipal Freedom of Information and Protection of Privacy Act (“MFIPPA”), apply to personal health information (“PHI”) in the control of an organization defined as both a health information custodian (“HIC”) under the Personal Health Information Protection Act (“PHIPA”) and as an institution under FIPPA or MFIPPA (e.g. hospitals); the head of an institution is required to disclose any record if there are reasonable grounds to believe it is in the public interest to do so (e.g. that present a grave environmental, health or safety hazard to the public). FIPPA and MFIPPA contain provisions for permitted disclosures (e.g. to aid a law enforcement investigation), mandatory exemptions from disclosure (e.g. cabinet records, confidential information from other governments, or a trade secret), and discretionary exemptions from disclosure (e.g. where a disclosure could prejudice the conduct of intergovernmental relations or the defence of Canada or an ally). PHIPA does not limit a person’s right of access to PHI under FIPPA or MFIPPA if all PHI is reasonably severed from the record; there are provisions within FIPPA and MFIPPA that permit a HIC to refuse access to a record (e.g. where records could interfere with a law enforcement matter, prejudice the economic interests of an institution, or are subject to solicitor-client privilege). [Source]

Health / Medical 

CA – Don’t Shred Documents, McGuinty Tells Hospitals

Hospitals should ignore a major law firm’s advice to “cleanse” sensitive documents from their files to prevent the emergence of spending scandals like the one at eHealth Ontario, Premier Dalton McGuinty says. The advice from Osler, Hoskin & Harcourt LLP was aimed at keeping hospitals out of trouble starting in January, when they become subject to freedom-of-information laws, but it ended up causing more problems for McGuinty’s Liberal government as it prepares for the Oct. 6 provincial election. The memo from the law firm went out Oct. 22 but after media reports exposed it this week, the Ontario Hospital Association issued a cautionary note to its members. “The first principle for the OHA — and for the law firms that are actually assisting us in preparing hospitals for FOIPPA (Freedom of Information and Protection of Privacy Act) — is that the spirit and the letter of FOIPPA must be adhered to at all times, period,” it said. “To do otherwise would undermine public confidence in hospitals and our health-care system.” In its controversial four-page memo, the law firm said hospitals face “significant reputational risks” from freedom-of-information law, specifically mentioning the eHealth example and advising hospitals to consider “cleansing existing files on or before Dec. 31, 2011, subject to legislative record-keeping requirements.” The memo also warned that hospital staff should be aware their expenses, procurement of supplies and services, decision-making and emails will be subject to freedom-of-information requests in the new year. Health Minister Deb Matthews said any inappropriate shredding would be “completely unacceptable.” [Source

EU – Swedish DPA Says Hospital Data-Sharing Unlawful

Sweden’s data protection authority has ruled that a hospital’s failure to provide patients with the choice to opt out of the sharing of their medical and other data via an electronic health records system violated the law. The Data Inspection Board ruled April 18 that the sharing of patient records requires consent by the Patient Data Law, and Stockholm’s Karolinska University Hospital’s method of consent did not meet those requirements. The hospital belongs to a data-sharing network that allows database access to both public- and private-sector healthcare providers. (Article in Swedish). 

US – Breach List Grows, Encryption is Key

The Office for Civil Rights’ (OCR) list of major healthcare breaches—those affecting at least 500 individuals—h s grown to 265 incidents affecting 10.8 million. In the past month, 16 breaches were added to the list, including the Health Net and Eisenhower Medical Center incidents that totaled 1.9 million and 514,000 individuals, respectively. The report suggests these cases have highlighted the need for encryption, which one security expert calls “the single best way to protect sensitive data.” Under HITECH, healthcare facilities with major breaches are required to report them to the OCR within 60 days; however, breaches of data encrypted “using a specific standard” do not need to be reported, the report states. [Source]

Horror Stories 

WW – Reports: 77 Million PlayStation Network Accounts Compromised

According to Sony, hackers obtained users’ names, addresses, e-mail addresses birthdates, and account login and password, and may have also taken users’ security questions and answers. If you set up a sub-account for your child, that information may also be in hackers’ hands. Reuters and other news outlets are reporting that in all, as many as 77 million accounts may have been hacked, based on the number of PSN accounts. Sony also states, “While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.” For the time being, Sony has temporarily disabled its PlayStation Network and Qriocity services so it can analyze these services for other security issues. Sony is advising its customers to watch for e-mail and postal mail scams orchestrated by data thieves, and to stay on the lookout for anything suspicious on your credit report or financial account statements. [Source] [Source] [Source] [Source] [Source] [Source] [Source] [Sony Executives ‘Deeply Apologize’ for Security Breach] [Sony Breach Ignites Phishing Fears / Are Consumers Suffering ‘Breach Fatigue?] [CA – Privacy Commissioner’s office looking into Sony PlayStation hack] [Change passwords, advises Alberta privacy commissioner]

Identity Issues 

US – US Proposes Online Identities for Americans

The US Government has published plans to create digital identities for Americans. The US Government wants to create a voluntary system that will allow Americans to access financial services online using one account. It hopes the new system will help protect against fraud and identity theft and reduce the barriers to trade that multiple accounts brings to businesses and consumers, the strategy said. Under the new plans users will be able to register for access to a network of government and businesses providing data and ways to pay for things online. The Government has called this the Identity Ecosystem, the National Strategy for Trusted Identities in Cyberspace (NSTIC) said. Users could pay taxes and phone bills by entering only minimal information about themselves in the Ecosystem, such as purely their age, the NSTIC document said. “The Identity Ecosystem will use privacy-enhancing technology and policies to inhibit the ability of service providers to link an individual’s transactions, thus ensuring that no one service provider can gain a complete picture of an individual’s life in cyberspace,” the NSTIC document said. The Ecosystem will improve privacy protection and efficiency it said. ‘Trustmarks’ will be used to help users identify organisations that have met security standards, it said. The US Government said that it was up to the private sector to develop technologies that make online identities secure and easy to use, safeguard transactions, and protect anonymity, but said that there are incentives for the industry to produce such a system. The Ecosystem benefits will also extend to individuals because the current process is bureaucratic, the NSTIC strategy said. Although the system proposed is voluntary, there is concern that some Government departments will adopt it, effectively forcing Americans to create a profile. The US Government is planning to host workshops to discuss the proposals with industry and the public between June and September to try to finalise details for NSTIC. [Source]

Internet / WWW 

WW – In Reversal, Yahoo Will Store User Search Data Longer

In a move that is unlikely to win it any new friends in the privacy community, Yahoo has announced that it will retain consumer search data for a substantially longer period of time than it does today. Starting sometime in mid-July, Yahoo will hold raw search log file data, including IP addresses, cookies and search-related information, for up to 18 months. It currently retains such data for 90 days. Yahoo’s chief trust officer, Anne Toth, said in a blog post that the change was designed to give consumers a more robust and personalized search experience while also bringing Yahoo into closer alignment with industry-wide data retention norms. Toth’s announcement marks an abrupt reversal of Yahoo’s current data retention policy which it put in place in 2008. Under its current policy, Yahoo stores most log file data for just 90 days, though in some cases the company holds raw data for as long as six months for what it calls fraud and security purposes, and to comply with legal requirements. In contrast, Google stores search data for nine months, while Microsoft retains it for six months. [Source

EU – Internet ‘Right to Be Forgotten’ Debate Hits Spain

In a case that Google Inc. and privacy experts call a first of its kind, Spain’s Data Protection Agency has ordered the search engine giant to remove links to material on about 90 people. The information was published years or even decades ago but is available to anyone via simple searches. Scores of Spaniards lay claim to a “Right to be Forgotten” because public information once hard to get is now so easy to find on the Internet. Google has decided to challenge the orders and has appealed five cases so far this year to the National Court. A final decision on Spain’s case could take months or even years because appeals can be made to higher courts. Still, the ongoing fight in Spain is likely to gain more prominence because the European Commission this year is expected to craft controversial legislation to give people more power to delete personal information they previously posted online. “This is just the beginning, this right to be forgotten, but it’s going to be much more important in the future,” said Artemi Rallo, director of the Spanish Data Protection Agency. “Google is just 15 years old, the Internet is barely a generation old and they are beginning to detect problems that affect privacy. More and more people are going to see things on the Internet that they don’t want to be there.” [Source] See also: [Foggy Thinking About the Right to Oblivion - Peter Fleischer

UK – More than Half Would ‘Delete Everything Ever Posted About Themselves Online’

More than half of British adults are so concerned about their online reputation they would erase everything they have ever posted on the Internet about themselves, a survey revealed. A staggering 35% believe they could never consider a career in politics due to damaging personal material online. And nearly a quarter of people admit to having posted a photo or personal information that they wouldn’t want an employer to see, according to a study by security firm Norton. Researchers questioned 1,004 people aged 18 and over about the amount of their personal information that is publicly available online and how it could affect them personally. The study reveals a sense of unease among Britons about their online reputation, with over 50% saying they would gladly hit the ‘reset’ button to delete all information about them online. Some 40% admitted to not actively protecting their reputation and personal information on the Internet. Of these, 59% ‘never thought it was an issue’, while 20% wouldn’t know where to start. [Source

WW – Amazon Provides Details About Cloud Outage

Amazon has apologized for the outage experienced in portions of its cloud services platform and has released a statement offering more detail about the cause of the incident. The problem arose because of a configuration error that was made during a network upgrade. The error caused traffic that should have been directed to a primary network to be routed to a lower-capacity network. Amazon also detailed steps it is taking to prevent a recurrence. [Source] [Source] [Source] [ Some Customer Data Permanently Destroyed in Amazon Cloud Crash | Report

WW – Web Standards Group to Discuss Do Not Track

The Web standards organization, World Wide Web Consortium (W3C), met this week to examine online privacy and the main issues surrounding a universal do-not-track mechanism, reports Media Post. Discussion topics included definitions for do not track and the mechanism’s operational feasibility. Nearly 60 position papers have been submitted by Web companies, academics and others prior to the conference. W3C Co-chair Lorrie Cranor added that the group “has not yet formally taken on the task of formalizing do not track or any of the other consumer protection technologies in the tracking space but are looking at it and trying to determine if there’s a role for them and, if so, what direction to go in.” [Source]

Law Enforcement 

US – ACLU Seeks Documents Regarding Police Use of Data Extraction Devices

When the American Civil Liberties Union (ACLU) made a Freedom of Information Act (FOIA) request for documents containing information to help them determine if Michigan State Police were violating Fourth Amendment rights, they were told it would cost more than half a million dollars. The issue centers on the use of a data extraction device used by police. The device is capable of scraping data from phones in less than two minutes. The ACLU of Michigan is trying to determine whether police violated people’s Fourth Amendment rights by taking those data without search warrants. The Michigan State Police has issued a statement regarding allegations of their abuse of data extraction devices. The statement says there have been no allegations of wrongdoing and that “the [Michigan State Police] only uses the [devices] if a search warrant is obtained or if the person possessing the mobile device gives consent, … [and they] are not being used to extract citizens’ personal information during routine traffic stops.” [Source] [Source

US – Federal Authorities Access Facebook Accounts

Stltoday.com reports that federal investigators in Detroit, MI, obtained search warrants allowing them access to the Facebook accounts of suspected criminals. Investigators were able to view photographs, e-mail addresses, phone numbers, lists of friends and GPS locations to disprove alibis. The practice raises many privacy concerns, including whether information gleaned from social media sites can be authenticated. In addition to Michigan, search warrants for Facebook accounts have been requested in an additional eight U.S. states. Facebook representative Andrew Noyes added, “We never turn over ‘content’ records in response to U.S. legal process unless that process is a search warrant reviewed by a judge.” [Source]

Location 

WW – Your iPhone 4 and iPad 3G Are Recording All of Your Movements

Your iPhone 4 or your iPad 3G are recording all of your movements and storing the information in easy-to-access files, two British scientists reveal. Alasdair Allan and Pete Warden stumbled upon the unencrypted data buried inside their iPhones while working on another project. “All iPhones appear to log your location to a file called ‘consolidated. db,” Allan explained in a video he and Warden prepared to answer questions about the discovery. “This contains latitude and longitude coordinated along with a time-stamp. The coordinates aren’t always exact, but they are pretty detailed.” The tracker is embedded inside Apple Inc.’s newest iPhone, the iOS 4, and on the iPad 3G. The data are stored in your devices, as well as on automatic backups when you synchronize them with iTunes. “Apple have (sic) made it possible for anyone from a jealous spouse to a private investigator to get a detailed picture of your movement,” Allan and Warden explained. The good news, said Allan, is that it appears the detailed trail only exists on the owner’s devices and is not stored by Apple. The bad news is that it would be easy to crack the code and recover all the data if an iPhone were lost or compromised. [Source] See also: in 2009, Green party politician Malte Spitz sued to have German telecoms giant Deutsche Telekom hand over six months of his GPS phone data and then folks created a graphic showing his travels

WW – Apple Responds to iPhone Tracking, Privacy Concerns

Apple says it is collecting “anonymous traffic data” for location-based services, not tracking iPhone owners. The company adds it will update the software to log only seven days worth of data, rather than several months. Apple has responded to the revelation that its iPhone and iPad products track their users’ movements across mobile phone networks and WiFi networks around the globe. Two British researchers last week described at a tech conference in California how this tracking data was being stored in an unencrypted file on the phone itself. They also wrote a data visualization program so that any iPhone owner could diagram their data on to an easy-to-understand map. In a statement published to Apple’s website, the company said users were “confused” about what exactly the company was doing with this data. “Apple is not tracking the location of your iPhone,” the statement went on to say the location data that the British pair found was not the precise location of the iPhone itself, “but rather the locations of Wi-Fi hotspots and cell towers surrounding the iPhone’s location, which can be more than one hundred miles away from the iPhone.” The company also explained that it is “collecting anonymous traffic data to build a crowd-sourced traffic database with the goal of providing iPhone users an improved traffic service in the next couple of years.” The statement also said the anonymous data it did have was used to help the phone find its location in regions where weak GPS signals could make the process take minutes rather than seconds. By using a log of WiFi networks and cell tower data, Apple noted that it could reduce this location time to “just a few seconds.” However, the US company called the months or years worth of data stored on each phone a “bug we uncovered,” and said that following a software update to be released in the coming weeks, the iPhone and iPad would only store seven days worth of such data and that this data would be encrypted. Requests for comment from the office of Peter Schaar, Germany’s federal data protection commissioner, and CNIL, the French national data protection authority, as well as to the Italian data protection authority, have so far gone unanswered. [Source] See also: [Smartphone privacy threats no surprise to security experts

WW – Apple Filed Patent Application for Tracking Technology

In 2009, Apple filed a patent application for technology to track users through smartphones. Apple has recently been the focus of attention because it was found that iPhones were tracking and storing user location data. Apple had said that it was not tracking users and that a bug was to blame for the retained data. The September 2009 patent application refers to “Location Histories for Location Aware Devices.” [Source] [Source

WW – TomTom Sorry for Giving Customer Driving Data to Cops

Navigation device maker TomTom has apologized for supplying driving data collected from customers to police to use in catching speeding motorists. The data, including historical speed, has been sold to local and regional governments in the Netherlands to help police set speed traps. As more smartphones offer GPS navigation service, TomTom has been forced to compensate for declining profit by increasing sales in other areas, including the selling of traffic data. On Wednesday, Europe’s biggest satnav device maker apologized, saying it sold the data believing it would improve traffic safety and reduce bottlenecks. TomTom has said that any information it shares has been anonymized, but customers shouldn’t take such assurances at face value. [Source] See also: [Google Tracks You Too, Internal E-mails Show

US – DOJ Wants Warrantless GPS Tracking Authority

The Justice Department wants the US Supreme Court to overturn an August 2010 lower court ruling that reversed the conviction and sentence of a drug dealer whose vehicle was tracked for a month through GPS without a warrant. DOJ wants the authority to place GPS tracking devices on suspects’ cars without warrants. Three other circuit courts of appeals have said that law enforcement authorities do not need warrants to use the devices, which have become more prevalent in investigations. A 1983 Supreme Court decision allowed the use of a tracking beacon placed on a container without a warrant. The circuit court that overturned the drug dealer’s conviction said that the difference in the cases is that the 1983 case involved tracking someone from one place to another, while the GPS devices provide continuous monitoring and noted that it “illustrates how the sequence of a person’s movements may reveal more that the individual movements of which it is composed.” [Source]

US – Most Mobile Apps Lack Privacy Policies: Study

TRUSTe’s survey of 1,000 smartphone users indicates privacy is a primary concern. The results indicate users are concerned about privacy and want more transparency and control over the collection and use of their personal information as well as choices about advertising and geolocation tracking. “This survey makes it crystal clear that privacy concerns are a huge stumbling block to consumer usage of applications and websites on smartphones,” said TRUSTe President and Executive Chair Fran Maier. Behavioral targeting was also cited as a key concern by respondents, with 85% wanting the chance to opt out of targeted ads. [Source] [Study]

Offshore 

NZ – Survey: Organizations Need Guidance for Offshore Data Storage

Results from a survey conducted by New Zealand Privacy Commissioner Marie Shroff indicate that the public and private sectors need more guidance for the offshore storage of personal information. “The International Disclosures and Overseas ICT Survey” queried 50 businesses and government agencies about where they stored personal information; reasons for its use and storage overseas, and how it was protected. The article suggests that many organizations have controls for data in transit but no controls for information once it’s sent overseas. “If New Zealand businesses and government agencies are going to take advantage of the benefits the cloud can offer,” said Shroff, “it is imperative that privacy issues are tackled and got right.” [Source] [Survey: International Disclosures and Overseas Information and Communication Technologies] [Media Release]

Online Privacy 

US – Congressmen Call for Mobile App Privacy Codes

House Bi-Partisan Privacy Caucus Co-Chairmen Edward Markey (D-MA) and Joe Barton (R-TX) have released the responses they’ve received from the nation’s four largest wireless carriers following their requests for information about how the companies collect, store and share customers’ PII. The Wall Street Journal reports that AT&T, Verizon Wireless, Sprint Nextel and T-Mobile have all responded that they seek subscribers’ consent for use of personal data, but “they can’t control how applications developed by third parties use location information that the carriers don’t provide.” Mobile device applications “shouldn’t have free reign over your location data and personally identifiable information. I believe it is time we hold third-party developers accountable,” Barton said. [Source] [Source

WW – Friendster to Erase Early Posts and Old Photos

Long before there was a Facebook, or even a MySpace, there was Friendster, a Web site that gave many people their first taste of the socially networked world to come. Friendster, which started in 2003, has long been eclipsed by younger, more nimble rivals, turning into something of a ghost town. But its current owners told users of plans to change its business strategy – and to wipe out the site’s trove of digital memories, including ancient dorm-room photos, late-night blog entries and heartfelt friend endorsements, known as “testimonials.” That set off a wave of nostalgia among Friendster members, even though most had stopped visiting the site long ago. [The New York Times] See also: [US: Hacked Facebook accounts, stolen photos posted on Sex Sites

US – Suit Seeks Class-Action Status

The Wall Street Journal reports on a lawsuit filed against the social network Myspace that alleges the company violated federal privacy law and its own privacy policy. The suit seeks class-action status. The plaintiffs allege that the company shares users’ personally identifiable information with advertisers despite a statement to the contrary in its privacy policy. The plaintiffs are seeking “$1,000 per person affected” in addition to other unspecified damages. [Source

US – Judge Says PII Loss Sufficient for Suit

A federal judge has allowed a lawsuit filed against a social media application developer for exposing 32 million users’ personally identifiable information (PII). Judge Phyllis Hamilton has allowed four causes of action by RockYou user Alan Claridge in U.S. District Court in the Northern District of California. RockYou wanted the case dismissed, alleging Claridge suffered no harm when his e-mail address and password were exposed. But the judge said that the “plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his personally identifiable information has caused him to lose some ascertainable but unidentified value and/or property right inherent in the PII.” [Source

UK – UK Law Will Require Consent

The United Kingdom’s final plan to implement the amended EU e-Privacy Directive (2009/136/EC) does not deviate from the directive’s requirement that effective consent be obtained from online users in order to place most cookies on their computers, according to the Department for Culture, Media and Sport report released last week. The plan does not use the phrase “opt-in consent,” but it is clear from the rules that it would amend the country’s Privacy in Electronic Communications Regulations to require that such consent be obtained from users. “Organizations running Web sites will need the user’s permission before a cookie can be used,” said Culture Minister Ed Vaizey. [Report]

Other Jurisdictions 

JP – Japan May Hold Individual Employees Liable for Violations of Data Protection Law

As part of an effort to increase penalties for violations of the country’s Personal Information Protection Act, officials in Japan plan to extend liability under that law to individual employees, according to recent reports in The Yomiuri Shimbun and The Japan Times. Currently, a company that violates the law may be fined or ordered to take remedial steps, and the company head may be imprisoned. The law revision would come as part of changes to the legal framework accompanying a proposed national identification number system. [Source]

Privacy (US) 

US – Committee to Hold Hearing on Mobile Phones

Senate Commerce Committee Chairman Jay Rockefeller (D-WV) has announced the committee will hold a hearing in May on mobile phone privacy, following announcements that certain smartphones have stored and shared users’ location data, The Hill reports. The announcement comes amid calls for investigations and hearings on such privacy concerns and the filing of lawsuits prompted by reports of mobile device tracking. Rockefeller has called the recent incidents “just the latest in a string of concerns raised in the mobile marketplace,” since it “collects and uses a wide range of personal information–often with inadequate or untimely disclosure.” [Source

US – Flash Cookie Lawsuit Against Specific Media Dismissed

A judge has dismissed a lawsuit alleging an ad network used Flash cookies to track users online. The seven users who filed the suit did not “adequately allege” economic losses, ruled U.S. District Court Judge George Wu. The plaintiffs alleged that their data has value, that they were not compensated when ad company Specific Media used it and that their privacy was violated when they were tracked. Specific Media has denied using Flash cookies, the report states. Last year, two companies paid a $2.4 million settlement in a similar case. [Source]

Security 

US – Unprotected Wi-Fi Network Bring False Accusations of Illegal Activity

A Buffalo, New York man found himself the object of a home raid by federal agents who accused him of downloading child pornography over his wireless network. Only after taking a desktop computer, iPads and iPhones from the home and examining them over a few days did federal agents clear the man of suspicion and pin the crime on a neighbor who had accessed the unprotected Wi-Fi network. The story is not unique; a similar incident occurred in Florida. The stories drive home the importance of home users securing their wireless routers. [Source] [Source] A poll conducted for the Wi-Fi Alliance, the industry group that promotes wireless technology standards, found that among 1,054 Americans age 18 and older, 32% acknowledged trying to access a Wi-Fi network that wasn’t theirs. An estimated 201 million households worldwide use Wi-Fi networks, according to the alliance. The same study, conducted by Wakefield Research, found that 40% said they would be more likely to trust someone with their house key than with their Wi-Fi network password. In Germany, the country’s top criminal court ruled last year that Internet users must secure their wireless connections to prevent others from illegally downloading data. The court said Internet users could be fined up to $126 if a third party takes advantage of their unprotected line, though it stopped short of holding the users responsible for illegal content downloaded by the third party. The ruling came after a musician sued an Internet user whose wireless connection was used to download a song, which was then offered on an online file sharing network. The user was on vacation when the song was downloaded. [Source

Google Wi-Fi Judge Asks if Packet Sniffing is Spying

The question of whether Google is liable for damages for secretly intercepting data on open Wi-Fi routers across the U.S. is boiling down to the definition of a “radio communication.” That appears to be the legal theory embraced by the Silicon Valley federal judge presiding over nearly a dozen combined lawsuits seeking damages from Google for eavesdropping on open Wi-Fi networks from its Street View mapping cars. The cars had been equipped with Wi-Fi–sniffing hardware to record the names and MAC addresses of routers to improve Google location-specific services. But those cars were also capturing the contents of internet packets that were sent over unencrypted Wi-Fi as they drove by, something the company said was an accidental leftover from testing. At the center of the legal flap is whether Google breached the Wiretap Act. The answer is important not only to Google, but to the millions who use open, unencrypted Wi-Fi networks at coffee shops, restaurants or any other business trying to cull customers. Google said it is not illegal to intercept data from unencrypted, or non-password-protected Wi-Fi networks. Plaintiffs’ lawyers representing millions of Americans whose internet traffic was sniffed by Google think otherwise, and are seeking unspecified damages. Judge Ware, however, suggested the answer to the far-reaching privacy dilemma lies in an unanswered question. He has asked each side to define “radio communication” as it applies to the Wiretap Act, and wants to know whether home Wi-Fi networks are “radio communications” under the Wiretap Act. In response, Google wrote last week that open Wi-Fi networks are akin to “radio communications” like AM/FM radio, citizens’ band and police and fire bands — and are “readily accessible” to the general public. Indeed, packet-sniffing software, such as Wireshark and Firesheep, is easily available online. Hence, because unencrypted Wi-Fi signals travel over the radio spectrum, they are not covered by the Wiretap Act, Google responded. “There can be no doubt that the transfer of any sign, signal, writing, images, sound, data, or intelligence of any nature transmitted over the radio spectrum constitutes a ‘radio communication.’ Indeed, there is nothing in the text or legislative history of the Wiretap Act that would exclude any transmission sent over the radio spectrum from the definition of ‘radio communication,’” Google wrote. The plaintiffs’ lawyers countered that the communications in question started on a computer and only briefly were relayed on radio waves “across the living room from the recipient’s router to her laptop.” “The fact that either the first or final few feet of the electronic communication may have gone via wireless transmission [‘Wi-Fi’] does not transform the communication into a ‘radio communication’ broadcast similar to an AM/FM radio or a CB.,” plaintiffs’ lawyer Elizabeth Cabraser wrote. “Nor is there anything in the statute to define ‘radio communications’ as synonymous with anything sent on a radio wave, however briefly and without regard to the entirety of the communication system at use.” Both sides agree, however, that it’s illegal to listen in on cordless phones. [Source]

Surveillance 

EU – Austrian Lower House Passes Data Retention Bill

The lower house of the Austrian parliament has passed a measure endorsing the storage of private phone call and e-mail data, and the upper house is expected to soon pass it into law. Data will be stored for six months under the measure, which the European Commission adopted in 2006. The information will be available to investigators and public prosecutors in criminal procedures. A spokesman for an Austrian organization that opposes data retention said he’s “very concerned” and that the “risk is that the data retained will not only be used for finding terrorists…but will be used against normal people.” [Source]

Telecom / TV 

US – Wireless Carriers Reveal Location Privacy Policies

The nation’s top wireless carriers say they all collect personal information, including location data, about subscribers and use much of that information to tailor marketing pitches for more services. In letters responding to lawmakers’ questions, they described varied policies on protecting data and how long they retain location and other sensitive information such as a user’s name, SSN, and address. The queries to the carriers by Reps. Edward Markey (D-Mass). and Joe Barton (R-Tex.) come amid increased scrutiny of privacy on mobile devices and questions about how Apple and Google store data on users’ locations. AT&T said it is in the process of encrypting all sensitive personal information about its users such as credit card numbers, date of birth and specific data on a person’s location. It said it disposes of location-based information within five years. T-Mobile was more vague about its data retention and security program. The company said only that it keep personal information “as long as we have a business need, or as applicable laws, regulations, or government order require.” It did not say whether personal information is encrypted. A spokesman did not immediately respond to a request for comment. [Source

Apple Facing Lawsuit Over Location Tracking Data

Two people have filed a lawsuit against Apple over location tracking data that are stored on iPhones without users’ consent. The suit was filed in the US District Court for the Middle District of Florida. The plaintiffs are seeking an injunction that would require Apple to disable the tracking mechanism. They allege that Apple violated the Computer Fraud and Abuse Act because the company is aware that the majority of users do not pore over the details of user license agreements. In a separate but related story, independent testing shows that the iPhone stores location data even after location services are turned off. [Source] [Source] [Source] [Source] [Source]

US – Colo. Supreme Court Hears Case on Privacy of Ritter’s Calls on Personal Phone

If the Colorado Supreme Court rules former Gov. Bill Ritter doesn’t have to release a list of business calls made on his personal cellphone while in office, it will provide a simple recipe for public officials to conduct government business in secret. “It will send a green light to governments across the state to do what Gov. Ritter did throughout his term . . . keep public business private by paying for their own phone,” lawyer Steven Zansberg told justices. The Denver Post has sought access to Ritter’s cellphone records since 2008, arguing it is the only way for the public to know with whom the governor spoke and when, and that the records should be available under the Colorado Open Records Act. The newspaper has limited its request to calls made during business hours, and agreed that the governor’s office should be allowed to redact information about personal calls. Ritter has acknowledged that he gave up his state-paid BlackBerry in 2008, and that the “vast majority” of calls made on his personal cellphone during his term were related to his work as governor. But his attorneys have argued that because Ritter paid for the phone himself, and the call logs were not made, maintained or kept by him for official business, records of the calls are not public. A district court and the Colorado Court of Appeals sided with Ritter. The Post then appealed to the state’s high court. [Source]

US Government Programs 

US – Sens. Question White House on Oversight Board

Members of congress continue to question the Obama Administration about the dormant Privacy and Civil Liberties Oversight Board. According to Congress.org, leaders of the Senate Homeland Security and Governmental Affairs Committee last week sent a letter saying, “It is inexcusable that, more than three years after the new board was meant to have begun its work, there is still no functional board at all.” The board was created in 2004 on the recommendation of the 9/11 Commission to oversee the protection of Americans’ privacy and civil liberties in the age of counterterrorism. The Obama Administration nominated two individuals to the five-member board in December. [Source

US – Privacy Advocates Question Proposed Supplemental Passport Form

Quick. Name where your mother was living and working when you were born. List who witnessed your birth. Now, name every residence where you’ve ever lived. And where you’ve worked. Don’t forget to give a list of all your current and former bosses, with a current phone number, if possible. A proposed supplemental form to U.S. passport applications could cause headaches for some and has drawn the ire of privacy advocates. But the U.S. State Department says the information requested on the form are questions that officials already ask when a person may lack proper documents to prove their citizenship when applying for a passport. The proposed form, DS-5513, likely would be given to passport applicants who may have questionable documents or insufficient proof of citizenship in the eyes of the government, said a State Department spokeswoman. Privacy advocate Edward Hasbrouk said the proposed form is too intrusive and “would be reintroducing the same kind of discriminatory practice” of rejecting applicants born to midwives. “Part of the settlement of that lawsuit was that they agreed to not make these kinds of inquiries of people unless there was a provision,” said Hasbrouk, spokesman for The Identity Project, which published a copy of the proposed form online. Obtaining passports became a high-profile issue across the Rio Grande Valley in 2009, when federal authorities began requiring U.S. citizens to show a passport to re-enter the country from Mexico. A flurry of denied and disputed passport applications emerged from many Valley residents who were born by midwives, casting doubt from the government about whether their birth certificates are valid. The American Civil Liberties Union filed a class action lawsuit against the State Department that was settled in June 2009, setting up a review panel for all denied applications requiring officials to list specific reasons for denying the passport application. Officials estimate the form would take about 45 minutes to complete and would be given to about 75,000 passport applicants — about one half of one percent of all applications processed each year. [Source

US – Audit Finds FBI’s Cyber Security Capabilities Not Maximized

According to an audit report from the US Department of Justice inspector general (IG), one-third of 36 agents interviewed lacked the necessary skills to investigate cyber intrusions. The audit examined the FBI’s ability to deal with the threat of national cyber security intrusions and finds major faults in the operations of the NCIJTF – the National Cyber Investigative Joint Task Force. Each of the FBI’s 56 field offices has at least one cyber squad but the report finds fault in the level of skills those field agents have. [Source] [Source] [Redacted report] [Justice

US – Papers Warns of Dangers of Alarmist Cyberthreat Rhetoric

A paper published by researchers at the Mercatus Institute at Virginia’s George Mason University says that the US government’s “alarmist rhetoric” about cyber threats facing the country’s critical infrastructure could result in the enactment of policy based on evidence that may not have a foundation in fact. The researchers, Jerry Brito and Tate Watkins, compared the dangerous possibilities of ill-informed policy to what happened in Iraq – a decision was made to invade the country based on rumors, not hard evidence, that the country’s political regime was connected to the September 11 attacks and that it possessed weapons of mass destruction. Decisions based on faulty information could lead to unnecessary regulation of network, and overspending on cyber security. [Source] [Source]

US Legislation 

US – Maine Passes Health Information Privacy Law

The bill requires a health information exchange (“HIE”) to obtain the consent of a patient prior to collecting, storing or disclosing that patient’s health care information and prohibits a health care practitioner from accessing that information without prior authorization (unless waived by the patient in an emergency); a HIE would be required to provide the patient with a website that permits the patient to view their health care information, identify who has accessed the records, select which records are to be included in the HIE system and which practitioners can access them (a non-electronic means must also be available for viewing health care information). The bill establishes a protocol for notification if a breach of the HIE system occurs and patient information is illegally accessed (requiring notice to both health practitioners and facilities that have access to the system and the affected patients within 60 days of discovering the breach). A patient may not be denied health care treatment, insurance coverage or insurance payment or reimbursement based on the failure of the patient or the health care practitioner to participate in a HIE system or charged a fee to access the health care information in the HIE system. [Source: LD 1337 - An Act to Ensure Patient Privacy and Control with regard to Health Information Exchanges - 125th Maine State Legislature – Text of Bill | Status Summary]

Workplace Privacy 

JP – Employees May Become Liable Under Law

Japanese officials plan to extend liability to individual employees under the Personal Information Protection Act, reports Hunton & Williams’ Privacy and Information Security Law Blog. The move is part of an effort to increase penalties for violations under Japan’s privacy law framework. Under current law, companies that violate the act can be fined, ordered to take remedial steps and a company head can face imprisonment, according to the report. The legal changes are part of the Japanese government’s planned introduction of a national identification system to help survivors of last month’s earthquake and tsunami. [Source]

+++

 

01-15 April 2011

Canada

CA – Amendments to PIPEDA Enable Pickier Privacy Commissioner Investigations

Legislative amendments proclaimed in force last week mean that the Privacy Commissioner of Canada may now be more selective about the complaints her office decides to investigate. The amendments in question, made to the Personal Information Protection and Electronic Documents Act (PIPEDA), were actually contained in Bill C-28, Canada’s Anti-Spam Legislation, which received Royal Assent last December. Although most of that statute is not yet in force, last week the Governor in Council proclaimed in force some of the consequential amendments in that bill that affect PIPEDA, leaving for proclamation at a later date those PIPEDA amendments that coordinate with new obligations in the Anti-Spam law itself. Previously, PIPEDA required the Privacy Commissioner to investigate all complaints submitted to her office, regardless of their nature or seriousness, although she had some discretion in not having to prepare a report in all cases. With these new amendments, the Commissioner is no longer required in all circumstances to conduct an investigation in respect of a complaint received. Complaints need not be investigated if the complainant has not exhausted other grievance or review procedures that may be available, if the complaint could be more appropriately dealt with under another Federal or Provincial law, or if the complaint was not filed within a reasonable time after subject matter of the complaint arose. In all cases, complainants must be notified that their complaint will not be investigated. The Commissioner retains the right to reconsider a decision not to investigate a particular complaint, if the complainant is able to provide compelling reasons to investigate. The new powers have long been sought by the Commissioner as a way to better manage the workload of the Office of the Privacy Commissioner, by weeding out complaints whose resolution would be of little public interest or significance, thereby allowing for the focus of resources on issues of a broader systemic nature. The authority to manage the processing of complaints in this way is already afforded to some degree to other tribunals, including the Canadian Human Rights Commission and the Privacy Commissioner for Alberta. Once the investigation of a compliant commences, the new amendments also give the Privacy Commissioner the power to discontinue investigation in certain circumstances. Investigations may be discontinued where:

  • there is insufficient evidence to pursue the complaint
  • the complaint is trivial, frivolous or vexatious or is made in bad faith
  • the organization that was the subject of the complaint has provided a fair and reasonable response
  • the subject matter is already the subject of a report by the Commissioner
  • the complainant has not exhausted other grievance or review procedures that may be available
  • the complaint could be more appropriately dealt with under another Federal or Provincial law
  • the complaint was not filed within a reasonable time after subject matter of the complaint arose
  • the matter is being or has already been addressed via another grievance or review process, or pursuant to a procedure under another Canadian law.

As with a case of declining to investigate, the Commissioner must notify a complainant and organization of the discontinuance of a complaint, giving reasons for the discontinuance. With other tribunals that have the power to decline to investigate complaints, there has understandably been a reluctance to exercise this authority, since doing so denies a complainant a full consideration on the merits of the complaint. As a result, the bar for refusing a complaint has tended to have been set fairly high, with complaints being declined or discontinued only in the clearest and most egregious of circumstances. [Source: Mondaq News]

E-Government

US – New York State Pursues Delinquent Taxes With Analytics Tool

New York state is among states that are deploying data analytics in the fight to collect delinquent taxes. In 2010, the state’s Department of Taxation and Finance implemented an IBM analytics tool to help recover $83 million in delinquent taxes – an 8% increase from 2009 and double the annual increase from previous years, according to an announcement from the company. IBM said the software inserts an algorithm into the department’s debt case management system. The software determines on a case-by-case basis the best course of action for collecting a delinquent tax given the department’s limited resources, while maximizing the amount of revenue collected. The department then develops an action plan for each case – delinquent or fraudulent taxes – based on the analytics data. The predictive modeling tool used in the IBM Tax Collections Optimizer is like what private-sector companies use for gathering predictive analytics. But the tool’s distinguishing feature is that it factors in budget and resource limitations in its decision-making, Barry said. New York isn’t the only state using analytics for tax collection. For example, last year Hawaii officials announced they had collected more than $100 million within a three-year period through a partnership between the Department of Taxation and CGI Technologies and Solutions. [Source

US – Texas Comptroller: Personal Records of 3 Million People Publicly Posted

The office of the Texas comptroller revealed on Monday that information of 3.5 million people were accessible on a public server for more than a year. The information includes names and mailing addresses, Social Security numbers, and for some people, birth dates and driver’s license numbers. These were inadvertently posted on a public server when three agencies transferred data. The information was not encrypted as required under state law. Moreover, personnel at the comptroller’s office did not follow internal procedures in posting such records. Comptroller Susan Combs said her office began publicly blocking after discovering the oversight on March 31. The state attorney general’s office is investigating what Combs described as a “serious issue.” The comptroller will begin sending notification letters on Wednesday to people with records involved in the security breach. Combs will be working with the Legislature to advance legislation to enhance information security as outlined in the Protecting Texans’ Identities report she released in December. This would include the designation of Chief Privacy Officers at each agency as well as the creation of an Information Security Council in the state. [Source]

Electronic Records 

WW – Iron Mountain to Shutter Cloud Storage Service

After only two years, Iron Mountain is planning to close its public cloud storage services , having already stopped accepting new customers as of April 1. The company will close its Virtual File Store services, which is targeted at archival of inactive file data and its Archive Service Platform , which allows software vendors to integrate the Iron Mountain API to leverage the company’s cloud architecture. Virtual File Store customers that stay with Iron Mountain will be transferred to a higher-value offering, File System Archiving (FSA) in 2012. The new offering will be a hybrid that leverages policy-based archiving on site and in the cloud with indexing and classification capabilities. Archive Service Platform customers have no migration path and are being terminated or moved to an alternative service provider. Iron Mountain’s announcement makes it the third public cloud infrastructure as a service (IaaS) provider to abandon the market over the past year, Gartner said. The others that have shut down are: Vaultscape, which launched its service in 2009 and closed in 2010, and EMC, which announced Atmos Online in 2009 and took it offline a year later. [Source]

Encryption 

RU – Russian Agency Says it’s Hard to Monitor Citizens Who Use Encrypted Services

The Kremlin will not ban Skype, Gmail and Hotmail, despite a recommendation to do so from the country’s Federal Security Service (FSB) because the services threaten national security. FSB says the services make it challenging to monitor citizens because they use encryption that is difficult to break. [Source] [Source]

EU Developments 

EU – Tech Companies Challenging France’s Data Retention Law

Several large technology companies are reportedly challenging the French government’s requirement that service providers, web mail providers, ecommerce companies and online video and music sites retain information about users for a year. The data they are required to store and to provide the government on demand include user names, passwords, IP addresses, and financial transaction information. The requirement was established by a February 25, 2011 decree that updates the Legal Regime for eCommerce Trust (LCEN). The decree is being challenged by the French Association of Community Internet Services (ASIC), whose members include eBay, Facebook and Google. LCEN says the decree was formulated without consulting the European Commission and that retaining the information poses a greater risk of data security breaches. [Source] [Source] [Source

EU – Annual Big Brother Awards Draw Attention to German Privacy Issues

Data protection and privacy are big topics in Germany today, but they weren’t always. The organizers of the Big Brother Awards like to think they had something to do with that. Late last week, this year’s BigBrotherAwards were handed out to organizations, businesses and individuals deemed to be undermining privacy and data protection using technology and information. The annual awards are bestowed by FoeBuD e.V., a German non-profit activist organization that was first formed in 1987 to protect civil rights and data security. The BigBrotherAwards include categories such as “Workplace,” “Politics” and “Consumer Protection.” This year a negative award was handed out to Facebook under the category of Communications for “systematically poking its nose into people and their relationships, behind the friendly facade of an ostensibly free service,” according to FoeBuD’s description of the award. According to the BigBrotherAwards website, the online social media platform is likened to a gated community “sprawling across the net in which people are monitored every step of the way. It is governed by the whims of a corporation that is earning billions with systematic privacy violations.” Other “winners” included the German auto manufacturer Daimler, for requiring blood tests of its employees, a practice FoeBud compared to vampirism, and Apple’s Munich branch, which the award accused of “taking their customers hostage by way of expensive hardware and subsequently blackmailing them into accepting a questionable privacy policy.” [Source]

Finance 

US – Limits Sought to Employers’ Use of Credit Reports

Battle lines are being drawn in state capitals over whether workers should be judged by their creditworthiness. In 25 states, 49 proposed bills are being debated. The majority of the bills are aimed at restricting when credit histories can be used in the hiring process, says Heather Morton, analyst at the National Conference of State Legislatures. Economic stress is the main trigger. “Legislators are responding to the impact the recession has had on employment.” There is also concern about fairness, says Beth Givens, director of the non-profit advocacy group Privacy Rights Clearinghouse. “Using a credit report to make a hiring decision is essentially making a value judgment,” says Givens. “The employer is saying, ‘I think you’re an irresponsible and careless person because you have a bad credit report.’” [Source]

Genetics 

EU – Dog DNA Database to Prevent Foul Play

A Spanish town has set up a DNA database to track down owners who allow their dogs to mess in streets and parks without clearing it up. The town council of Hernani in northern Spain approved the introduction of a bylaw that will force owners to register their pet’s DNA for a municipal dog census. Under the scheme, which residents have called “Canine CSI”, deposits in the street will be collected by a team and sent to laboratories at the University of the Basque Country for analysis. Owners of dogs whose DNA matches the samples will be tracked down through the database and will face fines of up to euros 300 (pounds 265). Those who refuse to provide DNA analysis of their dogs face similar fines. But local dog owners were furious at the proposal and set up a Facebook page in protest, arguing that it was “unfair, ineffective and very costly”. The cost of DNA analysis, carried was about euros 45 (pounds 40) and must be borne by the pet owner. [Source]

Horror Stories 

WW – Epsilon Breach Compromises Millions of eMail Addresses

A security breach at US marketing company Epsilon Data Management appears to have compromised millions of email addresses. Epsilon sends email on behalf of more than 2,500 clients. Many of the companies have contacted their customers to notify them of the breach and the possibility that they may receive spam or malicious email that attempts to get them to disclose more sensitive information. Epsilon said the only information taken was names and associated email addresses. Affected companies include American Express, Citibank, The College Board, and BestBuy. [Source] [Source] [Source] [Source] [Source] [Source] [Senator Calls for Investigation Into Epsilon Breach] [Canadian consumers among victims of massive email security breach

US – Epsilon Received Warning of Potential Breach Months Ago

The data breach at Epsilon was likely due to a spear phishing attack, something the company was warned about several months ago. An Epsilon technology partner, Return Path, sent out a warning in November 2010 after an employee fell for a phishing attack, exposing thousands of email addresses to the attackers. Ironically, the type of information stolen during the attack could be used to launch spear phishing attacks against customers of some of the 2,500 companies on whose behalf Epsilon sends out email. [Source] [Source] [Source] See also: [US: Company that services L.L. Bean Visa reports privacy breach

WW – WordPress.com Data Breach Puts Millions of Bloggers at Risk

WordPress.com, which hosts millions of blogs using the popular WordPress blogging software, announced that its servers had been breached and that sensitive data was likely taken. “We presume our source code was exposed and copied,” WordPress founder Matt Mullenweg said in a blog posting yesterday. “While much of our code is Open Source, there are sensitive bits of our and our partners’ code.” Mullenweg was unusually candid for a company president disclosing a major data breach. [Source

AU – BP Employee Loses Laptop With Unencrypted Claimant Information

BP’s acknowledgment that an employee lost a laptop containing unencrypted information of 13,000 people who have submitted claims associated with last year’s oil spill has prompted analysts to declare that failing to encrypt sensitive data on portable devices is inexcusable. The information compromised in the BP laptop breach includes names, Social Security numbers (SSNs) and dates of birth. Even a requirement for federal agencies to encrypt sensitive data on portable devices following a breach that compromised the security of records of more than 26 million veterans has not resulted in compliance. [Source

CA – Alberta School Board Loses Memory Stick With Employee Data

The private information of thousands of Edmonton Public School Board employees has been missing for more than three weeks. In a massive privacy breach, a USB memory stick containing information, including resumes and employment records of about 7,000 employees, was lost on March 22. The stick was used by a school board computer technician working in human resources to download the data, but then he lost it. The school board has recently sent out letters to the affected employees, advising them that their private information — possibly including banking data — may have gone astray. Provincial privacy commissioner Frank Work said the school board violated its own policies. “First of all, according to school board policy, you’re not supposed to use an unencrypted stick,” said Work. “They did.” “Second of all … they’re supposed to keep a list of what they download … onto a portable device, like a stick. They did not. And the third way they breached their own policy was they had kept too much information too long.” Work said he sees a privacy breach like this almost every month. But he said there is no point in penalizing the board financially because it has already spent thousands of taxpayer dollars to sort out the mess. [Source]

Identity Issues 

US – Obama Calls for Secure Online-Identity System

President Barack Obama unveiled an ambitious “National Strategy for Trusted Identities in Cyberspace“ proposal urging the private sector to create a trusted-identity system to boost consumer security in cyberspace. Digital rights groups cautiously welcomed the first-of-its-kind government proposal, calling it a blueprint for increased internet security and privacy. The latest plan, which distances itself from a national ID approach, calls on the private sector to develop methods by which consumers can create a secure, online identification to enable web transactions. The plan envisions replacing today’s reality of generally having to remember passwords for dozens of sites where consumers have already lodged their sensitive data, such as credit card numbers. The government is allotting up to five years for the “standardization of policy and technology” to come together. Implementation of the plan, the government said, “will not occur overnight.” [Source]

Intellectual Property 

NZ – New Zealand Passes Three-Strikes Anti-Piracy Law

Legislators in New Zealand have passed a three-strikes anti-piracy law. Vehemently opposed by members of the country’s Green Party and independent MPs, the Copyright and Infringing File Sharing bill provides for warning illegal filesharers twice; a third infringement would give rights holders the opportunity to bring the offender before a tribunal with the authority to impose fines of up to NZ $15,000 (US $12,000). Subsequent violations could result in a court order suspending the offender’s Internet account. Those opposing the law say that people could have their accounts suspended without sufficient proof of wrongdoing. [Source] [Source]

Internet / WWW 

EU – Microsoft launches StreetView rival in Europe

Microsoft is launching its own version of Google’s StreetView – dubbed Streetside – across Europe. Cars fitted with cameras have begun taking pictures around London and will start mapping major cities on the continent next month. The service is already available in 56 US towns and cities. Microsoft has been keen to avoid the privacy concerns that dogged Google’s service but said that it does plan to gather wi-fi data. Initially, Streetside will be on a smaller scale than Streetview, according to the company’s director of search, Dave Coplin. “We’re not setting out to record every street. We believe it is most valuable in urban centres where people want to find services,” he told BBC News. [Source

WW – Chrome Will Warn Users of Suspicious Downloads

Google plans to add a feature to its Chrome browser to warn users when they are downloading a file that is suspected to contain malware. The feature will rely on Google’s Safe Browsing service; if a user tries to download an EXE file with a URL that appears on the Safe Browsing blacklist, the user will receive a message that reads “This file appears to be malicious. Are you sure you want to continue?” Users will have the option of going ahead and downloading the questionable file if they choose. The new service will be tested with a subset of Chrome users running the dev version of the browser before being incorporated into the stable version of Chrome. [Source] [Source] [Source] [Source

EU – IAB Europe Releases Behavioural Advertising Framework

Google, Microsoft, AOL, Guardian News & Media and The Irish Times are among the companies that have signed up to a new cross-European self-regulatory framework for online behavioural advertising (OBA) that will see ads that target users based on previous internet activity being identified by a special icon. Developed by IAB Europe, the framework aims to improve transparency and consumer control when ads are delivered using OBA. By June 2012, all OBA-based display advertisements on the websites that have signed up to the framework will have an icon indicating that behavioural advertising is being used. If users click on the icon, which is currently being trialled in the UK, they’ll be directed to a company site with more information and they’ll have the ability to turn off OBA ads. They will also have the option of going to a new pan-European website, http://www.youronlinechoices.eu, which provides further information on OBA in the relevant language and a tool to manage data preferences, including turning off OBA with just a few clicks. According to IAB Europe, the major practical achievement of the framework is that it provides full transparency and control to users without limiting their browsing experience. IAB Europe said that as the obligations of the framework are only binding to signatory companies, it will be complemented by the European Advertising Standards Alliance’s (EASA) Best Practice Recommendations, also released today. According to IAB Europe, these recommendations are designed to “ensure that the entire advertising ecosystem adheres to rules that together guarantee that the value chain delivers the objective of enhanced control and consumer choice”. The companies that have signed up the OBA framework are: 24/7 Real Media, Adconion Media Group, AdGenie, Adnetik, AOL, ARBO Interactive, Audience Science, BBC Worldwide, BlueKai, Cognitive Match, CPX Interactive, Crimtan, Criteo, datvantage, Financial Times, Google, Guardian News & Media, Hi-Media, Independent Digital, Lotame, Media6degrees, Microsoft, Nugg.ad, Orange, PRISA, Profero, Sanoma, Specific Media, Struq, tectonic, The Irish Times, Tribal Fusion, Telegraph Media Group, United Internet Media, ValueClick Media, Vibrant Media, Weborama, Yahoo and Yell. A copy of the framework and FAQs is available here. [Source]

Law Enforcement 

US – Cameras Read License Plates, Helping City’s Police

The Manhattan’s Police Department’s growing web of license-plate-reading cameras has been transforming investigative work. Though the imaging technology was conceived primarily as a counterterrorism tool, the cameras’ presence has aided in all sorts of traditional criminal investigations. The latest example came last month with the arrest of Marat Mikhaylich, a suspect in 9 bank robberies in New York and New Jersey. Even though the FBI had identified Mr. Mikhaylich through surveillance photos, he had managed to avoid arrest — until he added car theft to his criminal history. One or more of the NYPD’s security cameras detected the stolen car’s license plates and directed federal agents to a block in Queens. The next morning, Mr. Mikhaylich was arrested there, as he was stopped at a traffic light. There are 238 license plate readers in use in New York City, said Paul J. Browne, the Police Department’s chief spokesman. Of those, 130 are mobile. They are mounted on the back of police cars assigned to patrol duties across the city’s five boroughs and to specialized units like the highway and counterterrorism divisions. The remaining 108 cameras are set up at fixed posts at city bridges and tunnels and above thoroughfares. Yet the strategy for the use of the license plate readers has raised questions about whether they represent a system for tracking driving patterns, said Donna Lieberman, the executive director of the New York Civil Liberties Union. She said it was hard to tell whether interest in “effective and efficient law enforcement” was being balanced with the “values of privacy and freedom.” “We don’t know how much information is being recorded and kept, for how long, and by which cameras,” Ms. Lieberman said. “It’s one thing to have information about cars that are stopped for suspicious activity, but it’s something else to basically maintain a permanent database of where particular cars go when there is nothing happening that is wrong and there is no basis for suspicion.” When it comes to car thefts, the value of the cameras seems clear, Mr. Browne said. In 2005, the year before the first license plate readers were put in place, there were 17,855 reports of stolen cars in the city, according to police statistics. Last year, there were 10,334, the statistics showed. [The New York Times 

CA – Body Upholds Order that Officer Resign

The Ontario Civilian Police Commission ruled Wednesday that a disciplinary tribunal was right to order Ottawa police Const. Harinderpal “Bob” Mamak “to resign within seven days” or be dismissed. In doing so, the OCPC upheld a July 29, 2010, decision by hearing officer Terence Kelly. In September 2009, Mamak was found guilty of insubordination and breach of confidence under the Police Services Act. The charges were laid by the professional standards section of the Ottawa police in December 2007, in relation to Mamak’s unlawful use of the Canadian Police Information Centre, a federal database of suspicious and stolen vehicles and bicycles. Mamak can appeal the decision before the Ontario Divisional Court. Ottawa police said he remains suspended from duty with pay. [Source

US – States Address Privacy Risks of Digital Copiers and Electronic Waste

On April 1, 2011, a New York law went in effect requiring retailers of certain electronic equipment to institute electronic waste collection programs and to provide information to consumers on how to “destroy all data on any electronic waste, either through physical destruction of the hard drive or through data wiping.” Manufacturers of devices that have hard drives capable of storing personal information or other confidential data must include instructions describing how consumers can destroy such data before recycling or disposing of the devices, and businesses that sell products with hard drives must inform customers at the point of sale where the data destruction information can be located. In addition, five other states are considering legislation to address the privacy risks associated with digital photocopiers that may store personal information on their hard drives.

  • Connecticut would require businesses that lease digital copiers to ensure that all data is erased from the machine’s memory when the lease expires.
  • Florida would require financial institutions to implement security polices to identify copiers under their control and ensure that the hard drives on the copiers are erased before returning any leased copiers to a lessor or selling the copiers.
  • Nevada would require any business or data collector that owns or possesses a copier, fax machine or multifunction device (collectively, “digital office equipment”) that uses a data storage device to ensure that any personal information stored on such digital office equipment is either (1) encrypted or (2) physically or technologically destroyed before giving up ownership, physical custody or control of the digital office equipment.
  • New Jersey would require businesses to destroy personal information stored on digital copiers before disposing of the machines.
  • Oregon would require sellers and distributors of copy machines to remove, erase or destroy and personal information in a data storage device on the machines.

These bills reflect an enhanced focus on the privacy risks associated with digital office equipment. Last year, the FTC was investigating this issue after an exposé showed that almost every digital copier produced since 2002 stores on its hard drive images of documents that are “scanned, copied or emailed by the machine” – including documents with sensitive personal information. The FTC eventually produced a report entitled “Copier Data Security: A Guide for Businesses” that offers businesses tips for securing data stored on digital copiers. [Hunton & Williams LLP, Security Law Blog]

Location 

CA – Abbotsford, Victoria Join Other Cities With Online Crime Maps

Police departments in Abbotsford and Victoria are following the example of several major Canadian cities and launching online crime maps. But while they are useful for police and the public to track clusters of auto theft or break and enters, one Vancouver homicide expert doesn’t believe they’ll have a significant impact on reducing crime. On Friday, the Abbotsford Police Department added a new crime-map feature to its website, abbypd.ca. And one day earlier the Victoria Police Department launched its own crime-map site at vicpd.ca. The system costs about $150 per month. Both maps employ CrimeReports software. Vancouver and West Vancouver, as well as other cities in Canada including Calgary, already use crime maps, databases that allow police to enter crime files, plot the type of call on a map and later analyze the data to identify criminals. Police agencies hope that posting the information online will encourage people to report crime, because they will be more aware of what is happening in their neighbourhoods. Neil Boyd, a professor at SFU’s school of criminology, said there is no way to know how well the databases are working, but he doesn’t believe they’ll have an immediate impact on reducing crime. He said the online maps could cause crime displacement, where criminals become aware that an area is being monitored by police and move elsewhere, but he added that it’s unlikely a criminal will use the maps. [Source]

Online Privacy 

EU – Court: Google Must Guarantee Anonymity of Street View Faces, License Plates

A Swiss court has ruled that Google must guarantee anonymity before publishing faces and license plates captured in Switzerland for the popular street view service. The Federal Administrative Court largely sided with Switzerland’s data protection commissioner who claimed that Google was breaching citizens’ right to personal privacy, according to the ruling published Monday. Google said it was disappointed by the verdict and is considering an appeal to the Swiss supreme court. The Bern-based court said Google needs to ensure that all faces and vehicle license plates are blurred before uploading pictures to the service that provides panoramic views from various positions along the world’s streets. It also ordered the company obscure other identifying features, such as skin colour and clothing, from people photographed in the vicinity of “sensitive establishments,” such as women’s shelters, retirement homes, prisons, schools, courts and hospitals. Google’s right to pursue its commercial interests does not outweigh Swiss privacy laws, the court said in an explanatory note. [Source

US – Free Pandora App Shares User Data

Online music service Pandora has acknowledged being served with a subpoena demanding documents related to information sharing practices. The subpoena appears to be connected to a federal grand jury investigation into information sharing practices of apps that run on Apple and Android mobile platforms. A report recently found that a Pandora smartphone app shares user information with advertisers. The shared data include age, gender, geographic location, birth date and device ID. [Source] [Source] [Source

WW – World’s First Personal Lifestyle Database System Released

The lifecentral group announced the immediate availability of the world’s first lifestyle database yesterday. The system allows any Internet user to reveal previously undiscoverable correlations between his or her activities, meals, moods, medications, and more. Lifecentral, available at lifecentral.info, provides users with an easy-to-use and intuitive interface for entering data about every aspect of their lives. In just five minutes per day, a user can enter everything he or she has done, eaten, felt, and taken during that day. After a sufficient amount of data has been entered, users can then produce reports to examine correlations between aspects of their lives that they had previously been unable to discover. These correlations are often more precise than the generalized advice offered by medical professionals that is not tailored to a person’s unique physiology. Accounts at lifecentral are free to any user over 13 years of age. Users may choose to keep their data private on secure servers, to share data with selected friends, or to make their data available to the world. lifecentral does not mandate the entry of personally identifiable information, so users may elect to track data anonymously. lifecentral will never reveal individual, nonaggregate data to anyone. Data is available to export to external software such as Microsoft Excel if users wish to generate reports that are not available on the lifecentral site. [Source

CA – Ontario Teachers Advised Not to ‘Friend’ their Students Online

The Ontario College of Teachers released a report outlining appropriate online conduct for educators. While the report acknowledges that social media plays an increasingly important role in young students’ lives, it cautions teachers against using it to communicate with their students. It also reminds teachers that anything they publish online – despite their privacy settings – could eventually be viewed by their employer or students. Teachers are advised to:

  • Communicate electronically with students at appropriate times of the day, but if it would be too late to call them at home, don’t send an email either.
  • Use “established education platforms,” creating websites and profiles intended for class use only.
  • Notify parents of any decision to use social media platforms in the classroom, and consider giving them access to the sites.
  • Maintain a formal, courteous professional tone at all times, across all platforms.
  • Remove any “inappropriate content” that either they or others post to private accounts and assume that anything posted online can be accessed and altered.

