Author Archives: privacynewshighlights

16-31 May 2013

Canada

CA – Stoddart: PIPEDA Reform, Enforcement Powers Needed

Privacy Commissioner Jennifer Stoddart, wrapping up 10 years in her office this year, used her keynote address at the IAPP Canada Privacy Symposium in Toronto to lay out her recommendations for reforming the Personal Information Protection and Electronic Documents Act. In short, amendments should include stronger enforcement powers, mandatory data breach reporting, teeth behind accountability and increased transparency measures. [Source] [Canada’s privacy laws inadequate for digital age, watchdog says] See also: [Commissioner Cavoukian marks 25 years of innovative access and privacy leadership in Ontario] and [Ontario power plant cancellations: Information watchdog Ann Cavoukian scolds Liberals for deleting emails]

CA – Government Went Too Far in Surveillance of First Nations Advocate: Report

The federal privacy commissioner says two government departments went too far in their monitoring of a First Nations children’s advocate and her personal Facebook page. Commissioner Jennifer Stoddart was looking into a complaint from activist Cindy Blackstock, executive director of an organization fighting the federal government in court over First Nations child welfare programs. Stoddart says the Department of Aboriginal Affairs and the Department of Justice violated the spirit, if not the intent, of the Privacy Act by compiling information from Blackstock’s personal Facebook page. Both departments have agreed to cease and desist their monitoring, destroy personal information not directly linked to federal policy, and set up a new system to make sure such surveillance does not happen again. The privacy commissioner found no merit to two other privacy complaints from Blackstock. [Source] See also: [Jeffrey Delisle case: CSIS secretly watched spy, held file back from RCMP]

CA – Top Court Won’t Hear Case For Sperm-Donor Dad’s ID

The Supreme Court of Canada will not hear an appeal from a woman who wanted to know the identity of her sperm-donor father. The appeal court said she has no constitutional right to information about her biological father. The court said providing such information would amount to state intrusion into the lives of many people. As usual in such decisions, the Supreme Court gave no reasons for refusing to hear the appeal. [Source]

CA – Security Breach Legislation Suffers Another Setback

The Harper government’s opposition to a private member’s bill calling for mandatory security breach notification is embarrassing, says privacy expert Michael Geist. It’s been nearly two years since the government introduced Bill C-12, its proposed legislation featuring security breach disclosure notification, and it looks like legislators are nowhere near coming up with a meaningful reform of the country’s online privacy law, according to an Ottawa-based Internet law expert. Conservative MPs in the House of Commons last week opposed a security breach disclosure bill (Bill C-475) introduced by New Democratic Party MP Charmaine Borg even though it was “roughly similar” to their party’s own Bill C-12. “The opposition to meaningful privacy reform is particularly discouraging given the thousands of breaches that have occurred in recent years from within the government itself and its claim to be concerned with the privacy of Canadians,” he wrote in a blog this week. Both Borg’s Bill C-475 and the Conservatives’ Bill C-12 include notification requirements to the Privacy Commissioner of Canada in the event organizations suffer certain security breaches. [Source]

CA – Online Surveillance Bill Would Have Unlocked Personal Secrets: Report

The Canadian Press reports on a new study by the Office of Privacy Commissioner Jennifer Stoddart indicating that a bill that would have given police more information about Internet users would have “unlocked numerous revealing personal details.” The report found that the online surveillance bill would have acted as “a digital key” to an individual’s details, Stoddart said, adding, “In general, the findings lead to the conclusion that, unlike simple phonebook information, the elements examined can be used to develop very detailed portraits of individuals, providing insight into one’s activities, tastes, leanings and lives.” The government dropped the bill earlier this year following widespread criticism. [Source]

CA – SK Commissioner Concerned About Securities Amendment Act

Saskatchewan’s information and privacy commissioner says he remains concerned that a bill passed by the provincial government this spring (Bill 65, The Securities Amendment Act, 2012) creates a new right of privacy for corporations. “Privacy law 101 — just a key foundational principle — is that privacy is uniquely the right of an individual. Corporations cannot have a right of privacy. And yet the bill that’s just been passed in fact indicates that corporations do have a right of privacy.” Dickson says the bill “specifically carves certain records out from the scope of the Freedom of Information and Protection of Privacy Act” and the issue could lead to confusion around privacy law in the province. He also speculated that the change “could be exploited” and corporations could now argue that they have a right of privacy. Dickson says his office was never consulted about Bill 65, but has been raising red flags about it since March. He expected a house amendment would address the issues he raised. Instead, his concerns were dismissed — he believes incorrectly — when the bill reached the committee stage. [Source]

Consumer

US – How Data Access May Improve Consumer Confidence

With the increasing data collection capabilities by mobile carriers and household energy suppliers, among others, consumers have difficulties accessing their personal data. “Never mind all the hoopla about the presumed benefits of an ‘open data’ society,” the article states, “In our day-to-day lives, many of us are being kept in the data dark.” Future of Privacy Forum Director Jules Polonetsky, CIPP/US, said consumers may feel more comfortable about having their personal data mined if businesses demonstrate direct consumer benefits arising from collection. [The New York Times]

US – Teens Post More but Manage Privacy Settings

A new Pew Research Center survey indicates that teens are posting more about themselves on social networking sites but are also taking formal and informal steps to manage their online privacy and reputation. The research canvassed 802 individuals between ages 12 and 17 and their parents. 60% of Facebook users used the highest privacy setting while 14% said their Facebook pages are public. ConnectSafely.org Co-director Larry Magid said, “The idea that young people will post anything is not true” and many are “thinking about whether this is something I’d want my grandmother, a college administrator, an employer or a future boyfriend or girlfriend to see.” [USA TODAY]

US – States Drop Out of Tracking Database

Officials in several states are backing away from a $100 million database intended to track students from kindergarten through high school. The database was launched this spring and stores student data including test scores, learning disabilities and discipline records. But parents and civil liberties groups have raised concerns about potential privacy breaches. Louisiana’s superintendent of education withdrew student data from the database in April and plans to hold public hearings on data retention and security. New York, Illinois and Colorado are active participants. The mother of a 10-year-old public school student said the thought of her son’s medical treatments being stored on the cloud indefinitely “feels like such a violation.” [Reuters]

US – Do College Kids Care About Privacy?

USA TODAY explores whether college students are concerned about the personal information businesses access about them as online games, streaming services and social networking sites increasingly give third parties access to the online data they’ve collected. Woody Hartzog, assistant law professor at Alabama’s Samford University, said, “Young people don’t think about privacy of information to third parties. When they get older, it becomes more real. It largely stems from young people not thinking about their information being given to third parties, and maybe not caring.” [Source] [PEW Internet Study]

WW – Teenagers Care More About Online Privacy Than You Think

New research by the Pew Research Center and the Berkman Center for Internet & Society reveals that teens are surprisingly shrewd about protecting their personal data on social networks. The joint paper found that teenagers are sharing more and more personal information online: 91% of teenagers post at least one photo of themselves (up from 79% in 2006), while 71% post their school name (up from 49%), 53% post their email address (up from 29%), and 20% post their cell phone number (up from 2%). At the same time, teenagers are more and more cautious as to who sees this information: about 60% of teen Facebook users set their profiles to private (friends only), and most report high levels of confidence in their ability to manage their settings. Today’s teenagers are, in the eyes of Pew, walking contradictions, increasingly open despite their understanding of privacy risks (and mastery of the tools needed to combat them). So what explains the privacy paradox? Teens care about privacy in a social context, not a big data context. [Source]

US – P&G Partners with Eye-Tracking Firm

Procter & Gamble (P&G) has announced a European-based partnership with eye-tracking firm Sticky. The company has been trialing the eye-tracking service and making decisions to cancel ads based on those that aren’t getting seen. “Applying Sticky’s tracking to our digital media campaigns will help us to optimize and increase our ROI on digital marketing investments in some campaigns up to 25%,” said P&G’s head of digital. Sticky uses webcams to record eye movements from page to page. [Adweek]

E-Government

US – IRS Probe Brings Section 6103 into Limelight

As U.S. lawmakers investigate actions by the Internal Revenue Service (IRS) that may have targeted conservative nonprofit groups, some of the fact-finding is being hampered by Section 6103 of the tax code, which establishes taxpayer privacy rights. Passed by Congress in 1976 after it came to light that Richard Nixon wanted to audit his political opponents, 6103 creates an assumption that taxpayer information is private unless it is needed for a specific investigation targeted at that individual. In the case of the current probe, since it is the IRS itself that is under investigation, many congressional questions can’t be answered directly by the IRS, as the answers involve private taxpayer information. [Bloomberg]

See also: [US: Data breach puts DHS employees at risk of identity theft]

AU – House Removes Parliamentary Departments from FOI Scrutiny

The Parliamentary Service Amendment (Freedom of Information) Bill 2013 sailed through the Australian House of Representatives in 11 minutes flat. Not a query or concern from any quarter. If they stick together the two major parties have the numbers to push this through the Senate. The bill amends the Parliamentary Service Act 1999 to remove the parliamentary departments and office holders from the Freedom of Information Act 1982. Completely and retrospectively. The Australian Information Commissioner in 2012 had issued guidance that the departments were agencies subject to FOI, and had been since 1999, something overlooked by all and sundry. [Source]

Electronic Records

US – Hospital Creates Portal to Protect Teens’ Data

In an effort to address concerns over children’s privacy when it comes to their personal health records (PHR), Boston Children’s Hospital (BCH) has developed a custom-built PHR portal with separate accounts for patients and their parents. While children’s PHRs are generally controlled by their parents, teenagers have a right to privacy regarding the information they share with physicians, according to BCH’s Fabienne Bourgeois. “The parent has sole access to the patient’s portal until the patient turns 13, at which point both the parent and the patient can have access,” Bourgeois reports. At 18, access is restricted to the patient. [InformationWeek] See also: [Commissioner Cavoukian Commends Government of Ontario for Clarifying Privacy Rights for Electronic Health Records] and [Ontario Strengthening Patient Privacy] [ON: City’s disciplinary action not protected: privacy commission]

Encryption

US – Magistrate Reverses Ruling, Requires Man to Decrypt Storage Devices

US Magistrate William Callahan Jr. has ordered a Wisconsin man suspected of possessing child pornography to decrypt hard drives that law enforcement authorities seized from his home. In early April, Callahan ruled that to order Jeffrey Feldman to decrypt the devices would be a violation of his Fifth Amendment rights. At that time, prosecutors had been unable to crack the encryption on any of the devices. But since that ruling, prosecutors managed to decrypt a portion of one of the devices and found content linking Feldman to them. So Callahan reversed his order, writing, “the government has now persuaded me that it is a ‘foregone conclusion’ that Feldman has access to and control over the subject storage devices” and that “Fifth Amendment protection is no longer available to” the defendant. Callahan has ordered Feldman to either provide prosecutors with the passwords necessary to decrypt the data storage devices or provide decrypted copies of everything on those drives. [WIRED] [ComputerWorld] [WIRED] SEE ALSO: [Washington Post] [Forbes] [Cryptome]

WW – Google Will Upgrade SSL Encryption Keys

By the end of 2013, Google plans to upgrade all of its SSL certificates to 2048-bit keys. The change is scheduled to begin in August. Google plans to upgrade its root certificate as well. Certain client software embedded in devices like phones, gaming consoles, and cameras could run into problems with the upgrade; Google has offered advice to help mitigate those issues. [Ars Technica] [h-Online] [ZDNet] [ComputerWorld]

EU Developments

EU – New Data Protection Rules at Risk, EU Watchdog Warns

European Data Protection Supervisor Peter Hustinx highlighted the need to “distinguish the proposal from the rhetoric” in light of the lobbying around the proposed data protection directive. Hustinx addressed the media after delivering his annual report to the European Parliament’s Civil Liberties, Justice and Home Affairs Committee in order to acknowledge the importance of passing the legislation. Failure to do so before the end of Parliament’s tenure would “have serious repercussions in terms of economic development,” said Hustinx. German Rapporteur Jan Philip Albrecht told EUObserver of his concerns that the EU may end up with weaker legislation than it has now—contravening a 2011 vote to create a law at least as strong as, if not stronger than, the 1995 directive. [EurActive]

EU – The Regulation, Its Future and Questions on Profiling: A Roundup

A look through EU headlines from the past week yields a consistent theme: the proposed data protection regulation. Reports highlight concerns voiced by European Data Protection Supervisor Peter Hustinx and German Rapporteur Jan Philip Albrecht as well as worries from charitable organizations that the regulation could impact their ability to reach donors. As Field Fisher Waterhouse’s Eduardo Ustaran, CIPP/E, notes in his recent blog on the regulation and the issue of profiling, “The Working Party appears to sit somewhere in the middle between the commission’s proposal and Albrecht’s approach. That is still a very strict position to adopt, clearly aimed at eliminating the perceived risks of profiling…” [The Privacy Advisor] [Euro-deputies diverge on data protection details] [KPMG: 51% of organisations in UK fail to comply with EU cookie law]

EU – DPA Defines Obligations for Data Breaches

Stefano Taglibue reports on the Italian Data Protection Authority’s (Garante) recent decision defining obligations for telephone companies and Internet service providers regarding potential data breaches. Under the definition, providers must notify the Garante of a breach within 24 hours. Fines of up to 100,000 euros may be issued for failure to notify and of up to 1,000 euros per individual involved for failure to communicate the event to those involved, Taglibue writes. [The Privacy Advisor]

EU – Working Party Explains BCRs for Processors

The Article 29 Working Party has issued an explanatory document on Binding Corporate Rules for processors in response to the outsourcing industry’s request for a legal tool that reflects data-transfer practices today. The document includes clarity on such issues as onward transfers, cooperation and legal enforceability. [The Privacy Advisor]

EU – Ireland: Data Subject Told “Prove Your Loss”

The Irish High Court recently decided that for damages to be recoverable by a data subject for breaches of the Data Protection Acts, the data subject must prove that he suffered loss as a result of the breaches. In the case of Michael Collins v FBD Insurance plc, Mr Collins was awarded damages of €15,000 by the Circuit Court for 4 breaches of the Data Protection Acts by the defendant insurance company. The breaches arose out of the manner in which a private investigator obtained and processed personal data of the plaintiff, including a criminal conviction, on behalf of the insurance company defendant, and the failure by the insurance company to respond to data access requests in a timely manner. The only question for the High Court was, in order for the plaintiff to be entitled to damages for breach of section 7 of the Data Protection Acts, did the plaintiff have to prove to the court that he had suffered loss or damage arising from the breaches of the Act. This case will be of some assistance to data controllers and processors in determining what their exposure will be arising from their breaches of the duty of care owed to data subjects under the Data Protection Acts. [Source]

EU – Commissioner Dislikes Xbox’s View Into the Living Room

Germany’s federal data protection commissioner says he’s “unsettled” by Microsoft’s new Xbox One console, launched by the company last week. Commissioner Peter Schaar says the box “records all sorts of personal information” that could be recorded and transferred to third parties. “The fact that Microsoft is now spying on my living room is just a twisted nightmare,” Schaar said. Microsoft says it is not using the box’s system to “snoop on anybody at all.” [Slate]

EU – In Denmark, Online Tracking of Citizens is an Unwieldy Failure

Five years ago, Denmark passed a law requiring telecommunication companies to retain and store customers’ personal data for up to one year. Now, the telecom industry and advocates are calling for changes to the law, citing “an unjustifiable invasion of privacy.” Police say the law hasn’t helped them track criminals, but the Danish government wishes to delay a review of the law for two years. [TECHPRESIDENT]

EU – Google, Microsoft, Yahoo Secret Backers of European Privacy Association

The European Privacy Association (EPA) has revealed that several U.S.-based tech companies are backers. Last week, the Corporate Europe Observatory (CEO)—a watchdog that “works to expose privileged access in EU policy making”—filed a complaint stating the EPA, while working to represent industry interests in EU data protection reforms, did not list any backers on the EU Transparency Register, the report states. A CEO representative said the group’s name conflicts with its pro-industry stance, creating a “confusing…mismatch.” In a press release, the EPA said, “We are immediately clarifying such discrepancies” to ensure that they’re “in line with the guidelines of the European Union.” [IDG News Service]

UK – Court: Compensation Only if Damages Are Due To Breach of DPA

The England and Wales Court of Appeal recently ruled that businesses “do not have to pay compensation for causing distress to consumers if they break data protection laws unless the distress suffered by consumers is linked to the breach itself.” The ruling stemmed from a customer’s complaint that upon receiving damages from a breach case, the finance company involved placed his settlement in a closed account and entered incorrect information about him in their systems indicating his account was in arrears—which was shared with a credit scoring agency. The customer claimed the company had breached the terms of the district court order and asked the court for further damages, prompting the court’s ruling. [Out-law.com]

UK – Commissioner: Serious Breach Offenders Deserve Prison Time

UK Information Commissioner Christopher Graham says people who misuse personal information should face tougher penalties, including prison time, citing a recent case in which a community health manager took personal data from the health center to use for his own fitness company. The man e-mailed data on 2,471 patients to his personal account, and soon thereafter, patients approached by the man began to complain. The man was fined 3,000 GBPs and ordered to pay other legal costs. Graham said the government “must ensure that criminals do not see committing data theft as a victimless crime and worth the risk.” [Public Service]

EU – Garante Issues Fines Totaling 800,000 Euros

The Italian Data Protection Authority (Garante) has issued three orders of injunction against two IT companies—specialized in the data bank sector—and a telecom operator obliging them to pay fines equal to 800,000 euros for violating prescriptive measures already adopted toward them in 2008. “The two companies specialized in the data bank creation had created and sold data banks containing tens of millions of people’s personal data, without having both informed data subjects and acquired their consent,” explains Rocco Panetta. The companies will have to pay fines of 100,000 euros and 400,000 euros, respectively, and the telecom will pay a fine of 300,000 euros. Further orders of injunction are expected against other companies. [The Privacy Advisor]

EU – Facebook Appoints New Privacy Counsel, Gets OK from DPA

Irish Data Protection Commissioner Billy Hawkes says he’s satisfied with the work Facebook has done to meet a four-week deadline to comply with recommendations on improving user privacy. Had the company failed to comply, it would have faced fines of up to 100,000 euros. Following an audit by Hawkes’ office, the company had implemented changes to transparency and user controls, but a number of the office’s recommendations had not been met, prompting the four-week deadline. Facebook has also announced the appointment of a lead data protection and privacy counsel to its Dublin headquarters. [the Independent]

Filtering

UK – ISPs Block Two More Sites Accused of Enabling Piracy

To comply with a court order obtained by the Motion Picture Association (MPA), major UK ISPs have begun blocking two websites that have been accused of allowing downloads of pirated movies. There are now six sites for which industry groups have obtained court orders requiring blocks. The British Phonographic Industry (BPI) has named 25 sites it would like to see be blocked for aiding illegal downloads of popular music. [BBC] [CNET]

AU – Australian Government Shuts Down 1,200 Sites in Effort to Target Just One

In an attempt to block a website believed to be associated with a financial scam, the Australian government shut down 1,200 other sites that were unrelated to the targeted site except for the fact that they were hosted on the same IP address. Although the Australian government was not initially forthcoming with information about the source of the block request, it was finally revealed that the sites had been blocked at the request of the Australian Securities and Investments Commission (ASIC), the country’s financial regulator. The block was requested because the site was believed to be in violation of the Telecommunications Act 1997, which obliges service providers “to prevent telecommunications networks and facilities from being used in, or in relation to, the commission of offences against the laws of” Australia. All the other sites were affected because ASIC gave ISPs the IP address of the shared server on which the site was being hosted instead of the suspect site’s specific domain name. [Ars Technica] [SMH]

Finance

CH – Switzerland Eases Bank Privacy Law

Following requests by the U.S. government for information about potential tax cheats, the Swiss government has agreed to ease its privacy laws and allow banks to disclose information on U.S.-based clients to the Internal Revenue Service (IRS). Swiss banks will now be able to deliver client details to the IRS, along with any fines that might be appropriate, in exchange for amnesty from further U.S. indictments. In order for the agreement to proceed, the U.S. would have to ratify a new taxation treaty between the two countries. [The Boston Globe]

EU – EU Sets Deadline for Bank Data Sharing

“EU leaders have agreed that the automatic sharing of individuals’ bank account data, a key measure to prevent tax evasion, should become law across all member states by the end of the year.” The report references EU President Herman Van Rompuy’s comments at a press conference calling for “member states to complete adoption of regulation covering private savings aimed at ending bank secrecy.” The report follows comments by French President Francois Hollande noting EU countries will start working on an automatic exchange of tax information. [AAP]

WW – Privacy and Data Security: Why Should Investors Care?

As data increasingly becomes the lifeblood of many businesses, the ability to shield and protect that data from mismanagement, hackers and cyberespionage is not only “vital to consumers” but also “critical to investors in publicly held U.S. companies”. “We believe boards have a fiduciary and social responsibility to protect company assets,” they write, “including personal information.” Meanwhile, a new survey reveals that 31% of European businesses have experienced a cyberattack in the last year. Consero Group Founder and CEO Paul Mandell says, “Confidence in information security is likely diminished by the high level of publicity surrounding recent cyberattacks and will likely continue to decline before it gets better.” [The Guardian]

US – Tea Party Group Sues Tax Collectors for Privacy Breach

The NorCal Tea Party Patriots, a northern California-based advocacy group, sued the U.S. Internal Revenue Service for allegedly breaching its federal privacy rights and the rights of like-minded organizations. The IRS has acknowledged that employees in its Cincinnati office targeted for special review groups seeking tax-exempt status as social welfare organizations that were also advocates for limited government and free markets. President Barack Obama has called the conduct “outrageous.” Four congressional committees are reviewing the matter and acting IRS Commissioner Steven Miller resigned. “Under pain of denial of tax-exempt status, the IRS and its agents singled out groups like NorCal Tea Party Patriots for intensive and intrusive scrutiny,” the group alleged today in a complaint filed at the U.S. court in Cincinnati. It seeks group status for “all conservative and libertarian groups targeted for additional scrutiny” between March 2010 and May 2013, together with unspecified money damages for the alleged violation of their constitutional rights and costs of compliance with the unlawful demands. The case is NorCal Tea Party Patriots v. The Internal Revenue Service, 13-cv-00341, U.S. District Court, Southern District of Ohio (Cincinnati). [Source]

US – IRS Sued for Allegedly Stealing EHRs of 10 Million Individuals

A lawsuit filed in California alleges that the US Internal Revenue Service (IRS) violated the Health Insurance Portability and Accountability Act (HIPAA) when it seized electronic health records belonging to 10 million US citizens. The lawsuit, filed by an attorney on behalf of a corporate client identified as John Doe Co., alleges that when the 15 IRS agents raided the company in March 2011, they did not have a search warrant or a subpoena. The seized records include “information about treatment for any kind of medical condition, … and a wide range of medical matters covering the most intimate and private of concerns.” The seized data were in electronic format and were allegedly taken in connection with an investigation into “a tax matter involving a former employee of the company.” The lawsuit is seeking monetary damages as well as a court order requiring the IRS to return the records and remove them from their databases. [NextGov] [Actual Suit]

FOI

CA – Alberta Putting Raw Data Online for Study, Business

Who knew that compared with the rest of Canada, Alberta is a Y chromosome extravaganza, with 101 men for every 100 women? Or that there were six cases of mumps in 2012, that 19% of Alberta men say they binge drink, and that we share the road with more than 3,000 licensed drivers aged 90 or over? And that in Alberta, Big Tobacco isn’t giving up without a fight. In the past decade, the number of men who smoke has remained steady at 20%. The data is among the reams of charts, graphs and searchable tables launched by the Alberta government for intrepid researchers and entrepreneurs to either learn from or spin into commercial gold. Service Alberta Minister Manmeet Bhullar said the service is called the Open Data Portal. “It provides Albertans with a single access point for all publicly available provincial government data.” [Source]

Genetics

CA – Alberta Police Representatives Push For DNA Tests Upon Arrest

Along with fingerprinting and photographing, cops should also be able to swab suspected criminals’ cheeks for DNA as part of the routine booking procedure, police representatives in Alberta say. Armed with its “Legislative and Police Strategy Targeting Repeat and High Risk Offenders,” the Alberta Federation of Police Associations recently went before federal MPs to call for reforms in DNA collection, parole authorization and other areas of law enforcement. Chief among the items in the proposal is changing the point of DNA collection from the point of conviction — and subsequent court order — to the time of arrest. The thinking, according to newly elected federation director Paul Wozney, is to speed up potential solving of other cases, cut down on the “maze” of court procedures to obtain a warrant for DNA, and expand the list for when a cheek swab can occur to include any indictable offence. [Source] SEE ALSO: [The Art of Turning Discarded Chewing Gum Into Your Portrait]

Google

WW – Google Unveils Object-Recognition Feature

Google’s latest rollout is an object-recognition feature that has thus far flown under the radar. “Photo Search with Visual Recognition” allows users to search for an object on Google’s network and view all photos taken of that object by people in their Google+ circles, the report states. “Of course, the privacy-invading nature of social network ‘upgrades’ has now become such old news that the Google+ feature may go off without a hitch,” the report states, noting, however, that the feature does somewhat mitigate privacy concerns by only allowing searches within established circles. [The Huffington Post]

US – Congress Wants Answers on Google Glass

Eight members of Congress have sent Google CEO Larry Page a letter requesting answers on the privacy implications of Google Glass. “We are curious whether this new technology could infringe on the privacy of the average American,” said Rep. Joe Barton (R-TX), chairman of the bipartisan privacy caucus, on behalf of his colleagues. Google has until June 14 to respond to the inquiry, though a spokesman has written, “We are thinking very carefully about how we design Glass because new technology always raises new issues.” [National Journal]

Health / Medical

CA – HIMSS Analytics Report Finds Hospitals Facing Data Access Challenges

A new study titled “Streamlining Workflows and Access to Patient Data in Canadian Hospitals,” commissioned by Imprivata, specifies how EHR adoption can impact workflow efficiency and data access, and identifies single sign-on (SSO) technology as one of the solutions to streamline access to clinical systems and patient information. Several key barriers to enabling clinicians to seamlessly access patient data are identified in the study, including:

  • Lack of integration between electronic systems
  • Frequent inability to access information quickly
  • Privacy and security concerns. [Source]

US – Smartphone Tracker Gives Doctors Remote Viewing Powers

Ginger.io is a company spun out of the MIT Media Lab, whose app of the same name is in trials with hospitals across the country. The Ginger.io smartphone app logs all activity on a patient’s phone and transmits the data to the hospital, where it can be monitored. “Now,” says cofounder and CEO Anmol Madan, “the doctor or nurse can get a sense of the patient’s life and help as needed.” The app automatically notes changes in phone-use patterns and sends alerts when they are detected, which can keep patients who generally care for themselves at home from suffering dire consequences if they deviate from prescribed medication or therapy. [MIT Technology Review]

Horror Stories

US – Hacker Pleads Guilty, Faces 10 Years

A member of hacker group “Anonymous” has pleaded guilty to hacking a private intelligence firm and several websites. 28-year-old Jeremy Hammond has admitted to assisting in the December 2011 attack on Stratfor Global Intelligence Service as well as hacking the Arizona Department of Public Safety, the Boston Police Patrolmen’s Association, the FBI’s Virtual Academy and an Alabama sheriff’s office. He faces up to 10 years in prison. Hammond said he committed the acts, which gathered the credit card and other personal information of more than one million people, in the name of greater transparency because people “have a right to know what governments and corporations are doing behind closed doors.” [The Huffington Post]

UK – ISU to Pay $400,000 Breach Fine

The Department of Health and Human Services (HHS) has released a resolution agreement following Idaho State University’s (ISU) HIPAA violations dating back to August 2011. ISU will pay $400,000 in penalties for exposing data on 17,500 patients by disabling a firewall for at least 10 months, the report states. HHS found ISU committed violations including failing to conduct a risk analysis of the confidentiality of its electronic personal health records and failing to implement sufficient security measures to reduce risk. ISU has entered into a corrective action plan agreement with HHS. [Health IT Security]

US – Data Breach Puts DHS Employees at Risk of Identity Theft

The U.S. Department of Homeland Security (DHS) has revealed that a vulnerability in a vendor’s system may have exposed the Social Security numbers and dates of birth of tens of thousands of its employees. A DHS spokeswoman said the data was stored in the vendor’s database of background investigations and may have been accessible as far back as July 2009. Meanwhile, the Maine Attorney General’s Office has issued an alert to people who have purchased tickets through online service Vendini. According to the company, a server containing the names, addresses, e-mail addresses, credit card numbers and expiration dates of tens of thousands of people—including many Maine residents—was breached. [Federal News Radio] See also: [NZ: Stalling on privacy report fuels speculation]

US – Reporters Use Google, Find Breach, Get Branded as “Hackers”

Two telecoms are calling Scripps Howard News Service reporters hackers after the reporters discovered the personal data of some 170,000 users of a subsidized cell phone program online. The telecoms claim the reporters violated the Computer Fraud and Abuse Act by using sophisticated and “automated” means to uncover the records, but the reporters say they found the data through a Google search. The data included applications for the Federal Communications Commission’s (FCC) Lifeline program—which contained Social Security numbers—collected for telecoms YourTel and TerraCom by Vcare. FCC regulations bar telecom providers from retaining this data, but, according to the report, Vcare had the applications stored on its servers and posted to an open file-sharing area. [Ars Technica]

WW – Breach May Have Exposed 22M IDs

Yahoo Japan released a statement on Friday that a file with 22 million login names may have been exposed. “We don’t know if the file was leaked or not, but we can’t deny the possibility, given the volume of traffic between our server and external terminals,” the statement notes. The company has posted information related to the breach on its homepage and is contacting those affected, the report states, noting the unauthorized access was discovered on Thursday and could affect 10% of the company’s user base. [InformationWeek]

WW – First Return on Investment (ROI) Analysis for the Critical Security Controls

John Pescatore compares Idaho State University’s (ISU) projected cost of settling HIPAA violations with the US Department of Health and Human Services (HHS) to what it would have cost the university to implement security controls that could have (helped) protect its systems from breaches. The estimated cost to ISU, including the fine, the costs of managing the breach, and the implementation of a Corrective Action Plan is US $1 million over two years. Putting in place certain Critical Security Controls that would have detected the issue that exposed patient data would cost an estimated US $75,000. Even adding in extras like vulnerability assessments and monitoring would put the cost at US $500,000, equivalent to one year’s share of the above cost. [SANS]

US – Drupal Resets Passwords After Breach

Drupal.org has reset all account passwords after discovering that intruders had gained unauthorized access to information on its servers. The intrusion was made through unspecified third-party software on the organization’s servers. Nearly one million accounts are affected. [H-Online] [ZDNet] [Ars Technica] [ComputerWorld]

US – Reporters Who Discovered Unprotected Data Are Accused of Being Hackers

Two telecommunications companies are accusing reporters of hacking after the reporters uncovered a cache of personal data on a publicly accessible server. The Scripps reporters say they found the data, which include Social Security numbers (SSNs) and other personally identifiable information, through a Google search, but the companies maintain that the reporters accessed the data and in doing so, violated the Computer Fraud and Abuse Act. The reporters deny those allegations. The data, which were gathered by a third party company on behalf of the two telecommunications firms, were collected as supporting documentation for families seeking to qualify for the US Federal Communications Commission’s (FCC’s) Lifeline program, which helps low-income Americans obtain phone service. The program allows the telecoms to request the information but specifically says that it may not be retained. [Ars Technica] [SacBee] [NPR]

Identity Issues

US – Court: Best Buy’s ID Check Doesn’t Violate Privacy

A federal appeals court has determined that Best Buy’s driver’s license requirement for returning purchases does not contravene the Drivers’ Privacy Protection Act. The 11th Circuit Court of Appeals agreed with a Florida court ruling that tossed out a potential class-action lawsuit filed by Steven Siegler. The suit alleged the company’s practice of collecting and retaining driver’s license data during a purchase return is not a “normal course of business” use. [Bizjournals] See also: [Two-factor authentication: What you need to know (FAQ)]

WW – Twitter Launches Two-Factor Authentication

Twitter has introduced two-factor authentication for account access. Users who opt in to the feature provide Twitter with a mobile phone number, and whenever they want to log in to their accounts, they will be required to provide their regular passwords along with a verification code which will be sent to the specified phone. The introduction of this feature comes just weeks after several high-profile Twitter accounts were compromised and misused. [Ars Technica] [SC Magazine] [h-Online]

Intellectual Property

US – SIIA Releases Whitepaper on Balancing Innovation and Privacy

The Software and Information Industry Association (SIIA) on Monday released a whitepaper on balancing innovation with privacy in Big Data. In the paper, the SIIA cautions against over-legislation, recommending instead that companies take the initiative to build privacy into their Big Data policies. SIIA Senior Director David LeDuc says there are ways for companies to benefit from Big Data and still protect user privacy, adding that anonymizing consumer data as quickly as possible would be a good step. The SIIA and other industry groups would like to see policy-makers, consumer advocates and other stakeholders come together to create policy. [The Washington Post]

US – Commission Recommends Stronger Action to Protect Intellectual Property

The Commission on the Theft of American Intellectual Property, a private organization, has issued a report arguing that US companies should be permitted to act aggressively to prevent hackers from stealing their intellectual property. The report notes that “hundreds of billions of dollars” worth of US intellectual property (IP) is stolen each year, and estimates that China is responsible for 50 to 80 percent of international intellectual property theft. In addition, “the slow pace of legal remedies for IP infringement does not meet the needs of companies whose products have rapid product life and profit cycles.” The paper also makes a case for creating disincentives to IP theft by making it unprofitable. The report calls for laws to allow intellectual property owners to retrieve or “render inoperable” stolen IP. The process would be helped through increased “meta-tagging,” “beaconing,” and “watermarking,” technology that basically has a phone home effect, letting IP holders know when information has been stolen. [ComputerWorld] [SC Magazine] [ZDNet] [Forbes] AND [Text of Report] SEE ALSO: [Future in Review]

Internet / WWW

WW – Privacy Hampers Research Outcomes

Professors at the Massachusetts Institute of Technology say privacy remains a “big stumbling block” to effectively using Big Data. MIT’s Andrew Lo, Dimitris Bertsimas and Alex “Sandy” Pentland are building Big Data models to predict financial market shifts and crime and improve healthcare outcomes, the report states, but run into privacy issues when it comes time to analyze the data. There are also concerns about individuals being profiled based on Big Data findings. Meanwhile, Amsterdam’s ZyLAB has published a whitepaper warning IT decision-makers about “the dark side of Big Data.” [The Wall Street Journal]

Law Enforcement

US – Swire: FBI Initiative Threatens Secure Communications on the Internet

Recent moves by the FBI to persuade the Obama administration “to support major changes” to the Communications Assistance to Law Enforcement Act of 1994 (CALEA) have prompted a new report from the Center for Democracy & Technology and this latest Privacy Perspectives installment from Peter Swire, CIPP/US, who formerly served as chief counselor for privacy in the Office of Management and Budget under President Bill Clinton. The new changes could open up a range of risks and “harm cybersecurity.” [Source]

CA – Privacy Concerns Raised As U.S., Canada Share Data on Travellers

Canada and the U.S. have swapped biographic information on 756,000 cross-border travellers under a sweeping new effort to catch cheating entrants, according to a new border agency report. The flow of personal data between the countries has so far been limited to information about third-country nationals and permanent residents crossing at four major Canada-U.S. land border points. Next year, however, the bilateral exchange will expand to cover all travellers, including Canadian and American citizens, at all automated border crossings. The project is part of the 2011 Canada-U.S. Beyond the Border declaration and action plan. A chief concern among privacy advocates is minimizing the threat of personal information being used for secondary purposes unrelated to border security. [Source] See also: [Privacy complaint launched over CBSA reality TV show]

CA – Manitoba RCMP Members Watch Porn, Snoop on Spouses, Files Show

From snooping on spouses to downloading pornography, a number of RCMP members in Manitoba have been disciplined for abusing their time on duty and the resources available to them on the job. RCMP documents obtained by CBC News reveal the disciplinary actions taken against 10 members of Manitoba’s D Division between the beginning of 2010 and September 2012. The documents outline cases of members using police databases to keep tabs on girlfriends and ex-wives, using RCMP computers to download pornography, and providing civilians with the results of licence plate searches. The sanctions handed out range from a formal reprimand to a reprimand and the loss of 10 days’ pay, although some of the decisions noted that the members could have faced dismissal from the RCMP. [Source]

US – NYPD Detective Arrested for Allegedly Hacking eMail Accounts

US federal law enforcement agents have arrested a New York City Police Department (NYPD) detective for allegedly hiring a hacking service to break into more than 40 email accounts belonging to NYPD employees and other people. Edwin Vargas also allegedly paid the same group for gaining access to cell phone records. According to evidence gathered from a digital forensic review of Vargas’s hard drive, he had obtained access to three months of cellphone records for at least one individual. Vargas also accessed the National Crime Information Center (NCIC) database, which he was authorized to use as a law enforcement officer, but he allegedly accessed information outside the realm of his duties. [The Register] [Information Week] [FBI]

UK – Northamptonshire Police Officers Given Body Cameras

Twenty body cameras have been issued to police officers in Northamptonshire to record incidents for use as evidence in court cases. The cameras operate continuously with a 180-degree sweep and can record in darkness. The Northamptonshire Police and Crime Commissioner said they were valuable in bringing more convictions. Linda Lee, former president of the Law Society, said she was concerned the cameras could be a privacy intrusion. Ms Lee said that because they operated continuously the cameras would pick up a lot about people’s everyday lives, which could be an unwelcome intrusion. Mr Simmonds said that instead of officers having to record incidents on paper and trace witnesses, the court could see and hear the details of incidents in real time. [Source]

Location

WW – Apple Seeks Tracking Suit’s Dismissal

Apple has filed a motion for summary judgment in a privacy class-action lawsuit. The company argues the plaintiffs in the suit—which claims the company uses third-party iPhone applications to access and track users’ personal information—admit suffering “no harm whatsoever” and “still have no idea whether their personal information or location data was actually tracked.” The court dismissed the plaintiffs’ first complaint in September 2011 and dismissed all but two claims of an amended complaint in June 2012. A hearing in this case is set for November 7. [Courthouse News Service] SEE ALSO: [Opinion: Judge’s Phone Ruling Is “Ridiculous”]

Offshore

US – Government Wants Security Research on Car-To-Car Nets

David Strickland, Administrator of the USA’s National Highway Traffic Safety Administration (NHTSA), has told that nation’s Senate Committee on Commerce, Science, and Transportation that he plans to research the security requirements of automated cars and vehicle-to-vehicle (V2V) networks. Strickland appeared before the committee this week and gaped with appropriate metaphorical awe at the likes of Google’s self-driving vehicles and V2V network proposals that would see one car radio another to tell it when heavy braking is required. Such systems, Strickland said, could “potentially address about 80 percent of crashes involving non-impaired drivers once the entire vehicle fleet is equipped with V2V technology.” He’s also worried about what he called “vehicle cybersecurity”, because he believes more technology in cars creates “growing potential for remotely compromising vehicle security through software and the increased onboard communications services”. NHTSA has asked for an extra $US2m to research the problem, with the aim of “developing a preliminary baseline set of threats and how those threats could be addressed in the vehicle environment”. Standards for car-makers are also on the agenda. [Source]

Online Privacy

NZ – Commish: School Sites Lack Data-Use Info

After sweeping a number of websites as part of the Global Privacy Enforcement Network, New Zealand Privacy Commissioner Marie Shroff has announced that many schools and some popular children’s websites “show there is often no information given to users about how their personal information collected via the site will be used and shared.” According to a press release, “We found that in a selection of the larger New Zealand schools’ websites we looked at, very few had any sort of policy at all.” In contrast, many children’s gaming websites had privacy policies that “were usually extremely detailed and lengthy, and the references were often to U.S. or European law.” [Media Release]

US – Website Shows Just How Private Snapchat Really Is

If recent stories showing the permanence of Snapchat’s supposedly ephemeral photo sharing didn’t convince you, perhaps the launch of the new SnapchatLeaked.com will. The startup website allows users to upload photos that have been sent to them, despite the senders’ assumption that they would be deleted after only 10 seconds of viewing. While the site covers up “naughty bits” and doesn’t display a Snapchat ID, there is still some speculation as to whether the site will lead to lawsuits. “All images are user-submitted,” the site’s creators told UK tabloid Metro, “if the person asks to take them down, we do. Most see it as fun and getting ‘Facebook famous’.” [Beta Beat]

WW – Facebook Joins Advocacy Group

Facebook announced on Wednesday that it has joined the online privacy and freedom advocacy group Global Network Initiative (GNI). The affiliation may help to show users that Facebook is taking privacy concerns seriously and also help it navigate expansion in developing countries, the report states. GNI provides guidance on protecting online privacy against government intrusions and reviews members’ practices to ensure they are in line with GNI’s goals. Meanwhile, Facebook CEO Mark Zuckerberg was in Poland on Wednesday meeting with Polish Minister for Administrative Affairs and Digitisation Michal Boni about the global significance of the Polish IT industry. [The Wall Street Journal]

WW – Firefox Cookie Blocking By Default on Pause

Mozilla has postponed default cookie-blocking in its Beta version of Firefox 22 “to collect and analyze data on the effect of blocking some third-party cookies.” The default setting has been criticized by the online advertisement industry. The nonprofit is currently testing a patch created by Jonathan Mayer. In a blog post, Mozilla Chief Technology Officer Brendan Eich wrote, “Our next engineering task is to add privacy-preserving code to measure how the patch affects real websites,” adding, “We will also ask some of our Aurora and Beta users to opt in to a study with deeper data collection.” [PC World]

WW – Future Version of Firefox Will Block Mixed Active Content by Default

A future stable version of Firefox will block mixed active content by default. Firefox 23 Aurora is scheduled for stable release in about three months. Mixed active content is described as an HTTPS secured website that loads some HTTP content, which can make the site vulnerable to a variety of attacks. Users will have the option of disabling the content blocker on a site-by-site basis. [CNET] [Mozilla] [interesting article on the security implications of HTTP/HTTPS mixer-uppers]

EU – German Commission Calls Out Xbox One Privacy Issues

Not all are pleased with the technology behind Microsoft’s upcoming platform, the Xbox One. Speaking with news site Spiegel, Germany’s federal data protection commissioner Peter Schaar likened the next-generation console to a “monitoring device.” “The Xbox continuously records all sorts of personal information about me. Reaction rates, my learning or emotional states. [These] are then processed on an external server, and possibly even passed on to third parties,” Schaar said. “Whether it be deleted ever, the person concerned cannot influence.” Privacy concerns surrounding the Xbox One were brought up immediately after Microsoft revealed that the system’s built-in Kinect features an always-on standby mode that can react to users even when it is “off.” [Source]

Other Jurisdictions

AU – Gov’t Introducing Breach Notification Bill

Privacy Commissioner Timothy Pilgrim has voiced support for mandatory breach legislation. Attorney-General Mark Dreyfus has announced the government will introduce legislation to take effect in March that will require companies to disclose data breaches. The legislation, which the Australia Law Reform Commission has been proposing since 2008, will “require notification of serious data breaches that will result in a real risk of serious harm,” a Gizmodo report states, noting Dreyfus used the announcement of the legislation as an opportunity to chastise organizations for recent data breaches. As current legislation does not require companies to disclose breaches, the report questions “the data breaches we haven’t heard about over the last decade.” [CSO] See also: [Global tech giants to face Aussie privacy hurdles]

AU – Privacy Laws Stop Cops Tracking Refugees

Privacy restrictions are preventing police being told where asylum seekers are living in the community. The Immigration Department has told a parliamentary committee that “due to privacy reasons”, police were not told where boat arrivals on bridging visas are. More than 10,000 asylum seekers who have been released have had initial security checks, but are yet to undergo screening by ASIO. Police have been called to asylum seeker housing five times over assaults from November 2011 to December last year. Four asylum seekers living in the community have since absconded and are yet to be found. [Source]

RU – Russia Ratifies Commitment to Convention 108

On May 15, Russia ratified a treaty to join Convention 108—the “Convention for the protection of individuals with regard to Automatic Processing of Personal Data.” Council of Europe Secretary General Thorbjørn Jagland said he received Russia’s accession from Permanent Representative and Ambassador of the Russian Federation to the Council Alexander Alekseev. The treaty will enter into force on September 1. Russia will become the 46th state to join Convention 108. [NewEurope]

Privacy (US)

US – Consumer Groups Worry U.S.-EU Trade Pact Will Weaken Privacy Regulations

Reuters reports on developments regarding the Transatlantic Trade and Investment Partnership (TTIP), a proposed free-trade agreement between the EU and U.S. Consumer groups have called language in the agreement a “backdoor way” for U.S. businesses to sidestep EU data protection law. Roughly 60 supporters and opponents of the agreement will address a panel convened by the Trade Representative’s office to discuss TTIP this week. [Source] [See also Trade Law and Privacy Law Come Together]

US – Schnucks: Class-Action Suit Should Be Federal

Schnucks Markets claims a potential class-action lawsuit filed against it in an Illinois state court belongs in federal court because of the case’s scope and damages involved. The St. Louis-based grocer has filed a motion for removal. The motion notes the damages the plaintiffs claim exceed the $5 million threshold for a federal case and that the number of people involved in the claim, from various states, means the case should be federal. Schnucks announced a breach earlier this year resulting in the exposure of 2.4 million credit and debit cards. The lawsuit claims the store was negligent and didn’t inform those affected quickly enough. [Computerworld] See also: [US: As Data Breaches Rise, AGs Emerge As Primary Enforcers]

US – FTC Asks Judge to Reject Wyndham Hotels’ Motion to Dismiss Complaint

The US Federal Trade Commission (FTC) has filed documents asking a US District Court to toss out Wyndham Hotels’ motion to dismiss an FTC complaint against the company after it suffered a number of data security breaches. Wyndham argued that the FTC is exceeding its authority because it is trying to make cybersecurity issues into consumer protection issues, saying the FTC “wants to turn a statute designed to protect consumers from unscrupulous businessmen into a tool to punish businesses victimized by criminals.” But court documents say “the FTC is not suing Wyndham for the fact that it was hacked, it is suing Wyndham for mishandling consumers’ information such that hackers were able to steal it.” The case is significant because “in the absence of comprehensive cybersecurity legislation … the only effective method for cybersecurity regulation by the government is to use the FTC’s enforcement authority.” [SC Magazine] [Lawfareblog]

US – FTC Sends Biz COPPA Education Letters

In light of upcoming rule changes to COPPA and recent pushback from industry, the FTC has issued more than 90 letters to app developers. The letters were sent to companies whose online services “appear” to collect personal information from children under the age of 13. “While the letters do not reflect an official evaluation of the companies’ practices by the FTC, they are designed to help businesses come into compliance” with the impending changes, an FTC press release states. Meanwhile, The Washington Post reports on comments made by Center for Digital Democracy’s Joy Spencer, who said, “Facebook is not doing enough to ensure children under 13 don’t have access to the site,” adding, “That raises a number of concerns about safety and because Instagram then is able to collect personally identifiable information on children, which can be used to target ads toward them in the future.” [FTC Press Release]

US – Privacy Organization Files FTC Complaint Against Snapchat

It’s recently surfaced that Snapchat photos and videos are stored somewhere on your phone and can be retrieved with a few tools. Snapchat hasn’t responded with a fix yet, and this has landed the app in hot water with the Federal Trade Commission. Way back when Snapchat was first launched, Buzzfeed discovered a loophole that allowed cached Snapchat videos to be rewatched on an iOS browser like iFunBox. The Electronic Privacy Information Center has been keeping a watchful eye on Snapchat, and the most recent evidence of Snapchat retrieval has proven reason enough for the privacy organization to strike. Photographer Nick Keck told us he used iFile, an iOS browser, to dig up saved Snapchat videos. Photos can’t be retrieved as we reported earlier since photos aren’t cached. EPIC says Snapchat led users to believe their images and videos would “disappear forever.” But in the complaint that EPIC filed with the FTC, the group says the company used “unfair and deceptive acts and practices.” [Source]

US – Does “Neighbors” Photo Exhibit Violate Privacy?

Photographs taken by a New York City artist have residents infuriated. “In one photo, a woman is on all fours, presumably picking something up, her posterior pressed against a glass window. Another photo shows a couple in bathrobes, their feet touching beneath a table. And there is one of a man, in jeans and a T-shirt, lying on his side as he takes a nap,” the report states, noting the photos were taken through their windows by Arne Svenson from his nearby apartment. Although their faces are not shown, the residents “had no idea they were being photographed, and they never consented to being subjects,” raising questions of whether any privacy law has been violated. [The Associated Press]

US – Feds Tracked Reporter’s Movements, Personal E-Mail

In an effort to unmask a leaker who fed a reporter classified information about North Korea, FBI investigators tracked the journalist’s movements in and out of a government building, obtained copies of e-mails from his personal account and also took the unprecedented step of alleging that the reporter engaged in a criminal conspiracy simply for doing his job. Investigators tracked the reporter’s movement using security badge access records as he left and returned to the State Department’s headquarters in Washington, DC, and also obtained two days’ worth of e-mail correspondence from his Gmail account. “Never in the history of the Espionage Act has the government accused a reporter of violating the law for urging a source to disclose information,” Ben Wizner, director of the ACLU’s Speech, Privacy and Technology Project said in a statement. “This is a dangerous precedent that threatens to criminalize routine investigative journalism.” The revelations come in an affidavit filed in an investigation against a State Department security adviser who is accused of leaking classified information to Rosen. [Source]

US – Bloomberg Appoints Privacy Czar

In light of revelations that some of Bloomberg’s journalists were using private client data for reporting, the company has announced it has hired former IBM CEO Samuel Palmisano “to serve as an independent advisor regarding the company’s privacy and data standards.” According to Bloomberg’s press release, Palmisano “will immediately undertake a review of the company’s current practices and policies for client data and end-user information, including a review of access issues recently raised by the company’s clients.” Palmisano will report directly to the Board of Directors and will be assisted by representatives from Hogan Lovells and Promontory Financial Group. [Forbes]

US – Harvard College Dean Who Authorized eMail Searches Stepping Down

The Harvard College dean who authorized secret searches of residential deans’ email messages will step down this summer. Evelynn M. Hammonds acknowledged that she authorized the searches, which were aimed at identifying the source of an information leak about a cheating scandal that emerged at the school in 2012. Hammonds and other administrators maintained that automated searches were made only of email subject lines to determine who had shared a confidential message with someone at the Harvard Crimson newspaper, and that the searches were conducted in an effort to protect the privacy of the students involved in the cheating scandal. The administrators also acknowledged that it was a mistake not to notify the deans of the search either before or after the fact. [ComputerWorld] [CNN]

US – California’s Mobile App Privacy Law Test Case Unsuccessful

A California Superior Court judge has dismissed a lawsuit brought against Delta Air Lines for allegedly failing to comply with state laws regarding mobile application privacy. The lawsuit, filed by California Attorney General Kamala Harris, alleged that Delta had violated California’s Online Privacy Protection Act because it did not disclose how its Fly Delta smartphone app collected and used customer data. Delta argued that the state law is superseded by the Federal Airline Deregulation Act, which says that states may not enforce laws that affect airlines’ fares, routes, or services. Delta maintained that its mobile app was a service and Judge Marla Miller agreed. [ComputerWorld]

Privacy Enhancing Technologies (PETs)

WW – New ‘Clueful’ App Scans Android Phones for Privacy Leaks

Anti-virus firm Bitdefender launched Clueful, a free Android app that tells you how much other Android apps invade your privacy. Clueful quickly scans your phone to see which apps are installed, and then gives you an overall privacy score ranging from a low of 1 to a high of 100. Clueful categorizes individual apps into high-, moderate- and low-risk categories, with high scorers being those apps that “are viruses,” “send your identity to strangers” and “use very intrusive ads.” Moderate risk apps “send your private data to strangers,” such as popular games like “Angry Birds.” Other apps have the ability to read or intercept SMS messages, including Amazon, USA Today and IMDb; the same number might read contacts. Meanwhile, a whopping 42 apps had the ability to track location, including the game “Fruit Ninja.” Clueful is available for installation from the Google Play app store. [Source]

WW – Web-Security Firm Acquires Web-Privacy Firm

Web-security firm AVG has purchased web-privacy firm PrivacyChoice. PrivacyChoice offers a browser extension that analyzes a user’s web activity and indicates their exposed personal information. “Since founding, our mission has been to deliver more effective and more informed choices about how your data is collected, used and shared,” said PrivacyChoice founder Jim Brock. “We saw strong synergies between our approach and the efforts AVG continues to make in empowering people when it comes to their online privacy.” [Venturebeat]

RFID

WW – Chips Pose ID Theft and Privacy Concerns

Identity theft targeting travelers, stemming from access to RFID chips in passports and credit cards, is rising. Criminals can also access personal data from smartphones via WiFi networks. To help curb such attacks, some luggage companies are inserting RFID-blocking compartments in luggage. Meanwhile, Bruce Schneier, a security expert, writes about the rise of the Internet of Things and surveillance in his latest blog post, noting that “any illusion of privacy we maintain” is “about to get worse.” [The Washington Post]

Security

UK – Smart Meters Need to Be Harder To Hack, Experts Say

By the year 2020 about 30 million British homes will have digital smart meters monitoring their gas and electricity usage, according to government plans. The scheme promises to reduce costs as in-house monitors will make energy consumption more visible and therefore controllable, and will remove the need for estimated bills. However, this month the roll-out was delayed by the Department of Energy and Climate Change for more than a year as the government admitted more tests were still needed. One big issue for information security experts is the safety of the data collected by the meters and transferred back to the utility companies. While there are many different brands of meter, the communications hubs which transmit this information often use the mobile data network via a SIM card. “There are two main ways of hacking the meters – through the mobile network they use to communicate, or through hardware hacking – opening the meter up, tampering, altering the firmware or removing the cryptographic keys.” [Source] See also: [AU: Hacking: Chinese spies steal ASIO blueprints]

US – Electric Grid Under Continuous Attack

Computer systems at utility companies that make up the US electric grid are under attack daily, according to a Congressional report. Two legislators sent questionnaires to more than 150 companies and received 112 responses. Just 53 of those actually answered the questions, while the rest provided partial responses or information that did not directly answer the questions. More than a dozen of the responses said their systems were under “daily,” “constant,” or “frequent” attacks. One company reported it experienced 10,000 attempted attacks a month. None of the companies noted that the attacks had damaged their systems. The report, “Electric Grid Vulnerability: Industry Responses Reveal Security Gaps,” looks at threats from both hackers and from natural occurrences. The report strongly urges Congress “to provide a federal entity with the necessary authority to ensure that the grid is protected from potential cyber-attacks and geomagnetic storms.” [Ars Technica] [CNET] [ComputerWorld]

US – Report Says Chinese Hackers Accessed US Weapons Systems Designs

According to a confidential report from the Defense Science Board, Chinese hackers gained access to designs for advanced US weapons systems. The confidential report, which was prepared for the Pentagon, did not specify whether the data were accessed through government networks or through contractor networks. According to the report, DOD “is not prepared to defend against this threat. With present capabilities and technology, it is not possible to defend with confidence against the most sophisticated cyber attacks.” An unnamed senior military official told the Washington Post that “in many cases, they don’t know they’ve been hacked until the FBI comes knocking on their door.” [Washington Post] [Reuters] [CNET] [REPORT] See also: [Clearwire Will Shed Huawei Hardware]

US – Iranian Hackers Targeting US Companies’ Industrial Control Systems

US officials say that hackers operating on behalf of the Iranian government are targeting industrial control systems at US energy companies in an attempt to damage the country’s critical infrastructure. Thus far, the attacks have focused on gathering intelligence about how the systems operate. Some US officials have posited that Stuxnet, the sophisticated malware attack that targeted centrifuges at an Iranian nuclear facility in 2010, pushed Iran to develop stronger cyberattack capabilities and to retaliate. [The Register] [eWeek] See also: [Syrian Electronic Army Hacked Sky’s Twitter and Android Apps] and: [Australian Official Will Not Confirm Reports of Cyberespionage]

US – Chinese Hackers Accessed Google’s Surveillance Database

The Chinese hackers who broke into Google servers in 2009 and 2010 were able to gain access to Google’s database of surveillance orders from the US government. The information was likely sought to determine which Chinese intelligence operatives in the US were under surveillance by law enforcement agencies there. A Microsoft official recently hinted that Microsoft suffered an intrusion at about the same time, and that the attackers appeared to be searching for information about accounts for which the US government had legal wiretap orders. [Washington Post] and [Chinese Hackers Resume Attacks on US Organizations : Source | Source | Source]

WW – Software Security Standards Gaining Traction 

At a conference earlier this week, Microsoft announced its support for ISO 27034, an international standard that lays out processes and practices for secure software development. On the same day at the same conference, the Software Assurance Forum for Excellence in Code (SAFECode), an organization that promotes secure software development practices, announced the availability of free training modules on secure coding practice for developers. The first portion of the International Organization for Standardization’s (ISO’s) secure programming techniques document, 27034-1, was released in November 2011. It describes elements of a secure development process, which is useful information for both developers and consumers. [eWeek]

Surveillance

US – AG Tells Senate to Get Warrants to Access Stored Cloud Content

US Attorney General Eric Holder told the House Judiciary Committee that he supports requiring that the government obtain a probable-cause warrant to access email and other cloud-stored content. In April, the committee approved proposed legislation that would alter a portion of the 1986 Electronic Communications Privacy Act (ECPA) allowing law enforcement to access content stored in the cloud, unopened, for more than 180 days. [WIRED] [ZDNet]

Telecom / TV

US – Cell Phone Users ‘Have No Legitimate Expectation of Privacy’ – Judge

A federal judge recently ruled that if someone has their cell phone turned on, their location data does not deserve protection under the Fourth Amendment, meaning law enforcement can track individuals without a search warrant. New York magistrate judge Gary Brown decided in favor of Drug Enforcement Administration (DEA) agents who were seeking his approval over a warrant on a doctor who they suspected was being paid for issuing thousands of prescriptions. The warrant would have compelled the physician’s phone company to provide real-time tracking data from his cell. Brown, certainly to the delight of police, issued a 30-page brief outlining his opinion that, by carrying a cell phone, someone is essentially waiving their Fourth Amendment right to due process. “Given the ubiquity and celebrity of geolocation technologies, an individual has no legitimate expectation of privacy in the prospective of a cellular telephone where that individual has failed to protect his privacy by taking the simple expedient of powering it off,” Brown wrote. “As to control by the user, all of the known tracking technologies may be defeated by merely turning off the phone. Indeed – excluding apathy or inattention – the only reason that users leave cell phones turned on is so that the device can be located to receive calls. Conversely, individuals who do not want to be disturbed by unwanted telephone calls at a particular time or place simply turn their phones off, knowing that they cannot be located.” He goes on to suggest that because there are smartphone applications available that allow users to locate people in their area with similar interests, cell phone customers should not expect their inherent right to privacy to be observed. The American Civil Liberties Union (ACLU) has long been a voice for the American people against governmental overreach and technological surveillance. 
Chris Soghoian, a principal technologist and senior policy analyst at the ACLU, wrote that Brown’s opinion was “ridiculous.” “There is a big difference between location information you knowingly share with a select group of friends (or, in fact, the world) and information collected about you without your knowledge or consent,” he wrote. [Source]

US – NAI Working On New Mobile Privacy Rules

The Network Advertising Initiative (NAI) is moving forward with plans to eventually issue a set of mobile privacy rules. A draft version is being circulated among members to help provide a code of conduct for data collected from mobile apps. The draft rules cover behavioral targeting and are expected to be finalized by next month, NAI Executive Director Marc Groman, CIPP/US, has said. The rules would require participating companies to provide consumers with an opt-out for behavioral targeting ads but would allow ad networks to continue to collect “non-personally identifiable” data for certain purposes, such as analytics, ad optimization and frequency capping. [MediaPost News]

EU – SAP Touts Service That Sells Customer Data from Phone Firms

European software firm SAP has announced a new service that will pull data from its “extensive partner network”—which includes “over 990 mobile operators”—collect and analyze it “without drilling down into user-specific information,” and disclose the results to subscribers via web portal. SAP said of its Consumer Insight 365 mobile service that “this market intelligence will ultimately allow brands to strengthen relationships with consumers through more targeted and context-specific marketing efforts.” The Wall Street Journal reports on the potential privacy concerns from a service that will “broaden the range of data about individuals’ habits and movements that law enforcement could subpoena.” [CNET News]

US Government Programs

US – Border Data-Sharing Plan to Expand

Privacy advocates have expressed concerns over data sharing between the U.S. and Canada. Since the 2011 Canada-U.S. Beyond the Border action plan, the two countries have shared biometric data on 756,000 border crossers considered third-country nationals and permanent residents. Next year, the data shared will expand to include all travelers. Advocates are concerned the data could be used for secondary purposes. “We have provided questions to Canada Border Services Agency seeking information on how personal information collected may be used and by what other federal organizations and for what possible secondary uses outside of monitoring travel and immigration,” said a spokesman for Canada’s privacy commissioner. [Postmedia News]

US – GSA Seeks Comments on Cybersecurity Standards and Purchasing

The US General Services Administration (GSA) and the Pentagon have issued a request for information seeking input from industry on how best to incorporate cybersecurity standards into government purchasing requirements. Some ideas GSA and DOD are considering include establishing an accreditation program and allowing certain acquisitions to be exempt from cybersecurity standards. The goal is to protect government systems while not impeding market entry for potential new contractors. Comments will be accepted through June 12. [Washington Post] [Federal Register]

US – Vendors Want Cybersecurity Rule Freeze Until Standards are Issued

Federal contractors are asking the US General Services Administration (GSA) to temporarily suspend cybersecurity rulemaking until the government issues national guidelines later this year. The specific regulations may be “well intentioned” but there is concern that rules created now might conflict with the standards that are expected by November. [NextGov]

US Legislation

US – Bill Would Require Feds to Obtain Warrant to Seize Phone Records

Four US legislators have introduced a bill that would require federal agencies to obtain a court order prior to obtaining phone records. The proposed legislation follows close on the heels of the disclosure that federal investigators obtained phone records of Associated Press (AP) journalists with just a subpoena. The Telephone Records Act, as currently written, allows federal agents to obtain records from service providers with an administrative subpoena to discover basic subscriber information, such as name, address, payment card number, and phone records. The proposed legislation, The Telephone Records Protection Act, protects all Americans’ phone records from being seized by federal agencies without a warrant. Federal agents would need to obtain judicial review before gaining access to those data, and they would have to provide “specific and articulable facts [that prove the requested data are] relevant and material to an ongoing criminal investigation.” The US Justice Department has been roundly criticized for the AP incident, in which they obtained phone records for 20 lines, some of which were the work and home numbers of AP reporters. DOJ maintained that it was following procedure when it issued a subpoena for the information. [WIRED]

US – Senator Introduces Bill to Bolster Fourth Amendment Rights

Sen. Rand Paul (R-KY) has introduced a bill aiming to ensure adequate Fourth Amendment rights when it comes to electronic communications. “The Fourth Amendment Preservation and Protection Act of 2013” requires specific warrants granted by judges for law enforcement to obtain electronic communications data. “In today’s high-tech world, we must ensure that all forms of communication are protected. Yet government has eroded protecting the Fourth Amendment over the past few decades, especially when applied to electronic communications and third-party providers,” Paul said. [Source]

US – Maine Cellphone Bill Could Be Nation’s First

The Maine legislature is set to pass what would be a first-in-the-nation bill requiring law enforcement to obtain a warrant prior to accessing an individual’s cellphone location history. Following last week’s vote by the Senate, the House voted 113-28 on Wednesday in favor of the bill. If passed, the bill would require the warrants with exceptions for emergencies such as bodily harm and would require police to notify individuals within three days that their data has been accessed. LD 415 now goes back to the Senate for enactment. [The Portland Press Herald]

US – Texas Likely to Enact Nation’s Strongest E-Mail Privacy Law

After unanimously passing both houses of the Texas state legislature, HB 2268 has landed on Gov. Rick Perry’s desk for enactment. If signed, Texas would host the nation’s strongest e-mail privacy bill. The proposed bill would require state law enforcement to obtain a warrant prior to accessing any e-mails, regardless of age of the electronic documents. Though the bill would give residents protections from state-level snooping, the bill would not prevent federal investigations. Perry has until June 16 to sign or veto the bill. If he does neither, the bill would automatically go into effect on September 1, the report states. [Ars Technica]

US – Washington Passes Password-Protection Bill

Washington’s governor has signed a law prohibiting employers from asking potential employees for passwords to social media accounts. The bill was sponsored by state Sen. Steve Hobbs (D-Lake Stevens), who said he was pleased the bill passed. “Privacy shouldn’t be a thing of the past that we are forced to sacrifice every time technology moves forward,” he said. Maryland, Illinois, California, Michigan, Utah, New Mexico, Arkansas, Colorado and New Jersey have similar laws. [Associated Press]

US – State Legislative Roundup

Over the past two weeks, several states have enacted or initiated privacy legislation. California has moved forward on a security breach notification law, and Maine has considered a 911 privacy bill. Topping state legislative action, however, are social media privacy laws. From Utah to New Jersey, states are clamping down on the employer practice of requiring employees and applicants to disclose social media passwords. In this roundup, we take a look at these initiatives and some concerns that these social media laws could conflict with the Financial Industry Regulatory Authority. [The Privacy Advisor] See also: [US: NetChoice: California privacy bills are bad for Internet]

Workplace Privacy

EU – Schaar: Busting Employees Online Is Illegal

German Federal Data Protection Commissioner Peter Schaar says job centers that search online for employees abusing unemployment benefits are breaking the law. “Job center employees are under no circumstances allowed to log into social networks or even under false pretenses become online friends with people in order to gain access to their data,” Schaar told a magazine. The report states that a center can turn to the Internet only if someone receiving unemployment benefits “is uncooperative and refuses to give out relevant data”—and, even then, the employee must be notified of the data collection, Schaar added. [The Local]

US – Survey Reveals Employees Not Concerned About Privacy on the Job

91% Accept and Welcome Computer Monitoring During Work Hours: In addition to revealing changing attitudes among U.S. employees when it comes to privacy and the workplace, the survey also showed that employees’ non-work-related computer activities are costing businesses millions of dollars in lost productivity annually, e.g.:

  • 100-employee businesses have productivity losses of 13,750 hours annually, equivalent to paying seven full time employees to do nothing all year
  • 1,000-employee businesses have productivity losses of 137,500 hours annually, equivalent to paying 69 employees to do nothing all year
  • 5,000-employee businesses have productivity losses of 687,500 hours annually, equivalent to paying 344 employees to do nothing all year

SpectorSoft has produced an infographic showing the key findings from the survey:

  • 75% of employees accept that employers may monitor their computer activities.
  • 16% of employees are “glad” their employers monitor their computer activities.
  • 9% of employees were “mad” about being monitored during working hours.
  • 49% of employees said their employers monitored their computer activities.
  • 69% of employers that have Internet Acceptable Use Policies (IAUP) monitor employees.
  • 15% of employers that do not have IAUPs monitor employees’ activities.

“This survey reveals that businesses desiring to strengthen security, improve efficiency and stop bleeding millions in lost productivity need to find ways to control employees’ use of corporate computing resources during work hours,” said Nick Cavalancia, vice president at SpectorSoft. [Wall Street Journal] See also: [AB: Release of truck driver’s work history violated privacy laws, watchdog says] and [Karen Selick: Get the picketers off my porch]

+++

01-15 May 2013

Biometrics

US – Biometric Database of All Adult Americans Hidden in Immigration Reform

Immigration reform being debated in the Senate Judiciary Committee could eventually result in “a ubiquitous national identification system.” The proposed legislation includes a mandate to create a database of names, ages, Social Security numbers and photographs “of everyone in the country with a driver’s license or other state-issued photo ID,” to be maintained by the Department of Homeland Security. The ACLU has raised concerns, and David Bier of the Competitive Enterprise Institute said, “The most worrying aspect is that this creates a principle of permission basically to do certain activities and it can be used to restrict activities. It’s like a national ID system without the card.” [WIRED]

Canada

US – OPC Survey and Demise of Data Farm Deal Highlight Privacy Issues

A deal has ended that would have resulted in a Facebook “data farm…full of high-powered servers necessary to store information from billions of users worldwide” being built in Manitoba. Facebook considered the province due to such factors as land prices and renewable energy but ultimately “cited concerns about Canadian privacy laws in making its decision to pull out of Manitoba,” the report states. In other news, an Office of the Privacy Commissioner survey indicates, “Privacy concerns are driving Canadians away from smartphone apps and online services,” SC Magazine reports. [Winnipeg Free Press] SEE ALSO: [NDP call for broader probe into data breaches, identity fraud]

CA – Alberta Privacy Commissioner Says Children First Act Threatens Privacy

Alberta’s proposed Children First Act will erode privacy rights and undermine Albertans’ control over their own health and personal information, privacy commissioner Jill Clayton says. Alberta’s Information and Privacy Commissioner criticized the sweeping new law, saying the government hasn’t done enough to make sure those subject to the act — mainly at-risk children and their families – will have their privacy protected. The proposed new legislation allows those who work with at-risk children to talk to one another about the people they serve; those on the list include child welfare workers, police, teachers and foster parents, among others. These front-line workers have consistently said rules that restrict them from sharing information make it harder to do what is right for kids in care. Clayton said she recognizes the need to share information but remains concerned about the privacy implications of the bill, known as Bill 25. [Source]

CA – New Institute Designed To Turn Alberta Research Into Commerce

A new institute that will help colleges and universities commercialize their research in partnership with private companies and other agencies is underway, Advanced Education Minister Thomas Lukaszuk says. The institute, as yet unnamed, will be open to researchers and students from any campus in Alberta, and serve as a major vehicle for diversifying the economy. It should eventually generate a stream of royalties for campuses and businesses, Lukaszuk said. In 2010, the province closed the Alberta Research Council and an Alberta Heritage Foundation for Medical Research program funding scientists, two agencies at arm’s length from government with independent boards. In their place, the Stelmach government set up the four Alberta Innovates agencies inside Advanced Education, with budgets of $20 million to $70 million each to fund short-term, applied research projects geared to priorities set out by government. Those reforms caused concern and consternation in the research community. [Source]

Consumer

US – Man Takes On Data Miners by Selling Personal Information via Kickstarter

If pieces of information about our online habits are worth billions to marketers each year, should consumers be getting a piece of the pie? Zannier’s “A Bite of Me” project sets out to find the answer – or at the very least, to get more people thinking about the big data industry, online tracking, and how the internet works. For the past three months, the Brooklyn-based electrical engineer and student has been tracking his every online activity using “spy software” similar to what’s sometimes used by professional data miners. The project started as part of his thesis at NYU’s Interactive Telecommunication Program, where Zannier translated the information into stunning data visualizations. Eventually, he decided to sell it via Kickstarter to raise both funds and awareness. Now, for just $2, anyone can buy a single day’s worth of his personal data. The package includes a log of every website Zannier visited that day, the applications he used, an image of his face looking at the computer taken every 30 seconds by a webcam, screenshots of what he was seeing onscreen, the position of his mouse pointer, and even his GPS locations throughout the day. For $200, you can buy the entire 7GB data archive along with a suite of tools (over 50 bash, python and R scripts are included) to help analyze the data and potentially create impressive data visualizations like the ones Zannier provides on Kickstarter and his own website. So far, 103 people have backed the project, netting him more than twice his original funding goal with 22 days still to go. [Source]

WW – Preteens’ Use of Instagram Creates Privacy Issue, Child Advocates Say

The photo-sharing service Instagram, the mobile app owned by Facebook, is seeing tremendous growth, doubling in size to 100 million users in about a year. But child advocates and some parents say too much of its rise has been driven by preteens or even younger kids. These advocates say they worry about whether Instagram is collecting the personal information of young children — and whether the company is doing enough to make sure kids are safe from adult strangers. Over the past two weeks, more than 4,500 people signed a petition on Change.org that calls for Facebook to automatically set the accounts of children and teens to private. It also asks the company to disable GPS technology that can pinpoint where children take photos. [Source]

E-Government

US – Obama to Agencies: Make Data More Public

President Barack Obama has “directed agencies to make their data easy to find and use by the public,” as agencies increasingly face requests and pressure to release government data to the public. The Office of Management and Budget has issued an open data policy requiring agencies to meet goals on improving data gathering, management and sharing. Agencies must create updated data set inventories, provide public listings of all public data and ensure the data is created and stored in “machine-readable and open formats, whether collected electronically, by phone or on paper,” the report states. [Federal Times] SEE ALSO: [Oshawa orders search of councillors’ email to find leak]

US – Executive Order Requires US Gov’t Agencies to Adopt Open Data Standards

The White House has issued an executive order requiring that “the default state of new and modernized Government information resources shall be open and machine readable.” Over the next six months, agencies must compile lists of all the datasets they collect and maintain. They must also indicate which of those lists are supposed to be available to the public. They also must make the publicly available data easy to find and to access and to use. [NextGov] [Text of Executive Order]

US – Government is the Largest Purchaser of Hacking Tools

According to a report from Reuters, the US government is the single largest buyer in the “gray market” of offensive hacking tools. While tools that exploit unknown vulnerabilities provide a tactical advantage, not disclosing the flaws leaves other organizations, including those in the US, vulnerable to attacks. Former high level cybersecurity officials have expressed concern about the situation. Former White House cybersecurity advisor Richard Clarke said, “If the US government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell US users.” Howard Schmidt, also a former White House cybersecurity advisor, said, “It’s pretty naive to believe that with a newly-discovered zero-day, you are the only one in the world that’s discovered it.” And former NSA director Michael Hayden said that although “there has been a traditional calculus between protecting your offensive capability and strengthening your defense, it might be time now to readdress that at an important policy level.” Paying the vulnerability purveyors for the malware also removes the incentive for talented hackers to inform software makers about the flaws. [Reuters] [ZDNet]

Electronic Records

US – HIPAA Update Poses Tech Problems for Privacy

The move toward electronic health records and new federal rules set to give patients more control over their data are posing technical and administrative obstacles. One CEO of an electronic records system firm said, “The reality is, our ability to exchange electronic information is already well beyond our ability to control it.” Beth Israel Deaconess Medical Center Chief Information Officer John Halamka said, “It’s a technology problem and a work-flow problem and a policy problem.” Patient Privacy Rights Founder Deborah Peel said she’s concerned patients won’t be candid with their doctors over privacy fears. “Nobody knows who is using their health information and for what purpose,” she added. [The Wall Street Journal]

Encryption

WW – iPhone Encryption Stymies Law Enforcement

Law enforcement agencies are growing frustrated with Apple iPhone encryption. Because the encryption used on the devices is so strong, law enforcement agencies are finding that they need to ask Apple to manually override the security controls and decrypt the data on seized devices. The demand is high enough to have created a significant backlog. Some law enforcement officials report having been told that they would have to wait seven weeks for Apple to help decrypt the information. Law enforcement frustration with Apple’s encryption is not new. Just a few weeks ago, the US Drug Enforcement Agency (DEA) warned that messages sent through Apple’s Messages App are nearly impossible to wiretap. The issue is illustrative of the balance that needs to be struck between law enforcement’s need to eavesdrop on certain communications, and people’s right to privacy. [v3.co.uk] [Ars Technica]

EU Developments

EU – Regulation Vote Delayed Again

The European Parliament Civil Liberties Committee has decided to delay a planned vote on the draft data protection regulation that had been scheduled for May 29. “German MEP Jan Philipp Albrecht, who is charged with steering the legislation through to the final vote, explained that although several meetings have been held and some agreements have been reached, more rounds of discussions are still needed,” the report states. Meanwhile, small- and medium-sized businesses remain concerned as the proposal would require those with 500 or more customers to have a data protection office, resulting in “additional expense in an economy where many are struggling.” Albrecht has said a vote is still possible before July. [PC World]

EU – Court Says Apple Must Revise Customer Data-Handling Rules

A German court has told Apple to change its data-handling rules. The court struck down eight of 15 provisions in the company’s data-use terms, stating they deviate too far from German law, the report states. The court also ruled Apple can’t seek “global consent” from consumers on the use of data, including geolocation information. “The ruling shows the high importance of data protection for consumers in a digital world,” said Gerd Billen, head of consumer group Verbraucherzentrale Bundesverband. [Bloomberg] [Source]

EU – BCR for Processors Endorsed

“The fact that with everything that is going on in the world of data protection right now, the Article 29 Working Party has devoted a thorough 19-page explanatory document to clarifying and endorsing the role of BCR for Processors or Binding Safe Processor Rules (BSPRs) is very telling,” Eduardo Ustaran writes for Field Fisher Waterhouse’s Privacy and Information Law Blog. Ustaran’s post highlights key elements in the Working Party’s document and notes that “despite the detailed requirements that must be met, the overall approach of the Working Party is very ‘can do’ and pragmatic.” [Source]

EU – Bill in Dutch Legislature Would Give Law Enforcement Broad Cyber Powers

Dutch lawmakers are considering broad legislation that would give law enforcement the authority to hack into computer systems in the Netherlands and abroad for research, evidence gathering, or to block access to specific data. Specifically, the bill would let law enforcement block illegal content like child pornography; read communication between criminals; and conduct digital wiretaps. It would also allow law enforcement to activate GPS capabilities on a suspect’s mobile phone for location tracking purposes. The powers would be subject to a judge’s approval and there must be logs kept of investigation data. The bill is being criticized for being “rushed” and for creating “new security risks for citizens.” [ComputerWorld]

Facts & Stats

EU – CNIL Report: Record-Breaking Year for Complaints

The French data protection authority (CNIL) has published its annual report, which indicates a “significant increase in complaints, audits and sanctions.” The CNIL processed a record-breaking number of complaints in 2012—more than 6,000—mostly from private individuals. It conducted 458 audits, up 20% from 2011. In the report, the authority notes “the challenges of regulating Big Data and cloud computing” and recommends “the right to be forgotten” within the proposed EU data protection regulation be enhanced. [Chronicle of Data Protection]

Finance

WW – Detangling the $45 Million Cyberheist

In the aftermath of the recent news about an international $45 million cyberheist and ATM cash-out scheme, experts say pinpointing the source of such a massive breach can prove to be extremely difficult. That’s because so many different entities are now involved in the global payments chain. “There are so many parties in the payments chain that it is very difficult to assign blame in these types of breaches,” says financial fraud expert Avivah Litan, an analyst with consultancy Gartner Inc., who blogged about the attack. “There can easily be seven roundtrip hops or more between an ATM cash disbursement request and the cash disbursement. The leakage can happen at any of those points or hops.” News reports this week named two payments processors that had their networks hacked, leading to the card data compromises in the $45 million cyberheist. But one is claiming it had no data intercepted, and the other has yet to make a statement. [Source]

FOI

CA – Plague of Government Secrecy Throttles Canadians’ Freedom

Canada now ranks No. 55 among 93 nations when it comes to the law that allows journalists and others to get access to federal government documents. The ranking by the Centre for Law and Democracy puts us just ahead of Angola and Thailand, but one place behind Slovakia. This is a huge drop from 31 years ago when Canada’s initial legislation on access to information (ATI) was hailed as world-leading. What has happened since then? For one thing, despite many demands over the years for changes to make our law more effective, successive Liberal and Conservative governments did nothing. Meanwhile, in many other countries new ATI laws were passed that gave individuals the right to express their views and also enshrined the right guaranteed in the Universal Declaration of Human Rights for people to receive information about important things going on in their government and society. Present Canadian law and processes concerning Access to Information are particularly bad and getting worse in how long it takes for government departments to reply. While 36.8% of requests in 1999 were answered beyond the 30 days the law allows, by 2011-12 that rose to 44.7%. According to a 2011 survey by Canadian Journalists for Free Expression, the average time for an answer was 395 days; on one request, the Department of Defence took an extension of 1,100 days. The CJFE’s annual Review of Free Expression in Canada, published today, gave a grade of D-minus to the federal Access to Information system. Another thing that can hurt Canadians is this country’s inability to protect whistleblowers — those brave people who step forward in the public interest to expose misdeeds, corruption or other wrongdoing in their workplaces. The federal and six provincial governments have laws and regulations about protecting whistleblowers among their employees, but they are flawed in many ways. In the private sector things are even worse. There is no direct legislation at any level that protects the jobs of whistleblowers and they are almost always terminated by their employers. Many never work again in their industry of choice. Amid all these issues, the federal government continues to stop the free flow of information to the public. In successive moves it has stymied federal government scientists, other bureaucrats, even their own backbenchers in Parliament and, most recently, senior RCMP officers from speaking to members of Parliament without permission from Public Safety Minister Vic Toews. In this era of news and views everywhere, the government tries to control its message, undermining democracy along the way. [Source]

CA – $2.1M in Severance Paid to Premier’s Advisers, But Details Remain Secret

More than $2.1 million in severance has been paid to departing members of the premier’s inner circle of advisers over the past three years, but the Redford government won’t say who received the payments — or even reveal how many staff received the taxpayer-paid settlements. Opposition critics and advocacy groups expressed surprise at the government’s position, saying it flies in the face of Premier Alison Redford’s oft repeated pledge to lead an open and accountable government. “You’re telling me severance payments are a state secret if they are issued by executive council?” said a Canadian Taxpayers Federation spokesman. “So when you have an embarrassing case of a political staffer who has done something wrong and they are let go, you can pay them out and no one can never know?” The amount of severance paid to departing employees is not included in the annual reports for executive council — the department the premier heads — and the premier’s office declined to provide the information to the Herald. In response to a subsequent request for the information under the Freedom of Information and Protection of Privacy (FOIP) Act, the premier’s office has provided aggregate amounts for 2010-11, 2011-12 and 2012-13, refusing to say how many staff received severance pay in each of those years. The largest amount, nearly $1.3 million, was paid in severance in 2011-12, the year Tory Premier Ed Stelmach handed over the reins of power to Redford, but since then more than $585,000 in severance has been paid to employees departing Redford’s office. The premier suggested Friday the details of severance payments can’t be released because of privacy legislation — a position her office has claimed for weeks. “It’s actually not up to us,” she said in Calgary. But the Freedom of Information and Privacy Commissioner has ruled previously that severance payments to publicly appointed officials must be disclosed. [Source]

SEE ALSO: [Canada: Why Do I Have To Agree To the Privacy Notice of Canada’s new online tool for making access to information (ATIP) requests? And Other Curiosities]

CA – Star Gets Action: Public Can Now Know Bad Cabbies’ Records

The public can now access records of bad taxi and tow truck drivers in Toronto. Detailed records of hearings where drivers were convicted of sexual assault, multiple Highway Traffic Act convictions and other crimes are now posted on the City of Toronto’s website. The documents were published following a Star investigation into the city’s licensing system that revealed the city’s policy of only checking criminal records every four years was allowing drivers with criminal convictions to remain on the road. The city has since pledged to tighten the gap between criminal background checks to two years, possibly one. [Source]

UK – Britain Struggles with Info Access vs. Privacy

In a recent case involving the theft of 113,000 GBPs from a building in Warwickshire, police refused to identify the man charged with the crime. His identity was only disclosed after free speech campaigners made hay, and it was then learned the suspect was a former police officer. “The incident is indicative of rising tensions between journalists and authorities in Britain” when it comes to balancing privacy and freedom of information. “The police are in a real bind about this, because they have to balance the right to privacy against the public interest,” said one journalist. [NYT]

Google

WW – Google Introduces New Search Tools to Try to Read Our Minds

The company revealed new search tools at its annual developers conference. Taken together, they are another step toward Google’s trying to become the omnipotent, human-like “Star Trek” search engine that its executives say they want it to be. When people ask Google certain questions, it will now try to predict the person’s follow-up questions and answer them, too. Google Now, the service that sends you information on traffic and weather before you even ask for it, is also digging deeper into our minds. Google is adding more entertainment alerts, like new music based on videos watched on YouTube, and turning Google Now into a robotic to-do list and a stronger competitor to Apple’s Siri. Tell Google to remind you to buy milk next time you are in a grocery store, for instance, and the alert will automatically pop up when you step in a Safeway. Google is also trying to make search more conversational by encouraging people to talk to their phones and computers and hear answers out loud. Voice search has already been possible on both types of devices, but Google announced that people can now talk to its Chrome browser to perform a search, by saying, “O.K. Google.” Google also uses location information to answer questions. So people can ask, “How far from here to Santa Cruz?” and Google will know where “here” is, or they can ask, “How tall do you have to be to ride the Giant Dipper?” and Google will know that is a ride nearby. In another step to personalize search, Google is expanding its tool that plucks information from Gmail and presents it in search results. Already, a search for “flights” by logged-in users produces flight information from Gmail. Now, you can ask Google to show your photos from your trip to New York last year, and it will find them on Google Plus and show them to you. Underlying many of these developments is Google’s privacy policy, which it revised last year to permit the company to use information shared with one Google service on another one. 
[The New York Times] SEE ALSO: [Google’s Eric Schmidt On Data Privacy: The Internet Needs A Delete Button]

Health / Medical

AU – Keeping Tabs On Elderly, As Dick Tracy Would

Two Sydney brothers are launching a personal security smart watch they say will assist care of the elderly, at a time Australia braces for its “silver tsunami” of aged baby boomers. Peter and Paul Apostolis’ SOS Mobile Watch has a built-in SIM card and a GPS chip, and lets its wearer communicate with carers by initiating calls through their watch at the touch of a button. “Essentially it’s a GSM, GSP device, a mobile personal-security response device,” Peter Apostolis said. The watch has three SOS buttons which let its wearer contact any of three carers or family members, with their numbers programmed in. While outgoing calls are restricted to carers, anyone can call in and say hello. It also features GPS for real-time tracking. To ensure a wearer’s privacy, only the three nominated carers can track a wearer’s location. [Source]

Horror Stories

US – Reputation Protection Biz Announces Breach

Reputation.com announced to its customers this week that it had been hacked, reports Dark Reading. The information compromised included customer names, e-mail addresses and mailing addresses, though no financial data was stolen. The company reports it has hired third-party security experts to inspect and improve its current operations. Law enforcement is also investigating. Meanwhile, HealthIT Security reports on how the Kmart data breach could have been avoided. [DarkReading] SEE ALSO: [Anti-piracy enforcement company becomes accidental pirate]

WW – Name.com Data Breach Includes Encrypted Passwords, Credit Card Info

Domain name registrar Name.com has notified customers that their personal information, including encrypted passwords and payment card data, was compromised in a security breach. Name.com required all customers to reset their passwords. The method used – customers were instructed to click a link to perform the reset – has been criticized because it resembles tactics used in phishing attacks. [SC Magazine] [ComputerWorld]

WW – Victims Suing for $40M; Other Breaches Announced

Montfort Hospital patients whose personal information was lost have filed a $40 million lawsuit. The breach involved the loss of a USB stick containing data on 25,000 patients back in November. Although it was eventually recovered, plaintiffs are accusing the hospital of “breach of contract, negligence, breach of privacy and violating its own bylaws and the Personal Health Information and Protection Act,” in connection with the loss of the memory stick, the report states. Meanwhile, in the U.S., Indiana University Health has notified 10,300 patients of a health data breach; Presbyterian Anesthesia reports a data breach affecting nearly 10,000, and Memphis Regional Medical Center has reported a breach involving three e-mails. [Toronto Sun] SEE ALSO: [Researcher suing B.C. government over privacy breach scandal] AND [Boston: Unions eye medical privacy violation]

Identity Issues

US – Rights Groups File Suit Over Plate-Readers

The American Civil Liberties Union Foundation of Southern California (ACLU) and the Electronic Frontier Foundation have asked a judge to order Los Angeles police and sheriff’s departments to provide details on their use of license-plate scanning technology. The departments have refused to produce the information as requested under the Public Records Act, stating the information is investigative material. The groups are seeking a week’s worth of data from the readers. The sheriff’s department responded, saying, “The public interest served by not disclosing the record clearly outweighs the public interest served by disclosure of the record,” but an ACLU lawyer notes, “Nothing will demonstrate to people the threat to their privacy as clearly as the release of this data.” [Los Angeles Times] SEE ALSO: [Automated Passport Control debuts at Vancouver International Airport] SEE ALSO: [Who Owns The Indian UID Database?]

US – FTC to Hold Hearing on Identity Theft and Senior Citizens

The US Federal Trade Commission (FTC) plans to hold a hearing on Tuesday, May 7 at which it will look into identity theft schemes perpetrated on senior citizens, including tax and government benefit identity theft; long term care identity theft; and medical identity theft, which is occurring with increasing frequency. One study said that about two million US citizens are victims of medical identity theft every year. The incidents cost an average of US $20,000 to resolve. The hearing will also look at ways of educating senior citizens about these issues. [SC Magazine] [FTC]

Intellectual Property

WW – Montreal Firm Monitoring Illegal Downloading for Court Cases

Massive lawsuits targeting people who illegally download copyrighted content are common in the U.S., where people have been stuck with hefty fines and out-of-court settlements, and now there’s an attempt to bring that to Canada. At the centre of the effort is Canipre, the only anti-piracy enforcement firm that provides forensic services to copyright-holders in Canada. The Montreal-based firm has been monitoring Canadian users’ downloading of pirated content for several months. It has now gathered more than one million different evidence files, according to its managing director Barry Logan. One of its clients is now before Federal Court in Toronto, requesting customer information for over 1,000 IP addresses — a user’s unique internet signature — collected by Canipre. That client is the American studio Voltage Pictures, maker of hundreds of films including the Academy Award-winning Hurt Locker. On the other side of the case is Teksavvy, an Ontario-based Internet provider. The IP addresses flagged by Canipre link back to its users. The case is set to resume next month. If the court orders Teksavvy to hand over customer info, it could be the beginning of a new chapter in the anti-piracy battle in Canada. “We have a long list of clients waiting to go to court,” said Canipre’s Logan, who estimates that about 100 different companies are paying close attention to the case. [Source]

Internet / WWW

WW – GPEN Launches First Internet Privacy Sweep

A total of 19 privacy enforcement authorities are participating in the Global Privacy Enforcement Network’s first Internet Privacy Sweep initiative. In announcing the launch of the weeklong initiative, the Office of the Privacy Commissioner of Canada said participating authorities will dedicate individuals to search the Internet in a coordinated effort to assess privacy issues related to the theme, Privacy Practice Transparency. “Privacy issues have become global and they require a global response,” noted Canadian Privacy Commissioner Jennifer Stoddart. “It is critical that privacy enforcement authorities work together to help protect the privacy rights of people around the world.” [Source] [Source]

Law Enforcement

US – FTC Sting Operation Results in Warnings to 10 Data Brokers

The FTC has announced it sent warning letters to 10 data brokers warning they may be in violation of the Fair Credit Reporting Act (FCRA). The potential violators were discovered by an undercover FTC data shopper in a sting operation, part of a Global Privacy Enforcement Network initiative. In it, the FTC approached 45 companies seeking financial data, citing reasons such as checks for employment eligibility or creditworthiness. Of those, “10 appeared willing to sell information without complying with the requirements of the FCRA.” [Ad Age]

Location

US – What’s the Equivalent of Shouting “Fire!” in a Crowded Theater?

The Center for Geographic Analysis held its annual conference at Harvard’s Tsai Auditorium last week, focusing on the challenges and thoughts surrounding policy-making for a location-enabled society. The benefits of location technology are hard to deny—identifying influenza outbreaks, getting necessary transportation to people in remote locations, providing emergency services to people who call 911 from cell phones, heck, even just figuring out how to get home without being stuck in rush-hour traffic—but the collection, analysis and use of this data bring risks, too. [Source]

US – How to Mine Cell Phone Data Without Invading Your Privacy

Cell-phone mobility data could be a huge boon to development and planning efforts, but that resource can’t be used if privacy is compromised. Researchers at AT&T, Rutgers University, Princeton, and Loyola University have devised a way to mine cell-phone data without revealing your identity, potentially showing a route to avoiding privacy pitfalls that have so far confined global cell-phone data-mining work to research labs. Working with billions of location data points from AT&T mobile phone calls and text-messages around Los Angeles and New York City, they’ve built a “mobility model” of the two regions that aggregates the data, produces representative “synthetic call records”—then mathematically obscures any data that could tend to identify people. [MIT Review]

Online Privacy

WW – LinkedIn Revises Policy for User Clarity

LinkedIn is updating its privacy policy within the next week, the company reports in its blog. The updates will clarify and simplify language to make it easier for members to read and understand. The policy will be located on a page that will become the company’s “Privacy Portal” where users can access all of their LinkedIn data. [Source]

US – Reddit Rewrites Policy for Usability

Reddit has rewritten its privacy policy “from the ground up” in order to be clearer and more accessible to the average user. The policy goes into effect May 15. “For some time now, the reddit privacy policy has been a bit of legal boilerplate,” said the announcement. “This new policy is a clear and direct description of how we handle your data on reddit and the steps we take to ensure your privacy.” [WebProNews]

WW – Online Ads Can Now Follow You Home

Advertisers already know what people are up to on their personal computers. But understanding their online whereabouts on smartphones or tablets has remained elusive. A number of companies are trying to better pinpoint mobile users’ online activity with new software and techniques they say could help advertisers track users across devices. By harvesting cross-screen identities, the ad industry could serve ads to mobile phones based on the interests people express when surfing the Web on their PCs. [Source]

WW – In-App Advertisers Beware: Lookout Announces Deadline

With adware targeting the Android operating system up 61% over last year, by Bitdefender’s estimate, mobile security firm Lookout has decided to take a firmer stance with in-app advertisers. The company has announced “rules and standards for acceptable advertising practices that promote good user experience and privacy best practices” and given advertisers 45 days from May 10 to comply or be otherwise classified as adware. If advertisers don’t get explicit user consent for display advertising outside the normal in-app experience, harvesting PII or performing unexpected actions in response to ad clicks, Lookout’s product will block them from users. [Source]

WW – Who Stands To Profit from the Quantified Self Movement?

Wearable devices and wellness apps, which are exploding in number, often transmit potentially sensitive data to the cloud. As many as five million Americans currently use wearable devices, and as much as $700 million was invested by venture capital firms in creating such devices in the first half of last year. As a result, one digital tracking group, Quantified Self, has been formed and abides by the credo, “Self-knowledge through numbers.” Others, however, are concerned about the privacy ramifications of transmitting personal health data to the cloud. One computer scientist worries the data could be used against an individual. “It might mean that if your health is looking shaky, all of a sudden you won’t be able to get a loan,” he said. Meanwhile, a California-based programmer has raised concerns that Google Glass could easily be compromised by hackers. [Details Magazine] SEE ALSO: [Man with Down syndrome sues for $18 million after picture altered online]

US – Apple, Verizon Earn Poor Marks in EFF Privacy Report

The Electronic Frontier Foundation is warning that some companies should not be trusted with your data — but some should, and actively fight on the user’s behalf. Out of the 18 major Web and technology companies listed in the latest report from the U.S. privacy and civil liberties group, only six firms had five out of six stars rating how far they will go to either protect users from the government or even fight on their behalf in court. The report published by the EFF ranks the selected firms based on their privacy policies and law enforcement guidelines, but also how far they will go to protect users’ data when a subpoena is issued and so on. The EFF also notes whether the company in question needs a warrant to be issued before it hands over data. [Source]

Other Jurisdictions

AU – Draft Breach Notification Bill Being Circulated

Draft data breach notification legislation from the Australian government is being circulated among a “small number of stakeholders.” Circulated by the Australia Attorney-General’s Department, the Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013 “appears to take a conservative approach in its demand for data breaches to be reported, with only classifications of serious data breaches considered,” and the report states the legislation could come into force this July with an undisclosed grace period for compliance. [SC Magazine] See also: [NZ: Senior executives told to address privacy breaches]

UK – Trade Group Issues Insurance Guidelines

The Association of British Insurers (ABI) has published guidance for insurance companies on obtaining consent for data-sharing. ABI advises companies obtain opt-in consent to share data with firms that are not “directly involved in managing or delivering a policy, handling a claim, setting premiums, detecting and preventing fraud” or involved in customer service, the report states, adding that companies collecting data must respect UK data protection laws. [Out-Law.com]

Privacy (US)

US – Foreign Intelligence Surveillance Court Approved All Requests in 2012

The US Justice Department sent a report to Senate Majority Leader Harry Reid (D-Nevada) detailing certain activity of the Foreign Intelligence Surveillance Court. In 2012, the court approved every request it received to authorize physical searches or surveillance of people within the US “for foreign intelligence purposes.” There were 1,856 requests in all. [WIRED] [WIRED]

US – Obama May Back FBI Internet Wiretapping

The Obama administration “is on the verge of backing” an FBI initiative for “a sweeping overhaul of surveillance laws that would make it easier to wiretap people who communicate using the Internet rather than by traditional phone services.” The original FBI proposal would have required Internet communications services to build in a means to wiretap, but the revised proposal, pending a White House review, would fine businesses that do not comply, the report states. The Center for Democracy & Technology’s Greg Nojeim said, “I think the FBI’s proposal would render Internet communications less secure and more vulnerable to hackers and identity thieves.” FBI General Counsel Andrew Weissmann said, “This doesn’t create any new surveillance authority” and would require a court order. [The New York Times]

US – Delta Wins Dismissal of California Mobile App Privacy Suit

Delta Air Lines has won its request for dismissal of claims it violated California’s Internet privacy law because it didn’t notify mobile app users that their data was being collected. California Attorney General Kamala Harris sued the company in December, alleging its “Fly Delta” app didn’t clearly post its privacy policy. But Judge Marla Miller said the federal Airline Deregulation Act “bars states from imposing regulations on airlines related to price, routes or services,” the report states. [Business Week]

US – FTC Denies Group’s Request for Delay in COPPA Date

The Federal Trade Commission (FTC) has voted to keep July 1 as the scheduled implementation date for the update to COPPA. The decision denies a request from 20 groups including the Interactive Advertising Bureau and the Application Developers Alliance that the date be pushed back by six months, citing “insufficient time” between the FTC’s issued guidance on the new rules and the required compliance date. The groups say they need more time to make changes to their products. But the FTC responded that the groups had enough time and didn’t provide sufficient reasons for the requested change in date. [ADWEEK]

US – Medine Confirmed to Lead PCLOB

The Senate confirmed President Barack Obama’s nominee David Medine as chairman of the Privacy and Civil Liberties Oversight Board (PCLOB). This ends a two-year process and finally allows the PCLOB to go forward “at full strength,” said Judiciary Chairman Patrick Leahy (D-VT). However, questions remain as to the jurisdictional and scope-of-authority issues that Medine and the agency must decide. [Source]

US – Meet Nicole Wong, Obama’s New Internet Privacy Czar

President Obama has tapped a former Googler nicknamed “the Decider” to handle the administration’s approach to Internet privacy. Nicole Wong, who’s spent the last six months as Twitter’s legal director, will report to White House Chief Technology Officer Todd Park. While she won’t be the nation’s chief privacy officer, she’ll be considered a senior adviser, someone familiar with the matter told me. Wong already has a truckload of issues to sort through, and she hasn’t even started yet. Last month, the administration threatened to veto the controversial Cyber Intelligence Sharing and Protection Act, better known as CISPA, on privacy grounds. Reforms to the way government is allowed to access your emails for forensic purposes are also headed to a full Senate vote. [Source]

US – Corporate Personhood Denied by Pennsylvania Judge

Do corporations count as people? The Supreme Court said as much in Citizens United, but a Pennsylvania judge recently issued a resounding “no.” On March 20, Judge Debbie O’Dell-Seneca ruled that the state’s constitution doesn’t guarantee corporations a right to privacy—because that’s a privilege reserved for people. Two local newspapers had petitioned O’Dell-Seneca to unseal a 2011 settlement between a western Pennsylvania family and several fracking companies. The Hallowich family had sued over charges that hydraulic fracking operations on their land were causing them chronic nosebleeds, headaches and sore throats. The companies agreed to settle but imposed a strict gag order—something the fracking industry regularly insists upon in health-related lawsuits. Gas extraction company Range Resources Corp. argued before O’Dell-Seneca that the companies’ privacy rights protected them from disclosing the details of the settlement. But the judge disagreed, finding the argument “meritless” because the companies have no right to privacy. In fact, Judge O’Dell-Seneca spent roughly one-third of her 32-page decision forcefully articulating the reasons why corporations are not considered legal persons under the state’s constitution, observing that, “the constitutional rights that business entities may assert are not coterminous or homogeneous with the rights of human beings.” She continued, “It is axiomatic that corporations, companies and partnerships have no ‘spiritual nature,’ ‘feelings,’ ‘intellect,’ ‘beliefs,’ ‘thoughts,’ ‘emotions’ or ‘sensations,’ because they do not exist in the manner that humankind exists.” “The ruling represents the first crack in the judicial armor that has been so meticulously welded together by major corporations,” Thomas Linzey, Community Environmental Legal Defense Fund (CELDF) executive director, told AlterNet. 
In what it calls a “new civil rights movement,” CELDF has helped more than 100 communities in eight states adopt a Community Bill of Rights to limit corporate personhood. Other activists hope that Judge O’Dell-Seneca’s decisions will boost the movement for an amendment to the U.S. Constitution clarifying that corporations are not people. The Move to Amend Coalition has gathered more than 280,000 online signatures supporting such an amendment, and 12 states have passed resolutions of support. [Source]

Privacy Enhancing Technologies (PETs)

WW – Lookout Will Intercept Privacy-Invading Mobile Ad Networks, Apps

Mobile security vendor Lookout plans to start flagging as adware mobile apps that use aggressive ad networks if they don’t obtain explicit consent from users before engaging in behavior that potentially invades privacy. Ad networks, advertisers and app developers have until June 24 to start conforming to the company’s set of privacy and security best practices for mobile app advertising if they want to avoid being blacklisted. According to a study released by Bitdefender in March, the number of adware apps for Android devices increased by 61% during a five-month period ending in January. In the U.S. in particular, the number of adware apps increased by 35% during the same period. [Source]

WW – The Struggling Do-Not-Track Negotiations

There is friction between industry and privacy advocates leading up to what will be the final face-to-face negotiations within the World Wide Web Consortium (W3C) on establishing a Do-Not-Track (DNT) standard. On Friday, Mozilla posted a new report on the “State of Do Not Track in Firefox.” Yet, if the W3C cannot come to an agreement this week, the proposed standard may go the way of the dodo. Two main sticking points revolve around default settings and what data may be collected after a DNT signal is activated. Jonathan Mayer, a Stanford University graduate student and participant in the W3C talks, said, “I think it’s right to think about shutting down the process and saying we just can’t agree,” adding, “We gave it the old college try. But sometimes you can’t reach a negotiated deal.” [The New York Times]

Security

WW – Perimeter Security No Longer Enough: RSA

Forget about the perimeter, you’ve already been breached. That’s the mindset that RSA Security wants business and IT leaders to adopt when it comes to security posture. “If you’re still racking your brains about how to keep the bad guys out, you’re already way behind,” Art Coviello, the 59-year-old executive chairman of RSA, said during a media briefing at the EMC World 2013 conference here. “It’s very likely that your network has already been breached and what you need to focus on is how to minimize and stop the damage.” A recent attack on RSA led it to refocus from authentication to detecting “faint noises” of an attack in progress and immediately plugging that leak. He said that as more companies adopt big data strategies, they are also expanding the attack surface for cybercrime organizations. Unfortunately, many companies are still locked in the old model of reactive security. The RSA chief characterized this as:

  • Perimeter-based and focused on keeping attackers out
  • Static and signature based, primarily using anti-virus and authentication
  • No true defense in depth

Most organizations that employ this security strategy, he said, spend 80% of their IT budget on perimeter defenses, 15% on monitoring and 5% on response. However, in recent years, enterprises have been dealing with growing amounts of data and an increasing number of devices hooked up to the corporate network and the Internet. This, Coviello argues, has expanded the threat landscape. A more mature security approach, he said, is one that splits the security emphasis this way:

  • Perimeter defense, 34% of budget
  • Monitoring, 33% of budget
  • Response, 33% of budget

Many organizations, however, are hampered by three main challenges: budget constraints, lack of skilled personnel and lack of information sharing. He said that, ideally, organizations should be sharing information on threats they have encountered and methods they have employed to reduce the security risk for everyone. “Information sharing in this matter has to scale out,” Coviello said. “What we need is a neighbourhood watch.” [Source]

WW – Honeywords Would Serve As Hack Alert

Researchers have proposed a technique to thwart account hijacking by seeding cryptographically hashed password files to include dummy passwords, or honeywords. Admins would be alerted when the phony passwords were used. While the technique does not prevent hackers from using dictionary attacks to crack passwords, the attackers will not know if they are using the correct passwords when attempting to access the account. [ArsTechnica] See also: [Facebook] [NakedSecurity] [DigitalTrends]
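The login check described above, as an added example that is not code from the researchers or from any of the cited articles. It assumes the position of each user's real password is held by a separate component (the hypothetical `HoneyChecker`), and the user name, passwords and decoys are constructed sample values.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumption: work factor picked for this example only


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash, in the form a password file would store it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class HoneyChecker:
    """Hypothetical separate store: knows only which slot is real, never a hash."""

    def __init__(self):
        self._real_slot = {}
        self.alerts = []  # (user, slot) pairs an admin would be alerted about

    def register(self, user: str, slot: int) -> None:
        self._real_slot[user] = slot

    def is_real(self, user: str, slot: int) -> bool:
        if self._real_slot.get(user) == slot:
            return True
        # A hash from the file matched, but it was a decoy: the file has leaked.
        self.alerts.append((user, slot))
        return False


class PasswordFile:
    """Password file seeded with honeywords; every slot looks the same on disk."""

    def __init__(self, checker: HoneyChecker):
        self.checker = checker
        self.records = {}  # user -> (salt, [hash, hash, ...])

    def enroll(self, user: str, real_password: str, decoys: list) -> None:
        sweetwords = list(decoys) + [real_password]
        if len(set(sweetwords)) != len(sweetwords):
            raise ValueError("decoys must be distinct and differ from the real password")
        # Shuffle so the real password's position reveals nothing.
        secrets.SystemRandom().shuffle(sweetwords)
        salt = os.urandom(16)
        self.records[user] = (salt, [hash_password(w, salt) for w in sweetwords])
        self.checker.register(user, sweetwords.index(real_password))

    def login(self, user: str, attempt: str) -> str:
        record = self.records.get(user)
        if record is None:
            return "reject"
        salt, hashes = record
        candidate = hash_password(attempt, salt)
        matched = None
        for slot, stored in enumerate(hashes):
            # Constant-time comparison; scan every slot regardless of a hit.
            if hmac.compare_digest(stored, candidate):
                matched = slot
        if matched is None:
            return "reject"  # ordinary wrong password, no alert
        return "accept" if self.checker.is_real(user, matched) else "alarm"


def demo():
    """Run three logins against one constructed account and return the outcomes."""
    checker = HoneyChecker()
    pwfile = PasswordFile(checker)
    pwfile.enroll(
        "alice",
        "tulip-Harbor-42",  # constructed real password
        ["tulip-Harbor-24", "maple-Harbor-42", "tulip-Garden-17"],  # constructed decoys
    )
    attempts = ["tulip-Harbor-42", "not-in-the-file", "maple-Harbor-42"]
    outcomes = [pwfile.login("alice", a) for a in attempts]
    return outcomes, checker.alerts


if __name__ == "__main__":
    print(demo())
```

Someone who cracks the stored hashes recovers four equally plausible passwords for the account, and submitting any of the three decoys raises the alert instead of granting access.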

US – Pentagon Approves BlackBerry 10 and Samsung Galaxy Devices

The US Defense Department (DOD) has cleared Samsung Galaxy smartphones and tablets and Research in Motion’s BlackBerry 10 devices for use by military officials and government workers. A Pentagon spokesperson called the approvals “a significant step toward establishing a multi-vendor environment that supports a variety of state-of-the-art devices and operating systems.” The Pentagon expects to clear Apple iOS6 devices later this month. [Information Week] [ABC News] [The Register]

WW – Bloomberg Reporters Had Access to Client Account Information

Bloomberg news editor-in-chief Matthew Winkler has apologized for employees using the company’s financial data terminals to snoop on customers. Bloomberg reporters had access to login histories, “high-level types of user functions on an aggregated basis,” and help desk inquiries. Having access to the information may have given Bloomberg reporters an edge over other reporters. The terminals, which are in many financial institutions and related organizations, provide financial industry professionals with real-time market data, news, and a messaging service. Companies rent the machines for US $20,000 a year.

Winkler wrote, “Our reporters should not have access to any data considered proprietary. I am sorry they did. The error is inexcusable.” The issue came to light after a Bloomberg reporter commented to a Goldman Sachs executive that another Goldman executive had not logged in recently. The reporters no longer have access to the customer information. [CNN] [CNET] [Wash Post]

Surveillance

US – Use These Secret Google Search Tips to Become Your Own Spy Agency

There’s so much data available on the internet that even government cyberspies need a little help now and then to sift through it all. So to assist them, the National Security Agency produced a book to help its spies uncover intelligence hiding on the web. The 643-page tome, called Untangling the Web: A Guide to Internet Research, was just released by the NSA following a FOIA request. The book was published by the Center for Digital Content of the National Security Agency, and is filled with advice for using search engines, the Internet Archive and other online tools. [Source] [FBI Guidance on open source intelligence collection]

IN – Central Database Has Advocates “Up in Arms”

Privacy advocates are concerned after the Indian government introduced a central monitoring system (CMS) designed to give authorities access to citizens’ phone calls and online communications. The plan aims to thwart terrorism attempts, but the CMS will be accessible by law enforcement and tax authorities and allows the government “a single point of access to ‘lawfully’ intercept voice calls and texts, e-mails, social media and the geographical location of individuals.” Activists claim privacy laws aren’t strong enough to protect citizens against such powers. [The Register]

US – DoJ Obtains Journalists’ Phone Records

The Associated Press is crying foul after discovering the Department of Justice (DoJ) had secretly obtained two months of telephone records for more than 20 corporate and personal phone lines used by as many as 100 AP journalists. In a letter of protest to U.S. Attorney General Eric Holder, AP CEO Gary Pruitt said, “There can be no possible justification for such an overbroad collection of the telephone communications of the Associated Press and its reporters.” DoJ officials would not tell the AP why or how the records were obtained. The DoJ simply notified the AP via letter on Friday the records were in hand. The Obama administration denied knowledge of the investigation. Sen. Patrick Leahy (D-VT) pronounced himself “concerned” by the DoJ actions, as did Sen. Rand Paul (R-KY) and groups like the ACLU and American Society of News Editors. [Source]

AU – Cameras Shut Down Over Privacy Incident

New South Wales Premier Barry O’Farrell has said the government will move to enact legislation to ensure the continued use of closed-circuit television cameras (CCTV) on public streets after an invasion-of-privacy incident prompted officials to turn off the cameras. O’Farrell said CCTV “has proven essential in assisting police” and cameras are “a vital tool in the fight against crime, and I am determined to ensure they remain so.” O’Farrell also has asked the attorney general “to seek urgent advice on the implications and whether legislative amendments are required to validate the continued use of CCTV.” In the U.S., meanwhile, during Sunday’s airing of Meet the Press, a U.S. lawmaker discussed the importance of camera surveillance to curb terrorism in the context of the Boston Marathon bombings. [The Sydney Morning Herald] [CCTV use in spotlight after privacy ruling] SEE ALSO: [All cars may soon get eyes]

US – Boston Bombing Highlights Need for High-Tech Surveillance

Police and politicians across the U.S. are pointing to the surveillance video that was used to help identify the Boston Marathon bombing suspects as a reason to get more cameras on their streets. From Los Angeles to Philadelphia, efforts include trying to gain police access to cameras used to monitor traffic, expanding surveillance networks in some major cities and enabling officers to get regular access to security footage at businesses. Some in law enforcement, however, acknowledge that their plans may face an age-old obstacle: Americans’ traditional fear that more law enforcement powers will erode their privacy. There are also questions about effectiveness. A 2011 Urban Institute study examined surveillance systems in Baltimore, Chicago and Washington, and found that crime decreased in some areas with cameras while it remained unchanged in others. The success or failure often depended on how the system was set up and monitored. There’s general agreement, however, that cameras can be useful to identify suspects after a crime is committed. [Source]

Telecom / TV

US – Judge Admits Evidence Gathered With Cell Tower Spoofing Technology

A judge in Arizona will allow evidence collected by federal investigators through the use of technology known as stingray, which mimics a cell phone tower. The defense had filed a motion to suppress the evidence, claiming that the use of stingray violated Daniel Rigmaiden’s Fourth Amendment rights because there was no warrant for the search of his apartment. The judge determined that Rigmaiden did not have a reasonable expectation of privacy because he had obtained all of those things fraudulently – using others’ identities. Rigmaiden allegedly filed hundreds of phony tax returns using the names of people who had died. He is the alleged mastermind in a scheme that stole US $4 million from the IRS through fraudulent tax returns. The judge also said that the government did not act improperly by failing to inform the magistrate judge who authorized the tracking activities that it planned to use a stingray to track the suspect or explain how the technology worked. [WIRED] [ArsTechnica] [Judge’s order denying motion to suppress evidence]

US – Former FBI Agent Says All Phone Calls in U.S. are Recorded by Government

Tim Clemente, a former FBI counter terrorism agent, hinted on CNN that the government uses an intrusive surveillance network to monitor citizens’ phone calls. On CNN, he discussed the Boston Marathon attacks and telephone conversations between Katherine Russell and her now deceased husband Tamerlan Tsarnaev. Clemente said that the conversations between them will be available to the FBI. He said that no digital communication was secure from the surveillance of the government. This isn’t the first time government surveillance on cellphone conversations has made headlines. Even Senators Ron Wyden and Mark Udall have said the public would be “stunned” to learn the lengths the government went to uncover information. Should the U.S. government have the right to invade privacy if it helps ensure the safety of the American people? [Source]

US – NYC Police Chase Smartphone Thief

“The closest comparison that leaps to mind is a classic chase scene from a 1971 thriller,” is how The New York Times describes a case where New York City police tracked down an individual who stole an iPhone. Law enforcement was able to track the suspect’s movements by using the “Find My Phone” feature. According to the report, 16,000 smartphone devices are stolen per year in New York City. [Source]

US – NY A-G Wants Mobile Phone Companies to Help Thwart Device Theft

New York State Attorney General Eric Schneiderman has sent letters to the CEOs of Apple, Samsung, Google, Motorola, and Microsoft asking them to specify what they are doing to make phones less susceptible to theft. Schneiderman asked why the companies do not offer technology that would make stolen phones useless, which would deter thieves. [CNET]

US Legislation

US – Gov’t: Warrantless E-mail Access OK; Legislators Intro Bills

The U.S. Department of Justice and the FBI have said they don’t believe they need search warrants for access to Americans’ electronic communications. That’s according to internal documents obtained by the ACLU. U.S. Reps. Tom Graves (R-GA) and Kevin Yoder (R-KS) have introduced a bill aimed at protecting consumer privacy by updating protections for electronic communications stored by third-party service providers. The E-mail Privacy Act would extend protections for regular mail to e-mail and cloud data. Meanwhile, Sen. Rand Paul (R-KY) has introduced a bill that would repeal the anti-privacy provisions in the Foreign Account Tax Compliance Act. [The Wall Street Journal]

US – FBI Domestic Investigation Guide Says No Warrant Needed to Access eMail

According to the 2012 edition of the FBI’s Domestic Investigations and Operations Guide, the FBI believes it has the authority to access individuals’ electronic communications and documents without a search warrant. The ACLU obtained the document through a Freedom of Information Act (FOIA) request. The guide indicates the FBI believes all that is required to access such information is a subpoena signed by a federal prosecutor. This policy appears to fly in the face of a 2010 ruling that requires federal authorities to obtain warrants prior to accessing email accounts. At a Congressional hearing earlier this year, DOJ officials acknowledged that the interpretation of the Electronic Communications Privacy Act (ECPA) of 1986 that allows access to opened email and unopened email more than six months old is no longer applicable. [Ars Technica] [ZDNet] [v3.co.uk]

US – Bill Requiring Data-Use Disclosure, Others Introduced

A new bill would require app developers to have privacy policies detailing how they share user data. Rep. Hank Johnson (D-GA) has introduced the bill, which would require users to sign off on the privacy policy before using an app, the report states. The user would also be able to ask for data to be deleted upon ceasing to use the app. Politico reports that support for privacy legislation is gaining momentum from the right side of the political aisle; four Republican congressmen have introduced two bills that would require law enforcement to obtain warrants before accessing individuals’ e-mail data. [Ars Technica] SEE ALSO: [Researchers: Hold Off on APPS Act]

US – Proposed Legislation Would Place Privacy Onus on Mobile App Developers

A US legislator has introduced the Application Privacy, Protection and Security Act of 2013, a bill that would require mobile app developers to take responsibility for the privacy of users’ data. The legislation would require developers to inform users which data the apps collect and how the data are stored, and to obtain consent before the data are gathered. The developers would also need to specify how they will use the collected data, and whether they will be shared with other parties. The FTC would bear the responsibility of enforcing the measure should it become law. [ComputerWorld] [SC Magazine] [Discussion Draft of the Bill]

US – Researchers: Hold Off on APPS Act

Research reports on calls to hold off on the proposed Application Privacy, Protection and Security (APPS) Act. The Marketing Research Association (MRA) is concerned the act would empower the FTC “to define what the term ‘personal data’ meant, as the MRA had already seen in a previous act’s amendment debate that the FTC thought this meant that almost any piece of information could be personally identifiable,” the report states. The MRA is also concerned about the FTC being able to decide the meaning of de-identified data, the act’s mobile app transparency notice requirements and the legislation “not giving industry attempts to introduce a workable privacy code of conduct a chance.”

US – State Legislative Roundup

A number of U.S. states have passed or are working on various types of privacy legislation—from employee privacy to breach notification. Most notably, California has pulled a bill that would have required businesses to disclose to consumers data they have collected on them. The Pennsylvania Senate has passed a law that would require state agencies to notify residents of a breach “as soon as possible.” And the Texas House has also “tentatively” approved similar social media legislation. [Source]

US – U.S. Companies Fight EU-like Proposals

U.S. Internet companies are pushing back against California privacy bills that closely resemble EU proposals. One such bill would require companies to disclose what information they share with third parties and provide them with the corresponding contact information. Another would require social networking sites to remove user information within four days of such a request, akin to Europe’s “right to be forgotten” provision in the draft data protection regulation. Companies have argued the provisions would be detrimental to ad revenues. [Bloomberg]

Workplace Privacy

CA – Director’s ‘Reply All’ Email Discussing Firing of Employee Leads to Lawsuit

We have all experienced that awful feeling after hitting the ‘send’ button and realizing a copy of a sensitive or confidential email has inadvertently gone to the wrong person. Usually, the situation is simply embarrassing. Not so for Maria Fernandes, a Mississauga employee of healthcare communications company Marketforce Inc. In March 2011, she accidentally received an email discussing whether or not she should be fired. Court documents allege that Linda Guerin, the company’s Director of Operations, intended to send the email to the company’s lawyers. Too late, she realized Fernandes was also on the list, and she unsuccessfully sent three recall notices. She also sent an email to Fernandes asking that she delete the message without opening it. Fernandes read it, treated the information in the email as a constructive dismissal and hired a lawyer. A few weeks later, she left her job as a Director of Client Services at Marketforce, which subsequently amalgamated with Sudler & Hennessey ULC. Fernandes claimed in a court filing that she had effectively been fired. She had worked for the company for over six years and was earning $145,000 a year. She is suing her former employer in the Ontario Superior Court for wrongful dismissal. The case has not been heard, so we don’t know if a trial judge will agree that Fernandes was constructively dismissed. The company went to court and argued that because the intended recipients of the email were the company’s lawyers, the information in it was a privileged communication. The company wanted the email removed from the Statement of Claim in Fernandes’ lawsuit. The company’s motion was dismissed and an application to appeal the ruling was also refused. [Source]

+++

16-30 April 2013

Biometrics

US – The Power and Limits of Facial Recognition

Salon interviews Carnegie Mellon computer scientist Alessandro Acquisti to explore why, according to Boston’s police commissioner, facial recognition technology did not help identify the Boston bombing suspects. Among the “three or four potential hurdles,” Acquisti said image quality, available data stored in databases to match images, the high cost of such software and the problem of false positives may have all played a role. Meanwhile, Google Executive Chairman Eric Schmidt and Google Ideas Director Jared Cohen “forecast the raft of new innovation and corresponding threats that will arise for dictatorships, techno revolutionaries, terrorists and you” in an NPR interview.

WW – Apple Siri Retains Query Data for Two Years

Apple has responded to concerns raised by the ACLU about ambiguous information in its Siri privacy policy. Terms, such as “disassociated” and “period of time” have now been clarified by Apple spokeswoman Trudy Muller. Apple has revealed that it retains information about questions users ask Siri for as long as two years, although the company does try to anonymize the data. Siri queries are sent to Apple’s servers, where they are assigned an identifier – not an AppleID or email address – that links the voice files to the device from which they were sent. After six months, the identifier is removed, but the query data are retained to help Apple with product testing and improvement. Muller added, “If a user turns Siri off, both identifiers are deleted immediately along with any associated data.” But ACLU Lawyer Nicole Ozer says Apple should do more, including linking to the Siri privacy policy from its FAQ page so consumers can review data-handling practices prior to purchasing the company’s products. [WIRED] [Ars Technica] [ZDNet]

WW – Will ‘Passthoughts’ Replace Passwords?

A new form of biometric security using brain waves to authenticate users has been developed by researchers from the University of California, Berkeley. Rather than using a password to gain access, a user would submit a “passthought,” generating a unique signal from brainwaves that may or may not prove difficult to duplicate by a hacker. The recent commercialization of external electroencephalogram (EEG) devices — the researchers used a Neurosky MindSet, which connects wirelessly via Bluetooth and costs about $100 — makes this technology plausible and secure, and it could someday be used to replace traditional passwords. [Phys.org]

Canada

CA – Committee Calls for Voluntary OPC Guidelines

The House of Commons Standing Committee on Access to Information and Privacy is not recommending the government give the Office of the Privacy Commissioner (OPC) power to fine companies for breaking federal privacy law, instead calling on the OPC to “establish guidelines to help social media and data management companies develop practices that fully comply” with the law. The committee voiced concern that “major social media companies, while doing business in Canada, prefer to be governed by laws other than those of this country.” The guidelines would address how websites and data brokers “collect and use the personal information of Internet users”; however, “any direction provided under the proposed guidelines would only be voluntary,” the report states. [Postmedia News] [Privacy watchdog urged to create guidelines for social media and data brokers] [Privacy and Social Media in the Age of Big Data: Report of the Standing Committee on Access to Information, Privacy and Ethics | PDF version]

CA – Canada’s Grapple with Privacy and Freedom of Expression

A recent Alberta Court of Appeal decision that the province’s privacy law is unconstitutional can be seen as potentially rippling through the country at large and setting up a clash between privacy and freedom of expression, as included in the charter passed in 1982. This clash between privacy and freedom of expression is particularly interesting because while freedom of expression is a “fundamental right” under the charter, there is no similar privacy right, except as listed in the legal rights of those dealing with the justice system. [The Privacy Advisor] SEE ALSO: [Data Protection Laws of the World Handbook: Second Edition – Canada]

CA – Government Announces Software to Enhance Airport Passenger Privacy

Minister of State (Transport) Steven Fletcher has announced that the Canadian government is deploying software on Canada’s full body scanners to enhance passenger privacy. The new Automatic Target Recognition software is now being updated to produce a computer generated stick figure rather than displaying an outline of the passenger’s body, the report states. “Our government is committed to ensuring the safety and security of all passengers traveling through Canadian airports,” Fletcher said. [The Herald] See also: [Detector finds smuggled cellphones even without batteries or SIM cards]

CA – Canadian Gov’t Quietly Drops Lawful Access from Cyber-Security Strategy

The government has recently dropped lawful access from its national cyber-security strategy. The 2010 Cyber-Security Strategy telegraphed the intent to bring forward lawful access legislation with a commitment to introduce a bill:

  • Requiring Internet service providers to maintain intercept capable systems, so that law enforcement agencies can execute judicially authorized interceptions;
  • Requiring Internet service providers to provide police with basic customer identification data, as this information is essential to combatting online crimes that occur in real time, such as child sexual abuse

Yet earlier this month, the government released its Action Plan 2010-2015 for the Cyber-Security Strategy.  It removed all references related to lawful access including the commitment to legislation involving Internet service providers. Given that the document originates with Public Safety – the most ardent supporter of lawful access within the government – the removal of surveillance language provides a strong signal that it is not part of the legislative plan for the foreseeable future. [Source] See also: [N.S. wants ban on spreading images after Rehtaeh Parsons case]

CA – BC Hydro Smart Meters Provoke Class Action Lawsuit

Opponents of smart meters are preparing a class action lawsuit against BC Hydro, alleging installation of the high-tech devices has led to thousands of health, safety and privacy concerns over the last two years.   The group estimates that some 200,000 homes would switch back to analog meters if they had the choice. The coalition’s lawyer is now collecting signatures online for the class action lawsuit, which they plan to file in court in the near future. BC Hydro spokeswoman Cindy Verschoor says Stutters’s new analog meter isn’t approved for use in Canada and if something went wrong it could be liable. The only meters BC Hydro does approve are the smart meters, she said. “In cases where a meter’s expiration date is up or the meter is broken, B.C. Hydro has always had to replace the meter with a new meter,” said Verschoor. B.C. NDP Leader Adrian Dix has promised to submit the smart meter program to an independent review if he’s elected premier. [Source]

CA – BC Homeless People Deserve Privacy Too, Says Advocate

An agency that helps homeless people is waging a battle with government agencies over how much personal information to share about its marginalized clients. The Lookout Society, which receives funding for a New Westminster transition house from Fraser Health, is upset the health authority wants details about the residents, including their names, from the agency’s electronic database. The health authority stated it wanted the information to track services clients receive from the agencies it funds, as well as to monitor their progress. “Sending all of this really personal information to government, which hasn’t got a really good track record of holding this information private, is not in the clients’ best interest,” said Lookout executive director Karen O’Shannacery. “And there is a question of whether we can legally release all that information.” [Source] SEE ALSO: [POLL: Should Alberta health cards include photo ID?]

CA – Competition Bureau Loses its MLS-Access Case Against TREB

The federal Competition Tribunal has dismissed a high-profile case regarding access to MLS data on a technicality and awarded costs to the Toronto Real Estate Board. In a decision released last week, the tribunal ruled the case, which accuses TREB of anti-competitive behaviour, had been initiated by Melanie Aitken, former commissioner of the Competition Bureau, under the wrong section of the Competition Act. The densely written, 7-page decision — reached after more than 8 months of preparation and 2 months of hearings in Toronto last fall — came as a surprise to some close to the complex case. [Source]

Consumer

WW – Microsoft Launches Public Awareness Campaign

Microsoft is introducing a public awareness campaign that includes TV, print, billboard and online ads as well as a quiz to determine consumer attitudes on privacy. The quiz aims to get people talking about their attitudes on privacy. “It assesses how much you are interested in managing access to your information online,” said Mary Snapp, Microsoft corporate vice president and deputy general counsel, adding, “It enables you to talk about privacy choices with your friends and family.” Microsoft is rolling out the campaign in Washington, DC, and Kansas City, MO, where competitor Google “might be exposed,” an Ad Age report notes. [The Washington Post] See also: [Washington Post: As cyberthreats mount, hacker’s conviction underscores criticism of government overreach]

US – The ZIP Code Data Trail

CNN reports on the data trail established when consumers willingly give their ZIP code to offline retailers when making a purchase. The combination of a name—given during a credit card purchase—and a ZIP code can help data brokers link a consumer’s purchasing habits with publicly available records for the purposes of targeted advertising. Privacy Rights Clearinghouse Director of Policy Paul Stephens said, “For the majority of the country, the ZIP code is going to be the piece of the puzzle that is going to enable a merchant to identify you.” The Massachusetts Supreme Court recently ruled that ZIP codes are personal information, preventing retailers from asking for ZIP codes for marketing purposes. [CNN]

US – Survey Shows Consumers Want Some Targeted Ads

A Digital Advertising Alliance (DAA) survey has shown that nearly 70 percent of respondents would like at least some targeted advertisements. “It’s unfortunate that targeted advertising has been conflated with all kinds of privacy fears,” said DAA Managing Director Lou Mastria, adding that he hopes the study will inform the debate surrounding the necessity of legislation. “We asked real specific questions about the real-world proposition, the value exchange between advertising and the experience on the Internet,” he continued. “And that yields clear answers.” However, Annenberg School of Communications Prof. Joseph Turow analyzed the poll and expressed doubts over the validity of results. [Ad Week]

WW – Study Shows Major Generational Divide On Online Privacy Attitudes

A study published this week by the USC Annenberg Center for the Digital Future found that young adults don’t care as much about online privacy as older Internet users. Individuals between the ages of 18 and 34, known as Millennials, were found to be more willing to hand over their personal data or web behavior to online businesses. Although 70% of young adults agreed that companies should never be allowed to access their personal data, compared to 77% by those older than 35, Millennials were more willing to give up some privacy if they benefited from it, such as receiving coupons or other business deals. More than half of Millennials surveyed said they would be willing to trade personal information for something in return, compared to just 40% of those aged 35 and older. Both age groups agreed, however, that personal data being used for targeted advertisements was a concern. Only 25% of young adults agreed with targeted ads, compared to 19% of Internet users age 35 and older. “Online privacy is dead — Millennials understand that, while older users have not adapted,” said Jeffrey I. Cole, director of the USC Annenberg Center for the Digital Future. “Millennials recognize that giving up some of their privacy online can provide benefits to them. This demonstrates a major shift in online behavior — there’s no going back.”

“We are seeing a whole new set of values driving Millennials in their behavior online,” said Greg Bovitz, president of Bovitz Inc, co-publisher of the study. “The fact that Millennials are willing to part with personal information creates new opportunities for businesses to develop marketing models that capitalize on the wants of this generation of Internet users.” [Source]

CA – Bank Fraud, Computer Security Top Survey of Canadians’ Privacy Concerns

Canadians feel the grip on their privacy slipping away in a world where web sites, mobile devices and even eyes in the sky can track their every move, a new poll suggests. A growing unease over how well personal information is safeguarded is among the findings of a newly released survey commissioned by the federal privacy watchdog. The poll suggests two-thirds of Canadians are concerned about the protection of their privacy — with a quarter of respondents saying they are “extremely concerned.”  Many Canadians feel a growing sense of helplessness when it comes to protecting their privacy. Seven of every 10 people think their personal information has less protection today than it did a decade ago. More than half of those surveyed felt they did not know enough about new technologies to determine if their privacy is at risk. The survey also suggests most Canadians are concerned about bank fraud, credit-card fraud, computer security and identity theft. Despite these concerns, the poll found most Canadians remain largely unaware of their privacy rights. Some 63% rated their knowledge of privacy laws either low or in the neutral range. That said, Canadians’ knowledge of their privacy rights is higher now than in previous years, the survey suggests. [Source]

E-Government

US – CFPB Head Defends Consumer Data Collection Plan

Testifying at a Senate Banking Committee hearing, U.S. Consumer Financial Protection Bureau (CFPB) Director Richard Cordray defended his agency’s data collection plans. He said the data collected is not privacy-invasive and parallels techniques already used in the private sector. “The big banks know more about you than you know about yourself,” Cordray said, “And me, too, as a consumer.” The CFPB is currently collecting data from credit bureaus and requesting large amounts of data from major banks in order to improve the agency’s rule-writing and supervisory work, the report states. Sen. Mike Johanns (R-NE) said, “To many people, this is going to sound downright creepy.” Cordray said, “The notion that we’re tracking individual consumers or invading their privacy is quite wrong.” [Bloomberg]

US – US Amasses Big Data on 10 Million People; Banks Protest

The new US consumer finance watchdog is gearing up to monitor how millions of Americans use credit cards, take out mortgages, and overdraw their checking accounts. Their bankers aren’t happy about it. The Consumer Financial Protection Bureau is demanding records from the banks and is buying anonymous information about at least 10 million consumers from companies including Experian. While the goal is to sharpen enforcement and rule-making, banking executives question why the bureau is collecting so much without being more specific about the benefits. [Source]

E-Mail

US – IRS Will Obtain Warrant Prior to E-mail Access

In response to news last week that the Internal Revenue Service (IRS) does not obtain warrants prior to accessing suspects’ electronic communications, IRS Acting Commissioner Steven Miller said the no-warrant policy for e-mails will be abandoned. Testifying in front of the Senate Finance Committee, Miller said it’s currently the IRS’s policy to get a “search warrant in advance” of accessing a suspect’s e-mail, but he said he didn’t know if that policy extended to other electronic communications such as Facebook or Twitter. [CNET News]

Electronic Records

US – New HIPAA Rules Create New Responsibilities

With the final omnibus HIPAA and HITECH rule released by the Department of Health and Human Services in January, there are new concerns for healthcare privacy. Business associates and subcontractors can now be held directly liable for any breach of personal health information (PHI) and are now responsible for breach reporting. Breach documentation must be maintained for six years, and there are new limits on use and disclosure of PHI. Bowen writes that “adherence to HIPAA must be an ongoing, full-time effort,” and “privacy is not a one-and-done; it must become part of the fabric of your organization.” [Becker’s Hospital Review]

Encryption

US – Judge Will Not Force Man to Decrypt Hard Drives

A federal judge in Wisconsin said that forcing a suspect to decrypt his hard drives would violate his Fifth Amendment right against self-incrimination. Judge William E. Callahan called the decision a “close call.” [Ars Technica] [WIRED] [Text of Ruling]

EU Developments

EU – Committee Votes Down PNR Bill

The EU Parliament’s Civil Liberties Committee voted against plans for sharing airline passenger data among EU nations. The plans call for a passenger name registry, similar to a current agreement with the U.S., that would share the names, contact details and payment data of passengers. Dutch MEPs Sophie In’t Veld and Jan Philipp Albrecht welcomed the vote, the report states, noting that citizen rights and the rule of law had been considered first. UK MEP Timothy Kirkhope said the vote was “irresponsible” and accused other MEPs of putting “ideological dogma before a practical and sensible measure that would have seriously assisted our fight against crime and terror.” BBC News provides video of the Parliamentary debate. [PCWorld] [EU parliament committee votes against air passenger data sharing bill]

EU – Coalition: Revised Law Would Undermine Privacy

A coalition of international civil liberties groups is contending that proposed changes to the EU’s data protection regulation “would strip citizens of their privacy rights.” The move to create one regulation to replace the existing data protection laws in the EU’s 27 member states “obviously requires compromise, but many parliamentarians report never seeing lobbying on such a scale before,” the report states, noting the civil liberties coalition, which includes such groups as EDRI and Privacy International, has set up a website “to help concerned citizens contact their representatives in the Parliament.” [IDG News Service]

EU – EDPS Hustinx Outlines Road Ahead for Regulation

As the opening speaker at the IAPP Europe Data Protection Intensive in London, European Data Protection Supervisor Peter Hustinx laid out his predictions for what the much-anticipated EU privacy regulation would finally look like when adopted. Confident that it would meet deadline and be in place by the spring of 2014, Hustinx said, “my impression is that there is a basic consensus that the current architecture of the regulation is the right one…Now the focus is on getting it right, and the key word there is balance.” [IAPP Privacy Advisor]

UK – Former ICO Wants Rewrite of Chapter IV

Noting the prescriptive and inflexible nature of the EU’s draft data protection regulation, Former UK Information Commissioner Richard Thomas used his keynote address here at the IAPP Data Protection Intensive in London on Thursday to outline an alternative framework that would focus more simplistically on outcomes, provide incentives for regulatory requirements and allow for as much self-enforcement as possible. [Source]

EU – Privacy Regulators Criticize Companies’ Tactics

Criticism has been levied by German data protection regulators on Google and Facebook in light of investigations into the companies’ privacy practices. Regulators said the companies have used “delay tactics” and have exercised “impertinent” behavior during the probes, the report states. Federal Data Protection Commissioner Peter Schaar said “Google will keep making attempts to delay investigations through continuous correspondence and always freshly repackaging arguments.” Google was fined by Hamburg’s data protection commissioner earlier this week. A German appeals court has also rejected an attempt by Schleswig-Holstein Data Protection Commissioner Thilo Weichert to require Facebook to allow users to register under pseudonyms. Facebook said, “We’re seeking to have a constructive dialogue with all groups, also with our greatest critics.” [Bloomberg]

EU – Hustinx Outlines Road Ahead for Regulation

As the opening speaker at the IAPP Europe Data Protection Intensive in London, European Data Protection Supervisor Peter Hustinx laid out his predictions for what the much-anticipated EU privacy regulation would finally look like when adopted. Confident that it would meet deadline and be in place by the spring of 2014, Hustinx said, “my impression is that there is a basic consensus that the current architecture of the regulation is the right one…Now the focus is on getting it right, and the key word there is balance.” [Source] See also: [Vodafone’s Deadman: Show Us the Carrots]

EU – Working Party Dislikes EC’s Impact Assessment Template

The Article 29 Working Party has criticized the European Commission’s recommended template for data protection impact assessments (DPIA) on smart meter use. “The submitted DPIA Template does not directly address the actual impacts on the data subjects, such as, for example, financial loss resulting from inaccurate billing, price discrimination or criminal acts facilitated by unauthorized profiling,” said the Working Party. Smart metering is due to take effect in the UK in 2014, but privacy concerns have been raised. [Out-Law.com] [The Working Party’s opinion]

US – FTC’s Brill Looks to Smooth EU-U.S. Privacy “Rift”

The Wall Street Journal reports on comments made in Brussels by FTC Commissioner Julie Brill. “I don’t want to say there’s confusion about the U.S. privacy regime,” Brill told reporters, “but there does seem to be a lack of understanding about how robust it is and how much enforcement work we actually do and how strong the laws are that we do have in sensitive areas.” Brill noted, “Last year we issued what I call our big privacy rethink…Many of the principles we talked about are actually reflected in the proposed EU regulation.” Facebook Chief Operating Officer Sheryl Sandberg said, “I believe there is a perception and fear that because we are American we don’t take privacy as seriously as Europeans do…If there is a single American who cares as much about privacy—just one—as someone in Germany, then we have to understand it.” [Source]

EU – Vote on Regs Delayed Until Late May

A final vote on the EU data protection proposal was scheduled to take place this week, but the Civil Liberties, Justice and Home Affairs Committee (LIBE) has postponed it until May 29-30. Industry is lobbying heavily against the proposal, which they say will stifle business and innovation in member states. John Pooley, of specialist agency the Data Partnership, says the proposed changes “will render both targeting and analytics and almost anyone currently engaged in digital marketing to have to review their current practices.” The delay is being attributed to an effort to concentrate on the fallout over the banking crisis in Cyprus, the report states. [Marketing Magazine]

Facts & Stats

US – The Consumer Cost of a Data Breach

New research has revealed the consumer costs of last year’s breach of the Utah Department of Health. On average, according to Javelin Strategy & Research, “each incident will result in more than $3,300 in losses” and each victim “will spend about 20 hours and $770 on lawyers and time lost from work to resolve the case.” Meanwhile, Bloomberg reports that more clinics and hospitals are investing in biometric technology—such as iris scans—to improve patient safety and curb identity theft. U.S.-based data breaches may have cost the healthcare industry as much as $7 billion a year, according to a Ponemon Institute study. [The New York Times]

Filtering

JP – Japan’s National Police Wants ISPs to Block Tor for Those Who “Abuse” It

Japan’s National Police Agency (NPA) may begin asking ISPs there to block Tor, a network that helps people anonymize their online activity. (Tor stands for The Onion Router). The ISPs would be asked to block people’s use of Tor if those people had been found to be abusing the network. Japanese police were thwarted in their efforts to nab a cybercriminal because he used Tor. The NPA’s plan comes in response to a recommendation from a panel brought together to help decide how to fight crime that is committed with the help of Tor. [ArsTechnica] [BBC] [The Register]

Finance

CA – Digital Cash Replacement from Royal Canadian Mint in the Works

Secure chips have already made it into our credit and debit cards. Next up, they could replace pocket change. The Royal Canadian Mint has been pushing forward with its “MintChip” prototype, a digital cash replacement aimed at transactions under $10, since it surfaced a year ago. The Crown corporation is factoring in developer feedback, hiring a product manager and consulting with the financial sector. MintChip, as envisioned, could enable paying someone back by tapping phones together, scanning a QR code to donate to charity, or clicking to spend cents on an online article. However, it’s not known when — or even if — the MintChip will be released into circulation. A Finance Department official said the Crown corporation is consulting with the federal government on potential next steps, and currency changes can require legislative approval. To even attempt to create such a system sets Canada apart from other countries, said electronic transaction specialist Dave Birch. “To the best of my knowledge, Canada is the only mint that’s seriously experimenting with this sort of thing,” he said. [Source]

FOI

WW – Increase in Content Removal Requests from Governments

According to Google’s most recent transparency report, the company received more requests from governments to remove content in the last six months of 2012 than during any previous six-month period for which records have been kept. Between July and December 2012, Google received 2,285 requests from governments around the world to remove a total of 24,179 pieces of content. The figures for the first half of 2012 were 1,811 requests to remove 18,070 pieces of content. Many of the requests came from governments seeking the removal of content critical of government officials. Google does not automatically comply with content removal requests, but instead scrutinizes the legality of requests and considers each request’s scope. [CNet] [ZDNet] [Google’s Transparency Report]

US – Will Public Release of Privacy Audits Become the Norm?

Last week, Facebook released some details of its FTC-mandated, independent privacy practice audit. This Privacy Perspectives blog post looks into why this could be good for the privacy profession. [Source] [Source] [New York Times: Privacy Practices Up-to-Par, Facebook Audit Reveals]

US – Facebook: Audit Finds Privacy Practices Sufficient

Facebook says that an independent audit found its privacy practices sufficient during a six-month assessment period that followed a settlement with federal regulators. Facebook Inc. said it submitted the findings to the FTC. The audit was a required part of the social networking company’s settlement with the FTC last summer. The settlement resolved charges that Facebook exposed details about its users’ lives without getting the required legal consent. Facebook provided a copy of its letter to the FTC, along with a redacted copy of the auditor’s letter, to The Associated Press two days later. The redacted portion contains trade secret information and does not alter the auditor’s findings, the company said. The audit, which found that Facebook’s privacy program met or exceeded requirements under the FTC’s order, covered written policies as well as samples of its data. “We’re encouraged by this confirmation that the controls set out in our privacy program are working as intended,” said Erin Egan, Facebook’s chief privacy officer for policy, in an emailed statement. “This assessment has also helped us identify areas to work on as Facebook continues to evolve as a company, and improve upon the privacy protections we already have in place. We will keep working to meet the changing and evolving needs of our users and to put user privacy and security at the center of everything we do.” Facebook did not disclose the full, 79-page report or specific details on shortcomings in its privacy practices that were revealed by the audit. Spokeswoman Jodi Seth said Facebook declined to disclose such details “based on contractual obligations and the possibility of security and competitive vulnerabilities.” The company has asked the FTC to keep the redacted information private, saying it would put it and its auditor at a competitive disadvantage and because it could reveal possible limitations of its privacy program. The name of the accounting firm is also redacted but that information will be released when the FTC responds to the audit. [Source]

Genetics

US – ‘Biobank’ Bill Threatens Genetic Privacy

Minnesota health officials have built an unauthorized state biobank of DNA and health data on individuals. They admitted in testimony to the Legislature that the Minnesota Department of Health has been collecting genetic information for decades without specific legislative authority. They now want the Legislature to retroactively legalize what they did — and let them keep doing it into the future. The department’s biobank legislation — wrapped into the omnibus data practices bills, H.F. 695 and S.F. 745 — is ready for a floor vote in the Minnesota House and Senate. [Source]

Google

WW – Google’s Predictive Search Comes to iPhone, iPad

Google’s predictive search feature, Google Now, uses the cache of data Google stores on individual users to target them with the information it deems most relevant to their needs at any given moment. The feature was rolled out for iPhones and iPads this week and is based on users’ search histories, location information and Gmail confirmations for flights, hotel bookings or restaurants, for example. “We’re providing answers before you’ve even asked the question,” said Google’s director of product development. [CNN] SEE ALSO: [Book Review: The New Digital Age: Reshaping the Future of People, Nations and Business]

EU – Google Chiefs to Face Prosecutorial Appeal in Video Case

Google’s Senior Vice President David Drummond, Chief Legal Officer Peter Fleischer and Chief Privacy Counsel George Reyes head back to Italy to face an appeal brought by the prosecutor of a 2010 case over alleged privacy offences involving a video posted to the now-defunct Google Video service. The executives were originally given suspended six-month sentences, which were then overturned. The report states the prosecutor will now appeal the case to the Italian Court of Cassation arguing that employees can be responsible for content uploaded by users and that services should be responsible for pre-screening user-created content. [PCWorld]

EU – 145,000-Euro Fine for Google

Hamburg authorities have fined Google 145,000 euros for collecting data from unsecured wireless networks while collecting photos for its Street View services. Google has said the collection was a mistake and the company never analyzed the information, which it has expunged. But Hamburg Data Protection Commissioner Johannes Caspar said, “In my opinion this case constitutes one of the biggest known data protection violations in history,” noting that by law, the maximum fine his office can levy for an accidental violation is 150,000 euros. [The Economic Times] [Google Fined a Pittance for Street View Data Collection: CNet | BBC | ComputerWorld | v3.co.uk]

WW – Google Play Store Changes Content Policy

The Google Play Store has changed its Content Policy to require that developers not update apps outside of the store. Specifically, “an app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play’s update mechanism.” Apps that do not abide by the new requirement will be labeled “dangerous products” and may be removed from the store. The policy change may have been prompted by Facebook’s introduction last month of a silent update feature for Facebook for Android. [CNet] [Ars Technica] [ZDNet] [h-Online]

WW – BadNews Malware Snuck Into Google Play Apps

Malware known as BadNews has been downloaded from Google Play at least two million times. BadNews was found to have been hidden in at least 32 separate apps from four different developers. The malware was added to the apps after they had been submitted to Google Play. Infected Android devices connect to remote servers every four hours to send harvested data, including device phone numbers and unique serial numbers. The remote servers also instruct infected devices to install a Trojan horse program called AlphaSMS that sends text messages to numbers that incur charges. Google has removed the infected apps. [The Register] [ArsTechnica] [SC Magazine] SEE ALSO: [Facebook Used to Market Banking Trojans]

US – ACLU Files Complaint With FTC Over Android Security Updates

The American Civil Liberties Union (ACLU) has filed a complaint with the US Federal Trade Commission (FTC) asking that the agency investigate major wireless phone service carriers for failing to deliver updates for known security issues in the Android operating system. The complaint alleges unfair and deceptive business practices for failing to distribute the patches and failing to inform customers that their devices are vulnerable to attacks. While Google has issued updates for the flaws, the carriers have not pushed them out in a timely manner. Apple issues its own updates for its phones, but individual carriers bear the responsibility of pushing out Android fixes. [WIRED] [h-Online] [ArsTechnica] [Washington Post] [Text of Complaint]

US – Google Wallet Update Upsets Privacy Advocate

Google’s update to an e-commerce tool used by vendors to manage sales is merely for show, charges a consumer advocacy group, which adds that the company should be more clear about its privacy policies. The update, used in conjunction with Google Play and other services, displays less of a customer’s personal information to the vendor than the previous iteration. The update to the e-commerce tool is rolling out to vendors now and over the next few weeks. But consumer advocacy site Consumer Watchdog says Google’s move is not an “actual” change, and it’s demanding more privacy policy accountability from Google. John Simpson, Privacy Project director at Consumer Watchdog, described his organization’s complaints from February and March filed with the U.S. FTC and the California Attorney General’s office about the Google Merchant Center. “Google was passing on the name, address, and e-mail address of the app buyer. We alleged that it violated policy law and the Buzz agreement.” “Google is a serial privacy violator,” said Consumer Watchdog’s Simpson, adding that Google’s “statement is pure bafflegab.” [Source]

WW – Google Releases Glass App Developer Guidelines

Google has released “extensive” guidelines for software developers aiming to build apps for the company’s wearable, Internet-connected glasses. According to the report, the guidelines are “much more restrictive” about Google Glass than has been the case with other products because of perceived consumer privacy concerns. Developers cannot sell ads, collect user data or share data with ad companies. A Forrester analyst said, “What we find is the more intimate the device, the more intrusive consumers perceive advertising is.” Google said to developers, “Be honest about the intention of your application, what you will do on the user’s behalf and get their explicit permission before you do it.” [The New York Times] See also: [What is the proper etiquette for Google Glass in a public bathroom? Nothing, really, according to Scoble]

Health / Medical

US – Parents Say HIPAA Risks Public Safety

Parents say there are risks to public safety when it comes to HIPAA privacy standards. At a recent hearing at the House Oversight and Investigation Subcommittee of the Energy and Commerce Committee, parents articulated concerns about HIPAA’s “limiting nature.” One parent, whose son died of a heroin overdose, testified that HIPAA rules prevented him from obtaining his child’s medical data—data that could have contributed to the child’s wellbeing. Some experts say the problem isn’t with HIPAA but with how some organizations interpret it, the report states. [HealthIT Security]

Horror Stories

CA – More Than 3,000 Gov’t Breaches in 10 Years

Documents tabled in Parliament this week show that the federal government has experienced more than 3,000 data and privacy breaches in the past 10 years, affecting more than 725,350 Canadians. Less than 13 percent of those breaches were reported, prompting NDP critic Charlie Angus to say, “As a standard, we should involve the privacy commissioner when Canadians’ privacy is breached,” noting that there may have been circumstances when Canadians were put at risk and not informed. [PostMedia] [Geist: Thousands of government breaches point to need for reform] [Public data breaches at all-time high] See also: [CA: IIROC broke own rules by losing private data — can we believe its explanation?]

US – Health Info Breach at 911 Center

A 911 emergency dispatch center in Monroeville, PA, is notifying all users of the service in 2012 or 2013 that they should “take all necessary steps to make sure that all your personal information is safe and secure.” A complaint alleges the center e-mailed personal information to a former police chief and allowed callers’ medical information to be anonymously accessed using generic user names and passwords. An investigation into the breach is underway, but investigators do not yet have “any specifics on who had access to the system or the dates the system had been breached.” [Post-Gazette] See also: [NL: Another breach of privacy for Eastern Health]

WW – 50 Million Passwords Hacked

Cyberthieves have breached LivingSocial, accessing the passwords of more than 50 million users. It is not yet known how the attackers breached the systems, but the passwords were salted and hashed, the report states. With the passwords, the hackers potentially had access to user names, e-mail addresses and birthdays; credit card and other financial data were not affected. LivingSocial CEO Tim O’Shaughnessy said the company is “redoubling efforts to prevent any issues in the future.” [PC Magazine] [CNet] [The Register] [ComputerWorld]

US – “Unsecured” E-mails Cause Health Data Breach

A Texas-based hospice center is informing more than 800 patients of a data breach after an employee allegedly sent out at least two “unsecured” e-mails containing sensitive patient information. The e-mails in question included recent referrals and admission activity reports, and compromised data included patient names, referral sources, admission and discharge dates and insurance providers. Hope Hospice discovered the breach during a routine security check and has said employees have since gone through additional training. [Health IT Security]

US – Verizon: One In Five Data Breaches Are the Result of Cyberespionage

IDG News Service reports that Verizon will soon publish its 2013 Data Breach Investigations Report, which compiled information from over 47,000 security incidents and 621 confirmed data breaches. The study explored financially motivated criminal attacks as well as cyber espionage. Analysts noted that in “four out of five breaches, the attackers stole valid credentials to maintain a presence on the victim’s network” and that mobile devices and cloud technologies were not major targets. Meanwhile, the British Department for Business, Innovation and Skills says small- and medium-sized businesses (SMBs) are increasingly the targets of cybersecurity attacks, and it will extend its Innovation Vouchers scheme to SMBs, allowing them to apply for funding to invest in cybersecurity. [PC World]

UK – The Guardian’s Twitter Accounts Hijacked

The same group that hijacked the Associated Press’s Twitter feed last week is now claiming responsibility for taking over Twitter accounts belonging to the UK newspaper The Guardian. The Syrian Electronic Army claims to have taken control of 11 Twitter feeds at the Guardian. The attack occurred over the weekend; as of Monday, Twitter had suspended most of the hijacked Guardian accounts. Following last week’s AP incident, which resulted in a phony tweet claiming that there had been an attack on the White House, Twitter announced that it is conducting internal testing of two-factor authentication. [ZDNet] [InformationWeek]

WW – Twitter Warns News Companies to Improve Security

Twitter has contacted major news organizations around the world, warning them that attacks like those against the Associated Press and The Guardian are likely to continue, and advising them to examine their internal policies for using social media. Twitter made suggestions, such as increasing the strength of account passwords and designating just one computer to use for Twitter. [BBC] [ZDNet]

Identity Issues

US – Professor Re-Identifies DNA Study Volunteers

Working with her research assistant and two students, Harvard Data Privacy Lab Director Prof. Latanya Sweeney scraped data on anonymous volunteers who shared their DNA with the Personal Genome Project, re-identifying more than 40 percent of the sample. Profiles of anonymous participants include information on medical conditions, illegal drug use, alcoholism, depression, sexually transmitted disease and medications, as well as DNA sequences, the report states, noting Sweeney’s team was able to discern identity from ZIP code, date of birth and gender “combined with information from voter rolls or other public records.” Sweeney has set up a website to help individuals determine how easily they could be identified by entering those three pieces of information. [Forbes]
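A release-side check for the linkage risk described in the item above, as an added example that is not from this digest or from Sweeney’s study: it measures how many records are unique on ZIP code, date of birth and gender, and how coarsening those fields changes that. The records, field names and generalization levels are constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample rows (not real people). "zip", "dob" and "gender" are the
# three quasi-identifiers named in the item above; "condition" stands in for
# the sensitive attribute a dataset owner wants to publish.
RECORDS = [
    {"zip": "02138", "dob": date(1961, 3, 14), "gender": "F", "condition": "asthma"},
    {"zip": "02138", "dob": date(1961, 7, 2), "gender": "F", "condition": "diabetes"},
    {"zip": "02139", "dob": date(1961, 11, 30), "gender": "F", "condition": "depression"},
    {"zip": "02139", "dob": date(1964, 1, 9), "gender": "M", "condition": "asthma"},
    {"zip": "02142", "dob": date(1964, 5, 21), "gender": "M", "condition": "hypertension"},
    {"zip": "02138", "dob": date(1975, 8, 17), "gender": "M", "condition": "diabetes"},
    {"zip": "02141", "dob": date(1978, 2, 3), "gender": "M", "condition": "depression"},
    {"zip": "02139", "dob": date(1988, 12, 25), "gender": "F", "condition": "asthma"},
    {"zip": "02142", "dob": date(1983, 4, 4), "gender": "F", "condition": "hypertension"},
]


def exact(rec):
    """No generalization: full ZIP, full date of birth, gender."""
    return (rec["zip"], rec["dob"].isoformat(), rec["gender"])


def by_year(rec):
    """First three ZIP digits, birth year only, gender."""
    return (rec["zip"][:3], str(rec["dob"].year), rec["gender"])


def by_decade(rec):
    """First three ZIP digits, birth decade, gender."""
    decade = rec["dob"].year // 10 * 10
    return (rec["zip"][:3], f"{decade}s", rec["gender"])


def class_sizes(records, key_fn):
    """Count how many records share each quasi-identifier combination."""
    return Counter(key_fn(r) for r in records)


def k_anonymity(records, key_fn):
    """Smallest equivalence class: every record hides among at least k rows."""
    sizes = class_sizes(records, key_fn)
    return min(sizes.values()) if sizes else 0


def unique_fraction(records, key_fn):
    """Share of records that are the only row with their quasi-identifiers,
    i.e. the rows a join against a name-bearing public list could single out."""
    if not records:
        return 0.0
    sizes = class_sizes(records, key_fn)
    return sum(1 for r in records if sizes[key_fn(r)] == 1) / len(records)


def release(records, key_fn, k):
    """Generalize every row and suppress rows whose class is smaller than k."""
    sizes = class_sizes(records, key_fn)
    return [key_fn(r) + (r["condition"],) for r in records if sizes[key_fn(r)] >= k]


if __name__ == "__main__":
    for name, fn in (("exact", exact), ("zip3+year", by_year), ("zip3+decade", by_decade)):
        print(f"{name:12s} k={k_anonymity(RECORDS, fn)} "
              f"unique={unique_fraction(RECORDS, fn):.2f} "
              f"released_at_k2={len(release(RECORDS, fn, 2))}")
```

The k value covers linkage on these three fields only; any other published column that also appears in public records has to be added to the key functions before the number means anything.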

WW – Microsoft to Begin Offering Two-Factor Authentication

Microsoft will start offering two-factor authentication to Microsoft Account users on an optional basis. The scheme will be much like those used by Google, Apple, and Facebook in which accounts are protected with both a password and a one-time passcode sent to users in a text message or generated by an authentication app. Users will have the opportunity to designate certain devices as trusted on which they do not need to use two-factor authentication. [ArsTechnica] [ComputerWorld] SEE ALSO: [Microsoft asks: What’s your online privacy type?]

US – AirBNB Starts Verifying User Profiles

Airbnb, which helps people find vacation rentals all around the world, today will start verifying the identity of all users by asking for their real-life papers, the company announced. Airbnb is asking both travelers and those who have property listings to provide two forms of identification for a new verification process. The company will take people’s IDs from Airbnb reviews and social media sites, like LinkedIn or Facebook, and will ask users to fill in information only they would know or scan a photo ID to confirm a match. For now, the company plans to require 25% of its users in the U.S., chosen at random, to complete the process. It intends to expand the requirement worldwide so that all Airbnb members will be verified. [Source]

Intellectual Property

US – Class-Action Incites Music Industry Privacy Concerns

A proposed class-action lawsuit has some in the music industry concerned that artists’ financial privacy will be breached. The proposed class-action was launched against Universal Music Group (UMG) by two musicians seeking damages based on treating income from online downloads as “sales” instead of “licenses.” The plaintiffs’ lawyers want UMG to disclose download revenue tied to particular artists to calculate potential damages. Lawyers for UMG said, “Under plaintiffs’ proposal, plaintiffs’ attorneys and music-industry professionals could review the private financial information of thousands of recording artists with whom they may have adverse relationships and who have not indicated any desire to be part of any class or to be represented by these attorneys or professionals.” [Hollywood Reporter]

WW – New Media Asset Tracking System Introduced

A media industry organization has announced the results of a two-year study on a new coding system that tracks media assets—from video clips to commercials. The Coalition for Innovative Media Measurement said the system would increase revenue by the billions for media companies and help them determine where, when and how content is viewed. One analytics representative said the system would help advertisers specifically tailor ads and allow media companies “to spend less time putting the data together and more time doing analysis.” Meanwhile, a new survey from the University of Southern California reveals that Millennials—those between the ages of 18 and 34—tend to be more willing to share personal information with marketers, particularly when there’s a relevant exchange of information. [The New York Times]

US – Erroneous DMCA Takedown Notices Problematic (April 22, 2013)

The Fox broadcasting company has sent Digital Millennium Copyright Act (DMCA) takedown notices regarding URLs linking to a novel, written by Cory Doctorow, called “Homeland.” Fox produces a television show with the same name; the two are in no way related. Further complicating matters is the fact that Doctorow published his novel under a Creative Commons license, which means its availability on BitTorrent is completely legal, so Fox’s takedown notices are causing legitimate content to be removed from the Internet. There is little recourse in situations like this. The DMCA requires that the takedown notices be issued in good faith, but it is easy enough to blame the erroneous notices on carelessness. In any case, the party whose content was wrongly taken down can recover only costs and attorney’s fees. [ArsTechnica] [DMCA robo-notices have been problematic for some time. For a hilarious (and terrifying) account of copyright shenanigans and DMCA notices, see: http://dmca.cs.washington.edu ]

Internet / WWW

US – ITA Says Safe Harbor Covers Cloud Technology

The U.S. Department of Commerce’s International Trade Administration (ITA) has published a report saying that U.S. companies’ compliance with Safe Harbor principles guarantees sufficient data protection, regardless of whether outsourcing contracts involve cloud computing. The ITA says because Safe Harbor is binding on all countries in the European Economic Area, EU data protection authorities cannot “unilaterally refuse to recognize Safe Harbor certification as a valid means of demonstrating that a service provider ensures an adequate level of data protection,” contrary to an Article 29 Working Party opinion released last year. One expert suggests the ITA has “not recognized some regulatory burdens facing some clients of U.S. cloud providers.” [Out-Law.com] [Source]

US – FTC Urges States to Look at Data Brokers

In a speech to the National Association of Attorneys General, FTC Commissioner Julie Brill urged states to be more active in investigating data brokers for contravening the Fair Credit Reporting Act. The FTC recently sent out letters warning companies that compile data on individuals’ rental histories. [Lexology]

US – FTC Seeks Input on “Internet of Things”

The FTC is seeking input from the public through June 1 concerning the privacy implications of the “Internet of Things.” The term describes the ability of cars, appliances and medical devices to communicate with each other and people. Ahead of a public workshop to be held in November, the FTC aims to determine how privacy will be balanced with the benefits of such technology, among other concerns. FTC staff seeks input on the privacy and security implications of these developments. 

  • What are the significant developments in services and products that make use of this connectivity?
  • What are the various technologies that enable this connectivity?
  • What types of companies make up the smart ecosystem?
  • What are the current and future uses of smart technology?
  • How can consumers benefit from the technology?
  • What are the unique privacy and security concerns associated with smart technology and its data?  For example, how can companies implement security patching for smart devices?  What steps can be taken to prevent smart devices from becoming targets of or vectors for malware or adware?
  • How should privacy risks be weighed against potential societal benefits, such as the ability to generate better data to improve health-care decision making or to promote energy efficiency? Can and should de-identified data from smart devices be used for these purposes, and if so, under what circumstances? [FTC Press Release]

Law Enforcement

US – Apple, AT&T and Verizon Receive Lowest Marks in EFF Privacy Report

In its annual review of tech companies’ sharing of user data with law enforcement and government, the Electronic Frontier Foundation (EFF) says companies have improved markedly since last year, but the results may still be “sobering.” The EFF grades companies on six categories, including whether they require a warrant to share data, inform users of requests and publish transparency reports. “When you use the Internet, you entrust your conversations, thoughts, experiences, locations, photos and more to companies like Google, AT&T and Facebook,” the EFF wrote. “But what do these companies do when the government demands your private information? Do they stand with you? Do they let you know what’s going on?” [San Francisco Chronicle]

US – Industry, Scholars Back Drone Innovation

The Association for Unmanned Vehicle Systems International has written a letter to Google Executive Chairman Eric Schmidt expressing concerns “that such an influential tech industry executive” would support bottling up a “promising technology.” Schmidt recently expressed concerns about drones. Meanwhile, an op-ed for Wired makes the case for why Americans should not be afraid of drones. George Mason University researchers Eli Dourado, Adam Thierer and Jerry Brito, in a Federal Aviation Administration filing, argue that constraining commercial drones to strict privacy policy requirements is “unwise and premature.” Dourado writes, “It’s true that opening up U.S. airspace…will have some important privacy implications to consider. But it’s even more important that we consider the effect of too-early, heavy-handed regulation on future innovation.” [Bloomberg Businessweek]

US – SCOTUS: Warrant Needed for DUI Testing

The Supreme Court has ruled that in most cases police need to try to obtain a search warrant prior to ordering blood tests for suspected drunk drivers. The court sided with the defense in Missouri v. McNeely, which argued that taking the defendant’s blood without his consent or a warrant violated his Fourth Amendment rights. Justice Sonia Sotomayor wrote that natural dissipation of alcohol in the blood is not generally a sufficient reason to dispense with the warrant requirement. The court did not offer guidance on when police may obtain a blood sample without a warrant, but the report states Justice Anthony Kennedy said an upcoming case may give the court an opportunity to say more. [NPR]

Offshore / Cloud Computing

WW – Former Hosting Provider Allegedly Placed Backdoors on 2,700 Servers

A man who was once employed by hosting provider Hostgator has been arrested and charged with breach of computer security. Eric Gunnar Gisse worked as an administrator at Hostgator from September 2011 through February 15, 2012. He allegedly installed backdoors on more than 2,700 company servers. The day after Gisse was dismissed from his position, officials at Hostgator detected the backdoor application that he had installed. The backdoor was disguised to look like a Unix administration tool. [ArsTechnica]

Online Privacy

WW – Do Not Track Framework Doc Stirs Controversy Ahead of W3C Meeting

There are rumblings within the World Wide Web Consortium (W3C) leading up to next week’s Do-Not-Track (DNT) meeting after a document was distributed among members “rendering the meeting practically moot.” The “Draft Framework for DNT Discussions Leading Up to Face-to-Face” has been called a “framework,” but privacy groups have called it a “proposal” from the Digital Advertising Alliance (DAA). According to the document, DNT would be off by default. W3C Co-Chair Peter Swire said, “As the name states, it is a framework for discussion, to help frame a possible agenda for next week’s face-to-face meeting in California.” DAA Counsel Stu Ingis said the document is the result of input from the DAA, consumer groups and other stakeholders. “It’s hard for stuff to happen if there’s no agenda,” said Ingis, adding, “There are a lot of cats to herd.” [AdWeek]

US – CA Lawmaker Proposes DNT Honesty-Checker

California Assemblyman Al Muratsuchi (D-66th District) has proposed a bill requiring website operators to disclose whether their sites honor consumer requests to disable tracking and if they do not allow third-party tracking of site users. Author Mathew Schwartz calls the bill “a rare note of clarity” in the Do-Not-Track (DNT) debates. Industry efforts stalled last November, causing some members of the Senate Commerce Committee to question their commitment to the initiative. Sen. Jay Rockefeller (D-WV) is pushing for legislation that includes DNT, but not everyone agrees this is the best solution. George Mason University Researcher Adam Thierer says working to educate people while “pushing for greater transparency about online data collection practices” is the right course. [Information Week]

WW – Given “Doxing,” Hackers Need Not Apply

Media reports on the practice of “doxing,” or document tracing. Recently, celebrities have been at the practice’s mercy; Microsoft CEO Bill Gates was recently outed online for having an outstanding debt on his credit card, for example. But doxing data isn’t produced via hacking; it’s “either already public or accessible by, for example, paying an online people-finding service to get a Social Security number and then running a credit check,” the report states. Data is also gleaned from social media sites. One human rights advocate says posting online has widespread implications. “There’s nothing you can do in the electronic world that your boss can’t find and you can’t be fired for,” he said. [NBC News]

US – Sen. Rockefeller On Do-Not-Track, Data Brokers

The data marketing trail is often mysterious and one U.S. senator is working to ensure consumers have legal protections to opt out and correct personal information amassed by data brokers and other online third parties. The range of ways companies gather consumer data—from sweepstakes to online surveys—makes it difficult for users to correct errors in their marketing profiles, the report states. Sen. Jay Rockefeller (D-WV), who recently led a contentious hearing on the current status of Do Not Track, said, “People have the right to be private insofar as it’s possible in the modern world,” though he acknowledged that Do-Not-Track legislation does not address the bigger issue of consumer data collection by data brokers. [The New York Times]

WW – Ramirez: Functioning DNT System “Long Overdue”

In a speech to the advertising industry this week, Federal Trade Commission Chairwoman Edith Ramirez impelled the industry to work with the World Wide Web Consortium to develop a browser-based Do-Not-Track standard. Ramirez’s position surprised attendees by implying that the Digital Advertising Alliance’s (DAA) self-regulatory program doesn’t suffice and championing cookie-blocking initiatives by Mozilla and Microsoft. DAA Counsel Stu Ingis reacted saying, “We keep getting demagogued by the FTC…The DAA’s program covers 100% of the advertising ecosystem,” adding, “The problems have been caused by two browser companies.” Sen. John (Jay) Rockefeller (D-WV) is also pushing for Do-Not-Track and has scheduled a hearing on the issue next Wednesday. [AdWeek]

WW – Flaw in Adobe Reader Tracks Documents

A vulnerability in Adobe Reader could be exploited to track PDF files’ movements. The flaw discloses when and where PDF files are opened and affects all versions of Adobe Reader, including the most recent update (Reader XI 11.0.2). McAfee Labs discovered the flaw and has not provided details because Adobe has not yet released a fix. McAfee also noted that it has detected in-the-wild attacks that exploit the flaw. [ComputerWorld] [v3.co.uk] [SCMagazine]

Other Jurisdictions

US – White House Shifts Stance; FBI Driving Wiretap Bill

The Obama administration is changing its position on the path to creating a critical cybersecurity infrastructure from mandatory standards to a more voluntary approach lined with compliance incentives for private companies. White House Cybersecurity Coordinator Michael Daniel said, “This is a huge focus for my office right now—driving forward and staying on track with the executive order.” The National Association of Federal Credit Unions has urged the Senate to consider cybersecurity legislation. The Post also reports on a government task force crafting legislation “that would pressure companies such as Facebook and Google to enable (FBI) officials to intercept online communications as they occur.” The Center for Democracy & Technology’s Greg Nojeim said the bill is a “non-starter” and added, “They might as well call it the Cyber Insecurity and Anti-Employment Act.” [The Washington Post] [Washington Post: Bringing Wiretap Laws Into the Digital Age]

AU – Privacy Week Sees Calls to Prepare for Changes

At the launch of the Office of the Australian Information Commissioner’s (OAIC) Privacy Awareness Week, Privacy Commissioner Timothy Pilgrim and Australian Attorney-General Mark Dreyfus cautioned businesses to prepare for impending privacy reforms. “Now is the time to change existing systems and practices…The sooner these changes are embedded, the easier it will be to comply with the new measures in March 2014,” Dreyfus said. The OAIC has released guidance to help covered entities better protect personal information. While not binding, Pilgrim said the guidelines send a “clear message about my expectations in this area.” A survey commissioned by McAfee found that 59% of employees responsible for managing customers’ personal information were unaware or unsure of the changes. [ZDNet] [Pilgrim: Build privacy into your systems or risk penalties]

Privacy (US)

US – Posner: Privacy Laws Have Little Social Benefit

“There is a tendency to exaggerate the social value of privacy,” writes Judge Richard Posner of the U.S. Court of Appeals for the Seventh Circuit and a senior lecturer with the University of Chicago Law School. Against the backdrop of the Boston Marathon bombings, Posner discusses the balance between privacy and security, asserting that privacy laws don’t “confer social benefits comparable to those of methods of surveillance that are effective against criminal and especially terrorist assaults.” Posner says critics of surveillance ignore deterrence, and while acknowledging issues surrounding government surveillance of digital information, says surveillance technologies are “also used by our enemies. We must keep up.” [New York Daily News]

Privacy Enhancing Technologies (PETs)

US – Start-Up Lets Users Track Who Tracks Them

A start-up based in Palo Alto, Calif., Disconnect, which helps you track who is tracking you online, this week released its latest tool to help safeguard your browsing history. Its new browser extension works on Chrome and Firefox browsers and is meant to block an invisible network of around 2,000 separate tracking companies. The new Disconnect filter is part of an emerging crop of privacy tools aimed at tech-savvy consumers who want to protect personal data online. Most of these companies – Abine and Ghostery are others – offer at least a basic version of their product free and charge for more advanced versions. Disconnect is offering its filter on a sliding scale. [Source]

RFID

US – Student Attendance Program Raises Concerns

A pilot program in Georgia designed to track children on their way to school using Radio Frequency Identification (RFID) technology is raising concerns among some privacy advocates. The pilot program was announced by East Coast Diversified, a company that specializes in “student transportation and class attendance management systems.” Andrej Jeremic, director of marketing and business development for the company, said, “We don’t track students…We watch for anomalies.” A similar program has been scrutinized in Texas. A representative from the Electronic Privacy Information Center said, “What you’re doing is telling kids it’s normal to be tracked.” [International Business News] SEE ALSO: [RFID Helps Make Marriage Special]

CA – Smartphones Easily Skim Credit Card Information: CBC Investigation

A technology designed to make it easier to pay with your credit card may be putting Canadians at risk of fraud and identity theft, say security experts. Many new credit and debit cards come with chips that allow customers to tap the card to make a purchase. The chips are read by payment machines, used in many retail outlets, and are supposed to be a safe and convenient way to pay for goods. But the chips can also be read with a device millions of Canadians carry with them every day: a smartphone. Using a Samsung Galaxy S3 — one of the most popular smartphones available in Canada — and a free app downloaded from the Google Play store, CBC News was able to read information such as a card number, expiry date and cardholder name simply holding the smartphone over a credit or debit card. The information could be read through wallets, pockets and purses. Google did not comment on the apps used by CBC in its investigation, but said in an email it would remove any app that violated Google’s developer distribution agreement or content policies. However, the apps tested by CBC were still available following Google’s comments. [Source]

Security

US – NIST Releases “Major Revision” of SP 800-53, Emphasizes Privacy

In what the National Institute of Standards and Technology describes as its most significant revision of the U.S. federal government’s foundational computer security guide since it was first released in 2005, eight new families of privacy controls, based on the internationally accepted Fair Information Practice Principles, have been added. Security and Privacy Controls for Federal Information Systems and Organizations, known generally as SP 800-53, now includes an Appendix J, the Privacy Control Catalog, and the name of the document as a whole now has “privacy” in it for the first time. [NIST]

WW – Study Says Home Routers Vulnerable to Attacks

Many widely used home routers are easy to hack into, according to a study by a company called Independent Security Evaluators. A test found 13 of the most popular home routers had easily remotely exploitable vulnerabilities that could be used to snoop on or modify network traffic. All of the routers tested were using the most recent firmware and were tested with their out-of-the box default configurations. [CNet] [ComputerWorld]

WW – Reputation.com Hit by Security Breach

Reputation.com, a company whose business it is to manage its customers’ online reputations, has acknowledged that it suffered a data security breach. The company has sent email notifications to its customers. The compromised information includes names, email and physical addresses, and employment information. Some customers’ encrypted user passwords were compromised as well. The company reset user passwords. Experts note that users should not be reassured by companies’ assertions that salted passwords are unlikely to be cracked. Cracking techniques are improving and salting does not hinder the task of cracking for just one password, so if it’s a particularly valuable password, the time spent cracking it is well spent. [SC Magazine] [LA Times] [ArsTechnica]

WW – Targeted Cyberattacks Jump 42% in 2012, Symantec Says

Internet users are seeing less spam but more targeted attacks, according to security software company Symantec. Looking at last year’s security landscape, Symantec’s Internet Security Threat Report 2013 found that traditional spam accounted for 69% of all e-mail in 2012, down from 75% in 2011. Yet, 30 billion spam messages are still sent on a daily basis. Junk e-mails that hawk sex or dating products and services now account for 55% of all spam, taking the top spot away from pharmaceutical spam. Malware is also part of one out of every 291 e-mail messages, with 23% of those malware-carrying messages offering links to malicious Web sites. Around 247,350 malware attacks were blocked every day in 2012, according to Symantec, a 30% jump over 2011. Last year also saw a 42% rise in the number of targeted attacks, averaging around 116 per day, triggering a comparable increase in data theft and acts of industrial espionage. Small businesses with fewer than 250 employees were fingered in 31% of those attacks in 2012. Symantec believes smaller businesses are targeted because many of them don’t have the stronger security employed by larger firms. More cybercriminals are using a special type of targeted cyberattack known as a “watering hole attack,” Symantec noted. The attackers infect a Web site that their targeted victims are apt to visit, exposing the victims to malware as soon as they access the site. Mobile malware attacks grew by 58 last year, compared with 2011, according to the report. Apple’s iOS was hit by 387 vulnerabilities, much higher than the 13 recorded for Android. Yet Google’s mobile OS accounts for a greater percentage of threats due to its larger market share, open platform, and multiple app distribution methods, Symantec said. Symantec’s Internet Security Threat Report 2013 captured information from more than 69 million attack sensors across 157 different countries. [Source]

Surveillance

CA – Researcher: Internet of Things Is “Bit of a Wild West”

The growth of Internet-connected devices is known as “the Internet of Things”—washing machines, overhead lights, smart scales and more that can all be controlled by owners’ mobile devices. The Organisation for Economic Co-operation and Development estimates the average household with two teenagers will own around 50 Internet-connected devices by 2022. “The vast majority of the future devices of this type don’t exist today,” says Stephen Prentice of Gartner. “If you can measure it, then someone is going to have a device to do that and someone will find a use for that data.” Prentice cautions that the regulatory environment isn’t keeping pace with technology, saying, “At the moment, it’s a case of buyer beware.” [The Globe and Mail] SEE ALSO: [Opinion – The Internet of Things and a Balanced Approach to Regulatory Intervention] and [2012 EU Public Consultation] AND [Indirectly connected to The Internet of Things]

US – Judge Denies FBI Permission to Install Software on Suspect’s Computer

The FBI may not install specialized surveillance software on a suspect’s computer, according to a ruling from a federal magistrate judge. Judge Stephen Smith said that the order requested by the FBI was too broad and too invasive. The FBI had sought permission to install specialized software on a computer used by the suspect; the software “has the capacity to search the computer’s hard drive, random access memory, and other storage media; to activate the computer’s … camera; to generate [location] data for the device; and to transmit the extracted data to FBI agents.” The judge also took the FBI to task for failing to specify how the operation would be certain to target the suspect and no one else. [ArsTechnica] [ComputerWorld]

WW – Technology Aids Investigations, But at What Cost?

In the aftermath of the Boston Marathon bombings, experts are examining the use of video surveillance and analysis to solve crimes. While technological advances and government use of surveillance enables faster identification and tracking of individuals, the debate over how to balance privacy rights with the needs of authorities continues. Some are concerned that data collected for one investigation—or even for an entirely different purpose, like applying for a license—will be retained and used in unrelated investigations. Some European regulators have expressed discomfort with the level of surveillance in the U.S. “Surveillance doesn’t give more security. That’s our experience,” said Schleswig-Holstein Data Protection Commissioner Thilo Weichert. [The Wall Street Journal]

UK – Group Challenges Gov’t Over Spyware Investigation

Human rights group Privacy International has announced it is challenging the British government for unlawful conduct during an investigation into the export of surveillance tool FinFisher. The tool is designed to monitor communications and collect hard drive data and is capable of conducting live surveillance via webcams. Privacy International says Her Majesty’s Revenue and Customs (HMRC) illegally declined to provide information related to its investigation of the technology’s shipment to countries with “poor human rights records.” The group has filed a judicial review application at the High Court in London. If the legal action is successful, “it could set a precedent for other cases in the UK.” [Slate]

US – DOJ Granted Immunity to ISPs Participating in Threat Monitoring Program

According to documents obtained by the Electronic Privacy Information Center (EPIC) through a Freedom of Information Act (FOIA) request, the US Justice Department granted some Internet service providers (ISPs) immunity from prosecution for their participation in a communications monitoring and interception program. The program, originally known as the Defense Industrial Base Cyber Pilot project, was designed to monitor traffic for indicators of cyberthreats and use the information to help protect systems from cyberattacks. Participation was initially limited to certain defense contractors and their ISPs, but has since been expanded to include all sectors of critical infrastructure. The DOJ provided the ISPs with “2511 letters,” granting them immunity for the monitoring activity. [CNet] [WIRED]

US Government Programs

US – Foreign Intelligence Surveillance Court Approved All Requests in 2012

The US Justice Department sent a report to Senate Majority Leader Harry Reid (D-Nevada) detailing certain activity of the Foreign Intelligence Surveillance Court. In 2012, the court approved every request it received to authorize physical searches or surveillance of people within the US “for foreign intelligence purposes.” There were 1,856 requests in all. [WIRED] [WIRED]

US Legislation

US – Rockefeller: Ad Industry ‘Dragging Its Feet’ On Do-Not-Track

Senate Commerce Committee Chairman Jay Rockefeller (D-WV) had blunt words for the online advertising industry at a hearing on Do-Not-Track (DNT) legislation yesterday. “There’s a broad feeling that the advertisers and data brokers are just dragging their feet,” he said, adding, “And I believe they’re doing it purposely.” In his call for DNT legislation, Rockefeller said he doesn’t believe “companies with business models based on the collection and monetization of personal information will voluntarily stop those practices if it negatively impacts their profit margins.” Digital Advertising Alliance Managing Director Lou Mastria said the previous DNT agreement was “short-circuited” by recent privacy decisions by at least two browser-makers. In a column for Wired, W3C Co-Chair Peter Swire warned of a looming “digital arms race” that could have damaging effects for everyone involved. The solution? “The same way we defuse any other arms race,” Swire wrote, “through negotiation.” [MediaPost]

US – Officials: Privacy Concerns Will Kill CISPA

“The Senate will almost certainly kill a controversial cybersecurity bill, recently passed by the House,” due to privacy concerns, a report states, citing a Senate committee aide. Senate Committee on Commerce, Science and Transportation Chairman Jay Rockefeller (D-WV) has said the privacy protections in the Cyber Intelligence Sharing and Protection Act (CISPA) are “insufficient,” the report states, noting the White House has also said President Barack Obama will not sign the bill. The House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies heard testimony from privacy experts including Mary Ellen Callahan, CIPP/US, and Harriet Pearson, CIPP/US. Meanwhile, the Department of Homeland Security is also preparing to “deploy a more powerful version” of its EINSTEIN intrusion-detection system, but COMPUTERWORLD reports its deep inspection packet technology is raising “serious privacy concerns.” [ZDNet]

US – House Passes CISPA

The U.S. House of Representatives Thursday passed a version of the Cyber Intelligence Sharing and Protection Act (CISPA). The bill aims to encourage the sharing of threat data between the government and private sector. President Barack Obama earlier this week threatened to veto CISPA if it did not include stronger privacy protections. CISPA co-sponsor Rep. Mike Rogers (R-MI) said, “Our goal is to get the Senate to pass a bill…We’d love to get a bill in conference.” An amendment proposed by Rep. Alan Grayson (D-FL) that would have required law enforcement to secure a “warrant obtained in accordance with the Fourth Amendment” prior to searching databases for criminal wrongdoing was not included in the bill. [The Washington Post] [White House Issues Formal CISPA Veto Threat]

US – Advocates Ask FTC to Not Delay COPPA

In response to an industry-backed letter asking the Federal Trade Commission (FTC) to postpone implementation of new COPPA rules for six months, privacy groups on Tuesday urged FTC Chairwoman Edith Ramirez not to delay. Signed by 19 privacy groups, including Common Sense Media and the Electronic Privacy Information Center, the letter to Ramirez said the delay is “unwarranted” and would harm children and “undermine the goals of both Congress and the FTC.” COPPA updates are slated to go into effect on July 1. [AdWeek]

US – FTC Releases COPPA FAQs

The Federal Trade Commission (FTC) has issued Frequently Asked Questions (FAQs) to help clarify changes to the Children’s Online Privacy Protection Act (COPPA) that go into effect on July 1. The FAQs cover enforcement, privacy policies and notifications, geolocation data, verifiable parental consent and COPPA in schools, the report states. The FAQ also includes a list of things that covered entities must do, like post a comprehensive privacy policy, provide direct notice to parents and offer parents the ability to prevent further use or collection of their children’s data. [Forbes]

US – Senate Judiciary Passes ECPA Reform

In a unanimous vote, the Senate Judiciary Committee yesterday passed reforms to the Electronic Communications Privacy Act (ECPA). Called the ECPA Amendments Act, the update would require law enforcement to obtain a warrant prior to accessing a user’s private online content. “After years of work on ECPA reform, the time has come for Congress to enact these common-sense privacy reforms,” Sen. Patrick Leahy (D-VT) said. The Center for Democracy & Technology praised the reform. “With the vote today,” CDT Senior Counsel Greg Nojeim wrote, “Congress took a huge step toward finally updating ECPA to ensure e-mails and documents we store in the cloud receive the same Fourth Amendment protections as postal mail and documents we store in desk drawers in our homes.” [The Verge]

US – Sen. Grassley Signals ECPA Reform Support

Sen. Chuck Grassley (R-IA) signaled support for reforms to the Electronic Communications Privacy Act (ECPA). “I would anticipate this year that there wouldn’t be any problem getting (the bill) out at whatever meeting you want to bring it up,” Grassley told Senate Judiciary Chairman Patrick Leahy (D-VT) at a meeting this week. Leahy said he will bring the “e-mail privacy bill” to a vote at the next committee meeting. “I have long believed that our government should obtain a search warrant—issued by a court—before gaining access to privacy communications,” Leahy said. [The Hill]

Workplace Privacy

US – Does HIPAA Prevent Background Check Compliance?

The Office for Civil Rights has issued an advance notice of proposed rulemaking to address concerns that in some states the HIPAA Privacy Rule may prevent states from “reporting the identities of individuals subject to the mental health prohibitor” to the National Instant Criminal Background Check System (NICS). The notice is an effort to get public input on ways to address these barriers, adding, “In particular, we are considering creating an express permission in the HIPAA rules for reporting the relevant information to the NICS…” [Examiner.com]

US – Wall Street Takes On State Employee Laws

An “unlikely alliance of regulators and industry groups” is seeking to “carve out exemptions” in a slew of proposed state laws barring employers from accessing the social media accounts of employees or applicants. The Financial Industry Regulatory Authority (FINRA) has stated that financial institutions need an avenue to check “red flags” on personal account misuse. The proposed state laws, FINRA argues, could put investors at risk, the report states. FINRA has reached out to lawmakers in approximately 10 states, asking them to include changes to proposed employee privacy legislation. California lawmakers—in whose state the employee privacy law has already gone into effect—“rebuffed requests” by FINRA and other industry groups to include exemptions. Wisconsin is currently considering similar employee legislation. [The Wall Street Journal]

WW – Analyzing Employee Behavior To Inform HR

An emerging field known as workforce science is using Big Data to analyze worker behavior and apply it to human resource management. The field aggregates and analyzes patterns in employees’ digital history as well as personality-based assessments to guide hiring, firing and promotions, raising some questions about worker surveillance, the report states. “The larger problem here is that all these workplace metrics are being collected when you as a worker are essentially behind a one-way mirror,” says Marc Rotenberg of the Electronic Privacy Information Center. [The New York Times] [Additional Reading]

+++

01-15 April 2013

Biometrics

US – EPIC Sues FBI Over NGI Database

The Electronic Privacy Information Center (EPIC) has filed a Freedom of Information Act lawsuit against the Federal Bureau of Investigation (FBI) to get access to documents outlining the “Next Generation Identification” (NGI) database. The database contains biometric identifiers—including fingerprints, DNA profiles, iris scans, palm prints and voice identification profiles—of millions of American citizens. The complaint filed by EPIC stated, “When completed, the NGI system will be the largest biometric database in the world.” The FBI plans to use the database to match information with data gleaned from outlets such as CCTV. [EPIC press release]

CH – Swiss Researchers Investigate Unique Breathprints

Swiss researchers have discovered a way to identify humans through their unique breathprints. In a research paper titled, Human Breath Analysis May Support the Existence of Individual Metabolic Phenotypes, researchers conclude that individual signatures of breath composition exist, suitable enough to identify humans. [Source]

Canada

CA – Revelations Continue in Student Loan Incident

Information continues to trickle in, revealing the true import of the external hard drive loss that has exposed personal information about 583,000 Canadian student loan borrowers. This week the public has discovered the drive also contained business plans and financial information about the Canada Student Loan program, along with “investigative reports” on applicants whose eligibility was questionable. Privacy Commissioner Jennifer Stoddart continues to investigate the data loss, which also includes a missing USB stick, and that inquiry has grown to include the Department of Justice. [Ottawa Citizen]

CA – Ontario Embraces World-Class Standard of Privacy Protection

Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, introduced an information centre designed to further educate and advise members of the Ontario Public Service (OPS) on the best privacy practices, thus ensuring excellence in the protection of personal information. The Privacy by Design Centre of Excellence is a joint project between the Office of Information and Privacy Commissioner and the Ministry of Government Services (MGS). This new centre will further engrain a culture of privacy offered as the default, in all new and existing Ontario government programs. It provides tips and guidance into best practices for privacy protection, as well as educational materials and additional resources. Example materials include white papers and case studies from various sectors including telecommunications, technology, healthcare, transportation, and energy. The centre is a resource for the numerous professionals in the Ontario Public Service responsible for project design, information management, architecture management, and customer service in a broad array of institutions ranging from provincial agencies to municipal boards and commissions, to police service boards, to school boards and many more. [Source]

CA – Nunavut MLAs Meet on Language, Privacy Reports

Regular members of Nunavut’s legislative assembly will hold hearings April 16 to 18 in Iqaluit to discuss the most recent annual reports of the languages commissioner and the privacy commissioner. The MLAs say they want the Government of Nunavut to “publicly account” for its actions in response to their recommendations and to the privacy commissioner’s recommendations “concerning the important issues of access to information and protection of privacy,” said Louis Tapardjuk, standing committee co-chairperson. Recently, the GN responded to privacy commissioner Elaine Keenan Bengts’ 2011-12 annual report, tabled last October in the Nunavut legislature, and some of its concerns. Those included concerns about a surveillance project that gathers health information about all Nunavut mothers and babies from before birth up to age five, which the report found could be highly invasive of personal privacy. In her response, Nunavut Premier Eva Aariak said “the use of personal information for this project did receive the proper authorization.” [Source]

Consumer

US – State AGs and Facebook Align to Educate Youth

The National Association of Attorneys General (NAAG) and Facebook are launching plans to educate children and their parents about privacy and online safety. NAAG President and Maryland Attorney General Doug Gansler said, “There are more and more parents now who understand Facebook and how it works and how their children are using it but don’t necessarily understand the privacy settings and how they work.” The partnership will launch several different online tools, including a Facebook page featuring information on privacy settings, best practices and privacy control tips. [ABC News]

CA – Canadians Anxious About Privacy In the Face of New Technology: Poll

A significant number of Canadians do not feel they understand the privacy risks posed by new technologies and are not confident in their ability to protect their personal information, a new poll commissioned by the Office of the Privacy Commissioner of Canada suggests. Further, such concerns are affecting consumer choices. The telephone survey of 1,513 residents across Canada found that 56% are not confident that they understand how new technologies affect their privacy, a number that has increased steadily since the year 2000. Seven in ten Canadians also reported feeling that they have less protection of their personal information in their daily lives than they did 10 years ago. The declining confidence reflects a range of concerns Canadians have about sharing their personal information online. Many reported being very concerned about posting information about their location (55%) and contact information (51%). The majority (55%) said they have decided not to install, or have uninstalled, an app because of the amount of personal information they would have to provide, and 68% of Canadians say they have chosen not to use a site or a service because they were uncomfortable with the terms of the privacy policy. The survey found that while individuals’ concerns about the protection of privacy are high—66% are very concerned, with 25% of them saying they are extremely concerned—they often don’t take advantage of privacy protection options or information. For example, half of Canadians rarely or never consult online privacy policies and 54% do not take steps to limit tracking of their Internet activities. Other findings from the survey include:

  • 71% think protecting the personal information of Canadians will be one of the most important issues facing our country in the next 10 years.
  • 21% of Canadians think the federal government takes its responsibility to protect personal information seriously while only 13% feel businesses are serious about this responsibility.
  • 60% have asked an organization for an explanation of how it will use their information.
  • 97% would want to be notified by an organization if their personal information was compromised.
  • 73% who use the Internet are concerned about companies using their information to send them spam.
  • 81% think it is very important that websites actively inform them about what kinds of personal information they are collecting and how they use it. [Source]

US – Acxiom to Unveil Transparency Service

Consumer data broker Acxiom plans to introduce a service allowing consumers to access data collected about them. In recent months, the U.S. FTC has placed the data broker industry under the microscope. Acxiom Chief Marketing and Strategy Officer Tim Suther said, “We live in an era when transparency is important,” adding, “We’re listening to that and trying to be even more transparent with people who are interested in understanding what companies like Acxiom do with information.” The company said the service may be available later this year, but it is working on identity theft protection and other logistical obstacles. [Financial Times]

WW – Why Consumer Privacy Decisions Aren’t Always Rational

The New York Times profiles the work of Carnegie Mellon behavioral economist Alessandro Acquisti. Acquisti’s research “has shown that despite how much we say we value our privacy—and we do, again and again—we tend to act inconsistently,” the report states. Policy-makers, his research has proposed, should learn more about how consumers actually behave because, as consumers, “we don’t always act in our own best interest”—suggesting that user control can sometimes be an illusion. Samford University Prof. Woodrow Hartzog said, “His work has gone a long way in trying to help us figure out how irrational we are in privacy-related decisions,” adding, “We have too much confidence in our ability to make decisions.” [New York Times]

WS – Samoa Air Introduces ‘Pay-As-You-Weigh’ Fare Policy

Samoa Air has become the first airline in the world to charge passengers by weight. Instead of a flat rate per seat, the airline will charge passengers a fixed price per kilogram, with the price varying depending on the route. The pay-as-you-weigh system was announced on the airline’s website. “We at Samoa Air are keeping airfares fair, by charging our passengers only for what they weigh. You are the master of your Air ‘fair’, you decide how much (or little) your ticket will cost. No more exorbitant excess baggage fees, or being charged for baggage you may not carry. Your weight plus your baggage items, is what you pay for. Simple.” The airline posted the news on its Facebook page, drawing a mixed reaction. [Source]

E-Government

US – Opinion: Increased Gov’t Data Sharing Mandates Increased Oversight

While it may be a “natural application of Big Data” for government agencies to search already collected information about U.S. citizens for suspicious patterns of behavior, Alex Howard, writing for O’Reilly Radar, says the expanded rules on government data sharing that went into effect last year are concerning. First reported by Julia Angwin at The Wall Street Journal, these new database search powers, Howard argues, are unlikely to be sufficiently checked by the privacy professionals who were bowled over when they objected to them in the first place. [O’Reilly Radar]

US – Report: Law Poses Security Risks, Could Violate Privacy

A report by the National Academy of Public Administration (NAPA) says a law requiring the personal financial information of 28,000 federal workers to be posted online poses a national security risk and could violate privacy. The STOCK Act requires the data be available online by April 15 for public searching, sorting and downloading. NAPA concludes that transparency “does not necessarily equate to unrestricted accessibility when it comes to thousands of federal employees’ sensitive financial information,” and “considerations must be made for balancing transparency and privacy needs appropriately and in a way that does not expose federal employees to unnecessary risk.” [USA TODAY]

E-Mail

US – IRS Claims It Can Read Your E-Mail Without A Warrant

According to Internal Revenue Service (IRS) documents obtained by the ACLU, Americans have “generally no privacy” in their e-mail and social media communications. A 2009 IRS handbook obtained by the ACLU says, “e-mails and other transmissions generally lose their reasonable expectation of privacy and thus their Fourth Amendment protection once they have been sent from an individual’s computer.” An ACLU spokesman said the IRS “should formally amend its policies” to require a warrant prior to accessing e-communications. There has been growing consensus of late to update the Electronic Communications Privacy Act to require warrants by law enforcement prior to accessing electronic communications. [CNET News] UPDATE: [IRS Refutes Breach of Privacy Claims]

US – After Searches, Harvard Orders E-Mail Policy Review

In the wake of a “secret search” of e-mail accounts belonging to 16 of the university’s deans, Harvard President Drew Faust has ordered a review of e-mail privacy policies, describing the inconsistency across the university as “highly inadequate.” Calling the lack of e-mail privacy policies an “institutional failure,” Faust plans to form a task force to develop recommendations on e-mail guidelines. Faust has also asked an independent attorney to investigate the e-mail searches “and to verify that the information provided so far is a full and accurate description of what actually happened,” the report states. [COMPUTERWORLD]

Electronic Records

WW – The Potentials and Risks of Data Science

Columbia University’s new Institute for Data Sciences and Engineering emphasizes the importance of educating a broader swath of society. Google Chief Information Officer Ben Fried expressed concern that “the technology is way ahead of society” and warned against only having an intellectual elite who understand the implications of Big Data—a situation that could cause “a runaway technology or a public rejection.” Fried added, “I think it is a mistake if conversations about this technology leave out the humanities.” Meanwhile, one consulting firm notes that Big Data could save U.S. citizens as much as $450 billion in healthcare costs. [The New York Times]

EU Developments

EU – WP29: Consent “Almost Always” Required

A new opinion issued by the Article 29 Working Party (WP) states that “free, specific, informed and unambiguous ‘opt-in’ consent” is almost always necessary when organizations want to use previously collected personal data in Big Data projects. The exception may be Big Data projects that involve detecting “trends and correlations.” The WP also said businesses should provide consumers with access to their “profiles,” knowledge of the underlying logic of how the profiles were created and allow consumers to correct and share the information in them. The opinion includes a four-factor criterion to help determine whether businesses’ processing activities are compatible with the purposes for which the data was first collected. [Out-law.com]

EU – Europe Launches Controversial Crime-Fighting Database

The Schengen Information System II (SIS II), after substantial delays, has launched. SIS II is a centralized database that aims to help security officials exchange information more quickly and efficiently within the Schengen zone, where people can move freely. “It’s important for member states to exchange data among one another more closely and join forces in fighting crime—as a counterbalance to the absence of border controls,” said a spokesman for Germany’s Federal Ministry of the Interior. But privacy authorities including Germany’s Federal Commissioner for Data Protection and Freedom of Information Peter Schaar have taken issue with the centralization of such data, and have called for uniform standards across Europe on how the data can be used and who has access. [Deutsche Welle]

EU – Reding and Holder Discuss Online Privacy Protection

EU Justice Commissioner Viviane Reding met with U.S. Attorney General Eric Holder to discuss a range of issues including data protection initiatives and other collaborative efforts between the European Commission (EC) and the U.S. Justice Department. Among more specific topics, the officials discussed online protections for children and ongoing data-sharing efforts. According to an EC press release, “Each noted recent progress made, and both sides were optimistic in reiterating their determination to finalize negotiations as rapidly as possible.” Meanwhile, the UK government is not backing efforts within the proposed EU data protection regulation to instill a “right to be forgotten.” [The Guardian]

EU – Euro Task Force Initiates Enforcement Measures Against Google

A taskforce of data protection agencies has begun follow-up measures against Google after the company failed to fix flaws in a new privacy policy. The taskforce is led by France’s data protection authority, the CNIL, and includes authorities from the UK, Germany, Italy, Spain and The Netherlands. The CNIL says it has notified Google of the inspection’s initiation, which follows a March 19 meeting between the company and the regulators that ended in deadlock. “The authorities’ goal is not to fine Google,” said a CNIL spokeswoman. “The goal is for Google to be in line with what we demand.” Meanwhile, the company’s forthcoming “Google Glass” is raising privacy concerns in the U.S. [CNIL] [CNET: Europe continues privacy tussle with Google]

UK – ICO Performance Report Is “Mixed Bag”

A recent report by the Commons Justice Select Committee on the performance of the Information Commissioner’s Office (ICO) includes both supportive and troubling news for the agency. The committee backed the ICO’s intention to place NHS bodies and local authorities under compulsory audits. The article suggests the ICO’s view of the committee’s report was accurate when the ICO said, “the picture that emerges (of the ICO) is of a regulator that is delivering, that is relevant and that is efficient” but cautions the ICO also faces funding issues and is “running out of road and cannot absorb further cuts to the FOI budget without adversely affecting performance.” [Mondaq]

Facts & Stats

WW – Opinion: Top Five Threats of 2013

Columnist Melissa Riofrio lays out the top five online privacy threats in 2013, including the proliferation of cookies, law enforcement’s seizure of cloud data, the ease of locating users by their smartphones, facial recognition software and looming government concerns about cybersecurity. “This year’s online threats to privacy will continue to grow unless Congress and other decision-making bodies offer some meaningful support for privacy,” Riofrio writes, adding, “it all boils down to a matter of openness versus secrecy.” [PCWorld]

Finance

WW – Secret Files Expose Offshore’s Global Impact

A cache of 2.5 million files has cracked open the secrets of more than 120,000 offshore companies and trusts, exposing hidden dealings of politicians, con men and the mega-rich the world over. The secret records obtained by the International Consortium of Investigative Journalists lay bare the names behind covert companies and private trusts in the British Virgin Islands, the Cook Islands and other offshore hideaways. They include American doctors and dentists and middle-class Greek villagers as well as families and associates of long-time despots, Wall Street swindlers, Eastern European and Indonesian billionaires, Russian corporate executives, international arms dealers and a sham-director-fronted company that the European Union has labeled as a cog in Iran’s nuclear-development program. The leaked files provide facts and figures — cash transfers, incorporation dates, links between companies and individuals — that illustrate how offshore financial secrecy has spread aggressively around the globe, allowing the wealthy and the well-connected to dodge taxes and fueling corruption and economic woes in rich and poor nations alike. The records detail the offshore holdings of people and companies in more than 170 countries and territories. The hoard of documents represents the biggest stockpile of inside information about the offshore system ever obtained by a media organization. The total size of the files, measured in gigabytes, is more than 160 times larger than the leak of U.S. State Department documents by Wikileaks in 2010. To analyze the documents, ICIJ collaborated with reporters from The Guardian and the BBC in the U.K., Le Monde in France, Süddeutsche Zeitung and Norddeutscher Rundfunk in Germany, The Washington Post, the Canadian Broadcasting Corporation (CBC) and 31 other media partners around the world. 
Eighty-six journalists from 46 countries used high-tech data crunching and shoe-leather reporting to sift through emails, account ledgers and other files covering nearly 30 years. [Huffington Post]

US – FTC Sends FCRA Warning Letters to Six Companies

The Federal Trade Commission (FTC) has sent letters to six companies warning them to “double-check” their Fair Credit Reporting Act (FCRA) responsibilities. The selected companies specifically collect information about the rental histories of tenants and share the data with potential landlords, the FTC press release states. “If you assemble or evaluate information on individuals’ rental histories,” the release states, “and provide this information to landlords so that they can screen tenants, you are a consumer reporting agency that is required to comply” with FCRA. [FTC]

FOI

US – Industry Pushes Back on State’s Right to Know Act

There is an industry backlash against California’s proposed “Right To Know Act.” If the bill passes, it would require companies to disclose their data-use practices to California consumers upon request. A coalition of businesses and trade groups—including the Internet Alliance, TechNet and TechAmerica—have written to the bill’s sponsor, Assemblywoman Bonnie Lowenthal (D-Long Beach), urging that she “not move forward” with the bill, citing its “costly and unrealistic mandates.” Nicole Ozer of the ACLU—which co-sponsored the bill—said there is “real impact for individuals when they don’t know how their information is being collected and when it is being shared in ways they don’t want.” [The Wall Street Journal] [CSO Online] [CNET]

Genetics

US – DNA Project Aims to Make Public a Company’s Data on Cancer Genes

The New York Times reports on a privately owned database containing information on DNA mutations that increase cancer risk and a corresponding grassroots project aimed at making that data public. Owned, built and kept private by Myriad Genetics, the database contains millions of tests on genetic mutations—data to which several researchers want access. The project, Sharing Clinical Reports, asks cancer clinics and doctors around the country to share all Myriad data they have from patient tests, and, according to the report, none of the data contains patient identifiers. On Monday, the Supreme Court will also hear a case that may determine whether two patents of genes owned by Myriad are legal. [NYT]

Google

WW – Google Adds Cookie Notification to EU Search

Google has added cookie notification language on its search and results pages to users in the EU. The company has also reportedly switched from using the Digital Advertising Alliance icon to its own “i” icon information. AdWeek reports on the implications of third-party cookie blocking for large and small businesses. “In a cookieless world, publishers with business models that naturally collect strong names and addresses and other personally identifiable information (PII) are going to be able to…connect to CRM databases,” an Acxiom representative said, adding, “For publishers that have a weak PII story, they’ve been more heavily reliant on the cookie world.” [AdWeek]

WW – Google Privacy Chief Stepping Down

Google’s first director of privacy plans to retire. Alma Whitten, named director of privacy in 2010 following controversy over Google’s Street View and Buzz services, was tasked with overseeing product development at the company to guard against future privacy mishaps. She led the privacy team that saw the merging of Google’s 70-plus privacy policies into one. Whitten will be replaced by Google engineer Lawrence You, who will now take over a privacy team consisting of several hundred individuals. [Forbes]

WW – Google Rolls Out New Inactive Account Manager

Google announced a new service it’s calling Inactive Account Manager. It allows customers to designate “trusted contacts” to receive their Google data in the event of their death or inability to access their Google products. It also, however, allows users to decide to have their information deleted automatically following a specified period—three, six, nine or 12 months—of inactivity. Kashmir Hill notes in Forbes that some have already taken to calling the service “Google Death Manager” and wonders how you’ll use it. [Google Blog]

Health / Medical

US – Court: HIPAA Trumps Florida Disclosure Law

The 11th U.S. Circuit Court of Appeals has ruled unanimously that a federal law requiring licensed nursing homes to disclose deceased residents’ medical records only to a designated “personal representative” trumps a Florida state law allowing disclosure to individuals including spouses, guardians, surrogates or attorneys who request them. Judge Susan Black wrote in the court’s decision: “The unadorned text of the state statute authorizes sweeping disclosures, making a deceased resident’s protected health information available to a spouse or other enumerated party upon request, without any need for authorization, for any conceivable reason, and without regard to the authority of the individual making the request to act in a deceased resident’s stead.” [The Miami Herald]

US – Company Stores Doctors’ Records, Serves Patients Ads

A US company is offering doctors cloud-based electronic medical records software. Practice Fusion stores health data for 150,000 providers on 690 million patients. Its primary business is putting advertisements on those records via its relationships with testing and pharmaceutical companies. Ads are targeted to customers based on their medical records. Patient names and other identifiable information are not shared with advertisers, however. [The New York Times]

US – Groups Develop Trust Framework

The Texas-based Patient Privacy Rights Foundation, along with Microsoft and PricewaterhouseCoopers, has developed a “trust framework” for health IT systems. The framework includes 75 criteria based on 15 privacy principles to enable “objective measurement of how well health IT, platforms, applications, electronic systems and research projects protect data privacy and ensure patient control over the collection, use and disclosure of their health data,” the Patient Privacy Rights Foundation noted. The principles include elements available under current state and federal laws, the report states, as well as provisions indicating individuals should “decide who can access information” and “how and if sensitive information is shared.” [ModernHealthcare]

Horror Stories

WW – A Roundup of Recent Breaches

Following two recent breaches in Utah, one affecting 780,000 individuals, the state is taking steps to prevent future incidents. The health department is creating a data security office, and the governor recently signed a law that will see the implementation of security and privacy best practices there and in other government departments. In California, Kirkwood Community College officials say hackers accessed a database containing applicants’ names, Social Security numbers and other personal information. And the VA medical center has alerted 7,405 patients of a breach involving an unprotected laptop containing their personal information. [GovInfoSecurity]

US – Potentially Massive Class-Action Moves Forward

A federal court has granted class-action status to a lawsuit claiming online tracking firm comScore secretly collected and sold Social Security numbers and credit card numbers as well as passwords and other personal data from consumer systems. The lawyer representing the two plaintiffs said this could be the largest privacy case to go to trial by way of class size and potential damages, the report states. ComScore says it captures approximately 1.5 trillion user interactions monthly—or nearly 40% of Internet page views. [COMPUTERWORLD]

US – Hannaford Breach Class-Action Decision

U.S. District Court Judge Brock Hornby has denied a plaintiff’s motion to certify a class action seeking damages stemming from a data breach at Hannaford Bros. The March 20 decision by Hornby noted that proving damages “required highly individualized determinations that could not be tried through proof common to the class as a whole,” and the article states that the “Hannaford case illustrates how damages issues, even in cases articulating a viable common damages theory, can still frustrate class certification.” Though Hornby denied an argument that a voluntary refund program offered by the company “provides a defense against class certification, such programs still provide a way to mitigate class damages, reduce potential overall exposure and retain customer goodwill.” [National Law Review]

US – Breach Roundup; Supreme Court Upholds Strict Harm Requirements

Oregon Health and Science University has sent data breach notification letters to 4,022 patients following the theft of a surgeon’s unencrypted laptop. The University of Mississippi Medical Center reports a password-protected laptop containing personal information on adult patients has gone missing, and Utah’s Granger Medical Clinic has notified patients of a potential breach after 2,600 medical appointment records scheduled to be shredded went missing. Meanwhile, Wilson Elser attorneys report on the recent Supreme Court ruling that upheld requirements for plaintiffs to prove harm that is “certainly impending” in order to have standing to sue in privacy cases. [HealthITSecurity]

US – GSA Reports Breach; VA Holds BYOD Plans

The U.S. General Services Administration recently alerted users of its System for Award Management that personal information was exposed due to a security vulnerability. The notice said registrants using Social Security numbers as identifiers may be at greater risk for identity theft. Meanwhile, InformationWeek reports the Department of Veterans Affairs has put on hold plans to allow employees to use their own mobile devices for work purposes. The department said it must resolve legal issues on confiscation and investigation of such devices before moving forward. [CNET News]

Identity Issues

US – Actress Loses Privacy Lawsuit Against IMDb.com

A jury has rejected claims by an actress that IMDb violated its own privacy policy by disclosing her date of birth. “It’s not known why the jury rejected actress June Hoang’s claim,” the report states. “But the trial did make at least one thing very clear: Lying about your age isn’t easy in the era of Big Data.” Hoang sued IMDb.com in 2011, alleging the company violated its privacy policy by allegedly accessing her credit card data, which was supposed to remain confidential. IMDb.com countered that the “fine print in its privacy policy gave it cover,” the report states. [Source]

WW – Mozilla Brands Persona as Password Killer

Mozilla has unveiled a Beta 2 version of Persona, its Web site log-in alternative. Now you can sign in to any Web site supporting Persona using a Yahoo Mail account. Persona, which is still in development, is an open authentication system that works on desktops and mobile devices. In addition to being able to log in using either your Persona ID or your Yahoo credentials, today’s release introduces support for Firefox OS, which means you can expect to use Persona to log in to any Firefox OS devices that launch later this year. It also includes back-end changes that make the log-in system work twice as fast as before, Mozilla says. The company boldly claims that Persona will also be a “password killer.” “Facebook and Twitter sign-in conflate the act of signing into a Web site with sharing access to your social network, and often granting the site permission to publish on your behalf. Sometimes this is what a user wants, but far too often it’s absolutely not,” said Lloyd Hilaiel, the technical lead for the project, in a post explaining Persona Beta 2. [Source]

US – Court Rejects 1st Amendment Balancing Test for Online Anonymous Speech

A Michigan appellate court ruled last week that state discovery rules provide adequate safeguards for anonymous online speech. The opinion is a significant deviation from the rulings of other state courts, which have applied a First Amendment balancing test to determine whether to grant discovery requests for the identities of anonymous online speakers. [Source]

CA – Feds Launched Wide-Scale Search in Hunt for Lost Student-Loans Data

The disappearance of an external hard drive in November triggered a sweeping search at the Human Resources and Skills Development Canada building where it was last seen, with cubicles swept, folders checked one-by-one, and cabinets moved around to leave no nook unchecked. Similar looking hard drives were collected and scanned to see if they contained personal information on 583,000 student loan borrowers, but the missing drive couldn’t be located. The details are contained in emails and a security report about the loss of personal information, including names, addresses and social insurance numbers of Canada Student Loan recipients. The hard drive was used to back up information about the loan recipients, including HRSDC investigation reports, but wasn’t encrypted or password protected, a violation of federal policies on information management. As well, the security report notes the drive was stored in a secure cabinet that was not locked all the time — another violation of federal policies. “Two employees had access to the cabinet…the cabinet was not locked 100 per cent of the time,” reads the security report, filed on Nov. 29, 2012. The documents were released to Postmedia News under access to information law. [Source]

Internet / WWW

US – DHS Warns Personal Data on Public Websites Used in Phishing Attacks

The US Department of Homeland Security (DHS) is warning organizations not to post business and personal information on publicly accessible web pages because the data could be exploited in spear phishing attacks. The alert grew out of an incident last fall in which spear phishing campaigns targeted energy sector organizations. The attacks used information from a list of conference attendees, including names, email addresses, and organizational affiliation, that had been posted on a public website. [COMPUTERWORLD]

WW – Hackers Steal Passwords from Scribd User Database

Document-sharing website Scribd says that hackers compromised as many as one million user passwords. The data were stored with an old hashing algorithm. A Scribd software engineer said that no accounts had been compromised. The company has contacted affected users and instructed them about how to change their passwords and make them more secure. [ZDnet] [NBC News]

WW – Privacy Focus Remains in Microsoft’s Ad Campaign

The third phase of Microsoft’s marketing campaign targeting Google’s privacy practices suggests Google is “more interested in increasing profits and power than protecting people’s privacy and providing unbiased search results.” The story suggests the ads, which one observer calls typical of an industry underdog, “say as much about the dramatic shift in the technology industry’s competitive landscape as they do about the animosity between the two rivals.” The new “Scroogled” ads, which began this week, criticize Google for sharing personal information gathered about purchasers of apps “designed to run on smartphones and tablet computers powered by Google’s Android software,” the report states. [The Boston Globe]

WW – EBay To Open Data to Marketers

EBay will now allow advertisers access to data on what products a consumer has bought in order to send targeted ads. The company has used such data to promote products to users, but it will now commercialize “that capability for the benefit of other marketers who want to reach shoppers,” said an eBay spokesman. “That’s something new this year.” But eBay risks alarming consumers who might have been okay with eBay showing them related products but who “expect eBay not to tell anybody else who they are.” [AdWeek]

Law Enforcement

US – Court Case Reveals FBI Stingray Details

Details of how the FBI uses cellphone surveillance technology have been revealed in a court case involving a suspected identity theft ringleader. Court documents note that Verizon reprogrammed the suspect’s air card to respond to silent incoming calls from the FBI causing the device to disclose its location. The government did not dispute the claims during a March 28 hearing in a U.S. District Court in Arizona. Electronic Frontier Foundation Staff Attorney Hanni Fakhoury said, “It shows you just how crazy the technology is…This is more than just (saying to Verizon) give us some records…This is reconfiguring and changing the characteristics of the (suspect’s) property, without informing the judge what’s going on.” [WIRED]

US – Google Fights U.S. National Security Probe Data Demand

Just a few weeks after U.S. District Judge Susan Illston created a bit of legal limbo around the U.S. federal government’s so-called National Security Letters (NSLs) by declaring them unconstitutional and putting her ruling on hold to allow for appeal, Google has stepped into the breach by refusing to comply with an FBI-issued NSL. According to a Bloomberg report, Google has challenged a demand by the FBI for private user information in what the Electronic Frontier Foundation believes is the first time a “major communications company” has decided not to comply with an NSL. Google outlines its policy toward NSLs here. The law allows judges to set aside requests by the FBI if they are “unreasonable, oppressive or otherwise unlawful.” [Bloomberg]

US – FAA to Host Online Drone Privacy Session

The Federal Aviation Administration (FAA) will host an “online public engagement session” on Wednesday to allow the public to express privacy concerns stemming from domestic use of drones. The FAA is seeking specific comments on a privacy protocol that would be implemented at its six drone testing sites. Public comments “are not intended to predetermine the long-term policy and regulatory framework under which commercial (drones) would operate,” the FAA has said, adding, “Rather, they aim to assure maximum transparency of privacy policies.” [The Washington Times]

US – Fed Appeals Court Restricts Phone Searches

The U.S. Court of Appeals for the Sixth Circuit has ruled that a school may not search a student’s phone, even if the student has a history of troubled behavior. G.C. v. Owensboro Public Schools also more specifically defined under what circumstances a student’s phone may be searched, and, according to the report, it is one of the “more significant rulings on student privacy rights.” [The Wall Street Journal]

Location

EU – Studies Say Mobile Apps View Too Much Data

France’s data protection authority, the CNIL, says mobile phone apps are accessing and processing an unnecessary amount of private data. The CNIL studied 189 apps on six smartphones. The aim was to analyze the nature of the apps, not to put blame on app developers, CNIL President Isabelle Falque-Pierrotin said. Meanwhile, security researchers at a Romanian-based firm are warning that mobile apps are becoming increasingly intrusive. Nearly 13% of apps disclose user phone numbers without the user’s consent. [PCWorld]

Online Privacy

PL – New Cookie Rules Make Opt-Out OK with Proper Info

According to SSW privacy lawyer Joanna Tomaszewska, changes to Poland’s telecoms laws mean a “very strict information duty” requiring website operators to inform consumers of cookie use and ways they can alter their cookie settings; however, if properly informed users do not change default settings, inaction will constitute “explicit consent.” The Office of Electronic Communications (OEC) has also been given the power to issue financial penalties of up to three percent of the previous year’s profits to companies that breach the rule. While noting that “it is too early to know how the OEC will impose penalties,” Tomaszewska said it is “rather unlikely” the OEC will levy a fine amounting to three percent of annual profits. [Out-Law]

US – Franken: Company’s Opt-Out Tracking Unsatisfactory

Sen. Al Franken (D-MN) has said that the opt-out policy used by Euclid Analytics is unsatisfactory because it requires consumers to go to the company’s website instead of asking consumers for permission. Franken sent Euclid a letter last month looking for more information about its privacy practices and on Monday released the organization’s response. “I am pleased that privacy is a priority for Euclid,” Franken said, “but their continued use of opt-out technology underscores the need for Congressional action to protect consumer location privacy.” Euclid CEO Will Smith said the company does not collect personal information, only provides metrics to its retailer clients and does “not have any plans to sell, rent or disclose” its data to any third parties. [The Hill]

AU – Report: Law Would Put Small ISPs at Disadvantage

Proposed data retention legislation may have impacts on small Internet service providers (ISPs). While the comments had not been made public previously, the government was cautioned a year ago by a Department of Broadband Communications and the Digital Economy adviser that small ISPs “faced the heaviest financial burden under data retention laws being sought by law enforcement bodies,” the report states. The proposed legislation is the subject of an inquiry by the Joint Parliamentary Committee on Intelligence and Security. Law enforcement officials have said they are not attempting to extend their powers, but advocates caution the laws are “too intrusive on privacy of innocent civilians,” the report states. [Australian IT]

Other Jurisdictions

US – Gov’t Report: IRS PIAs Need Improvement

A government report has revealed that the U.S. Internal Revenue Service (IRS) has not yet installed appropriate processes ensuring Privacy Impact Assessments (PIAs) are executed in a timely manner. The Treasury Inspector General for Tax Administration (TIGTA) report made a total of 11 recommendations to the IRS. The IRS agreed with nine of the recommendations but noted it has already implemented two of them, the report states. TIGTA Inspector General J. Russell George said, “The privacy of taxpayer information is essential to taxpayer confidence in the fairness and integrity of the American system of tax administration,” adding, “It is imperative that the IRS adopt our recommendations to ensure the effectiveness of this important initiative.” [Accounting Today]

MX – Mandatory Notice Guidelines to Go Into Effect

Littler Mendelson’s Javiera Medina Reza outlines Mexico’s new Privacy Notice Guidelines, which go into effect April 17. The mandatory guidelines bring requirements for data privacy notices and obtaining consent prior to collecting personal data in accordance with the Federal Law on the Protection of Personal Data Held by Private Parties, enacted in 2010. The Federal Institute for Access to Information and Data Protection (IFAI) may impose sanctions for noncompliance, and Reza writes that a recent IFAI decision leading to a fine of more than $162,000 for a company’s failure to fix problems with its privacy notice underscores the importance of complying with the guidelines. [Mondaq]

HK – PCPD Condemns Deceitful Octopus Card Marketing Practices

The Office of Privacy Commissioner for Personal Data (PCPD) has found that an insurance broker and a body-check service obtained personal information through deceitful means for direct marketing purposes. After receiving complaints from consumers, the PCPD investigated the companies and found that Hong Kong Preventive Association Limited had collected personal data from about 360,000 people under false pretenses, which it then sold to Aegon Direct for direct marketing. Privacy Commissioner Allan Chiang Yam-wang said while he hoped Octopus’s contraventions would serve as a “wake-up call…in many recent investigation cases, including this one, it was found that the data users still fell short of meeting customer expectations and compliance with the requirements of the ordinance.” [The Standard]

AU – Company to Launch Data Breach Insurance

Australian insurer Beazley Group plans to roll out data breach insurance in Australia at the end of this year. “There is certainly growing interest in this sector,” said Beazley Chief Executive Andrew Horton, noting data breach notification laws could get tougher. He added that data breaches happen in forms other than cyber threats, including when data is simply lost when a business moves from one location to another. The company launched the product in the U.S. five years ago and in the UK earlier this year. [Australian Financial Review]

AU – Advertisers Face Privacy Timebomb, Warns ADMA

Advertisers and agencies do not understand the significant fines they face under major new changes to the Privacy Act set to take force within the next 12 months, says the Association of Data Driven Marketing and Advertising. The organisation said there is still little industry focus on how the changes will impact advertiser interactions with consumers, with breaches due to attract major fines of up to $1.1m. The association argues the changes will dramatically impact both agencies and advertisers, especially those marketing online using demand-side platforms and social media. Technology driven by demand-side platforms is allowing online advertisers to be increasingly sophisticated about how they target messages at users based on individuals’ browsing behaviour. Under the new laws, which begin in March 2014, this definition will broaden so that any information which identifies an individual, regardless of whether their name is included, will be classed as personal information and subject to the new regime. One group of marketers likely to be impacted by the changes is not-for-profit organisations, which may lack resources when it comes to legal compliance but generate funding through interactions with the public. [Source]

SL – Commissioner Challenges New Data Law as Unconstitutional

Andrej Tomsic, deputy information commissioner for the Republic of Slovenia, writes for EDRi-gram that his boss, Commissioner Natasa Pirc Musar, challenged on March 19 the national implementation of the Act on Electronic Communications before the Constitutional Court. Musar believes the new data retention provisions, which were enacted January 15, “do not respect the principle of proportionality and that they have been transposed into the national law in contrast with the provisions of the Data Retention Directive 2006/24/EC.” This will broaden data retention to all criminal offenses and anything in the “interests of the state,” along with civil litigations and labor law disputes. Musar hopes to have enforcement of the act suspended and the new provisions declared unconstitutional, which could take as much as a year. [EDRI]

SA – Bill Aims to Protect South Africans from Prying Eyes

Amid the vocal protest and fury over the “secrecy bill,” another protection of information bill has been crafted to protect South Africans from identity theft and unwanted electronic marketing. The Protection of Personal Information Bill has been a number of years in the making in Parliament’s justice committee. It has been approved by the National Assembly and awaits processing by the National Council of Provinces. The bill seeks to create a regime by which institutions such as banks, insurance companies and other businesses must manage the personal information of their clients. A key provision is the removal of the so-called negative approval under which electronic marketers operate. At present they can send SMSes and e-mails requiring the individual to “opt out” for the unwanted messages to stop. The new provision will allow one message to be sent and if the recipient does not respond positively they may not send another. [Source]

Privacy (US)

US – IAB Asks FTC for Delay on New COPPA Implementation

Changes to the privacy rules within the Children’s Online Privacy Protection Act (COPPA), slated to be published by the FTC in the form of FAQs “sometime this month,” have prompted an industry advertising group to ask the FTC for a six-month delay on implementation. “It’s a complete makeover and that will take time,” said Interactive Advertising Bureau Senior VP and General Counsel Mike Zaneis, adding, “They’ll need time to determine if they can bear the burden of a strict liability regime or convert to a pay-for-content model.” Morrison Foerster Partner D. Reed Freeman, Jr., noted the changes are “a market-altering event…It won’t be the end of the world, but there will be a lot of fallout first.” [Source]

US – SCOTUS Refuses E-mail Privacy Case; Senate to Take Up ECPA Reform

The Supreme Court has declined to hear a case that could test the boundaries of federal protection of e-mail privacy. An appeal in Jennings v. Broome asked the court to resolve differing lower court rulings by a California appeals court and the South Carolina Supreme Court. Meanwhile, the U.S. Senate is prepared to mark up legislation that would mandate police obtain warrants prior to searching citizens’ e-mails, The Hill reports. Bill co-sponsor Sen. Patrick Leahy (D-VT) said, “Safeguarding Americans’ privacy rights is not a Democratic issue or a Republican issue—it is something that is important to all Americans, regardless of political party or ideology.” [Christian Science Monitor]

US – FTC Chairwoman Releases 2013 Annual Highlights

Newly appointed Federal Trade Commission (FTC) Chairwoman Edith Ramirez released the agency’s 2013 Annual Highlights, calling attention to several of its initiatives including protecting consumer privacy, challenging deceptive advertising and safeguarding children online. Ramirez said, “As we head into our second century, the FTC is dedicated to advancing consumer interests while encouraging innovation and competition in our dynamic economy.” [Source]

US – FTC Approves Computer Spying Final Order

The Federal Trade Commission (FTC) has approved nine final orders settling charges against seven companies and a software design firm, including two principals accused of using the software and computers to spy on customers. According to the FTC press release, “the respondents will be prohibited from using monitoring software and banned from using deceptive methods to gather information from consumers.” The settlements will also require the companies to get consent from users prior to using geophysical location tracking and to maintain records for the next 20 years to enable the FTC to assess compliance. [FTC]

US – Supreme Court Asked To Hear NebuAd Case

Two subscribers of Internet service provider (ISP) Embarq have asked the Supreme Court to determine whether the company violated existing privacy law when it partnered with NebuAd. Embarq was one of six ISPs that used NebuAd’s behavioral targeting services in 2007 and 2008, but some consumers have claimed the partnership violated federal wiretap laws. In a petition to the Supreme Court, two former Embarq subscribers wrote, “The present case illustrates the significant harm to societal interests in communications privacy if an ISP is considered to be permitted, in the ordinary course of its business, to sell its customers’ private communications to the highest bidder.” [MediaPost News]

Privacy Enhancing Technologies (PETs)

WW – Product Stops Third-Party Tracking

A California start-up’s product allows individuals to view which companies are tracking them online. The browser extension, Disconnect, aims to help users safeguard browsing history. First-party trackers are still permitted to follow a user, but the data won’t be shared with third-party websites, and ads won’t be served based on such data. “We are stopping that flow of data as you bounce around the web,” said the company’s co-founder. “Third-party retargeters are not going to have information about you.” The filters are distinct from Do-Not-Track signals. [NYT]

WW – Tech Firms Unveil Ad-Blocking Tools

Two tech companies have started offering ad-blocking tools for mobile users. Evidon is delivering the Ad Choices icon and the opt-out system for users, while TRUSTe has upgraded its real-time bidding system so that advertisers know prior to bidding that the user cannot be targeted for behavioral data, the report states. The moves come before the Digital Advertising Alliance (DAA) has published any mobile guidelines. DAA Counsel Stu Ingis said those guidelines could come “this spring—a few weeks to a couple of months.” TRUSTe’s Kevin Trilli said, “That is why we didn’t wait, and why we just started to build.” [AdAge]

WW – Mozilla Readies Third-Party Cookie Blocker

In a preview version of its Firefox 22 web browser, Mozilla has included an automatic third-party cookie blocker, putting the company “on a collision course with the online ad industry.” Some trade groups say the new feature, called Aurora, is “dangerous and highly disturbing” and warn that users will experience more ads as a result. Stanford University graduate student Jonathan Mayer, creator of the code, tweeted, “The new Firefox cookie policy has migrated to Aurora!” Firefox 22 is expected to fully release in late June. [COMPUTERWORLD]

WW – Firefox Announces More DNT Options

Seth Rosenblatt reports on Firefox’s “more nuanced approach” to implementing its Do-Not-Track (DNT) setting and efforts to provide additional user choice. Firefox engineers describe the past practice of “on” or “off” DNT implementation in light of what they describe as the “three states of Do Not Track.” Firefox’s Tom Lowenthal explains, “DNT:0 means, ‘I consent to being tracked.’ DNT:1 means, ‘I object to being tracked.’…When DNT is off, it doesn’t mean ‘please track me.’ It means that the user hasn’t told the browser their choice yet.” Rosenblatt notes, “What’s not clear is how sites react to that.” [CNET]

US – New Tool Encrypts Online Photos So They’re Only Visible to Friends

A team of researchers from USC has developed an encryption tool that makes your photos grey and unrecognizable to everyone but your (Facebook) friends. With a new cloud-based photo-encryption service, you won’t have to trust Facebook or any other online service to keep your photos private. A team of researchers at the University of Southern California developed the tool, dubbed “P3” for “Privacy-Preserving Photo Sharing,” which pulls a small amount of data out from digital photos and encrypts it into a key that can be shared with friends. The unencrypted, but unrecognizable part of the photo is posted online as a grey image that doesn’t have any clear detail and can only be viewed by those with whom the encrypted key is shared. It’s not only made for Facebook, but for any cloud-based service like DropBox, Flickr or any other way people share photos, even chat services and forums. While they have a prototype, they haven’t yet decided how it will be marketed, but hope to have a company set up by the summer. So those estimated 250 million photos uploaded to Facebook each day will have to remain unencrypted and arguably unsecure, for the time being. [Source]

Security

UK – Device Losses Lead to Inquiry

The Information Commissioner’s Office (ICO) is looking into the BBC’s recently reported loss of 785 devices. An ICO spokesperson said the office had not been informed of the incident, but it will “be making further enquiries into the loss of this equipment to find out the full details.” A freedom of information request revealed 399 laptops, 347 mobiles and 39 tablets lost or stolen at the BBC, which the report states is “probably low” for an organization of its size. The BBC told V3 that it has no official figures on how many devices have been issued to staff. [v3.co.uk]

US – 93% Knowingly Breach Company Data Policies

A recent breach affecting St. Louis-based Schnucks supermarket chain was exacerbated by the company’s inability to detect the source. As a result, the number of credit and debit cards exposed continued to grow, capping at about 2.4 million. The company has hired a third party to investigate. Meanwhile, Global Payments, Inc., says it is closing its investigation of a March 2012 breach that exposed 1.5 million debit and credit cards. The breach cost the company $92.7 million in expenses. And Financial Times reports on a recent survey of 165,000 employees indicating nine out of 10 knowingly breach employers’ data policies. [ComputerWorld]

US – Hotel Data Security Issues on the Rise

There are data security issues within the hospitality industry and an alleged rise in identity thefts and malware attacks. One attorney specializing in hospitality law said, “Data security is becoming an issue of significant importance in the hospitality industry.” Hackers now attack hotel systems and data in third-party reservation systems not only for credit card data but for additional personal information, including address, license plate number and date of birth, all of which aid in identity theft. [Chicago Tribune]

Surveillance

US – Case May Determine Text Message Privacy Rights

The Washington State Supreme Court is expected to hear two cases next month involving the privacy of text messages in criminal proceedings. In both cases, alleged drug users were arrested after police intercepted their text messages without a warrant. An earlier appellate court case ruled the expectation of privacy of text messages “terminates upon delivery.” Calling text messaging “the 21st-century phone call” in an amicus brief, the Electronic Frontier Foundation has argued the lower court’s decision to uphold the warrantless case “ignored the technological realities of text messaging and threatened to erode privacy protection to a ubiquitous form of communication in the United States.” The high court will hear arguments on May 7. Meanwhile, customers suing Apple for privacy violations are seeking monetary sanctions in a pretrial discovery dispute. [Courthouse News Service]

US – Tracking Study Habits: “It’s Big Brother, Sort of, But With a Good Intent”

Professors at nine colleges are testing technology that allows them to get detailed reports of their students’ study habits through digital textbooks. While students’ digital textbook use has been tracked for a while now, CourseSmart individually packages information on all the students in a professor’s class. The start-up says that surveys indicated few privacy concerns, but one student who uses non-tracked forms of studying worries, “If he looks and sees, ‘Hillary is not really reading as much as I thought,’ does that give him a negative image of me?” More than 3.5 million students and educators currently use CourseSmart textbooks, and the program is expected to be introduced broadly in the fall. [The New York Times]

US – NYC Awareness System Raises Privacy Concerns

New York City’s Domain Awareness System (DAS), which combines police know-how with computer algorithms, is reportedly making the city money and making it safer, but some worry it is also invading people’s personal privacy. The system combines more than 3,500 publicly placed cameras, license-plate readers “at every major Manhattan entry point,” radiation detectors and real-time 911 alerts with “a trove” of police data. The success of the DAS has generated interest from other municipalities, but others worry the invasion of privacy will be “much greater than anything we have seen so far.” In another surveillance story, the Office of Naval Research aims to use autonomous technology to patrol and map the ocean. [The New York Times]

Telecom / TV

US – California AG Harris Urges App Developers to Respect Users’ Privacy

The wealth of personal data that mobile apps collect on their users needs to be conspicuously stated to consumers or developers could face legal heat, California attorney general Kamala D. Harris said. Rather than resorting to subpoenas and enforcement actions, the California attorney general’s office is in the midst of a crusade of sorts built around encouraging app developers, and Internet services firms in general, to become compliant with state privacy laws of their own accord. Last year, for instance, the office reached an agreement with a number of major tech companies, including Facebook and Google, to make the privacy policies for those companies’ mobile apps available to consumers in the Apple App Store and Google Play Store before the download process rather than after. The idea is to encourage technology companies that have access to users’ personally identifiable information such as geolocation and contact lists to better inform consumers how that information is used so consumers can make better decisions about using the app in the first place. A major law at the center of the issue in California is the Online Privacy Protection Act, which requires operators of websites and online services, including mobile and social apps that collect personally identifiable information from Californians, to clearly post a privacy policy. The state has already sued Delta Airlines for failing to comply with the law; that case is ongoing. [Source]

WW – Android Apps Found To Have Breached User Privacy: Study

Android phone users have been warned to check app permissions after it was found that some popular apps upload mobile numbers to third-party entities without notification. According to a new study by Bitdefender, 12.87% of 130,000 free Android apps sent user phone numbers to third-party servers. The researchers found that Texas Poker by Kama Games and Paradise Island by Game Insight International accessed user data. Location and personal email addresses were also distributed to third parties by 12.03% and 7.72% of the apps analysed. Approximately 6% of apps accessed browsing history. According to Bitdefender chief security strategist Catalin Cosoi, the line between third-party advertisers and malware is becoming more blurred. “While malware may steal passwords and other credentials, aggressive advertisers may collect everything else,” he said. “Although violating user privacy raises serious concerns, the risk of having collected data used for malicious purposes is greater than most people imagine.” [Source]

WW – Opinion: Facebook’s ‘Not-A-Phone-But-More-Than-An-App’ Home

Facebook released a mobile thing today. It’s not a Facebook phone. But it’s more than an app. It’s like a digital skin that you slide your phone into so that it’s covered in sticky Facebook goodness. It’s a thing that you will be able to get pre-installed on some Android phones or download from Google Play. It will basically turn your phone’s face into a slideshow version of the Facebook News Feed — photos, check-ins and status updates will flip past and you will be able to “like” them by tapping your phone. It will make frictionless sharing EVEN MORE FRICTIONLESS as you will be able to have mobile apps open inside of Facebook and share instantly. Most importantly, Facebook is bringing us a new bit of terminology with the new Home which Facebook describes as “[not] a phone or operating system [but] more than just an app”: “Chat Heads.” When you get a message from a friend, their head appears on your phone and it will follow you around from screen to screen until you read their message or swipe them away. I suspect the term “Facebook Friends” is about to be replaced by this one, as in, “I don’t really know him that well, he’s just a Chat Head.” Home could be a GPS jackpot for Facebook. If users actually take to Home, Facebook has come up with an excellent way to get people to have Facebook running on their phones all the time. That means Facebook will be able to constantly collect location information from them, making Facebook even more attractive to advertisers looking to deliver ads based on who you are, where you are and what you’re doing. The privacy issues were not missed by Om Malik at GigaOm: The phone’s GPS can send constant information back to the Facebook servers, telling it your whereabouts at any time. So if your phone doesn’t move from a single location between the hours of 10 p.m. and 6 a.m. for say a week or so, Facebook can quickly deduce the location of your home. 
Facebook will be able to pinpoint on a map where your home is, whether you share your personal address with the site or not. It can start to build a bigger and better profile of you on its servers. It can start to correlate all of your relationships, all of the places you shop, all of the restaurants you dine in and other such data. The data from accelerometer inside your phone could tell it if you are walking, running or driving. As Zuckerberg said — unlike the iPhone and iOS, Android allows Facebook to do whatever it wants on the platform, and that means accessing the hardware as well. [Forbes]

US Government Programs

US – EPIC Urges Distinction between Cybercrime and Cyberterrorism

The Electronic Privacy and Information Center (EPIC) wants the US National Institute of Standards and Technology (NIST) to make clear distinctions between cyber crime and cyber terrorism. NIST is developing a cybersecurity platform as part of the president’s executive order on cybersecurity, and asked for public comments on the development of that platform. In its comments, EPIC notes that “the overwhelming majority of cybersecurity incidents do not fall within the ‘national security’ designation.” [Source]

US Legislation

US – White House: CISPA Not Doing Enough for Privacy

The Obama administration has issued a statement indicating it is unlikely to support the Cyber Intelligence Sharing and Protection Act (CISPA) in the form passed this week by the House Intelligence Committee. “While stopping short of an outright veto threat that many privacy activists may have wanted, the statement made clear that the administration does not believe the bill in its current form does enough to safeguard personal information,” the report states. The committee voted 18-2 in support of CISPA after removing four amendments aimed at increased privacy protections. [Los Angeles Times]

US – Revamped CISPA to Go to Committee Vote

The House Intelligence Committee this week will discuss the Cyber Intelligence Sharing and Protection Act (CISPA), which would provide companies “lawsuit immunity in the case of data exchange.” Changes to the proposal haven’t been announced yet, but some say it will require stronger data anonymization and use restrictions in hopes of allaying the Obama administration’s privacy concerns—which led to threats of a veto last year. “We need to get a little more specific in terms of what type of information we’re sharing and under what circumstances,” said George Washington University Homeland Security Policy Institute Director Frank Cilluffo. CISPA is slated for a committee vote April 10 in a closed session. [ZDNet]

US – Rep to Propose CISPA Amendment; Franken to Reintroduce Bill

Rep. Adam Schiff (D-CA) will propose an amendment to the Cyber Intelligence Sharing and Protection Act (CISPA) to address privacy advocates’ major concerns. Schiff’s amendment would require companies to strip any information “that can be used to identify a specific person unrelated to a cyber threat” before sharing the data with the government or other third parties, the report states. The bill is to be discussed in a closed-door meeting of the House Intelligence Committee next week. Meanwhile, Sen. Al Franken (D-MN) plans to reintroduce his Location Privacy Protection Act and recently admonished retail analytics firm Euclid for the opt-out nature of its data collection practices. [The Hill]

US – Advocates Want House to Debate CISPA Openly

Privacy groups are calling on U.S. lawmakers to make significant changes to the Cyber Intelligence Sharing and Protection Act (CISPA). The 41 groups include the Center for Democracy and Technology, the ACLU and the Electronic Frontier Foundation, and they want the House Intelligence Committee to debate the bill publicly rather than behind closed doors. While Rep. Mike Rogers (R-MI) said recently that concerns with CISPA are due to bad PR, the ACLU says everyone, “from the privacy community to the president, agrees that CISPA is bad on privacy.” Meanwhile, a recent survey indicates data security concerns from American Chamber of Commerce members operating in China are on the rise. [COMPUTERWORLD]

US – The Challenges of Geography-Based Regulations

San Francisco Chronicle explores the challenges that come with geographically differing regulations for online privacy. California, for example, has more defined privacy laws than other U.S. states, but non-California-based Internet companies accessed by California residents are still required to follow California law. Developer Jonathan Nelson says, “The thought of an ‘international boundary’ when it comes to data is really silly to me,” adding, “It’s archaic.” But the EU is also considering regulations that say any online business used by EU citizens is subject to EU privacy laws. Parker Higgins of the Electronic Frontier Foundation adds, “The best approach isn’t necessarily legislating every situation” but “giving consumers the information they need to make choices for themselves.” [Source]

US – Idaho Passes Drone Privacy Law

Amid growing concerns over privacy, Idaho Governor C.L. “Butch” Otter signed a law restricting the use of unmanned aerial aircraft (UAV) by law enforcement and other public agencies. Idaho now becomes the second state, after Virginia, to pass legislation limiting UAV use. To use the burgeoning technology, law enforcement will need to obtain a warrant prior to collecting evidence on suspects, unless the criminal activity involves illegal drugs or if the UAV is being used for public emergencies or rescue missions, the report states. Idaho Assistant Majority Leader Chuck Widner said, “We’re trying to prevent high-tech window-peeping.” [Chicago Tribune]

Workplace Privacy

US – Retailers Track Employee Thefts in Vast Databases

The New York Times reports on databases created by retailers across the nation that track employees accused of workplace theft. Retailers tap into the databases in order to avoid applicants who have been accused of such crimes by previous employers. In many cases, the report states, employees “have no idea that they admitted to committing a theft or that the information will remain in databases.” Presently legal, the databases are being scrutinized