Teachers are cautioned against:

  • Exchanging private texts, phone numbers, personal e-mail addresses with students.
  • Accepting students’ “friend” requests, or issuing “friend” requests to students.
  • Enabling any students to post to teachers’ social media accounts.
  • Creating an alter ego. (Courts can compel disclosure of your true identity, the report advises, so be transparent and authentic.)
  • Divulging student information
  • Criticizing students, colleagues and superiors and making “impulsive, inappropriate or heated comments.” [Source]

 

Other Jurisdictions 

AU – Right to Sue if Online Privacy Violated: New Law Recommended

A Senate Committee Report into the online privacy of Australians using the internet recommends giving all Australians a legislated right to online privacy, something which does not presently exist, Committee Chair Senator Mary Jo Fisher said. “This would mean a person could take legal action if his or her online privacy were seriously invaded,” Senator Fisher said. “The Report also recommends allowing an individual online user to dictate the amount of personal data that a web service provider can collect and use to target them with advertisements, through a ‘Do Not Track’ model,” she said. “The Committee recommends increasing the scope for the Office of the Privacy Commissioner to handle complaints about the use of online privacy consent forms. [Source

IN – Indonesian Lawmaker Resigns After Being Caught Watching Porn in Parliament

An Indonesian lawmaker who helped pass a tough anti-pornography law resigned Monday after he got caught watching sexually explicit videos on his computer during a parliamentary debate. The scandal has transfixed this predominantly Muslim nation since a local photojournalist filmed Arifinto, a member of the staunchly Islamic Prosperous Justice Party, gazing at the downloaded porn sites. [Source

MX – Update on Mexico’s New Privacy Law: No Immediate Enforcement

Mexico’s data protection authority will not rush to carry out compliance inspections or take enforcement actions when rules implementing the country’s new data protection law begin taking effect in July, the head of the DPA, the Instituto Deral De Acceso a la Información Pública (IFAI), said March 10 at a conference. As soon as the final rules are published in July, the government expects businesses and other covered entities to begin following the basic requirements that they appoint an individual to be in charge of data protection and establish written data security and privacy policies, IFAI President Commissioner Jacqueline Peschard Mariscal said. [Source

NZ – Juror Privacy to be Tightened

Legislation that will enhance the privacy, safety and security of jurors has been introduced to the New Zealand Parliament. Justice Minister Simon Power said the Juries Amendment Bill included a provision to remove the addresses of potential jurors from jury panel lists. The move comes after convicted murderer George Baker wrote to a juror whose name he saw on a list while he was representing himself in a trial. Currently, a jury list must contain the name, occupation, date of birth and full address of potential jurors. Since 2008, self-represented defendants have been prohibited from keeping a copy of the jury list or taking notes, but they can inspect it under supervision. In addition, where there is a real risk that an accused may intimidate jurors, the prosecutor can apply for a judge-alone trial. Mr Power said those changes were made to protect the privacy of jurors, but the Baker incident highlighted the need to further restrict access to the information. The proposed changes in the bill will:

  • remove the addresses of potential jurors from jury lists;
  • allow the prosecution, defence lawyer, or the court-appointed adviser to defendants representing themselves to have automatic access to all address information on request;
  • prevent the accused from ever seeing potential jurors’ addresses by prohibiting the defence lawyer or court-appointed adviser from showing the addresses to the accused;
  • extend the section of the Juries Act which makes it clear that misconduct in relation to jury lists may be treated as contempt of court to include the act of showing the accused, or any other person, jurors’ addresses; and
  • bar people from serving on a jury if they have, in the previous five years, been sentenced to home detention for three months or more. This puts them in the same category as those sentenced to a short term of imprisonment. [Source]

 

Privacy (US) 

US – US Judge Trying to Determine if Google Breached Wiretap Law

A federal judge presiding over combined lawsuits against Google over its inadvertent collection of packets sent over unprotected wireless networks is trying to decide if Google breached the Wiretap Act. US District Judge James Ware is seeking a definition of “radio communication” under the Wiretap Act to determine whether or not home Wi-Fi networks fall under this purview. Google says they do, while the plaintiffs’ legal team says that the data were only sent over radio waves while traveling between a home router and a laptop. Both parties agree that eavesdropping on cordless phones is illegal. [Source

US – Google Settles With FTC Over Buzz Privacy Charges

On Wednesday, March 30, Google settled deceptive privacy practice charges from the Federal Trade Commission regarding its social networking tool, Buzz. The terms of the settlement call for Google to launch a privacy program and undergo regular third-party audits for 20 years. The settlement does not impose a fine, but Google could face fines if it violates the terms of the settlement. The settlement is the first in which the FTC has ordered a company to implement a comprehensive security policy. On the same day, Google launched a new social networking tool called +1; it allows users to annotate search results to recommend pages to friends. [Google must undergo privacy reviews for next 20 years] [Source] [Source] [Source] [Source

US – Infra-Red Camera Scheme Put On Hold Over Privacy Concerns

A project in Boston designed to educate home owners about energy efficiency has been put on hold due to privacy concerns. The city was due to have a number of infrared cameras installed that would take aerial and street-level photos across approximately four miles in order to show heat loss in homes during the winter months. Boston officials planned on sharing the photos and analysis with home owners and were hoping the findings would increase enrolment in efficiency programs and also create business opportunities. The cameras were similar to the van-mounted cameras that take street view photos for Google maps and were built by researchers at the Massachusetts Institute of Technology. Besides just helping the average consumer, it was thought the technology offered by a company called Sagewell, could benefit larger groups, businesses and cities that want to save energy and money. Officials had planned to scan every building this way. But the project has been put on hold after the ACLU of Massachusetts raised concerns that the infra-red cameras would reveal information about what is going on inside the homes as they can take up to 20,000 images of homes per day. [Source]

RFID 

EU – EU Commission, Firms Sign Privacy Deal On Smart Tags

The European Commission signed a voluntary agreement with companies that make or use smart tags, establishing privacy guidelines over the rapidly growing use of the identification chips. The new voluntary rules, to take effect before the end of the year, require companies to conduct a privacy risk assessment before putting a smart tag product on the market. About 1 billion smart tags – also called radio frequency identification devices or RFIDs – are expected to be used in Europe this year. The number of smart tags used worldwide is predicted to rise to 50 billion by 2020 from an estimated 2.8 billion this year, according to industry forecasts. Risk assessments would have to take into account the possible damage from personal data falling into the wrong hands, as well as suggest steps to prevent or mitigate any impact. [Source

US – ‘Ready Lane’ Opening at Peace Arch Crossing

It soon should be easier for motorists with an enhanced driver license to pass through Peace Arch border crossing into Canada at Blaine. U.S. Customs and Border Protection opens a “ready lane” next week to expedite travelers with radio frequency identification (RFID) documents. In addition to the Washington enhanced driver license, they include the NEXUS card, new permanent resident card and U.S. passport card. Customs and Border Protection spokesman Thomas Schreiber says the ready lane should be 10-to-15 seconds faster per car, which can make a big difference over time in a line of traffic. The agency is demonstrating the ready lane Thursday. It goes into operation next week. [Source]

Security 

US – SEC Fines Three for Failing to Protect Customer Data

The US Securities and Exchange Commission (SEC) has fined former employees of broker-dealer GunnAllen Financial for failing to adequately protect customer data. The company was liquidated in November 2010; the SEC maintains that GunnAllen former president Frederick O. Kraus and former national sales manager David C. Levine broke privacy rules when Kraus authorized Levine to take information about 16,000 clients with him to his new job; the data were transferred on a thumb drive. Kraus and Levine were fined US $20,000 each. Former chief compliance officer Mark A. Ellis was fined US $15,000 for failing “to ensure that the firm’s policies and procedures were reasonably designed to safeguard confidential customer information.” The case is the first in which people have been fined solely for violating the SEC’s Safeguard Rule, or Regulation S-P, which requires financial advisers and institutions under SEC jurisdiction to protect customer data and give customers the opportunity to opt out of having their information shared with unaffiliated third parties. [Source] [Source

US – FBI, DoJ Act to Block International Botnet

The Justice Department and FBI have taken what they characterize as the most complete and comprehensive action ever by American authorities to disable an international botnet known as Coreflood, which is believed to have been operating for nearly a decade and infected more than 2 million computers worldwide. The U.S. attorney in Connecticut filed a civil complaint against 13 John Doe defendants, alleging that they engaged in wire fraud, bank fraud and illegal interception of electronic communications. Authorities also seized five command and control servers that remotely controlled hundreds of thousands of infected computers as well as 29 domain names used by the Coreflood botnet to communicate with the control and command servers. The government said it replaced the illegal servers with substitute servers to prevent Coreflood from causing further injury to the owners and users of infected computers and other third parties. The government also obtained a temporary restraining order, authorizing the government to respond to signals sent from infected computers in the United States to stop the Coreflood software from running, which they contend would prevent further harm to hundreds of thousands of unsuspecting users of infected computers. Authorities said Coreflood records keystrokes and private communications on a computer. Once a computer is infected with Coreflood, it can be controlled remotely from another computer, Coreflood steals usernames, passwords and other private personal and financial information allegedly used by the defendants for a variety of criminal purposes, including stealing funds from the compromised accounts. In one example described in court filings, through the illegal monitoring of Internet communications between the user and the user’s bank, Coreflood was used to take over an online banking session and caused the fraudulent transfer of funds to a foreign account. [Source]

Surveillance 

US – Requests for Stored Communication Data Not Reported

While US law requires reporting of requests to intercept communications data in real-time, no such requirement exists for requests for stored communications data. Christopher Soghoian, in his research article “The Law Enforcement Surveillance Reporting Gap,” says that law enforcement agencies have made tens of thousands of requests for stored data from companies like Facebook and AOL. Not only is it easier for law enforcement to get their hands on the information once it has become stored communication, but it is considerably less expensive, too. At one US service provider, wiretaps can run into the thousands of dollars, while account information is provided for US $40. [Source] [Source] [Read full article

CA – B.C. Transit Tests Security Cameras on Victoria Buses

B.C. Transit is using Victoria as a testing ground for security cameras on its buses. Closed circuit television cameras have been installed on three vehicles as part of a year-long trial. In addition to monitoring security, they will also record traffic incidents. Information gathered will help charter policy on the use of security cameras in B.C. Transit properties throughout the province, said Transit spokeswoman Joanna Linsangan. “It won’t just impact Victoria itself but also province-wide,” she said. The trial will show how well the system performs, where cameras can be best placed and how they affect operations. It will also identify any support or infrastructure needs. “Every camera has audio,” said Stephen Anderson, B.C. Transit senior manager corporate safety and security. “We can isolate audio from every camera and understand what happened — what communications happened between the driver and the member of the public during and after an incident.” Notices on each bus inform passengers of the video surveillance. Information is stored on a hard drive for one week before being over-written. It will only be accessed if an incident is reported, Anderson said. The Information and Privacy Commissioner’s Office has been consulted on the plan. [Source]

Telecom / TV 

US – Justice Department Opposes Digital Privacy Reforms

The U.S. Justice Department has offered what amounts to a frontal attack on proposals to amend federal law to better protect Americans’ privacy. James Baker, the associate deputy attorney general, warned that rewriting the 1986 Electronic Communications Privacy Act, or ECPA, privacy law to grant cloud computing users more privacy protections and to require court approval before tracking Americans’ cell phones would hinder police investigations. This appears the first time that the Justice Department has publicly responded to a set of digital privacy proposals unveiled last year by a coalition of businesses and advocacy groups including AT&T, Google, Microsoft, eBay, the American Civil Liberties Union, and Americans for Tax Reform. The Digital Due Process coalition hopes to simplify the wording while requiring police to obtain a search warrant to access private communications and the locations of mobile devices–which is not always the case today. A group of conservative and libertarian groups sent a letter to Leahy and Grassley urging them to move “immediately” to “extend the Fourth Amendment’s protections against the unreasonable search and seizure of digital documents and other electronic information.” It was signed by groups including TechFreedom, the Competitive Enterprise Institute, FreedomWorks, and the Liberty Coalition. “The current standards are messy, inconsistent, and unclear,” says Julian Sanchez, a research fellow at the libertarian Cato Institute, which is not part of either group. “I think DOJ has realized is that this is largely severable from the question of whether you…establish consistency in favor of uniformly protecting privacy–or uniformly permitting easier government access.” Baker, the associate deputy attorney general, also offered two suggestions: that any ECPA rewrite might include “the disclosure by service providers of customer information for commercial purposes,” and that the practice of telecommunications companies charging fees for the time it takes to process routine police requests should be curbed. The second suggestion, Sanchez suggested, might end up being used by the Justice Department as a bargaining chip “to splinter the telecom-civil libertarian coalition.” As for the first suggestion, Marc Rotenberg, director of the Electronic Privacy Information Center, said his group never joined the Digital Due Process coalition because it was “unwilling to address that issue which, we believe, for users is straightforward and obvious.” “ECPA amendments should cover commercial use of user data,” Rotenberg said. [Source]

US Government Programs 

US – Appeals Court Upholds Warrantless Laptop Border Searches

A 2-1 decision from the 9th US Circuit Court of Appeals says that US government authorities may seize digital devices at US borders without warrants and keep them for days while searching their contents. The case in question involves a man whose laptops and camera contained child pornography images. ICE agents seized the devices and transported them 170 miles to be searched. [Source] [Source] [6,500 warrantless searches since 2008].

US Legislation 

US – Sens. Kerry, McCain Introduce Online ‘Privacy Bill of Rights’

Sens. John Kerry and John McCain have teamed up to introduce a bill that would provide Internet users with a commercial privacy bill of rights. The Commercial Privacy Bill of Rights Act of 2011 is intended to create a framework to protect the personal information of all Americans. Customers should have the right to security and accountability, the right to know how their information is being used, and right to have the smallest amount of data collected about them as possible, the senators said. Kerry, a Massachusetts Democrat, said in a statement, that “Our bill makes fair information practices the rules of the road, gives Americans the assurance that their personal information is secure, and allows our information driven economy to continue to thrive in today’s global market.” McCain, an Arizona Republican, said the bill allows companies to continue marketing and advertising to consumers, but “does not allow for the collection and sharing of private data by businesses that have no relationship to the consumer for purposes other than advertising and marketing.” Specifically, the bill states that:

  • Collectors of information must implement security measures to protect the information they collect and maintain.
  • Collectors of information must provide clear notice to individuals on the collection practices and the purpose for such collection.
  • Collectors of information would be required to collect only as much information as necessary to process or enforce a transaction or deliver a service, but allow for the collection and use of information for research and development to improve the transaction or service and retain it for only a reasonable period of time.

Companies must provide users with the ability to opt-out of data collection unauthorized by the bill and opt-in to the collection of personally identifiable information. This requires a “robust and clear notice” about data collection, and the ability of users to access and correct their information. The bill would be enforceable by state attorneys general and the FTC, though not at the same time. It also bans private rights of action. The FTC would also be able to approve nongovernmental organizations to oversee safe harbor programs that would have “the ability to be exempt from some requirements of the bill.” The Department of Commerce can weigh in on these exemptions, which it will submit to the FTC. The bill comes several weeks after the Obama administration gave its seal of approval to a “consumer privacy bill of rights” intended to allow consumers to avoid unwanted online tracking or data collection. Microsoft, HP, Intel, and eBay released a joint statement in support of Kerry and McCain’s bill. The Center for Democracy & Technology said the bill “contains many strong elements.” [Source

US – Critics Say Proposed Online Privacy Law Does Not Go Far Enough

US lawmakers have proposed legislation that would allow Internet users the right to demand that their online activity not be tracked. The Commercial Privacy Bill of Rights, sponsored by Senators John Kerry (D-Massachusetts) and John McCain (R-Arizona), requires that consumers deliberately opt out of tracking practices through links on websites, drawing criticism from some groups who say the proposed law does not go far enough. Some critics would like to have a universal opt-out capability so consumers do not have to perform the cumbersome task of opting out on every site they visit. The bill does require that websites provide clear information about their data collection practices and that the organizations collect only as much information as necessary to conduct transactions or render services. The bill does not apply to data mining, surveillance or other actions used by governments to collect personal data. Local, state and federal law enforcement agencies are exempt, as are government agencies. [Source] [Source] [Source] [Bill]

Workplace Privacy 

CA – Good News For Employers: Right to Manage Sets Limits on Employee Privacy

Three arbitration decisions have been released that support an employer’s right to manage the safety, security and efficiency of its operations through the introduction of policies relating to workplace technology, periodic police record checks, and cell phone records checks, even though these may affect employee privacy rights. 

  • In the 2010 decision of International Union of Elevator Constructors, Local 1 v. Otis Canada Inc. [2010] B.C.C.A.A.A. No. 121 (QL), Arbitrator John Steeves ruled that telematic devices in its company vehicles did not violate employee privacy rights. Otis Canada Inc. had installed devices in its cars that used satellite technology to provide information about the start, stop and idle time of each vehicle, along with the name of the employee driving the vehicle. The information was available to managers and was used to evaluate fuel efficiency, determine if regular maintenance was being done, and whether there was any unauthorized use of the vehicle (the company had a strict policy prohibiting personal use of company vehicles). The devices did not have GPS technology, so they could not provide detailed information about the location of the cars. The union representing the employees filed a policy grievance alleging that the employer was collecting personal information (the employee’s location) through the telematic devices, and thereby violating the collective agreement and British Columbia’s Personal Information Protection Act (PIPA). The employer argued that the information being collected was related to its business, and therefore did not constitute “personal information” under PIPA. Further, if the information was “personal information,” then both the collection and the use were reasonable. The grievance was dismissed. Arbitrator Steeves found that the devices were used to record the working time of employees and that this formed part of the company’s general management rights to know what its employees are doing when they are working and when they are using company vehicles. He also found that the only personal information being collected was the employee’s name, and that this did not violate PIPA. There was the potential to use the information to investigate and discipline an employee, but the data being collected by the devices itself did not meet the definition of “personal information,” and therefore there was no violation of employee privacy in the circumstances. 
  • A second policy grievance relating to employee privacy rights was dismissed by Arbitrator Wayne Moore in Vancouver Firefighters’ Union, Local 18 v. Vancouver (City) [2010] B.C.C.A.A.A. No. 81 (QL). In this case, the union grieved a policy introduced by the City of Vancouver requiring those employees in its Fire & Rescue Services Department who held “designated positions of trust” to submit to police record checks every five years. These positions were identified primarily as those that have ongoing or significant relationships with vulnerable people or where the main duties involve protecting the security of people and/or material assets. Employees who failed to comply with the policy ran the risk of being disciplined or discharged. The union did not object to the employer’s practice of requiring police record checks at the time of hire, but argued that the ongoing requirement to disclose information about an employee’s police record, and the requirement that record checks be provided at five-year intervals, breached employee’s statutory and common law rights to privacy and exceeded the employer’s management rights under the collective agreement. The employer asserted that the policy was in furtherance of its legitimate interest in providing safe and effective services to the public. Arbitrator Wayne Moore upheld the policy with slight modifications. He noted that it was necessary for the employer to determine the suitability of employees, considering its interests in protecting the safety of the public and the security of the public’s property, as well as in ensuring the integrity of its operations and employees. In reaching his decision, Arbitrator Moore noted that in light of the need to maintain public trust and the integrity of its operations, the employer should not have to wait for complaints of misconduct before ensuring that the employees who hold designated positions are appropriate for the job. In his decision, Arbitrator Moore noted that this was not a blanket requirement of a criminal record check on all employees, but was limited to particular employees who had some degree of choice in deciding whether to apply for designated positions.
  • The third decision in this employer-friendly trilogy is that in the case of Teamsters Canada Rail Conference v. Canadian Pacific Railway Company (Case No. 3900, Canadian Railway Office of Arbitration & Dispute Resolution). After a number of serious collisions in the railway industry in North America, the Canadian Pacific Railway Company adopted a policy of asking employees to provide copies of their personal wireless telephone records as a routine part of investigations where a significant accident or incident remained otherwise unexplained. In the policy grievance that ensued, the union argued that the company’s request was unreasonably intrusive and violated employee privacy rights, and pointed to a decision by the Privacy Commissioner of Canada in which it was held that telephone records are “personal information” within the meaning of the federal Personal Information Protection and Electronic Documents Act (PIPEDA). After emphasizing the highly safety-sensitive nature of railway operations in Canada, Arbitrator Michel Picher dismissed the grievance and found that the company’s policy was compliant with the requirements of PIPEDA. In his decision, he noted that given the particular nature of railway operations, “There must be an inevitable balancing of interests between the privacy rights of employees and the interests of a railway employer to ensure safe operations.” In addition, Arbitrator Picher was influenced by the fact that the infringement was very narrow and that the company was not seeking any information beyond whether a cell phone had been used in close proximity to a railway accident. There was no attempt to go “behind the privacy” into the contents of any wireless communication. This finding is comparable to the Otis Canada Inc. finding; in that case, the information from the telematic devices only collected the name of the mechanic/driver and no other information personal to the individual, so it was found to be a narrow infringement on privacy. 

Key Points for Employers:

  • Employers have a right to ensure the efficient, safe and secure operation of their business. In some circumstances, the exercise of management rights will permit a reasonable intrusion upon employee privacy.
  • The implementation of technology, policies or practices that permit employers to collect, use and disclose personal information should be as narrow as possible in the circumstances, and should focus on legitimate interests such as ensuring the safe and effective operation of the business.
  • In order to minimize the likelihood of a successful complaint or grievance as a result of the introduction of new technology or policies in the workplace, consider providing notice of the changes and informing employees of the objectives behind implementing the technology or policy. [Source: Mondaq news

IS – Israel Monitoring Employees Email Severely Restricted

In a 91 page opinion, the National Labor Court laid down a clear set of rules on employers right to monitor their employees email messages. The rules impose severe restrictions on that right and employers should consider reforming their workplace policies accordingly. The issue that was brought before the court was whether an employer may access employees email messages and submit them as evidence in the course of court proceedings brought by the employee against the employer. Typically, the employer wishes to present evidence obtained from the employee’s email account, in an effort to dismiss the employee’s claim for unlawful termination. However, a “Fruit of the poisonous tree” evidential rule under the Privacy Protection Act, prohibits submission of evidence obtained through invasion to privacy. Chief Judge Nili Arad delivered the National Labor Court’s opinion on two appeals from District Labor Courts that reached inconsistent decisions related to the employers’ rights in that respect. The court laid down the following principles:

  • In light of the employer’s proprietary interest in the workplace and managerial prerogative, the employer should set a balanced policy for use of the corporate IT and email systems. The employer must bring the policy to the attention of the employees and must incorporate the policy into their personal employment contracts.
  • A clear line should be drawn between an email account allocated by the employer to an employee and an employee private email account, such as a webmail account.
  • An employer may allocate accounts to employees and designate them for work related purposes only (‘professional purpose accounts’), or for personal purposes as well (‘dual purpose accounts’), or for the employer’s personal purpose only (‘personal purpose account’).
  • If the employer makes the employees aware of the e-mail monitoring policy, then the employer may monitor the traffic data and contents of professional purpose accounts. However, if an employee uses the mailbox for personal e-mail exchange, even if in violation of the corporate policy, then the employer may access the personal messages in that account only subject to the employee’s explicit, informative and freely given consent and only if the contents of such personal messages are unlawful or abusive.
  • The employer may monitor and access personal messages in dual purpose and personal accounts, subject to the following terms: (1) There are unusual circumstances that justify access to the messages; (2) The employer first uses less invasive tools that reveal the monitored employee’s misconduct; (3) The employee gives explicit, informative and freely given consent to the corporate policy and specifically to the monitoring of or access to his personal (not work related) messages; (4) The employee provides specific consent to each access by the employer to the contents of personal messages in a dual purpose account, or specific consent for any surveillance activity by the employer which include access to a personal account, and to personal content in such account.
  • An employer may not monitor or access an employee private email account, even if the employee uses the workplace IT system to access the account and even if the employee consented to such access. An employee’s private account may be accessed only subject to an appropriate court order, that courts grant on rare occasions.
  • Based on the above laid down principles, the court granted the employees’ motion to suppress the evidence in both cases, because the employers obtained the evidence while unlawfully invading the privacy of their employees.

Employers should carefully study the opinion and make all necessary adjustments to comply with its requirements. Specific attention should be given to the corporate policies, employment contracts, adequate consent processes and to harmonizing the corporate information security system and policies with a new pro-privacy workplace environment. [Source]

+++

16-31 March 2011

Biometrics 

EU – NL Court Upholds Passport Fingerprint Demand

The Hague city council is within its rights to refuse to issue a passport to a woman who refused to give her fingerprints, a court has ruled. The court backed the council because fingerprints are required by law. The woman refused to comply because they will be stored in a database and used to track criminals. The woman argued this infringed her right to privacy and her human rights. In February, the Volkskrant reported a majority of MPs oppose plans to store fingerprint details from new biometric passports in a central data bank which will be accessible to police. The plan has already been attacked by lawyers and privacy experts. Even the security service AIVD warned that the data bank would be vulnerable to hackers and identity theft. [Source

EU – EDPS Issues Opinion on Turbine (TrUsted Revocable Biometric IdeNtitiEs) Project

The European Data Protection Supervisor finds that the Turbine biometrics project is implementing “privacy by design” as a key principle in its research (e.g. by complying with the data protection legislation in Norway and Italy for both the proprietary and public databases used, and by notifying the data protection authorities in Germany and Greece for the “real-life” scenario demonstrations that were conducted); the implementation of 2 features, irreversibility and revocability of biometric identification, were acceptable privacy compliant solutions (e.g. they met the Regulation 45/2001 requirements of legitimate, not excessive, and relevant collection and accuracy). A list of 10 best practices in the context of the use of biometric data was developed (e.g. user control over biometric data by default, credential check, deletion of samples and original templates, and fall back procedures). Volunteers provided written consent for the collection of their biometric data; those involved in the enrollment process were provided with training that emphasised the important of data protection both prior to and during the enrollment phase. [Source

CA – OPC Issues Paper on Biometrics and the Challenges to Privacy

The privacy challenges of biometrics include covert collection (e.g. gathering images of people’s eyes from a distance), cross-matching (e.g. collecting a fingerprint for one purpose and using it for a different purpose without the person’s knowledge and consent), and secondary information (e.g. iris images used for authentication can divulge health information). Organisations looking to deploy a biometric system should do the following – build privacy solutions into all stages of the lifecycle of the initiative, conduct a privacy impact assessment, and administer a 4-part test of necessity (e.g. what specific problem is being solved), effectiveness (e.g. some biometrics may not be counted on for identification because they are neither permanent nor unique), proportionality (e.g. the loss of privacy may not be appropriate if the benefit is minor and some biometrics are more privacy-sensitive than others), and alternatives (e.g. some forms of authentication that do not collect biometrics may work for certain tasks). Privacy principles to be considered are recording just the summary information of biometric data (e.g. using biometric encryption, cancellable biometrics or biometric tokens), verification rather than identification (e.g. a “one-to-one” match versus a “one-to-many” match), and using local storage (e.g. individual computers systems or smart cards) rather than centralized storage. [Data At Your Fingertips: Biometrics and the Challenges to Privacy

EU – Wolverton: ‘Eye Tracking’ May Be Coming to Your Computer

A Swedish company has unveiled a new system to track what users are viewing on a computer screen based on eye movement. Though eye-tracking technology has existed for some time now, it has primarily been used for academic and market research, for example, and has required people to wear special equipment. Tobii Technology plans to build eye-tracking—which beams low levels of infrared light into the user’s eye to work in tandem with sensors to track the reflection of the light and gauge a user’s point of focus—to the average computer. Still at the prototype development stage, the mainstream system is expected within a few years. [Source

Canada 

CA – Air-Travel Bill Flies in Senate

An air-travel security bill that critics initially slammed as an infringement on passenger privacy and a surrendering of Canadian authority to the U.S. Department of Homeland Security has passed third reading in the Senate, winning support for an amended version of the legislation from both Conservative and Liberal members. The passage of Bill C-42 means personal information about Canadian passengers travelling to the U.S. or through U.S. airspace -including name, gender and birthdate —can now be shared with American authorities to determine whether any individual poses a threat to U.S. national security. Conservative Sen. Michael MacDonald said during a recent debate that the bill “will allow Canadian air carriers to comply with the law of another country —a law which, I might add, all nations, including the United States and Canada, are perfectly within their rights to implement.” Liberal Sen. Wilfred Moore said that while the bill initially sparked “great concerns” among Liberals, subsequent amendments to limit the use of passenger information and how long it will be kept by U.S. authorities have allayed such worries. [Source

CA – Court Says There’s No Tort of Invasion of Privacy in Ontario

The Ontario Superior Court of Justice has released a decision in Jones v. Tsige, 2011 ONSC 1475, which states, clearly and without ambiguity that there is no free-standing tort of invasion of privacy in Ontario. The facts involve a claim against an employee of a bank who reviewed the plaintiff’s confidential banking records on at least 174 occasions. Whitaker J. canvassed a number of authorities, including the well-known case of Somwar v MacDonalds, but concluded that there is no such tort. The Court notes that the plaintiff had a remedy under PIPEDA. [Source] [Source] [Decision

CA – OIPC BC Investigation Report F11-01 – British Columbia Lottery Corporation

The Commissioner determines that the BCLC security breach (individuals able to view the personal information (‘PI”) of other customers when they logged into the online platform) was not one that it could have reasonably prevented. An investigation into the online gaming platform revealed data collection issues (BCLC collected PI from potential customers to verify identity and sensitive registration information once the account is created which is transmitted unencrypted), information systems security policy deficiency (the policy had not been formally reviewed since 2005), policy training inadequacy (the individuals who attended the sessions were not formally tracked and a number had not attended training), access control problems (a small number of users’ accounts were found on the production systems where those users who no longer required access), no patch management (no patches since the environment was frozen in 2010 during the launch of casino games) and inadequate third party contracts (these do not require the service providers to adhere to BCLC security policies and procedures, including privacy requirements). BCLC took steps to resolve security issues. [Press Release] [Investigation Report

CA – Powers and Functions of the Ombudsman in PIPEDA: An Effectiveness Study

In this research document commissioned by the Office of the Privacy Commissioner of Canada, the authors recommend (1) extending the limits of the Ombuds Model to small and medium businesses – the current model does not appear to be well suited to the small and medium business sector where compliance rates are lower and where the risks to personal information is greater, and (2) granting limited order-making powers – compliance levels with PIPEDA remain too low, and the risk that consumers face with their personal information in the hands of small and medium sized businesses is too high, however, the OPC at this point does not need broad and intrusive powers, such as cessation orders. [Source

CA – OPC Tables Report on Privacy Implications of Street-Level Imaging Applications

The Canadian Federal Privacy Commissioner has tabled a study before the Report of the Standing Committee on Access to Information, Privacy and Ethics: Recommendations for technological innovators are to implement “privacy by design” into the development of new products and consult with the Privacy Commissioner to ensure privacy rights are protected; privacy protection needs to be a core consideration at the development stage, and two companies that deployed street-level imaging technology are moving in the right direction by appointing a Director of Privacy, mandating privacy training for employees and incorporating audits for projects under development. The Privacy Commissioner has made recommendations regarding street-level imaging technology including notifying citizens in advance that images are being taken and why, blurring faces and license plates to anonymize individuals (this technology needs to be improved), effective and quick take-down processes (so individuals can have their images removed), and not retaining raw data indefinitely (one company agreed to delete unblurred imagery after one year). [Report

CA – CAPAPA Appoints New Board Members

CAPAPA (Canadian Association of Professional Access and Privacy Administrators) Canada’s leading association of privacy and access professionals, has announced the appointment of four new directors to its Board. The CAPAPA Board of Directors now includes Dr. Teresa Scassa, who currently holds a Canada Research Chair in Information Law at the University of Ottawa; Marc Gagné, President of ATIPshop and Senior Consultant with Citizenship and Immigration Canada; Lawyer, consultant and author Michael Power; and Paulette Lacroix, Senior Privacy Consultant and Certified Management Consultant at PC Lacroix Consulting Inc. CAPAPA is now represented by a most distinguished group of Directors, from British Columbia to Newfoundland and Labrador:

1.       Robert Doherty, Privacy lawyer and consultant

2.       Marc Gagné, President of ATIPshop and Senior Consultant with Citizenship & Immigration Canada

3.       Paulette Lacroix, Senior Privacy Consultant and Certified Management Consultant at PC Lacroix Consulting Inc.

4.       Eric Lawton, Senior Privacy Specialist, Risk Management & Information Security, City of Toronto and Director of Professional Certification, CAPAPA

5.       George Michelau, Assistant Director of Education, Labrador School Board

6.       Sharon Polsky, President, Amina Corporation and National Chair, CAPAPA

7.       Michael Power, LL.B., Barrister and Solicitor

8.       Dr. Teresa Scassa, who currently holds a Canada Research Chair in Information Law at the University of Ottawa [Source]

Consumer 

US – Research: Users Read Labels, Not Policies

Kashmir Hill writes in Forbes about the work of a team of Carnegie Mellon researchers to come up with a new format for informing Internet users about their privacy. Quoting recent comments by Lawrence Strickling of the Department of Commerce that privacy policies that are “lengthy, dense and legalistic…do not appear to be effective in informing consumers of their online privacy choices,” Hill examines the researchers’ “nutrition label” approach to online privacy. Citing a 2009 study, the researchers “found that people demonstrated a better grasp of a company’s treatment of their data based on a ‘privacy label’ than a text version of a privacy policy,” the report states. [Source] [Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach]

E-Government 

CA – Federal Government Launches Pilot Open Data Portal

The Government of Canada has launched a one-stop shop for federal government datasets, which might inspire provinces to join the open data space. But the licence agreement may present obstacles for individuals, businesses and organizations. The GC Open Data Portal, available at data.gc.ca, launched as a 12-month pilot project that promises a catalogue of over 260,000 datasets from 10 federal departments. The government plans to increase the number of datasets and the number of participating departments over the 12-month pilot phase, according to a Treasury Board press release. “The GC Open Data Portal is a catalogue of federal government datasets that are available for users, developers and data suppliers to find, evaluate, access, visualize and reuse federal government data,” states the online FAQ. The catalogue can be searched with keywords or browsed by categories. The data is available free of charge to the public for commercial and non-commercial use, under certain licensing conditions. Section 3 of the licence agreement prohibits the use of data for identifying individuals, businesses and organizations. “That whole clause is unprecedented … it can’t be found anywhere on other open data portals and I think it pretty much renders a lot of the data useless,” said Public policy entrepreneur and open government activist David Eaves. Eaves’ other concerns are two clauses in Section 4, which stipulate attribution notices. The government is also encouraging feedback from the public, noted Eaves. This provides an opportunity for developers, for example, to let the government know what data sets they want added to the catalogue, what formats are frustrating to work with and which datasets aren’t updated often enough. The 10 departments participating in the pilot phase include: Agriculture and Agri-Food Canada, Citizenship and Immigration Canada, Environment Canada, Department of Finance Canada, Fisheries and Oceans Canada, Library and Archives Canada, Natural Resources Canada, Statistics Canada, Transport Canada and the Treasury Board Secretariat. [Source

US – 2 years Open Records Order, Agencies Still Use Baffling Delays and Denials

One government agency is still trying to find correspondence for a political reporter between federal officials there and prospective presidential candidates — from the 2008 election. Another censored 194 pages of internal e-mails about President Barack Obama’s new rules on open government. Another agreed to hand over records of travel expenses then changed its mind and refused to turn them over. Two years after Obama pledged to reverse the Bush administration’s penchant for secrecy and comply more closely with the U.S. Freedom of Information Act, The Associated Press grapples with many of the same frustrating roadblocks and head-scratching inconsistencies. Exasperating delays and denials also affect ordinary citizens, researchers and businesses, and they frustrate the administration’s goal to be the most transparent in history. [Source]

E-Mail 

WW – Google Make Ads Relevant by “Learning” on Gmail – Concerns For Privacy?

Google will begin trying out a new intelligent ad system which “reads” from your emails, learning from your messaging habits and interests to generate useful ad content, special offers and deals local to the individual Gmail-er. The plan is currently in effect, starting this month on a small scale, and Google plan to take this worldwide within a short space of time. Gmail users will receive a prompt informing them of the change, which is made without a choice, but the possibility to opt out of the new “personalised” ads will be available in the account settings. It’s likely many people will indeed choose to opt out for concern of privacy. However, Google do claim the ads will be generated from an automated system and no human eyes will be privy to your personal emails. Google also say no third-party advertiser will receive private information. [Source] Se also: [Spam Volume Drops by One-Third Following Rustock Takedown]

Electronic Records 

CA – Manitoba Launches E-Health Records

The Government of Manitoba has officially launched the first phase of its new e-health record system at seven health centres and hospitals across the province. The initial rollout of the eChart Manitoba system gives doctors the ability to view demographic, immunization and drug information. It also gives physicians access to select lab results. Over the next 18 months, up to 30 sites will be phased into the project with a second phase of eChart expected to go live before the end of 2011. With that update, doctors will be able to get access to diagnostic imaging reports, allergy information and more lab data sources will be added. The second phase will also allow doctors already running approved e-health software to integrate with eChart. [Source] See also: [FTC: Medical Identity Theft - FAQs for Health Care Providers and Health Plans]

Encryption 

WW – Fraudulent Certificates Issued for Major Websites

Nine valid but fraudulent certificates have been issued for major Internet sites – including Google mail, Microsoft Live, and Yahoo – raising the possibility of undetectable phishing, man-in-the-middle and drive-by download attacks, multiple advisories stated. The secure sockets layer (SSL) certificates, issued by root certificate authority Comodo, allow the attackers to sign fraudulent sites and content. The certificates were issued because of a compromise at a registration authority (RA) using stolen log-in credentials for one of Comodo’s European partners, according to the company’s report on the incident. [Source] Comodo has revoked the stolen certificates. [Internet Storm Center] [Internet Storm Center] [eWeek] [CNET]Update: [Comodo Says Two More Registration Authorities Were Compromised] [Iranian hacker claims he acted alone in stealing digital SSL certificates

WW – Twitter Offers Automatic Secure Connection Option

Twitter now offers users the option of always connecting to Twitter.com with HTTPS, which encrypts communication between the users’ computers and Twitter’s servers and helps prevent attackers from stealing sensitive data. Before the change, users who wanted to connect to Twitter securely had to enter HTTPS manually in the browser bar, but now they can configure their accounts so they are automatically connected with HTTPS. It is an especially good idea for people who access their twitter accounts over unsecured wireless connections. Twitter’s mobile website still requires users to manually enter HTTPS. Twitter hopes eventually to make HTTPS the default setting. [Source] [Source] [Source] [Source] [Source]

EU Developments 

EU – Reding Outlines Data Privacy Plans for Companies in Europe

European information society and media commissioner Viviane Reding has warned companies operating in the EU that they will face court action if they break forthcoming European data laws. Reding, who is currently preparing the new laws, warned that the EU would not hesitate to take action against non-EU companies that broke local laws on data collection and retention. “To enforce the EU law, national privacy watchdogs shall be endowed with powers to investigate and engage in legal proceedings against non-EU data controllers whose services target EU consumers,” she said. She explained that EU law would be based on four central principles. Firstly, citizens had to have a “right to be forgotten”, to opt out of data collection and for those companies collecting it to prove a need to store the information. Second, companies will have to be transparent on what data they are collecting and with whom it is shared. This was particularly important for young people on social networking sites she said. “The third pillar is ‘privacy by default’. Privacy settings often require considerable operational effort in order to be put in place,” she said. Finally, these laws must protect all EU citizens no matter where they are in the world. For example, third-party telecommunications companies would be bound by them whenever they processed data from an EU account. The other area that needs attention is law enforcement. Reding proposed that these same rules should apply to law enforcement organisations that were seeking to access commercial data as part of ongoing investigations. Legislative proposals on the new data protection rules would be released this summer, she said. [Source] See also: [EU Consultation document] [Google, Internet Companies Face Too Many Privacy Rules, U.S. Official Says] [Wall Street Journal: US, EU Seek To Guard Personal Data Exchanged During Crime, Terror Efforts]

UK – UK Responds to Call for Evidence on the Data Protection Legislative Framework

Responses to the call for evidence included confusion regarding whether anonymous data, IP addresses, and energy consumption are classified as personal data (“PD”); advancements in technology have led to uncertainties about whether certain data should be treated as sensitive PD (e.g. biometric information that could reveal race or health condition). Most respondents took compliance with subject access requests (“SARs”) seriously (e.g. through the use of “in-house specialists”, ensuring SARs were dealt with in a timely manner and keeping a log of SAR complaints); much of the organisational burden dealing with SARs relates to locating the information requested, the expense of redacting the relevant information from multiple audio, video and digital data sources, and the legislative requirement to retain PD for a specific period. Many data controllers thought that mandatory data breach notification would lead to “notification fatigue” (e.g. when data subjects no longer take notice of data breaches due to the volume of notifications); respondents had difficulty in quantifying mandatory breach notification costs, citing that it would depend on the type of breach and number of different costs (e.g. drafting and sending of notices, using data protection experts and establishing help lines). Many respondents would like to see clearer guidance from the ICO regarding consent in relation to certain disciplines (e.g. employment and medicine); it is generally thought that data subjects do not read fair processing notices in detail (e.g. they are too long and difficult to understand), which should use simple, plain language and be placed at the top of form. [Source

EU – French Regulator Fines Google Over Street View Data Collection

France’s National Commission for Information Freedom (CNIL) has fined Google 100,000 Euros (US $142,000) for the company’s inadvertent collection of personal data from unprotected Wi-Fi networks. (Google collected the data while gathering information for its Street View maps feature.) CNIL called Google’s activity an “unfair collection” of data and maintains that Google benefitted financially from the information it collected. [Source] [Source] [Source] [Source]

EU – German Court Rules Google Street View is Legal

Perhaps no Google product has spawned a better blend of quirkiness and scandal than Google Street View–cameras pranked with staged sword battles, naked men emerging from car trunks, unsavory snapshots of dead bodies, and the ire of multiple governments, primarily in Europe, who believe that it’s an invasion of privacy. But in one of those countries, Germany, Google Street View has had a victory of sorts. A Berlin court has ruled, according to Deutsche Welle, that it’s legal for Google to take the street-level pictures, striking down a lawsuit brought on by a German woman who sued Google over Street View and cited privacy and property rights. The case is complicated, because the woman who sued did so out of the possibility that her privacy might be invaded–e.g. if Google Street View happened to take photos of the front of her house, and that the camera on top of the Google Street View vehicle would see over the hedge in front of it. So the decision’s scope may be limited, and subsequently may not be evoked as frequently in property rights cases. The German lawsuit is certainly not the most bizarre one that Google Street View has produced: Last year, a Japanese woman sued Google and claimed that Street View had exposed her underwear drying on a clothesline, something which she then said caused her to lose her job. [Source]

EU – German Government Budgets 10 Million EUR to Set Up Data Protection Foundation

Federal DPA Issues Concept Paper: On February 8, 2011, the German Federal Commissioner for Data Protection and Freedom of Information issued a concept paper setting forth concrete suggestions for the creation of a Data Protection Foundation (the “Foundation”); among its tasks, the Foundation will test products and services for data protection compliance, educate citizens to help improve “self” data protection, conduct research activities, and establish a data protection seal. [Hunton & Willams LLP

EU – Czech Court Bans Telephone Data Retention

The Czech Republic’s Constitutional Court has overturned parts of a law that force telephone operators to retain data on telephone calls and Internet traffic. The court said the practice is unconstitutional. It says the provisions ordering data on all calls, faxes, text messages and e-mail exchanges to be retained for six months enabled a “massive” invasion into citizens’ rights and were not in line with the rule of law. Fifty-one lawmakers of Parliament appealed to the court to overturn the law, which was passed as part of anti-terrorism efforts. Germany’s Federal Constitution Court issued a similar ruling last year. The law stems from an European Union directive. [Source]

Facts & Stats 

US – OMB Report on Federal Agency FISMA Compliance

According to the Fiscal Year 2010 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002, cyber attacks against federal networks increased 40% in 2010. Agencies reported nearly 42,000 cyber incidents in 2010; in 2009, 30,000 incidents were reported. The report from the Office of Management and Budget (OMB) details agency compliance with Federal Information Security Management Act (FISMA) mandates. The report notes that agencies are beginning to deploy real-time scanners to monitor anomalies. The report says that 66% of IT assets at major federal agencies have automated surveillance tools. Most of the agencies are not using smart cards for system access, despite it being a requirement. As of October 1, 2011, agencies that have not installed electronic ID card readers on facilities and systems will have funds for other projects denied. [Source] [Report]

Filtering 

WW – Google Claims Chinese Government is Interfering with Gmail

Google says that Chinese authorities are interfering with its Gmail service. Gmail users are reporting difficulty using the webmail service in that country. Google says the interference appears to have been designed to make it look like the problems are in Google’s own systems, but the company has conducted thorough checks and found no problems on its side. [Source] [Source

WW – Facebook Traffic on AT&T Servers Detoured Through China

Internet traffic from AT&T servers bound for Facebook detoured through servers in China and South Korea, according to researcher Barrett Lyon. Lyon discovered the traffic’s path using traceroute. In his blog, Lyon calls the detour a routing mistake, and notes that the incident raises a number of questions, including whether the events constitute a privacy breach, whether Facebook should have notified users that their information was being sent over a network that might not be trustworthy, and whether Facebook should enable SSL by default on all accounts. [Source] [Source]

Finance 

US – FTC Issues Annual Report 2011 on the Fair Debt Collection Practices Act

Complaints to the FTC against debt collectors increased in 2010 – categories of complaints include harassing the alleged debtors (i.e. repeated calls, using obscene language, calling at inconvenient times, and threatening violence), failing to send the required consumer notice (consumers were not made aware of the requirement for any disputes of their debt to be made in writing), failing to identify themselves as a debt collector (creating a false or misleading impression for consumers), revealing the alleged debt to third parties (either repeatedly calling employers, relatives, etc. or illegally disclosing the debt to them), impermissible calls to a consumer’s place of employment (such calls cannot be made if the collector knows or has reason to know the employer prohibits such calls), and failing to verify disputed debts (ignoring written disputes of a debt or failing to send a written verification of the debt). In 2010, the largest civil monetary penalty was obtained against a debt collector for $2.8 million (for misrepresenting that the collector was a law firm, would bring civil action or criminal prosecution against consumers, and non-payment would result in garnishment of wages or seizure of property); in 2011, the Consumer Financial Protection Bureau will enforce the Fair Debt Collections Practices Act concurrently with the FTC, and will have the authority to prescribe rules and collect complaints. [Source

WW – Payments by Cell Phones: Swiping Is the Easy Part

The cellphone has been more than a cellphone for years, but soon it could take on an entirely new role – standing in for all of the credit and debit cards crammed into wallets. Instead of swiping a plastic card at the checkout counter, consumers would merely wave their phones. There’s just one hitch: While the technology is already being installed in millions of phones – and is used overseas – wide adoption of the so-called mobile wallets is being slowed by a major behind-the-scenes battle among corporate giants. Mobile phone carriers, banks, credit card issuers, payment networks and technology companies are all vying to control these wallets. But first, they need to sort out what role each will play and how each will get paid. The stakes are enormous because small, hidden fees that are generated every time consumers swipe their cards add up to tens of billions of dollars annually in the United States alone. “It all comes down to who gets paid and who makes money,” said Drew Sievers, chief executive of mFoundry, which makes mobile payment software for merchants and banks. “You have banks competing with carriers competing with Apple and Google, and it’s pretty much a goat rodeo until someone sorts it out.” Consumer advocates, meanwhile, said they were concerned that a mobile system would bring higher fees and questioned whether consumers even want a new system. “Is it possible to make a system that’s too easy to use, where you reduce so much friction from the transaction process that people aren’t necessarily aware of what they’re spending on something?” asked Jan Chipchase, executive creative director at the design firm Frog Design, who studies mobile payments. [The New York Times]

FOI 

CA – Ratepayers Win on Freedom of Information Request

Persistence has paid off for the Centre Hastings Ratepayers Association (CHRA). The CHRA made a freedom of information request more than a year ago with the Information and Privacy Commissioner of Ontario for the information contained in monthly spending vouchers of the Municipality of Centre Hastings. According to CHRA member Wendell White, “the association’s position was that monthly voucher information is public information” and some information on the voucher was being “blacked out” so it was unreadable. The privacy commissioner recently ruled in favour of the CHRA, ordering the municipality to “disclose to the appellant all of the responsive information contained in the voucher reports for the period from April 2009 to December 2010 by providing him with a copy by March 4, 2011” excluding any information pertaining to employee salaries or wages. As part of the ruling, CHRA will also be waived the $60 voucher fee because of its not-for-profit status. “It’s certainly recognition for the ratepayers, taxpayers — anybody,” White said of the decision. “It shows that you can’t just withhold information because you wish to.” [Source

US – DHS Document Review Process Blasted

The review process on releasing potentially sensitive government files from the Homeland Security Department to the public was onerous and overly political, a key official in the process had complained in a series of e-mails in late 2009. Chief Privacy Officer Mary Ellen Callahan, who was appointed by Homeland Security Secretary Janet Napolitano, said she wanted to change the process, according to uncensored e-mails newly obtained by the Associated Press. In the e-mails, she warned that the Homeland Security Department might be sued over delays the political reviews were causing, and she hinted that a reporter might find out about the process. The reviews are the subject of a congressional hearing later this week and an ongoing inquiry by the department’s inspector general. [Source]

Genetics 

UK – Police Hit Delete on DNA Profiles

DNA records will no longer be kept on innocent people questioned over routine crimes in England and Wales, the government has said. It will still keep samples of those questioned in connection with terrorist offences. The move is a major change in Government policy and will result in a massive reduction in the number of innocent people whose DNA is held by police. The move comes two years after the European Court of Human Rights (ECHR) called the policy for England and Wales an unfair interference with subjects’ rights to privacy. It forms part of the Government’s Freedoms Bill, a law that seeks to reform the way that records on individuals are kept and used, among other things. The Bill will reduce the number of people who will have to undergo criminal records checks; reform the law on investigations into individuals; reduce stop-and-search powers; and reduce the allowed period of pre-charge detention to 14 days. The Bill orders the destruction of DNA material in most cases where a person is not charged or convicted of a crime. For those whose samples were taken while detained under the Terrorism Act they must not be immediately destroyed, though. They can be kept for three years, or indefinitely in the case of people who have already committed a serious crime. Samples taken from people in the investigation of other serious offences and from people who have been previously convicted of serious offences can also be retained, some for three years and some indefinitely, the Bill said. The Bill also contains provisions reforming the use of technology for surveillance, including CCTV systems and automatic number plate recognition (ANPR) systems. The Government said that the Bill would rebalance the relationship between the state and individuals. [Source]

Health / Medical 

US – Army: To Reduce Suicides, Share Mental Health Info

Army officials say knowing more about soldiers’ mental health will help to prevent suicides, the rates of which doubled after 2004. But that thinking is troubling to some who say army access to mental health records may deter soldiers from seeking help if they feel their privacy is being violated. Though HIPAA protects health information, exceptions exist, such as when a patient might cause harm to himself or another. The army encourages doctors to report if a “high-risk” solider misses a counseling session, for example, and has begun to require a list of soldiers’ medical appointments. It’s unclear what other behavior might allow the sharing of private therapy information, said a HIPAA officer at Duquesne University. [Source]

Horror Stories 

US – Big Breach at NYC Hospitals

New York City Health & Hospitals Corp. is notifying 1.7 million patients, staff, employees of vendors and others who received services at two hospitals and two clinics during the past 20 years that some of their protected health information has been breached. Computer backup tapes were stolen from the truck of a contractor on Dec. 23, according to a HHC statement and letter of notification to affected patients. Types of protected information on the tapes included name, address, telephone number, Social Security number, medical records, insurance details, diagnosis and treatment information, and birth, admission and discharge dates. “The data in the stolen files is not readily accessible without highly specialized technical expertise and data-mining tools, and there is no evidence to indicate that the information has been accessed and misused,” according to the HHC statement. [Source] See also: [US: Health record privacy violation haunts VA workers] See also: [Nine-Year Sentence for Breaking Into Medical Center Computers

EU – Ireland Telecoms Firms Guilty of Data Breach

Leading telecommunications companies Vodafone, 02, Eircom and UPC have been prosecuted for spamming customers with unsolicited text messages and phone calls in breach of the Data Protection Acts. The four companies pleaded guilty to a list of charges related to making unsolicited sales calls and sending text messages for direct marketing purposes without the consent of the recipients. The cases were brought before the Dublin District Court by the Data Protection Commissioner on foot of complaints by consumers who were subjected to repeated cold calls and unwanted messages after they had expressly asked not to be contacted for marketing purposes. [Source

US – BP Employee Loses Laptop Containing Data on 13,000 Oil Spill Claimants

The personal information of 13,000 individuals who had filed compensation claims with BP after last year’s disastrous oil spill may have been potentially compromised after a laptop containing the data was lost by a BP employee. The information, which had been stored in an unencrypted fashion on the missing computer, included the names, Social Security numbers, addresses, phone numbers, and dates of birth of those who filed claims related to the Deepwater Horizon accident. A spokesman is quoted as saying that BP waited nearly a month to notify victims of the breach because it was doing “due diligence and investigating.” BP said the missing laptop is equipped with a security capability that allows security administrators to remotely disable the computer “under certain circumstances.” However the company offered no further details on what those circumstances might be or whether it has actually disabled the system so far. “Because this investigation and search for the missing laptop is ongoing, we are unable to provide additional detail that might jeopardize our investigation efforts,” the company said. BP has sent written notices to victims informing them about the potential compromise of their personal information and to offer them free credit monitoring services, the statement noted. The BP compromise is only the latest in a very long list of similar breaches involving the loss of unencrypted personal data stored on laptops, and mobile storage devices.[Source] [Source] See also: [Medical records found in Regina recycling bin] and also: [TripAdvisor says email list of members stolen

US – Restaurant Group to Pay $110,000 to Settle Allegations of Poor Security Practices

The Briar Group LLC, which runs a number of restaurants in the Boston area, has agreed to pay US $110,000 to settle allegations that it did not take adequate precautions to protect customers’ personal information and placed at risk of compromise information on tens of thousands of payment cards. The Briar Group was the target of a data security breach in April 2009; malware that had been surreptitiously placed on the company’s computer systems was not removed until December 2009. The Massachusetts attorney general filed a lawsuit as a result. According to the lawsuit, the Briar Group did not change default usernames and passwords on its point-of-sale computer system; did not have adequate security for its wireless network; and accepted credit card information from customers after learning of the breach. [Source] [Source

UK – University of York Launches Personal Data Leak Probe

Personal details of 17,000 York students and residents have been accidentally leaked online. Students’ addresses, phone numbers and even A-level results were published on the University of York website. Dates of birth, phone numbers and the phone numbers and addresses of emergency contacts were also made freely accessible. The university has apologised and has informed the Information Commissioner, which has the power to fine organisations up to £500,000. Gus Hosein, of campaign group Privacy International, said: “That’s the largest breach I have heard of in the UK. “There could be a significant fine now the Commissioner has fining powers. “It’s appalling. If the university cannot secure the information it should not be collecting it.” [Source]

Identity Issues 

US – U.S. Military Using Fake Online IDs in ‘Sock Puppet’ Operation

U.S. Central Command has launched its first online “sock puppet” operation to plant hundreds of fake identities across social-media sites in the Middle East. The $2.7 million contract for “commercially available software” from Ntrepid Corporation in California, awarded in August 2010, gives U.S. Central Command 50 user licences, with 10 fake identities per user, 50 static IP address management licences, and “virtual private servers,” the contract said. “These are for overseas acts,” U.S. Central Command Cmdr Bill Speaks told the Star on Friday. “They are not directed at domestic U.S. audiences and not in English.” The “sock puppets,” a term for fake online identities, will operate at the MacDill Air Force Base in Florida, where U.S. Central Command operates, and in Kabul, Afghanistan, and Baghdad, Iraq. The cyber double agents will use social media and other websites, but “not Facebook or Twitter,” said Speaks. “This is not for use on U.S.-based websites. They are American companies.” Each of the fake personas uses the Ntrepid software to create “cyber presences that are technically, culturally and geographically consistent,” each with their own background, history, supporting details and “real-time local information” to fool their new-found online friends. One person could be pulling the strings on 10 “sock puppets” at one time “from the same workstation and without fear of being discovered by sophisticated adversaries,” the contract said. Rotating the IP (Internet Protocol) addresses daily should help shield them from discovery. “This traffic blending provides excellent cover and powerful deniability,” the contract says. The software also creates an online history for them so that over time the picture is fleshed out. Speaks wouldn’t say where the sock puppetmasters will be, but he did say this is the first time U.S. Central Command has launched this kind of operation. [Source] See also: [Cloud Girlfriend: Start-Up Offers Fake Relationships for Facebookers

WW – RSA Deeply Penetrated; Says SecurID Information Stolen

An “extremely sophisticated cyber attack against RSA” may have compromised the security of RSA SecurID two-factor authentication products. In an attack preliminarily identified as an Advanced Persistent Threat, digital information relating to SecurID tokens was stolen from RSA systems. The company is contacting customers to let them know of the breach and to offer suggestions for “strengthen[ing] their SecurID implementations.” Forty million SecurID tokens have been deployed; they are often used to conduct financial transactions and at government agencies. [Source] [Source] [Source] [Source] [Source] [Source] [The letter to customers from RSA ] [SecurID Customers Advised to Prepare for Worst Case] [RSA BREACH: Data storage maker’s anti-hacking division hacked]

WW – Children the Target for ID Theft

Identity thieves are targeting children when picking victims, MSNBC reports. That’s according to a report published by Carnegie Mellon University fellow Richard Power, who examined 40,000 children’s profiles using data from identity monitoring company Debix. Power found that, of those profiles, 10 percent had identities that were “tainted in some way,” including 500 children with names attached to mortgages or foreclosures and 415 with driver’s licenses. The report is the first real attempt to quantify the problem of children’s identity theft, Power said. The child ID theft expert at the Federal Trade Commission said the results are “informative, giving us the best insight available into the potential scope and nature of the problem.” [Source] [Report: “Child Identity Theft: New Evidence Indicates Identity Thieves are Targeting Children for Unused Social Security Numbers“ ] 

WW – How Your Username May Betray You

By creating a distinctive username—and reusing it on multiple websites—you may be giving online marketers and scammers a simple way to track you. Four researchers from the French National Institute of Computer Science (INRIA) studied over 10 million usernames—collected from public Google profiles, eBay accounts, and several other sources. They found that about half of the usernames used on one site could be linked to another online profile, potentially allowing marketers and scammers to build a more complex picture the users. “These results show that some users can be profiled just from their usernames,” says Claude Castelluccia, research director of the security and privacy research group at INRIA, and one of the authors of a paper on the work. “More specifically, a profiler could use usernames to identify all the site [profiles] that belong to the same user, and then use all the information contained in these sites to profile the victim.” Those who have more unique usernames are more vulnerable. “The other 50% of users are more difficult to link because their usernames have ‘low’ entropy and could in fact be linked to multiple users,” says Daniele Perito, a doctoral candidate at INRIA, who was involved with the work. The INRIA researchers have created a tool that can check how unique a username is, and thus how easily an attacker could use it to build a profile of a person. [Source]

Intellectual Property 

WW – McAfee Study Says Thieves Targeting Corporate Data

According to a study from McAfee, cyber thieves are increasingly targeting intellectual property. Some attackers are specializing in stealing data from corporate computer systems. In particular, information thieves seem to be looking for trade secrets, research and development reports, marketing plans and source code. The report also noted that many companies are not taking adequate measures to protect information and are not going public with news of data security breaches. Of the companies that reported experiencing a data security breach, just half said they had taken steps to improve cyber security. [Source] [Source]

Internet / WWW 

WW – EU and US Working Together on Web Regulation

Intensive meetings in recent months between Internet regulators from Washington and Brussels point to the fact that both the US and Europe are narrowing the gap in their approach to regulating the Web. Till recently officials on both the sides differed in their policy towards privacy on the Web. While Europe wants strict measures to protect individuals, the policy of the US has been to hold companies responsible for matters concerning privacy. However, after officials from both sides met again in Brussels last week, the gap seems to be narrowing, according to Reuters. EU justice commissioner Viviane Reding said, “Until recently there was a common belief that our approaches on privacy differed so much that it would be difficult to work together. This can no longer be argued.” Regulators on both sides say they have moved closer to a common position following US President Barack Obama’s endorsement this month of a “privacy bill of rights.” [Source

US – NIST Issues Guidelines on Security and Privacy in Public Cloud Computing

Key security and privacy issues include – trust (e.g. lack of visibility into cloud providers’ security, difficulty assessing and managing risk in cloud services, and insider threats now include cloud provider staff), architecture (e.g. traffic over virtual networks may not be visible to security devices, cloud providers hold significant amounts of ancillary data), identity and access management (e.g. attacks can manipulate validation mechanisms), software isolation (virtual machines may be large and difficult to analyze and improve security), governance (individuals may bypass an organization’s normal process for acquiring computational resources), and compliance (lack of information about location makes it difficult to ascertain if legal requirements are met); recommendations include incorporating mechanisms into the contract that allow visibility into cloud provider security controls, understand the cloud provider’s underlying technologies, virtualization and software isolation techniques used, and the laws that potentially impact cloud computing initiatives, duplicate physical network protection capabilities on the virtual network, ensure adequate safeguards are in place to secure authentication, and cover cloud computing environments in policies, procedures and standards used for application development and service provisioning. Public cloud outsourcing activities include planning (specify security and privacy requirements, assess risks, and evaluate the cloud provider’s ability to meet security and privacy levels stipulated), initiating (establish contractual obligations and assess cloud provider performance) and concluding (reaffirm contractual obligations, eliminate physical and electronic access rights, and recover organizational resources and data). [NIST - Draft Special Publication 800-144

WW – Top 11 Privacy Trends for 2011 – Ernst & Young

Privacy trends include governance, risk and compliance (“GRC”) tools (organizations can benefit from using GRCs by continuously monitoring their privacy program and asking GRC vendors for updated modules to help monitor risk and compliance), privacy by design (ensures that privacy professionals play an integral part in the consideration of the business developments that may impact both employee and customer personal information), hiring privacy professionals (requiring specific certification for professionals in marketing, IT, internal audit, compliance and legal), cloud computing (organizations should manage third-party reporting capabilities, review what business processes and personal information are needed before a move can be made to a cloud, assess what levels of protection and control they require and clarify retention periods and the ability of other parties to access the data for market research or other secondary activities), social networking (recruiters should have policies about how to use social networks to mine for information on candidates and should communicate those intentions when candidates are interviewed and organizations should be transparent about expectations of employees’ behavior on social networking sites and any monitoring practices and should bring together compliance and HR groups to discuss policies regarding personal information on social media sites of employees and job candidates), and use of mobile devices (organizations may apply technical controls that provide visibility such as requiring a download of a load set before allowing a personal device to connect to the firm’s network and should communicate what information is being monitored, how it is being monitored and the consequences for not adhering to mobile device policies). [Source]

Law Enforcement 

US – Thousands of FBI Probes After 9/11 Stir Privacy Concerns

Within months after the Bush administration relaxed limits on domestic-intelligence gathering in late 2008, the FBI assessed thousands of people and groups in search of evidence that they might be criminals or terrorists, a newly disclosed Justice Department document shows. In a vast majority of those cases, FBI agents did not find suspicious information that could justify more intensive investigations. The New York Times obtained the data, which the FBI had tried to keep secret, after filing a lawsuit under the Freedom of Information Act. The document, which covers the four months from December 2008 to March 2009, says the FBI initiated 11,667 “assessments” of people and groups. Of those, 8,605 were completed. And based on the information developed in those low- level inquiries, agents opened 427 more intensive investigations, it says. The statistics shed new light on the FBI’s activities after the 2001 terrorist attacks, as the bureau’s focus has shifted from investigating crimes to trying to detect and disrupt potential criminal and terrorist activity. It is not clear, though, whether any charges resulted from the inquiries. Because the FBI provided no comparable figures for a period before the rules change, it is impossible to determine whether the numbers represent an increase in investigations. Still, privacy advocates contend that the large number of assessments that turned up no sign of wrongdoing show that the rules adopted by the Bush administration have created too low a threshold for starting an inquiry. Attorney General Eric Holder has left those rules in place. [The New York Times

CA – 85% of B.C. Adults in Police Database ‘Disturbing’

The B.C. Civil Liberties Association says it is disturbing that up to 85% of B.C. adults have their names in a police computer database designed to track criminals. The association has written a letter to B.C. Solicitor General Shirley Bond, asking her to investigate why the majority of B.C.’s law-abiding citizens are in the PRIME-BC database. Even more troubling, said Robert Holmes, president of BCCLA, is that no information is available as to how long the information is kept on file. The computer database is used by police to record contacts with citizens, including “negative police contact,” which can then be used to prevent people from getting jobs, BCCLA claims. “With more than eight out of every 10 B.C. adults in this database, we’re wondering if people know what the police are writing about them,” Holmes said in a statement. “These notes by police officers can prevent people from getting jobs, schooling and training, and it is difficult if not impossible to remove or alter incorrect information.” The RCMP’s policy for the retention and destruction of records is online here. A spokesperson for the office of the Solicitor General has since issued this statement: ““It is wrong to suggest that 85 per cent of British Columbians names are entered into PRIME. In fact, many are multiple calls involving the same people. Names are retained for a minimum of two years, and privacy is maintained through federal and provincial privacy legislation. This is the same privacy standard maintained by other police forces across the country. PRIME is an important tool that is helping us to make big strides in maintaining the safety of communities throughout the province.” [Source] UPDATE: [BC Privacy czar to probe use of police database] See also: [Goldman Sachs Programmer Sentenced to 8 Years in Prison for Code Theft]

Location 

WW – Location Privacy and Wireless Body Area Networks

One of the factors that is rapidly changing the nature of healthcare is the increasing availability of wireless sensors that can monitor blood pressure, body temperature, blood oxygen levels and so on. These devices transmit their readings back to a hub, such as a smart phone, which then sends the data to a health care monitoring service. The benefits of this approach are many. One example is the “virtual ward” in which patients are monitored at home and visited by mobile medical teams when the data shows that it is necessary. That’s generally better for the patients and cheaper for the community that has to pay for it. One crucial requirement of such a system is privacy since these so-called wireless body area networks will be broadcasting highly personal information. It’s relatively straightforward to protect this data thanks to the many kinds of data encryption algorithms that are available. But Mohammed Mana at the University of Tlemcen in Algeria and a couple of buddies point out that data privacy is not the only issue at stake. They argue that another important issue is location privacy. They say that even though the data within a wireless body area network is encrypted, it’s still possible to track the location of the individuals simply by tracking the unique hardware addresses associated with the gadgets themselves, which are not encrypted. Such an attacker doesn’t even have to be particularly nearby. He or she could pick up the signals from a wireless body area network from a distance using ultra sensitive antennas, for example. Mana and co have a solution, however. Their idea is to make the monitoring devices within a body area network use pseudonyms which constantly change in a way that is hidden from external view. So although an eavesdropper may be able to pick up a temporary hardware address, that would quickly change preventing anybody following it. Mana and co say their new protocol is light weight and energy efficient, both important factors for networks that are likely to run on limited battery power. [Source] SEE ALSO: [Thailand: Patient data need protection

UK – Home WiFi Users Lack Understanding of Security

According to a survey from the UK Information Commissioner’s Office (ICO), nearly half of home computer users who have WiFi networks do not understand WiFi security settings. Most Internet service providers (ISPs) now set up and install customers’ WiFi security settings, but 40 percent of WiFi users do not understand those settings and 16 percent are either using an unsecured network or do not know if their network is secured. ICO head of policy Steve Wood pointed to Google’s Street View data collection vehicles gathering information from unprotected networks as evidence that users need to be aware of their network settings. [Source] [Source] [UK’s Information Commissioner’s Office guidelines for home users on how to secure their wireless networks

WW – Facebook ‘Places’ App Puts Soldiers at Risk by Telling Enemy Where They Are

Army chiefs have warned soldiers that a Facebook application that discloses their location could pose a security risk from terrorists. Troops have been urged to switch off the Facebook ‘Places I Checked Into’ application, which uses global-positioning satellites to pinpoint where they use a hand-held device. The Facebook Privacy Settings pamphlet, issued to units worldwide, warns the application ‘may inadvertently compromise the locality of a military user’. It continues: ‘Of significant note, users on operations in Northern Ireland are potentially putting themselves at risk by drawing attention to their exact whereabouts.’ The booklet, issued by the Army’s 643 Signal Troop, adds: ‘Personnel are generally unaware of the vulnerabilities associated with openly providing a vast amount of personal information on the internet.’ It follows growing concern in military circles about terrorists using the internet to monitor troops. An MoD spokesman said: ‘It is our duty to ensure that our personnel, who are a very unique user group…understand how to use social networks and channels safely and responsibly.’ [Source

WW – Color App: A New Frontier in Social Networking Privacy

Color, a new app, has launched with the goal of re-inventing the idea of social networking for the smartphone era. Now the question is whether users are ready for its notion of privacy. Color tells users that they shouldn’t expect any of the photos, videos or other information that they share through the app to be private. However, it does use a basic social standard to determine who gets to take a look at your stuff — people you’re physically near. Whenever the app is turned on, Color captures a lot of data about the world around the phone, including GPS location, information from the gyroscope, and even ambient light levels. It uses that data to figure out where the user is — and whether there are other Color users nearby. If there are other Color users nearby, the service automatically puts all of them in the same social network, instantly sharing each others’ photos, videos and messages from inside the app. When somebody else looks at one of your photos, you get a notice about it. (There is no lurking.) The Color app also keeps tracks of the people who users are around the most often, like family, co-workers and best friends. Those people get automatically added to what Color calls an “elastic network,” whose photos, video and other information you get regular updates about, even when you’re not around them. If you stop spending so much time around a member of your elastic network, that person’s photo starts to turn grey and eventually disappears (in a reference to the film “Back to the Future.”) There are no privacy settings to adjust, though you do have the ability to block a specific user from seeing what you share through Color. Each Color account is associated with a smartphone’s device ID, not a full name or other personally identifiable information. Users set up an account by entering a screen name and taking a photo, presumably of their face, to identify them to other users. [The Wall Street Journal

WW – Social Network Turns User “Likes” Into Ads

Facebook’s “sponsored stories” ad plan, which has raised concerns among privacy advocates, is now being rolled out across the social network. For those who don’t like the plan, Forbes reporter Dan Tynan suggests in his report, “don’t ‘Like’ it—or anything else. Because once you do…There is no opting out. Facebook can use your name and profile image alongside any product you endorse, per its privacy policy.” A forthcoming plan to allow third-party advertisers to put users’ images and names in a similar way will have an opt-out, the report states. [Source] [Source] See also [Wall Street Journal: Privacy Lost: Customized Ads Come to Television]

Offshore 

SK – Proposed Law in South Korea Would Mandate Security Software on PCs

Proposed legislation in South Korea would require users to have security software on their PCs. The Korea Communications Commission (KCC) would have the authority to decide which security products are acceptable and which are not, which means the security solution providers would be wooing the government rather than users. The KCC would also have the authority to “examine the details of the business, records, documents and others’ of those believed to be out of compliance with the security software mandate. Dancho Danchev, the article’s author, points out that security software “only mitigates a certain percentage of the risk … [and that] multiple independent reports and tests show that despite users running antivirus software, they still get infected with malware.” [Source

IN – Group Calls for National Body to Oversee Privacy

The Associated Chambers of Commerce and Industry of India (ASSOCHAM) is calling for a national body to oversee cybersecurity and data protection concerns. ASSOCHAM also wants a “detailed regulatory, legal and policy-enabling regime to facilitate further protection and preservation of cybersecurity,” the report states. The calls came from the ASSOCHAM event “Safeguarding the Digital Economy.” The group’s cyberlaw committee chairman, Pawan Duggal, said, “Both the requirements of national sovereign governments as those of balancing the needs of data protection and privacy have to be appropriately addressed.” [India Infoline News Service]

Online Privacy 

WW – Yahoo’s Offers Cookie Opt-out Button Ahead of New EU Law

Yahoo! Has introudced a feature that allows users to opt out of cookies. The icon was unveiled last Friday ahead of a new law that will come into force in the EU on May 25 known as the “Cookie Directive,” which will require online companies to obtain explicit consent to track users’ Web movements via cookies. Yahoo’s mechanism involves an “Ad Choices” icon that users can click to find out what information has been collected about them and modify their preferences on targeted ads. “Businesses like ours depend on the trust of our users,” said Justin Weiss, Yahoo’s director of international privacy and policy. [Source] See also [Advocates: Device Fingerprinting Easier to Track Than Cookies] and [Chrome Will Warn Users of Suspicious Downloads] and [CDT: What Does “Do Not Track” Mean: a Scoping Proposal - Center for Democracy and Technology

WW – Microsoft Adds Do-Not-Track Tool to Browser

Microsoft will be including 2 new features in Internet Explorer 9 – a do-not-track tool to help people keep their online habits from being monitored, and “tracking protection lists”, which will let users prevent specific Web-tracking companies from snooping on their browsing habits. It is uncertain how effective these privacy protection tools will be – the system will only work if tracking companies agree to respect visitors’ requests, no companies have publicly agreed to participate, and the Interactive Advertising Bureau says its members do not know how to respond to a do-not-track request (a header) because there is no context for headers or common definitions, and there is no standard operating procedure in place for entities to detect or react to headers. [The Wall Street Journal

WW – Mozilla Releases Firefox 4

Mozilla has released Firefox 4; the updated browser includes a number of new security features. Content Security Policy (CSP), which is enabled by default, helps stop cross-site scripting (XSS), data injection and other web-based attacks. CSP allows sites to let the browser know what information is legitimate. Firefox 4 also lets users automatically connect to websites through secure connections with the HTTP Strict-Transport Security (HSTS) feature. Firefox 4 also allows users to opt out of behavioral tracking. [Internet Storm Center] [Source

US – Man Charged with Polygamy After Posting Second Wedding Photo Online

You’ll never believe who turned him in: his first wife – because the two were still married. Here’s a tip we never thought we’d have to share: If you’re already married, don’t post pictures of your new wife on Facebook. An already-married Grand Rapids, Mich. man had what NewsFeed can only assume was a joyous wedding ceremony last July. But it turns out Richard Barton, Jr. already had a wife, whom he married in 2004. When photos of Barton and his new Michigan wife turned up on Facebook, his old (but still current) wife, living in Rhode Island, took issue with Barton. She alerted authorities, who arrested Barton for polygamy. [Source] See also: [How Young is Too Young for Kids to Start Social Networking?]

Other Jurisdictions 

AU – Content Providers Slammed for “Hostile” Privacy Policies

Long-time privacy advocate Dr Roger Clarke has called for tough new laws to rein in “hostile” terms and conditions used by international internet content giants like Facebook and Google. Speaking before the Joint Select Committee on Cybersafety, Clarke branded the business models of the internet and social media companies “consumer-hostile” and exploitative of “people and their data”. Clarke – who runs the Xamax business consultancy and chairs the Australian Privacy Foundation – appeared before the committee in a private capacity. He called on content service providers to “clarify” terms and conditions of use, including how much personal data could be used by a provider “for their own purposes”. Clarke also said that information on privacy settings – and the extent of user control over them – should be concisely tabled and clearly visible to consumers. Clarke called for “baselines” for privacy and disclosure to be established, backed by enforcement tools like “regulatory action” and “quick and efficient access to judicial warrants”, which could be used to force oversight. [Source

AU – Pilots Sue Over ‘Invasive’ Airport Screening Procedures

Two US commercial airline pilots complained in a lawsuit that new screening procedures for flight crews – scaled back after complaints by pilots – were still too invasive and violated privacy rights. The US Transportation Security Administration on October 19 started requiring air travelers and flight crews to go through full-body scanners or physical patdowns amid concerns that militants could hide a bomb underneath their clothing and detonate it aboard a plane. Pilots and flight crews complained the new screening exposed them to excessive radiation because they fly so frequently and that extra scrutiny for them was unnecessary because they already control the planes. [Source] [Australia to Get Stick Figure Airport Body Scanners This Year

AU – Digital Privacy a Concern, Says Federal Information Commissioner John Mcmillan

The expanding volume of sensitive personal information held in government and business databases is driving public concern about privacy protection, federal Information Commissioner John McMillan has warned. “People are concerned at how much is recorded about them in relation to their financial and taxation affairs, their family and medical history, employment records and transactions with agencies,” Professor McMillan told the Australian Government Solicitors Information Law conference in Canberra. “They are worried about the inconvenience and damage that may result if information is incorrect or out of date, and the danger their personal information will be misused, wrongly disclosed, merged inappropriately with other personal data, or revived at a time when it would be better buried or destroyed.” Data protection and management of personal information were now a high priority for organisations, with privacy breaches damaging to individuals and costly for government and industry. “Breaches can arise from simple programming and clerical mistakes,” Professor McMillan said, revealing the privacy commissioner received 60 notifications of data breaches in the past year. Professor McMillan said the Gillard government had announced its intention to strengthen the powers of the Privacy Commissioner to make enforceable determinations and seek civil court penalties for serious or repeated offences. “The prospect of (financial) penalties for privacy breaches will provide an added incentive for organisations to take their responsibilities seriously,” he said. [Source]

Privacy (US) 

US – Google Settles With FTC Over Buzz Privacy Charges

On Wednesday, March 30, Google settled deceptive privacy practice charges from the Federal Trade Commission regarding its social networking tool, Buzz. The terms of the settlement call for Google to launch a privacy program and undergo regular third-party audits for 20 years. The settlement does not impose a fine, but Google could face fines if it violates the terms of the settlement. The settlement is the first in which the FTC has ordered a company to implement a comprehensive security policy. On the same day, Google launched a new social networking tool called +1; it allows users to annotate search results to recommend pages to friends. [Source] [Source] [Source] [Source

US – Privacy Advocates, FTC, Google React to Proposed Buzz Settlement

Amid announcements by the FTC and Google that the two have reached a settlement agreement on privacy issues raised over last year’s introduction of the Google Buzz social network, FTC officials, privacy experts and advocates alike have been weighing in on the implications of the proposed settlement. Under the proposed settlement, Google has agreed to provisions including the implementation of a comprehensive privacy program to include independent privacy audits for the next 20 years. In its announcement, the FTC specifies, “The proposed settlement bars Google from misrepresenting the privacy or confidentiality of individuals’ information or misrepresenting compliance with the U.S.-EU Safe Harbor or other privacy, security or compliance programs. The settlement requires the company to obtain users’ consent before sharing their information with third parties…” FTC Commissioner J. Thomas Rosch issued a separate statement on the proposed agreement, stressing that he has approved of accepting the consent decree for public comment purposes but has concerns that such an opt-in requirement in the agreement “might sometimes be contrary to the public interest.” Public comments on the consent agreement are being accepted through May 2. [Source] See also: [US: Tech firms hiring White House staffers

US – EPIC Files Objection to Lawsuit Settlement

The Electronic Privacy Information Center (EPIC) has objected to a class-action settlement reached between Google and Gmail users. EPIC filed its opposition in court this week, saying that the part of the settlement that doles out $6 million to Internet privacy interests is flawed because the funds were given to groups that “receive support from Google for lobbying, consulting or similar services.” EPIC had requested but was not granted a share of that sum. The filing states that the court should reject a deal “that encourages organizations to stand by quietly while others do the actual work of safeguarding Internet privacy.” [Reuters

US – U.S. Court of Appeals Affirms Cell Phones are Computers

The Court of Appeal affirmed a district court’s decision that an ordinary cellular phone (used only to place calls and send text messages) was a computer; the district court found that “computer” has the meaning given in U.S. vs Kramer, 18 U.S.C. § 1030(e)(1), that is, an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device. [Decision

US – Privacy Lawsuits Rain Down on Netflix

In the wake of the most recent suit alleging a privacy violation by the world’s foremost video-rental provider, Netflix “has been accused of violating U.S. privacy laws in five separate lawsuits filed during the past two months,” with each case alleging the company “hangs onto customer information, such as credit card numbers and rental histories, long after subscribers cancel their membership.” The lawsuits allege the company has violated the Video Privacy Protection Act. The most recent suit was filed last week by a Michigan resident. Each of the plaintiffs has filed suit in U.S. District Court, and the complaints are seeking class-action status. [Source

WW – UDID: The Next Privacy Frontier?

Companies that make their money in the mobile computing space – application developers, device manufacturers, software adaptors – have a new worry. Many functions and applications used on iPhone devices currently rely on reporting that includes the UDID unique device identifier. Two new lawsuits against Apple for its use of UDID information may change the way that mobile functions and applications are built, managed and paid for. The UDID for the iPhone is a 40 character identifier that is set by Apple and stays with the specific defined device forever. Its function is to uniquely identify any one iPhone, allowing the UDID to be connected with the name and behaviors of that iPhone’s user. The Wall Street Journal may have started the snowball of lawsuits rolling in its ongoing series of articles about how the computer industry tracks people using the internet. The Journal’s investigation examined 101 popular smartphone applications (“Apps”) and found that 56 of them sent the UDID for their smart phones to other companies without the user’s awareness or consent. Five of the Apps transmitted personal details of the user like age and gender. Because each UDID is specific to each iPhone, it cannot be shut down or suppressed by users in the way that cookies may be deleted on laptop or desktop computers. The suits against Apple complain that releasing this information without the user’s consent or knowledge violates a number of U.S. federal and state laws including the Electronic Communications Privacy Act. [Source] See also: [The changing meaning of “personal data” ] SEE ALSO: [OPC Canada - Fact Sheet - Privacy on the Go: Workplace Tips for Protecting Personal Information on Mobile Devices

US – PG&E Unveils ‘Opt-out’ Plan for its Controversial SmartMeter Program

After months of controversy, PG&E has unveiled an opt-out plan for its SmartMeter program that further enraged its critics, who said its high fees would punish the customers it was designed to help. Barely meeting a deadline set by the California Public Utilities Commission, PG&E released a plan that would give customers the option of having the wireless portion of the device turned off but force them to pay hundreds of dollars for the privilege. [Source]

US – Hearing Date Set for WikiLeaks Twitter Data Demand Appeals

Three people associated with WikiLeaks are appealing a ruling that grants federal prosecutors access to records of their Twitter use. The legal team for the three maintains that the ruling violates a federal statute and the US Constitution’s First Amendment rights to free speech and association. The filing seeks to overturn the earlier ruling. The US Justice Department is seeking the Twitter records as part of a grand jury investigation into WikiLeaks and its disclosure of classified UG government information. A hearing is set for April 22. [Source] [Source] [Source]

RFID 

EU – EU Issues Opinion on the Revised Industry Proposal for an RFID PIA

The Working Party endorses a revised industry-proposed data protection impact assessment framework (“framework”) for RFID applications, following changes that will require a privacy impact assessment (“PIA”) when tags may be used outside the operational perimeter of an RFID application or are carried by persons (this addresses a concern that third parties may misuse RFID tags for tracking and profiling purposes); the framework takes effect August 11, 2011 (6 months after the date of this opinion). The framework contains two phases – categorizing RFID applications into 4 levels, with a full scale PIA required for the top levels (RFID tags are carried by individuals and applications further process personal data) and a risk assessment (identifying the risks to personal data, identifying controls to respond to the risks, and resolving the conditions of implementation for the application); personal data in an RFID application includes a unique ID contained in a tag, if the tag is destined to be carried by a person. [Article 29 WP Working Paper 180]

Security 

WW – Companies Lose Business Following Data Breaches: Study

A study conducted by the Ponemon Institute on behalf of Symantec, 37% of data loss cases reported in the UK in 2010 involved system failures; that figure is 7% higher than it was in 2009. The study also found that the average cost of data breaches for large UK companies in 2010 was GBP 1.9 million (US $3.1 million), an increase of 13% from 2009. The report also found that companies that suffer computer breaches experience significant financial repercussions in lost business. [Source] [Source] [Source

WW – Most Companies Keeping Mum on Data Breaches

For corporations, the threat of data breach is more dangerous than ever—but, according to a new study, most companies still do not take the measures needed to keep their information secure, nor are they always up front with their customers about security breaches. A recent study by McAfee outlined the difficulties companies face while securing information. Their study, “Underground Economies: Intellectual Capital and Sensitive Corporate Data Now the Latest Cybercrime Currency” surveyed over 1,000 senior IT professionals in the U.S., U.K., Japan, China, India, Brazil and the Middle East. Despite the danger of losing corporate intellectual capital or customer information to cybercriminals, it appears that companies have not always been vigilant about trying to improve security, even following successful attacks. Of all the organizations that had experienced a data breach, only half undertook actions to fix and protect their systems from later break-ins. A quarter of companies assess the risks to their data twice a year, or less. But not many companies actually report suffering data breaches. Three in ten firms report all data breaches, with the majority, or six in ten companies, “picking and choosing” what breaches they share. Recently, Mozilla expressed its regret over failing to disclose a breach involving stolen SSL certificates for sites including GMail, Skype, Yahoo Mail and more. The attack was suspected to involve the work of the Iranian government. McAfee notes the report “also shows that organizations may seek out countries with more lenient disclosure laws, with eight in ten organizations that store sensitive information abroad influenced by privacy laws requiring notification of data breaches to customers.” And the biggest hassle may be yet to come, as the rise of devices like tablets and smartphones presents an as yet unsolved challenge for locking down information securely. [The Huffington Post] See also: [NSA to Join Nasdaq Hack Investigation] and [Australian Government Computers Attacked] and [European Parliament Network Attacked] and [NASA IG Finds Vulnerabilities in Agency Systems

WW – SecurID Customers Advised to Prepare for Worst Case

How serious is the security threat posed by the theft of inside information about SecurID, the two-factor authentication system sold by EMC division RSA? “It is important enough that it required an official note to the stock markets.” But, despite the apparent severity of the breach, RSA’s failure to detail what was stolen is generating an immense amount of customer frustration, because they don’t know if their SecurID hardware fobs are still secure, or if they might provide attackers with a conduit through enterprise defenses. Until RSA coughs up more information, security experts advocate conducting a thorough and immediate SecurID risk assessment. “Our recommendation for customers which have RSA SecurID cards implemented is to first carefully analyze the situation and their specific risks — [for example] which type of information is at risk if the RSA SecurID-based authentication is not only at risk — like now — but an attack actually takes place?” Next, identify specific technologies and remediation activities for securing at-risk data or accounts. “These actions might range from increased threat analysis and forensics to adding other authentication technologies.” RSA had 40 million SecurID hardware token customers by 2009, as well as 250 million users of SecurID software. [Source

US – NIST Issues Guidelines on Managing Information Security Risk

Organization, Mission, and Information System View, March, 2011, by the Joint Task Force Transformation Initiative, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology: NIST Special Publication 800-39 

WW – No Keystroke Loggers on Samsung Laptops

Concerns about Samsung laptops shipping with pre-installed keystroke loggers have proven to be groundless. An anti-virus program called VIPRE misidentified a folder created by Microsoft Live Application Suite as a known keystroke logging software. An executive with the company that that makes VIPRE has apologized for the incident. [Source] [Source] [Source] [Source

US – Captured Images of Your Physical Keys Can Be Used to Make Copies

Computer scientists at the University of California: San Diego, Jacobs School of Engineering, have presented proof-of-concept for capturing images of physical keys from a substantial distance and using those images to make working copies of the keys. “We built our key duplication software system to show people that their keys are not inherently secret,” said Stefan Savage, the computer science professor from UC San Diego’s Jacobs School of Engineering who led the student-run project. “Perhaps this was once a reasonable assumption, but advances in digital imaging and optics have made it easy to duplicate someone’s keys from a distance without them even noticing.” Professor Savage notes, however, that the idea that one’s keys are sensitive visual information is not widely appreciated in the general public. “If you go onto a photo-sharing site such as Flickr, you will find many photos of people’s keys that can be used to easily make duplicates. While people generally blur out the numbers on their credit cards and driver’s licenses before putting those photos on-line, they don’t realize that they should take the same precautions with their keys.” [Source]

Smart Cards 

US – Obama Administration Proposes Online Privacy Bill of Rights

The outcry over internet firms’ habit of surreptitiously tracking web surfers’ activities has clearly resonated inside the White House. On March 16th the Obama administration announced that it intends to work with Congress to produce “a privacy bill of rights” giving American consumers greater control over how their information is collected and used by digital marketers. Those who have been lobbying for change agree with, but are unsympathetic to, internet firms’ worries that such a law could dent their advertising-driven business models, which rely on tracking and targeting consumers to maximise revenues. “This is dimming the prospects of Google, Facebook and other digital ad companies,” says Jeffrey Chester of the Centre for Digital Democracy. Quite how dark things get for them will depend on the details of the bill. It will seek to lay down the basic principles of internet privacy rights, broadly following recommendations published last December by the Department of Commerce. The department’s report said consumers should be told more about why data are being collected about them and how they are used; and it called for stricter limits on what companies can do with information they collect. Whatever legislation finally emerges is likely to give a broader role to the FTC, which will almost certainly be charged with deciding how those principles are translated into practice and with policing their implementation. Among other things, the FTC is known to be keen on a formal “do not track” system, which would allow users to block certain sites from monitoring their online activities. [Economist] [Analysts Weigh In on Privacy Bill of Rights]

Surveillance 

US – The Right to Sue Over Wiretapping

Federal authorities have always made it difficult to bring a legal challenge against the government’s warrantless wiretapping enterprise that was set up by the Bush administration in the years after the Sept. 11, 2001, attacks. Because the wiretaps were secret, no one could know for certain if they were being tapped, so the government urged judges to throw out lawsuits for lack of proof of real harm. That strategy was halted last week when a federal appeals court said that civil liberties and journalism groups challenging an eavesdropping law could pursue a suit trying to get the government’s wiretapping declared illegal. In an important ruling, the United States Court of Appeals for the Second Circuit reinstated a lawsuit that a federal district judge had thrown out in 2009. The new decision might lead to a significant – and far too long delayed – legal review of the statute. The law in question, passed in 2008, amended the Foreign Intelligence Surveillance Act. It essentially legalized retroactively President George W. Bush’s outlaw program of wiretapping certain terror suspects without a warrant. It also immunized telephone companies that cooperated in the program. And it permitted the government to listen to the international phone calls of Americans who are not engaged in criminal activity, and to read their e-mail messages. At great cost to the privacy of innocent people, it reduced the longstanding protections of judicial supervision over these powers. The law was challenged by human rights, labor and news media organizations, led by the ACLU. They argued that their communications with clients and interview subjects outside the country would almost certainly be monitored under the law, in part because their jobs required conversations with activists and others whose work would be of interest to the government. Some are lawyers representing accused terror suspects in the United States and often need to communicate with the suspects’ family members or acquaintances outside of the country. The government argued that the plaintiffs had to prove that they were monitored or harmed, but the Second Circuit didn’t buy that defense. The plaintiffs had every reason to believe that they were being monitored, the court said, and some even spent considerable sums to go abroad for meetings to avoid the eavesdropping. The final outcome of this legal challenge is far from certain; the government, if it follows its pattern, is likely to cite another familiar defense that a full trial would reveal state secrets. But just by allowing this lawsuit to proceed, the Second Circuit has sent an important message: The government cannot count on simplistic legal arguments to avoid scrutiny of its program to spy on civilians. When one challenge is allowed, others will follow. [The New York Times]

Telecom / TV 

EU – ENISA Report: Top Ten Smartphone Risks

The risks that present the highest level of information security risk for smartphones include data leakage resulting from device loss or theft (encryption is recommended, but weaknesses exist in the implementation of encryption in smartphones), attacks on decommissioned smartphones (if decommissioned improperly, attackers can gain access to data on the device), and unintentional data disclosure (the user is unaware that an app collects and publishes personal data trace users). [Report] Other recent ENISA Publications: ENISA – App Kill-Switch – The Last Line of Defence | Privacy, Accountability and Trust – Challenges and Opportunities (Feb 2011) | Bittersweet cookies. Some security and privacy considerations (Feb 2011) | Survey of accountability, trust, consent, tracking, security and privacy mechanisms in online environments (Jan 2011) 

US – Mobile Phone Users Lax on Security: Survey

A survey conducted by the Ponemon Institute on behalf of ACVG says that mobile phone users in the US are lax on mobile phone security. Nearly 84% of those surveyed use the same phone for both business and personal matters. Many people also make purchases over their mobile phones. Few consumers use phone-locking passwords and many use the same password for multiple apps. [Source

UK – UK Users Not Wiping Mobile Devices Before Selling Them

An investigation commissioned by data protection company CPP Group found that many people in the UK who sell their old smartphones and SIM cards are failing to wipe the devices of sensitive personal data. More than half of the devices examined for the study were found to contain credit card PINs, bank account information, and login information for social networking sites. The information was gathered from 35 used phones and 50 used SIM cards. Users selling old phones should perform a factory reset. Unless old SIM cards are being transferred to another of the owner’s devices, they should be destroyed. [Source] [Source] [Source] [Source]

UK – Teachers’ Union Says No to Bill Allowing Searches of Student Mobiles

The UK teachers’ union, NASUWT, calls government plans to allow teachers to search and even delete content on student mobile phones “reckless”, according to the BBC. The education bill introduces the following measures in order to help combat cyber-bullying: (6E) The person [eg, a teacher] who seized the item [eg, ‘an electronic device’ belonging to a pupil] may examine any data or files on the device, if the person thinks there is a good reason to do so. (6F) Following an examination under subsection (6E), if the person has decided to return the item to its owner, retain it or dispose of it, the person may erase any data or files from the device if the person thinks there is a good reason to do so. Teachers claim that putting these measures into action will cause friction between teachers, pupils and parents. [Source

EU – Irish Parliament Passes Communications (Retention of Data) Act 2011

Ireland has passed a law that would transpose the Data Retention Directive requirements for service providers to retain for two years, fixed network telephone and mobile telephone data (e.g. calling telephone number, name and address of subscriber, number dialled, date and time of call, location of mobile callers and equipment identifiers such as IMEI number), and for one year, internet access, e-mail and internet telephony data (e.g. user ID, name and address of user, user ID of communication recipient, date, time and duration of communication, calling telephone number for dial-up access and DSL or end point of the originator of the communication); service providers are persons who provide a publicly available electronic communications service or public communications network. Service providers must provide the retained data to law enforcement for preventing, detecting and investigating serious offences (e.g. punishable by 5 years imprisonment, false reporting of child abuse, poisoning, and making false statements in a proceeding), for safeguarding the security of the State and to save a human life; service providers must also take appropriate security measures and destroy the data one month after their retention period has passed (unless they have been accessed under a disclosure request). [Source]

US Government Programs 

US – Panel Urges TSA to Implement ‘Trusted Travelers’ Program

Treating every airport passenger as a potential terrorist slows the security system, is needlessly frustrating and deters some people from flying, according to a report that recommends ways to ease bottlenecks at security checkpoints. The report, commissioned by the U.S. Travel Association, calls on airlines to allow passengers to check one bag free of charge and urges the creation of a voluntary “trusted traveler” program that partially resembles a mandatory one previously proposed by President George W. Bush – and shot down by Congress. The federal government would not need congressional approval to mandate that airlines allow one checked bag free. But it is doubtful that the TSA could implement a trusted-traveler initiative without congressional approval. Adding impetus to the report is the heavyweight panel behind it, headed by Tom Ridge, former secretary of homeland security, and former congressman Jim Turner (D-Tex.), who was on the House Homeland Security Committee. Travel industry analysts think the long-awaited report will continue the debate over screening procedures and add another element to it: Even a voluntary trusted-traveler approach would require passengers to provide credit information, tax returns and other personal data to verify that members pose little or no risk. In return, they would be allowed to zip through security. The proposal of a trusted-traveler program takes the debate through a thicket, pitting the right to privacy against the goal of secure flight. Congress rejected a Bush administration plan known as CAPPS II that would have tapped into credit information to verify passenger credentials. “The key difference is that the program we’re recommending is totally voluntary,” said Geoff Freeman, executive vice president of the U.S. Travel Association, which commissioned the study a year ago. The report recommends a voluntary trusted-traveler program in which passengers would supply fingerprints and other personal information in return for an identification card that would allow them to bypass security lines. Members would enter a kiosk where either fingerprint or iris scanning technology would be used to confirm their identity. Both the passenger and carry-on bags would pass through an explosives-detection device, but there would be no requirement to remove shoes, coats or hats. [Source

US – United States Government to Allow E-Verify “Self Check”

Starting on March 21, 2011, the U.S. Citizenship & Immigration Services (USCIS) will allow an individual to use E-Verify to check on his or her work authorization status and correct errors in the federal databases used by E-Verify. E-Verify is an Internet-based employment verification system run by the USCIS, part of the Department of Homeland Security (DHS). Until now, only employers were allowed to use the system to verify the work authorization of newly-hired employees. Any individual over the age of 16 will be able to use E-Verify Self Check by first providing information to authenticate the person’s identity and then submitting work authorization information normally provided in completing Form I-9 employment authorization forms. A message of “work authorization confirmed” will be displayed if the information provided by the individual matches the information contained in the DHS, Social Security Administration (SSA), and Department of State databases used by E-Verify. If there is a mismatch in the information, the Self Check will provide a message such as “Possible mismatch with SSA” or “Possible mismatch with Immigration Information.” The Self Check will also provide instructions on how to request corrections of errors in database records. Employers may not use Self Check as a pre-screening tool for possible new hires. For example, an employer may not require a job applicant to present Self Check certification as a condition of application for employment. As before, employers can only use E-Verify to confirm employment authorization of workers once they are hired. This use of E-Verify is limited to employers enrolled in the program. Self Check will initially be available only in Arizona, Colorado, Idaho, Mississippi and Virginia. The USCIS plans to expand Self Check to other states over time and eventually make it available throughout the United States. The service is free. A preview of the program is available at the USCIS website. [Mondaq News]

US Legislation 

US – Obama Administration Calls for New Privacy Law

The Obama Administration is backing a new data privacy bill of rights aimed at protecting consumers against indiscriminate online tracking and data collection by advertisers. In testimony prepared for the Senate Committee on Commerce Science and Transportation, the Commerce Department’s assistant secretary, Lawrence Strickling, said that the White House wants Congress to enact legislation offering “baseline consumer data privacy protections.” Such a bill is needed to protect personal data in situations not covered under current law, Strickling said, adding that any legislation should be based on a set of fair information practice principles and give the U.S. Federal Trade Commission enforcement authority. He also called for incentives to encourage the development of codes of conduct on privacy matters. Strickling said the administration’s call for new online privacy protections stems from recommendations made by the Commerce Department in a paper released in December. Many of those in the industry who weighed in on the idea at the time backed the creation of a new online consumer privacy law, he said. The document was based on a comprehensive review of existing privacy protections and of ongoing data collection, consumer tracking and profiling practices online. The administration’s support for privacy protections is very significant, said Joel Reidenberg, a professor at Fordham Law School who specializes in privacy issues. “This is the first time since 1974 that the U.S. government has supported mandatory general privacy rules,” Reidenberg said. [Source

US – “Privacy Bill of Rights” Draft Released

Following up on his announcement that he would soon submit the “Commercial Privacy Bill of Rights Act of 2011“ during a hearing on the call for federal privacy legislation, Sen. John Kerry (D-MA) and the bill’s cosponsor, Sen. John McCain (R-AZ), have published a draft of the legislation. The draft includes provisions to “give the Federal Trade Commission authority to craft privacy regulations and to operate a Web site where consumers can opt out of online behavioral targeting.” In the Hogan Lovells Chronicle of Data Protection, Christopher Wolf highlights major provisions of the draft legislation, including what would constitute PII and “unique identifier information,” safe harbor programs, access to data and opt-in consent. “No private rights of action are allowed,” Wolf writes, “and state laws–except those dealing with health or financial information, data breach notification or fraud–are preempted.” [Source

US – Senate Committee Holds Hearing on the State of Online Consumer Privacy

 Impact to Subscriber: In line with Sen. John Kerry’s statement that the status quo for online privacy cannot stand, a Senate Committee hearing heard support for online consumer privacy legislation from the Department of Commerce (based on a collection of agreed-upon fair information practice principles that provide the FTC with enforcement authority and creates incentives for developing codes of conduct, such as by offering a safe harbor for signatories), Microsoft (establishing reasonable baseline privacy protections), and Intuit (a principles-based approach should be taken). Participants testified that online consumers should have choices about how their information is being collected and used; the FTC set out 5 critical principles for a Do Not Track system of universal implementation (consumers do not need to repeatedly opt out on different sites), easy-to-find and use, persistent (choices should not be deleted if cookies are cleared or browsers updated), opt out of tracking altogether (do not limit the system to only tracking for advertising), and effective and enforceable without technical loopholes. [Source] [Source

US – Senator Pushes for Mobile Privacy Reform

Sen. Ron Wyden’s (D-OR) has proposed a bill that would provide privacy protections for geolocation information. Once introduced, the Geolocational Privacy and Surveillance Act (GPS Act) would seek to require law enforcement to obtain a warrant before accessing information related to a wireless device or GPS system, for example. The bill will likely gain “strong support” from Internet companies, civil libertarians and wireless carriers, “many of which have joined a coalition saying that location information should be accessed only with a warrant,” the report states. The bill would require court evidence relating to location data be thrown out if procedures weren’t followed and allows for civil lawsuits and damages in cases where location data is inappropriately accessed and used. [Source

US – Proposed Legislation Would Replace FISMA Paperwork with Real-Time Monitoring

US Representative James Langevin (D-Rhode Island) has introduced a bill that would replace the paper-intensive compliance requirements of the Federal Information Security Management Act with automated, continuous monitoring. The Executive Cyberspace Coordination Act would also create a National Office of Cyberspace in the White House and increase the Department of Homeland Security’s (DHS) authority over private networks that are part of the country’s critical infrastructure. [Source] [Source]

Workplace Privacy 

CA – Material on Work Computer Private, Court Rules

Ontario’s top court has found a right to privacy in material contained on a work computer. A judgment on from the Ontario Court of Appeal broke new ground on an issue that is exploding into the court system – the extent to which Internet information is private and beyond the reach of the law. The case involved a Northern Ontario high school teacher charged with possessing child pornography. The judges said that police breached his Charter rights by viewing his computer files without a warrant. “The police technique was intrusive in copying the entire contents of the hard drive,” the court said. “The contents of the hard drive of a laptop may contain extremely personal information such as medical and financial reports, personal journals, e-mails and appointments. At the same time, the court concluded that school officials who stumbled upon the pornographic images had a right to monitor whether the school computer system was being used appropriately. Frank Addario, a lawyer for defendant Richard Cole, said that the ruling has repercussions for employees who use their electronic devices for personal purposes, “which is pretty well everyone. “There was a belief that ownership meant control of privacy, but that’s an old school way of looking at privacy,” Mr. Addario said. “Most Blackberry users carry a subset of their existence around with them regardless of who paid for the hardware.” In a pretrial ruling, the trial judge in the case tossed out the evidence as a violation of Mr. Cole’s privacy rights. The Crown appealed to Superior Court, which reversed the ruling and sent it back for trial. The defence appealed that ruling to the Ontario Court of Appeal. Toronto lawyer Scott Hutchison, a privacy expert, said that the court has given a sound answer to a vital question. “This case comes down firmly on the side of privacy and holds that employers cannot give police investigators access to a workplace computer,” he said. “This case makes it clear that the employer may own the computer, but that doesn’t give them the power to waive the employee’s privacy rights,” Mr. Hutchison added. “It recognizes the realities of how people use modern workplace technology. People don’t artificially ‘switch off’ their privacy interests just because the device in question is owned by someone else.” [Source] [Mondaq: Work computers - user rights v owner rights] and [Breach of privacy case holds lessons for IT departments

US – Ex-Employee’s Blogs Can’t Be Stopped, NY Court Rules

Joseph Lazzarotti and John Snyder comment on Cambridge Who’s Who Publishing v. Sethi, a case recently covered on DataBreaches.net because of its reference to an alleged data breach that had never been reported in the media. The court ruled that Cambridge Who’s Who could not get an injunction that would stop its former employee from writing about a data breach that occurred while he was employed by them, nondisclosure agreements notwithstanding. [Pogo Was Right

US – DHS Sets Privacy Policies for Selected Social Media Tools

The Department of Homeland Security has trained its employees not to collect personal data from individuals with whom they interact via social media tools such as widgets, mobile applications, text messages and Real Simple Syndication feeds. Given the nature of such tools, some personal data — such as user ZIP codes — may be collected and displayed by the systems during sign-on or may be published in a public profile of the user. To protect privacy, DHS officials are not collecting or storing such personal information, says a 19-page report from the Office of the Chief Privacy Officer. The report gives an overview of DHS’s strategy for one-way social media communications, also including podcasts and video streams, in which it primarily pushes out messages to subscribers who request such services. [Source

AU – Australian Government Bans Free Web-Based eMail Services for Employees

Government workers in Australia will no longer be able to use free web-based email services like Gmail and Hotmail. The government made the blanket decision following a report from Australia’s Federal Auditor-General recommending that “agencies should not allow personnel to send and receive emails on agency ICT systems using public web-based email services.” For situations in which government employees require access to these services, the auditor recommended the use of single, stand-alone desktops. The ban will take effect on July 1, 2011. [Source] [Source

US – U.S. Supreme Court Clarifies Informational Privacy In Security Clearance Context

In a widely-watched case that pitted privacy rights against national security issues, the U.S. Supreme Court has issued a narrow ruling allowing the federal government to ask employees about drug counseling, medical treatment, sexual matters and other personal information. On January 19, 2011, the nation’s highest court unanimously upheld the National Aeronautics and Space Administration’s background checks in a defeat for scientists, engineers and others who argued the in-depth investigations were too intrusive. (NASA v Nelson et al, No. 09-530). The Respondents in this case were longtime government contract employees at NASA’s Jet Propulsion Laboratory (JPL) in California. At the time the Respondents were hired by NASA, there was no policy in place that required government background checks on contract employees, but the Department of Commerce later mandated that all contract employees with long-term access to federal facilities would have to undergo a standard background check by October 2007. As a result, the JPL announced that employees who did not timely complete the new required background check would be denied access to the JPL and face termination. The background check at issue consists of a standard form (SF-85), which inquires into whether an employee has “used, possessed, supplied, or manufactured illegal drugs” within the last year. If a JPL employee answers in the affirmative, then he or she must provide details about any treatment or counseling received and then sign a release authorizing the government to obtain personal information from schools and employers, among others. Upon the completion of SF-85, the government mails a questionnaire (Form 42) to the employee’s references that asks open-ended questions about the honesty and trustworthiness of the employee. The constitutional right to “informational privacy” has only been discussed by the Supreme Court in two cases, and even there, the Court did not go so far as to acknowledge that here is such a right. In both cases, Whalen v. Roe and Nixon v. Administrator of General Services, the Court held that any concern about the violation of privacy rights was eliminated by existing legislation that provides sufficient protection against the dissemination of private information. Prior to the JPL deadline, Respondents filed suit seeking an injunction and claiming a violation of their constitutional right. The District Court held in favor of the government, but the Ninth Circuit Court of Appeals reversed, ruling in favor of the employees. In the Supreme Court, Justice Samuel Alito wrote a majority opinion that again refused to declare whether there is a constitutional right to informational privacy and opted instead to assume that, even if there were such a right, it would not prevent the government from asking the sort of questions included on SF-85 and Form 42. The government interest in obtaining background information for the sake of hiring a competent, reliable workforce was held to outweigh the privacy interests of the individual employee. The Court ruled that the questions at issue were reasonable, in light of the fact that millions of private employers use background checks in order to make hiring decisions, checks which include questions about drug use and treatment. Similar to its holdings in Whalen and Nixon, the Court concluded its decision by stating that the Privacy Act provides sufficient safeguards against the dissemination of any personal information revealed in the course of an employee background check. Had the Court issued an opinion in favor of the JPL employees, and acknowledged a constitutional right to informational privacy, it is likely that both the government and private job application process would have been tremendously affected. Employees and prospective employees who are asked to provide sensitive information in order to retain or gain clearance could have had the option of pursuing litigation if their refusal to respond to such inquiries resulted in a denial of access or employment. This narrow decision maintains the status quo and allows the government to continue with its standard background checks. [Source

CA – Province Slammed for Secret Criminal Checks on Labour Inspectors

A branch of the Ontario government responsible for ensuring employers act fairly and obey the law has been criticized for infringing the privacy rights of its employees and violating a collective agreement. In a landmark decision, the Crown Employees Grievance Settlement Board found the labour ministry acted unreasonably by conducting secret criminal background checks on its inspectors. The Ontario Public Service Employees Union filed a grievance last year after a workplace health and safety inspector found out, via the ministry’s legal services branch, that his name had been run through the computerized Canadian Police Information Centre and registered a “hit.” The inspector hadn’t been told about the search beforehand or asked for his consent, but was questioned about the result. It involved an offence for which he’d been pardoned. “OPSEU was saying it is a fundamental right for employees to have privacy and you don’t give up privacy rights just because you choose to work for the Government of Ontario,” said Kate Hughes, a lawyer representing the union. “Your criminal or your disciplinary record are private to you.” [Source

US – Bizarre Incident in a Manager’s Living Room

A manager whose outburst at his TV set was accidentally recorded by a co-worker’s voicemail says Verizon fired him for his comments, which included his beliefs on politics and health care. Richard D’Arpe, a manager for Verizon for 15 years, says he was at home and off duty when he made a work-related call to Christian Flete, a technician. He hung up and put the phone “somewhere in the vicinity of his pants pocket.” It was July 7, 2010. While watching a news documentary, D’Arpe says, he became upset and “began to yell at his television regarding politics, health care and his beliefs. These comments were not directed at anyone.” D’Arpe did not realize that his phone had accidentally redialed Flete, whose voicemail caught D’Arpe’s rant. D’Arpe says he “was completely unaware of the entire incident at this point in time.” But Flete, who is not a party to the complaint, filed an incident report with D’Arpe’s manager about the message, D’Arpe says. He adds that Flete forwarded the message to an undisclosed number of colleagues, who in turn continued forwarding the message to others. D’Arpe was confronted by his manager and an Equal Employment Opportunity agent the next day and was suspended. D’Arpe says he refused to attend a meeting to discuss his employment status: “As Mr. D’Arpe was well aware that a number of other employees received the voicemail, he feared for his own safety and decided not to attend this meeting.” He was fired on July 14, “for violation of the company code of conduct.” D’Arpe says that any violation of that code did not occur at work, nor was it directed at any Verizon employee. It “merely represented comments made in the privacy of his own home and outside of the workplace.” He seeks punitive damages for wrongful firing, negligence, defamation, and privacy invasion, and documents, including a copy of the voicemail recording. [Source

US – Arizona County Employees Unhappy About Saliva Test

An Arizona county is trying to get reliable data on whether its employees are smokers by testing saliva, a move some workers are resisting. Maricopa County, which includes Phoenix and its suburbs, is not compelling employees to have their saliva tested – but those who do not, along with those who test positive for tobacco – will pay higher insurance premiums. Chris Bradley, who heads the county’s Business Strategies and Healthcare Program, said officials found that relying on employees to self-report that they or someone in their immediate family smokes produced data that appeared to be at odds with reality. Some employees who say they do not smoke are leery of handing over a saliva sample. They say they fear the county can gather other information and share it with other agencies. [Source

+++

 

01-15 March 2011

Canada 

CA – Canadian Air Passengers a Step Closer to U.S. Law After Bill Passes

The House of Commons passed a controversial private member’s bill that would force airlines to provide passenger information to the United States when they travel to American destinations or even pass through U.S. airspace. Bill C-42, introduced by Conservative House leader John Baird while he was transport minister, passed its third reading by a vote of 246 to 34. The NDP was the only party to vote against the proposed bill, which now moves to the Senate for consideration prior to royal assent. Opposition parties and civil liberties groups have said the proposed bill raises privacy concerns because Canadians’ personal information would be in American hands. The legislation is designed to amend Canada’s Aeronautics Act and essentially gives the U.S. the final say on who gets to travel on Canadian flights that pass over its airspace. Canadian airlines currently aren’t obligated to share flight information with the U.S. unless passengers are landing there. If made law, the bill would comply with American laws so that Canadian airlines would have to provide passenger information 72 hours before departure. U.S. Homeland Security officials would then screen travellers’ names, birthdates and sex information against lists of suspected terrorists, including the notorious American no-fly list. If a passenger shares the same name as someone on a no-fly list, he or she could be questioned, delayed or even stopped from boarding a flight. Last month, a British man was stuck in Canada for three days after he was barred from boarding a flight because his name was on a security threat list. Dawood Hepplewhite, 30, of Sheffield, England, said British High Commission consular officials had to intervene so he could leave Toronto. Hepplewhite’s name appeared on the U.S. no-fly list, and his flight from Toronto to England was scheduled to fly through U.S. airspace. Last month, the Canadian Civil Liberties Association said the government should disclose how Canadian passenger flight information will be shared with the U.S. “Canadian sovereignty has gone right out the window. You are going to be subject to American law,” Liberal transport critic Joe Volpe told Postmedia News when the bill was introduced. [Source]

Consumer 

US – ID Theft Tops List of Consumer Complaints

The Federal Trade Commission (FTC) yesterday released its list of the top consumer complaints for the year 2010, and identity theft tops the list for the 11th year in a row. According to an FTC press release, the commission received 250,854 complaints related to identity theft–19 percent of all of the complaints received. According to the Consumer Sentinel Network Data Book report, “government documents/benefit fraud” was the most common form of reported identity theft, and Florida is the state with the highest per capita rate of reported identity theft complaints. The category “Internet services” accounted for the third-highest number of complaints, with 65,565 reported to the FTC in 2010. [Source] [Text of Full Report

US – Study: Attitudes on Privacy Becoming Polarized

According to a Ponemon Institute study, 58% of social network users feel their privacy is less important to them than it was five years ago, while 53% of non-users said it is more important, msnbc.com reports. Ponemon Institute Founder Larry Ponemon, CIPP, called the findings surprising, adding, “The fact is there’s not a lot of complacency about privacy now. People are thinking about this.” Privacy expert Alessandro Aquisti says one reason for the polarization may be that the more people use social networks, “the more costly it becomes for others (who aren’t members) to be loyal to their views…That means some people’s right to privacy is being rendered more difficult to protect precisely by the right of other people not to care about privacy.” [Source] See also: [Why should I care about digital privacy?

WW – Study: Data Anonymity Changes Internet Users Minds

A PubMatic study asked about 500 Internet users how they feel about advertisers tracking their online activities. The study found that the anonymity of the data and how the data is used matters to respondents. Once respondents understood that only anonymous data was used for ad targeting, 40% changed their response from disapproving of the practice to approving of it. PubMatic’s vice president of marketing said, “Everyone knows the user’s privacy is paramount and that we provide a service to them. Understanding the how and the why changes everything.” [Source]

E-Government 

CA – Ontario Public Sector Must Go Beyond “Patchwork Adoption” of Open Government

Experts from the Office of Ontario’s Information and Privacy Commissioner (IPC) will make the case for taking a proactive approach at the 2011 Information Management and Access and Privacy Symposium at the Metro Toronto Convention Centre. Brian Beamish, Assistant Commissioner for Access, will discuss the benefits of Access by Design (AbD) as it relates to the open data and open government movement. The concept of AbD was developed by Commissioner Cavoukian to provide a set of fundamental principles that encourage a proactive approach to releasing government-held information. The objective is to foster a culture of transparency and accountability, where access is the default. [Symposium] [Source

CA – Ontario Could Let Cameras Capture Courtroom Dramas

Canadians have never been able to watch courtroom dramas unfold in their living rooms the way American viewers have come to expect. But now, Ontario, Canada’s largest court system and the only one in the country to specifically legislate a ban on cameras, is opening the door to delivering trials to the public via the small screen. In an interview with The Canadian Press, Ontario’s attorney general says he’s open to the idea of allowing cameras in courtrooms and says the time is right to canvas judges, Crown attorneys and defence lawyers on their opinions. “I’m interested in the views of people as to whether we should move forward,” Chris Bentley said. [Source

US – Man Pleads Guilty to Looking at Passport Files

The Justice Department has now netted a dozen convictions of State Department workers who looked at confidential passport records of celebrities in violation of privacy laws. Former State Department contractor Mark Carter of Upper Marlboro, Md., became the latest when he pleaded guilty to unauthorized computer access. The investigation began in 2008 after officials discovered access of files containing photos and personal information for then-presidential candidates Barack Obama, John McCain and Hillary Rodham Clinton. Federal agents found the unauthorized access extended well beyond politics. For example, Carter admitted he looked at the files for celebrities, musicians, actors, business leaders, a professional athlete, his colleagues and family members. He could face up to a year in prison and a $100,000 fine at sentencing Aug. 5. [Source] See also: [CA – Snooping Bureaucrats Get ‘Slap On The Wrist’

CA – Against Lawyer’s Advice, Toronto City Council Spent Over $250,000 on Legal Fees

Toronto city council has spent more than $250,000 pursuing a legal fight against the advice of its own lawyers, including $96,057 on a recent unsuccessful court case, according to confidential documents viewed by The Globe and Mail. The city’s top lawyer is recommending council abandon its quest for access to a database containing private information about residents, something the province’s privacy commissioner and two outside legal experts warned would violate privacy laws. The database legal saga began four years ago, when some councillors began pushing for “read-only” access to the Integrated Business Management System (IBMS,) which contains up-to-date information such as the status of permits, applications and inspections. The city’s legal department warned that granting councillors unfettered access to IBMS would violate privacy laws because the database includes the names and personal information of constituents. But if council votes this week to reject that advice, an appeal would cost at least another $35,000, the documents say. [Source

CA – Ottawa School Board Gets Personal

Ottawa-Carleton District School Board surveys asking students and their parents probing questions about home life, religious affiliation and sexual orientation are permitted under the Municipal Freedom of Information and Protection of Privacy Act and will go ahead unchanged in April and May, the board announced. Between April 18 and May 20, the board will survey the parents of students from junior kindergarten to Grade 6, while students in Grades 7 to 12 will be asked to complete the survey on their own. The Office of the Information and Privacy Commissioner of Ontario handed the board its final report. The board went to the commission to have its plans looked at in October, before those plans were made public. After a number of complaints were called into the commissioner’s office about the potential use of the information, potential errors, lack of anonymity and the process of withholding consent, a privacy investigation was launched. The report found that the information the survey hoped to glean was personal, but that it was OK to collect under the act because it was “necessary to the proper administration of a lawfully authorized activity.” The survey questions touch on a wide range of issues, including academic abilities, bullying, extracurricular activities, cultural backgrounds and language and religious affiliation.[Source

EU – Hackers Breach French Finance Ministry, Take G20 Files

The French Finance Ministry has confirmed that hackers infiltrated 170,000 of the agency’s computers in December and stole data related to the G20. The attack involved Trojan horses and was discovered in January, according to French Budget Minister Francois Baroin. Officials are investigating. [Source]

E-Mail 

WW – Google Faces Second Privacy Lawsuit Over Gmail Content Scanning

Google is being sued for the second time over its practice of scanning Gmail message content to serve users ads relevant to the messages’ topics. The first lawsuit brought by a Texas man in November 2010, has been sealed. The new suit, on behalf of Kelly Michaels, focuses on Google’s Terms of Service agreement. The complaint claims that Google asks users to agree to its Terms of Service, but doesn’t ensure that the users understand what it is they are agreeing to. The Google Terms of Service agreement includes 92 paragraphs. The Google Program Policy and Privacy Policy are also separate entities; the Privacy Policy includes 55 external links. [Source

CA – Canadian Scientists Crack Code for Tracing Anonymous Emails

Engineers and computer scientists at Concordia University have cracked the code for tracing anonymous emails. For the first time, said data-mining expert Benjamin Fung, analysts have used the complex algorithms and almost imperceptible human quirks that make up the concept of “frequent pattern” to work out each person’s unique email fingerprint or “write-print.” “The people who wrote the email don’t even recognize what they are doing,” Fung told the Star. “One of the features we break down is vocabulary richness. That would be hard to increase quickly.” Other telltale evidence of the mystery writer can come from common grammatical mistakes, an unconscious extra space between each paragraph or patterns in punctuation. “We’ve collected thousands of features to find the different combinations,” Fung said. The combinations are the key. All of the suspects may misspell “consensus,” but not all of them misspell “consensus,” use commas instead of periods, and think “none” takes a plural verb. “Everyone has a unique combination. We see it as quite useful in criminal investigations.” The cyber-forensic tool, reported in the journal Digital Investigation, can ferret out the author of emails used for phishing, spamming, cyber bullying, email bombing, child pornography and sexual harassment, among others. The next stage of research will be to apply the data-mining method to the even shorter texts of instant messaging, chat rooms and social media, said Fung. [Source] See also: [Robert Soloway Exits Prison, Disavows ‘Spam King’ Ways] [Fighting Spam And Spyware Canadian Style - Part I – McCarthy Tetrault Analysis] and also: [IPv6 Shift Will Impede Spam Filtering

US – Cyber Attackers Release Internal Bank of America eMails

The group of hackers that calls itself Anonymous has released email messages that they say demonstrate fraud at Bank of America (BofA). The information appears to come from an unnamed whistleblower, a former employee of Balboa Insurance, which used to be owned by BofA. The emails indicate that the company withheld foreclosure information from regulators. [Source] [Source] [Source]

Encryption 

CA – Friends of Medicare Call for Better Protection After Unencrypted PHI Disappears

Friends of Medicare are calling for Alberta to write privacy protection into law after yet another unencrypted hard drive containing patient information went missing. Two surgery videos and 3,600 photos of wounds, lab specimens and dead infants, all labelled with the patients’ names, went missing during an office move at the Misericordia Hospital in January, Covenant Health announced. The external hard drive, about the size of a book, was put under a desk during the move and couldn’t be found a week and a half later. The files were not originals, only four of the files have birth dates attached, and none contain financial information, but the hard drive should have been encrypted, said Covenant Health president. “In this case, a staff member did not follow policy,” he said. “We have a very solid policy that just wasn’t followed.” The Office of the Information and Privacy Commissioner will be investigating, he added. [Source]

EU Developments 

EU – Reding Calls for “Right to be Forgotten”

The European Commission’s new rules for Internet user privacy should protect EU citizens no matter which country the data is stored in, said Justice Commissioner Viviane Reding. The Wall Street Journal reports that during a speech in Brussels today, Reding said the commission’s proposed rules–expected to be finalized this summer–should provide citizens the “right to be forgotten…When modernizing the legislation, I want to explicitly clarify that people shall have the right–and not only the ‘possibility’–to withdraw their consent to data processing,” Reding said. She also called for harmonization of EU data protection rules and for the burden of proof that data collection is necessary to rest on data controllers, not Web users. [WSJ

EU – US-EU Data Sharing Efforts Snagged by Privacy Oversight Debate

The United States-European Union high-level contact group for data sharing has begun converting shared data exchange principles into workable standards, said a Homeland Security Department official speaking March 2. But the collaboration effort has hit a roadblock in the area of privacy oversight. Europeans argue that the United States lacks an independent agency that is equivalent to the EU authority over data privacy. “One thing that has been of debate or discussion with the Europeans is this issue of independence,” said Mary Ellen Callahan, chief privacy officer at DHS, while speaking at an American Bar Association event in Washington, D.C. “So what does the independence of the data protection commissioners get you? It gets you the ability to review something ex post in an objective fashion.” Callahan argues that there are plenty of bodies conducting ex post review in the U.S. federal government—the Government Accountability Office, inspector generals and Congress–and creating more bureaucracy is unnecessary. One solution that could move the high-level contact group beyond this impasse would be for Congress to make the dormant Privacy and Civil Liberties Oversight Board more independent and give it a full staff, said Abraham Newman, a foreign service professor at Georgetown University. [Source

EU – Germany Adopts Telecom Breach Notification Requirements

The German government has adopted a draft law that revises the German Telecommunications Act to include breach notification requirements for telecommunications companies. The law brings Germany into alliance with the European e-Privacy Directive. Under the draft law, telecommunications companies are required to notify the federal data protection commissioner and the federal network agency about data breaches. The law also includes provisions requiring “providers of location-based telecommunications services to send text messages informing users whenever their mobile devices are being tracked on location,” according to the report. [Hunton & Williams Privacy and Information Security Law Blog

EU – Irish Notification Requirements Didn’t Make Deadline

Data Protection Commissioner Billy Hawkes says a new code of practice that would have forced data breach notification cannot be enforced because it was not put it front of parliament before the last session’s dissolution. Hawkes said at a recent Irish Computer Society event that though he approved the code last year, it “does not have the force of law because the final step to give it such force was never taken,” the report states. Hawkes said, “the code of practice that exists now is not legally binding–it’s just strong recommendations.” He added that he would like to see penalties put in place to “complement” notification requirements. [Source

EU – French Decree Mandates Yearlong Data Retention

Internet service providers, video sites and other Web sites will be required to retain certain personal data on users for one year after account closure, according to a decree published in the official gazette. “Decree 2011-219 states that information provided upon contract subscription or account creation…must be kept,” the report states. Such information may include names, postal addresses, pseudonyms, phone numbers and passwords. “Web sites will also have to keep for one year after any content is published the user name, type of protocol used, nature, date and time of the operation,” according to the report. [Source

EU – Spanish Parliament Reduces DPA’s Penalties

The Spanish Data Protection Agency (DPA) is described as “one of the more enforcement-oriented DPAs in the EU,” but parliament has modified its penalty structure to lower many fines, the Hogan Lovells Chronicle of Data Protection reports. The main modifications include warning businesses and giving them a set amount of time to resolve breaches before fines would be levied and changes in the level of infringement for certain transfers of personal data, the report states. The modifications were announced in the wake of Europe’s highest court’s review of the DPA’s order that Google remove links to Web content due to privacy concerns. [Source

UK – New Camera Commissioner Could Cause Confusion, Says Privacy Watchdog

The Information Commissioner has warned that new plans for a Surveillance Camera Commissioner could result in confusion and conflicting regulation. The Government has proposed a new code of practice on the use of CCTV networks and traffic-monitoring automatic number plate recognition (ANPR) systems. The code will establish a new watchdog to ensure that it is followed, the Surveillance Camera Commissioner. The code was proposed by the Government’s Freedom Bill. In its evidence on that Bill to the Public Bill Committee, data protection regulator the Information Commissioner said that the appointment of another commissioner with some of the same duties as him could cause damaging confusion. [Source] See also: [UK: Unmanned spy drones and facial recognition cameras could soon be the norm]

Facts & Stats 

US – New Jersey Comptroller Finds Data on Machines Marked for Auction

An audit conducted by the Office of the New Jersey State Comptroller found that nearly 80 percent of retired state government computers headed for auction still contained sensitive personal data. The computers examined were being held at a state surplus property warehouse. New Jersey guidelines require that data be removed from hard drives before computers are sent to the warehouse. The audit was prompted by a number of arrests of warehouse employees. New Jersey state comptroller Matthew A. Boxer says that he believes it is likely that other machines containing data have already been sold because no outside agency had investigated the procedures before his office looked into the matter at the warehouse. [NYT] [GovTech] and also: [Solid State Drive Firmware Destroys Data

WW – Working On-The-Go Could Pose Privacy Threats

The ability to take work on the road via laptops, tablets and smartphones enabled for WiFi access is convenient, but these mobile offices are vulnerable to data breaches, The New York Times reports. According to a report by Symantec and the Ponemon Institute, such breaches are becoming more expensive. From leaving laptops in hotel rooms to using public WiFi to sharing information on social networks, experts detail the myriad risks to personal and business data. Prof. Betsy Page Sigman of Georgetown’s McDonough School of Business suggests, “You want to be overly cautious, especially if you are around a lot of competitors.” [Source

WW – Survey: Quick Responders Pay More for Breaches

InformationWeek reports that the cost of a data breach for a U.S. company continues to rise, reaching $7.2 million in 2010, an increase of 9% from the previous year. A Ponemon Institute study, published by Symantec, found that companies that responded to a breach rapidly paid more than companies that responded slowly. “Quick responders paid $268 per record, an increase of 22% from 2009, while organizations that took more time paid $174 per record, a decrease of 11% from 2009,” the report states. Negligence topped the list of data loss causes. [Source]

Filtering 

EU – Medical Malpractice Case at Heart of Legal Debate

A plastic surgeon who was cleared of wrongdoing in a criminal medical malpractice case 20 years ago is at the heart of a legal debate in a Spanish court. The case involves the Spanish data protection authority’s request for Google to remove from its search results links that go to a 1991 newspaper article about the surgeon’s troubles. Google is contesting the request, saying that to do so would be censorship. But “Spain has always taken an extremely strong line over privacy,” says a Barcelona lawyer, and now the European Court of Justice may become involved. [Source

WW – Google Remotely Removes Infected Apps from Android-based Devices

Google has begun using its “remote removal function” to purge infected apps from Android devices running versions prior to 2.2.2. About 50 apps were found to be infected with malware known as DroidDream; all have been removed from the Android Market. Google has also suspended the accounts of the developers believed to be responsible for the infected applications and plans to take legal action. [Source] [Source] [Source] [Source] [Source] [Source] and also: [Google Pulls Infected Apps From Android Marketplace

US – Legislative Subcommittee Approves Bill Nullifying Net Neutrality Rules

The House Energy and Commerce Committee Subcommittee on Communications and Technology has voted to nullify the Federal Communications Commission’s (FCC) net neutrality rules. The action was taken through the subcommittee’s approval of a bill that uses the Congressional Review Act. It now goes before the full committee. [Source] [Source]

Finance 

EU – European Lawmakers Still Worried About Banking Data Security

Europe’s police force, Europol, has approved requests to send private citizens’ banking data to the U.S. Department of Treasury without sufficient consideration for data protection laws, according to an internal report. An official report on an investigation carried out by the organization’s Joint Supervisory Body (JSB) was made public by the German Commissioner for Data Protection and Freedom of Information. Since August 2010, the European Union has allowed European citizens’ financial data to be transferred to the U.S. under the Terrorist Finance Tracking Agreement, also known as the Swift agreement. However, one stricture of the accord specifies that the U.S. must “clearly substantiate the necessity of the data” in combating terrorism. The JSB inspection team was made up of seven data protection experts who found, that of the four requests made by the U.S. since the Swift pact was established, all were too abstract to allow proper verification for whether they comply with the accord. The report concludes that given the dearth of information, verifying whether the requests to date “are in line with the conditions of the agreement, is impossible.” Oral statements from the U.S. Treasury to Europol personnel had a bearing on the decisions, but even the JSB team has no knowledge of the content of those statements. Therefore it is impossible to tell whether omissions in the written requests were rectified by oral information, according to the report. This renders proper inspection by Europol’s Data Protection Office impossible, concluded the report. Giving Europol a role in implementing the controversial agreement was one of the concessions made to the European Parliament after it initially rejected the accord over concerns about civil liberties. On Wednesday these misgivings resurfaced. Parliamentarians said that Europol appears to be just rubberstamping requests for the transfer of bulk data, without any kind of scrutiny or oversight. Alexander Alvaro, Parliament’s rapporteur on the TFTP Agreement, called for “all relevant documents must be declassified.” “This report should send alarm bells ringing in Brussels,” added Sophie In’t Veld, vice-president of the parliamentary committee on civil liberties. “It would seem Europol has not been respecting the agreed data protection safeguards which we insisted upon as a condition for this agreement to go ahead. We need clarification on how these data transfers are being processed.” The Commission is due to publish its evaluation of the TFTP on March 17. [Source

CA – Canada Still Has More Work to do on Money Laundering: Report

An evaluation of Canada’s anti-money laundering and anti-terrorist financing regime over the past decade suggests government institutions still don’t share enough information among themselves. The report presented to the Finance Department by a private consulting firm Monday says a lack of proactive disclosures from Canada’s financial intelligence unit hampered efficiency. The report says the inefficiencies in the regime’s efforts related to the Financial Transactions and Reports Analysis Centre of Canada stem from the strict rules the agency has to operate under. The evaluation was mandated by the Treasury Board with its findings meant to contribute to an upcoming five-year parliamentary review of the Proceeds of Crime act. [Source]

FOI 

CA – CAJ Opposes Proposed B.C. ‘Proactive’ Disclosure

The Canadian Association of Journalists has told the British Columbia government it opposes so-called proactive disclosure plans proposed for ministries and agencies because they will lead to fewer freedom-of-information requests. The Office of the Information and Privacy Commissioner for British Columbia was seeking input on proposed changes to legislation in B.C. that would, in part, require all FOI requests to be posted freely online after the requester had gone through the expense of filing the request. “The CAJ supports proactive disclosure. We’ve been advocating for more routine disclosure for years as part of our work promoting access to information and open government,” CAJ president Mary Agnes Welch said. “What the B.C. government is proposing is not proactive disclosure. This is still reactive disclosure, because it relies on a formal request being filed and a long and at times expensive legislated process.” In particular, the CAJ opposes the idea that someone who would file an FOI request, work through the red tape and pay at times exorbitant fees to see what they’ve asked for would see the fruits of that effort immediately posted online for all to see—before even receiving their own paper copy. If the province insists on continuing to charge these fees, then those paying them should have time-limited exclusive access to review what they paid for before a full public posting. [Source] [BC: Why David Hahn Has Investigative Reporters in a Tizzy] See also: [US: Lawmakers’ cell phones often out of public reach]

Genetics 

US – Researchers Present Study of Vulnerabilities in Cars’ Computer Systems

Researchers at the University of California, San Diego and the University of Washington have published a paper in which they say they have found ways to break into newer-model cars’ computer systems through Bluetooth and cellular network systems and through the diagnostic tools used by auto mechanics. The same researchers presented a study last year describing how they were able to shut off a car’s engine, lock the doors, turn off the brakes and falsify odometer readings. That attack required plugging a laptop into the car’s diagnostic system. The new paper focuses on remotely accessing a car’s computer system. The researchers, Stefan Savage and Yoshi Kohno, acknowledge that the attacks are challenging, but Savage noted that “When people first started connecting their PCs to the Internet, there wasn’t any threat and then over time it manifests. The automotive industry … has the benefit of the experience we went through.” [Source] [Source]

Health / Medical 

US: New App Gives Patients Instant Access to their Medical Records

University Health Care now offers a free application for students to access their medical information directly from their iPhones. MyChart, developed by Epic Systems Corporation, gives patients instant access to lab results, medications, immunizations and any other medical records. The smartphone app keeps record of interaction with any U care facility or physician as well. The program also serves as a reminder for any needed medical care. If a patient is due for a shot, checkup or any type of procedure, MyChart will alert the patient with a notification. Curtis Newman, director for the MyChart project, said the “ask my doctor” feature is a major bonus for students in particular. MyChart’s developer has yet to come out with technology in support of the Android or BlackBerry operating systems, but Newman said these will likely follow close behind. [Source] See also: [State AGs to Get HIPAA Training

US – OMB Reviews Information Disclosure Changes to HIPAA Privacy Rule

The Office of Management and Budget’s review of a Health and Human Services (HHS) proposal to extend the HIPAA privacy rule’s requirements to “include disclosures during the previous three years for treatment, payment and healthcare operations (TPO) if a healthcare provider uses an electronic health records (EHR) system.” The Medical Group Management Association is raising concerns about the plan, writing to HHS that the stipulation “that the TPO accounting is only required for those physician practices that have adopted an EHR suggests that the government believes TPO disclosures would be collected and stored on this one clinical system. This is simply not the case.” [Source

US – Study: HIPAA Laws May Have Borders, Ethics Don’t

It is a breach of ethics to post pictures of medical patients receiving treatment outside of the U.S., even if HIPAA laws don’t extend that far. That’s according to researchers in a recent Journal of Medical Internet Research study, who looked at 1,023 medical students’ Facebook pages and found 12 photos of patients being treated in developing countries. In the U.S., patients agree to be photographed after signing consent forms. But in developing countries, patients may feel that by signing such a form, they have a better chance at receiving care, says one of the study’s authors. “Use your moral and ethical compass,” she tells practitioners. “What if this was your child?” [Source]

Horror Stories 

US – CA Investigating Latest Health Net Data Breach

After Health Net, Inc. in California announced that several data servers containing sensitive health and personal information on its enrollees are unaccounted for, state officials said the security breach involves “personal information for 1.9 million current and past enrollees nationwide.” The California Department of Managed Health Care, the only stand-alone HMO watchdog agency in the nation, also provided further details beyond the plan’s statement, saying that the missing records on nine servers are “for more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in the California Department of Insurance products (another state agency that has oversight responsibility) and a number enrolled in Medicare.” “The DMHC has opened an investigation into Health Net’s security practices,” said DMHC spokesperson Lynne Randolph. “Health Net has agreed to provide two years of free credit monitoring services to its California enrollees, in addition to identity theft insurance, fraud resolution and restoration of credit files, if needed.” [Source] See also: [Health Canada mails details of marijuana users] and [Youth-only clinic delivers privacy patients crave] and also: [Privacy breaches found at Central Health] See also: [2010 Annual Study: U.S. Cost of a Data Breach – Ponemon/Symantec] 

US – Company Fined for Improper Document Disposal

The Office of the State of Illinois Director of Insurance’s has issued a decision to fine an insurance company for its improper disposal of private insurance documents. MetLife must pay a fine of $75,000 and provide credit fraud protection for those customers who may have been affected when a former sales office discarded clients’ personal documents in a dumpster without shredding them. The documents, which remained in the dumpster for up to four days, included such information as Social Security numbers, birth dates and account balances. [Source

US – Student Data Losses for Three Institutions

The State reports that the University of South Carolina has notified 31,000 current and former faculty, staff and students throughout its eight campuses about a breach that exposed their personal information–including Social Security numbers (SSNs). Meanwhile, at Missouri State University, the names and SSNs of 6,030 students of the College of Education were accidentally posted online and searchable through Google, reports SC Magazine. The university has worked with Google to remove the lists and is notifying those affected and offering them identity theft protection. In a separate incident, the Alaska Department of Education and Early Development is notifying students and parents that 89,000 students’ personal information was being temporarily stored on an external hard drive that was stolen from its Juneau headquarters. [Source

US – Blood Bank Loses Data on 300K

Cord Blood Registry (CBR), the world’s largest stem cell bank, has notified about 300,000 people that their data may have been have been exposed when storage tapes and a laptop were stolen from an employee’s locked car last December. According to CBR’s director of corporate communications, the tapes may have contained credit card numbers, driver’s license numbers or social security numbers but no medical information. CBR sent letters to affected people dated February 14 offering a year of free credit monitoring and assurances of better security practices in the future, but some are questioning why it took so long for them to notify people and why the data was not better protected. [Source

US – BCBS of Florida Mails Forms to Wrong Addresses

Blue Cross and Blue Shield of Florida (BCBSF) has alerted about 7,400 of its members that for three months it has been mailing explanation of benefits forms to old addresses. The error occurred when BCBSF converted to a new source of customer mailing address information. According to BCBSF, no Social Security numbers, dates of birth of financial information was exposed. The company has corrected the problem and notified all affected customers. [Source]

Identity Issues 

WW – Fingerprinting to Supplant Cookies?

Several startups are experimenting with tracking technologies that could supplant cookies as behavioral targeting mechanisms. Device fingerprinting operates by tracking mobile phones, PCs, TVs and cars using unique identifiers. Based on the device’s properties and settings, fingerprinting allows advertisers to link to and track the device and transmit messages based on activity. It’s easier to opt out of fingerprint tracking than cookies, developers say; because the device’s fingerprint lasts as long as the device itself, opting-out must only happen once. In addition, the developers say, the new technology already complies with do-not-track principles because users can “opt out of both tracking and targeting independently.” [Source

US – CA Zip Code Ruling Incites Flurry of Class Actions

In the month’s time since the California Supreme Court decided that zip codes are personal information, 106 class-action lawsuits have been filed. That’s because the presiding justices ruled that the law would apply retroactively, putting every retailer that has collected zip codes during credit card transactions since the Beverly-Song Act of 1971 at risk for liability. In a Privacy Advisor exclusive, experts discuss the potential implications of the Pineda v. Williams-Sonoma decision. Among them, Linda Woolley of the Direct Marketing Association says the case is “very troubling” and has “great implications for what marketers do in terms of data collection,” while Martin Abrams of the Center for Information Policy Leadership at Hunton & Williams says the court’s decision is the “wrong approach.” [Source]

Internet / WWW 

UK – UK ISPs to Clarify Traffic Management Policies

Major broadband providers in the UK will soon clarify their network traffic management practices. BT, Virgin Media and others have signed a voluntary code of practice saying they will provide consumers with clear information about when Internet connection speeds are slowed, why they are slowed, and what effect the throttling will likely have on consumers’ broadband service. The disclosures will also state whether the provider has arrangements with specific content providers to prioritize their traffic. [Source] [Source] [Source] See also: [AT&T to Impose Data Caps for Broadband Customers

US – Twitter, Facebook Still Reluctant to Join Free Speech Initiative

Three years ago, some of the world’s leading tech companies agreed to participate in the Global Network Initiative (GNI) – a code of conduct designed to protect online speech and privacy around the world. The initiative was originally launched in response to brewing tensions in China, where some Internet companies were accused of complying with government censorship policies in order to pursue profit-driven agendas. Today, the GNI can count corporations like Google, Microsoft and Yahoo among its prized members, but there are still some glaring omissions – including Facebook, and Twitter. According to its code of conduct, all initiative participants are required “to avoid or minimize the impact of government restrictions on freedom of expression,” while doing their best to protect user privacy whenever government regulations “compromise privacy in a manner inconsistent with internationally recognized laws and standards.” All companies and organizations are subject to evaluations from independent auditors, who determine whether or not their policies comply with the initiative’s objectives. [Source

US – Private WiFi Intended to Protect Consumers on Public WiFi Networks

Private Communications Corporation (PCC), a security technology company that protects personal data and information online, today announced the launch of Private WiFi®, its flagship Virtual Private Network (VPN) software. Private WiFi encrypts all data going into and out of a person’s computer to support online privacy, protect consumers’ identities and secure sensitive communications transmitted over the more than 400,000 known unencrypted WiFi networks or “hotspots” worldwide, according to JiWire. Microsoft’s 2010 U.S. Remote Working National Research findings suggest that more employees are working from public places, reporting 21% on a plane, 27% from a coffee shop and 37% on vacation. Consequently, users are increasingly taking advantage of WiFi networks in public places. In fact, the U.S. experienced a 17.3% growth in public Wi-Fi usage in 2010. Despite such rapid growth in public WiFi usage, many are unaware of the risks associated with transmitting information across unprotected public networks. [Source

UK – Home WiFi Users Lack Understanding of Security

According to a survey from the UK Information Commissioner’s Office (ICO), nearly half of home computer users who have WiFi networks do not understand WiFi security settings. Most Internet service providers (ISPs) now set up and install customers’ WiFi security settings, but 40% of WiFi users do not understand those settings and 16% are either using an unsecured network or do not know if their network is secured. ICO head of policy Steve Wood pointed to Google’s Street View data collection vehicles gathering information from unprotected networks as evidence that users need to be aware of their network settings. [Source] [Source

WW – Report Forecasts Pros and Cons of the Cloud

Experts have suggested that 75% of senior business leaders believe that privacy and security concerns are the key impediments to the adoption of cloud computing, the Financial Times reports in an analysis piece on the benefits and risks of cloud computing for entities in the UK and EU. With the European Commission anticipating introducing data protection reforms later this year, the report stresses that “to comply with EU personal data requirements, the data controller needs to ensure that the security standards are appropriate, having regard to the nature of the personal data, the state of technological development and the cost of implementing particular measures.” [Source

EU – Cloud Provider: Legislation Required for Cloud Success, Census

“Legislation is an impediment” to the UK government’s G-Cloud initiative, say officials from Lockheed Martin, the largest provider of cloud services to the U.S. government. In the UK and Europe, data privacy laws prevent the movement of data outside the jurisdiction, which is “the antithesis of cloud computing’s concept.” For the cloud to succeed, privacy and confidentiality legislation will need to change, the report states. “Governments should all be updating their laws if they aren’t already,” said Melvin Greer, chief strategist for Lockheed Martin, adding that the UK government and the G-Cloud initiative “will have to deal with the concept of having a secure infrastructure…” [Source

WW – Google Street View Expands Off-Road Imagery

Google Street View has added more locations in the U.S. and around the world, the company revealed on its blog this week, thanks to a high-tech tricycle that’s filming public and private places that aren’t accessible by roads. In 2009, the company unveiled the “trike,” a modified bicycle with camera and surveying equipment mounted in the rear. For more than two years, the trike has been mapping bike paths, gardens and many other off-road areas around the world. “Some of the properties that we are currently interested in include zoos, parks, universities, amusement parks, outdoor marketplaces, stadiums, monuments, tourist destinations and race tracks (to name a few),” according to Google. “I feel like we’re just scratching the surface of what sorts of images our users want to see,” Google engineer Daniel Ratner, the trike’s inventor, told McClatchy news service. [Source]

Law Enforcement 

CA – Ontario Police Can Detect Computers Accessing Child Porn

Halton police say technology is helping them pinpoint predators in their war on child pornography. A one-second snapshot of Internet use on Wednesday morning showed six Oakville computers, seven in Burlington, four in Halton Hills and five in Milton were accessing child pornography sites at that moment, said Det.-Sgt. Brad Cook. Police also detected 158 computers in Halton that accessed child porn last month, he said. But Cook said police won’t reveal how they can track Internet traffic for fear of giving an upper hand to those who troll child porn sites. Police departments around the world are engaged in an evolving game of technological cat-and-mouse with web offenders. In 2005, Halton was one of several Canadian police departments that adopted the Microsoft Child Exploitation Tracking System (CETS). The CETS database acts as an information repository, helping officers organize data and share information across jurisdictions. Halton is among 18 police services across Ontario involved in a joint forces strategy to protect children from sexual abuse and exploitation. [Source] See also: [Ottawa man victim of Facebook, email scam] and [In Social Media Postings, a Trove for Investigators]

Location 

CA – IPC, ASU Partner on Applying Privacy by Design to Mobile Technologies

Ontario’s Information and Privacy Commissioner Ann Cavoukian and Arizona State University’s Privacy by Design Research Lab have released a new white paper that maps the way forward for achieving meaningful privacy protection in the mobile space. The new report builds on original research conducted by ASU’s new PbD Research Lab, which convened an expert panel of top executives from leading mobile organizations to identify privacy and security challenges in their rapidly-expanding field, and propose potential solutions, grounded in real-world experiences. Focusing on the solutions identified by this expert panel, The Roadmap for Privacy by Design in Mobile Communications outlines practical tools to help developers, service providers, and users achieve mobile privacy. [Source

CN – China to Track Its Citizens Using Cellphones

The Chinese government is planning to track Beijing’s 17-million mobile-phone users using their phones’ built-in GPS. The initiative is being sold as a way to curb traffic congestion, but human-rights campaigners worry the government will use the information to quell unrest. In a city infamous for its nine-day traffic jams, the “information platform of real-time citizen movement” would use signals from a mobile phone’s GPS to monitor traffic and track how residents were using the subway, bus lines and roads, according to the Chinese government’s website. Beijing’s inhabitants would be able to buy some of the data, helping them avoid bottlenecks as they moved through the city. Specific information about individuals would not be available. But some worry this latest announcement could be part of a larger plan to curtail dissent. Last year, China passed legislation making it illegal for the country’s 850 million cellphone users to register their SIM cards under a false name. “Certainly the use of the platform will not be limited to gathering traffic information. Officials in other areas, such as anti-terrorism and stability maintenance, will also find it useful.” There is no word on whether people will be able to opt out of the program, which is expected to launch in the first half of this year. [Source

CN – Mobile Phone Tracking Proposal Approved

An expert panel has approved plans to collect real-time location data on 17 million China Mobile subscribers to help resolve Beijing’s traffic problems. Under the program, phones’ locations will be registered with base stations then collected, aggregated and reviewed by transportation officers and city planners. The first phase of the Beijing Real-Time Travel Information Platform is expected to roll out in June. Once the program is up and running, the government plans to send the aggregated data back to citizens to help them make smart travel decisions. While the deputy director of social development said the data would only be used for traffic control–and mobile users’ privacy would be protected–the panel that approved the plan recommended linking the platform with city-management efforts in other government departments. [Source

EU – Industry Submits Code of Practice for Online Maps

Germany’s digital industry has submitted a voluntary code of privacy to the government in response to public concerns over services like Google’s Street View that publish images of residences online. The draft code of practice, submitted by a federation representing the industry, would establish a Web site disclosing information collected about German towns, explain how Germans can file objections to data gathering and offer links for complaints, the report states. Interior Minister Thomas de Maizière, who received the industry’s code, called it “a sign of greater transparency by German businesses and international corporations.” [Source]

Offshore 

LV – DPA Suspends Electronic Tax Service

Latvia’s data protection inspectorate has suspended the State Revenue Service’s tax return service due to privacy concerns. The inspectorate ordered a halt to the Electronic Declaration System due to the fact that “users who happen to know another person’s identity number can find out that person’s name, surname, address and other personal data,” the report states. The system will remain suspended until the revenue authority finds a way to control access. [Source]

Online Privacy 

EU – E.U. Privacy Directive Angers Start-Ups

U.K. start-ups have reacted angrily to the stance by the country’s Information Commissioner on the European e-Privacy Directive on web cookies which comes into effect in May. According to the E.U.’s Privacy and Electronic Communications Directive “explicit consent” must be collected from Internet users who are being tracked via cookies. The e-Privacy Directive was passed in Brussels in 2009. It comes into force on May 25. [Source] See also: [Peter Fleischer blog: Foggy thinking about the Right to Oblivion] See also: [Data Mining: How Companies Now Know Everything About You] and [New York Times: Tracking Users’ Web Footprints] and [Peer Swire paper: Social Networks, Privacy, and Freedom of Association] [Executive Summary] [Full report

WW – Consumer Group: Cookie Concerns Continue

An investigation by Which?, a consumer group, that points to difficulties for Internet users to manage local shared objects–more commonly known as Flash cookies–is sparking a push for stricter online legislation. The difficulties of removing local shared objects from hard drives and features comments by Sarah Kidner of Which?, who suggests, “If such practices are happening without the user’s knowledge, it is pretty serious and could be in contravention of data protection law.” A member of the group’s legal counsel says that “as the online behavioral advertising industry innovates to collect ever more data,” both the UK Information Commissioner’s Office and the EU need to address such technologies. [Source

US – Judge: Debt Agency Can’t Contact Woman on Facebook

A Florida debt collection agency has one less tool in its quiver for contacting debtors. A judge has ordered Mark One Financial LLC not to contact a debtor or her family or friends via Facebook. Attorney Billy Howard said in doing so, the company violated his client’s privacy and a provision of the state’s consumer protection law. He said that debt collectors are turning to social media increasingly to retrieve payments and, increasingly, debtors are looking for legal remedy. “It’s the beginning of an epidemic,” Howard said. [Source]

Other Jurisdictions 

NZ – Privacy Measures Removed to Help Quake Response

Privacy protections for taxpayers and other New Zealanders have been temporarily removed or amended to help the response to the Christchurch earthquake. Using controversial legislation put in place following last September’s quake, Earthquake Recovery Minister Gerry Brownlee has made an “Order in Council” allowing the Inland Revenue Department to share information with other Government agencies. A spokesman for Finance Minister Bill English said the order, which is in force until the end of October, was to allow processing of claims under the Government’s $130 million financial support package for Christchurch’s employers and workers, specifically the wage support subsidy. Information sharing for anything other than earthquake-related support would “absolutely” not occur. [Source

MY – Prime Minister: SMS to 4 Million Didn’t Violate Privacy

Malaysian Prime Minister Datuk Seri Najib Abdul Razak says he did not violate people’s personal privacy or the data protection law when he sent Chinese New Year messages to citizens. The four million messages were sent to three telecommunications companies for transmission, he said in response to inquiries. “The Prime Minister’s Office has ensured that the principle of personal data protection was not compromised and the terms and conditions of the companies were fully respected,” Najib said, adding that the prime minister had no access to any of the recipients’ personal data. [Source]

Privacy (US) 

US – Administration: Privacy Bill of Rights Needed

The Obama Administration is weighing in on the dialogue surrounding online privacy, and the consensus is that the time has come for baseline privacy legislation at the federal level. That was the focus at a Senate Commerce Committee hearing on consumer privacy. The Department of Commerce “has concluded that the U.S. consumer data privacy framework will benefit from legislation to establish a clearer set of rules for the road for businesses and consumers,” explained National Telecommunications and Information Administration Administrator Lawrence Strickling. This Daily Dashboard exclusive examines the testimony and reactions from legislators, industry and advocates at today’s hearing paired with expert opinions on a U.S. “privacy bill of rights.” [Source

US – Supreme Court Determines Corporations Are Not Persons

The U.S. Supreme Court has ruled that the term “personal privacy” does not extend to corporations. The 8-0 decision in FCC v. AT&T, which was prompted by an appellate court decision to extend a Freedom of Information Act exemption prohibiting the release of information that causes “unwarranted invasion of personal privacy” to corporations. In his opinion, Chief Justice John G. Roberts Jr. wrote, “We do not usually speak of personal characteristics, personal effects, personal correspondence, personal influence or personal tragedy as referring to corporations or other artificial entities. In fact, we often use the word ‘personal’ to mean precisely the opposite of business-related…” [Source

US – Bureau to Enforce Self-Regulatory Program

The Council of Better Business Bureaus plans to announce it will start enforcing its program to make online tracking more transparent and give consumers an easy way to opt out. In an effort to avoid government regulation, the council released self-regulatory principles in 2009 that require companies to “clearly explain how they track and use information about consumers’ Web activities,” the report states, including an icon that users can click on for information and to modify ad preferences. The council will employ 300,000 volunteers who will use software allowing them to view companies tracking their Web movements to be sure companies are complying. [Wall Street Journal

US – CDT Receives 2011 IAPP Privacy Leadership Award

The Center for Democracy and Technology has received the 2011 IAPP Privacy Leadership Award. The annual award recognizes a global leader in the field of privacy and data protection. Presenting the honor at the IAPP Global Privacy Summit in Washington, DC, IAPP Board of Directors treasurer Brendon Lynch, CIPP, said the CDT “is at the forefront of efforts to keep the Internet open, innovative and free. They have consistently been a leading voice for free expression and privacy in communications and have fostered practical and innovative solutions to public policy and civil liberties.” CDT President Leslie Harris accepted the award on stage with CDT staff members Justin Brookman, Jim Dempsey and Erica Newland and CDT board chairman Deidre Mulligan. [Source

US – FTC Settles With Online Ad Agency for Privacy Violation

The Federal Trade Commission said that it settled with online advertising provider Chitika for allegedly tracking online activities of users who had opted out of the company’s service. The consumer protection agency had been investigating Chitika for deceptive practices, it said. Between May 2008 and February 2010, the company allegedly placed cookies on the Web browsers of consumers who had explicitly asked to bar the tracking service from collecting information to be used for behavioral advertising. Chitika had stopped tracking those users for just 10 days and then resumed placing cookies on their browsers to target ads, the FTC said. The cookies are used to collect information about users, such as the searches they perform, items purchases and sites visited. In a settlement agreed to unanimously by the FTC, Chitika agreed to stop making misleading statements about the extend of its data collection and to extend to five years the period it is barred from tracking users to opt out of its service. Highlights from the settlement:

-          Every targeted ad by Chitika must include a hyperlink that takes consumers to a clear opt-out mechanism.

-          Chitika must destroy all identifiable user information collected about users who had opted out of the service.

-          Chitika must alert consumers who previously tried to opt out that their attempt was not effective and advise those users to opt out again to avoid targeted ads.

“The FTC investigated Chitika as part of its ongoing efforts to protect consumers’ privacy online,” the agency said in a release. “The FTC charged Chitika’s claims about its opt-out mechanism were deceptive and violated federal law.” [Source

US – Twitter Settles With Feds Over ‘09 Obama Hack

Twitter has settled a federal complaint over a pair of 2009 breaches in which hackers were able with relative ease to gain access to user accounts, including one used by President Barack Obama. The FTC had accused Twitter of promising privacy and security to users while, it alleged, protections were so lax hackers were able to take over accounts with little effort. The final consent order does not impose fines for what amounts to a truth in advertising violation. But it does require that Twitter tighten its security system, perform security audits every two years for the next decade and not make deceptive security claims. Twitter agreed to the punishments, but admitted no violation of law. Among the sloppy practices outlined in the FTC order:

  • From July 2006 to July 2009, nearly all Twitter employees had total access to the Twitter system, including the ability to reset passwords, read users’ direct messages and nonpublic tweets and send tweets in any user’s name.
  • Twitter employees used the public Twitter login page to get into these admin accounts and there were no controls on how strong such passwords had to be or how long they lasted. Twitter did not lock down accounts after multiple wrong password guesses.

On Jan. 4, 2009, a hacker took advantage of these flaws using an automated password guessing tool (a so-called dictionary attack) to figure out an employee’s administrative password, after submitting thousands of guesses into Twitter’s public login webpage. Once in, the hacker reset passwords, passed them along to other hackers and sent out Tweets from the president’s account — one promised Obama’s followers $500 in free gasoline for filling out a survey — as well as from Fox News. [Source] [Source] [Source] [Source] [Source] See also: [Judge Denies Request to Throw Out Order Seeking Twitter Account Information

US – E-Commerce Site Makes Changes After Users Complain

As a result of privacy concerns voiced by a number of users, an e-commerce Web site has decided to stop publishing customers’ purchase histories within user feedback posts. Etsy recently activated a “people search” tool allowing users to search for other users’ names as a way to view purchases and recommendations. However, some users claimed they were not notified that their information would become public when they initially entered their full names on the Web site. Etsy has now disabled the feature and says it is considering further changes to protect buyer privacy, Ars Technica reports. In the future, the site may allow users to post purchases, but it would be “completely opt-in,” executives said. [Source] See also: [The Changing Meaning of “Personal Data” by William Baker and Anthony Matyjaszewski ]

Privacy Enhancing Technologies (PETs) 

WW – Microsoft Do-Not-Track Tool to Debut

Microsoft’s newest version of Internet Explorer is set to release with a do-not-track tool to help Internet users “keep their online habits from being monitored.” However, concerns persist as to whether self-regulatory approaches will work. Microsoft and Mozilla have adopted do not track in the wake of the Federal Trade Commission’s recommendation for such tools, highlighting “the pressure the industry faces to provide people with a way to control how they are tracked and targeted online” with legislation being contemplated at the federal level. However, the report goes on to state, industry-based systems “will only work if tracking companies agree to respect visitors’ requests,” and to date, none have publicly agreed. [The Wall Street Journal

US – U.S. Funding Tech Firms That Help Mideast Dissidents Evade Government Censors

The Obama administration may not be lending arms to dissidents in the Middle East, but it is offering aid in another critical way: helping them surf the Web anonymously as they seek to overthrow their governments. Federal agencies – such as the State Department, the Defense Department and the Broadcasting Board of Governors – have been funding a handful of technology firms that allow people to get online without being tracked or to visit news or social media sites that governments have blocked. Many of these little-known organizations – such as the Tor Project and UltraReach- are unabashedly supportive of the activists in the Middle East. [Source]

Security 

US – Walgreen Accused of Selling Patient Data

Walgreen Co is the target of class-action lawsuit related to how the company profits from customers’ prescription data. The suit claims that Walgreens deprives its customers of the “commercial value of their own prescription information,” by selling it to data mining companies. “We believe this information belongs to the patient who paid for the drug, not the pharmacy,” said a lawyer for the plaintiffs. Last week, a Pennsylvania man filed suit against another drugstore chain for similar activities, but that suit alleges the activity violated the privacy of consumers. [Source

US – Health System Installs Data Protection Technology

New Jersey’s Saint Barnabas Health Care System is rolling out a “major data loss prevention initiative that will enforce new content-control restrictions” on more than 10,000 computers used by the system’s staff. Software installed on each computer will enable policies on what kind of data they collect or what they e-mail, according to a spokesman for the healthcare system, and will be capable of recognizing what is patient information and what is “just a medical document,” he said. [Source] See also: [DLP Comes of Age]

Surveillance 

US – Homeland Security Looked Into Covert Body Scans at Public Venues

The Homeland Security Department paid contractors millions of dollars to develop and study surveillance systems that could covertly track pedestrians and check under people’s clothing with airport-style body scanners as they enter train stations, bus depots or major events, newly released documents show. Two contracts the department signed in 2005 and 2006 were part of its effort to acquire technology to find suicide bombers in a crowd of moving people, according to documents given to the Electronic Privacy Information Center (EPIC), a privacy-rights group that is suing Homeland Security. The department dropped the projects in a “very early” phase after testing showed flaws. EPIC lawyer Ginger McCall says the project is disturbing nonetheless because it shows the department “obviously believed that this level of surveillance is acceptable when in fact it is not at all acceptable.” A $1.9 million contract with Rapiscan Systems, which makes airport body scanners, asked the company to develop similar machines for “covert inspection of moving subjects” and to find explosives on suicide bombers “through clothing, backpacks and other packages.” The contract was signed in 2005. Rapiscan’s airport body scanners require subjects to stand still while the machines create an image of passengers underneath their clothing to reveal hidden weapons. EPIC has sued the department to stop their use, saying the machines violate privacy. Rapiscan Vice President Peter Kant says the company gave Homeland Security a prototype machine designed “primarily for non-aviation settings” because it could scan people while they were moving. [Source 

US – Drivers May Lower Insurance Premiums by Getting Monitored

Progressive is one of a growing list of insurers with discounts for monitoring: Although the programs are voluntary, they’ve raised the eyebrows of privacy advocates. One worry is that the insurers eventually will make the monitoring mandatory. And while insurers say they information will only be used for discounts - not punitively - there is little to prevent them from “changing the rules down the line” says Robert Ellis Smith, publisher of Privacy Journal. And, he notes, some states have privacy laws that might ban such programs even if drivers are willing to opt in. Progressive says it is trying to protect privacy while delivering discounts. It notes that its device, for instance, doesn’t have GPS tracking, so it doesn’t know where a participant is driving. It also doesn’t monitor speed. He predicts the program, now available in 32 states, will appeal to drivers who feel they aren’t getting the discounts that their safe driving habits deserve. Insurance companies typically set rates based on accidents or tickets, but also on such factors as age, gender and ZIP code. [Source] See also: [US: ‘Black boxes’ common in US autos, but many drivers don’t know they’re there

WW – Cable, Satellite Test Targeted TV Ads

As cable and satellite providers test systems to target ads to specific households, The Wall Street Journal reports that data gatherers are compiling information on what viewers are watching with such personal data as prescription records to “emulate the sophisticated tracking widely used on people’s personal computers with new technology that reaches the living room.” However, some industry executives are raising privacy concerns, pointing to the push to regulate online tracking. Others say TV targeting is less intrusive, as it involves outside companies providing aggregated data without PII. The founder of one such company says they do not know who is sitting in front of any given TV, noting, “We don’t want to look in the window. It is a little spooky.” [Source]

Telecom / TV 

IN – RIM Hits India’s Email Demands

A top executive of BlackBerry-maker Research in Motion Ltd. said Indian security agencies are making “rather astonishing” demands for increased powers to monitor email and other data traffic, raising serious privacy issues that threaten to harm the country’s reputation with foreign investors. Robert Crow, vice president of industry and government relations for RIM, said India’s Home Ministry, which oversees domestic security, wants the ability to intercept in real time any communication on any Indian network—including BlackBerry’s highly secure corporate-email service—and get it in readable, plain-text format. Such a broad requirement raises the question of whether the government believes any communications are legally off-limits, he said, including email conversations of foreign ambassadors and financial records that get transmitted over secure telecommunications networks to Indian outsourcing companies. [Wall Street. Journal] [Source] See also: [Montreal city hall addresses BlackBerry privacy]

US Government Programs 

US – Proposed DOT Rule Invasion of Privacy, Says AIA

AIA is very concerned that a new rule proposed by the Transportation Department would constitute an unnecessary and undesirable invasion of privacy, hampering the mobility of citizens and companies. “The Block Aircraft Registration Request program functions much like a ‘Do Not Call’ list for private aircraft owners,” said AIA President and CEO Marion C. Blakey. “The rule that the FAA is proposing would strip away that right to privacy.” Currently, private aircraft owners can choose to have access to their private travel itineraries blocked to third parties. Through its Aircraft Situation Display Information and National Airspace System Status Information data, the FAA has all the information it needs to monitor the movement of legally registered aircraft for safety and security reasons. The rule proposed in Docket No. FAA-2011-0183 would make available the personal and business itineraries of law-abiding citizens to anyone requesting them, unless the aircraft owner could demonstrate a “Valid Security Concern.” American companies need to be able to operate and explore new business opportunities free from surveillance or competitive interference. For example, under the proposed rule, business competitors would be able to track the movements of private aircraft owners, making it easier to discern their proprietary business plans. “When Americans get in their cars, they don’t have to worry that strangers are able to follow their every movement,” said Blakey. “Why should citizens who fly their own aircraft be subject to such scrutiny?” [Source]

US Legislation 

US – Proposed Bill Would Put Curbs on Data Gathering

Senators John McCain (R-AZ) and John Kerry (D-MA) are the most recent federal legislators moving forward with plans for online privacy legislation. The Kerry-McCain proposal “would create the nation’s first comprehensive privacy law, covering personal data gathering across all industries,” The Wall Street Journal reports, with an “online privacy bill of rights…that would require companies to seek a person’s permission to share data about him with outsiders” and would pertain to such data as names and addresses to identification numbers and biometrics. “It would also establish a program to certify companies with high privacy standards” that would be allowed special provisions for selling personal data, the report states. [Source] See also: [WSJ Poll: Is Your Personal Info for Sale?] and also [Privacy in the Legislative Branch: A Quick Update

US – RI Legislators Seek to Protect SSNs

The Boston Globe reports on a push by two Rhode Island lawmakers to keep businesses from asking for the last four digits of customers’ Social Security numbers (SSNs). The new legislation follows an existing state prohibition on recording full Social Security numbers on personal checks, the report states. Sen. Dominick J. Ruggerio (D-North Providence) and Rep. Brian Patrick Kennedy (D-Hopkinton) have introduced bills seeking to end a practice where businesses may record partial SSNs, noting an entire number can be determined from those few digits. [Source

US – Drug Database Passed in South Carolina

South Carolina has joined nine other states in passing a law to adopt a national database for tracking the sale of pseudoephedrine, which can be used to make methamphetamines. While pharmacies throughout the state have been recording purchases, National Precursor Log Exchange (NPLex) allows states to share information. Privacy advocacy groups are not “watching NPLex,” says the report, but when “personal information is collected into a database, there is always a chance of some secondary use,” said Tena Friery of Privacy Rights Clearinghouse. Meanwhile, an Arkansas Senate panel is backing legislation to create a statewide database for tracking some prescription drug purchases. [Source 

U.S. – Bill Would Make It Illegal to Take a Picture of a Farm

The days of photographing picturesque farm landscapes will be a thing of the past if a new U.S. bill passes. The legislation, moved by Florida senator Jim Norman, would make it a felony to take photos or videos of farms without written permission from the owners. The bill does not explain the reasons behind it. It is a move that has Canadian farming groups scratching their heads. “We’re going the opposite way of this legislation,” said Crystal Mackay, executive director of Ontario Farm Animal Council. “We encourage farmers to open their barn doors. We’re here to have a conversation with you.” A similar bill was put forward in Iowa, but that one focuses on making it illegal for people to shoot undercover videos and gain access to farming facilities under false pretenses. The Iowa legislation is in response to animal activist groups, which have released videos taken from inside farming facilities, said Iowa Senator Sandy Greiner. [Source]

Workplace Privacy 

US – Employee Fired for F-Bomb Tweet on Chrysler Account

An employee of Chrysler Group LLC’s social media agency has been fired after it was discovered the person dropped the f-bomb in a tweet on the Chrysler brand’s official account. The message has since been removed from the account, but the offending quip has been re-tweeted by some Twitter users. The Auburn Hills-based carmaker posted a response on its official blog apologizing for the actions of the New Media Strategies employee. “Chrysler Group and its brands do not tolerate inappropriate language or behaviour, and apologize to anyone who may have been offended by this communication,” the post read. The blog also confirmed an employee at NMS had been fired for the Motown diss. [Source

CA – Probe Into Request for Leadership Candidates’ Social-Media Passwords Continues

British Columbia’s privacy commissioner says she isn’t backing off her investigation of a request by the B.C. NDP for party leadership candidates to provide social-media passwords even though a high-profile dispute on the issue has been resolved. Elizabeth Denham said that she is pleased that MLA Nicholas Simons has reached a compromise with the party, which is poring over candidate sites to look for embarrassing information. However, she said she worries about similar requests, which may be at odds with provincial privacy legislation. “This is a teachable moment for other organizations.” [Source] [Leadership candidate rebuffs B.C. NDP request for social media passwords]

+++

 

15-28 February 2011

Biometrics 

CA – OPC Issues Report on Biometrics and the Challenges to Privacy

Canadians are witnessing a growing interest among government and private-sector organizations in adopting systems that use biometric characteristics to automatically identify people or verify their identity. But whether a fingertip, a face or an iris is being scanned, what’s being collected is personal information about an identifiable individual. The Office of the Privacy Commissioner of Canada has prepared a primer on biometrics (“Data at Your Fingertips”) and the systems that use them. It also describes some of the privacy implications raised by this emerging field, as well as measures to mitigate the risks. [Source]

Canada 

CA – Alberta Proposes Missing Persons Act

New legislation proposed by the Alberta government will make it easier for police when searching for missing persons. Bill 8: the Missing Persons Act will allow a police agency to obtain the personal information they need to help find missing persons in cases where the police have no reason to suspect that a crime has been committed. The proposed legislation is intended to balance fundamental privacy rights with access to important information such as cell phone and financial records. [Source

CA – Funding Available for Privacy Research and Education in Canada

The Office of the Privacy Commissioner of Canada is calling for proposals for cutting-edge privacy research and public education projects in Canada. The application deadline is March 14, 2011. The Office is interested in receiving research proposals focusing on four priority areas: 1) identity integrity and protection, 2) information technology, 3) genetic privacy, and 4) public safety. However, the Office will continue to accept research proposals on issues that fall outside these areas. As well, the Office invites proposals to fund public education and regional outreach initiatives that aim to inform Canadians about their privacy rights and how they may better protect their personal information. All proposals will be evaluated on the basis of merit by OPC officials, and the maximum amount that can be awarded for each research or public education project is $50,000. ot-for-profit organizations, including education institutions and industry and trade associations, are eligible, and this includes consumer, voluntary and advocacy organizations. [Source

CA – Supreme Court Deabtes National Security Versus Privacy

Canada’s highest court will have a tough decision later this week when it has to choose between the public’s right to now versus national security issues when it comes to the domestic activities of both CSIS and the RCMP. In what’s being called a case of history against national security, the Canadian Press is challenging the government’s refusal to fully disclose the 1,142-page dossier on socialist icon Tommy Douglas, widely regarded as the father of Canada’s medicare system. Uncensored information released by Library and Archives Canada shows RCMP security officers shadowed Douglas for 50 years, showing particular interest in his links to the peace movement and Communist party members. The library is refusing to release the entire dossier saying fuller disclosure would jeopardize the country’s ability to detect, prevent or suppress “subversive” activities. [Source]

Consumer 

US – Research: Consumers Want Transparency, Control

Recent research indicates that when it comes to online privacy, what consumers want is security and control. Ball State University’s Center for Media Design found that “the notion of privacy is actually ‘situational’ and depends on the context of the consumer, the nature of their information being tracked and the organizations that are tracking it,” the report states. With a focus on how consumers—rather than advocacy, industry or regulatory groups—react to online tracking, the first round of research found that college students surveyed are concerned about online tracking, but the focus is “not about privatizing their information. It’s about keeping it secure.” [Source] [Research website]

E-Government 

CA – Bureaucrats Sending Sensitive Information on BlackBerrys

Senior federal bureaucrats are sending sensitive government information on their BlackBerrys despite warnings to stop. Deputy ministers at Transport Canada, Veterans Affairs and Public Works have all used a BlackBerry feature called PIN messaging to discuss information that is supposed to be secure, The vulnerability of government communications was exposed this week with the revelation that computer networks at two federal departments were compromised by hackers. Exactly what the hackers were after is unclear but Internet service at the Treasury Board and finance department has been curtailed as a result. [Source] See also: [Foreign hackers attack Canadian government] and [Montreal councillors’ email privacy questioned

US – US Immigration Computer System Vulnerable to Insider Threats

According to a report from the Department of Homeland Security (DHS) Office of the Inspector General (OIG), the US Citizenship and Immigration Services’ (USCIS) processing system is vulnerable to insider threats. The OIG brought in a third-party group from Carnegie Mellon University’s software engineering institute to evaluate insider threats on systems at USCIS. [Source

CA – Family Suing Alberta Government Over Alleged Privacy Breach

Four years of domestic abuse “hell” followed by nearly a decade-long battle to obtain a nationwide name change came crashing down for a Canadian mother and daughter after the Alberta government posted their identities online. “Jane” and her daughter “Janet Doe” obtained Unpublished Secure Name Changes more than five years ago and began rebuilding their lives with new connections, re-location and the security of never having to look over their shoulders. But all the effort and security went up in flames after a Google search revealed both the old and new identities of the Does were published online in the Alberta Gazette – the official newspaper of the Government of Alberta. Now, nearly 19 months later after contacting top Canadian officials, agencies and individual organizations for a settlement, no restitution has been received. [Source]

E-Mail 

WW – Google Investigating Problem that Reset 150,000 Gmail Accounts

Google is looking into a problem with Gmail that emptied the inboxes of a small percentage of users over the weekend. Some users have had their information restored; Google engineers are working on the problem. About 150,000 accounts appear to have been reset, meaning that users cannot access their stored emails, attachments and chat logs. [Source] [Source] [Source]

Electronic Records 

AU – APF Concerned About E-Health Implementation

The head of the Australian Privacy Foundation says that patients’ medical data is vulnerable because e-health projects are being planned absent their input. “Because consumer representatives have had so little input, there’s a very strong chance sensitive data will be compromised, and the system won’t suit people’s needs,” says Roger Clarke, who adds that consumer engagement only began in January. A health department spokeswoman said that consultations with consumers and privacy groups have been “constructive,” and “The government is serious about a personally controlled system in which privacy protections will be a key element.” [Source

CA – Feds Order Monster Hard-Drive Grinder for Sensitive Data

The federal government has ordered a monster machine to chew up its discarded hard drives, USB thumb drives, CDs, and even ancient Beta videotapes. Like a tree chipper, the grinder will rip apart a range of data-storage devices into pieces so tiny the sensitive information can never be recovered. The Public Works Department is calling for “destruction equipment that performs disintegration, which is the physical demolition of electronic storage devices to particle sizes too small for data retrieval or reassembly,” says a recent tender document. Until 2005, the RCMP’s technical security branch provided departments with free hard-drive overwrite software, known as DSX. But the Mounties stopped supporting the program six years ago because it often did not work properly on newer drives with larger storage capacities, leaving confidential information in place. Some newer hard drives have software embedded in them that allow their entire contents to be securely erased on the proper command. But data storage in other formats such as memory sticks, and even in some new hard drives, sometimes cannot be reliably overwritten, creating headaches for security-conscious departments. [Source] [UK – The Limits of Anonymisation in NHS Data Systems

WW – Erasing Data on SSDs Proves Difficult

A study published by researchers at the University of California at San Diego says that it is more difficult to erase data from solid state drives (SSDs) than from hard disk drives (HDDs). On some SSDs, overwriting the data several times can make it inaccessible, but some techniques proved more successful than others. Techniques for sanitizing hard drives may not work well on SSDs because their internal architecture is so different. Cryptographic erasure, which involves encrypting the device so that users must provide a password to use it, and when the device is ready to be retired, deleting the cryptographic keys on the SSD, appears to be quite effective. [Source]

EU Developments 

EU – Europe’s Top Court to Hear Google Case

The European Court of Justice (ECJ) will consider the Spanish Data Protection Authority’s demands for Google to remove from search results the links to Web sites that contain certain information about citizens. The ECJ will “offer guidance on whether Spain’s demands comply with European law.” A Google official said the company is pleased that Europe’s top court will review the issue. “It shows that key issues are at stake,” said Google’s head of European external relations. “We believe that European law rightly holds the publisher of material responsible for its content.” [Source

EU – Regulators Seek Stronger IP Address Protection

German data regulators are considering making it illegal for Web companies to provide their visitors’ IP addresses to third parties without their users’ permission. The Lower Saxony DPA has already moved in that direction, with Data Protection Commissioner Joachim Wahlbrink recommending that users’ permission be in place before IP addresses can be passed on to advertisers. Germany’s revised law only allows the use of personal information for marketing “if the individual has expressly consented to such use.” The Lower Saxony DPA’s order to one online marketer to remove an ad tool feature may result in a lawsuit from the company, the report states. [The Register

EU – AFDCP Report Finds Lack of Compliance

The French Association of Data Protection Officers (AFCDP) has determined that 82% of organizations do not abide by the French Data Protection Act. The AFCDP’s annual report for 2011, published last month, found that just 18 percent of responding organizations addressed information access requests in a “legally satisfactory manner,” Monique Altheim writes, adding, “This very useful survey by the AFCDP illustrates how the passing of data protection acts alone is totally useless unless these laws actually get enforced,” questioning that “if legislation does not even guarantee significant compliance, what kind of compliance will ‘self-regulation’ achieve?” The AFCDP’s Bruno Rasle told the Daily Dashboard that most individuals are not familiar with the right of access, “So it is not, until now, very often used,” and “organizations are not ‘trained’ to handle it when it occurs.” Rasle explained that the French press only began writing on this right last year, “but things change. Our results show the presence of a CIL (French version of DPO) provides better quality response. For AFCDP, it is a strong sign: Someone is needed to handle the subject/do the job, and the DPO is the right man. And since we’ve started this index, we see a lot of improvements–thanks also to the CNIL’s onsite audits and penalties. We are confident we are going to see major improvements in the near future.” [Source

EU – CNIL Announces Data Processing Exemption

The French Data Protection Authority (CNIL) has published its Deliberation No. 2011-023, which should make reporting requirements less odious for companies that have no operations in France but use subcontractors or cloud providers there to process data. The French Data Protection Law requires companies to file with CNIL and, in some cases, obtain authorization in advance. Under the new declaration, payroll processing, workforce management and the management of databases of clients and prospects for personal data collected outside of France will be exempt from the requirement for data that is returned to the data controller, or other specified recipient, “for the benefit of the data subject,” the report states. [Source]

Filtering 

WW – Libya Cuts Internet, Bahrain Restricts Traffic

There are reports that Internet access in Libya has been shut down. In that country, the “Internet is essentially owned and controlled by the government through a telecommunication company,” which is chaired by the eldest son of Moammar Gadhafi. The government of Bahrain has reportedly restricted Internet traffic and blocked access to YouTube in an effort to impede protesters’ momentum. The government claims the Internet traffic is lower because connections are overwhelmed. Last week, US Secretary of State Hillary Clinton announced her department’s policy on Internet freedom. [Source] [Source] [Source] [Source] [Source

AU – Supreme Court: Data Could Prevent Fair Trial

The Australian Supreme Court has ordered newspapers to delete certain articles from their Web sites, saying that they could impact the fairness of an upcoming trial. The jurors on the trial will also be ordered to refrain from reading about or discussing the case, but “The confidence in the integrity of the jurors does not mean the court should not protect them from incidents that put their integrity to the test,” said Justice Derek Price. One publishing executive described the decision as “the modern equivalent of burning books,” and a civil liberties advocate said the order appears to “discriminate against the Internet because courts never ordered the removal of a microfiche from every library in the state.” [The Age]

Finance 

EU – Refuses to Reveal Bank Data Transfers to US

The European Commission and Europol have once again refused to reveal any information about how the Terrorist Finance Tracking Agreement between the E.U. and the U.S. is working six months after it came into force. The so-called ‘SWIFT’ accord, which allows the bulk transfer of European citizens’ financial data to the U.S. authorities, came into force on Aug. 1 last year. In December, German representatives revealed that questions from the German data protection commissioner about how many requests the U.S. has made for data and how many, if any, have been approved, were not answered. Europol said that questions could only be answered by the Commission. But the Commission said that ‘neither the Commission nor Europol nor the member states have the power to bindingly interpret the agreement.” Europol further indicated that such sensitive information is in any case top secret. The German delegation to the Council of Europe said that repeatedly sidestepping the questions is not helpful and will lead to growing public mistrust. [Source] [MEP: Swift ‘secrecy’ may hamper new data deals with US

US – FINRA Imposes $600K Fine on Lincoln National Units

The Financial Industry Regulatory Authority (FINRA) has reached an agreement with Lincoln Financial Securities Inc. (LFS) and Lincoln Financial Advisors Corp. (LFA) over inadequate data security. FINRA fined the broker-dealer and financial advisory firms a combined $600,000 for allowing employees to “use shared usernames and passwords to access customer records from any Web browser on any network” and other inadequacies, the report states. FINRA fined LFS $450,000 and LFA $150,000. [Source

WW – PCI Council Launches Training Program

The PCI Council begins its series of training programs intended to educate practitioners on Payment Card Industry Data Security Standards (PCI DSS). The courses “cover all PCI basics, including how the payment system operates straight through to how PCI works and why it is important to be compliant.” Offerings include in-person sessions as well as online training, and there will likely be supplemental guidance throughout the year. Version 2.0 of the PCI DSS went into effect last month, and merchants have one year to comply with the new standard. [Source]

FOI 

CA – Privacy Rules Halted Investigation of Rogue Scientists

The federal government has been pushing Canada’s largest research council to release the names of scientists who fudge research results, plagiarize reports or misspend grant money, according to federal documents obtained by Canwest News Service. But the Natural Sciences and Engineering Research Council has yet to change its rules, despite pointed recommendations from its political masters. The council, which distributes $1 billion in federal funding every year to thousands of researchers across the country, says federal privacy laws prevent it from identifying scientists involved in misconduct, or their universities. [Source]

Genetics 

US – DHS to Test Portable “Real Time” DNA Analyzer

The Homeland Security Department this summer plans to begin testing a DNA analyzer that’s small enough to be easily portable and fast enough to return results in less than an hour. The analyzer, about the size of a laser printer, initially will be used to determine kinship among refugees and asylum seekers. It also could help establish whether foreigners giving children up for adoption are their parents or other relatives, and help combat child smuggling and human trafficking. Only DNA can positively determine family relationships. Eventually, the analyzer also could be used to positively identify criminals, illegal immigrants, missing persons and mass casualty victims. [Source]

Health / Medical 

US – OCR Plans to Tighten Up HITECH Privacy, Security, Breach Regs

Financial penalties for single privacy and security violations will be increased to $50,000 per violation with a maximum fine of $1.5 million under final HITECH privacy, security and breach notification rules. Adam Green, senior health IT and privacy advisor at the HHS Office for Civil Rights (OCR) says changes to the current rules will be made under the OCR’s authority, will arrive in 2011 and “need to be revised to reflect the more widespread use of electronic data and electronic health records.” Besides steeper fines, key changes the OCR aims to implement include direct liability for business associates and subcontractors and restrictions on the use of patient data for marketing and fundraising, the report states. [Source

US – HHS Stepping Up HIPAA Privacy Rules Enforcement

The US Department of Health and Human Services (HHS) appears to be getting serious about enforcing Health Insurance Portability and Accountability Act (HIPAA) privacy rules. HHS has imposed enforcement actions against two organizations for HIPAA privacy violations. Cignet Health was charged a civil monetary penalty of US $4.3 million for failing to provide patients access to their own medical records and failing to cooperate with an HHS investigation into the matter. When Cignet finally sent boxes of records to the US Justice Department, they included records for the 41 individuals who had requested their records as well as records of 4,500 other people. Massachusetts General Hospital will pay HHS US $1 million for the exposure of personal information of 192 patients when documents were left on a subway in March 2009. HHS appears to be getting serious about enforcing HIPAA privacy rules. Both incidents are the result of business process failures rather than technology failures. [Source] [Source

US – Advances in Health Care IT Increase Data Breach Risks, Says Deloitte

Health care organizations using advanced technologies are at increasing risk for patient data breaches, warns a new Deloitte report. The report, “Privacy and Security in Health Care: A Fresh Look“, says that as the health care industry increasingly adopts electronic health records, clinical data warehousing, home monitoring, and telemedicine, the risks of patient data breaches are also increasing. This could lead to more medical fraud and identify theft. Some of the reasons identified in the report for inadequate data protections by health care providers include lack of internal resources, poor internal controls over patient records, lack of upper management support for data security, outdated policies and procedures, and inadequate personnel training. The report recommends that the health care industry adopt a three-prong approach to improve data security: develop and implement appropriate data security controls to mitigate or avoid risk; adopt and implement policies, procedures, and training to mitigate or avoid risk; and verify organizational compliance with policies and standards. [Source] [Press Release

UK – Patients’ Privacy Threatened In NHS Shake-Up, Say Doctors

The overhaul of the NHS will spell the end of doctor-patient confidentiality, the British Medical Association has warned. The association says new legislation will give the Government, quangos and local authorities the power to access sensitive medical details without the patient’s permission. It fears that the change will lead to patients withholding information from doctors. The doctor’s union raised its concerns in a letter to Simon Burns, the health minister. It is calling for the legislation to be redrafted so that proper safeguards are in place. [Source

CA – Study Raises Concerns About Security Measures for Clinical Trial Data

Privacy and security safeguards designed to protect patients’ sensitive files during clinical trials are inadequate, according to a study published in the Journal of Medical Internet Research. Khaled El-Emam – Canada research chair in electronic health information at the Children’s Hospital of Eastern Ontario Research Institute – led the study. Key Findings

  • Researchers successfully decoded passwords for 14 of 15 files transmitted by e-mail. Thirteen of the 14 compromised files contained sensitive health data and other identifying information, such as dates of birth and names of the clinical trial site.
  • Unencrypted patient data was shared through e-mail and posted on shared drives with common passwords.
  • Some password choices were as simple as number sequences like “123” or the names of car manufacturers.
  • Having inadequate security can harm patients participating in clinical trials, potentially leading to medical and non-medical identity theft. [Source]

 

Horror Stories

US – Massachusetts General Takes $1 Million Hit for Losing 193 Patient Records

Following closely on the heels of its first Health Insurance Portability and Accountability Act (HIPAA) privacy rule fine, the Department of Health and Human Services (HHS) has doled out a $1 million fine against Massachusetts General Hospital for a data breach involving 192 patients begin treated for infectious diseases. HHS levied the fine on Mass General for a data breach involving the loss of documents containing names and medical record numbers of 192 patients at the hospital’s Infectious Disease Associates practice, as well as billing forms that included names, dates of birth, medical record numbers, health insurers and policy numbers, diagnosis, and names of provider for 66 of those patients. The practice treats patients with HIV/AIDS, as well as other infectious diseases. According to HHS, the documents, which were not recovered, were left by a Mass General employee on the subway on March 9, 2009. In addition, Mass General agreed to take actions to prevent future data breaches, including implementing a set of policies and procedures regarding information that is removed from the hospital’s premises, training personnel on these policies and procedures, and designating the hospital’s director of internal audit services to serve as an internal monitor to assess the hospital’s HIPAA compliance and produce semi-annual compliance reports to HHS for three years. [Source] See also: [Patient privacy breached at St. Thomas Elgin General Hospital] and [HK – Lost Flash Drive Contains Patient Records]

Identity Issues 

IN – ‘Aadhar’ Does Not Breach Privacy: Nilekani

Allaying privacy fears surrounding ‘Aadhar’, the Unique Identification Authority of India Chairman Nandan Nilekani said the project would in no way put at risk citizens’ security and rights. “The data collected of the individual by means of biometric system will only be for the sake of their identification and access to other facilities like availing bank loans, being part of the PDS system and others. There is no way other agencies or non-concerned parties having access to the Aadhar data base,” Nilekani said. He asserted that the 12-digit Aadhar number will not have much personalised information about the resident for anyone to misuse. He said, nevertheless, the government was looking to put into place a data security law to iron out any privacy issues. UIDAI has issued close to 2 million Aadhaar numbers and targets to touch the 600 million mark by 2014. [Source] See also: [Technology diluting privacy: Indian Supreme Court] and [IN: 45% active users want to pay for goods, services through mobile

IN – Indian Gov’t to Tighten Cyber-cafe Rules: ID & Monitoring

New rules proposed by the Indian government would require users at cyber-cafes to establish their identities, while placing the onus on cyber-cafe operators to take precautions to ensure that their computers are not utilized for any illegal activity. The proposed rules, which would come into effect under the country’s Information Technology Act, reflect concerns that the Internet is being used for illegal activities such as planning terrorist attacks and viewing pornography in public, which is illegal in India. The government has viewed public Internet services offered by cyber-cafes with suspicion for some time, and more recently it has scrutinized other online communications, including through mobile phones. Under the proposed rules for cyber-cafes, operators cannot allow a user to use computer resources without the person’s identity first being established. Users will be asked to establish their identities by producing documents such as their passport, voter identity card, photo credit card, driver’s license, or identity cards issued by schools and colleges. Users who cannot establish identity to the satisfaction of the cyber-cafe operator might be photographed by the cyber-cafe using a Web camera. The photographs are to be part of the log register, which may be maintained in physical or electronic form. The Ministry of Communications and Information Technology has invited public comments on the new rules. The rules would require cyber-cafe owners to store and maintain certain backups of logs and computer resource records for at least six months for each access or login by any user. These include the history of websites accessed, mail server logs as well as logs of any proxy servers, network devices, firewalls or intrusion prevention and detection systems that are installed. Partitions of cubicles in the cyber cafe would not be allowed to be higher than four and a half feet from the floor level, and minors would be denied access to computers from these cubicles unless they are accompanied by parents or guardians. The draft rules, if they come into effect, would also require that all the computers in a cyber-cafe be equipped with safety and filtering software to avoid access to websites relating to pornography, obscenity, terrorism and other material deemed objectionable. Cyber-cafes would also have to display a board, clearly visible to users, prohibiting them from viewing pornographic sites, according to the proposed rules. [Source]

Intellectual Property 

US – Lawsuits Challenge U.S. Online Data Brokers

Two lawsuits in federal court in California that challenge the way a popular online data-mining company does business could give consumers more privacy protection from firms that sell personal information on the Web. In the most recent complaint, filed last week in the Central District of California, plaintiff Thomas Robins alleged that Spokeo Inc. violated the Fair Credit Reporting Act by offering false data about individuals without giving them the chance to correct or remove inaccurate reports. The suit alleged that Robins’ Spokeo profile was rife with misinformation, stating that he was in his 50s, married with children and employed in a professional field. Robins is actually in his 20s, single and has no children. He argued that such false representations have hurt his employment prospects, causing him anxiety and lost earnings. In a similar suit filed in September in the Northern District of California, plaintiff Jennifer Purcell alleged that Spokeo marketed her personal information in violation of the FCRA, which restricts who can access personal information. Both Robins and Purcell are seeking class-action status for their cases. The lawsuits reflect efforts by privacy advocates to gain some measure of control over the data aggregators like Spokeo, which have proliferated. The Privacy Rights Clearinghouse lists over 130 online data vendors on its website, including Intelius, Jigsaw and Peek You. Robins and Purcell face the challenge of proving actual harm – a heavy burden in privacy cases where the damage is seldom tangible. [Source]

Internet / WWW 

UK – High Court: Newspaper’s Anonymous Posters Can Stay Anonymous

The Daily Mail does not have to identify the people behind two anonymously posted comments on its website because to do so would breach their rights to privacy, the High Court said. The subject of a news story had demanded information from the Daily Mail that would help her to identify the two commenters so that she could sue them for defamation, but the Court said that identification of those people would be disproportionate. But Justice Sharp said that the posters’ rights to privacy were more important than the woman’s right to take legal action about comments that were little more than “pub talk”. Jane Clift sued Slough Council after it put her on its list of potentially violent people following her complaint to the Council about the antisocial behaviour of a man in a park. The Council said that Clift’s conduct in complaining had been threatening and it put her name on the list, where it could be seen by Council departments and Government agencies, for 18 months. Clift won her case and was paid libel damages. The Daily Mail’s website carried a report on the story and a year after its publication Clift saw it. She objected to remarks made by two readers in the comments section of the web page. She asked the High Court to order the Daily Mail to give her information which could help identify the people so that she could sue them for defamation. Justice Sharp said that Clift’s case was not strong enough to merit the identification, and that she should not have taken the comments as seriously as she did. [OUT-LAW News

US – Cyber Security Bill Expressly Prohibits Internet Kill Switch

Legislation introduced in the US Senate late last week clarifies the intent of the bill’s sponsors. The Cybersecurity and Internet Freedom Act specifically denies the President the “authority to shut down the Internet.” The new language comes in response to reports that the bill’s sponsors had written a provision for an Internet kill switch into the legislation. The new bill would require critical infrastructure operators and owners to address vulnerabilities on their networks. [Source] [Source] [‘Kill Switch’ Internet Bill Alarms Privacy Experts

US – Legislator Calls for Secure Default Web Pages

Senator Charles Schumer (D-NY) is calling on online companies to switch their default pages from HTTP to HTTPS to help protect users who connect to the Internet through public Wi-Fi hot spots. The advent of programs like Firesheep makes it easy for people with little or no technical skill to steal sensitive information, including login credentials and financial account information. [Source]

Law Enforcement 

CA – Alberta Government Will Make Public Police Database Report

Alberta Solicitor General Frank Oberle says the government will make public an internal government report that shows how a new police database will affect people’s privacy. The government initially said it would not release the assessment of The Alberta Law Officers’ Network, known by its acronym, Talon. A spokeswoman had said that “once the privacy commissioner has reviewed it, then we will be guided by his comments.” Oberle did not say when the review will be released. His department has previously said it would be complete by early March. [Source

US – Lawful Access Proposals: Privacy vs. Policing

The Washington Senate Judiciary Committee heard testimony on a bill that would prohibit local law enforcement agencies from collecting and storing information about an individual’s political, religious or other First Amendment-protected views unless “there is reasonable suspicion that the subject of the information is or may be involved in criminal conduct or activity.” Law enforcement turned out in force in opposition to the bill. Don Pierce, executive director of the Washington Association of Sheriffs and Police Chiefs, said the bill would prevent police from collecting information and storing it as they conduct criminal investigations. “We call these tidbits of information ‘clues,’” he said. “If you pass that bill, you will effectively prevent us from collecting that information.” Police also raised concerns about the potential cost of the bill, which calls for audits of law enforcement agencies to ensure compliance. Sen. Adam Kline, D-Seattle, the chairman of the Senate Judiciary Committee and the prime sponsor of the bill, suggested that the bill would create some accountability for agencies that investigate and collect information about protected speech. Michael German, the ACLU’s policy counsel in Washington, D.C., and a former FBI agent, said unjustified law enforcement investigations of political activity protected by the First Amendment have a chilling effect on such speech and are “damaging to democracy.” [Source] See also: [US: GBI arrests Georgia Cop for Running Tag info]

Offshore

IN – Indian Government Publishes Draft Rules

The Ministry of Communications and Information Technology has proposed three draft rules that would implement the Information Technology Act, 2000. The rules include Reasonable Security Practices and Procedures and Sensitive Personal Information, which covers information processed in India no matter its origin; Due Diligence Observed by Intermediaries Guidelines, which requires intermediaries to notify computer resources users of unethical and unsafe online activities and police these actions, and Guidelines for Cyber Cafés. The rules are open for comment through today, and according to the report, the U.S. Department of Commerce is considering submitting comments on behalf of the U.S. government. [Hunton & Williams Privacy and Information Security Law Blog]

Online Privacy 

EU – ENISA Warns About Privacy Threat from Next-Generation Cookies

The European Network and Information Security Agency (ENISA) is warning that new types of cookies with “privacy-invasive” features for marketing, tracking, and profiling pose increased privacy risks for computer users. In its policy paper Bittersweet cookies: Some security and privacy considerations, ENISA said that new types of cookies being developed by the advertising industry support user-identification in a persistent manner and do not have enough transparency about how they are being used. To mitigate the privacy and security implications of these next-generation cookies, ENISA recommends that users’ informed consent should guide the design of systems using cookies; the use of cookies and the data stored in cookies should be transparent for users. In addition, users should be able to manage cookies, in particular new cookie types. All cookies should have user-friendly removal mechanisms which are easy to understand and use by any user. Also, storage of cookies outside browser control should be limited or prohibited, and users should be provided with another service channel if they do not accept cookies, ENISA recommends. [Source

WW – SANS Technology Institute Paper: Assessing Privacy Risks from Flash Cookies

This paper was developed by students Stacy Jordan and Kevin Fuller as part of the SANS Technology Institute Masters Program. It includes an analysis of flash cookies; a description of the risks of using flash cookies; and technical approaches for detecting, removing, managing and analyzing flash cookies. [Source] [Paper

US – Ad Industry Slams Do-Not-Track Proposal

The public comment period on the FTC’s “Protecting consumer privacy in an era of rapid change: A proposed framework for businesses and policymakers” report has ended, and the reactions are varied. Industry groups, for example, are among those opposing calls for a do-not-track mechanism to improve consumer privacy online. InformationWeek reports on the assertion by industry groups that the FTC’s proposal would “wreck the ability of Web sites to provide personalized content.” The Interactive Advertising Bureau, which suggests “a do-not-track program would require reengineering the Internet’s architecture,” is instead recommending self-regulation for online advertising. [Source

US – IAB Members Must Publicly Affirm Privacy Principles

In the midst of looming online tracking legislation, the Interactive Advertising Bureau (IAB) has voted to require all its members to sign a new code of conduct that includes compliance with the industry’s self-regulatory principles. The IAB is giving members up to six months to follow the principles, which state that companies must provide clear notice of cookie-based behavioral advertising in at least two places and must obtain user consent—though it may be on an opt-out basis–in order to track. Companies that fail to comply face a six-month suspension and possible FTC sanctions, the report states. [Source

US – Facebook Responds to FTC’s Privacy Plans

In its 29-page response to the FTC’s proposal for protecting privacy online, Facebook offered one of the most comprehensive looks to date at its stance on privacy and how the company believes the issue will – and should – evolve. While acknowledging that government regulation ought to play a role in safeguarding user information on the Internet, Facebook argued in the response that web companies should be principally self-regulated so as not to stifle innovation. The company said it agreed with the FTC that greater transparency and the option of “context-sensitive privacy protections,” or what the FTC had called “privacy by design,” were important, but stressed the importance of taking into account individuals’ evolving perceptions of privacy. [Source] [Facebook’s comments to the FTC]

WW – Facebook to Redeploy Sharing Feature

As Facebook plans to reactivate a feature that would allow third-party applications to request contact information from users, Rep. Ed Markey (D-MA) says he is not satisfied with the company’s response to his inquiry about such features. After Markey and Rep. Joe Barton (R-TX) last month wrote to the company about privacy concerns, Facebook suspended the feature temporarily. It now says it will redeploy the feature alongside enhanced “user controls.” Responding to Markey’s concerns about third-party access to minors’ contact information, a Facebook spokesman said children under 13 are prohibited from using the site and that it is “actively considering” whether third parties may request information from anyone under 18. [Source] [Facebook letter

US – Google in Privacy Trouble Again for Collecting Kids’ Digits

Google has nabbed the “privacy outrage spotlight” this week over its collection of the last four digits of children’s social security numbers in an art contest — Doodle 4 Google. Documentary director Bob Bowdon brought the practice to light in a Huffington Post editorial, pointing out that Google’s entry forms for the contest requested children’s date and city of birth, as well as the last four digits of their SSNs. He hyped the story by pointing out that “a national, commercial database of names and addresses of American children” could “be worth many millions to marketing firms and retailers.” Children’s protection groups started rumbling; “twenty-six hours later Google released an updated Parental Consent form without requiring the last four digits of the child’s SSN, although the form still inexplicably asks for the child’s city of birth,” wrote Bowdon. Broadcasting & Cable reports that Google was using the SSNs to sort entries and prevent duplicate entries. The children’s city of birth was needed to ensure that the contest was limited to U.S. citizens. Privacy advocate Anne Collier, executive director of ConnectSafely.org, tells the Associated Press: “It was a stupid mistake, but they corrected it so let’s move on.” But yesterday, Congressmen Joe Barton and Ed Markey, heads of the House Privacy Caucus, released a joint statement saying they plan to hold a hearing over children’s privacy because of the Google flap: We are deeply disturbed by recent media reports that Google may have engaged in sketchy practices with its Doodle 4 Google contest by collecting the social security numbers of children who participated in the contest. This is unacceptable. [Source

WW – Google Mapping Feature Expands, Authorities Concerned

As Google moves forward with plans for its Street View mapping feature in Israel and Switzerland, authorities are voicing concerns. The company will soon photograph 218 miles of the Swiss Alps for the feature, despite a pending court challenge. A hearing is scheduled for February 24 after Switzerland’s data protection officer argued in 2009 that Street View’s privacy safeguards were insufficient. Google has agreed not to post new photos in Switzerland until a ruling has been made and said it has made improvements. The company has also met with Swiss data protection officials. Meanwhile, as Google plans to launch Street View in Israel, officials are concerned about potential uses of the images. [Source

AU – Nations Look to Retain Data for One Year

Talks between the U.S. and Australia could result in Internet search providers (ISPs) retaining data on users for one year. The talks, slated for July, aim to align data retention periods between the two countries and Europe. Though some European nations suggest retaining data for five years–an idea being considered by the European Convention on Cybercrime–both the U.S. and Australia believe that’s too long, according to Australia Attorney General Robert McClelland. McClelland added that governments have a “strong obligation” to balance the scope of data retention and law enforcement needs for data to solve crimes. [Source]

Other Jurisdictions 

NZ – Emergency Code Issued After Earthquake

In the aftermath of the Christchurch earthquake, Privacy Commissioner Marie Shroff has issued an Information Sharing Code to allow emergency services to “share personal information as necessary to assist victims of the earthquake and their families.” The code will remain in effect for the next three months and will then be reviewed. “Although the Privacy Act already allows collection and disclosure of information in emergencies and for public safety, greater certainty will help everyone,” Shroff said. The code is aimed at helping identify injured individuals, assisting with medical and financial needs, notifying families and making it possible for visitors to get home. [Source]

Privacy (US) 

US – Supreme Court: Businesses Do Not Have Personal Privacy Rights

Corporations do not have personal privacy rights when it comes to the disclosure of federal records. That’s according to a U.S. Supreme Court ruling. The case was brought forward after an Appeals Court ruling that found an exception in the federal Freedom of Information Act where the U.S. Congress defined a “person” to include “an individual, partnership, corporation, association or public or private organization.” In today’s ruling, the justices unanimously overturned the prior court’s finding that “corporations can assert personal privacy in claiming the records should be exempt from disclosure,” the report states. [Reuters

US – California’s High Court Rules That Stores Can’t Request ZIP Codes

Retailers do not have the right to ask consumers for their ZIP code while completing credit card transactions, according to a ruling by the California Supreme Court. California’s high court of seven judges unanimously stated that the practice of requesting customers’ ZIP codes infringe on their privacy rights. The ruling, which overrules previous decisions by trial and appeals courts in the Golden State, pointed to a 1971 State law that prohibits businesses from asking credit card users from information that could be used to track them down. Requesting ZIP codes “would permit retailers to obtain indirectly what they are clearly prohibited from obtaining directly,” the ruling stated. [Source

US – FERC Report Cites Smart Grid Privacy Concerns

The Federal Energy Regulatory Commission (FERC) this month released its biannual report, which includes questions about smart meters and privacy. The report outlines concerns about consumer data privacy as companies continue to deploy new technologies, and customers, unsure of the purposes and uses of such technologies, push back. “The existing business policies and practices of utilities and third-party smart grid providers may not adequately address the privacy risks created by smart meters and smart appliances,” the FERC report states. Jeff St. John writes that this year may be the year that “smart grid privacy finally becomes a must-do, rather than a oft talked-about, subject.” [Source

US – Suit: Sharing Device IDs Violates Privacy

The most recent potential class-action suit against Apple and 11 outside companies is for allegedly violating the privacy of iPhone and iPad users. The suit is the fourth case of its kind and was filed in U.S. District Court in California. It alleges the company violated federal and state laws and contends that users did not authorize Apple to share their devices’ unique identifiers with application developers and other parties. However, the report states, it remains to be seen “whether courts will rule that transmitting a unique device number–as opposed to a name or street address–raises any privacy issues.” [Source

US – Customer Sues Game Retailer for PII Collection

A California resident has filed a class-action lawsuit against a game retailer for allegedly “requesting and recording personal information from its customers without their knowledge or consent.” Melissa Arechiga filed the suit last week on behalf of all customers who made a purchase within the last year at a GameStop location that allegedly collected her name, credit card number and personally identifiable information (PII). The suit claims that the store made no attempt to delete the information from the electronic cash register after the credit card number was recorded, which violates a California law prohibiting corporations from requesting credit card customers to provide and record PII, the report states. [Source]

Privacy Enhancing Technologies (PETs) 

WW – Governing Body Accepts Microsoft Tracking Proposal

The World Wide Web Consortium (W3C), the governing body for HTML5, has accepted Microsoft’s tracking opt-out proposal to protect consumer privacy. Microsoft’s Tracking Protection allows users to choose not to be tracked on the Web by blocking the content that does the tracking, the report states. Internet Explorer’s corporate vice president, Dean Hachamovitch, said online privacy is a high priority for consumers and governments around the world. Ashkan Soltani, a privacy and security researcher, called Microsoft’s release of the program “a great move” that demonstrates the company’s recognition “that for this to work, you want both technology and policy to work in tandem.” [PCWorld

WW – Start-Ups Capitalize on Data as Currency

Entrepreneur Shane Green’s company allows people to personally profit from providing companies with their personal data, which he says has become “a new form of currency.” His company is one of about a dozen start-ups aiming to capitalize on privacy as marketers increasingly rely on personal data for targeted ads. One London real estate developer now offers to sell people’s personal information on their behalf and give them 70% of the sale, the report states, while others offer products to help block online tracking or charge to remove users from marketing databases. One entrepreneur said while “privacy” was a hard sell as of two years ago, investors are now quick to jump at opportunities. [Wall Street Journal: Web’s Hot New Commodity: Privacy

US – Despite Tracking Concerns, Investments Continue

The Wall Street Journal reports that in spite of ongoing concerns about tracking and a push for legislation to regulate online advertising, companies that specialize in this kind of tracking continue to secure venture capital investments. “Since 2007, venture firms as a group have invested $4.7 billion in 356 online ad firms,” the report states, increasing at a rate of 29% last year alone. While a Jafco Ventures partner suggests, “Advertisers want to buy individuals. They don’t want to buy (Web) pages,” Chris Fralic of First Round Capital says privacy concerns can influence investment decisions. As he puts it, “What I look for are the consumers raising their hands” against having their privacy compromised. [Source]

RFID 

EU – Working Party Approves Self-Regulatory Proposal

The Article 29 Working Party has approved an industry proposal for a privacy and data protection impact assessment framework for RFID self-regulation. Although it rejected a series of drafts, including a March 31, 2010, proposal that contained only “scattered references” to risk assessment, industry reworked its proposal and submitted its latest version, the Revised Framework, on January 12. The industry proposal was developed at the request of the European Commission, which issued a recommendation in 2009 on the implementation of privacy and data protection principles in applications supported by RFID. In its February 11 opinion, the Article 29 Working Party endorsed the revised framework. [Source]

Security 

WW – Security Shocker: Android Apps Send Private Data in Clear

Cellphones running the Android operating system fail to encrypt data sent to and from Facebook and Google Calendar, shortcomings that could jeopardize hundreds of millions of users’ privacy, a computer scientist says. In a simple exercise for his undergraduate security class, Rice University professor Dan Wallach connected a packet sniffer to his network and observed the traffic sent to and from his Android handset when he used various apps available for Google’s mobile platform. What he saw surprised him. The official Facebook app, for instance, transmitted everything except for the password in the clear, Wallach blogged on Tuesday. This meant that all private messages, photo uploads and other transactions were visible to eavesdroppers, even though the account had been configured to use Facebook’s recently unveiled always-on SSL encryption setting to prevent snooping over insecure networks. Google Calendar showed a similar carelessness in Wallach’s experiment by also sending and receiving data in the clear. That makes it possible for snoops to see your schedule when the service is accessed on unsecured networks. Wallach found a few other apps that took a cavalier approach to user privacy. [Source] See also: [Modified Android App Sends Surreptitious Text Messages to Premium Numbers] [NYT: Security to Ward Off Crime on Phones] and [Suspect in iPad data theft remains jailed in NJ

AU – Security to Go Under Privacy Microscope

The Australian federal privacy commissioner Timothy Pilgrim intends to clamp down on businesses that neglect security standards following a string of public data breaches this year. Future investigations will focus on determining if businesses have adopted baseline privacy and security benchmarks before collecting customer data. Businesses will need to have constant “strong risk assessment processes” that ensure only necessary customer data is held within corporate systems, he said. “Businesses need to make sure the privacy protections are strong and are built early into the systems. Information will be vulnerable when the right security controls are not in place, as we found with the Vodafone system.” Privacy probes will examine whether security systems have been “regularly updated” and are designed in accordance with industry benchmarks including ISO 27002:2006. [Source

UK – Keystroke Loggers Found on Library Computers

Keystroke logging devices were found plugged in to computers at libraries in Cheshire, UK. It is not known how long the devices were connected to the computers before they were discovered. Keyboards are now being plugged in to ports at the front of computers. [Source] [Source]

Surveillance 

AU – Australian Government Opens Consultation on Cybercrime Treaty

The Australian government is seeking public comments on a proposed cyber crime treaty that would allow the government to order real-time network traffic data collection. Australia is considering signing the Council of Europe Convention on Cybercrime, which was established in 2004. Australia is in line with much of the treaty already, but the treaty’s provisions for collection and storage of traffic data would require legislative amendments. [Source] [Source] [Source] see also: [New Technology Hinders FBI Wiretaps

JP – Japan Company Developing Sensors for Seniors

Japan’s top telecoms company is developing a simple wristwatch-like device to monitor the well-being of the elderly, part of a growing effort to improve care of the old in a nation whose population is aging faster than anywhere else. The device, worn like a watch, has a built-in camera, microphone and accelerometer, which measure the pace and direction of hand movements to discern what wearers are doing – from brushing their teeth to vacuuming or making coffee. In a demonstration at Nippon Telegraph and Telephone Corp.’s research facility, the test subject’s movements were collected as data that popped up as lines on a graph – with each kind of activity showing up as different patterns of lines. Using this technology, what an elderly person is doing during each hour of the day can be shown on a chart. The prototype was connected to a personal computer for the demonstration, but researchers said such data could also be relayed by wireless or stored in a memory card to be looked at later. Plans for commercial use are still undecided. [Source] See also: [Canadian Doctor filmed naked patients with hidden camera

UK – Freedoms Bill good for CCTV, Not for Privacy

A statutory code of practice covering CCTV/ANPR is to be produced by the Home Secretary and regulated by a new “Surveillance Camera Commissioner”. The code’s application is limited to policing bodies and local authorities; it does not cover the CCTV systems that are installed by Government Departments, the Security Service, other public bodies, or used in large shops or shopping malls. If the measure was intended to limit CCTV surveillance, then one would expect that some of these missing areas would be covered in its provisions. Also not covered in the code is the use of CCTV in the domestic circumstance. The Home Secretary is seeking powers that could extend the bodies that are subject to the code. There is no penalty if the code is breached, although a breach of the code may be raised in any legal proceedings. There are no new individuals rights created – for instance, for the Surveillance Camera Commissioner to investigate complaints about the operation of the code. There is also a possibility of at least two regulators with apparently overlapping responsibilities; this does not seem to be a useful proposal if privacy protection is an objective. The Surveillance Commissioner could be a third regulator if CCTV is used in combination with covert directional microphones. There is no provision in the code with respect of retention of CCTV images, but retention provisions can be included in the code at any time. Also missed from all the press coverage is the role of Automated Number Plate Recognition (ANPR) camera systems. ANPR is important because of the police have a policy of “denying criminals the use of the roads” [Source] [UK: People get power to take CCTV abusers to court] see also: [US: ‘Spier’ education: Officials pull plug on website promoting hidden camera gadgets for principals]                                                                                             

NZ – Reality TV Show Breached Privacy

A Northland man whose arrest for possession of a small amount of cannabis was shown on TV2’s Police Ten 7 programme had his privacy breached, in what the Broadcasting Standards Authority (BSA) says is a “landmark decision” regarding filming reality television. It has ordered TVNZ to pay the man $1500 in compensation for breach of privacy and the Crown costs of $1000. [Source

WW – Microsoft Addresses Silent Updates in Blog Posting

Microsoft has admitted that it has been issuing “silent” updates for some time. The fixes are not documented in security bulletins and are usually delivered to address variants of vulnerabilities for which fixes have already been issued. [Source] [Source

WW – Microsoft Changes Stance on Internet Quarantining

Microsoft’s Scott Charney has had a change of heart about where the responsibility for keeping inadequately protected machines off the Internet should lie. Last year at the RSA conference, Charney, who is Corporate VP for Trustworthy Computing, said that ISPs should take the lead, possibly scanning machines and quarantining those deemed unsafe. Speaking again at RSA this year, Charney says he “realize[s] that there are many flaws with that model.” Users may perceive the scans as invasive, and an unpatched machine could keep someone who uses it for communication from reaching emergency services. The biggest stumbling block, said Charney, is the cost imposed on ISPs. The new position would have web service providers impose requirements on users. [Source] [Source] [Source]

Telecom / TV 

AU – Australian Communications Authority Questioning Telecoms About Data Security

Following Vodafone’s exposure of customer data, the Australian Communications and Media Authority (ACMA) is starting to crack down on other telecommunications providers. Ten major players in Australia’s telecommunications market have been contacted by ACMA, which is seeking answers to questions about how each company handles customer information security. [Source

UG – Uganda: Phone Tapping Law Comes Into Force

President Yoweri Museveni has assented to the Regulation of Interception of Communications Act 2007, which authorises the tapping of telephones and other private communication for security purposes. The Act, which has now become law, forbids repeated sending of abusive messages and letters. “A person who repeatedly makes abusive telephone calls or causing another person to make abusive telephone calls to the victim, commits an offence,” reads the Act. This also means telecommunication service providers will be required to register SIM cards of their clients. The President assented to the Act on February 17, 2011. [Source] See also: [Jamaica: Nelson tackled on privacy rights stance]

US Government Programs 

US – Bill Would Require CISOs in Federal Agencies

The E-Government Act, currently in front of congress, would require federal agencies to designate a senior officer as chief information security officer (CISO) and lays out the responsibilities of that position. Sponsored by the leaders of the Senate Homeland Security and Governmental Affairs Committee, the bill states that the CISO would oversee agency security operations and report annually to the agency head. The CISO would also, with the federal CIO, “establish, maintain and update an enterprise network, system, storage and security architecture” to be accessed by a newly created National Center for Cybersecurity and Communications. [Source]

US Legislation 

US – Full-Body Scan Privacy Law Gets One Step Closer to Reality

Back in December, a law being proposed by Senator Chuck Schumer would make it a crime to distribute or save images taken as part of an airport security scan. That law has come one step closer to becoming a reality after being unanimously accepted as an amendment to the FAA Reauthorization Bill being considered by the Senate. The legislation, known as Security Screening Confidential Data Privacy Act, ensures that anyone — airport staff or member of the public — with access to scanned body images would be prohibited from photographing or disseminating those images. Violators could face up to one year in prison and a fine of up to $100,000 per violation. In addition to airports, the bill would also cover images from scans in courthouses and federal office buildings. It also covers not just the original image files, but any photographs taken by cameras, cell phones or any other video device. By being attached to the non-controversial FAA Reauthorization Bill, which sets travel policy for the entire country and funds the Federal Aviation Administration, insiders tell Consumerist that the privacy legislation is virtually guaranteed to pass. The Senate is expected to vote on the complete bill as early as this week. [Source] [DHS: Body Scanners Do Not Store, Transmit Images]

Workplace Privacy 

US – Disneyland Workers Plan Lawsuit Over Privacy Concerns

Two Disneyland Resort employees will seek to certify a class action lawsuit against the Walt Disney Company to stop Disney from encoding the worker’s Social Security numbers in a barcode printed on their cast member identification cards. Jorge Iniestra and Josh Stern claim this practice violates a California privacy law, and exposes the cast members to the risk of identity theft. The union says the lawsuit could involve 20,000 Disneyland Resort employees, and that Disney employees elsewhere in California may also be covered by the action. Local 11 says that workers at the Walt Disney World Resort in Florida also have the same information on their ID cards, but that those workers are not part of this lawsuit. [Source] See also: [Florida Police Obtain Warrant to Search ‘All Persons’ in Apartment Complex] and also: [Court gives SPCA access to workers’ compensation documents in dog slaughter case

US – Maryland AG: Requiring Employees’ Personal Passwords is Legal

Maryland Attorney General Douglas Gansler says requiring a prospective state employee to turn over his social networking user names and passwords as a condition of employment could be appropriate and legal. A day after Maryland’s Department of Public Safety and Corrections suspended the practice, which it used to root out potential employees’ possible gang affiliations, Gansler says the major problem is there hasn’t been a written policy in place for corrections officials. Gansler, whose office defends the corrections department in court, says it “it would be patently unfair” to say to a current employee, who had passed all background checks, “Now you’re going to have to waive all your privacy rights on the Internet in terms of your social networking.” “It’s a completely different issue to prospectively do it, and say ‘You can be a correctional officer at this facility, but one of the things you should know up front is that you’ll have to give up your passwords to your social networking websites.’” Gansler says his office was not consulted by corrections officials before or after the policy was put in place, or since it was temporarily suspended after complaints from the American Civil Liberties Union of Maryland. [Source] [Want A Job? Password, Please!]

CA – Many Companies Monitor Employees Online Use

Any electronic correspondence sent at the workplace should be considered about as private as a postcard. That’s the message from the head of Quebec’s Privacy Commission, Jean Chartier, who recently advised that a “computer screen is not a wall that you can hide behind.” A case set to unfold this week before Montreal’s city council illustrates the lingering question surrounding how much privacy an employee can expect at work, The Montreal Gazette reports. A city employee claims to have been spied upon by officials who say they investigated the employee based on allegations of misconduct. Employees must work within the employer’s guidelines, Quebec’s privacy commission warns. [Source

+++

 

01-14 February 2011

Biometrics 

AU – No Ad Hoc Biometrics Sharing: Privacy Chief

Australian Privacy Commissioner Timothy Pilgrim has warned pubs and clubs collecting biometric information from their patrons not to “automatically” share that information with other clubs unless they have notified their patrons. This week the news emerged that the collection of personal information such as biometrics and driver licence details by pubs and clubs has soared. Clubs and pubs use the information to reduce the risk of violence by pinpointing offenders and banning them from venues. “The office is aware of the use of this technology by some organisations. Any pubs and clubs using this technology should be aware that under the Privacy Act, organisations must provide individuals with notice of what will happen to the collected information,” Pilgrim said. “It cannot be automatically shared with other venues, even if the purpose for sharing it is the same across all the organisations.” Pilgrim also backs a voluntary privacy code created by the Biometrics Institute. Clubs NSW has agreed to sign onto the charter and will participate in upcoming biometric privacy discussions, but the reception from other states has been cold, according to Biometrics Institute head Isabelle Moeller. Interesting points in that code include that the venues have to provide individuals with access to the personal information stored, and if possible, be given the opportunity to have their information removed from the system. All biometric information should also be encrypted immediately after collection, according to the code, and third-party auditing of the system should be implemented. [Source

EU – Reding Investigating Passport Laws

The Dutch government is treating innocent citizens as potential criminals by storing their fingerprints for passports, according to MEP Sophie in’t Veld, who has incited a European Commission investigation into whether Dutch passport legislation breaches EU data protection rules. The government stores four fingerprints in a central database kept by local councils. European Justice Commissioner Viviane Reding is leading the commission’s investigation. In’t Veld says the Dutch practice is much more privacy-intrusive than other EU-member states’ practices and that the United Nations Human Rights Council is critical of the practice. [Radio Netherlands Worldwide]

Canada 

CA – Joint Border Plan Gets Green Light

Canada and the United States are poised to take a major step toward common border security controls that could lead to joint government facilities, sophisticated tracking of travellers, better cyber-security protection and improved oversight of overseas cargo shipped to both countries. Prime Minister Stephen Harper and U.S. President Barack Obama are expected to give the green light to a comprehensive shared review of border security aimed at tightening protection from terrorists and easing the flow of cross-border traffic. They are expected to assign a working group of government officials to study the issue and return back with an “action plan” within several months. On Parliament Hill, the Harper government came under attack again from the Liberals and New Democrats for negotiating the border security deal in secret – potentially putting Canadian sovereignty at risk. But business groups are welcoming the development. Several “principles” would buttress the Action plan: a “greater sharing of information” between the two nations; co-operation to develop and implement security initiatives and standards; respect for privacy and civil liberties; and recognition of the “sovereign right of each country to act independently in its own interest.” [Source

CA – Feds say Google Maps, Canpages Taking Right Steps to Protect Privacy

A House of Commons committee says the privacy of Canadians is being protected by online mapping applications like Google Maps. The committee has been examining efforts by companies that build online maps using real pictures of homes and streets, such as Google and Canpages, the report states, and says both companies’ policies about notifying individuals of filming and blurring identifying information are sufficient. Following Privacy Commissioner Jennifer Stoddart’s investigation and subsequent recommendations about Google Street View cars’ accidental collection of WiFi data, MPs now say they are “cautiously optimistic” that Google is taking privacy more seriously since it hired a privacy director and introduced employee training. Stoddart had said today was Google’s deadline for compliance. The committee, however, said it has concerns about companies not considering privacy in the development phase of new technologies. [Winnipeg Free Press] See also: [CA – Report: Lottery Site Privacy Problems Fixed] [Google adds optional two-step Gmail security]

Consumer 

US – Survey: Americans Worry About Online Privacy

Most Americans are worried about privacy and viruses when using social networking media. Seven out of 10 Facebook members surveyed said they are either “somewhat” or “very concerned” about their privacy on the site. In the same survey, 52% of Google users also said they are somewhat or very concerned about privacy while using the search engine. Privacy attorney Chris Wolf of Hogan Lovells says, however, that companies are increasingly paying attention to privacy concerns and that new services revolve around “ways to empower people to protect their information,” the report states. [Source] See also: [Did the Internet Kill Privacy?] 

UK – Wired UK Tries to Creep Out Readers With Invasive Personalized Covers

Some British subscribers to Wired Magazine are in for a surprise this month — a few select readers are receiving personalized versions of the magazine, with their personal details spilled across the cover. The first report of a “dossier issue” came from Benjamin Cohen, a technology reporter. Titled “Your Life Torn Open,” a paragraph on Cohen’s cover begins, “We mean you, Benjamin Cohen,” and then goes on to list his employer (Channel 4 News), that he will be 29 on August 14th, his address — current and former (not shocking that a magazine mailed to you would have that), his parents’ address, and that he had met up with his ex-boyfriend earlier this month. The only piece of information that seemed to really shock him was that last bit (Wired had mined his Twitter account).Condé Nast did not respond to a media request as to how many of these covers were printed. [Source]

E-Government 

US – Seattle Ramping Up Single Sign-On

Seattle launched a new website this week allowing citizens to customize Seattle.gov’s home page to display only the services relevant to them. On My.Seattle.Gov, users can add a widget to view crime stats for their neighborhoods, news feeds, events occurring in their communities and Seattle Channel Live videos. The customization functionality is modeled after Google’s customization tool iGoogle. Seattle’s Office of the Mayor used the launch as an occasion to announce Seattle.gov’s single sign-on function. Having been in place since 2009, the single sign-on is a work in progress. It aims to authenticate users with one sign-on to access the roughly 50 services on Seattle.gov that usually require individual registrations. So far, the single sign-on covers the following services: Residents can use the single sign-on to submit electronic Department of Planning and Development permits and watch their permits progress through the system. Police reports can be seen via the single sign-on, and Seattle Department of Transportation employees can use it to access a project management tool for interacting with vendors. [Source

CA – Tories Accused of Digging Up Dirt on ‘Liberal’ Profs

Two University of Ottawa professors, vocal critics of the federal Conservative government, say they have become targets of a new political intimidation tactic, aimed at using their private, personal information against them. Professors Errol Mendes and Amir Attaran, frequently castigated as Liberal sympathizers by the Conservatives, were notified in recent weeks of two unusually massive freedom-of-information requests at the U of Ottawa, demanding details of the professors’ employment, expenses and teaching records. The person (or persons) behind the requests remains anonymous under Ontario law, but Mendes and Attaran are convinced that it’s part of an academic witch hunt by the governing party – part of a wider campaign to silence university voices that may be critical of the Conservatives. This hyperpartisan chill descended on the federal bureaucracy years ago – now the concern is that it’s stretching into academia as well. “I was stunned,” said Mendes, who said the University of Ottawa does not intend to release much of the information requested, since most of it is personal and private and therefore exempt from the disclosure requirements in the legislation. [Source] See also: [Cat’s ‘privacy’ protected by BC Liberals

US – Oregon Prisons Hit by Worker Info Breach

The Oregon Department of Corrections (DOC) announced that a non-employee had access to a thumb drive that may have contained the payroll information of up to 550 staffers from at least three correctional facilities. The DOC and the state police are investigating the breach. An agency spokesperson said, “We do not believe the breach was malicious in intent, nor do we have any indication at this time that the personal information has been used or misused.” The DOC is offering free credit protection to those affected and is reviewing its internal security practices to prevent future breaches. [KTVZ

CA – Ontario Privacy Boss Slaps Vaughan, PowerStream

Ontario’s information and privacy commissioner has ruled that the way municipally owned energy company PowerStream and the City of Vaughan shared customer information in the past violates rules of the Municipal Freedom of Information and Protection of Privacy Act. Since 2005, PowerStream has shared customer information via electronic records with city staff. The information was then used periodically by the mayor and members of council to send a “welcome letter” to new city residents, according to the report. City hall watchdog Richard Lorello filed the complaint with the commissioner one year ago over concerns that residents’ personal information was being improperly used. The seven-page report written by assistant commissioner Brian Beamish does not make any recommendations because the sharing of information between the electricity company and the city stopped when the complaint was made. The commissioner’s office is satisfied the practice has stopped. [Source]

Electronic Records 

US – HHS Rule to be Reviewed

The Department of Health and Human Services’ Office of Civil Rights (OCR) is asking the White House Office of Management and Budget to review its new privacy rule that will provide “an expanded requirement that healthcare providers track and be able to report to patients any disclosures of their medical records.” The rule is aimed at improving patient privacy rights by building on provisions included in HIPAA. Meanwhile, a study is making headlines with findings that protected health information (PHI) breaches affecting more than 6 million individuals have been recorded since HITECH’S Breach Notification Rule was issued in August of 2009. [Modern Healthcare

US – Study: Medical Social Networks Lack Privacy Protections

A recent study of 10 medical condition-focused social networks revealed that privacy policies “significantly varied.” “Social but safe? Quality and safety of diabetes-related online social networks,” which was conducted by researchers from Children’s Hospital Boston, revealed a lack of safeguards for personal health information privacy protection, with only three sites providing member control for personal information and the vast majority using privacy policies that were difficult to read. Elissa Weitzman, the study’s lead author, voiced concerns about the implications for patient safety and said such sites need policies to protect members’ privacy. [InformationWeek] [US: Data Mining Technology Burns User Privacy Rights, Say Experts] SEE ALSO: [Most Americans favor electronic medical records: study] AND ALSO [CMA Revises Privacy Policy - strengthens pateint rights of access]

EU Developments

EU – PNR Data Could Be Required for EU Travel

Proposals set to come before the European Commission will require air travelers to have their passenger name record (PNR) data—such as home addresses, mobile phone numbers, credit card information and e-mail addresses—checked by authorities and shared with other member states if links to terrorism or serious crime are suspected. Negotiations between member states and the European Parliament on the plan are expected to last two years. “So far, the U.S. and other countries using the PNR system have failed to convince us about its necessity,” said German MEP Manfred Weber, adding, “There are deficits in the usage of current data. So why should we collect even more mass data?” [EUobserver] [OUT-LAW: EU Commission proposes new directive on storing air passenger details] [EU wants air-passenger data for probes of terrorism, crime

EU – German Justice Minister Focuses on Privacy Leadership

Justice Minister Sabine Leutheusser-Schnarrenberger’s comments that Germany should become a leader in international data protection standards. Urging the EU to include agreements on data protection standards with the U.S. in its revision of existing data protection laws, she spoke of the “different legal cultures” of data protection on both sides of the Atlantic, noting, “For this reason, I believe it is important that we strive to achieve basic ground rules of what constitutes data security.” Leutheusser-Schnarrenberger has announced the creation of a German foundation to explore such data security issues as developing technology to protect users’ privacy. [Source] [Source] See also: [UK Minister resigns after breaching data protection code

EU – Data Retention Implementation Faces More Delays

As Sweden prepares to implement the European Data Retention Directive, a parliamentary committee’s request for consultation may further delay such action. Sweden was to have implemented the directive in September 2007. The European Commission sued the country in 2010 for failing to do so. Now, the Parliamentary Constitutional Committee wants the government to consult parliament on details within the directive and “has sent its opinion to the Committee on Justice, which is currently hearing a report on how the directive is to be introduced in Sweden.” [Stockholm News]

EU – Privacy Watchdog Urges Stronger Data Protection in EU Law Review

Organisations which lose personal data should be forced to disclose the data security breach, the European Union’s privacy watchdog has said. Planned changes to EU privacy law do not go far enough, said the official. [OUTLAW] [EDPS Opinion] See also: [Communication to the European Parliament (20-page / 215KB PDF) outlining its proposals for reforming data protection law] 

EU – EC Publishes Israel’s Adequacy Status

The European Commission (EC) has published its opinion formalizing Israel’s status as “adequate” under the European Data Protection Directive. The decision, rendered in October 2010, follows the recommendation of the EC’s Article 29 Working Party. It allows for personal data transfers between EU countries and Israel. Israel is one of only a handful of countries to have obtained adequacy status. [Source

UK – Advocates Angered Over End of BT Investigation

Privacy groups are criticizing the Information Commissioner’s Office (ICO) for closing its investigation of a BT data breach. The ICO said BT cannot be held responsible for the incident in which a spreadsheet with such confidential information as customer names, addresses and telephone numbers was sent to a law firm by a BT employee, the report states. While the ICO closed its investigation after determining the company was not liable for a mistake committed by one of its employees, advocates contend such a move “appears to give the green light to companies like BT claiming to have a data protection policy but failing to adequately enforce it.” [The Guardian] [Crackdown on firms spying on internet users in bid to Tighten Data Privacy Rules] [BT Class Actions Abound

WW – G8 May Have Privacy Focus

Following up on its efforts in October to move toward the goal of adopting “an international binding legal instrument harmonizing the protection of privacy,” France has announced its intent to bring the world’s Internet leaders to the G8 Summit in May. An announcement from France’s Commission nationale de l’informatique et des libertés (CNIL) suggests that including privacy on the agenda for the G8 “would mark a critical milestone in the protection of privacy against the development of digital technologies.” Despite the continual exchange of data across borders and the prevalence of biometrics, geolocation and surveillance, the CNIL points out that “there is no globalized legal answer, and the levels of privacy protection are disparate.” [Source

EU – Berlusconi Probe Human Rights Violation of Privacy?

An ally of Silvio Berlusconi says the Italian government might appeal before Europe’s human rights court, alleging that a prostitution probe targeting the premier is a violation of his privacy. Italian prosecutors want to put Berlusconi on trial on charges he had sex with a 17-year-old and tried to cover it up by using his power. Berlusconi has dismissed the allegations as a smear campaign. Franco Frattini, foreign minister and close Berlusconi ally, said that on the privacy-violation issue “there is rich jurisprudence” at the European Court of Human Rights in Strasbourg, France, according to LaPresse news agency. He reportedly said “the privacy-violation is a theme that can be brought forward not just in Italy but before the Strasbourg court.” [Source]

Facts & Stats 

US – Study: Compliance Saves Money

A benchmark study conducted by the Ponemon Institute and sponsored by Tripwire has shown that investing in IT and security compliance can save companies money over time. Through interviews with 160 IT practitioners across a broad range of industries, the study found that companies that review and maintain compliance with security standards spend an average of $3.5 million yearly, while the cost of noncompliance came in at $9.4 million—due mostly to business disruption and loss of productivity, according to the researchers. Tripwire’s Rekha Shenoy noted that, in terms of compliance reviews, “PCI was the one that was top of mind across all industries, because they all take card payments.” [Bank Info Security]

Finance 

US – FTC Settles Credit Report Complaints

The FTC has approved proposed settlements of complaints against three credit report resellers for lax security practices that resulted in hackers accessing more than 1,800 credit reports without authorization between October 2006 and June 2008. The settlements require each company to create comprehensive cybersecurity programs and obtain independent audits of the programs every other year for the next two decades. “These cases should send a strong message that companies giving their clients online access to sensitive consumer information must have reasonable procedures to secure it,” said FTC Consumer Protection Bureau Director David Vladeck. The agreements will be available for public comment through March 7. [CIO] [FTC Press Release

US – Financial Industry Asks to Opt Out of FTC Rules

With the FTC deadline for public comment on its recent privacy rules recommendations just two days away, industry and individuals are weighing in on all sides of the issue. The Securities Industry and Financial Markets Association (SIFMA), which represents large banks and investment firms, has asked “to not be regulated by any FTC privacy rules at all,” citing sector-specific privacy regulations that already apply. SIFMA wrote, “financial services firms appreciate more than almost any sector of the economy the importance of maintaining the confidentiality of customer information.” The FTC, meanwhile, has suggested that certain types of information–including financial, health and geolocation data–require “special protection.” [paidContent

US – State Settles Online Privacy Dispute

The Seattle Times reports that the American Civil Liberties Union (ACLU) and the North Carolina Department of Revenue have settled their dispute over the state’s efforts to collect personal information about e-commerce customers for tax purposes. The ACLU and online retailer Amazon filed a federal privacy lawsuit against North Carolina last year. As part of the settlement, the state has agreed not to ask for information that could link consumers to the products they purchase online. The agreement “will go a long way toward protecting the privacy and free speech rights of online customers in North Carolina and hopefully elsewhere,” said ACLU attorney Aden Fine. [Source]

FOI 

CA – Canada Kept U.S. Border Talks Under Wraps: Document

The federal government deliberately kept negotiations on a border deal with Washington secret while it planned ways to massage public opinion in favour of the pact, according to a confidential communications strategy. The 14-page public relations document recommended that talks keep a “low public profile” in the months leading up to the announcement by Prime Minister Stephen Harper and U.S. President Barack Obama. At the same time, the government would secretly engage “stakeholders” — interested parties such as big business groups and others — in a way that respected “the confidentiality of the announcement.” In advance, the government departments involved — including industry, foreign affairs, international trade and citizenship and immigration — were to “align supportive stakeholders to speak positively about the announcement,” according to the strategy prepared by Public Safety Minister Vic Toews’ officials. On Friday, Harper and Obama signed off on a plan that for the first time envisions throwing up a single security ring around the perimeter of Canada and the U.S. The wide-ranging blueprint calls for increased cooperation between the two countries’ police, border and intelligence agencies; an integrated Canada-U.S. exit-entry system using high-tech identification techniques and more sharing of information about Canadians with U.S. authorities. At least three major business organizations — the Canadian Chamber of Commerce, the Canadian Council of Chief Executives and the Canadian Trucking Alliance — quickly issued statements praising the framework agreement Friday. The document was prepared last fall, when the Canada-U.S. talks were being conducted without any public notice. [Source] [Harper and Obama eye sweeping change in border security] See also: [Public salaries not so public in Quebec]

Health / Medical 

US – FTC Releases Medical Identity Theft Guide

The FTC has released information for healthcare providers and health insurers about how to help patients minimize the risk of medical identity theft and deal with the consequences if it occurs. The Medical Identity Theft FAQs for Health Care Providers and Health Plans publication says indications that medical identity theft has occurred include health plan statements that benefit limits have been reached or insurance claim denials due to medical conditions the patient doesn’t have. Healthcare providers and insurers should advise victims to notify health plans, file complaints with police and the FTC and review credit reports, the report states. [Source

US – Hospital Breaches Require Credit Protection

Two U.S. health plans are providing credit protection to patients and employees after data breaches potentially exposed Social Security numbers (SSNs) and other personal details. Oklahoma’s Saint Francis Health System is notifying 84,000 affected employees and patients that their personal information may have been compromised after a laptop was stolen containing names, dates of birth, mailing addresses, SSNs and diagnostic codes about patients treated prior to 2004. Meanwhile, New York City Health and Hospitals Corp. has filed a lawsuit against a data storage and transport vendor to recover breach notification costs after files on 1.7 million patients and employees were stolen. [Health Data Management

US – Survey: Privacy, Accountability Lead Health IT Concerns

Doctors and patients agree on the way health IT should be used in modern healthcare, according to a Markle Foundation survey. The Markle Survey of Health in a Networked Life interviewed 1,582 members of the public and 779 physicians. It found that respondents are accepting of technology’s increasing role in healthcare, but both groups want privacy and accountability provisions. A majority of both groups support allowing individuals to know who has accessed their records and the controls to change incorrect data. The majority also supports breach notifications and a policy against government collection of PII for quality improvement programs, the report states. [InformationWeek

US – Survey: Despite Privacy Concerns, Many Want EHRs

Despite privacy concerns, researchers from the University of Chicago have found that most Americans surveyed support a move to electronic health records (EHRs). “Our core finding is that a large majority of Americans support use of health IT to improve healthcare and safety and reduce costs,” said Daniel Gaylin of the University of Chicago National Opinion Research Center. The survey of 1,000 people found that while nearly half said they had worries about the privacy of EHRs, 64% thought the benefits of being able to access their records online outweighed those concerns, the report states. [Reuters

CA – Dickson: Breaches Need Stiffer Penalties

Saskatchewan Privacy Commissioner Gary Dickson said that the province needs to dole out stiffer penalties to individuals and organizations responsible for data breaches. The comments came on the heels of a breach at the Sun Country Health Region where an employee inappropriately accessed patient prescription data. Dickson said he was “impressed” with the investigation but noted privacy breaches involving electronic health records are serious matters and risk undermining public confidence in the system. “In a number of cases, termination would be the appropriate response,” Dickson said, adding, “A minor fine or a suspension of a couple weeks without pay in my mind really minimizes what I think is a much more serious matter.” [Source] See also: [University Hospital Fires Three After Breach] and [Universities Suffer Medical Record Breaches]

Horror Stories 

US – Millions Affected by PHI Theft

Confidential information on about 1.7 million New York City hospital patients and employees dating back as far as 20 years was stolen in December. The New York City Health and Hospitals Corporation (HHC) reported the breach on Friday. While a recent study indicates that well over half—61%—of such breaches are the result of malicious intent, HHC President Alan D. Aviles noted, “The loss of this data occurred through the negligence of a contracted firm that specializes in the secure transport and storage of sensitive data.” HHC will provide credit monitoring to potentially affected individuals as the stolen data included names, addresses, Social Security numbers and medical information. [The Wall Street Journal

US – Dating Site Hacked, Names and Passwords Exposed

The online dating site eHarmony has announced that a hacker used a vulnerability to access the usernames, e-mail addresses and passwords of users of its informational site eHarmony Advice. The Krebs on Security blog first reported the vulnerability and soon after found eHarmony data offered for sale on an online marketplace for hacked data. The company says it has fixed the vulnerability and is notifying affected customers and suggesting that they change their passwords. “At no point during this attack did the hacker successfully get inside our eHarmony network,” the company said in a blog post. The company has not released the number of users affected, but says it represents less than .05 percent of eHarmony’s 33 million users. [CNET News] [Source] SEE ALSO: [‘Dating’ Site Imports 250,000 Facebook Profiles, Without Permission

US – Sensitive E-mail Affects 2,400

A data breach at California’s Medicaid program has affected about 2,400 beneficiaries. The Human Services Agency of San Francisco says a former employee e-mailed records to her personal computer, two attorneys and two union representatives, the report states, in an effort to demonstrate that she was responsible for a disproportionately high caseload. The agency’s director says that though the records included Social Security numbers and names, they did not include medical or benefits information. The agency is mailing letters to those affected. [CaliforniaHealthline

US – Councils Fined £150,000 After Laptop Theft

The Information Commissioner’s Office (ICO) has fined two councils a combined total of £150,000 after two laptops were stolen. Ealing Council used the laptops to provide a service for itself and Hounslow Council. The laptops contained data on more than 1,700 individuals and were not encrypted. Ealing Council has been fined £80,000 for the breach, and Hounslow Council has been fined £70,000 for failing to have a written contract in place with Ealing and not monitoring its operational procedures. Deputy Commissioner David Smith said the Hounslow Council fine makes clear that organizations can’t outsource services “unless they ensure that the information is properly protected.” [ComputerWeekly

EU – Job Recruiting Site Breached

Ireland’s Gardaí are investigating a data breach on the job recruitment Web site recruitireland.com. The data protection commissioner has also been informed of the breach, which the company says exposed the names and e-mail addresses of its users. According to a message posted to the site’s homepage, no other data has been compromised, but the company is recommending that once the site is back online, users change their usernames and passwords. “We have a process in place for eventualities such as this; when we were notified, we shut down the server and the database to prevent any access,” the message says. [Silicon Republic

US – SSNs on Envelopes in Ohio

A company hired by the Ohio Department of Job and Family Services mailed 8,000 letters to day care providers with member numbers–which in some cases are the providers’ Social Security numbers–printed on the outside of the envelopes. The breach affected the at-home child care providers paid by the state; child care centers are given random six-digit numbers. A Department of Job and Family Services spokesman said the department is “extremely disappointed” by the breach, and it will be offering identity theft protection services to those affected. [The Chronicle-Telegram]

Identity Issues 

JP – Gov’t to Implement National ID System

Privacy concerns have arisen about recently announced government plans for a comprehensive identification system to be implemented in 2015. The Council for a Number System for Social Security and Taxation drafted the plan, which would assign each citizen a unique number. The system would store such personal information as name, gender, annual income and number of dependents, the report states. But the plan calls for a third party to monitor the stored data, and it has yet to be determined what information could be used for business purposes, prompting concerns about data protection and privacy. A bill pertaining to the ID system is expected this fall. [Source] See also: [US – Schmidt Discusses Trusted Identity Program] See also: [After Octopus Breach, Concerns Persist]

Internet / WWW 

US – NIST Releases Cloud Guidelines, Definitions

The National Institute of Standards and Technology (NIST) released guidance on cloud computing, Gov Info Security reports. Two drafts, “Guidelines on Security and Privacy in Public Cloud” and “The NIST Definition of Cloud Computing,” seek public comments until February 28. The guidelines include such provisions as ensuring security and privacy in cloud solutions before deployment, ensuring cloud providers meet organizations’ privacy and security guidelines and maintaining data protection accountability, the report states. The definitions provided are the result of NIST putting its “ear to the ground and listening to what the public and private sectors are saying,” a NIST co-author said. [Source

EU – Commissioner: EU Should Guide Cloud Deployment

The European Union is set to introduce a set of cloud computing guidelines that will address data protection, privacy regulations and common approaches to cloud deployment. At the World Economic Forum in Davos, European Digital Agenda Commissioner Neelie Kroes said the EU can help the transition to the cloud run “smoother and faster,” and should take care that data protection achievements do not clash with the cloud. The three areas the EU should get involved in are the cloud’s legal framework around data protection and privacy, technical and commercial fundamentals and supporting pilot projects towards cloud deployment, the report states. A document containing plans for such action should be released by 2012, Kroes said. [Computerworld]

Law Enforcement 

US – Legislators Question Facebook on Privacy

As privacy legislation discussions continue at the federal level, Reps. Edward Markey (D-MA) and Joe Barton (R-TX) of the House Energy and Commerce Committee have again sent a letter to Facebook CEO Mark Zuckerberg about privacy concerns. Writing to Zuckerberg, the legislators requested answers to questions prompted by changes the social network outlined last month about sharing such user data as mobile phone numbers and addresses with third parties, nextgov reports. Markey said the goal is “to better understand Facebook’s practices regarding possible access to users’ personal information by third parties. This is sensitive data and needs to be protected.” [Source

UK – ICO Approves Crime Maps But Warns of Possible Privacy Dangers

Privacy watchdog the Information Commissioner’s Office (ICO) has said that police must take care to ensure that the localised crime maps launched today in England and Wales do not breach privacy laws. Information Commissioner Christopher Graham was consulted over the new maps and said that in their current state they do not breach the privacy of individuals involved in or affected by crime. He said, though, that there is a danger of that happening and that reviews will be necessary to check that current protections are adequate. The ICO helped police and the Government to put in place measures to ensure the privacy of individuals, he said. The maps allow users of the police website to see the details of what crimes and incidences of antisocial behaviour have happened on their, or any other, streets. [OUT-LAW

CA – New Alberta Police Database Allows Officers to Share Real Time Information

The Alberta government is quietly building a $65 million police information database that will allow officers across the province to share details about proven and suspected criminal activity in real time. The Alberta Law Officers’ Network, or Talon, is meant to help police catch increasingly sophisticated criminals, but civil liberties groups and academics worry it unnecessarily invades citizens’ privacy and will be open to abuse. “The concept is that we will have a single source of the truth,” said Ayaaz Janmohamed, executive director of the solicitor general’s information technology branch. “It is going to create this information repository, which will allow for a master index of any person who comes into contact with any police agency in Alberta.” The program has been in the works for more than five years. The servers are now online, the top-secret office building that houses the servers is nearly complete and pilot projects are slated to begin in Calgary this fall. Every police service in the province is expected to be online by 2013. Janmohamed said the information in the massive databases will be used to varying degrees by police, crown prosecutors and sheriffs who work on Alberta highways and in provincial jails. Talon will allow them to quickly access information about a person of interest, just as the Canadian Police Information Centre does, though the databases contain different kinds of information. CPIC contains details about pending charges and a permanent record of convictions, as well as information about recent acquittals and discharges. Talon contains much more sensitive and personal information, including speculations, unproven allegations, investigation theories, details of 911 calls – virtually any record of a citizen’s contacts with the police. Unlike CPIC, officers will not have to provide a reason for accessing the information. Information and Privacy Commissioner Frank Work has been involved in the planning process and the government is following his recommendations. A privacy impact assessment is expected to be finished by early March, and it will review rules about who can access the information, who has custody of it and who ultimately controls it. The assessment will not be made public. [Source

US – Police Test App that Instantly Reveals Criminal Records

A new iPhone app will give California Police the ability to instantly see what’s been previously reported to have happened inside a home and who with a criminal record has lived there. The SafetyNet Mobile Insight app enables an officer to point an iPhone’s camera at a location, and using the phone’s GPS to bring up the address, check the law enforcement history or officer safety hazard information of the location in question – within seconds of getting a 911 call. The app can also track police units to determine how far away an officer is from a crime scene. Hoss said as newer versions come out, he’d like to see more querying functionality and license plate recognition incorporated. When the trial began, 70 percent of San Mateo’s and Burlingame’s officers already owned a personal iPhone, Hoss said, which they were allowed to use during the testing phase. However, he isn’t sure he wants officers using their personal phones on the job, partly for security reasons. The system feeding data into SafetyNet Mobile Insight is encrypted through a virtual private network and data isn’t stored on the phone. If an officer loses the phone, the device would be remotely wiped of data. For now, the app only searches within the participating city’s database of criminal records, so an officer in another part of the state wouldn’t have access to San Mateo’s database. [Source] See also: [US: Catholic Church gives blessing to app that helps people confess

CA – Strip-Searched Woman Sues U.S. Border Guards

A woman from Stratford, Ont., has launched a $500,000 lawsuit in a U.S. federal court against two female U.S. border guards in Detroit. In March 2010, Loretta Van Beek was pulled over by customs agents and sent to secondary inspection when customs officers found a few raspberries in her car that she’d forgotten to declare. After more than an hour of questions, Van Beek was told she was being denied entry on suspicion that she was living illegally in the U.S. Van Beek said she was marched into a holding cell by two female agents and ordered to remove her shirt and stand spread-eagled against the wall, and subsequently strip-searched in an invasive way. She said they photographed her and took her fingerprints, then sent her back to Canada. U.S. Customs and Border Protection wouldn’t comment on Van Beek’s case but said the rules state: “We rely upon the judgment of our individual CBP officers to use their discretion as to the extent of examination necessary. However, CBP officers are expected to conduct their duties in a professional manner and to treat each traveller with dignity and respect.” A spokesperson said a strip-search is allowed when there is reason to believe someone is hiding something on his or her body, and the person has to be told the reason. Van Beek said she wasn’t given a reason. The lawsuit documents were filed on Feb. 9, 2011. [Source]

Offshore 

IN – State of Data Security and Privacy in Banking Industry

After releasing the annual security surveys on the IT & BPO industry in past few years, the Data Security Council of India (DSCI) in association with KPMG under the aegis of CERT-In released first report on the State of Data Security and Privacy in the Indian Banking Industry. The report deals with the state of data security and privacy concerns and offers insight into banking industry’s capability for data protection. G Gopalakrishnan, Reserve Bank of India’s executive director, released the survey report. The survey covered some 20 banks and interviewed chief information security officers (CISOs). Asper the findings of the report, customer awareness on information security along with insecure customer end points is one of the most significant challenges faced by banks. External threats and the increasing usage of online and mobile channels along with regulatory equipment are driving banks in India to invest in information security. Managing security is more challenging in online banking and phone (IVR) banking as compared to other service delivery channels, the report states. [Source

PH – Data Privacy Law Moves On

The Philippines House of Representatives last week passed a second reading of the proposed Data Privacy Act, which aims to set regulations for the processing of personal information. The bill recently received the endorsement of both the committee on information and communications technology and the committee on government reorganization and has the backing of the business process outsourcing sector. Chief author of the bill Roman Romulo says, “The bill is quite strong…you are expected to adopt adequate organizational, physical and technical measures to protect your electronic files.” Meanwhile, a proposed cybercrime bill that seeks international cooperation in fighting cybercrime is also in congress. [Newsbytes.ph]

Online Privacy 

US – Study: “Flash Cookie” Tracking Persists

A Carnegie Mellon University study suggests that about 10% of popular Web sites may be using so-called “Flash cookies” to track users. The study, commissioned by Adobe, tested the 100 most popular Web sites and 500 others that were randomly selected, finding “none of the 500 random sites engaged in re-spawning, and only two of the 100 most-popular sites engaged in re-spawning,” the report states. However, a significant number of Web publishers “still won’t say if they’re using Flash cookies for tracking.” Adobe, the creator of Flash Player, has condemned the use of its local storage objects for tracking purposes and recently introduced changes to simplify Flash’s privacy options. [paidContent] See also: [US: History Sniffing Code Collides With Privacy Concerns] [The Dirty Little Secrets of Search

EU – Reding: Tracking Technologies Highly Intrusive

European Union regulators are concerned that mobile phone and computer technologies that monitor online activities threaten individual privacy rights. “I am concerned about the use of highly privacy-intrusive tracking technologies,” EU Justice Commissioner Viviane Reding said in a speech in Brussels yesterday. “Mobile phones and computers have become tracking devices.” She added that tracking technologies can have serious consequences for people and can lead to criminal penalties. Reding’s concerns come as the European Commission reviews the EU’s data protection law with plans to update it to reflect new technologies that have emerged since the law passed nearly 16 years ago. [Bloomberg] [Internet Tracking May Threaten Privacy Rights, EU’s Reding Says

US – Judge: Juror Must Turn Over Online Posts

A California judge has ordered a juror to turn over social networking posts he made during the trial of several gang members or face possible jail time. The juror’s attorney has called the order an invasion of privacy and plans to appeal, while defense counsel for the alleged gang members have suggested the posts will help determine whether the juror was influenced by communications outside of the courtroom. The juror had “allegedly characterized the evidence as ‘boring’ in one posting and revealed he was on the jury in another,” the report states. [Mercury News] [Juror Appealing Social Network Order] [Juror: Social Network Posts Are Private

US – WikiLeaks Supporters Trying to Prevent U.S. Access to Their Twitter Accounts

Three people involved with WikiLeaks are trying to bar a federal judge in Alexandria, Va. from gaining access to information about their Twitter accounts. According to a Washington Post report, the individuals are challenging a December 14 court filing that would force Twitter to disclose private information about their accounts. The court documents were unsealed at the request of lawyers from the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EEF). These organizations are also trying to get other court filings related to WikiLeaks unsealed. EEF legal director Cindy Cohn said that the government’s request for access to these Twitter accounts “raises serious First and Fourth Amendment concerns.” “It is especially troubling since the request seeks information about all statements made by these people, regardless of whether their speech relates to WikiLeaks,” she said. The effort is part of the Department of Justice’s ongoing investigation into whistle-blowing organization WikiLeaks. A hearing to unseal further court proceedings is scheduled for February 15 at the U.S. District Court in Alexandria, Va. [Source] See also: [Anonymous Hacks Security Firm Investigating It; Releases E-mail

UK – ‘Twitter Messages Not Private’ Rules PCC

Material that is published on Twitter should be considered public and can be published, the Press Complaints Commission (PCC) has ruled. The decision follows a complaint by a Department of Transport official that the use of her tweets by newspapers constituted an invasion of privacy. Sarah Baskerville complained to the PCC about articles in the Daily Mail and Independent on Sunday. The messages included remarks about being hungover at work. She complained that this information was private and was only meant to be seen by her 700 followers. Ms Baskerville said she had a clear disclaimer that the views expressed by her on Twitter were personal and not representative of her employer. Ms Baskerville complained to the press regulator, arguing that she could have a “reasonable expectation” of privacy and that the reporting was misleading. But the PCC said the potential audience for Ms Baskerville’s tweets was much wider than her followers, because each message could be forwarded by others, known as retweeting. It also agreed with the newspapers’ argument that Twitter was publicly accessible and that the complainant had not taken steps to restrict access to her messages and was not publishing material anonymously. As a result, the commission ruled that the articles did not constitute a breach of privacy. [Source

US – Analysts Support Code of Ethics

The Web Analytics Association is supporting an online code of ethics in the midst of increasing scrutiny of the Internet data industry to allow consumers to opt out of online tracking and offer clear privacy policies explaining data collection and usage. However, questions remain about how such a self-regulatory approach would be enforced, the report states. “We have to trust that this is a community of professionals and that putting your name and city–and behind the scenes your e-mail address–means you’re actually committed to following through,” said one of the Web analytics experts behind the effort, adding, “it’s about the long-term health of our sector.” [The Wall Street Journal]

Other Jurisdictions 

AU – Vodafone Investigation Concludes: Act Breach

After an investigation, Privacy Commissioner Timothy Pilgrim has found that Vodafone breached the Privacy Act by failing to take reasonable steps to protect its customers’ information, but the commissioner dismissed claims that information was made public. The company had been accused of allowing billing and call records to be stored on a public Web site with only a password to protect them. Pilgrim found that some staff may have breached company login and password policies, and that “Vodafone did not have the appropriate level of security measures in place to adequately protect their customers’ personal information.” [ABC News

IS – Israeli Bill Aims to Ban Media Images of Victims Without Consent

The Knesset Law Committee held a third and final debate on an amendment to the Protection of Privacy law that would prohibit the publication of images of injured or deceased persons without their consent or the consent of their family members. The bill, which is sponsored by United Torah Judaism MKs Uri Maklev and Moshe Gafni, aims to protect the privacy of victims of terrorist attacks, violent crimes or accidents, by prohibiting the media from displaying images in which the victims can be identified. Opponents of the bill said it was an attempt to limit freedom of the press and would harm the public’s right to information. They urged that a solution be found by increasing self-regulation by the media rather than by legislation. Maklev said that though he respected and cherished the work of the media, the amendment would strike a balance between the public’s right to information and the individual’s right to privacy. He said that the amendment would strengthen media ethics, prevent outlets from competing with each other over who has a more bloody photo and present guiding principles to unregulated online news distributors. [Source]

Privacy (US) 

US – CA Court: ZIP Codes Are Personal Information

The California Supreme Court has ruled that merchants may not collect ZIP Codes from credit card customers. In a unanimous decision, the justices deemed that ZIP Codes are part of a person’s address and are therefore covered by the state’s 1971 Credit Card Act, the report states. “The legislature intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction,” Justice Carlos R. Moreno wrote. [Los Angeles Times

US – Report: Companies Will Hire More Privacy Pros

Ernst & Young has released its new report “Privacy Trends 2011: Challenges to Privacy Programs in a Borderless World,” and the findings include expectations that organizations will invest more in the protection of personal information. Accounting Today reports that the study indicates organizations will allocate more funding in the year ahead toward hiring “highly skilled certified privacy professionals and invest in technical controls that monitor and manage external attacks and internal leaks from within the organization.” The report suggests that beyond privacy professionals, many positions that impact the use of personal information—such as IT, audit, legal and marketing–will become increasingly focused on privacy risk and compliance. “In an increasingly borderless business environment, protecting personal and professional information is a paramount concern,” says Sagi Leizerov, CIPP, executive director and leader of privacy advisory services for Ernst & Young. “New technologies associated with mobile communication, social networking and cloud computing have erased the boundaries of how we do business today, but while these new technologies provide tremendous opportunities, they also present new privacy risks for organizations and employees alike.” [Source

US – Industry Opposes FIPPs-Based Regulations

A coalition of advertising, media and business organizations has submitted comments to the Department of Commerce arguing that while Fair Information Practice Principles (FIPPs) are a “useful tool” when analyzing online privacy, they should not be codified in new laws. The comments were submitted in response to calls for industry and advocacy groups to develop enforceable, self-regulatory privacy policies. A FIPPs-based framework for online privacy “would reduce industry’s ability to respond to changes in consumer preferences and would hinder advancements in technology,” according to the coalition, which includes such groups as the Interactive Advertising Bureau and Newspaper Association of America. Some privacy advocates, meanwhile, have submitted comments that government regulation is needed to protect consumers. [Source]

US – DMA to Enforce Self-Regulation Initiative

The Direct Marketing Association (DMA) has announced enforcement plans for its online data collection self-regulatory program. The DMA is requiring members to place the “Advertising Option Icon” on ads, linking to pages that educate consumers about data collection and offer opt outs from online tracking and will investigate consumer complaints about noncompliance. For members that do not comply, “the ultimate sanction is that you are thrown out of the association. If a non-member is persistently noncompliant, we will refer them to the FTC,” said Linda Woolley of the DMA, who stressed that, “the goal is not to rat people out. The goal is to make companies comply.” [Direct Marketing News

US – Swire: Federal Privacy Office Needed

Peter Swire writes in support of a proposal in the Department of Commerce’s new green paper to create a federal privacy policy office. Swire disagrees with comments by some privacy advocates that the creation of such an office would weaken the Federal Trade Commission’s privacy efforts. “I believe there is an extremely strong case in favor of developing an ongoing privacy policy capability in the executive branch,” Swire writes. “Privacy policy requires familiarity with a complex set of legal, technological, market and consumer considerations. Good government thus calls for creating an institutional memory and a group of civil servants experienced in privacy policy.” [Center for American Progress] [Memo

US – Franken Named Head of New Privacy Committee

Sen. Al Franken (D-MN) has been selected to chair the new Senate Judiciary Subcommittee for Privacy, Technology and the Law. Franken said his goal will be to “make sure that we can reap the rewards of new technology while also protecting Americans’ right to privacy.” The new committee was created by Senate Judiciary Committee Chairman Patrick Leahy (D-VT) to “oversee laws and policies governing the collection, protection, use and dissemination of commercial information by the private sector,” the report states. Leahy said the new committee will focus on how new technology has “unleashed new questions about how to protect Americans’ privacy in the digital age.” [The Washington Post] [Committee Gives Online Privacy a Higher Profile

US – Apple Hit With Another Suit Alleging Privacy Violations

A lawsuit has been filed in federal court alleging privacy violations in the way Apple shares information collected from iPhone, iPad and iPod Touch users with advertisers. The suit, which seeks class-action status, states that the company shares information about browsing history, application use and other personal details without user consent, alleging the result is that application developers can “put a name to highly personal and in many cases embarrassing information derived from app downloading activity and usage, and Internet browsing history, that would otherwise be anonymous.” The company previously stated its apps are not supposed to transmit user data without prior permission, the report states. [PC World

US – Court: No Common Law Duty to Protect PII

An Illinois appellate court case–”the first that we are aware of in the United States”—is focusing on the question of “whether common law duty exists to safeguard personal information.” An Illinois appellate court upheld the dismissal of a suit over the unauthorized disclosure of such sensitive personal information as names, addresses and Social Security numbers, finding that no such duty to protect personal information exists for purposes of a negligence claim. Speculating that the case could be appealed to the Illinois Supreme Court, the report suggests, “Based on the strong dissent, it appears as if the majority opinion may be at risk for an overturn.” [Information Law Group

US – Judge Dismisses Data Aggregator Lawsuit

A U.S. District Court judge has dismissed one of two lawsuits filed against an online data aggregator after determining the plaintiff did not “allege he had been injured by Spokeo.” Privacy advocates are concerned about the information the company makes available, noting that although this case has been dismissed, the questions it poses “will almost certainly reappear in other litigation–especially given the wave of recent privacy lawsuits.” The report also highlights a complaint brought before the FTC alleging that Spokeo “violates federal law by offering information about users’ financial status and credit ratings without giving consumers the protections required by the federal Fair Credit Reporting Act.” [Source]

Privacy Enhancing Technologies (PETs) 

US – ACLU Launches Privacy Mobile App Contest

Branches of the American Civil Liberties Union (ACLU) and others are launching a contest challenging mobile application developers to address privacy concerns for mobile phones and other portable devices. The 2011 Develop for Privacy Challenge aims to encourage developers to build open-source tools for mobile devices to help users understand and address privacy threats, the report states. Brian Alseth, technology and liberty director at the ACLU of Washington, said the contest’s goal is to show developers that “privacy doesn’t need to be an afterthought in new technologies. Rather, privacy can and should be a fundamental building block.” Contest submissions may be made at the Develop for Privacy Web site until May 31. [InfoWorld] [IPC Press Release] See also: [Privacy as Competitive Edge: Can A Start-Up Search Engine Compete On Privacy?]

RFID 

EU – Art 29 WP Posts Opinion on Revised RFID PIA

This opinion is a follow-up to opinion 5/2010 (WP 175) on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications.. [Opinion 9/2011 on the revised Industry Proposal for a Privacy & Data Protection Impact Assessment Framework for RFID Applications -11 Feb 2011] [Privacy & Data Protection Impact Assessment Framework for RFID Applications 12 January 2011] See also: [ENISA Opinion on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications [March 31, 2010]

Security 

US – TSA Deploys New Body Scanners

The Transportation Security Administration this week debuted software designed to make airport body scanners less invasive. The software creates generic body images and displays any detected anomalies in a red outlined box around the specific area of concern. The software will be incorporated at Reagan National Airport in Washington, DC, and in Atlanta, the report states, and could eventually land at all 78 airports currently using body scanning technology. “We believe it addresses the privacy issues that have been raised,” said TSA Chief John Pistole. [The Washington Post] [Source

US – Nasdaq Suffers Security Breach

Nasdaq OMX Group says it found suspicious files on its U.S. computer servers. Nasdaq says it found malware at the end of last year and alerted forensic groups and U.S. law officials and that the FBI and Department of Justice are now investigating. The malware was pointed at Nasdaq’s Web-based program, where about 5,000 companies store documents for board members, the report states. Nasdaq deleted the malware and says no customer information appears to have been compromised as a result of the security breach. Law enforcement officials have not yet issued a statement on the case. [Banking Business Review] [NASDAQ Breach: You Should be Concerned]

Surveillance 

US – ACLU Calls for Moratorium on City Cameras

The American Civil Liberties Union (ACLU) is calling for a moratorium on installations of surveillance cameras in Chicago and new policies to prevent their misuse. The city has more than 10,000 surveillance cameras, capable of tracking people or vehicles, searching for images of interest and reading license plates, the report states. “Our city needs to change course before we awake to find that we cannot walk into a bookstore or a doctor’s office free from the government’s watchful eye,” an ACLU spokesman said. A spokeswoman for the Chicago Police Department said it is committed to “safeguarding the civil liberties of city residents” and “upholding the constitutional rights of all.” [Source] See also: [US: Female hostellers damage CCTV cameras to protect privacy] [UK: Coventry’s Stoke Park School has 112 CCTV cameras] [US: Supermarket camera suspect charged with privacy violation] and [US: Red-Light Cameras Lower Traffic Deaths, Agency Claims - NYT

AU – Vehicle Tracking Devices Could Be Used to…Track

A private car-for-hire company in Australia has announced it will install GPS devices in up to 30% of its fleet. The company said the devices will allow them to know if the cars are driven out of the contracted range or on dirt roads, which would breach contract. But Civil Liberties Australia calls the move an “excessive invasion of privacy.” Meanwhile, the U.S. National Highway Transportation Administration will consider new rulemaking that would require event data recorders to be installed in passenger vehicles, according to a press conference announcement. The announcement has some privacy advocates concerned that the recorders could be used to track Americans’ movements. [News.com.au] [Source

US – Smart Meters Face Resistance

The New York Times reports on the growing opposition to smart meter installations at homes in Maine and California. The wireless meters report hourly home energy usage back to the utility. Some Maine residents have launched e-mail campaigns, and some municipalities in both states have adopted moratoriums on meter installation. A group of Californians has launched a “Stop Smart Meters” campaign, and four protesters have been arrested for blocking trucks delivering meters to homes. In response to privacy concerns, the vice president of Edison Electric Institute, the national association of utilities, said, “We’ve always gotten information about customers’ usage and always kept it confidential. We’re going to honor their privacy.” [Source 

CA – Cavoukian Releases Smart Grid Study

Ontario Privacy Commissioner Ann Cavoukian released a study on an Ontario utility’s approach to smart meter deployment, which she says should serve as the model for all future smart grid investment. Released at a California event, Operationalizing Privacy by Design: The Ontario Smart Grid Case Study is the third in a suite of papers on smart grid deployment. It describes the utility’s policy to only include customer identification information in the company’s own billing records and not share it with third parties unless consent is acquired for service offers. “Smart grid technologies have the potential to collect extremely detailed information about energy consumption in the home, which can lead to the unwelcome profiling of individuals,” Cavoukian said. [The Globe and Mail] [Utilities work to prevent privacy backlash over smart grid]

Telecom / TV 

US – Obama Touts Plan to Get Wireless Internet to 98% of U.S.

President Obama has outlined a plan to expand super-fast wireless Internet connections. Speaking at Northern Michigan University, Obama said he would use $18 billion in federal funds to get 98% of the nation connected to the Internet on smartphones and tablet computers in five years. To get there, the federal government will try to bring more radio waves into the hands of wireless carriers to bolster the nation’s networks and prevent a jam of Internet traffic. He said he hoped to raise about $27.8 billion by auctioning airwaves now in the hands of television stations and government agencies. And with that auction money, the government would fund new rural 4G wireless networks and a mobile communications system for fire, police and emergency responders. [Source]

US Legislation 

US – Speier Introduces Financial Privacy Bill

The former California lawmaker who sponsored some of the nation’s strongest financial privacy protections during her time as a state senator has dropped a new federal law. Now in the U.S. Congress, Rep. Jackie Speier (D-CA) introduced the Do Not Track Me Online Act of 2011. The bill has elicited support from privacy advocates and warnings from the online advertising industry. It would let consumers opt out of having their online activities tracked through the creation of a do-not-track system such as the one called for in the Federal Trade Commission’s recent report on Internet privacy. Also, Speier introduced the Financial Information Privacy Act of 2011. [MediaPost News

US – Speier to Introduce Do-Not-Track Bill

Rep. Jackie Speier (D-CA) plans to introduce an online privacy bill next week directing the FTC to begin a do-not-track program for online advertisers. The program would enable consumers to opt out of behavioral advertisers’ tracking. The bill is meant to provide a floor rather than a ceiling, according to the report. Speier worked with Consumer Watchdog, Consumer Federation of America, Consumers Union and the Electronic Frontier Foundation on the bill. Meanwhile, Rep. Bobby Rush (D-IL) is expected to re-introduce his online privacy bill next week. [The Hill] See also: [Online Privacy Legislation Expected To Abound] [National Journal] See also: [Wyden Discusses Mobile Privacy Bill

US – Senators Propose Body Scanner Legislation

U.S. Senators Charles Schumer (D-NY) and Ben Nelson (D-NE) proposed legislation that would make the misuse of airport body scan images a federal crime, Computerworld reports. The Security Screening Confidential Data Privacy Act would prohibit the dissemination or photographing of scanned body images, punishable by up to one year in prison and a $100,000 fine per violation. The bill follows advocates’ and passengers’ concerns about privacy as the machines are increasingly implemented at U.S. airports. Marc Rotenberg of the Electronic Privacy Information Center is pleased with the legislation and said, “Obviously, there are no circumstances under which anyone should be able to take an image generated by one of these devices and circulate it to others.” [Source

US – Legislators Introduce Breach Bills

Hawaii legislators have introduced several bills to amend the state’s data breach notice law. Among those, security breach bill S.B. 728 and its house companion would require more specific notification in security breach cases, would eliminate the harm trigger in state law and would apply to any disclosure of records. It also would list the plaintiffs’ rights of action and would state that any person at risk for identity theft as a result of a data breach may sue for damages sustained. S.B. 796 would widen the definition of a security breach and would require three years of credit monitoring service by the responsible party to those affected. [Covington & Burling’s Inside Privacy

US – Bill Banning Texting While Driving Concerns Some

A bill headed to the Mississippi House of Representatives that would ban texting while driving is raising privacy concerns. The bill passed the senate last week with only two lawmakers voting against it. It would extend Mississippi’s ban on texting while driving from young drivers to all drivers, carrying a misdemeanor charge and a $500-$1,000 fine, depending on whether an accident occurred as a result. Sen. Terry Brown (R-Columbus) is concerned about privacy, however. “A law officer could read a person’s text message after an individual was pulled over. Are they going to confiscate your cell phone for evidence?” Brown questioned. [Justice News Flash] [Source]

Workplace Privacy 

IS – Court Restricts Monitoring of Employee E-mail

Israel’s National Labor Court has set out rules for employers’ monitoring of workers’ e-mails. Dan Or-Hof of Pearl Cohen Zedek Latzer, writes that “The rules impose severe restrictions…and employers should consider reforming their workplace policies accordingly.” The rules state that employers must establish policies on e-mail monitoring and must inform employees of the policies. They also establish clear guidelines on when and how e-mail monitoring is permitted. “Employers should carefully study the opinion and make all necessary adjustments to comply with its requirements,” Or-Hof writes. “Specific attention should be given to…harmonizing the corporate information security system and policies with a new pro-privacy workplace environment.” [Source] See also: [US: Facebook Firing Case Is Settled

AU – Employers to be Banned from Monitoring Staff’s Email, Facebook, Internet Use

SNEAKY bosses who spy on personal emails are facing D-Day as state and federal politicians move to protect workers’ privacy. Queensland Attorney-General Cameron Dick said it was time to safeguard workers who unknowingly had their emails read and internet use monitored by unreasonable bosses. Companies are also monitoring social network sites and using information to sack staff even if they are posting messages at home and don’t mention their employer. Lawmakers say they are determined to stop any such abuse. The state and federal attorneys-general have been working on a set of workplace privacy guidelines since 2009 but Mr Dick said he would introduce his own code, regulations or law if national progress was not made soon. [Source] See also: [Who’s the Boss, You or Your Gadget?] and [CA - Privacy rights at work? Not so much

IN – India Service Book of Govt Servant Not Personal: CIC

In a major decision that could spark privacy versus transparency debate, the Central Information Commission (CIC) has said the service details of a public servant are not confidential and can be provided to an RTI applicant. The country’s top watchdog had earlier taken out property details and income tax returns of public servants from the ambit of confidentiality which has been challenged in the Delhi High Court. [Source

+++

 

01-31 January 2011

Biometrics

US – D.C. Jail to Fingerprint Visitors, Check for Warrants

All visitors to the District’s jail soon will have their fingerprints scanned and checked against law enforcement databases for outstanding warrants. The D.C. Department of Corrections is already using the “live scan” fingerprint technology on inmates when they enter and leave the jail, corrections officials said. The digital technology allows the department to take an image of an inmate’s fingerprint and check it against D.C. police databases to confirm the inmate’s identity. Starting in March, the fingerprint-scanning technology will be put to use for all visitors, DOC spokeswoman Sylvia Lane said. [Source]

WW – Fingerprints Collected From Up to Two Meters Away

Over the years, fingerprinting has evolved from an inky mess to pressing fingers on sensor screens to even a few touch-free systems that work at a short distance. Now a company has developed a prototype of a device that can scan fingerprints from up to two meters away, an approach that could prove especially useful at security checkpoints in places like Iraq and Afghanistan. The device, called AIRprint, is being developed by Advanced Optical Systems (AOS). It detects fingerprints by shining polarized light onto a person’s hand and analyzing the reflection using two cameras configured to detect different polarizations. Joel Burcham, director for projects at the Huntsville, Alabama-based company, says AIRprint could help make authorization more efficient in lots of settings. Instead of punching a keypad code or pressing fingers to a scanner, individuals could simply hold up a hand and walk toward a security door while the device checks their identity. “We’re looking at places where the standard methods are a hassle,” says Burcham. For instance, AIRprint could be linked to a timecard system, he says, to help avoid a logjam at manufacturing plants at the start or end of the workday. The military has a growing interest in biometric sensors that operate at a distance. The U.S. Department of Defense awarded $1.5 million to Carnegie Mellon’s CyLab Biometrics Lab to support development of technology that performs iris detection at 13 meters. Over the past nine years, the Marines have made increasing use of biometrics to distinguish friend from foe in Iraq and Afghanistan. Says Powell, “It’s actually been very successful so far, and technologies like AIRprint have the potential to make it even more so.” [Source]

TW – Taiwan Develops Face-Recognition Vending Machine

Government-funded researchers in Taiwan have developed a vending machine that recommends purchases based on people’s faces, one of the inventors said. The machine, designed by the Institute for Information Industry in Taipei, builds a profile after checking characteristics such as complexion and hair color. Those clues help the machine guess a shopper’s gender, approximate age and other things that might be helpful in promoting a suitable product. Researchers spent the past year using a grant from Taiwan’s Ministry of Economic Affairs to build the first machine, which was rigged up to spit out free cosmetics samples in the institute’s lobby. The machine looks for clues like whether a person has glasses, a beard or a mustache, said Tsai. Based on that it guesses their use of make-up or frequency of shaving, Tsai said. It then might recommend a facial mask, razor, or health products that people in a certain category are statistically likely to buy. “If you stand in front of it, the machine has ways of recognizing your characteristics, though it doesn’t know exactly who you are as that would infringe on personal privacy,” Tsai said in an interview. Researchers in Japan unveiled a similar concept in August last year. The Taiwanese machine isn’t a copy of that but the Taiwan researchers kept up on what Japan was doing. The machine also attempts to detect any smartphones, e-readers or tablets the buyer might be carrying, the institute told Taiwan’s Central News Agency. That recognition would tell the machine whether the shopper was equipped to download books, music or films. Taiwan’s institute aims to tailor-design machines for vendors, with storage capacity and exact features depending on the individual order. Information on what buyers actually choose will be stored and sent to the Internet, helping retailers to analyze shopping patterns. [Source] See also: [Facial recognition a system problem gamblers can’t beat? ]

Canada

CA – Quebec Swears in New Access and Privacy Chief

Greater access to government information and a preventive approach in privacy protection will be the focus of Jean Chartier, sworn in this month as the province’s new access and privacy commissioner. Chartier said he wants to introduce a “preventive” approach, informing people they are not obliged to divulge extensive private information just to join a video club, for online shopping or to join a social network. The same goes for Google Street View, the online service that shows pictures of your street. Chartier said his “personal colour” would influence the direction of the commission. Saint-Laurent was voted unanimously by the Quebec National Assembly as the assembly’s first ethics commissioner in December, when the assembly named Chartier to succeed Saint-Laurent. [Source]

CA – Privacy Commissioner at ‘Impasse’ with SGI

Saskatchewan’s information and privacy commissioner says Saskatchewan Government Insurance is collecting vast amounts of personal health information and needs to do a better job of protecting people’s privacy. That SGI is “over-collecting” is one of Gary Dickson’s conclusions after dealing with three privacy complaints about the Crown corporation. The complaints concerned people who made claims after being injured in motor vehicle accidents over the last decade. Dickson said he investigated and while SGI has a right to collect information, he agreed with some of the concerns raised. “From a risk assessment perspective, the fact that so many persons will have the opportunity to view the personal health information, much of which will be completely irrelevant to the particular claim in dispute, of any claimant, is worrisome,” Dickson said in the 37-page report, which was released this week. However, the investigation was complicated by SGI’s insistence the complaints weren’t under his jurisdiction, he said. Dickson said he wants the legislative assembly to clarify the rules and confirm that he has a role investigating SGI privacy complaints. As things stand now, the privacy commissioner’s office is at an “impasse” with SGI on privacy investigations, he said. [Source] Other news: [Sask. woman guilty of census refusal] and [Summit on perimeter security delayed as negotiations face obstacles] and [Conservatives relied on a few complaints to scrap the census] [Democracy includes freedom to refuse census pressure

CA – Privacy Year in Review (2010): Legislation

Bill 89: Personal Health Information Act (NS) The Nova Scotia government finally re-introduced the Personal Health Information Act in the fall of 2010, but it’s still working its way through the provincial legislature. Hopefully, it will not be long before Nova Scotia joins New Brunswick and Newfoundland and Ontario with third-generation health privacy laws. It should be noted, while we’re thinking about the year that was, that both New Brunswick’s Personal Health Information Privacy and Access Act and Newfoundland’s Personal Health Information Act came into force this past year. All of these are designed to be substantially similar to PIPEDA so that PIPEDA would cease to apply to most health information in the relevant provinces. None of them have yet been so-declared, though.

PIPEDA Revisions: The LONG awaited result of PIPEDA’s so-called five year review was introduced on May 25, 2010 as Bill C-29 and has yet to get to second reading. Unless there’s an election (and who knows about that ...) here are the main features:

Business Contact Information: The first significant change is the exclusion of “Business Contact Information” from the purview of the statute. “Business Contact Information” refers to an individual’s name, position name or title, work contact details (including e-mail address) and any similar information of the individual so that, in the new Section 4.01, business contact information is excluded from the provisions of PIPEDA if business contact information is collected, used or disclosed solely for the purpose of communicating with the individual in relation to their work.

Valid Consent: Bill C-29 raises the bar, or at least clarified, what is necessary to get consent from an individual. Section 6.1, entitled “Valid Consent” clarifies that the consent that is required under Principle 3 of the CSA Model Code is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting. This likely raises the bar on what is valid consent.

Witness Statements and Work Product: In Section 7, which allows the collection, use or disclosure of personal information without consent a number of changes have been added to permit the collection, use and disclosure of information in witness statements where it is necessary to assess, process or settle an insurance claim. In addition, information produced by individuals in the course of their employment is exempt from the consent requirements provided that the collection, use and disclosure are consistent with the purposes for which the information was produced. This particular exemption codifies what is often referred to as “work product” exception to consent.

Lawful Authority: Also in Section 7, the government has attempted to clarify what has been a very confusing provision regarding disclosures to law enforcement. Section 7(3)(c.1) permits the disclosure to government institutions and law enforcement where the government body has identified its “lawful authority” to obtain the information. The meaning of “lawful authority” has been very problematic since the first version of PIPEDA, with interpretations ranging from legal authority to compel or just part of a lawful process.

Gag Order: A notable addition to PIPEDA is a “gag order” that prohibits an organization from notifying an individual that information has been requested or obtained by a government institution or part of a government institution under a range of provisions contained in Section 7(3). Before it notifies the individual, it has to notify the government institution and get their OK. If the government institution vetoes the disclosure, the organization is not allowed to notify the individual but is required to notify the Privacy Commissioner. This above provision supplements what had previously been the case where an individual had made a request for access to their own personal information or an account of its collection, use or disclosure where that personal information had been the subject of a government request.

Removing Investigative Bodies: Notably, these amendments have completely done away with investigative bodies. It used to be that under Section 7(3), an organization could disclose personal information to designated investigative bodies for the purposes of investigations. Investigative bodies included the Insurance Fraud Bureau of Canada, most Barristers’ Societies and other professional regulators. Instead, the new Section 7(3)(d.1) permits disclosures to another organization where that disclosure is necessary to investigate a breach of an agreement or a violation of the laws of Canada or Province or is necessary to prevent, detect or suppress fraud where it would be reasonable to expect the disclosure with the knowledge or consent of the individual would undermine the ability to prevent, detect or suppress the fraud. Subsection (d.2) allows disclosures to government institutions or next of kin related to “financial abuse”. Finally, Subsection (d.3) further permits disclosures for notifying the next of kin of injured, ill or deceased individuals.

Business Transactions: The new Section 7.1 permits disclosures and uses of information in connection with a “prospective business transaction”. This term is defined to include a range of transactions, including purchase or sale of a business, mergers and amalgamations, financings, leasings, and joint ventures. This section 7.1, parties to a perspective business transaction can use and disclose personal information without the knowledge or consent of the individual if they have entered into an agreement that requires the recipient to use the information and disclose it solely for the purposes related to the transaction, to protect that information with appropriate safe guard and, if the transaction does not proceed, to return or destroy the information within a reasonable period of time. This provision that permits the use and disclosure of personal information for business transactions does not apply to business transactions where the primary purpose or result is the purchase, sale or other acquisition of personal information.

Employee Personal Information: The new Section 7.2 will mark a significant change in how PIPEDA applies to employees of federal works, undertakings and businesses. No longer is consent of the individual required to collect use and disclose employee personal information if that collection use or disclosure is necessary to establish, manage, or terminate the employment relationship, provided that the employer has notified the individual that the personal information will be or may be collected, user disclosed for these purposes.

Breach Notification - Notification of the Commissioner: Perhaps the most notable addition to PIPEDA in Bill C-29 is the addition of Division 1.1, which deals with breaches of security safe guards. The new section 10.1 requires an organization to report to the Privacy Commissioner any “material breach” of security safeguards. Whether the breach is material depends upon the sensitivity of the information, the number of individuals whose personal information was compromised and an assessment by the organization whether the cause of the breach or a pattern of breaches indicates a systematic problem. The form of the notice will be set out in the regulations. The Commissioner has no power to require the organization to notify individuals, nor does she have any power to seek a remedy on behalf of affected individuals unless they themselves complain.

Breach Notification - Notification of the Individual: The new Section 10.2 deals with notification to the individual, which is mandatory if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual. Section 10.2(2) defines significant harm to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. Subsection (3) then goes on to provide guidance on whether there is a “real risk”, which is based on the sensitivity of the information and the probability that the personal information has been, is being or will be misused. The notification has to contain enough information to allow the individual to understand the significance of the breach to them and to take steps to mitigate that harm. Notice has to be given as soon as feasible after the organization confirms the occurrence of the breach and concludes that they are required to give notice occasionally under Section 10.2(1). The form and manner of notice may be prescribed in regulations, which I anticipate will allow for notice to large groups of people though the mass media where it is not feasible to give individual notice. This new Section 10.3 allows organizations to give breach notification to other organizations that will help to reduce the risk of harm that could result from the breach or to mitigate that harm.

Bill C-28, Fighting Internet and Wireless Spam Act or FISA After what has been a very, very long process, 2010 finally saw the passage of Canada’s attempt to grapple with unsolicited commercial e-mail through Bill C-28, Fighting Internet and Wireless Spam Act. The bill, in various forms, had been previously introduced and fell off the order paper. [Opinion: Email marketing might be a casualty on the anti-spam battlefield] Parliamentary Library Summary Story by [David Fraser, Privacy Lawyer] SEE SLSO: [The 2010 Top 10 International Data Privacy Changes]

CA – Help for B.C. Privacy Watchdog

B.C.’s privacy watchdog has created an external advisory board to help with her duties. Information and Privacy Commissioner Elizabeth Denham announced Monday she invited six people from both the public and private sector to help identify and address emerging privacy problems in the province. The six board members are University of Victoria political scientist Colin Bennett, former assistant privacy commissioner Heather Black, privacy consultant Drew McArthur, former B.C. privacy commissioner David Flaherty, UBC law professor Ben Goold, and former B.C. police complaints commissioner Dirk Ryneveld. [Source] See also: [Holding dear the value of privacy by Elizabeth Denham] and [Empower privacy watchdogs to enforce laws, name offenders: Geist]

CA – Alberta Privacy Ruling Forces Change at Staples

Alberta’s privacy commissioner has ordered Staples Canada to better protect personal information on computers brought in for repair. In a recent finding, the office supplies retailer was told to ask customers who bring in computers for repair whether the unit contains a hard drive. Staples must also ask customers if they authorize any personal information on it to be destroyed or preserved in the event the company buys back the computer. The Office of the Information and Privacy Commissioner investigated after a woman complained in 2008 that a Calgary Staples store had returned her laptop missing its hard drive after she had taken it in for repair. Staff had told her it was not cost-effective to repair the laptop and it would be “bought back.” But when she asked to have the computer to back up its contents and wipe the hard drive clean of family and business information, she discovered the drive was gone and it could not be found. Adjudicator Teresa Cunningham said in her report that if Staples had taken steps to confirm it had the hard drive, asked the customer’s wishes for personal information on it and documented the status of the hard drive at each stage, it would have reduced the risk of its unauthorized destruction. [Source]

Consumer

US – Data Privacy Concerns Have a Reality Gap: Report

A survey released to coincide with Data Privacy Day, shows American’s have strong concerns related to online privacy violations, though they aren’t always very proactive in defending themselves. One surprising data point in the survey results is that among U.S. respondents, concern over online privacy violations rated higher (25%) than having to declare bankruptcy (23%) or even losing their jobs (22%). A clear majority of American respondents (79%) said they use anti-virus solutions to protect their privacy. But only 61% said that they use safe passwords and only 47% said they regularly delete their browsing history (though men did so more often (52%) than women (42%)). Only 15% of respondents said they only use software and websites that do not collect personal information. Research firm YouGov conducted the online survey, sponsored by browser developer Opera Software, which said more than 1,000 people in the U.S., Japan and Russia completed the survey between January 19 and January 24. The figures were weighted and are representative of all adults aged 18 or more in the three countries, according to Opera. Responses diverged among countries on the question of who should be responsible for ensuring citizen’s online safety and privacy. For example, in the U.S. 54% said users themselves should be responsible versus only 46 and 42% in Russia and Japan, respectively. The results for Japan show that 47% believe Web companies should be primarily responsible, while only 25% of those in U.S. agreed. In the Russian response, 41% said Web companies should be primarily responsible for online safety and privacy. Desktop computers rated higher than mobile devices on the question of which was safer for accessing the Internet. In the U.S., 54% said desktop computers were safer, while only 3% said mobile devices were safer and 31% said they didn’t think either platform was safer than the other. [Source] [Report

US – California: Cantil-Sakauye Court Opens With ZIP Code Privacy Concerns

California’s new chief justice kicked off her first oral arguments at the Supreme Court with a privacy rights case that deals with whether retailers can record customers’ ZIP codes to track down their addresses. In Pineda v. Williams-Sonoma, S178241, Folsom attorney Gene Stonebarger argued that retailers improperly record ZIP codes when customers check out with credit cards, then use the data to look up their addresses later to send them catalogues or, worse, sell the information to other marketers. Williams-Sonoma’s attorney urged the court to agree with the Fourth District, and at least one other court, that have found a ZIP code too general to be considered personally identifying information. And he argued that, with the Song-Beverly Credit Card Act of 1971, the Legislature only intended to prevent retailers from asking customers for personal information on pre-printed credit card forms. But most of the justices sounded bothered by retailers’ ability to record ZIP codes, and eager to address consumers’ privacy rights, asking “Isn’t this privacy issue the exact thing the Legislature was intending to stop?” amd “Isn’t the effect here that you obtain indirectly what you couldn’t obtain directly?” [Source] [CA – Nudity laws to be subject of constitutional challenge] and [Wired-up ref sparks controversy: Shocked by minor hockey ‘invasion of privacy’] and [Woman who refused to fill our census gets absolute discharge] [Data Privacy Day is January 28, 2011] [Protect your personal information because the Internet never forgets, Privacy Commissioner of Canada says] and [ANA Asks Marketers To Comply With Self-Regulatory Privacy Standards] and [Banks allow ads in online checking accounts]

E-Government

CA – Alberta Privacy Commissioner Blasts Provincial Gov’t on Transparency

Alberta’s Information and Privacy commissioner publicly castigated the provincial government for failing to keep an election promise to foster accountable and transparent government. Frank Work issued the rebuke in the opening message to his most recent annual report, released this month. People who want our votes … espouse accountability and transparency. The first of Premier Ed Stelmach’s five priorities when he ran for election in 2006 was to govern with integrity and transparency,” Work said in the two-page message. “I cannot let this occasion pass without commenting on what I see as a lack of leadership at the provincial level with respect to access to information,” he said. “What I do not see, for the most part, is leadership at the political level in terms of getting information out, being proactive and fostering a culture of openness.” Work suggested ministers have failed to issue clear directives that instruct staff to err on the side of disclosure when handling requests for access to information. Work highlighted the government’s “lukewarm” response to Right to Know Week and openly challenged Stelmach to appear during the event this year and “talk specifically about what has been done to further open and transparent government.” [Source]

KR – Korea: Tax Group Criticizes Invasion of Privacy

New government guidelines stipulating that charity donors should give more detailed information to tax authorities is being criticized as an invasion of privacy. The Korea Taxpayers Association, a non-profit organization established in 2001, claimed that donors’ personal information is at risk of being exposed if the regulations introduced by the National Tax Service go into effect this year. Previously, donors who made contributions of more than 500,000 won ($444) to charities had to submit details to get tax deductions. However, all donors must now submit documents to the NTS no matter how small the contribution. Documents to be submitted to the NTS must include the name and business registration number of the charities receiving the donations and the donor’s name, social security number, address and contribution amount. KTA is raising concerns on the possible abuse and misuse of the personal information relating to donors. “From the personal information given to the NTS, it is very easy to find out about an individual’s religious or political orientation,” said Kim Sun-taek, president of KTA. “You would never know if a NTS official decided to gain access to its computer system to retrieve this information,” he added. “The NTS was found to have logged into 19 million personal records per month (on average). And despite the massive amount of taxpayers’ information to be managed, the NTS has only one person who has been managing log-in security for the last seven years,” Kim said. [Source]

BR – Brazil: Your Personal Data in the Wrong Hands

What happens when all of your personal data is readily available for use by a cybercriminal? In Brazil CPF numbers – the Natural Persons Register – are the equivalent of a Social Security Number used by the Brazilian government to identify each citizen. A CPF is the most important document a Brazilian citizen possesses. It’s a prerequisite for a series of tasks like opening bank accounts, getting or renewing a driver’s license, buying or selling real estate, receiving loans, applying for jobs (especially public ones), getting a passport or credit cards, etc. Apparently criminals are now offering access to a complete database of all Brazilian citizens that have a CPF – all you need to do is contact a number and the system will bring you the complete personal data of a potential victim. The database is complete and contains data about every Brazilian. The search results display full name, date of birth, address, filiations, city, zip code, etc – all easily available to a cybercriminal. 3 mirrors of this website offering this kind of ‘service’ to Brazilian bad guys have been detected. Using such data it is possible for a cybercriminal to impersonate a victim and steal their identity in order to access resources or obtain credit and other benefits in that person’s name. You are probably wondering how the cybercriminals obtained this kind of information. Basically, it occurred through incidents of data leakage – not only from governmental departments, but via e-commerce and other corporate entities that have had their databases attacked and their data stolen, too. [Source] See also: [Privacy And Data Protection Laws In India: India has become an Orwellian Society] and [NYT: High Price for India’s Information Law]and also: [When MySpace Goes, What Happens to the Data and Privacy? ] and also: [Administrative Access to Government and Education Sites For Sale in Underground Forum | Source | Source | Source]

UK – Ex-KGB Agent Sues MI5 Over ‘Privacy Breach’

A former senior KGB agent is suing MI5 over invasion of his privacy, alleging his family members were victims of a campaign of harassment and unlawful surveillance. Judges are now investigating claims made by Boris Karpichkov that his east London home was broken into and his telephone calls and post unlawfully intercepted. [Source]

UK – Scandal of Computer Snooping by Public Servants

The scandal of dozens of police officers, nurses, social workers, council staff and other public servants caught snooping in the private files of people living in Yorkshire can be revealed for the first time. Disciplinary records released by police forces, NHS trusts and local councils across the region have revealed scores of cases of public workers being caught abusing their positions of trust to look up private information about people they know. The cases include numerous police officers caught running criminal record checks against ex-partners and family members, a council finance officer in Rotherham found looking up the private details of 72 friends and neighbours, and a doctor in Doncaster caught looking at a colleague’s medical records. At one hospital, in Rotherham, a cleaner was caught only last month accessing the private medical files of a friend to determine that she had recently had an abortion. That disciplinary case is still proceeding. At another hospital, in Sheffield, a receptionist gathered patients’ personal contact records and used them for a second job as a market researcher. The most worrying pattern of data abuse emerges at the region’s four police forces, where by far the most frequent breaches of data protection have taken place. Humberside Police said 31 members of staff had been disciplined for inappropriately accessing data over recent years, including a CID “serious crime” officer who received a written warning after running criminal record checks on his own nephew. [Source] See also: [David Edgar asks “Who’ll stand up for liberty in Britain?”][Councils banned from abusing terror laws to Snoop] and [Despite continuing attack fears, UK’s new government rolls back unpopular anti-terrorism laws]

CA – Thousands of Federal Officials Under Lifelong Gag Order, Records Show

More than 12,000 current and former federal intelligence officials must take the secrets of their most sensitive work to the grave, newly obtained records show. The number of people “permanently bound to secrecy” is more than double the figure expected in 2003 when the government began putting the provisions in place after the Sept. 11, 2001, terrorist attacks. The Security of Information Act – quickly passed following the dramatic assaults on the United States – updated several elements of Canada’s antiquated legal regime covering classified information. The secrecy law forbids discussion of “special operational information” including past and current confidential sources, targets of intelligence operations, names of spies, military attack plans and encryption or other means of protecting information. Revealing such information could result in up to 14 years in prison. Notes prepared by the Treasury Board Secretariat say individuals forever bound to secrecy are “held to a higher level of accountability” than others under the secrecy law. It means unauthorized disclosures are subject to penalty whether the information is true or not and even if it was obtained after the employee left a sensitive post. [Source]

E-Mail

US – Client Attorney Privilege Doesn’t Apply if Client Communicates Through Work eMail

A ruling from a California appeals court means that communications between client and attorney are not considered privileged if the client uses his or her work email account to conduct the communication. A unanimous decision by the Sacramento Third Appellate District involves a secretary who claimed her employer turned hostile after learning of her pregnancy shortly after she was hired. The company used email the secretary had sent from the workplace as evidence that she was not suffering severe emotional distress. [Source] [Source

UK – Fears Over Privacy With Virgin Emails

Virgin Media has been allocating previously used email addresses to new customers, leading to potential breaches of privacy. If a new customer using a recycled address attempts to register with a website that happens to have beenused by the former subscriber, the site will inform them that they are already registered. The website will unwittingly send the new subscriber the former customer’s password on request, allowing them to view personal information- perhaps including bank account details. Virgin Media said when an account holder cancelled their subscription they were told they would be losing their email address and they were given three months to cancel any automated links to their account. Following that period, for a further three months, the company said it would keep control of the address and remove all personal details linked to it. The address would then be reallocated. Virgin said other internet service providers followed the same policy. However, the Information Commissioner said recycling could lead to companies falling foul of the Data Protection Act. ‘The Act requires that personal information should be kept secure and processed fairly,’ said a spokesman. [Source]

Electronic Records

US – Hard-to-Use Software Causing Data Leaks from Confidential Health Records: Study

Software that is difficult to use is a top culprit for much of the leakage of health data – creating privacy and security concerns about confidential medical records, according to a new study by Dartmouth business researchers. According to The Wall Street Journal, the reason why difficult-to-use software is responsible for leakage is because people using the weak proprietary software find ways around it, such as “word-processing and spreadsheet tools.” These aren’t very secure, and many times files are downloaded onto home computers. In addition, the researchers point out in their study that consumers of health care are increasingly concerned about their privacy. There has been “increasing reliance on web-based systems for managing health information and the deployment of personal health banks.” In addition, government mandates, such as the HIPAA Act, are criticized for their “lack of clarity.” There are currently “low levels of full compliance among hospitals.” The researchers also point out that in the past five years the health care sector has seen “significant growth in use of mobile devices and web-based applications.” With growing use of digitized versions of health records, medical identity theft has become a large issue, say the researchers. In addition, the growing use of cloud computing may actually help reduce the risks in the health care sector because of improved software. But bill collectors and labs are sharing “much more information about patients than they need to conduct business.” In a related matter, TMCnet reported recently that electronic medical records were once seen as a panacea to increase patient safety and ensure better treatment. There were errors with medical records recorded with pen and paper. However, errors continued as patient records are recorded electronically. A government panel is reviewing the use of electronic medical records and is trying to come up with a list of recommendations to improve patient safety. The Institute of Medicine’s Committee on Patient Safety and Health Information Technology was to hold its first meeting in December. [Source] [Data Breaches at Arizona Medical Center Makes Case for Zero Trust Security] and [SCOTUS to hear case on Vermont law & Rx data-mining]

US – Mandatory Data Retention Is Overwhelmingly Invasive

The House Judiciary Subcommittee on Crime, Terrorism and Homeland Security held a hearing on mandatory Internet data retention, once again reviving the debate over whether Congress should pass legislation to force ISPs and telecom providers to log information about how users communicate and use the Internet. The hearing, awash with rhetoric about targeting Internet crime and including an unexpected condemnation of EFF’s privacy advocacy, was purportedly an information- and fact-finding hearing to explore the issue of data retention and consider what Congress’ role should be. However, it’s already clear where the new House Judiciary Chairman, Representative Lamar Smith, stands on the issue: he introduced data retention legislation just last year and likely will do so again this year. EFF believes that government-mandated data retention would be an overwhelmingly invasive and costly demand, raising serious privacy and free speech concerns – points well-argued at the hearing by John Morris, General Counsel of CDT [written testimony], and Kate Dean, Executive Director of the United States Internet Service Provider Association [written testimony].Perhaps the biggest surprise in the hearing was Deputy Assistant Attorney General Jason Weinstein’s attack on EFF and our Best Practices for Online Service Providers (OSPs) whitepaper. Unfortunately, today’s hearing is the first signal that the Obama Administration, like the Bush Administration before it, hopes to push a new data retention law through Congress. [EFF]

Encryption 

WW – Self-Encrypted Drives Set to Become Standard Fare

As secure data storage becomes more crucial, more companies are moving to on-board data encryption. We’ve seen this coming over time: Based on the Trusted Computing Group’s standard, hard drives and solid state drives (SSD), are offering self-encryption built-in. The key difference with these next-generation encrypted drives is that these units have the encryption integrated into a single chip on drive in the drive. Securing data storage is especially important for small businesses, due to legal specifications that require companies to report breaches, and to maintain data for long periods of time for accountability purposes. Since 2005, over 345,124,400 records containing sensitive personal information have been involved in security breaches. One of the advantages to the single-chip, no-software approach now in place: There’s no performance degradation. It’s also safer; the encryption keys are generated within the drive, so there are no keys to lose. The keys never leave the drive. What is a self-encrypted hard drive? The drive itself protects the data, with either 128-bit or 256-bit AES keys that are stored in the drive itself. In a few years, predicts Thibadeau, you’ll be buying a self-encrypting drive and you won’t even realize it-because it will be so pervasive. “The encryption just works, it doesn’t impact you.” [Source] [DOJ pressed for details on Internet tracking plan] [House Panel Presses for ISP Data Retention Mandate] [DOJ seeks mandatory data retention requirement for ISPs]

EU Developments

EU – Privacy Watchdog Urges Stronger Data Protection in EU Law Review

Organisations which lose personal data should be forced to disclose the data security breach, the European Union’s privacy watchdog has said. Planned changes to EU privacy law do not go far enough, said the European Data Protection Supervisor (EDPS) Peter Hustinx, who has published an opinion urging the European Commission to extend the obligation to tell people when their data security has been compromised beyond current limits and has backed calls for a ‘right to be forgotten’. The Commission said in November that it would consider adopting a more wide-ranging security breach policy as part of a review of the Data Protection Directive. Hustinx said that the ongoing review of the Data Protection Directive should strengthen the rights of the subjects of data to know and control what information is held about them. He said that in addition to the right to be informed of data security breaches they should have a ‘right to be forgotten’, meaning that they should be able to demand the deletion of information held about them by online service providers. That proposal has proved controversial, since deleting information that is in the public domain is being seen by some as allowing the alteration of historical record. The EDPS also backs a strengthening of rules that organisations must adhere to in order to stay within the revised Data Protection Directive. Hustinx also said that national data protection authorities should be given greater powers as a result of the review, and that there should be more consistency between the way that the Directive is implemented in the EU’s 27 member states. [Source]

EU – Study Frowns Over Data Breach Notification Rules

A new EU study has identified risk prioritisation, enforcement and resources as key issues in applying data breach notification rules. ENISA, the EU’s cyber-security agency, launched its investigation on data breach notification rules against a backdrop of steadily rising incident of personal information disclosure breaches. The agency identified key concerns from both telecom operators and the Data Protection Authorities (DPA) in applying a recent ePrivacy Directive (2002/58/EC) that applied breach notification rules to the electronic communication sector. The agency hopes the research will help to develop best practice on breach notification as well as informing ministerial decisions on whether EU data breach disclosure rules first applied to telcos ISPs ought to extended to financial service firms and other sectors of the economy. Key concerns raised by telecom operators and DPAs interviewed by ENISA include:

  • Risk Prioritisation – Interested parties want breaches categorised according to risk levels to avoid ‘notification fatigue’. Graded responses should be applied depending an the level of risk. A one size fits all approach would be counterproductive.
  • Communication Channels – Operators wanted assurances that applying by breach notification rules and reporting slips would not result in damaging their brands. The concern is that those that report problems, in compliance with the rules, will be “punished” by earning a reputation for poor security while those that do nothing will avoid tarnishing their reputation.
  • Resources – Several regulatory authorities have other priorities beyond the handling of breach notification and there were concerns this could lead to over-stretching of resources, leading to possible problems in enforcement and other areas.
  • Reporting Delay – The report identified a split between service providers and regulators on deadlines for reporting breaches. Regulators want short deadlines whereas service providers wanted to be able to focus their resources on solving the problem, before they dealt with the regulatory fallout.
  • Content of Notifications – Another area of disagreement. Operators want to make sure the notification content avoided unduly alarming customers, who might be inclined to think the worst about any breach. Regulators, meanwhile, advocated complete transparency.

ENISA intends to use its research to develop guidelines on best practice for data breach notification, as well as analysing the possibility for extending the general obligation of data breach notification to other sectors, such as the financial sector, health care and small businesses. The issue will be discussed at an ENISA-organised workshop in Brussels on 24 January. [Source] [full report]

UK – New U.K. Law Keeps Royal Secrets Private

A new British law that took effect this month makes Queen Elizabeth II, Prince Charles and Prince William exempt from freedom of information laws, meaning many private details of their lives won’t be made public for decades. Justice Secretary Ken Clarke says the exemption will protect the monarch’s private conversations with politicians and officials — but information advocates say it will make it even harder to hold to account a royal family that costs taxpayers millions a year. For centuries, the workings of the British monarchy were shrouded in secrecy by a blend of law, convention, deference and media self-censorship. That media acquiescence is long gone, and under freedom of information laws that took effect in 2005, information about the royal family could be released if it was shown to be in the public interest. “It at least raised the possibility that information could be disclosed,” said Maurice Frankel of the Campaign for Freedom of Information. “What the changes do is remove the public interest test — exemption becomes absolute.” [Source

EU – German Privacy Commissioner Terminates Talks over Google Analytics

Google faces trouble again as a German privacy commissioner overseeing Analytics, the search giant’s service that gives website administrators the power to monitor and trace who visits their websites, terminates negotiations in an issue that will likely arrive in court. The main advantage of having Google Analytics is data comparison, allowing website administrators and owners to manage data with Google records for a better understanding on who visits their websites, where they can adjust the site’s products or messages to focus on a particular group of visitors. Two years ago, Google suggested to German officials that removing parts of a visitor’s IP address, the Internet Protocol number designated to each online connection, would help make data more private, and the US-based online company has not changed its stance. However, Johannes Caspar, Hamburg’s privacy commissioner, announced on the German Press Agency that the US Internet giant is taking things lightly by not providing more secure methods to solve the problem. As the representative for all 16 state privacy commissioners in handling Google negotiations, Caspar said, “About 10 per cent of web users are not being included.” The German privacy commissioner announced that he would bring up the issue on an upcoming conference among state commissioners, and make a proposal to let the court decide on the necessary steps to handle the problem. [Source] See also: [SKorean police say Google violated laws] and [Former F1 boss makes EU privacy case over tabloid sex-orgy story]

Facts & Stats 

US – More Drivers Let Insurers Track Miles for Discount

A form of car insurance that requires electronic verification of miles driven, in return for a discount, is gaining popularity. These so-called pay-as-you-drive policies – miles are often tracked through a GPS system in the car – are now offered in more than half of the states and are spreading, albeit slowly, despite privacy concerns. Progressive Insurance, which began selling pay-as-you-drive policies in 1998 and now offers them in 27 states, said acceptance was strong among those eligible. “Approximately one in four customers are choosing this,” said Richard Hutchinson, Progressive’s general manager for usage-based insurance. Several factors are driving the growth. One is that the cost of GPS systems and data devices has plunged. For less than $100, companies can buy trackers that simply plug into the diagnostic port required on cars made after 1996. Insurers have also decided to collect less information than they once anticipated. GMAC Insurance, which offers pay-as-you-drive coverage in 35 states, uses the OnStar system in General Motors cars only to confirm miles driven. “Mileage is pretty innocuous,” said Tim Hogan, vice president for national accounts. “When you talk about time of day and speed, people become more concerned.” Initially, the idea was that the insurers would collect data on what streets a driver takes, at what time of day and how aggressively he drives. Insurers would then determine risk based on behavior as well as mileage. Progressive was at the forefront of this movement in the United States, but has reduced the scope of the data it uses to rate drivers – for instance, by excluding location and speed. And it has changed the name of its plan to Snapshot Discount because it sets a discount after 30 days of data collection. After monitoring a driver for six months, it removes the device. [Source]

Filtering 

IN – RIM to Block Porn in Indonesia

Research In Motion said it will filter pornographic Internet content for its BlackBerry smartphone users in Indonesia, following government pressure to restrict access to porn sites or face its browsing service being shut down. RIM “is fully committed to working with Indonesia’s carriers to put in place a prompt, compliant filtering solution for BlackBerry subscribers in Indonesia as soon as possible,” it said in a statement. Indonesia, home to about 2 million BlackBerry users, also asked RIM to open a local server, though RIM says the location of its servers makes no difference to the ability to decrypt the data flow on its devices. [Source]

Finance

US – Banking Industry Criticizes FinCEN’s Proposed Reporting Rules

The banking industry has been sharply critical of the Financial Crimes Enforcement Network’s (“FinCEN”) proposed rules (the “Proposed Rules“) to broaden the reporting obligations of banks and money transmitters for cross-border electronic transmittals of funds (“CBETFs”). Comment letters from the industry have attacked the proposal on various grounds, including that the Proposed Rules are overbroad and that FinCEN is not technologically prepared to utilize the data which would be provided by banks under the Proposed Rules. The banking industry’s main criticism of the Proposed Rules is that requirements for annual reporting of taxpayer identification information for accountholders engaged in cross-border electronic transfers are an unnecessary invasion of privacy that would not collect useful information. In addition, the industry commented that the Proposed Rules would require banks to submit a large volume of reports, but that the information would not provide FinCEN with more meaningful data than it could collect through more limited reporting requirements. Industry commenters also pointed to the fact that FinCEN exceeds current FinCEN data management capabilities and fails to impose adequate standards on law enforcement for data use accountability or security. Other commenters stated their views that the Proposed Rules exceed the limited rulemaking authority provided to FinCEN by Congress in Intelligence Reform and Terrorism Prevention Act of 2004 by imposing overly broad reporting requirements. [Source]

US –Banks to Get Updated Online Authentication Guidelines

The Federal Financial Institutions Examination Council (FFIEC) plans to issue new online transaction authentication guidelines for banks. The guidelines will clarify existing recommendations. The earlier version of the guidelines called on banks to use two-factor authentication, but allowed the institutions to choose their own methods. Some chose measures that did little or nothing to improve security, so the updated guidelines will make it clear what steps the banks need to take. Cyber theft through online transactions has been on the rise over the last few years; the criminals have been targeting small and medium-sized businesses. The thefts have also drawn attention to the need to implement transaction monitoring controls and fraud alert systems. [Source] [Source]

US – Corporate Account Takeover Case Could Set Precedent

Valiena A. Allison, CEO and president of Michigan-based Experi-Metal Inc., says it’s no longer” business as usual” when it comes to online fraud. EMI this week faced its former online banking account provider, Comerica Bank, in U.S. District Court. The crux of the trial: determining who is responsible for the takeover of EMI’s online bank account. The case – the first major ACH/wire fraud incident to actually go to trial – ended Jan. 26. The two parties now await judgment. Although originally framed as a legal showdown over what constitutes “reasonable security,” that question was taken off the table by the court. According to a July 2010 opinion filed by the district judge presiding over the case, “Based the plain and unambiguous terms of the Service Agreement and Master Agreement, the Court finds as a matter of law that Comerica’s secure token technology was commercially reasonable.” But EMI’s attorney, Tomlinson, says the question over reasonable security is a mere sliver of the big picture. “We had three real themes in this case,” he says. The themes include:

  • Approving a wire transfer that was allegedly authorized by EMI’s controller, even though the controller was not authorized by EMI to approve or initiate wire transfers;
  • Comerica’s acceptance of a wire transfer that was not initiated in accordance with industry standards;
  • Comerica’s lack of adequate fraud-detection and monitoring tools.

“This not just about a lack of authorization, but that Comerica failed to have any monitoring, with respect to the payments,” Tomlinson says. “As a result, a customer who had made zero transfers in 19 months suddenly made 90 in one day.” That should have been a red flag, Tomlinson and Allison say. “Under the FFIEC, monitoring is the industry standard,” Tomlinson says. “Nearly all of the top 40 banks monitor. Comerica, being the 31st biggest bank in the country, should have monitored those transactions.” [Source

US – Survey on PCI: How It’s Impacting Network Security

A survey of 500 information technology professionals with responsibility to assure compliance with the Payment Card Industry (PCI) security standard shows just over half find it “burdensome but necessary” in their organizations and about a third see it impacting their virtualized network environments in particular in the future. The survey was sponsored by Cisco to gauge attitudes toward PCI, its cost to organizations that need to achieve PCI compliance and where future security changes are now under consideration. The survey indicated about 85% were confident their organizations were prepared to pass a PCI audit but at the same time about a third indicated they anticipated making changes to their virtualized networks, such as using firewall and intrusion-protection systems as virtual security appliances, to meet future PCI compliance needs. Although the PCI mandate applies specifically to how payment-card data is secured and stored, the security standard, which is set by the PCI Security Standards Council, appears to be having the effect of influencing security in general across the organization. “A whopping 60% were using point-to-point encryption to simplify their compliance efforts and possibly reduce the scope of their next PCI assessment,” Cisco’s survey results state. The PCI mandate is impacting plans for how virtualized networks will be secured as well. When asked, “How do you anticipate needing to change your virtualized environment to meet PCI compliance?” about a third replied they would need to add virtual security appliances, such as firewall and IPS, in order to meet PCI 2.0 compliance, while a third also wanted to “further harden our virtualization software.” [Source] See also: [Mint.com helps you stay on track, but at what risk? ] and [Newfoundland: RCMP warns of slick credit card scam by fraudsters]

FOI 

US – Republican Congressman Proposes Tracking Freedom of Information Act Requests

Representative Darrell Issa calls it a way to promote transparency: a request for the names of hundreds of thousands of ordinary citizens, business executives, journalists and others who have requested copies of federal government documents in recent years. Mr. Issa, a California Republican and the new chairman of the House Committee on Oversight and Government Reform, says he wants to make sure agencies respond in a timely fashion to Freedom of Information Act requests and do not delay them out of political considerations. But his extraordinary request worries some civil libertarians. It “just seems sort of creepy that one person in the government could track who is looking into what and what kinds of questions they are asking,” said David Cuillier, a University of Arizona journalism professor and chairman of the Freedom of Information Committee at the Society of Professional Journalists. “It is an easy way to target people who he might think are up to no good.” [The New York Times] See also: [NYT: Documents Open a Door on Mideast Peace Talks] and [Wikileaks: A True Test of the Cloud

US – Wikileaks, Twitter, and Our Outdated Electronic Surveillance Laws

CATO Institute Opinion: The U.S. government last month demanded records associated with the Twitter accounts of several supporters of WikiLeaks-including American citizens and an elected member of Iceland’s parliament. As the New York Times observes, the only remarkable thing about the government’s request is that we’re learning about it, thanks to efforts by Twitter’s legal team to have the order unsealed. It seems a virtual certainty that companies like Facebook and Google have received similar demands. Most news reports are misleadingly describing the order [PDF] as a “subpoena” when in actuality it’s a judicially-authorized order under 18 U.S.C §2703(d). Computer security researcher Chris Soghoian has a helpful rundown on the section and what it’s invocation entails, while those who really want to explore the legal labyrinth that is the Stored Communications Act should consult legal scholar Orin Kerr’s excellent 2004 paper on the topic. As the Times argues in a news analysis, this is one more reminder that our federal electronic surveillance laws, which date from 1986, are in dire need of an update. Most people assume their online communications enjoy the same Fourth Amendment protection as traditional dead-tree-based correspondence, but the statutory language allows the contents of “electronic communications” to be obtained using those D-orders if they’re older than 180 days or have already been “opened” by the recipient. Unlike traditional search warrants, which require investigators to establish “probable cause,” D-orders are issued on the mere basis of “specific facts” demonstrating that the information sought is “relevant” to a legitimate investigation. Fortunately, an appellate court has recently ruled that part of the law unconstitutional -making it clear that the Fourth Amendment does indeed apply to email. a mere 24 years after the original passage of the law. The D-order disclosed this weekend does not appear to seek communications content-though some thorny questions might well arise if it had. (Do messages posted to a private or closed Twitter account get the same protection as e-mail?) But the various records and communications “metadata” demanded here can still be incredibly revealing. Unless the user is employing anonymizing technology-which, as Soghoian notes, is fairly likely when we’re talking about such tech-savvy targets-logs of IP addresses used to access a service like Twitter may help reveal the identity of the person posting to an anonymous account, as well as an approximate physical location. The government may also wish to analyze targets’ communication patterns in order to build a “social graph” of WikiLeaks supporters and identify new targets for investigation. (The use of a D-order, as opposed to even less restrictive mechanisms that can be used to obtain basic records, suggests they’re interested in who is talking to whom on the targeted services.) Given the degree of harassment to which known WikiLeaks supporters have been subject, easy access to such records also threatens to chill what the courts have called “expressive association.” But unlike traditional wiretaps, D-order requests for data aren’t even subject to mandatory reporting requirements-which means surveillance geeks may be confident this sort of thing is fairly routine, but the general public lacks any real sense of just how pervasive it is. Whatever your take on WikiLeaks, then, this rare peek behind the curtain is one more reminder that our digital privacy laws are long overdue for an upgrade. [Source] See also: [CATO: The Sun Never Sets on the PATRIOT Act] and [The New York Times: 1986 Communication Privacy Law Outdated For Cloud Age]

CA – Privacy Association Hopes to See IBM Contract

The B.C. government must hand over an unedited copy of its $300-million contract with IBM to a privacy group – just 24 hours after the government awarded another multi-million-dollar contract to the computer services company. Vincent Gogolek, policy director of the B.C. Freedom of Information and Privacy Association, said Monday he suspects the government will deliver the hefty copy today – as it was ordered to do in late November. However, the “insanity” of a six-year battle so far suggests the government might choose instead to take an adjudicator’s ruling to B.C Supreme Court for a judicial review, he said. The association claimed a huge victory over “government secrecy” more than a month ago when B.C.’s privacy commissioner ordered the Citizens’ Services Ministry to release its full IBM workplace services agreement. Since the association began fighting for a copy of the contract in 2004, it has garnered about 483 pages of it – more than half. Information and Privacy commissioner Elizabeth Denham said recent decisions that both the Vancouver Island Health Authority and the Ministry of Citizens’ Services must disclose commercial and financial details of two outsourcing contracts demonstrate that public agencies should consider routine disclosure of these types of contracts with private service providers. Despite this, the government has continued to argue that releasing the full IBM contract would threaten its security systems and B.C.’s economic interests, as well as the business interests of IBM. However, in a 13-page ruling, adjudicator Michael McEvoy strongly disagreed with the government. [Source

US – Consumer Product Safety Commission to Launch Public Database of Complaints

The federal government is poised for the first time to make public thousands of complaints it receives each year about safety problems with various products, from power tools to piggy banks. The compilation of consumer complaints, set to be launched online in March by the Consumer Product Safety Commission, has been hailed by consumer advocates as a resource that will revolutionize the way people make buying decisions. But major manufacturing and industry groups have raised concerns about the public database, saying it may be filled with fictitious slams against their brands. Competitors or others with political motives could post inaccurate claims, business leaders say, and the agency will not be able to investigate most of the complaints. Arguing that this could present a new burden in an already difficult economic environment, they are working behind the scenes to delay or revamp the project. “We’re not opposed to a database,” said Rosario Palmieri, vice president of the National Association of Manufacturers. “We’re opposed to a database that’s full of inaccurate information.” Agency officials say they have built in safeguards to prevent such abuse and have carefully balanced the interests of consumers and manufacturers. The database, which is scheduled to be launched March 11, will be available at www.saferproducts.gov. [Source]

Health / Medical 

CA – Ontario Recruiting for Massive Health Study

Researchers in the province of Ontario have embarked on the largest long-term health study ever conducted in North America. An initial research phase involving 8,000 adults in three different communities in Ontario is complete and the Ontario Health Study is now beginning the main phase, which will follow the health of adults in the province for the rest of their lives. Study organizers have kicked their recruitment efforts into high gear with advertising, posters, tweets and Facebook updates being used in an attempt to recruit around 2 million volunteers (around 20% of eligible adults in the province). [Source] See also [Canadian woman denied entry to U.S. because of suicide attempt]

Horror Stories 

WW – 2011 Starts with a Reminder that Privacy Breaches Cause Harm

The first three breach posts of 2011 all involved insiders, and they all caused harm:

  • A breach report by Kinetic Concepts, Inc. (KCI) that a call center employee with authorized access to a database of customer information misused some customers’ payment card information for fraudulent purposes;
  • A court opinion that reveals how a former employee of the Social Security Administration exceeded his authorized access and obtained information about women he was romantically interested in; the women felt scared and unsettled at what he knew about them and that he just showed up at their homes when they had no idea how he got their address or details;
  • A story about how an employee of Moniker/Oversee.net domain registrar misused his authorized access to a database and for personal reasons, contacted the employer of a customer to reveal that their employee had registered a domain with a “sucks.com” domain name – even though the customer had enrolled for WHOIS privacy protection.

Each of the situations represents a different type of harm, but they all involve harm. All of these privacy breaches are insider security breaches that are not just human error. They are not the kinds of security breaches that tend to make major headlines in the mainstream media because they involve only one or a few individuals, but they serve as a timely reminder that breaches cause harm and our current legal system does not always recognize the harm or compensate victims adequately. [Source] [Top 10 Data Breaches of 2010] and [Statistics Canada mum on data breaches involving Canadian citizens] [Security lapses at Stats Can]

WW – Trapster Hack May Have Exposed Millions of iPhone, Android Passwords

Millions of e-mail addresses and passwords may have been stolen from Trapster, an online service that warns iPhone, Android and BlackBerry owners of police speed traps, the company announced. California-based Trapster has begun alerting its registered users and has published a short FAQ on the breach. “If you’ve registered your account with Trapster, then it’s best to assume that your e-mail address and password were included among the compromised data,” the FAQ stated. But in the next breath, Trapster downplayed the threat, saying it wasn’t sure that the addresses and passwords were actually harvested. And when replying to follow-up questions today, Trapster claimed that not all its 10 million users were at risk. Trapster said it has rewritten the service’s code to prevent similar attacks in the future, and has “implement[ed] additional security measures to further protect your data.” The company did not spell out what those measures were, however. [Source

CA – Privacy Czar Orders Ottawa Hospital to Tighten Rules on Personal information

The Ottawa Hospital has again been ordered by Ontario’s privacy commissioner to examine its rules and practices relating to personal health information, following another electronic breach of a patient’s medical records. Information and Privacy Commissioner Ann Cavoukian says in a report that the hospital failed to comply with certain elements of a revised policy. Cavoukian asked the hospital to consider changes following a breach in 2005 that was “strikingly similar” to one she recently investigated. Cavoukian says the hospital failed to inform a patient of any disciplinary action against Allan (she was suspended for three days without pay and ordered to undergo privacy re-training and counselling), did not report the breach to the appropriate professional regulatory college, and did not follow up as it was supposed to with an investigation to determine if policy changes were required. Cavoukian also concludes “the actions taken to prevent the unauthorized use and disclosure by employees in this hospital have not been effective” and fail to comply with a section of the Personal Health Information Protection Act. She also says her directives in the report “speak to the cultural shift that is required in order to effect a change in attitude about patients’ privacy in the Ottawa Hospital.” [Source] See also: [CA – Privacy Breach at Bruyere Clinic]

US – OCR Patient Data Breach List Hits 225

The number of entities reporting breaches of unsecured protected health information (PHI) affecting 500 or more individuals has hit 225. The web site was born out of HITECH and has been live since February 2010. OCR says the breach reports date back to September 2009. Hence, it’s been about 17 months since OCR has accepted the reports. It amounts to about 13 reports filed per month, or 0.44 per day. The OCR breach notification website also reports the following numbers:

  • 10 – Number of reports affecting more than 100,000 individuals, or 4.4% of breaches.
  • 4 – Number of reports affecting between 50,000 and 99,999 individuals
  • 6 – Number of reports affecting between 25,000 and 49,999 individuals
  • 27 – Number of reports affecting between 10,000 and 24,999 individuals
  • 61 – Number of reports that involve a laptop, or 27.1 percent.

HITECH’s breach notification interim final rule is still in effect. OCR has been close to signing off on a final rule before it pulled it out of the hands of the Office of Management and Budget (OMB) for further review. [Source

US – UConn Reports Data Breach of Online Retail Site

An online retail site at University of Connecticut is warning thousands of customers that their billing information may have been hacked. The information was exposed when a hacker managed to breach the HuskeyDirect.com database, which has billing information for about 18,000 customers who use the site to buy Husky-branded sports items from the UConn Co-op. The Co-op acts as the university’s bookstore but is a run as a separate, member-owned non-profit group. The information includes names, addresses, e-mail addresses, credit card numbers, expiration dates and security codes. The retail site is managed for the co-op by an unnamed third-party vendor. It was this vendor that alerted the co-op about the attack, according to a statement issued by the co-op on Jan. 11. In a separate FAQ, the co-op says the Web site vendor reported that the hacker had compromised an administrative password to gain access to the encrypted credit card data. “The hacker appears to have unencrypted that data,” according to the FAQ. The credit card information was encrypted, but the hacker appears to have unencrypted that data. The co-op’s first response was to order the Web site shut down, and pull the database offline. It then notified the customers, and “is in the process of arranging for credit protection” for them. The breach only affects those who made online purchases of items on the HuskyDirect Web site. [Source] See also: [US: Three fired at Tucson hospital for violating patients’ privacy] and [Security lapses at Stats Can] and [Michael Poer: Privacy: Linking Damage Awards to Values]

Identity Issues 

WW – Security Alert on Facebook’s New Privacy Setting ‘Instant Personalization’

Facebook does share your information with so-called partners (more like clients) and non-Facebook websites for advertising and other purposes. This is no longer a secret with the introduction of a new privacy setting that spells it out for you in plain English. The setting is cleverly called ‘Instant Personalization’ and is automatically set to enable sharing of your information. However, you can secure your privacy and disallow your information from being shared (even if Facebook buried the option to do so deep). The procedure to maintain privacy in your Facebook account is simple but your friends must do it as well or your information will be shared regardless of your preference not to have it so. [Source, details and instructions] See also [U.S. eyes Internet user ID system] [What Your Facebook Profile May Be Telling ID Thieves] and [Facebook Would Love to Go to Court to Protect a User’s Privacy] [Tapscott: Social media’s unexpected threat]

WW – Facebook Disables Ability to Share Home Address With Apps

Facebook is temporarily disabling the feature that lets users share their mobile number and address with third-party app developers, following privacy concerns. Facebook announced third-party app developers could access a user’s home address and mobile phone number that they have on their profile when they agree to download an app. However, following criticism over privacy protection from users and security experts, Facebook has decided to temporarily disable this feature and make some changes in order to ensure that users only share this information when they clearly intend to do so. Facebook noted that the feature was made to allow users to share their mobile number and address with a shopping site to streamline the purchasing process or sign up for text alerts on special deals. However, the new feature raised fears that users may grant permission to share their home addresses with third-party app developers without realising. Some were worried it could be a new way for scammers to gain access to such personal information of Facebook users. “The ability to access users’ home addresses will also open up more opportunities for identity theft, combined with the other data that can already be extracted from Facebook users’ profiles.” [Source] [Facebook backs down over address and mobile information

WW – Facebook Lets Users Prove Their Identity by Identifying their Friends

Facebook has launched a pair of new security features — “social authentication” and “secure connection” — each designed to prevent hackers from gaining access to user profiles and private data on the world’s largest social network. With social authentication, users will be asked to identify photos of their friends in order to prove their identity. The thinking is that while a hacker might be able to figure out a user’s password, they won’t be able to identify that person’s friends. Facebook describes the social authentication technology as an upgrade over the ubiquitous “captcha” challenge-response tests employed by other sites on the Web. Captcha tests are often used on online forms and at the check outs of e-commerce sites to prove that the user is in fact a human being, and not a computer or bot attempting to manipulate the system. However, Facebook believes the technology is sometimes difficult to understand — anyone who has ever tried to use captcha knows that sometimes it takes a couple of attempts to even read the words contained in the box — and is still vulnerable to human hackers. Facebook said the new social authentication technology will be used to verify a user’s identity in the event of suspicious activity on the account. Facebook is also going to allow users to conduct all of their interactions with Facebook over an HTTPS connection. Facebook said the new secure connection feature will be rolled out to all users over the next couple of weeks and that users who want to use HTTPS connections exclusively can make the change on their Account Settings page. Facebook said the plan is to offer HTTPS as a default whenever anyone is using Facebook “sometime in the future.” [Source] See also: [Japan: EDITORIAL: ID number system] and [CA – Privacy concerns surround ID scanners] and [‘Anonymous’ movement views Web hijinks as public good, but legality is opaque] and [The wrong kind of sharing: Mark Zuckerberg’s Facebook page hacked] and [Healthcare assistant ‘Kate Middleton’ banned from Facebook] and [Facebook Wins Relatively Few Friends in Japan] [Social media in Indonesia: Eat, pray, tweet: Who will profit? – The Economist] 

US – Jury Acquits Mocek of All Charges in TSA Airport Identification Protest

A Seattle man has been acquitted of all charges brought against him when he refused to show ID to TSA officials and videotaped the incident at an airport security checkpoint. Prosecutors’ case against Phil Mocek was so weak that he was found not guilty without testifying or calling a single witness. Friday’s acquittal was the first time anyone has “successfully challenged the TSA’s assumed authority to question and detain travelers.” Mocek’s video, shot in November 2009 at the Albuquerque International Airport, portrays a passenger politely refusing officers’ request that he show ID and stop videotaping his encounter with them. Watch the video. But as the six-woman jury in New Mexico’s Arizona’s Bernalillo County Metropolitan Court made clear, Mocek isn’t in trouble. They returned not guilty verdicts for charges that included concealing his identity, refusing to obey a lawful order, trespassing, and disorderly conduct. along: That checkpoint staff have no police powers, that contrary to TSA claims, passengers have the right to fly without providing ID, and yes, passengers are free to video record checkpoints as long as images on screening monitors aren’t captured. “Annoying the TSA is not a crime,” the blog post states. “Photography is not a crime. You have the right to fly without ID, and to photograph, film, and record what happens.” [Source] [Source] [Source] [The TSA’s Worst Nightmare: The Seattle frequent flyer finally gets his day in court] [Phil Mocek: TSA Demand for ID all About Airline Revenue] and see also: [Michigan - ID Required to Enter Detroit Public School Buildings] See also: [Jesse Ventura files lawsuit against DHS and TSA Screening Procedures] and [Privacy advocates, Boise State expert say no thanks to federal government ID] and [CATSA offers apology for humiliating cancer survivor at airport ] and [Ralph Nader: “The TSA is a basketcase, collectively” ] [US officials say airport scanners ‘erode rights’ ] and [Key lawmaker wants to limit full-body screening at airports] and [The Stripping of Freedom: EPIC vs. DHS on TSA Body Scanners EPIC vs. DHS on the Stripping of Freedom and TSA naked body scanners]

Internet / WWW 

WW – Beware Shortened URLs, Geo-Location in Social Media

Security vendor McAfee is warning of a rising security risk in 2011 in the 3,000 shortened URLs generated per minute for use on social media sites such as Twitter. With the growing phenomenon that is social networking and instant communication, the popularity of shortened URLs in a limited character space is a ripe opportunity for cyber criminals. “People click on things and they really don’t know where they’re going to go, or what they’re going to get.” It’s an incredibly lucrative business for hackers, who can easily drop malware on unsuspecting Twitter users in order to reap private information. Another risk, also pertaining to social media, is the increased hacker attention to geo-location services such as Foursquare, Gowalla and Facebook Places that track and publish the whereabouts of users. Cyber criminals can easily determine a user’s interests based on geo-location information and launch specific targeted attacks at that person. It’s a vector attack that’s particularly alluring for well-funded organized crime. Social media aside, McAfee also predicts that 2011 will be the year when hackers up the ante on Mac-targeted attacks given the popularity of Apple devices such as the iPhone and iPad. So far, the primary mobile threat to Apple devices has been “jailbreaking” – when users are able to remove usage and access limitations set by Apple – but that’s about to change. [Source]

Law Enforcement 

US – California Court: Cops Can Search Texts Without Warrant

The California Supreme Court ruled that police do not need a warrant to search a cell phone carried by someone under arrest. The justices determined a Ventura County deputy had the right to conduct a warrantless search of the text messages of a man he had arrested on suspicion of participating in a drug deal. The state court ruled 5-2 that U.S. Supreme Court precedent affirms that police can search items found on defendants when they are arrested. However, the San Francisco Chronicle reported that in 2007, U.S. District Court Judge Susan Illston ruled that police could not search the cell phones of drug defendants without a warrant. The Ohio Supreme Court also found in 2009 that police did not have that right. California Deputy Attorney General Victoria Wilson, who represented the prosecution in the case decided Monday, told the newspaper the split opinions in California and Ohio could lead the U.S. Supreme Court to weigh in on the cell phone issue. The California Supreme Court decided the loss of privacy upon arrest extends beyond the arrestee’s body to include personal property. Authorities can not only seize items but also can open and examine what they find, the ruling said. [Source]

Location

US – Lawmaker Seeks to Protect Device Location Privacy

A US legislator plans to introduce a bill that would require law enforcement agencies to obtain a warrant before requesting location-based data from mobile devices. Senator Ron Wyden (D-Oregon) is concerned about citizens’ privacy. [Source] [Source]

CA – Calgary Airport Wi-Fi Abuses Privacy: Traveller

A Calgarian who is a frequent air traveller wants to know why he should provide personal information to use Wi-Fi at the airport. One of the options for logging on to the Wi-Fi network at the Calgary International Airport involves hooking up through Facebook. Users hooking up through Facebook must agree to provide access to the personal information on their Facebook accounts. “It just seemed a completely ridiculous request and one that I just wasn’t prepared to accept,” said Andrew Burton, a Calgarian and a frequent traveller who contacted the CBC about the issue. A Calgary airport spokesperson wouldn’t comment on Monday except to say it’s the policy of the airport’s third-party provider, Boldstreet Wireless. Boldstreet said users’ information is safe. President and CEO Tom Camps said the company provides the airport with a demographic breakdown of who is using the service. [Source

US – ‘Find Your Car’ System in US Gaining Fans Amidst Privacy Concerns

Santa Monica Place in US has installed the nation’s first camera-based ‘Find Your Car’ system, which can help absent-minded shoppers locate their vehicles. Shoppers who have lost track of their vehicle amid a maze of concrete ramps and angled stripes can simply punch their license plate number into a kiosk touch screen, which then displays a photo of the car and its location. But the new system has also brought out privacy concerns, with people questioning if the array of 24/7 surveillance cameras could be worth the loss of privacy. Steven Aftergood, a senior research analyst at the Federation of American Scientists, which studies national security issues, said people should understand that the technology is being forced upon them. “What should give people pause is that this technology is advancing upon us without anyone having chosen it,” Aftergood said. “We have not decided as a society or as individuals that we want this convenience. It is being thrust upon us,” he stated. “The unintended consequences can be huge.” [Source]

Online Privacy

US – D.C. Judge Blocks Release of TSA Body Scan Images

The U.S. Department of Homeland Security has shielded from public review 2,000 whole-body scan images, a federal judge in Washington said in a public records suit. The Electronic Privacy Information Center sued in the U.S. District Court for the District of Columbia to force DHS to turn over the images and other documents. The Washington-based privacy center is examining the use of body scanning technology and its implications for civil rights. Lawyers for the center want to review “unfiltered or unobscured” images of volunteers that the body scanning technology captured. The center filed suit in November 2009. DHS officials produced more than 1,700 pages in response to the suit but it withheld 2,000 whole body images and 376 pages of Transportation Security Administration training materials. The images were created to test the degree to which the body scanners met the government’s detection standards, government lawyers said. Judge Ricardo Urbina of Washington’s federal trial court said the government has no obligation under the Freedom of Information Act to produce the images to the plaintiffs. The center’s lawyers were not immediately reached for comment this morning on the ruling. U.S. Justice Department lawyers said in response to the demand for the images that their release “would constitute a threat of transportation security” by revealing certain vulnerabilities of body-scanning technology. The images, DOJ lawyers also said, are internal records that are not subject to public disclosure. Lawyers for the privacy center, John Verdi and Marc Rotenberg, said in court records that the government has already produced a limited number of body scanner images to the public and therefore there’s no justification for blocking further disclosure. The attorneys said there is a substantial public interest in the release of the images. “The body scanner program is presently the subject of substantial debate in Congress, between international delegations, and in the media,” the center’s lawyers said in court papers in June. “Central to the dispute is whether the TSA can store and record detailed images of naked air travelers at US airports without any privacy filters. The TSA contends that it would not do this, but the agency possesses 2,000 relevant images and refuses to release any.” In his 15-page ruling, Urbina said the privacy center has provided no basis for the court to question the government’s “reasonable conclusion that disclosure of the images may provide terrorists and others with increased abilities to circumvent detection by TSA and carry threatening contraband onboard an [airplane].” [Source] [Source]

CA – Canadian Sues Google Over Data-Sharing Program

A Manitoban is suing Google for unspecified damages in a class-action suit over alleged problems with the launch of Google’s Buzz program earlier this year. It took information from user email and integrated it with social networking accounts like Facebook. Lawyer Norman Rosenbaum is acting for Tyler Wereha, of Rosa, Manitoba. Rosenbaum alleges that even though Google told users on Feb. 9 they had a choice whether or not to activate Buzz, Google automatically activated it on users’ Gmail accounts. “It’s a breach of privacy,” Rosenbaum said. “It automatically affected all of your followers. Even if you said you didn’t want to have your email list forwarded, it did it anyway.” The statement of claim, filed in Manitoba Court of Queen’s Bench, alleges anyone who has exchanged at least one email with a person could add that person to their Buzz “following” list and immediately see private information, including the user’s profile, Buzz posts and follower and followings lists. Information available to everyone “following” the user could contain the user’s occupation, where they live and contact information. The lawsuit asks the courts to put a permanent injunction on Google, preventing it from operating Buzz in “a deceptive and unfair manner whereby causing the unwanted disclosure of personal information.” Because it’s a class-action suit, other complainants can sign on. [Source

WW – Dating Site Believes It’s the ‘Facebook of the Dating World’

A U.S. online dating company hopes to be the “Facebook of the dating world” by creating profiles for non-registered individuals based on publicly available information online, including social networking sites. Gotham Dating Partners Inc., a New York City-based dating company behind such websites as PrisonHookup.com and UglyPeopleDate.com plans on compiling bits of public information on 300 million people around the world to create profiles. They hope to re-launch the site on Feb. 14 -Valentine’s Day. “We are the Facebook of the dating world,” he continued. “We are not doing anything malicious. It’s no different than what Facebook does. We are accessing the same public records.” Gotham will build profiles of public information from social networking sites, such as Facebook and MySpace, mailing lists, marketing surveys, marriage and divorce records, government census records, real estate listings and personal and business websites. Once the information is posted, a person can delete or update their profile for free but will be charged a fee if they want to contact any other member, Jordan said. If the profile lists the person as single, their profile will automatically be added to the dating section of Gotham’s site. David T.S. Fraser, a privacy lawyer with McInnes Cooper in Halifax told the Star that Gotham’s initiative would violate Canadian privacy laws since anybody engaged in commercial activity would have to have consent from the individual to use or disclose personal information. And in terms of a person’s public information on a site like Facebook, the information can only be used for the purpose for which it would have been made available in the first place, Fraser said. Fraser said Gotham and Facebook differ in how they gather information. Information on Facebook profiles are submitted by users themselves, while Gotham’s model includes the site itself gathering the information online, and the user then updating or deleting information. [Source] See also: [OkCupid Profile Fraud Is The Crime You’d Never Expect

WW – Spokeo Raises Privacy Concerns For Celebrities: No Privacy from Fans

Spokeo is raising some eyebrows in the electronic world today with their new service. As people realize this website is an one-stop shopping opportunity to find out anything and everything about an individual, they are asking if it goes too far. Boasting “it’s not your grandma’s phone book” the website mills and then publicizes information about an individual found online. According to the website, it doesn’t share Social Security numbers, driver’s license numbers or bank account information, but that doesn’t stop it from telling everything else including your astrology sign to anyone who asks. If you don’t think Spokeo knows about you, take a minute to go over to the website and type in your name. If you have a Facebook page, ever subscribed to anything or even typed your name into a form online, there is a good chance you too have a file over there waiting to be read by the world. [Source

WW – Facebook ‘Sponsored Stories’ Turn You into the Ad

Your clicks of Facebook’s “Like” button and check-ins at restaurants, stores and other establishments are already valuable marketing material. Now Facebook is letting companies and individuals buy the right to republish those actions to your friends in ads – including your name and profile photo – on the social network’s site. Called “Sponsored Stories,” these ads look like the other small ads that adorn the right side of the screen (which can already feature your name if you’ve Liked the product in question). In this case, as a video posted to Facebook’s marketing page explains, the ad will simply recycle your check-in or Like as an ad labeled “Sponsored Story.” In the video, Facebook developers explain how the format works and how it lets advertisers get around one disadvantage of people’s check-ins and Likes showing up in the usual News Feed: “a lot of impressions do get lost because there’s so much content coming through.” One staffer also makes an important point that is already getting lost in debates about this: “A sponsored story never goes to somebody who’s not one of your friends.” [Source] See also: [What Happens to Your Digital Life When You Die?

EU – Facebook Makes Deal With German Privacy Group

Facebook, facing potential fines for violating strict privacy laws in Germany, has agreed to let users in the country better shield their e-mail contacts from unwanted advertisements and solicitations it sends. Facebook, which has more than 10 million users in Germany, agreed to modify its Friend Finder service to let Germans better block its ability to contact people, including non-Facebook users culled from a user’s e-mail address books. Tina Kulow, a Facebook spokeswoman in Hamburg, said users in Germany would now be advised that the site could send solicitations to people on their mailing lists, should they choose to upload their address books to Friend Finder. [The New York Times

WW – Google and Mozilla Announce “Do Not Track” Browser Features

Google has announced a new feature for its Chrome browser that lets users opt out of tracking cookies from several online ad networks. Just two months ago, the US Federal Trade Commission called for a do not track mechanism like the “Do Not call” list, that would let users choose whether their personal data are collected. Mozilla recently said it is looking into adding a similar feature to Firefox. [Source] [Source] [Source] [The Wall Street Journal: Web Tool on Firefox to Deter Tracking] [Google to Debut Chrome “Do Not Track” Tool]

Other Jurisdictions

LV – New Latvian Data Protection Law to Take Effect February 1

The law was passed in October 2010 in the wake of a major security breach of online financial and tax records from the State Revenue Service. The legislation also creates a new Cyber-Security Response Agency. This marks the first legislation in this Baltic nation that puts a new IT security head at the top of every state institution.This official will also have to check the systems for any vulnerability to threats by hackers and viruses at least once a year and make sure that no files are lost in case of emergency or natural disaster. “We will establish the minimal standards for every state and every local government institution in IT security,” said Maris Andzans, the head of the Consultative Council on Security of Electronic Communications and IT, and one of the officials involved in drafting of the legislation. He adds that while the country has fire safety rules, but there have been no such laws for the use of digital information. In order to ensure that the officials follow and obey the rules, two present computer security prevention institutions will be merged into a new Cyber-Security Response Agency. [Source

IS – Israel: Child Welfare More Important Than Privacy Laws

The welfare of children must take precedence over the right to privacy, lawmakers concluded, giving the government 14 days to complete legislation that would demand its ministries share information pertaining to children at risk. [Source] See also: [Uganda: Uganda Court Bans Outings by Media and Women protest bra checks]

Privacy (US)

US – Supreme Court Limits Privacy Rights Of Federal Contract Workers

The Supreme Court has upheld the personal background checks now required of scientists and thousands of others who work under government contracts, ruling that questions about drug use and other personal matters do not violate their privacy rights under the Constitution. In the wake of the 9/11 attacks, the Bush administration extended the use of background checks to those in companies and universities who worked on government-funded projects. A group of 28 veteran scientists and researchers at NASA’s Jet Propulsion Laboratory in La Canada Flintridge, Calif., sued, contending the prying questions violated their privacy rights, and they won before the U.S. 9th Circuit Court of Appeals. But the high court unanimously reversed that decision this month and said that backgrounds checks, long standard for federal civilian employees, were reasonable for government contract workers as well. Writing for the court, Justice Samuel A. Alito Jr. agreed it would raise true privacy concerns if the government were to pry into the private lives of ordinary citizens. But the government has “wide latitude,” he said, “in its dealings with employees.” [Source]

US – List of Online Tracking Class Action Lawsuits in 2010

Review of important class action lawsuits about online tracking in 2010:

[Source] SEE ALSO: [Is 2011 the Year of a Digital Privacy Revolution?

US – What’s in a Word: Does ‘Personal Privacy’ Extend to Corporations?

Telecom giant AT&T wants “personal privacy” protections applied to businesses, just as they have long been granted to individuals. At issue is whether corporate “personhood” extends to the Freedom of Information Act, which exempts the public release of government documents that invade personal privacy. The company wants material gathered by a federal agency during a consumer investigation to be kept secret. Several justices seemed deeply skeptical of the company’s claims for relief. Citing “dozens and dozens” of examples in a study of government bureaucracy, Justice Ruth Bader Ginsburg said that “overwhelmingly, ‘personal’ is used to describe an individual, not an artificial being.” “Can you give me any examples in common usage where people would refer to the ‘personal privacy’ of a corporation?” asked Justice Antonin Scalia. “It’s a very strange phrase to me.” But others on the bench were not willing to say personal privacy applies only to a single human being. Beyond interpreting the meaning of personal privacy, the court may also have to wrestle with defining or redefining “corporate,” either as an association of citizens with extended, shared rights, or as a state-chartered entity with its own separate, competing rights apart from those of its members. Such interpretation was key to the high court’s controversial campaign finance ruling a year ago, in which the conservative majority gave corporations greater power to spend freely in federal elections, overturning a federal law that had imposed strict limits. The court said corporations had to be treated as “persons” when it came to campaign spending, with the same power as individual donors. Now the dispute is whether corporations enjoy similar protections in the privacy context. Liberal groups have complained that the Roberts court has been overly friendly to businesses in recent rulings, at the expense of individual consumers. They want a blanket rule exempting corporations from personal privacy protections. “Congress did not and could not imbue corporations with the dignity interests that FOIA protects when it shields living, breathing human beings from invasions of personal privacy,” said Elizabeth Wydra, chief counsel of the Constitutional Accountability Center. “A corporate charter cannot blush or feel embarrassed by FOIA’s policy of transparency,” The case is FCC v. AT&T Inc. (09-1279). A ruling is expected in the next five months or so. [Source] [Justices Appear Skeptical in AT&T Privacy Case]

Privacy Enhancing Technologies (PETs) 

EU – Germany: Digital Eraser Software Aims to Increase Privacy

Currently only a prototype, a piece of software created by a group of German researchers could help photos automatically disappear from the Internet after an amount of time determined by picture’s owner. Called X-pire, the software would let users give their pictures an expiration date after which the photo would become unrecognizable, said Michael Backes, the software’s creator, and the chair for Information Security and Cryptography at Saarland University. The software, an add-on for the Firefox Web browser, was presented during a conference held by the German Ministry for Consumer Protection. This is the first concrete application since the German interior minister, Thomas de Maiziere, called for a “digital eraser,” as part of a broader German government Internet plan unveiled in June 2010. Data protection officials praised the project for giving the public a way to have more control over what happens to the material they post online. [Source] [Der Speigel: Why ‘Web Erasers’ Can’t Wor 

WW – API Allows Users to Delete Flash Cookies More Easily

Adobe has introduced technology that makes it easier for users to delete local shared objects (LSOs), known as Flash cookies. LSOs store user preferences, but some websites have been using the LSOs to restore user cookies even after users have manually deleted them. Working with Mozilla, Google and Apple, Adobe has developed an application programming interface (API) known as NPAPI ClearSiteData that lets users delete LSOs from the settings panels of certain browsers. [Source] [Source] [Source]

Security 

US – 2010 Annual Security Report Notes Cybercrime Moving Toward Mobile Devices

According to Cisco’s 2010 Annual Security Report, cyber criminals appear to be shifting their focus from Windows machines to mobile devices. Users are falling prey to social engineering scams through social networking, email and even phone calls. In addition, 2010 marks the first year “in the history of the Internet” in which the volume of spam dropped, due in large part to botnet takedowns and increased ISP email restrictions. [Source] [Source] [Source] [The Cisco report

WW – Experts Display Skepticism on IT Security Matters

Experts paint a gloomy picture of global cybersecurity. The EastWest Institute issued a report this week and a poll of participants suggests that the global challenges of cybersecurity are tough ones:

  • 61% anticipate the impact of losing global connectivity for an extended period of time to be catastrophic with irreversible consequences;
  • 66% say a treat on cyber warfare is needed now or is overdue;
  • 66% think home users need to take more responsibility for cybersecurity;
  • 66% view their government’s maturity as low regarding int’l cooperation in cybersecurity;
  • 69% doubt their country could defend against a sophisticated cyber attack; and
  • 70% believe that international policies and regulations are far behind technology advances.

According to the Institute report, Protecting the Digital Economy: The First Worldwide Cybersecurity Summit in Dallas, the current approach to cybersecurity is limited: “We left with the clear impression it could take years to arrive at a global treaty on cybersecurity, since many states are not ready for it – and perhaps never will be.” The solution, the report suggests: Voluntary agreements in the private sector and international standards as avenues to change. “The best approach is to target concrete, specific problems while speaking to the big issues.” [Source] See also: [Tracking Bad Guys Who Enter IT Systems] and [AU – Criminals may be microchipped one day, Mal Hyde tells forum]

Smart Cards 

UK – University Will Not Take Down Chip-and-Pin Vulnerability Thesis

A UK banking lobby group is attempting to censor a student’s thesis on chip and pin system vulnerabilities. In a letter to Cambridge University, The UK Cards Association asked that the thesis be removed from a website because it provides a “blueprint for building a device … to exploit a loophole in the security of chip and pin.” The thesis is an outgrowth of earlier work by Cambridge researchers that was published early last year. Cambridge University Professor of Security Engineering Ross Anderson sent a response, refusing the request, and questioning the right of the University to censor a student’s published work “simply because a powerful interest finds it inconvenient.” Anderson also pointed out that the publication of the earlier research last year resulted in some financial institutions improving their chip and pin systems to mitigate the vulnerabilities. [Source] [Professor Anderson’s response

UK – End of the Road for ID Cards

The much criticised UK ID cards scheme is finally dead and buried after the government revealed on Friday that any cards issued can no longer be used to prove identity or travel within Europe. A brief statement on the Home Office web site explained that the final nail in the coffin would come “within days” when the National Identity Register, the database designed to hold the card details, will be destroyed. “Laying ID cards to rest demonstrates the government’s commitment to scale back the power of the state and restore civil liberties,” said home office minister Damian Green. “It is about the people having trust in the government to know when it is necessary and appropriate for the state to hold and use personal data, and it is about the government placing their trust in the common-sense and responsible attitude of the people.” [Source] [UK: £400k to destroy National Identity Register personal data]

Surveillance

US – BCJ Report: FBI Domestic Spy Powers Too Broad

New restrictions should be placed on the FBI’s power to investigate people and organizations inside the United States suspected of having links to terrorist activity, including requiring agents to get prior written approval before conducting surveillance operations, according to a new report from a nonpartisan public-interest law center. The report, released by the Brennan Center for Justice at New York University School of Law, calls for both Congress and the Obama administration to rein in investigatory powers granted to the FBI in 2008 by then-Attorney General Michael Mukasey. The Obama White House has retained the powers, known as the Attorney General’s Guidelines for Domestic FBI Operations, even though they were written during George W. Bush’s administration. The guidelines allow FBI agents, for example, to initiate surveillance on a person or group inside the United States without first opening a formal investigation and getting approval from a manager and without having probable cause. “Both Congress and the Justice Department should act to ensure vigorous oversight of the guidelines’ use,” the report states. “There must be meaningful internal and external checks on the vast powers the FBI have been granted.” The report does not call for abolishing the guidelines but rather for more oversight to prevent abuses. “The time to act is now–before the guidelines result in widespread and unwarranted intrusions into Americans’ privacy, harmful religious and ethnic profiling, and the divergence of scarce resources to ineffective and indiscriminate collection of information,” the report concluded. [National Journal] RELATED STORIES: [IG launches new probes of domestic surveillance 17 June 2010] and [Justice official keeps mum on privacy rights – Sept 23, 2009] and [Roots of surveillance standoff go back decades

EU – Privacy Study Signals a Worrying Increase in Surveillance Across Europe

The UK improves its privacy performance since 2007 but France is catching up as Europe’s “worst surveillance society.” A landmark EU-wide study of national privacy safeguards published today shows a decline in privacy protection across Europe and a steep increase in state surveillance over the lives of individuals. The year-long study, funded by the European Commission and backed by a 600-page analysis of privacy in 31 countries, was co-authored by the London-based global watchdog Privacy International, the Electronic Privacy Information Center in Washington DC and the Center for Media and Communications Studies of the Central European University in Budapest. The study includes a rating for EU member states and accession candidate countries. This rating pits Britain and Ireland fighting over the bottom of the privacy league. The EPHR project comprises three action areas: (1) Map European privacy laws and recent developments as well as summarise the trends in the light of the right to privacy; (2) disseminate information and publish it on multiple online and offline platforms; and (3) develop innovative awareness-raising campaigns to be launched at the European Data Protection Day on 28th January 2011. The country reports were also translated into native languages. [Source] [Worrying increase in surveillance across Europe] Further information about the project will be found at www.privacyinternational.org/ephr

UK – CCTV Success in 2010

London’s Metropolitan Police Service has released a statement with some statistics supporting the use of CCTV: 2512 wanted people, including suspected murderers and rapists have been successfully identified by the Metropolitan Police Service using CCTV this year. In 2010 specialist teams of video ID investigators identified 574 robbery suspects, 427 people wanted for burglary, 199 for grievous bodily harm, and 23 suspected sex offenders. The overall figure marks a 25% increase on 2009. CCTV hasn’t prevented any terrorist acts and its use in terrorism is all after-the-fact to identify suspects. [Source

CA – Surveillance Cameras in Calgary Useful, Report Finds

Calgary police and bylaw officers are using downtown surveillance cameras about four times a month on average — enough that they should be kept, but not enough that there should be more of them, a new report says. City bylaw officials will tell a council committee that the cameras have not triggered a single privacy complaint since a two-year trial program began in March 2009. Officers have accessed the footage 93 times for investigation or security work. Staff have stopped trying to move around the 16 cameras to emerging crime hot spots because it’s proven tough to keep up, and they’ve concluded the system isn’t used in investigations often enough to warrant buying more electronic eyes. The system has cost $500,000 for the new equipment, and $100,000 to operate. [Source] See also: [Studies Says Webcam Users Under Serious Threat] and also: [Cobourg: CCTV cameras won’t be used to violate citizens’ privacy, chief promises] and also: and [US: Air Force’s ‘All-Seeing Eye’ Gorgon Flops Vision Test] and [US: Privacy issues hover over police drone use] and [AU – Dads banned from filming birth in new privacy clamp down by hospitals] and [Wyoming - Lawmakers propose classroom video surveillance]

CN – Restive Chinese City Put Under Full Surveillance After Ethnic Riots

China is putting a western city where deadly ethnic violence broke out in 2009 under full surveillance, including ensuring “seamless” coverage of sensitive areas of the city with tens of thousands of cameras, state media reported. Security has been tight in Urumqi since tensions between the area’s largely Muslim Uighurs and members of the country’s Han majority flared into open violence in 2009. Uighurs have long resented what they see as an incursion by Han migrants into their ancestral homeland, the Xinjiang region. The government says 197 people were killed in that outbreak of violence, the deadliest in Xinjiang in years. China has sentenced dozens of people for their involvement in the riots, most of them Uighurs. Beijing blamed overseas Uighur groups of plotting the violence, but exile groups denied it. Just before the one-year anniversary of the violence last year, officials said about 40,000 high-definition surveillance cameras with riot-proof protective shells had been installed throughout the region. Nearly 17,000 were installed in Urumqi last year, the state-run Xinhua News Agency reported. It was not clear if that figure was in addition to the one reported last year. The surveillance coverage will continue to grow this year, according to Urumqi Mayor Jerla Isamudinhe. Surveillance is “seamless” — meaning there are no blind spots — in sensitive areas of the city, the report quoted Wang Yannian, who leads the city’s information technology office, as saying. [Source] and also: [D.C. expanding public surveillance camera net

EU – Belgium: Supreme Court Clarifies Key Concepts of Camera Law

In a judgment dated 5 October 2010, the Supreme Court (Hof van Cassatie/Cour de Cassation – the “Court”) clarified certain key concepts of the Law of 21 March 2007 regulating the placement and use of surveillance cameras (the “Camera Law”). The dispute before the court relates to a surveillance camera which recorded a criminal offence. The relevant images were provided to the police and the public prosecutor and later on used as evidence during criminal proceedings. During these criminal proceedings, the accused opposed the use of the images as evidence based on restrictions imposed by the Camera Law. Full discussion by [Mondaq News]

AU – Crime-Fighting Video Camera in Public Toilet Sparks Privacy Complaints

Security cameras that helped cut vandalism in a public toilet have prompted a complaint to the South Australian privacy watchdog. A report by the South Australian Privacy Committee reveals concerns have been raised over “surveillance” by a local council in a public toilet. A Local Government Association (LGA) spokeswoman refused to release the name of the council, but said the cameras had been installed in a male toilet after consultation with the police. The cameras recorded people entering the toilet block as well as rear-view vision of the urinal. “The cameras only record persons entering the toilets and the walls,” an LGA spokeswoman said. The spokeswoman said video recorded by the camera had secured successful vandalism prosecutions and helped reduce graffiti attacks by 90 percent. [Source]

Telecom / TV

IN – RIM Gives India Access but Not to Secure E-Mails

BlackBerry maker Research In Motion said it has given India the means to access its Messenger service and reiterated that no changes could be made to allow monitoring of secure corporate emails. “… No changes can be made to the security architecture for BlackBerry Enterprise Server customers since, contrary to any rumors, the security architecture is the same around the world and RIM truly has no ability to provide its customers’ encryption keys,” the company said. [New York Times] See also: [SKorean police say Google collects emails, other data from Wi-Fi networks

WW – Smartphone OSes Disclose MAC Addresses When Interacting with IPv6

Smartphones interacting with IPv6-based servers have a privacy hole -the IDs they transmit contain unique hardware IDs. The problem lies not in IPv6, but in the smartphones’ operating systems. Devices determine half of their IPv6 addresses themselves, so the operating systems need to be tweaked to generate random IDs. The problem is not currently widespread because IPv6 is not yet in wide use. [Source

AU – Privacy Fears for Phone Data

Police would have access to the telephone records of missing people even when there was no suspicion of criminal activity under a plan that civil liberties activists say could lead to “gross invasions of privacy”. A federal bill to change surveillance laws would give state and federal police the power to inspect records such as call, SMS and data use in the search for missing people. Police could look at records in the period leading up to the filing of a missing persons report. But NSW Police want the bill to include access to all records beyond the date of the missing persons report. Privacy activists fear that would allow police to use technology to monitor people’s movements without their knowledge. [Source]

AU – Privacy Commissioner Investigates Vodafone

Australian Privacy Commissioner Timothy Pilgrim has said that he will investigate the allegations that personal information of Vodafone customers had been exposed. Vodafone fell into hot water following allegations that criminals had been sold access to its sensitive customer database who planned to use the information, which includes voice and SMS logs, to blackmail customers. It was also alleged that other people had obtained the internal log-in to check their spouse’s communications. Pilgrim said he had spoken with Vodafone CEO Nigel Dews, who had promised full cooperation. [Source] [Roger Clarke Q&A: the Vodafone breach

US – NY judge Questions Husband-Wife Calls on Wiretaps

A federal judge demanded the government explain itself for eavesdropping on phone calls between an insider trading defendant and his wife in a case that was celebrated for its use of wiretaps. U.S. District Judge Richard Sullivan in Manhattan ruled in favor of the government’s right to wiretap insider trading suspects, but drew the line at the private chats between a husband and wife, saying it was the only area where he believed some suppression of the evidence might be warranted. He was the second judge to rule in favor of wiretap evidence in insider trading cases. Sullivan ordered the government to respond in writing to claims by a lawyer for defendant Craig Drimal that 13% of his time on phones involved chats with his wife, including “deeply personal conversations about private marital matters.” Drimal has pleaded not guilty. Prosecutors have described the prosecution that resulted in Drimal’s 2009 arrest as the biggest hedge fund insider trading case in history. Among defendants is Raj Rajaratnam, a one-time billionaire founder of the Galleon group of hedge funds who has pleaded not guilty and insisted any trades he made were based on publicly known information. Prosecutors say the insider trading resulted in more than $50 million in profits. The government began wiretapping Drimal, a former Galleon trader, in November 2007. His lawyer, Janeanne Murray, said in court papers that 98.2% of the calls captured by the government and 97.4% of the call-minutes involved non-pertinent conversations. Murray accused the government of a “cavalier disregard for marital privacy,” saying investigators were required to discontinue monitoring if they discovered that they were intercepting a personal communication solely between Drimal and his wife. [Source] [Huffington Post: Do Married Couples Have a Reasonable Expectation of Privacy in Their Email Messages? ] and also: [BC Court: ex-Wife Awarded $40K Over Privacy Violation

US – Cell Phones Used More to Track Criminal Movements

When FBI agents wanted to reconstruct the movements of a rogue New York City cop who staged a $1 million perfume heist in Carlstadt, N.J., last February, they turned to cell phone records to trace his steps. Using a computer mapping program and “call detail” logs obtained from Sprint Nextel, agents plotted the locations of 42 cell sites in Bergen and Hudson counties and New York to track Kelvin L. Jones’ movements as the armed robbery plot unfolded. Jones was convicted last month. Cellular tracking of criminals – including those like Jones who use prepaid mobile phones that can’t easily be traced because there is no subscriber contract — has become a cottage industry for the FBI. The demand for cell site records has mushroomed as the ability to zero in on phones has become more and more precise, drawing criticism from civil libertarians and prompting some courts to take a new look at the legal ground rules for granting access to such data. The ACLU and the EFF say they don’t object to law enforcement using cell-tracking records as long as they get a warrant first. Ultimately, adds the EFF’s Bankston, the uncertainty will continue until either the Supreme Court rules on the issue or Congress steps in and clarifies the law. [Source] See also: [CA – Cellblock audio recorders being installed]

US Government Programs 

US – DoC to Establish National Program Office to Support Trusted Identity Efforts

The US Department of Commerce will establish a National Program Office focused on creating and promoting trusted online identities for Internet users; the effort will support the current administration’s National Strategy for Trusted Identities in Cyberspace (NSTIC) by encouraging the development of interoperable technologies and standards for online authentication. Users would be able to establish a single online identity that could be used across multiple sites with confidence, eliminating the need for remembering a lengthy list of passwords. NSTIC seeks to create an Identity Ecosystem that does not rely on a centralized database and will not be mandatory. The final version of the NSTIC will be released in the next few months. [Source] [Source] [Source] [Source

US – Federal Agencies Must Submit Classified Data Management Reports by End-Month

US federal agencies have three weeks to submit reports to the White House on how they manage and protect national security data. Shortly after the first of the stolen diplomatic cables appeared on WikiLeaks, the White House issued a memo directing all agencies to assess their procedures for ensuring the security of information that has been designated classified. A January 3, 2011 memo from the Office of Management and Budget (OMB) provides compliance guidance for the agencies and includes questions about what agencies are doing to prevent unauthorized information disclosures by disgruntled employees. Agencies have until January 28 to submit internal assessments outlines in the first memo and answer questions in the January 3 memo. [Source] [Source] [Source

US – Color-Coded Terror Warnings to be Gone by April 27

By the end of April, terror threats to the U.S. will no longer be described in shades of green, blue, yellow, orange and red. The nation’s color-coded terror warning system will be phased out beginning this week, according to government officials familiar with the plan. The officials requested anonymity to speak ahead of an announcement scheduled by Homeland Security Secretary Janet Napolitano. The Homeland Security Department and other government agencies have been reviewing the Homeland Security Advisory System’s usefulness for more than a year. One of the most notable changes to come: The public will no longer hear automated recordings at U.S. airports stating that the threat level is orange. The Obama administration will take the next three months to roll out a replacement, which will be called the National Terrorism Advisory System. The new plan calls for notifying specific audiences about specific threats. In some cases, it might be a one-page threat description sent to law enforcement officials describing the threat, what law enforcement needs to do about it and what the federal government is doing, one of the officials said. When agency officials think there is a threat the public should know about, they will issue an announcement and rely on news organizations and social media outlets to get the word out. [Source

US – Defense Dept. Social Media Policy Set to Expire

Social media guidelines set by the US Department of Defense (DoD) last year are set to expire on March 1, 2011. Despite concern that the event might leave the future of social media at DoD ‘in limbo,” a Pentagon spokesperson said that it will not ban the use of social media, noting that “social media tools are pervasive in the 21st century communications environment, and the department intends to fully utilize those capabilities.” Reports up through 18 months ago indicated that the US military was considering a wholesale ban on networking tools because of network security concerns. [Source] [Source] [Source] [Source]

US Legislation 

US – Senator Proposes Mobile-Privacy Legislation

Federal law needs to be updated to halt the common police practice of tracking the whereabouts of Americans’ mobile devices without a search warrant, said Ron Wyden, an Oregon Democrat, who also said it was time for Congress to put an end to this privacy-intrusive practice, which the Obama Justice Department has sought to defend in court. In an luncheon speech at the libertarian Cato Institute in Washington, D.C., Wyden said his staff was drafting legislation to restore “the balance necessary to protect individual rights” by requiring police to obtain a search warrant signed by a judge before obtaining location information. Even though police are tapping into the locations of mobile phones thousands of times a year, the legal ground rules remain hazy, and courts have been divided on the constitutionality and legality of the controversial practice. Wyden’s push to advance Fourth Amendment-like privacy protections through legislation is likely to be met with applause among technology firms. Last March, as CNET was the first to report, a group called the Digital Due Process coalition including Facebook, Google, Microsoft, Loopt, and AT&T as members endorsed the principle of location privacy. One of the coalition’s principles says: “A governmental entity may access, or may require a covered entity to provide, prospectively or retrospectively, location information regarding a mobile communications device only with a warrant issued based on a showing of probable cause.” The Obama Justice Department, on the other hand, has argued that warrantless tracking is permitted because Americans enjoy no “reasonable expectation of privacy” in their–or at least their cell phones’–whereabouts. U.S. Department of Justice lawyers have argued in court documents that “a customer’s Fourth Amendment rights are not violated when the phone company reveals to the government its own records” that show where a mobile device placed and received calls. [Source

US – Indiana Lawmakers to Consider Upskirt Ban

A key Indiana Senate committee will consider a proposed bill by State Sen. Tom Wyss (R-Fort Wayne) that would make it illegal to take or distribute pictures or video of a person’s private areas. The bill would establish the new crime of “Invasion of Privacy by Photography,” a Class A misdemeanor. A crime is committed if a person, with the intent to: (1) gratify the person’s sexual desires; (2) humiliate or embarrass the victim; or (3) publish, transmit, or disseminate the photograph; surreptitiously photographs the private area of an individual under circumstances in which a reasonable person would believe that the individual’s private area would not be visible to the public. The penalty is increased to a Class D felony if the person knowingly or intentionally publishes, transmits, or otherwise disseminates the photograph. [Source

US – Women Say Salon Filmed Them Naked

Two women claim they were surreptitiously photographed naked at a tanning salon, and their nude photos posted on “numerous pornographic websites.” The women sued Sunkissed Tanning and Spa and its owner in Westmoreland County Court. In separate but identical complaints, both women say they were longtime customers of the tanning spa in Mount Pleasant, Pa. They also sued its owner, Toni Tomei. Both women say the surreptitious filming happened in 2006, though they did not discover it until the summer of July 2010. Both say that Tomei “knew or should have known the aforesaid conduct was occurring on her premises, especially in light of the fact that the authorities previously investigated complaints of similar conduct in the past.” They seek punitive damages for negligence, privacy invasion and outrage. [Source]

Workplace Privacy

CA – B.C. NDP Screening Leadership Candidates to Head off Internet Embarrassments

Have you left a cringe-inducing impression on YouTube? Ever made intemperate remarks on a blog? Would all your tweets bear public scrutiny? B.C. NDP leadership hopefuls must hand over the keys to their social media accounts – their usernames and passwords – in a confidential questionnaire as the party aims to head off any e-embarrassments. The 23-question disclosure statement asks potential candidates to bare any legal troubles, past political affiliations or disagreements with party policy – any incidents that could be considered politically controversial. But it is the sweeping demands for access to any social-media activity that has taken some candidates aback. The New Democratic Party’s executive is asking each candidate: “Do you currently author or have you previously authored a blog? Please send all previous or existing blogs. Do you have a personal website or belong to any social networking sites such as Facebook? Do you have a Twitter account? Are there any photos or videos of you on YouTube or similar sites? Are there any photos or comments about you or by you on someone else’s sites?” The party also is demanding access to material that would-be candidates have posted in private forums. “Do any of your social-media sites have material ‘behind’ privacy settings? Please provide details including site URL and your username and password for all social networking sites to which you belong.” The 17-page disclosure allows the party executive the right to reject any candidate they deem unfit. It asks sweeping, cover-all-bases questions such as: “Is there any matter in which you were/are involved which has/may result in an accusation of impropriety or illegality, or an incident which if disclosed could cause embarrassment to you or the BC New Democratic Party?” [Source] See also: [US: A Site (Un)Seen: Using Social Media in Hiring Decisions] and [Calgary City staff face new online protocols: Social media caution urged] and [When monitoring needs meet privacy rights]

+++

16-31 December 2010

Biometrics

EU – Europe tells Britain to Justify Itself Over Fingerprinting Children in Schools

The European Commission has demanded Britain justifies the widespread and routine fingerprinting of children in schools because of “significant concerns” that the policy breaks EU privacy laws. The commissioner is also concerned that parents are not allowed legal redress after one man was told he could not challenge the compulsory fingerprinting, without his permission, of his daughter for a “unique pupil number”. In many schools, when using the canteen or library, children, as young as four, place their thumbs on a scanner and lunch money is deducted from their account or they are registered as borrowing a book. Research carried out by Dr Emmeline Taylor, at Salford University, found earlier this year that 3,500 schools in the UK – one in seven – are using fingerprint technology. EU data protection rules, Brussels legislation that overrides British law, requires that the gathering of information such as biometric fingerprints, must be “proportionate” and must allow judicial challenges. In May, the incoming Conservative and Liberal Democrat coalition promise to “outlaw the fingerprinting of children at school without parental permission”. A government spokesman was not available yesterday to comment on the commission’s letter. [Source]

Canada

CA – MLAs in B.C. Resist Disclosing Expenses

A government promise to shed more light on how politicians spend taxpayer dollars is being undermined by MLAs who don’t want their expenses to be made public, says a Liberal MLA running for premier. Mike de Jong, who as attorney general and Liberal house leader spearheaded a push earlier this year to disclose expenses, said he’s frustrated at behind-the-scenes resistance from his colleagues. De Jong had promised the public would see, by September, the amount MLAs bill taxpayers for food, rent, salaries and office expenses. But some politicians complained about privacy concerns, and the deadline passed without information being disclosed or a new deadline set. [Source

CA – Provinces Win Control of Assisted Reproduction in Supreme Court Challenge

The Supreme Court has upheld the right of the provinces to regulate the assisted reproduction industry. The court issued a divided advisory opinion that upholds in part a 2008 Quebec Court of Appeal decision which said Ottawa had overstepped in asserting control over assisted reproduction. The Supreme Court spit 4-4-1 with Justice Thomas Cromwell offering the determining view. Quebec filed a constitutional challenge to the federal Assisted Human Reproduction Act and was supported by three other provinces. The province argued that Ottawa was treading on provincial jurisdiction over health care. The 2004 act regulated the use of sperm, eggs and embryos, while banning and cloning and hybrids. Ottawa maintained it had the right make criminal laws and that the purpose of the act was to protect the “health, safety and public morals” of Canadians [Source]

Consumer 

US – Poll: Most Web Users Dislike Targeted Ads

A new Gallup poll has found that two-thirds of Americans do not want to receive targeted ads based on their Web surfing habits. Responses to the poll indicated privacy concerns vary generationally, but 67% opposed having their Web use tracked for advertising purposes, while 61% “care so much about their privacy that they aren’t willing to sacrifice it in exchange for more free content paid for by targeted ads.” The report notes that “most Internet users would rather pay for content instead and withhold something as seemingly innocuous as their Web browsing history from advertisers.” [Source]

US – Targeted TV Ads Set for Takeoff

After years of promises and false starts, TV commercials targeted at individual homes may finally be ready for prime time. DirecTV Group Inc. is planning the biggest rollout yet of “addressable ads,” allowing advertisers to reach close to 10 million homes with commercials tailored to each household. Dog owners, for instance, could see ads for dog food, not kitty litter, while families with children could be shown minivan spots. Targeted TV ads are the latest manifestation of a fast-growing phenomenon: the gathering, repackaging and trading of personal data. Driving this move is the fact that targeted ads command much higher prices than regular ones. DirecTV plans to roll out its targeted ad service in August or September next year. [Source]

US – Study: Education Lacking on Smart Meters

When it comes to smart meters, consumers are not being adequately informed about their capabilities and the way they will affect privacy. That’s according to a new Ponemon study, “Perceptions about Privacy on the Smart Grid,” which polled 509 U.S.-based adults and found that 54% of those surveyed did not receive information about or know they had a smart meter until after installation. Smart meters will measure home energy usage, in some cases down to the appliance level. The privacy concerns consumers noted were misuse of personal information by the government (53%) and failure to protect personal information. [Source]

E-Government

US – Woman Pleads Guilty to Accessing Student Loan Files

An Illinois woman says it was curiosity that led her to view the student loan files of hundreds of individuals while working within the Federal Student Aid Division of the Department of Education. Charlotte M. Robinson pleaded guilty in court this week to unauthorized computer access, according to a Department of Justice press release. She will be sentenced on February 22. Robinson admitted to repeatedly viewing the confidential student loan records of musicians, actors, family members, friends and others, even though she had no official reason to do so. [Source] See also: [U.S. Ups Scrutiny of Public]

E-Mail 

US – Federal Court in Ohio Upholds E-Mail Privacy

A defense attorney said he sees a federal court’s opinion upholding e-mail privacy as groundbreaking and possibly helpful to his client, the founder of a company that sold male enhancement pills. Lawyer Martin Weinberg said e-mail evidence should have been excluded from the government’s case against Steven Warshak, who was convicted of fraud and other crimes related to his Ohio company. The company, Berkeley Premium Nutraceuticals Inc., sold products including Enzyte pills – known for their commercials featuring Smiling Bob, whose life improves after using them – and other herbal supplements promoted as treating a variety of health and personal conditions. The Warshak case, in which investigators obtained 27,000 e-mails, has been closely watched by civil liberties advocates in the still-developing field of online privacy, and some said Tuesday’s opinion was perhaps the strongest yet in protecting digital communications against unreasonable search and seizure. The 6th U.S. Circuit Court of Appeals in Cincinnati threw out Warshak’s 25-year sentence, saying the trial court didn’t adequately explain how it arrived at a figure that more than $400 million in losses resulted from deceptive ads, manipulating credit card transactions and refusing to accept product returns or cancel orders. While upholding Warshak’s conviction, the three-judge panel also said his constitutional rights were violated when investigators obtained his e-mails without warrants. The court said that with so much of today’s communication done electronically, citizens have a reasonable expectation of privacy just like with telephones and traditional mail. “The Fourth Amendment must keep pace with the inexorable march of technological progress or its guarantees will wither and perish,” Judge Danny J. Boggs, a Ronald Reagan appointee, wrote for the panel. The opinion stated: “The police may not storm the post office and intercept a letter, and they are likewise forbidden from using the phone system to make a clandestine recording of a telephone call – unless they get a warrant, that is.” But the panel concluded that the e-mail evidence was allowable in the case because law enforcement officers believed they were following the law when seeking it from an Internet service provider. Weinberg said that part of the ruling likely will be appealed in his effort to get Warshak’s convictions thrown out. “The extension of the Fourth Amendment to e-mails is a groundbreaking opinion that is of pivotal importance in terms of protecting privacy in the Internet age,” Weinberg said. [Source]

Electronic Records

US – Practitioners’ Holiday Wish? Privacy Improvements

HealthLeaders Media reports on healthcare practitioners’ holiday wishlists that they had more staff, more time to study HIPAA regulations and a year free of data breaches. A recent Ponemon Institute study revealed that of the 65 hospitals surveyed, 71% said they had inadequate resources to prevent and quickly detect patient data loss, the report states. Other wishlist items include a smooth transition to the implementation of electronic health records, an efficient and compliant data encryption program and more safeguards to protect personal health information. “I hope that technology continues to be enhanced to support patient privacy,” said Debra Mikels, a healthcare practitioner in Boston, MA. [Source]

Encryption

US – Google Seeks Dismissal of Class Action

Google says its collection of personal data off of WiFi networks earlier this year broke no laws, and the company is asking a district court judge for dismissal of a potential class-action lawsuit related to the activity. In a filing last week with the U.S. District Court James Ware in San Jose, CA, the company said, “It is not unlawful under the Wiretap Act to receive information from networks that are configured so that communications sent over them are ‘readily accessible to the general public.’“ [Source] See also: [Blumenthal: Legal Action Possible in Connecticutt]

EU Developments

EU – Parliament Demands Commission Protect Web Users from Advertising

OUT-LAW News reports on the European Parliament’s call for stricter online advertising rules giving Web users more control of their privacy. The European Parliament has adopted a resolution asking the European Commission to introduce rules requiring Internet companies to disclose behavioral advertising and give users the right to opt out, expressing “serious reservations about the use of sophisticated technologies in advertising systems to track users’ activity.” Parliament is calling on the commission to “update, clarify and strengthen its guidelines on the implementation of the Unfair Commercial Practices Directive,” the resolution states, and create a labeling system based on the European Privacy Seal “certifying a site’s compliance with data protection laws.” [Source] [Source] [Resolution] See also [EU: Human rights court condemns Ireland over abortion

EU – German Resolution Sets Minimum Qualifications for DPOs

The German data protection authorities responsible for the private sector–the Düsseldorfer Kreis–issued a resolution pertaining to company data protection officers (DPOs). The resolution sets out minimum expertise requirements for DPOs and addresses their independence within the organizations for which they work. The resolutions come after inspections revealed a “generally insufficient level of expertise among DPOs given data processing complexities and the requirements set by the Federal Data Protection Act.” Under the resolution, DPOs should have a general command of data protection law, the blog states, including comprehensive knowledge of the Federal Data Protection Act. [Hunton & Williams Privacy and Information Security Law Blog]

Facts & Stats 

UK – Fraudsters Claim Nearly 2.5m Victims in 2010

More than 2.4 million people fell victim to a scam this year, with teenagers and the over-80s proving particularly vulnerable to cheats and fraudsters, according to new research by the charity Age UK. Its findings, which suggested almost three-quarters of victims lost money, coincided with an announcement of new government funding for the Scambuster teams run by trading standards departments. The most common type of deception was online fraud, with 34% of scams being perpetrated via the internet. The second most common category involved phone calls typically offering “failsafe” investments or informing the victim they have won money or a holiday. Others included bogus timeshares and rogue driveway repair companies. While most people lost under £100, almost one in six were cheated out of more than £500. Those in the youngest (16-24) and oldest (80-89) age groups were most likely to be “swindled”. Age UK’s study also found that once people had been “scammed” they were unlikely to tell anyone about it. Only 8% of victims went to the police, and only 9% went to organisations such as Citizens Advice. Perhaps surprisingly, most did not even share their story with friends or family. [Source] See also: [US: Man charged with hacking after reading wife’s emails]

Finance 

CA – Calgary Man Wins $5,000 Court Judgment Over Credit Agency’s Blunder

A man who pleaded his own case before the Federal Court has won a precedent-setting $5,000 in damages from a company which sent an inaccurate credit report to his bank. Mirza Nammo of Calgary was also awarded $1,000 in legal expenses. Judge Russel Zinn found the credit agency, TransUnion of Canada Inc., blundered when it sent the report on Nammo to the Royal Bank. The report led the bank to refuse Nammo a business loan. The case is the first in which a judge levied damages for a breach of the Personal Information Protection and Electronic Documents Act. The judge took a harsh line with the credit agency, saying it put someone else’s information into Nammo’s file, tried to blame another company for the error and, when it finally redid the file, it failed to tell the bank. Zinn said if TransUnion had bothered to check its information before sending it to the bank it would have noticed that the person cited in the file had a different name, a different date of birth and lived in a different province. The information was “grossly inaccurate,” he said. Nammo had been planning to go into business with another man, but the plan fell through when the bank denied him the loan. When Nammo complained to TransUnion in February 2008, it sent a letter blaming a Calgary collection agency for the error. “It is a challenge to determine whether its response was mere obfuscation or, as was suggested by the applicant, a deliberate misrepresentation,” the judge wrote. He went on: “In the letter, TransUnion took no responsibility for the error which was its and its alone.” Nammo sued under the provisions of the personal information law. He had earlier gone to the privacy commissioner, who ruled that the complaint was founded, but has been rectified. The judge didn’t feel the agency’s error was completely rectified because, while it told the bank that there had been a change to Nammo’s file, it didn’t say what the change was. He also said that TransUnion took too long to correct the error. The judge refused to award Nammo compensation for lost business, but did award him damages for the humiliation he suffered by being labelled a bad credit risk. [Source]

US – President Obama Signs Red Flag Program Clarification Act

President Barack Obama has signed the Red Flag Program Clarification Act of 2010 into law, amending the Fair Credit Reporting Act and limiting the Federal Trade Commission’s Identity Theft Red Flags Rule. The Hunton & Williams Privacy and Information Security Law Blog reports that the new law limits the application of the Red Flags Rule to exclude creditors “that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.” The change addresses concerns that the rule previously extended to “entities not typically thought of as creditors,” such as legal firms and healthcare providers, the report states. [Source

US – Judge Issues Permanent Injunction Against DA, Weld Sheriff

A Larimer District Court judge has put a formal end to efforts on the part of Weld District Attorney Ken Buck and Weld County Sheriff John Cooke to crack down on illegal immigration and identity theft using records from a Greeley tax preparer. District Judge Stephen Schapanski made permanent a temporary injunction issued against Buck and Cooke in April. The ruling directs the Weld County court clerk to destroy all copies of information obtained from the search and seizure of tax files from Amalia’s Translation & Tax Service in Greeley in 2008. Weld authorities also are forbidden from using any information learned from the contents of those files. Buck said authorities had already stopped using the files after the Colorado Supreme Court ruled in December 2009 that Operation Number Games was illegal. Schapanski’s ruling came as part of a civil suit filed by the ACLU filed on behalf of tax preparer Amalia Cerillo. The ACLU issued a release Wednesday that called Schapanski’s ruling the final nail in the coffin for Operation Number Games. [Source]

FOI 

CA – Access Law Does Not Cover Personal Emails Stored at Work

Personal emails stored on workplace computers are not covered by access to information laws, an Ontario judge has ruled. In overturning a decision of the province’s Information and Privacy Commissioner, which granted an Ottawa resident access to the personal emails of a city solicitor, Madame Justice Anne Molloy said the purpose of Ontario’s access to information laws is not to provide unfettered access to any document within a government office, but rather “to enhance democratic values by providing its citizens with access to government information.” “It can be confidently predicted that any government employee who works in an office setting will have stored, somewhere in that office, documents that have nothing whatsoever to do with his or her job, but which are purely personal in nature,” the judge wrote. [Source

CA – Two more Tory Staffers Tried to Block Access to Information Requests

Two more Conservative staffers in the office of cabinet minister Christian Paradis tried to block the release of access-to-information documents, The Canadian Press has learned. In October, Paradis adviser Sebastien Togneri resigned after it was revealed he had meddled in at least three different access-to-information requests while with the Public Works Department. Those incidents are the subject of an investigation by the Information Commissioner. But two more policy advisers within Mr. Paradis’s office were also involved in dealing with records destined for public release under access-to-information legislation. Documents obtained by The Canadian Press show that Marc Toupin and Jillian Andrews both argued against the release of material on sensitive subjects. In one case dealing with the members of a federal panel who wrote a damning report on asbestos, Mr. Paradis’s political office had highlighted material it did not want released. When bureaucrats asked for an explanation, Mr. Togneri directed them to his colleague Mr. Toupin. “Those comments are inappropriate and improper, not relevant to the request and should not be disclosed,” Mr. Toupin said of the material in a July 2009 email. The manager of access to information and privacy balked at the direction. “Please note that the Access to Information Act was created to provide access to records under the control of federal institutions and limit the application of severances,” Julie Lafrance wrote to Mr. Toupin. “Therefore, the legislators did not include a section in the Act for ‘inappropriate and improper’ comments.” Ms. Andrews intervened in a separate access-to-information request, about preparations for U.S. President Barack Obama’s visit to Canada in February 2009. Mr. Togneri had argued with bureaucrats that only a single document should be released, and then directed them to Ms. Andrews for further “in-depth” analysis. “Our department specifically states that the only documentation they have pertaining to this is a work stop order,” Ms. Andrews wrote in July 2009. “The document is found at the very last page of the ATIP. Therefore, this should be the only part of the ATIP to be released.” But another bureaucrat noted in response that officials specifically mandated with collecting documents within the department had put together a much heftier package than a single work-stop order.[Source]

Health / Medical

CA – Nova Scotia Health Privacy Bill Passes Despite Media Fear of Jail or Fines

Nova Scotia legislation that aims to protect personal health records but also raises fears that it’s too restrictive on the media has passed. Fred Vallance-Jones, a journalism professor at the University of King’s College in Halifax, says the law could see journalists fined or jailed if they seek information from hospital officials when patients haven’t given permission to release information about their status. The opposition Liberals and Conservatives agreed with his objections and raised them during third reading of the bill last week, but still voted for it. NDP Health Minister Maureen MacDonald says her legal counsel doesn’t believe the legislation will be used to prosecute journalists, and the intent is simply to protect privacy rather than restrict reporting on the health care system. As drafted, a clause in the legislation says a person is guilty of an offence if he or she “wilfully gains or attempts to gain access to health information in contravention of this act or the regulations.” [Source] See also: [CA: Intervention or intrusion? Hospital asks patients about abuse

WW – Doctors on Facebook: Survey Shows Concerns

Doctors with Facebook profiles should be mindful of the privacy settings in order to avoid potential pitfalls with patients, according to a study published in the Journal of Medical Ethics. The study, which polled 200 residents and fellows at Rouen University Hospital in France last year, the majority of whom had a Facebook profile. About half of the respondents indicated that they felt the doctor-patient relationship would be changed if the patient had unrestricted access to the doctor’s profile, the report states. Deven McGraw of the Center for Democracy and Technology said young doctors are facing a dilemma familiar to many professionals–the merging of social and professional boundaries. [Source]

Horror Stories 

US – 110,000 Credit Card Records Stolen In NY Tour Company Web Server Breach

The web server of CitySights NY – a company that organizes tours around New York on double-decker buses – has been breached and names, addresses, e-mail addresses, credit card numbers, their expiration dates and Card Verification Value 2 codes belonging to 110,000 of their customers have been stolen. The breach is thought to have happened on September 26, when the attackers uploaded a script using an SQL injection attack, which allowed them to access the database on that web server. According to the breach notification letter sent to and published by New Hampshire’s attorney general, the compromise was discovered on October 25, when a web programmer discovered the unauthorized script. [Source] See also: [CDPH Loses Employee, Patient Data in Mail]

US – Millions of Honda Owners Victims of Data Breach

Carmaker Honda is warning more than 2 million of its customers in the U.S. that an e-mail database containing some of their personal information has been stolen. The list contained the names, login names, e-mail addresses and vehicle identification numbers of more than 2 million Honda owners. Another list, this one containing only the e-mail addresses of nearly 3 million Acura owners, was also taken. Honda has contacted all the customers via e-mail. The worry is that affected owners, especially those on the list with the VINs, may be targeted for some kind of phishing attack. [Source

US – OSU Notifying 760,000 of Data Exposure

The Ohio State University is notifying 760,000 individuals that hackers may have accessed their personal information after officials discovered unauthorized activity on a university server. “We regret that this has occurred and are exercising an abundance of caution in choosing to notify those affected,” said Provost Joseph Alutto. School officials expect to spend up to $4 million in investigative and credit-protection costs. Alutto said the university is “committed to maintaining the privacy of sensitive information and continually works to enhance our systems and practices to reduce the likelihood of such events occurring.” [Source

US – Case Against Starbucks Gets the Go-Ahead

The 9th Circuit Court in Seattle, WA, ruled on Tuesday that Starbucks employees whose names, addresses and Social Security numbers were on an unencrypted laptop stolen in 2008 have grounds to sue the company for negligence. A district court had dismissed the case saying it did not meet state requirements for injury but that it did have federal standing. The plaintiffs alleged that though they hadn’t lost any money, the time taken to monitor their credit and the stress of the possibility of identity theft amounted to an injury. The federal appellate panel agreed. “Here, plaintiffs-appellants have alleged a credible threat of real and immediate harm,” wrote judge Milan Smith for the court. [Source]

Identity Issues 

US – California: Online Impersonation Banned Starting in New Year

Assuming another person’s identity on the Internet and fabricating an e-mail or Facebook account is now against the law in California. A state law effective Jan. 1, authored by Sen. Joe Simitian, D-Palo Alto, makes online impersonation, when it seeks to harm someone, illegal. A handful of Internet free-speech advocates initially expressed concerns about Simitian’s law. Their chief fear was that such a measure would prevent spoofs or political satire. The final legislation holds that the person who is impersonated has to be “real” and “credible,” meaning there’s leeway for parody and Abe Lincoln and Santa Claus can still legally have Twitter accounts. [Source

IN – Powers to be Established for ID Governing Body

After the introduction of The National Identification Authority of India Bill (NIAI) in the Rajya Sabha earlier this month, privacy concerns persist. The bill will establish the Unique Identification Authority of India (UIDAI) as a legally sanctioned body and set out its powers and functions, The Telegraph reports. UIDAI will assign each citizen a unique identifying number, though legal experts and advocates say UIDAI’s plan does not provide enough safeguards for privacy. The Centre for Internet and Society says that the bill fails to protect citizens’ rights. “Lots of important details have been left to be defined by the UIDAI,” a spokeswoman said. [Source]

Intellectual Property 

FR – Nicolas Sarkozy’s Internet Police Warn 100,000 Illegal Downloaders

Nicolas Sarkozy’s war on illegal downloading has begun in earnest, with the state internet surveillance body dubbed “Big Brother” warning more than 100,000 French internet-users that they have been caught accessing pirate material. The controversial anti-piracy law is one of Sarkozy’s pet projects, backed by his singer wife, Carla Bruni-Sarkozy. The couple argue that artists must be protected from the nation’s massive illegal download culture – France is thought to be the world number one in illegally accessing film and music online. The internet policing system, known under its acronym Hadopi, investigates specific incidents of illegal downloading reported by music and film companies. It obtains web-users’ details from internet service providers and issues a series of warnings by email and letter. Repeat offenders risk one month’s suspension from all internet access. Those accused of counterfeiting can be fined and cut off from the internet for one year. At least 100,000 warning emails have been sent since early October. The French left has attacked the law as draconian and against civil liberties. But it is also criticised as ineffective and out of date. The law targets peer-to-peer sites, but not streaming and direct download sites. A study by the University of Rennes earlier this year reported an increase in illegal downloading as web-users turned to new ways of accessing material not covered by the law. [Source]

Internet / WWW 

WW – Microsoft Cloud Data Breach Heralds Things to Come

What might be the first major cloud data breach has happened. Microsoft announced that data contained within its Business Productivity Online Suite (BPOS) has been downloaded by non-authorized users. The knee-jerk reaction might be to blame hackers, but that’s not so here. The breach was down to an unspecified “configuration issue” in Microsoft’s data centers in the United States, Europe and Asia. The Offline Address Book component of BPOS, which contains business contact information, was made available to non-authorized users in “very specific circumstances,” according to Microsoft. The problem was fixed two hours after being discovered (how long was it open before that?), and to Microsoft’s credit it has tracking facilities in place that allow it to clean up the mess by contacting those who downloaded the wrong data. However, the whole affair will feel like a stomach punch for anybody considering cloud adoption in the coming year–especially those considering Office 365, Microsoft’s major cloud offering that ties into its Office suite. There are three basic threats that could lead to data leakage when it comes to cloud computing offerings from any vendor: 1. Misconfiguration of cloud service software, or bugs within the software; 2. Hackers stealing data, for fun or profit; 3. Employees being careless with data. [Source] See also: [Japanese woman sues Google for displaying images of underwear]

Law Enforcement 

CA – Vancouver Police to Use Licence-Plate Readers to Track Gangsters’ Movement

The Vancouver police department’s plans to use automatic licence-plate readers to track gangsters’ movements could have a real impact on gang violence, according to one of the first U.S. police departments to deploy the technology. Lt. Mike Wallace, head of Palm Beach County’s Gang Taskforce, said his force has successfully used the technology to help execute arrest warrants, gather intelligence on shifting gang alliances in Florida and prove in court that someone is affiliated with a criminal group. Automatic licence-plate readers, usually installed in a police car, use a series of mounted cameras to constantly scan for visible licence plates. Plate numbers are then automatically checked against police databases, alerting the officer inside if it finds a match against any wanted vehicles. The $20,000 devices can process 1,500 plates a minute. Wallace said Palm Beach County — an area of one million people that includes affluent Palm Beach but also a number of rural areas — got its first plate-reader four years ago. At first, the force used it mainly to find stolen vehicles. “But once we understood the technology we thought: There’s more we can do with this,” said Wallace. Soon, every time police learned gang members would be congregating, such as at a funeral or party, police simply drove one of their tracking-equipped cruisers to the scene and turned it on. “We’ll take it out and drive around at a funeral for an hour and we’ll get 3,000 to 4,000 numbers,” said Wallace. Almost immediately, said Wallace, the device started paying off, alerting officers to the presence of gangsters with outstanding arrest warrants. It also helped them discover new gang members who weren’t on their radar. The technology has also come in handy in court. Under Florida sentencing rules, gang members can receive stiffer sentences if police can prove their gang ties. Licence-plate tracking data has been submitted in Florida courts, along with other evidence, to help prove someone’s a gangster, said Wallace. Over the past five years, Palm Beach has seen a significant drop in gang murders, from 48 in 2006 to 18 so far this year. [Source] See also: [Public faith in local police still high: EKOS Poll

US – Washington Subway Police To Begin Random Bag Checks

Metrorail police officers plan to randomly select bags before passengers enter subway stations and they will swab them or have an explosives-sniffing dog check the bags, according to the Metro police. There is “no specific or credible threat to the system at this time,” Metro said in a statement. Passengers who refuse to have their bags inspected will be denied entry into the subway system. “The program will increase visible methods of protecting our passengers and employees, while minimizing inconvenience to riders,” Metro Transit Police Chief Michael Taborn said in a statement announcing the new checks. The decision to launch the new security checks, similar to programs in New York and Boston, comes after two people were arrested in recent months, accused separately of threatening to explode bombs in the Washington subway system. [Source]

Location 

US – MMA Calls for Smartphone Privacy Guidelines

Following media reports about smartphone apps sharing user data, the Mobile Marketing Association (MMA), which represents smartphone advertisers and publishers, is calling for guidelines to better protect users from “intrusive tracking technologies.” The MMA announced that it will begin work on a “comprehensive set of mobile privacy guidelines…to create consistency so marketers know how to act and consumers know what to expect.” MMA Global CEO Greg Stuart said the initiative demonstrates the “ongoing commitment to the importance of consumer transparency with regards to privacy issues and data collection.” The MMA hopes to address such mobile phone marketing as text messages, e-mail and voice calls, the report states, as well as mobile Web sites and apps. MMA Privacy Committee Co-Chairman Alan Chapell, CIPP, told the Daily Dashboard, “We’re optimistic that this initiative will attract a wide variety of stakeholders so that we can address these important issues in a meaningful way.” [The Wall Street Journal]

Online Privacy 

WW – Website Allows Users to Anonymously Post Hurtful Comments

“You should kill yourself.” It’s a message Vernon Hills , Ill., police officer Jim Koch said he sees “all the time” on one of the newest social networking sites that allows users to post messages anonymously. Others include “why r u so ugly? i cant find one attractive thing about u,” “ur so (bleeping) ugly and stupid! GO THE HELL AWAY! NO ONE LIKES U,” and “whats wrong with ur teeth theyre nasty.” Barely a year old, Formspring.me is quickly turning into a sensation, in part because of teenagers who are attracted by the ability to leave their names off their comments. Formspring boasts nearly 20 million users around the globe, according to a company spokeswoman. The idea of the site is to have a conversation by answering questions stemming from the prompt “Ask me anything.” So far, more than 1.5 billion questions have been answered. “It’s like a bathroom wall,” said Koch, the school resource officer at Vernon Hills High School. “You write whatever you want.” As a result, nearly every day he is calling students in to talk, on the phone with parents or in the hallways hanging up news stories of teens who committed suicide after being on the receiving end of nasty online remarks. [Source] See also: [Big Brotheresque App Kills Your Automotive Anonymity

US – Vigilante Group Wrongly Names Man As Serial Killer on Facebook

A man who feared for his safety had to be escorted from his home by police after he was wrongly named on Facebook as a wanted serial killer in the United States. A vigilante group posted the man’s name and photograph on Facebook and labelled him the “Kensington Strangler”, who is wanted in connection with at least three murders and several sexual assaults in Philadelphia, ABC America reported. Residents of Kensington, who once severely beat a suspected rapist based on a police photo, posted hundreds of comments and theories about the case on a Facebook page titled “Catch the Kensington Strangler, before he catches someone you love.” The Facebook group attracted more than 8000 members and one post falsely identified a suspect, leading to an angry crowd gathering outside the man’s home. The terrified occupant of the house called police for help. He was taken to a police station at his own request and had a DNA test performed, which cleared him of any link to the case. Police asked the Facebook group’s administrators to take down the photos and remove any reference to the man. [Source] See also: [I took Riewoldt’s naked photo, says apologetic Gilbert

WW – Facebook Testing New Ways to Tag Photos

Facebook will try to make it easier to identify friends in photos uploaded to the social networking site by using facial recognition software to suggest people that users may want to tag. In a blog post, Facebook engineer Justin Mitchell said the new tag-suggestions feature will match new photos to others that people have already been tagged in. Similar photos will be grouped and the software will let users know who it thinks is in the shots. Palo Alto-based Facebook already offers a way to tag one person in a group of photos, and it hopes this will add more simplicity to the process. Tag suggestions will be rolled out in the U.S. in the coming weeks. Users who don’t want their name suggested can use the site’s privacy settings to turn the feature off. Mitchell said over 100 million tags are linked to photos on Facebook daily. [Source] See also: [Facebook to hold hacker cup]

Other Jurisdictions

HK – Commissioner: Privacy Office Should Prosecute

Privacy Commissioner Allan Chiang feels that privacy-related prosecutions should be left to his office. Speaking at an RTHK program, Chiang said that resource limitations prevent the police from making privacy offenses a high priority. This, and the fact his office has the expertise means that his office should be given the power to prosecute, he said. [Source]

Privacy (US) 

US – Online “Privacy Bill of Rights” Called for by Obama Administration

New guidelines were released by the Obama administration that recommends ways to protect the privacy of consumer’s online. The new recommendations would create the “Privacy Bill of Rights” and would establish a privacy policy office within the Commerce Department. The recommendations would also establish clear guidelines for what types of data can be collected on a user and how that data can be used by companies according to a Commerce report. The Privacy Bill of Rights would give clear rules on data collection and would set up an audit trail to hold companies accountable for sticking to the rules. The Washington Post quotes commerce Secretary Gary Locke saying, “Self-regulation without stronger enforcement is not enough. Today’s report is a road map for considering a new framework that is good for consumers and businesses.” Locke also stated that the U.S. needs to ensure that regulators here coordinate their privacy standards with the standards adopted in Europe and other countries so there is no confusion. The ACLU said, “This is the first time that the administration has emphasized the need for comprehensive privacy protections, and that as of today it is a Wild Wild West out there for consumers and their privacy. We hope it will lead to strong administrative protections but Congress needs to act.” [Source] and also: [US: New report calls for online privacy bill of rights

US – Commerce Report Calls for Privacy Office, Federal Breach Notification Standard

The Commerce Department released its online privacy green paper today. The report calls for the creation of a Commerce Department privacy office and recommends a federal data breach notification law that would preempt state laws. “A comprehensive national approach to commercial data breach would provide clarity to individuals regarding the protection of their information throughout the United States, streamline industry compliance and allow businesses to develop a strong, nationwide data management strategy,” the report states. The paper also recommends the development of Fair Information Practice Principles. The department is soliciting comments on the paper. [Source] [Report: Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework] [Commerce Report Draws Praise, Criticism] SEE ALSO: [FTC Report: Protecting Consumer Privacy in an Era of Rapid Change: A Framework for Businesses and Policymakers

US – President Appoints Two to Privacy Oversight Board

President Barack Obama has begun appointing members to the Privacy and Civil Liberties Oversight Board. The president’s first two nominees are Jim Dempsey, VP of the Center for Democracy and Technology, and Elisebeth Cook of the law firm Freeborn and Peters. “President Obama has nominated two outstanding and well-qualified individuals,” said Alan Charles Raul of Sidley Austin. “I hope the Senate will act quickly to confirm their nominations and that the president will nominate a chairman and two other members very soon.” The oversight board was created in 2004 on the recommendation of the 9/11 Commission to help advise and oversee the Administration’s efforts to fight terrorism while protecting the rights of Americans. It languished in 2008 following legislative changes. This week’s nominations are “an important first step to reestablishing the privacy board.” [Source

WW – Kids should Ho Ho Hold the Sensitive Info When Writing to Santa on the Internet

“Dear Santa” websites may not turn out to be as jolly as they look, warns a U.S. advertising regulator. More than 60 Internet domains have been registered in the name of Santa Claus offering kids a chance to email the portly purveyor of gifts, according to the U.S. Children’s Advertising Review Unit which is urging parents to be vigilant. While the organization hasn’t received any complaints, director Wayne Keeley says it’s good practice for parents to check a site’s privacy policies and to monitor their kids to ensure they don’t reveal too much personal information. Privacy policies should explain whether sites share information with third parties, including advertisers, whether they publicly disclose all information — for instance, by posting children’s letters — or retain them for future purposes, CARU said. Kids should avoid revealing their full names, phone numbers, addresses and schools, said CARU staff attorney Angela Tiffin, adding such data could be used by predators. “Santa already knows where all the children live,” CARU said. [Source] See also: [Santa’s Privacy Policy] [Check Privacy Policy on “Dear Santa” Websites]

Privacy Enhancing Technologies (PETs) 

WW – Browsers Boosting Privacy Options

Mozilla says the next version of its Firefox Web browser will include technology to let users cloak their online activities. The updated software will be released in the first part of next year, according to Mozilla Chief Executive Gary Kovacs. “Where I go on the Internet is how I live my life; that is a lot of data to hold just for someone to serve me ads,” Kovacs said. Microsoft, too, will increase privacy options in its Internet Explorer browser, the report states, including a feature “to help keep third-party Web sites from tracking your Web behaviour.” An MIT Technology Review article asserts that this would be a “step in the wrong direction for privacy on the World Wide Web.” [Source]

Security 

WW – Android Mobile Malware Has Botnet-Like Traits

Hackers are aiming for users of Google’s Android mobile operating system with a malicious application that harvests personal information and sends it to a remote server. The malware, which has been named “Geinimi,” appears to be the first one that has botnet-like capabilities targeted at the Android platform. Geinimi appears to target Chinese-speaking users of Android, and Lookout was tipped off to Geinimi after a user wrote a post concerned about it on a forum. The malware communicates with a central command-and-control server. The server can issue commands to a phone remotely, such as to download or uninstall software. The user of the Android phone is prompted and must approve either action, but it still raises concern, Mahaffey said. “It might be a vector to install other potentially malicious applications.” Geinimi also sends the Android device’s location and other hardware identifiers, such as the device’s International Mobile Equipment Identity (IMEI) number and SIM card information, to a remote server every five minutes. It can also send a list of the Android device’s installed applications. The malware can contact up to 10 domain names that are used to upload the information to the remote server. It is Geinimi’s ability to contact multiple domains and obtain instructions from a command-and-control server that Lookout decided to say it has botnet-like capabilities, Mahaffey said. [Source

WW – Apple Sued Over Applications Giving Information to Advertisers

Apple Inc., making of the iPhone and iPad, was accused in a lawsuit of allowing applications for those devices to transmit users’ personal information to advertising networks without customers’ consent. The complaint, which seeks class action, or group, status, was filed on Dec. 23 in federal court in San Jose, California. The suit claims Cupertino, California-based Apple’s iPhones and iPads are encoded with identifying devices that allow advertising networks to track what applications users download, how frequently they’re used and for how long. “Some apps are also selling additional information to ad networks, including users’ location, age, gender, income, ethnicity, sexual orientation and political views,” according to the suit. The suit, filed on behalf of Jonathan Lalo of Los Angeles County, identifies applications such as Pandora, Paper Toss, the Weather Channel and Dictionary.com, and names them as defendants along with Apple. Lalo is represented by Scott A. Kamber and Avi Kreitenberg of KamberLaw LLC in New York. The case is Lalo v. Apple, 10-5878, U.S. District Court, Northern District of California (San Jose). [Source] See also [PopCap fires back at ‘misleading’ privacy probe

US – Colorado Flunks Test of its Information Security Systems

A covert penetration test conducted by the Colorado State Auditor has found that the state government networks and computers are at “high risk” of compromise, infosecurity.com reports. The test “identified a significant number of serious vulnerabilities in the state’s networks and applications that would likely provide a malicious attacker with unauthorized access to the public’s data.” The audit penetrated “thousands of individuals’ records…containing confidential data,” the report states. It also found that more than half of state agencies have not submitted information security plans to the state Office of Cyber Security despite the July 15, 2009 statutory deadline. [Source]

Smart Cards 

EU – Bankers Fail to Censor Thesis Exposing Loophole in Bank Card Security

A powerful bankers’ association has failed in its attempt to censor a student thesis after complaining that it revealed a loophole in bank card security. The UK Cards Association, which represents major UK banks and building societies, asked Cambridge University to remove the thesis from its website, but the request was met with a blunt refusal. The thesis by computer security student Omar Choudary, entitled “The smart card detective: a handheld EMV interceptor”, described a flaw in the chip-and-pin (personal identification number) security system that allows criminals to make fraudulent transactions with a stolen bank card using any pin they care to choose. But in a reply to the UKCA, Ross Anderson, professor of security engineering at the university’s Computer Laboratory, refused to take down the thesis and said the loopholes had already been disclosed to bankers. “You seem to think we might censor a student’s thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton and of Darwin; censoring writings that offend the powerful is offensive to our deepest values,” Anderson wrote. Anderson and his colleagues discovered the loophole in chip-and-pin security in October 2009 and told the banks about the flaw later that year. They revealed the loophole publicly on the BBC’s Newsnight programme in February 2010. In view of the UKCA’s letter, Anderson has authorised Choudary’s thesis to be published as a Computer Laboratory technical report. “This will make it easier for people to find and cite, and will ensure that its presence on our website is permanent,” his reply to the UKCA states. [Source

WW – Unsmart Investments in Smartcards

Chaos Computer Club (CCC) Congress, Security consultant Harald Welte explained how he was able to break Taiwan’s smartcard-based transportation-payment system, which was expanded this year to be a larger citywide payment system, using a $40 smartcard reader and a few hours of time. “Using this in the year 2010 as a payment system is ignorant, clueless, and a sign of gross negligence,” he told the audience. Taipei’s EasyCard system has been in place since 2001, largely as a means of paying for the subway, bus, taxis and parking. It has also been widely known to use a smartcard system called MIFARE Classic, produced by NXP Semiconductors, the security of which was publicly demonstrated to be broken by CCC members at their annual congress three years ago. This break is no secret. It was publicized at the time, is noted on Wikipedia, and the issue was noted by NXP itself on its Web site, which today says the MIFARE Classic offers “basic levels of data security.” The problem, Welte said, was when the city government decided to adopt a broader card-based payment system for stores and other functions, and EasyCard stepped in with its old, now-broken technology. According to Welte, researchers from the University of Taiwan wrote a letter protesting the decision, noting the security problems. But early in 2010, the EasyCard system was rolled out on a widespread basis, now upgraded to store the equivalent of nearly $350 in Taiwanese New Dollars, which was spendable at major department stores, 7-11s, Starbucks and other shops. [Source

WW – Breaking GSM With a $15 Phone … Plus Smarts

Speaking at the Chaos Computer Club (CCC) Congress, a pair of researchers demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network “sniffers,” a laptop computer and a variety of open source software. While such capabilities have long been available to law enforcement with the resources to buy a powerful network-sniffing device for more than $50,000, the pieced-together hack takes advantage of security flaws and shortcuts in the GSM network operators’ technology and operations to put the power within the reach of almost any motivated tech-savvy programmer. “GSM is insecure, the more so as more is known about GSM,” said Security Research Labs researcher Karsten Nohl. “It’s pretty much like computers on the net in the 1990s, when people didn’t understand security well.” [Source]

Surveillance 

UK – CCTV ‘Used to Monitor Schoolchildren in Toilets and Changing Rooms’

Schools are using CCTV cameras to spy on pupils in toilets and monitor teachers’ performance in the classroom, according to a report by the Information Commissioner’s Office that warned many schools were flouting guidance on CCTV which insists cameras should only be used to monitor behaviour in exceptional circumstances. The study, which features contributions from a series of academics, said: “The use of CCTV has migrated from perimeter security and access control to monitoring pupil behaviour in public areas such as in corridors and playgrounds, and to more private realms such as changing rooms and toilets.” The report added that some schools failed to understand “their new regulatory responsibilities” as the nature of CCTV usage has changed. [Source] See also: [AU: Home security cameras are creating privacy concerns for Sydney neighbours]

Telecom / TV 

AU – Reverse Directory Web Site Under Investigation

Privacy experts are investigating a new Web site that allows people to look up the names and addresses attached to landline and mobile phone numbers to determine whether it breaks any privacy or communications laws. The Australian Communications and Media Authority (ACMA) claims the site breaks the Telecommunications Act, but the U.S. developer disagrees and has plans to release a smartphone app in the coming months. David Vaile of UNSW’s Cyberspace Law and Policy Centre and vice-chair of the Australian Privacy Foundation says the service carries potential criminal risks and has concerns about the requirement that database users log in with their Facebook account information. [Source] See also: [CRTC hits Bell with record penalty for violating Do Not Call rules]

US Government Programs 

US – VA Acknowledges Improper Patient Data Storage

Veterans Affairs (VA) facilities have been found in violation of the department’s policy that no patient information be stored on systems outside its firewalls. The most recent incident involved personal information on 878 patients—including patients’ full names, dates and types of surgery and last four digits of their Social Security numbers. The data had been shared between VA employees via an online calendar since 2007, and the breach was detailed in a November report to the U.S. Congress. The VA is looking at ways to bring such online tools inside its firewall, the report states, as part of ongoing steps to improve security and privacy. [Source]

US Legislation 

US – Two Privacy-Related Bills Signed Into Law

This week, President Obama signed several bills into law that have privacy implications. In addition to repealing Don’t Ask Don’t Tell, he signed The Social Security Number Protection Act of 2010 and The Truth in Caller ID Act. The former bill is intended to help reduce identity theft by restricting the use of full Social Security Numbers on government-issued checks and by preventing prisoners from having access to Social Security Numbers. A number of media stories in the past few years had revealed how government agencies were contracting with prisons, who, in turn, had prisoners doing work that gave them access to SSN. The second bill prohibits any person within the United States from knowingly transmitting misleading or inaccurate caller identification information “with the intent to defraud, cause harm, or wrongfully obtain anything of value.” Exemptions to the prohibition include law enforcement. People who violate the law may face forfeiture or criminal fines. [Source]

Workplace Privacy 

CA – Privacy Watchdog to Appeal Email Ruling

Ontario’s privacy commissioner is seeking leave to appeal a recent court ruling that says private emails on workplace computer systems are not covered by freedom of information laws. In overturning a decision of the commission, the Ontario Divisional Court ruled this month that the purpose of Ontario’s access to information laws is not to provide unfettered access to any document within a government office, but rather “to enhance democratic values by providing its citizens with access to government information.” Therefore, the court ruled, the fact that emails are stored on the computers of a public institution does not necessarily mean that the emails should be public too. “It can be confidently predicted that any government employee who works in an office setting will have stored, somewhere in that office, documents that have nothing whatsoever to do with his or her job, but which are purely personal in nature,” the judge wrote. The case was brought by Ottawa resident John Dunn, who grew up in foster care, and heads the Foster Care Council of Canada. Ann Cavoukian, the Ontario Information and Privacy Commissioner, granted him access before the Divisional Court overturned that ruling. The Ontario Court of Appeal is not obliged to hear the case. [Source

+++

 

01-15 December 2010

 

Biometrics

EU – Europe Tells Britain to Justify Itself Over Fingerprinting Children in Schools

The European Commission, acting on the concerns of the Article 29 Working Party, wants to know more about Britain’s collection of schoolchildren’s fingerprints, The Telegraph reports. More than 3,000 schools in the UK are using fingerprint technology to deduct students’ lunch payments and loan books, for example. In a letter to British authorities, the commission wrote, “We should be obliged if you could provide us with additional information both regarding the processing of the biometric data of minors in schools, with particular reference to the proportionality and necessity in the light of the legitimate aims sought to be achieved, and the issue concerning the availability of judicial redress.” [Source]

US – Fingerprint Scanner Use Raises Privacy Concerns in N.C.

Next month, 13 law enforcement agencies in the region will begin using a new handheld device that lets an officer scan a person’s fingerprints and seek a match in an electronic database – all without going anywhere. Police say taking fingerprints in the field will allow them to work more efficiently and safely. But the ACLU North Carolina in Raleigh worries that the device may allow officers to violate privacy rights. The ACLU is concerned about what will become of fingerprint scans that are sent to other databases, such as the National Crime Information Center. “Part of the danger is the idea of the government creating a database on its citizens,” said Sarah Preston, policy director for ACLU North Carolina. “Citizens should be allowed some degree of privacy.” But those concerns are unwarranted, said Sam Pennica, director of the City-County Bureau of Identification, the agency that processes fingerprints in Wake County and is providing the devices to local agencies. The software for the device, known as Rapid Identification COPS Technology, would not store fingerprints of any individuals, even those charged with a crime. “It will not retain the fingerprints of any individuals under any circumstances,” he said, adding that fingerprints would only be compared to those in the Wake County database. “They will not be submitted to any state or federal agency.” [Source]

AU – Australian Government Considering Fingerprint Technology for Poker Machines

The Australian government is considering using USB memory sticks that can recognize individual fingerprints in order to enforce loss limits on video poker machines. As part of a program designed to cut down on the risk of problem gambling in Australia, the government has made plans to implement a pre-commitment scheme that would require players to set a limit as to how much they’re willing to lose while playing the machines. Once that limit was reached, the players would no longer be able to play for a predetermined length of time. The USB key would have an advantage over a card system. According to Phillip Ryan, director of Responsible Gaming Networks, about one-third of players using a “smartcard” system in Canada shared their cards with other players as a way to get around spending limits. In addition, Ryan defending the USB key against charges that it would violate the privacy rights of players. Fingerprint data wouldn’t be stored in a central location; only the USB card would have the fingerprint as a method of activation. [Source]

Canada

CA – No Border Deal With U.S. Yet, Harper Says

While saying he has not reached a border-security agreement with the United States, Prime Minister Stephen Harper said his government is intent on bolstering “safety” measures and “economic access” to the United States. Mr. Harper has come under fire in the House of Commons for secretly negotiating a “security perimeter” deal with Washington that could affect the privacy rights of Canadians. Liberal leader Michael Ignatieff called on the Prime Minister to reveal the details of the negotiations the Conservative government has been conducting with the Obama administration. Last week, a flurry of leaked documents revealed what has been occurring behind the scenes. According to the documents, the title of the deal being negotiated is Beyond the Border: A Shared Vision for Perimeter Security and Competitiveness. It is supposedly to be signed by Mr. Harper and U.S. President Barack Obama in January. The agreement apparently would give the U.S. government more influence over Canada’s border security and immigration controls. Furthermore, Canada would share more information with U.S. law-enforcement agencies.[Source] [Ottawa crafts plan to ward off criticism over U.S. border deal]

CA – Canada’s Privacy Watchdog to Probe Treatment of Air Travellers

Canada’s privacy watchdog has launched a sweeping audit to find out whether the federal government is doing enough to protect the privacy of air travellers given the heightened focus on national security. Jennifer Stoddart said “identity management” for citizens and consumers in the online world remains a priority — but so do national-security issues. That’s why Ms. Stoddart’s office is conducting an air travel security audit focusing on the government agency in charge of passenger screening, she said in an interview. In the case of the new full-body airport scanners — dubbed “naked scanners” by detractors — the audit will determine whether the Canadian Air Transport Security Authority is following through on promises made to minimize the privacy intrusions of this new technology. For example, the agency agreed that no record of the image would be kept and no personal information, such as a passenger’s name or boarding pass number, would be associated with the scanned image. “We want to go back and see what’s happening a year later — if the commitments made by the government have been followed up,” said Ms. Stoddart. The air travel security audit will also look at the use of surveillance cameras at airports. “Some new issues include things like bar codes on boarding pass — how is this personal information managed,” Ms. Stoddart said. The audit will also revisit whether the Passenger Protect Program has adequate controls and safeguards in place to protect personal information. In November 2009, an earlier audit dealing exclusively with Canada’s no-fly list found “several concerns” with the program, which was introduced in 2007 to prevent people named on a “specified persons list” from boarding flights to or from Canadian airports. The 2009 audit found the deputy minister ultimately in charge of who is on the list was not provided with complete information to make informed decisions. Transport Canada, meanwhile, had not verified that airlines were complying with federal regulations related to the handling of the no-fly list, and there were no requirements that air carriers report to government security breaches involving personal information related to the no-fly list. The more exhaustive air travel security audit about how CATSA manages privacy issues, to be published next fall, was launched after Stoddart’s office published a reference document last month to provide guidance to government agencies and departments about how to integrate privacy protections with new public safety and national security objectives. [Source] See also: [TSA frisks groom children to cooperate with sex predators, abuse expert says]

CA – G20 ‘Massive Compromise of Civil Liberties:’ Ombudsman

Torontonians were effectively placed under martial law during the G20 Summit, says Ontario ombudsman Andre Marin. The provincial government’s decision to secretly invoke an obscure 1939 war measures law to give police extreme powers to detain, search and arrest people was likely unconstitutional and unnecessary, Marin says in his report, Caught in the Act, which was released this week. [Source]

CA – Privacy Amendments Lack Teeth, Critics Say

Privacy experts are applauding a bill currently before parliament that would require Canadian businesses to disclose when they lose customer data, but saying it must go further and also put penalties in place. Bill C-29 is currently before Parliament and if passed will reform PIPEDA. Amongst its revisions, the biggest change would be a breach notification requirement. Organizations would have to report to the Privacy Commissioner of Canada “any material breach of security safeguards involving personal information under its control.” If the breach creates a risk of significant harm to any individuals, then the organization must also inform those individuals. But the proposed bill doesn’t actually penalize organizations that fail to report. An article about the bill by McCarthy Tetrault LLP notes that Alberta’s recently enacted breach notification requirement in its Personal Information Protection Act included financial enforcement. Organizations can be fined up to $100,000 for failing to notify. The federal office should also use fines, says Michael Geist, an Internet law lawyer at the University of Ottawa. Otherwise some companies will be tempted to risk not disclosing to save on the bottom line. “It’s quite clear we need to have real penalties so part of that risk assessment is the real costs associated with it,” he says. Ann Cavoukian, the Information and Privacy Commissioner of Ontario, has the power to issue orders. It’s one she uses sparingly. “When we talk to companies, we always lead with the carrot,” she says. “You can avoid privacy harm and potentially save millions that a data breach will cost you, and avoid the loss of consumer confidence.” Still, it would be preferable for the federal office to have that power, Cavoukian says. “Having order making power is an enormous strength.” Bill C-29 passed its first reading in the House of Commons in October. If critics don’t like the reforms in the bill that may eventually pass, they’ll get another crack at it next year. In 2011, PIPEDA will undergo a mandatory five-year review. [Source]

CA – Ontario School Boards to Share Data on Violent Students

Ottawa’s regional school boards have pledged to follow a new protocol for assessing violent threats from students, and are promising to share information with each other when troubled students transfer between boards. Ottawa police said the community-based threat risk assessment protocol would mean earlier intervention with troubled students before situations escalate. The protocol was developed by traumatic stress consultant Kevin Cameron, who led the crisis response to the school shooting in Taber, Alberta in 1999, where one student died and another was wounded. Cameron said the incident changed the way schools react to threats to identify the more potentially serious ones from off-hand comments a student might make in a heated moment. Cameron said the protocol is all based on engaging students, rather than suspending them. “We’ve learned that by just talking earlier on rather than just blowing it off as a moment in time statement… we’ve been able to identify that there’s problems at home [or] maybe there’s a bullying issue going on that hasn’t been addressed,” he said. [Source]

Consumer

US – Data-Miners Will Let Consumers See their Information

Online data and tracking companies are partnering to develop a service that lets internet users see and even edit what information has been collected about them. This first of its kind service, which will launch in January, is an attempt to head off an increasing amount of criticism and scrutiny regarding personal privacy on the Internet. The project, dubbed the “Open Data Partnership”, will let consumers view and edit the interests, demographic and other profile details collected about them. Details from eight online data and tracking information companies will included in the system, including Lotame Solutions Inc., BlueKai Inc., and eXelate. Big internet companies like Google Inc. and Yahoo Inc. and at least 100 tracking firms are not involved in the project. However, more tracking companies will join Open Data Partnership after it launches. Many of the data mining firms taking part in the project are among the biggest in the fast growing industry of tracking internet users, and have been profiled in mainstream media reports about online privacy. Scott Meyer explained “The government has told us that we have to do better as an industry to be more transparent and give consumers more control. This [Open Data Partnership] is a huge step in that direction”. [Source]

US – FBI Issues Alert For Barbie Doll With Video Camera

The FBI has issued a cyber crime alert on a new Barbie doll that comes with a hidden video camera. Mattel’s Barbie Video Girl has a video camera lens built into its necklace that can record up to 30 minutes of footage to be downloaded on a computer. Officials warned that it could possibly be used to produce child pornography, but said they don’t have any reported crimes. The FBI’s Sacramento office issued a report with the warning on the doll last month. FBI spokesman Steve Dupre said the alert was inadvertently sent to the media but was meant for law enforcement agencies advising them not to overlook the doll during any searches. [Source]

E-Government

CA – Nova Scotia: Drivers’ Renewal Notices Could Come by Email

It won’t happen anytime soon, but Nova Scotians could be getting email reminders that their drivers licence or vehicle registration are due. Kevin Malloy, Service Nova Scotia and Municipal Relations Department deputy minister, said the current practice sees reminders of upcoming renewals mailed to residents. He said department staff have discussed the possibility of switching to email but would have to set up the process of collecting drivers’ email addresses. “We’re looking at it from a couple of perspectives,” Malloy said as he answered questions at the legislature’s public accounts committee Wednesday. “One is it’s an opportunity to reduce costs because you’re not mailing out hard copy forms. The second is that it simply is more convenient.” The department spends about $300,000 a year sending out 500,000 paper reminders of expiring licences and vehicle registrations. That cost includes the paper, ink for the printer, envelopes and postage. Malloy said the biggest issue with setting up an email system is that “people tend to do a pretty good job of (sending change of address notices) when they move, but they may not do such a good job of changing their email address when they go from one (service provider) to another.” He said New Brunswick, the only province using email reminders, has had issues with them bouncing back as undeliverable. [Source]

E-Mail

US – Sixth Circuit Says E-mail Protected by Fourth Amendment

A Sixth Circuit Court of Appeals ruled this week that e-mail is protected by the Fourth Amendment and that the government must have a search warrant to intercept and read e-mails, according to an Electronic Frontier Foundation media release. In its decision in U.S. v. Warshak, the court said that, like traditional forms of communication, e-mail “requires strong protection.” Tanya Forsheit, of the InformationLawGroup said that this is “another great example of how it takes the courts and the law years to catch up with technology.” As noted by the Sixth Circuit, said Forsheit, ‘given the fundamental similarities between e-mail and traditional forms of communication, it would defy common sense to afford e-mails lesser Fourth Amendment protection.’ And yet the law is just now getting there.” Forsheit says privacy professionals and lawyers play an essential role in educating the courts and legislators on changes in technology and what those changes mean for privacy in this country. [Source] [Source]

Electronic Records

AU – Leak of Draft E-Health Document Raises Privacy Concerns

Patients will have limited control of their medical information, as a leaked document shows consumer access will be confined to a portal. While Health Minister Nicola Roxon said consumers would “truly control” their personal electronic health records at her e-health forum last week, attendees did not see a draft concept of operations, showing a patient portal tacked on to a public/private providers’ shared e-health record system (SEHR). The confidential draft for the $467 million personally controlled e-health record (PCEHR) system was produced by the National E-Health Transition Authority, just before the forum. The Australian has obtained a key system design diagram, which shows there is no mechanism for consumers to manage access by their doctors. On the contrary, it appears providers will continue operating largely as they do now. An e-health analyst who examined the material said it revealed an SEHR with “an access path for the consumer” on top. “The diagram shows that while patients will have a window on some of their information, the routine flow between GPs, specialists, pathology and so on will remain unchanged,” he said. “It will also remain as invisible to the ordinary consumer as it always has been. “The present design also makes it clear that NEHTA plans — at the very least — to create a virtual repository of summary clinical information, with all the attendant hazards that brings.” Ms Roxon had said the PCEHR would not involve the creation of a “massive data repository”. Instead, the system would link data held in GPs’ systems, at the pharmacy and within hospitals. [Source]

US – Concern Raised Over Health Record Database

An Office of Personnel Management plan to launch a comprehensive database of federal workers’ health-care records has raised the ire of some privacy advocates, employee unions and consumer groups. The OPM is organizing a research database of insurance claims filed by the 8 million workers and dependents enrolled in the Federal Employees Health Benefits Program, as well as participants in two other federally administered programs. The claims data, which will be supplied by the private insurers that participate in the FEHBP, will help the OPM figure out ways to lower costs, improve quality and fight fraud, the agency has said. But critics – including the American Civil Liberties Union, Consumers Union and the American Federation of Government Employees – argue that the government should avoid setting up a repository of sensitive information that could be vulnerable to privacy breaches. At minimum, they say, the OPM should provide more information about how the database, the Health Claims Data Warehouse, will work and who will have access to it. [Source]

CA – Ontario Commissioner: Don’t Sweat E-Health Outsourcing

Ontario’s privacy watchdog says its rules protecting patient records are so tight, patients needn’t worry about them being vulnerable if London hospitals go ahead with a deal with a U.S. software giant. “You can outsource services, but you cannot outsource accountability (for privacy),” Ann Cavoukian said. Saying Ontario has “perhaps the best (health information) privacy law on the planet,” Cavoukian said the privacy-protection buck stops with the health-care system – so she’s not worried if the hospitals outsource electronic patient-record work to Cerner Corp. London Health Sciences Centre and St. Joseph’s Health Care have been negotiating an outsourcing deal with Cerner – it supplies services to 8,500 facilities worldwide, including some now to London hospitals — that could save the hospitals hundreds of thousands of dollars a year. The controversy surfaced when word got out the move could eliminate dozens of high-paying IT jobs at the hospitals. Cavoukian said the privacy laws clearly make custodians of personal health information responsible. “They are accountable. so you can bet they are going to insist these provisions are embedded in contractual provisions (with the service provider).” At Queen’s Park this week, Ontario New Democrat Leader Andrea Horwath said she fears patient confidentiality may be put at risk. Privacy concerns were also cited by Issam Thabit, a member of the hospitals’ IT team who stood to lose his job, but become a whistleblower and quit. [Source]

EU Developments

EU – EDPS Defines Strategy on EU Administration

Europolitics reports on plans to hold European institutions accountable for respecting the obligations of data protection laws. On Monday, European Data Protection Supervisor (EDPS) Peter Hustinx adopted a policy paper that sets a framework where the EDPS “monitors, measures and ensures data protection compliance in the EU administration.” To date, the EDPS has taken a non-punitive approach. The new framework is designed to encourage proactive compliance by cracking down on those who flout the law. [Source] See also: [E.U. privacy chief Reding to meet with U.S Attorney General Holder]

EU – Spanish Researchers Want to Tag Human Embryos With Bar Codes

Researchers from the Universitat Autonoma de Barcelona in Spain have just finished testing a method for imprinting microscopic bar codes on mouse embryos – a procedure they plan to test soon on humans. The venture is meant to avoid mismatches during in vitro fertilization and embryo transfer procedures. But privacy experts and children’s rights advocates were instantly concerned by the concept of “direct labeling” of embryos, calling for transparency in the process. “An embryo is a human life, so we have to move forward with this very, very cautiously,” Pam Dixon, executive director for the World Privacy Forum, told FoxNews.com. “Obviously we can’t ask the embryo what it wants, so the individual making the donation must consent to this as well as the individual receiving the donation. There’s got to be a lot of public discussion.” The researchers insist that their technique is perfectly safe, claiming that the bar codes simply evaporate as the embryo develops into a fetus. The bar codes aren’t hidden or concealed — in fact, they’re easily observed through a standard microscope, and the research team hopes to develop an automatic code reading system when they perfect their technique for labeling mouse embryos. And once that’s done, testing on human embryos will begin. [Source]

EU – Brussels Mulls Shortening Data Retention Periods

The European Commission is planning a review of the Data Retention Directive, which could include harmonisation and a reduction of the periods when public authorities can access citizens’ private electronic data for security reasons. “We may need to agree on more harmonised, and possibly shorter, retention periods,” said EU Internal Affairs Commissioner Cecilia Malmström in a conference on the Data Retention Directive. Her statement came as the EU executive prepares to publish, at the beginning of 2011, an evaluation report on the application of the directive, which is likely to lead to legislative amendments to tackle shortfalls that could possibly emerge. [Source]

Finance

US – DOJ’s “Hotwatch” Real-Time Surveillance of Credit Card Transactions

A 10 page Powerpoint presentation recently obtained through a Freedom of Information Act Request to the Department of Justice, reveals that law enforcement agencies routinely seek and obtain real-time surveillance of credit card transaction. The government’s guidelines reveal that this surveillance often occurs with a simple subpoena, thus sidestepping any Fourth Amendment protections. As the FOIA document makes clear, Federal law enforcement agencies do not limit their surveillance of US residents to phone calls, emails and geo-location information. They are also interested in calling cards, credit cards, rental cars and airline reservations, as well as retail shopping clubs. The document also reveals that DOJ’s preferred method of obtaining this information is via an administrative subpoena. The only role that courts play in this process is in issuing non-disclosure orders to the banks, preventing them from telling their customers that the government has spied on their financial transactions. No Fourth Amendment analysis is conducted by judges when issuing such non-disclosure orders. While Congress has required that the courts compile and publish detailed statistical reports on the degree to which law enforcement agencies engage in wiretapping, we currently have no idea how often law enforcement agencies engage in real-time surveillance of financial transactions. [Source]

CA – Alberta Justice Broke Privacy Laws: Commissioner

Alberta Justice broke the province’s privacy laws when it ran unauthorized credit checks on 25 employees, says the privacy commissioner. Commissioner Frank Work said the department has agreed an error was made and is satisfied steps have been taken so it doesn’t happen again. The investigation was launched when employees with the Maintenance Enforcement Program (MEP) lodged complaints about unauthorized credit checks. Work’s report said the credit checks were part of a 2009 internal investigation involving fraudulent cheques being cashed. There were concerns an employee was involved in the forgeries, says the report. “To rule out the risk of internal involvement,” officials with the MEP decided to get a credit report on all employees working in the program’s revenue unit. “They were able to determine the breach was an external one and they handed it over to police to investigate,” said Wayne Wood, spokesman for the Office of the Information and Privacy Commissioner. In his report, Work says officials with the MEP violated the Freedom of Information and Protection of Privacy Act. [Source]

FOI

WW – WikiLeaks: Do They Have A Right to Privacy?

Henry Stimson, a predecessor of Hillary Clinton as US Secretary of State, once remarked that “Gentlemen do not read each other’s mail”. If that remains the case, there must be precious few gentlemen left in the United States, and Barack Obama’s Administration must start by blaming itself for the mess it now finds itself in. The 250,000 dispatches and diplomatic cables revealed by WikiLeaks have, apparently, been on a Pentagon-run electronic database that could be accessed, quite properly, by at least tens of thousands and, possibly, hundreds of thousands of officials and military personnel with the appropriate security clearance. The intention appears to have been to ensure that information available to any one of the US’s intelligence agencies should be available to the whole of its intelligence community, in the national interest. While that was reasonable, it is disturbing that so little care was taken to ensure that highly sensitive material reached only those who needed to know. What is appalling is that the distribution system had got out of control and nobody seemed to notice. This incompetence does not entirely excuse WikiLeaks, however. Some of what has been revealed doesn’t matter very much and will irritate rather than alarm foreign governments. There isn’t an ambassador anywhere who is not reporting to his government with his personal opinions of the strengths and weaknesses, warts and all, of the presidents, prime ministers and politicians of the countries to which he is accredited. It all comes down to trust in government. This was, very sadly, deeply corroded in both the United States and in Britain by the controversies surrounding the Iraq war and the failure to find any weapons of mass destruction. That trust must be rebuilt. Presidents and prime ministers of democratic nations must be allowed private and secure dialogue as they try to resolve some of the most difficult problems the world has known. If they are not allowed this freedom, the likelihood is that we will all suffer. [Source] [Operation: Payback attacks can be tracked down]

Health / Medical

US – Vermont Urges SCOTUS to Overturn Second Circuit’s Medical Privacy Decision

The State of Vermont has petitioned the U.S. Supreme Court to review a Second Circuit Court of Appeals decision striking down the state’s prescription confidentiality law, according to an Electronic Privacy Information Center media release. The Second Circuit overturned the 2007 law last month in a split decision, saying it constituted “an impermissible restriction of commercial speech.” In the request for appeal filed this week, Vermont’s attorney general emphasized the importance of consistency across state boundaries, pointing out that 26 states are considering prescription confidentiality laws. [Source] For more information, see EPIC: IMS Health v. Sorrell and EPIC: IMS Health v. Ayotte.

CA – Yukon Health Survey Illegal: Ombudsman

The Yukon government’s latest health survey unfairly and illegally threatened to revoke people’s health-care coverage, according to the territory’s ombudsman. In a report released Monday, Tracy-Anne McPhee said this year’s Health Insurance Survey was “not done within the scope of the law” and targeted innocent Yukoners. The Yukon Health Department and the Yukon Bureau of Statistics have been jointly surveying health-care insurance recipients every year. This year’s survey was mailed out to 5,113 people in April. But those who received the surveys were alarmed when they saw the following statement on the attached cover letter: “If you do not sign and return this card, your health care could be cancelled.” “Whatever the intent of including that statement, some survey recipients clearly saw that as a threat,” McPhee stated in her report, adding that the survey was meant to be completed on a voluntary basis. [Source]

CA – Sask Health Regions Opt Out of Fundraising Over Patient Privacy Concerns

Saskatchewan’s health minister admits he may have underestimated public reaction to a change in privacy rules for hospital fundraising. The change announced by the provincial government in April allows health regions to automatically share patients’ names and addresses with hospital foundations that raise money. But more than half of Saskatchewan’s 13 health regions have opted not to go ahead in large part because of public outcry over privacy concerns. Privacy commissioner Gary Dickson said in April that families of patients were concerned about being directly solicited for donations. Some were worried that it could affect the care their loved ones received. Dickson said at least seven health regions so far are backing away from the idea and he has not yet heard a final decision from the remaining six. [Source]

Horror Stories

CA – Provincial Informants’ Identity Compromised

Alberta’s privacy commissioner is fuming over a string of lap top and cameras losses that included unsecured data on confidential government informants and children’s medical records. Frank Work said the theft of six digital devices and the misplacement of another in the span of six weeks have shown his repeated warnings of securing such material either physically or by encryption is largely falling on deaf ears. “It’s an endless source of frustration,” said Work, adding none of the devices had employed encryption that would prevent access to data. “With all the technology with encryption devices, why take the chance?”[Source] See also: [Medical records of 2,700 children stolen from Alberta Health Services] and [Sask. privacy czar: Faxing of private health info part of systematic problem]

US – Data Cards Missing from AZ Medical Center

Mountain Vista Medical Center in Mesa, AZ, has informed 2,284 endoscopy patients that their data was contained on compact memory cards that were discovered missing on October 13, reports The Arizona Republic. The cards hold names, dates of birth, genders and hospital medical record numbers of patients receiving endoscopy procedures between January of 2008 and October 2010. Though there was no financial data on the cards, the medical center warned patients to monitor their credit for fraudulent charges. The center has made changes to its security procedures and retrained all endoscopy unit employees on security and confidentiality. [Source] See also: [McDonald’s: Customer database hacked]

UK – ‘No Risk of Identity Theft’ After GAA Data Breach

More details have emerged about the Gaelic Athletic Association (GAA) data exposure involving the personal information of more than 500,000 members. A former employee of a company that ran the GAA database was arrested in connection with the stolen data but was released without charges. The thief sent copies of the GAA’s member database to Ireland’s data protection commissioner and the UK Information Commissioner’s Office (ICO). The ICO said in a statement that it is “working closely with the Police Service of Northern Ireland and the Data Protection Commission in the Republic of Ireland” to learn more. [Source]

US – Feds Find Common Link in Data Theft

More details have emerged in the theft of McDonald’s customer data. FBI agents are looking into similar events that may have originated with a marketing services provider based in Atlanta. FBI special agent Stephen Emmett said, “The breach is with Silverpop (Systems), an e-mail service provider that has over 105 customers.” Emmett added that the breach “appears to be emanating from an overseas location.” [Source] See also: [Veteran ‘shocked’ after receiving medical records of other military members]

US – Law Enforcement Files, Personal Information Released on the Internet

Mesa County is trying to figure out the extent of a security breach that put secure law enforcement files and some peoples’ personal information out on the internet for anybody to view. Officials say the error occurred while preparing for a future transition to a new software system for the Mesa County Sheriff’s Office. The person responsible has been let go, but the problem is just beginning for investigators. “It’s the county’s fault that it was there,” Sheriff Stan Hilkey said. Hundreds of thousands of pieces of personal information have been leaked onto an un-secure file-transfer website, or FTP.”We do know that some of them do contain social security numbers,” Hilkey said. Other information includes names and addresses of current and form sheriff’s office employees. The same information could be found for almost anyone who had been listed on a police report with the county. Also, some investigation files were leaked. [Source]

Identity Issues

CA – ID Request at Gas Station Riles Driver

David Menzies came close to being arrested Saturday after refusing to give his driver’s licence to a cashier at a Petro-Canada station. The freelance journalist says he thought the request was odd, but he took his licence out of his wallet to show the cashier so he didn’t hold up the people in line behind him. But when the clerk insisted it was company policy that he had to write down the licence numbers, Menzies refused. “This is a document I share with two parties only. The police and the MTO (ministry of transportation Ontario). If someone gets a licence and a credit card number, those are the keys to the castle in terms of identity theft.” Menzies decided to forget about the candy and lottery tickets so his purchase would be under $100. Menzies says he would like the Ontario privacy commissioner to look into this matter. “Any retailer asking to record driver’s licence info is surely out of line. I say we expose this given the rampant upswing in ID theft these days,” he says.” I’m still shaking over this.” It is not company policy to demand a driver’s licence for a purchase over $100, says Petro-Canada spokesman Michael Sutherland. [Source]

US – UPS to Require Photo IDs for Shipping Packages

UPS is now requiring photo identification from customers shipping packages at retail locations around the world, a month after explosives made it on to one of the company’s planes. The Atlanta-based package courier said the move is part of an ongoing review to enhance security. The directive will apply at The UPS Store, Mail Boxes Etc. locations and other authorized shipping outlets. UPS customer centers have required government-issued photo identification since 2005. [Source]

EU – False Facebook Profile – French Court Awards Damages

A French Court has awarded €1,500 privacy damages against a person who created a false Facebook profile of a French actor and comedian. On 24 November 2010, the Tribunal de Grande Instance de Paris gave judgment in the case of Omar S v Alexandre P. The applicant was Omar Sy a well known television actor and comedian.  A “false profile” of him had been created on Facebook site, illustrated with a photograph of him and containing contains the comments he was supposed to have have posted and the replies to “friends” who had accessed the site. [Source]

Internet / WWW

IN – Now, You Can Track Your Lost Laptop

To allow law enforcement agencies access a novel method of tracking and recovering lost laptops, leading anti-virus solution provider Quick Heal launched a service. All that a laptop owner has to do is register with ‘Quick Heal’ on its website for the service through Mac-id and it keeps continuous track of where the laptop is. If the laptop is stolen the tracker service traces it on the basis of Mac-id and IP addresses. This information can then be used by the police to track the laptop down and retrieve it, said the company press release. The method is aimed at helping police by providing them an interface with the website. [Source] See also: [Vancouver police take to Twitter]

WW – Botnets, Web Threats Take Center Stage In Security Report

Symantec’s MessageLabs has released its annual security report, and it’s not pretty. Not only does the MessageLabs Intelligence: 2010 Annual Security Report reveal concerning malware trends for 2010, but the sneak peek at what 2011 might hold isn’t very comforting either. Like the recent report from McAfee, the MessageLabs security report finds that new malware was detected at an alarming rate in 2010. The MessageLabs press release explains, “In 2010, there were more than 339,600 different malware strains identified in malicious emails blocked, representing over a hundred-fold increase since 2009. This massive increase is largely due to the growth in polymorphic malware variants, typically generated from toolkits that allow a new version of the code to be generated quickly and easily.” Two of the findings in the MessageLabs report are indicators of an overall trend in malware. First, as businesses and consumers continue to migrate to the cloud, and as users spend more time online–whether from a desktop or laptop PC, or from a tablet or smartphone –the Web is emerging as a primary platform for attacks. [Source]

Location

NZ – Commissioner Concludes WiFi Investigation

The Privacy Commissioner of New Zealand has concluded her investigation into Google’s collection of data from WiFi networks while photographing cities for its Street View feature. Privacy Commissioner Marie Shroff said that the company breached New Zealand privacy law when it collected the content of people’s communications and has acknowledged that it “went about things the wrong way.” Shroff said she is “pleased that Google has taken full responsibility for the mistakes it made here and that it has improved its practices to prevent future privacy breaches. This includes training their staff better and checking new products carefully before they’re released.” [Source] [NZ: Google apologises for privacy breaches]

WW – Geist: Location Matters Up in the Cloud

The Wikileaks disclosure of hundreds of U.S. diplomatic cables dominated news coverage last week as governments struggled to respond to public disclosure of sensitive, secret information. One of the most noteworthy developments was Amazon’s decision to abruptly stop hosting the Wikileaks site hours after U.S. Senator Joe Lieberman exerted political pressure on the company to do so. Amazon is best known for its e-commerce site, yet it is also one of the world’s leading cloud computing providers, offering instant website hosting to thousands of companies and websites. In recent years, the combination of massive computer server farms in remote locations and high speed networks have enabled cloud computing to emerge as a critical mechanism for offering online services and delivering Internet content. After Amazon pulled the plug, Wikileaks quickly shifted to a European host, demonstrating how easily sites can shift from one cloud provider to another. Although it seems counter-intuitive to consider the physical location of cloud computing equipment when discussing services that by their very definition operate across borders in the “cloud”, the Wikileaks-Amazon incident provided an important reminder that location matters when it comes to cloud computing. The notion of cloud forum shopping is relatively new, but likely to become more important as legal rules have a direct effect on cloud services and public confidence in them. Interestingly, Canada is well-positioned to emerge as a cloud computing leader in a world where service providers compete at least in part on regulatory frameworks. [Source] [Canada can be a cloud leader thanks to PIPEDA]

Offshore

PH – Bill To “Sharpen the Country’s Competitive Edge”

The author of data protection legislation is confident that its passage will help solidify the Philippines’ position as a global leader in business process outsourcing, a sector that is expected to produce hundreds of thousands of new jobs in the region over the next five years, Inquirer.net reports. “We are absolutely confident that more companies around the world will subcontract their business support jobs to Philippine providers once the proposed Act Protecting Individual Personal Data in Information and Communications Systems is decreed,” said House Deputy Majority Leader Roman Romulo. “This will sharpen the country’s competitive edge in BPO activities, besides reinforcing consumer trust and user confidence in electronic commerce,” he said. [Source]

UG – Uganda: Newspaper Outs Gays, Calls for their Death

A Ugandan newspaper that “outs” people it says are gay and has called for them to be hanged said on Tuesday it would use a two-week window before a court verdict on its activities to continue with its campaign. Three gay activists who were featured in the publication secured an interim injunction on Nov. 1 stopping the newspaper from publishing such photos on privacy grounds. The paper has published some images under the headline “Hang them.” [Source]

Online Privacy

WW – Microsoft Builds Online Tracking Blocking Feature Into IE9

Microsoft is building an anti-tracking function into its upcoming version of Internet Explorer. The new feature will let users keep lists of websites that track what they do online, and block any site from logging their web activity, the company announced. The new feature, called “Tracking Protection,” will be bundled into IE9’s next beta release early next year, and is intended to give users control over what widgets and scripts display – and pull in data – when they visit a given website. The announcement comes just a week after the Federal Trade Commission castigated the online-ad industry for not regulating itself and dragging its feet on being transparent with users about the data they collect and how they use it. [Source] [Microsoft Announced Do Not Track Feature for IE9] [‘Do Not Track’ idea rattles ad industry] [New York Times Editorial - Protecting Online Privacy]

WW – History Sniffing: How YouPorn Checks What Other Porn Sites You’ve Visited

YouPorn is one of the most popular sites on the Web, with an Alexa ranking of 61. Those who visit the homemade-porn featuring site — essentially, a YouTube for porn enthusiasts — are subject to scrutiny, though, of the Web tracking variety. When a visitor surfs into the YouPorn homepage, a script running on the website checks to see what other porn sites that person has been to. How does it work? It’s based on your browser changing the color of links you’ve already clicked on. A script on the site exploits a Web privacy leak to quickly check and see whether your browser reveals that the links to a host of other porn sites have been assigned the color “purple,” meaning you’ve clicked them before. YouPorn did not respond to an inquiry about why it collects this information, and tries to hide the practice by disguising the script with some easy-to-break cryptography. The porn site is not alone in its desire to know what other websites visitors have visited. A group of researchers from the University of California – San Diego trolled through the Web’s most popular sites to see which ones were collecting this information about visitors. They found it on 46 other news, finance, sports, and games sites, reporting their findings in a paper with the intimidating title, “An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications.” The researchers who wrote the paper identifying this practice call it “history hijacking” or “history sniffing.” Mozilla, the foundation behind Web browser Firefox, calls it the “CSS: visited history bug.” It’s a bug that’s been discussed in developer circles for over a decade. Some browsers have fixed the bug. If you’re surfing using Chrome or Safari, this script doesn’t work. Firefox has fixed it in its newest version (for a long explanation as to how, see this post on the Mozilla security blog.) Internet Explorer, the most popular browser out there, is vulnerable to the history sniffing (though you can prevent it by going through the slightly onerous step of activating InPrivate Browsing, according to a spokesperson. That feature also blocks ad networks’ cookies.) [Source]

WW – Consumers Want Targeted Marketing: Facebook

Today’s consumers feel it’s “their right” to receive personalized messages from marketers, says the new managing director of Facebook Canada. “Isn’t that the consumer’s expectation these days? We’re in this era of … this two-way conversation that every consumer feels is their right,” said Jordan Banks during a public interview at the NextMedia digital media industry conference in Toronto. “Whenever they interact with a brand these days, they want to have a say, they want to be treated … personally and they want to be talked to in a timely and relevant manner.” He called the rise of platforms like Facebook — which has more than 500 million users worldwide and is visited by 10 million Canadians daily — a “paradigm shift” that provides a “huge commercial opportunity.” “The social web has opened us all up to very targeted and relevant and personalized messaging that allows us to develop these very meaningful and rich relationships with brands.” Banks downplayed privacy concerns, saying no personally identifiable information is ever provided to marketers, no one can talk to users individually unless they volunteer, and marketers can’t engage users without informing them what data they want. [Source]

Other Jurisdictions

NZ – International Privacy Leaders To Meet 6-8 December 2010, Auckland

In mid-December, the Privacy Commissioner Marie Shroff hosted privacy leaders from around the Asia-Pacific region to discuss the latest international data protection issues. For the first time the US and Mexico will be attending the Asia Pacific Privacy Authorities Forum (APPA) as members. Mexico and the US Federal Trade Commission have very recently joined the APPA Forum. The focus was on international developments in cross-border protection of data and how we can further promote data-safe business practices,” said Ms Shroff. The APPA Forum looked at:

  • Web 2.0 technologies and privacy regulation such as FTC action on social networking sites including Twitter’s security practices that left users vulnerable to hackers
  • direct marketing and privacy, including the sale of data from Hong Kong’s public transit Octopus card for marketing purposes
  • credit reporting and privacy
  • international privacy developments
  • international cross-border privacy enforcement. [Source]

 

Privacy (US)

US – FTC Staff Report: Web Privacy ‘Inadequate’

The FTC weighed in on the issue of Internet privacy, calling for development of a “do not track” system that would enable people to avoid having their actions monitored online-prompting immediate objections from the online-advertising industry. “Self regulation of privacy has not worked adequately and is not working adequately for American consumers,” said FTC Commissioner Jon Leibowitz. “We deserve far better.” The FTC endorsed a report by its staff that faulted the industry for not doing enough to protect consumer privacy online. Mr. Leibowitz said the FTC isn’t calling for legislation yet but pointed to the report as a recommendation for lawmakers. “A legislative solution will surely be needed if industry doesn’t step up to the plate,” Mr. Leibowitz said. The FTC report suggests that the most practical method of providing a do-not-track system would be to include a setting in Web-browsing software that would broadcast people’s desire not to be tracked. Major Web browser makers including Microsoft Corp., Google Inc., Mozilla Corp. and Apple Inc. have experimented with do-not-track tools in their browsers, Mr. Leibowitz said. “We’re going to give these companies a little time but would like to see them work a lot faster,” he said. Privacy advocates cheered the report. “The FTC finally gets it- consumer privacy is seriously at risk online and off,” said Jeffrey Chester, director of the Center for Digital Democracy. However, the $23 billion online ad industry immediately rejected the FTC’s proposal. Mike Zaneis, senior vice president at the industry’s lobbying group, the Interactive Advertising Bureau, said the industry already provides the “functional equivalent” of a do-not-track system with its website, Aboutads.info, which allows people to “opt out” of receiving targeted ads from nearly 60 companies. Mr. Zaneis said consumers wouldn’t benefit from turning off tracking because “consumers depend on sharing of data … to customize news sites, optimize Web services such as social networks, and provide relevant content and advertising across the Web.” Advertisers said restricting tracking could limit the ability of websites to offer free content that is paid for by advertising. The FTC report also calls for companies to provide “just in time” notice to consumers if they plan to use people’s data in a way that is “not commonly accepted” and for companies to give people “reasonable access” to data collected about them. The report challenged the notion that data collected by tracking companies is benign because it doesn’t include user’s names. The report says the distinction between data containing personally identifiable information and anonymous data is becoming less meaningful. As a result, the FTC report says its recommendations apply to the collection of any data that can be “reasonably linked to a specific consumer, computer or other device.” The ad industry’s current opt-out system prevents only the use of tracking data for advertising purposes, not the collection of tracking data. The FTC supports being able to “opt out of data collection, not [just] out of targeted advertising,” said Jessica Rich, the deputy director of the FTC’s Bureau of Consumer Protection.The FTC is seeking comments on its privacy recommendations and will issue a final version of its report next year. Mr. Leibowitz said the report “is not a template for enforcement.” He added: “At this point I think we’re making recommendations for best practices.” [The Wall Street Journal] [Feds propose tough new rules to limit online ‘tracking’]

US – The Evolution of Privacy Breach Litigation

On the Concurring Opinions blog, Sasha Romanosky outlines a pattern that has emerged in privacy breach litigation over the past several years. Citing existing analyses on the topic, Romanosky characterizes three types of breach lawsuits–the classic “you lost my data” suits, where the plaintiffs must prove they have been harmed; the “intentional disclosure” suits, where “the legal focus shifts from the plaintiff’s harm to the defendant’s behavior,” and the increasingly common “unauthorized collection” suits, where plaintiffs claim that organizations “knowingly and willfully collected their personal information.” The categories “tell an interesting story of how the landscape of privacy breaches and breach litigation is evolving,” Romanosky writes. [Source]

Security

US – NASA Sold PCs Without Wiping Sensitive Data

NASA has revealed that 10 computers used for its space shuttle program were sold to the public without being wiped of sensitive data. Another computer that was confiscated before it could be sold contained information on space shuttle-related technology, which was subject to export control by the International Traffic in Arms Regulations. In addition, computers that were being prepared for sale were found at the Kennedy Space Center’s disposal facility with NASA’s Internet Protocol information prominently displayed, which the investigators said could provide hackers with details they needed to target NASA network assets and exploit weaknesses.[Source]

US – Most Employees Expose Sensitive Info When Working Outside Office

Two-thirds of employees put sensitive data at risk when working outside the workplace, and some workers even expose highly regulated and confidential information such as customer credit card and Social Security numbers, according to a recent study. Additionally, the majority of companies do not have policies or measures in place to protect sensitive information from computer screen snooping when employees are working in public places, according to The Visual Data Breach Risk Assessment Study, conducted by People Security and commissioned by 3M, the maker of privacy filters for computers and mobile devices. The study included a survey of 800 working professionals and an experiment at a large IT conference where computer usage habits and data security choices were observed. The latest smartphones now make it possible for a data thief to take a high-resolution picture of confidential information on a computer screen and retrieve data without having to hack into anything. He said the information revealed on mobile devices outside the workplace now gives a thief a window into a company’s most confidential data, greatly increasing the possibility of visual data breaches. The study also examined how privacy concerns affect employee productivity when they work outside the office. 57% of workers surveyed said they’ve stopped working on their laptops in a public place because of privacy concerns and 80% thought that “prying eyes” posed at least some risk to their organizations. [Source]

Surveillance

UK – Britain’s Move Towards A Surveillance Society Intensifying, Report

According to a new report by the Surveillance Studies Network (SSN), Britain’s move towards a surveillance society are expanding and intensifying. Information commissioner Christopher Graham has urged the Prime Minister to introduce new privacy safeguards for the citizens after the report. The report was prepared on behest of the Commons home affairs committee and is an update to a similar report published in 2006. The report in 2006 has resulted in earlier commissioner warning that the Britain was “sleepwalking into a surveillance society”. SSN now says that the warning is no less cogent in 2010 than it was then. The report took note of unmanned drones being used by cities, full body search scanners and workplace surveillance techniques as troublesome indicators upcoming trends. British citizens are already the most-watched citizens in the democratic world due to use of techniques and tools such as CCTV, cameras that track vehicles, vast government databases and the sharing of personal data, the report said. The use of technology for such type of surveillance decreases what one expects of privacy, according to the report. A government spokesperson has responded by saying that the authorities are committed to rolling back the `state intrusion’. [Source]

US – Florida: The Legality of Posting Surveillance Video to Shame Your Neighbour

Sometimes, when your neighbor throws a bag full of dog crap into your bushes every single day while walking his dog, you need to fight back. Here is what one guy did (See source for Video). As discussed in The New York Times, the man who made the video above is Steve Miller of Palm Beach Gardens, Fla. The Times says that in so doing, Miller joined the ranks of outraged homeowners who are recording their neighbours’ misdeeds. Attracted by the declining prices and technological advances of such devices, these homeowners are posting the videos online to shame their neighbours or using them as evidence to press charges. Tara Krieger of the Legal As She is Spoke blog posted on the legality of posting such videos, identifying two key issues:

(1) Under what circumstances may private citizens set up hidden cameras?; and

(2) Can private citizens then upload unauthorized footage of others to the Internet?

Looking at Miller’s situation, Krieger writes that for private citizens, the First Amendment often protects this type of freedom of expression. In addition, Florida is not among those states that have enacted statutes banning the use of surveillance cameras in “private places” where one would have a “reasonable expectation of privacy,” and a public sidewalk probably would not fit that definition, anyway. In short, Krieger says, Miller “can rest assured that in taking pains to film and show what was on his own property, his revenge against the poop dropper was legal.” [Source]

US – California Allows “Driver Cams” Starting in 2011

In the name of vehicle safety, California Assembly Bill 1942 will permit among other things “driver cams” to be mounted on vehicle windshields beginning on January 1, 2011. Formally known as “video event recorders,” these devices can continuously record audio, video, and G-force levels in a digital loop in order to help identify bad driver habits or other factors that lead to vehicle accidents. Well intended, the new law certainly will create a range of privacy issues for employers, particularly those in the transportation and delivery business. Specifically, the law will permit the monitoring of driver performance through video event recorders so long as the following are satisfied:

§         Size limitation – The recorder must be mounted either (i) in a seven-inch square in the lower corner of the windshield farthest removed from the driver, (ii) in a five-inch square in the lower corner of the windshield nearest to the driver and outside of an airbag deployment zone, or (iii) in a five-inch square mounted to the center uppermost portion of the interior of the windshield.

§         Notice requirement – A notice must be posted in a visible location informing passengers that their conversations may be recorded.

§         Length of recording – No more than 30 seconds may be recorded before or after a triggering event, e.g., a collision.

§         Driver for hire rights – Employers that install a video event recorder in vehicles of their employees driving for hire must provide those employees with unedited copies of the recordings upon the request of the employee or the employee’s representative. These copies must be provided free of charge to the employee and within five (5) days of the request.

There are a number of obvious issues that face employers interested in utilizing video event recorders, such as not knowing what information will be captured by these devices and how to discipline employees who violate policy as shown in the recording. There are other less obvious issues which employers should consider when deciding to implement this technology. For example, the law does not provide a period after which employees can no longer request a copy of the recording. This raises the question of how long recordings must be maintained. Another concern is whether information captured in a recording could be used against the employer, such as in a wage and hour class actions or violations of common carrier or vehicle safety requirements. Because the law is designed to address vehicle safety, a question exists as to whether the law implies a training requirement on employers aware of bad driving habits of employees from the recordings. [Source]

WW – All US-Bound Airlines Join Program to Check Passenger Info Against Watchlists

All 197 airlines that fly to the U.S. are now collecting names, genders and birth dates of passengers so the government can check them against terror watch lists before they fly, the Obama administration announced. Getting all air carriers that travel to or through the U.S. to provide this information marks a milestone in the U.S. government’s counterterrorism efforts and completes one of the 9-11 Commission’s recommendations. The program, called Secure Flight, has been delayed for years because of privacy concerns and went through three versions before it was approved. It’s designed to give U.S. authorities more time to identify and remove suspected terrorists from flights and reduce instances when passengers are mistaken for people on terror watch lists. Misidentification of passengers has been one of the biggest inconveniences in post-Sept. 11 air travel, and widely known for putting thousands of innocent travellers and well-known figures like former Sen. Ted Kennedy, through extensive searching and questioning before they were allowed to fly. Previously, airlines have been responsible for checking the passenger lists against terror watch lists. But the airlines did not have any information other than a name. Now the screening is done by the Transportation Security Administration. The more information available about a passenger, the less likely a passenger will be mistaken for someone on a watch list. When someone makes a flight reservation, that information goes to the Secure Flight database within seconds. [Source]

Telecom / TV

WW – Race Is On to ‘Fingerprint’ Phones, PCs

David Norris wants to collect the digital equivalent of fingerprints from every computer, cellphone and TV set-top box in the world. He’s off to a good start. So far, Mr. Norris’s start-up company, BlueCava Inc., has identified 200 million devices. By the end of next year, BlueCava says it expects to have cataloged one billion of the world’s estimated 10 billion devices. Advertisers no longer want to just buy ads. They want to buy access to specific people. So, Mr. Norris is building a “credit bureau for devices” in which every computer or cellphone will have a “reputation” based on its user’s online behavior, shopping habits and demographics. He plans to sell this information to advertisers willing to pay top dollar for granular data about people’s interests and activities. Device fingerprinting is a powerful emerging tool in this trade. It’s “the next generation of online advertising,” Mr. Norris says. It’s tough even for sophisticated Web surfers to tell if their gear is being fingerprinted. Even if people modify their machines-adding or deleting fonts, or updating software-fingerprinters often can still recognize them. There’s not yet a way for people to delete fingerprints that have been collected. In short, fingerprinting is largely invisible, tough to fend off and semi-permanent. Mr. Norris became CEO and spun off BlueCava to market device fingerprinting both to fraud-prevention and online-ad firms. Eventually, he hopes Blue Cava can fingerprint everything from automobiles to the electrical grid. In October, Texas billionaire Mark Cuban led a group of investors who put $5 million into BlueCava. BlueCava embeds its technology in websites, downloadable games and cellphone apps. Later this year, BlueCava plans to launch its reputation exchange, which will include all the fingerprints it has collected so far. Unlike most other fraud-prevention companies, BlueCava plans to merge its fraud data with its advertising data. Rivals say they don’t mix the two types of data. Mr. Norris says collecting that data is “standard practice” in the online-ad business. Blue Cava also is seeking to use a controversial technique of matching online data about people with catalogs of offline information about them, such as property records, motor-vehicle registrations, income estimates and other details. It works like this: An individual logs into a website using a name or e-mail address. The website shares those details with an offline-data company, which uses the email address or name to look up its files about the person. The data company then strips out the user’s name and passes BlueCava information from offline databases. BlueCava then adds those personal details to its profile of that device. As a result, BlueCava expects to have extremely detailed profiles of devices that could be more useful to marketers. In its privacy policy, BlueCava says it plans to hang onto device data “for the foreseeable future.” Advertisers are starting to test BlueCava’s system. Mobext, the U.S. cellphone-advertising unit of the French firm Havas SA, is evaluating BlueCava’s technology as a way to target users on mobile devices. “It’s a better level of tracking,” says Rob Griffin, senior vice president at Havas Digital. Phuc Truong, managing director of Mobext, explains that tracking on cellphones is difficult because cookies don’t always work on them. By comparison, he says, BlueCava’s technology can work on all phones. “I think cookies are a joke,” Mr. Norris says. “The system is archaic and was invented by accident. We’ve outgrown it, and it’s time for the next thing.” [The Wall Street Journal]

US Government Programs

US – Government Reports Violations of Limits On Spying Aimed at U.S. Citizens

The federal government has repeatedly violated legal limits governing the surveillance of U.S. citizens, according to previously secret internal documents obtained through a court battle by the American Civil Liberties Union. In releasing 900 pages of documents, U.S. government agencies refused to say how many Americans’ telephone, e-mail or other communications have been intercepted under the Foreign Intelligence Surveillance Act – or FISA – Amendments Act of 2008, or to discuss any specific abuses, the ACLU said. Most of the documents were heavily redacted. However, semiannual internal oversight reports by the offices of the attorney general and director of national intelligence identify ongoing breaches of legal requirements that limit when Americans are targeted and minimize the amount of data collected. The documents note that although oversight teams did not find evidence of “intentional or willful attempts to violate or circumvent the law . . . certain types of compliance incidents continue to occur,” as a March 2009 report stated. The unredacted portions of the reports refer only elliptically to what those actions were, but the March 2009 report stated that “information collected as a result of these incidents has been or is being purged from data repositories.” All three reports released so far note that the number of violations “remains small, particularly when compared with the total amount of activity.” However, as some variously put it, “each [incident] – individually or collectively – may be indicative of patterns, trends, or underlying causes, that might have broader implications.” and underscore “the need for continued focus on measures to address underlying causes.” The most recent report was issued in May. In a statement Thursday, the ACLU said that violations of the FISA Amendments Act’s “targeting and minimization procedures . . . likely means that citizens and residents’ communications were either being improperly collected or ‘targeted’ or improperly retained and disseminated.” The ACLU has posted the documents on its Web site. [Source]

US – Service Members Face New Threat: Identity Theft

The government warns Americans to closely guard their Social Security numbers. But it has done a poor job of protecting those same numbers for millions of people: the nation’s soldiers, sailors, airmen and Marines. At bases and outposts at home and around the world, military personnel continue to use their Social Security numbers as personal identifiers in dozens of everyday settings, from filling out health forms to checking out basketballs at the gym. Thousands of soldiers in Iraq even stencil the last four digits onto their laundry bags. All of this is putting members of the military at heightened risk for identity theft. That is the conclusion of a scathing new report written by an Army intelligence officer turned West Point professor, Lt. Col. Gregory Conti. The report concludes that the military needs to rid itself of a practice that has been widespread since the 1960s. [Source]

Workplace Privacy

CA – B.C. Labour Board Backs 2 Firings Over Facebook Comments

Two workers at a B.C. car dealership were sacked for what they wrote about their employer and their managers on Facebook. And the B.C. Labour Relations Board has upheld their dismissal. The incident, which occurred in Pitt Meadows just east of Vancouver, is believed to be the first such case in Canada. “It’s the first Facebook case that has made it to hearing,” said Donald Richards, the lawyer who handled it for the employer, but he added there are likely plenty more to come. “I think they’re in the hopper now.” In this case, the two employees left few defamatory stones unturned. One or the other slagged their employer, accusing the business of being crooked, accused managers of performing homosexual acts together and mused about committing acts of violence against them. In addition, some of the posts were made from computers at the business and one of the managers in question was a Facebook “friend” of the two, at least for part of the time in question. [Source] See also: [No-Facebook experiment yields dramatic results] [US Man charged with hacking women’s Facebook accounts, posting nude photos] [Facebook Seeks Friends in Washington Amid Privacy Talk] [As Bullies Go Digital, Parents Play Catch-Up] [Opinion: Where Anonymity Breeds Contempt]

NO – Boss Orders Female Staff to Wear Red Bracelets When They Are on their Periods

A boss in Norway has ordered all female staff to wear red bracelets during their periods – to explain why they are using the toilet more often. The astonishing demand was revealed in report by a workers’ union into ‘tyrannical’ toilet rules in Norwegian companies. The study claimed businesses were becoming obsessed with lost productivity due to employees spending too much time answering the call of nature. It found 66 per cent of managers made staff ask them for an electronic key card to gain access to the toilets so they could monitor breaks. Toilets in one in three companies were placed under video-surveillance, while other firms made staff sign a toilet ‘visitors book’, the report by the Parat union said. It added: ‘But the most extreme action was taken by one manager who made women having their period wear a red bracelet to justify more frequent trips to the loo. ‘Women quite justifiably feel humiliated by being tagged in this way, so that all their colleagues are aware of this intimate detail of their private life.’ The report, which did not name the firm imposing red bracelets on female staff, has now been passed on to Norway’s chief consumer ombudsman Bjorn Erik Thon. He said: ‘These are extreme cases of workplace monitoring, but they are real. ‘Toilet Codes relating to menstrual cycles are clear violations of privacy and is very insulting to the people concerned. ‘We receive many complaints about monitoring in the workplace, which is becoming a growing problem as it is so often being used for something other than what it was originally intended for. ‘We will be carrying out a full review of the rules surrounding employment and privacy over the coming year.’ [Source]

+++

 

Follow

Get every new post delivered to your Inbox.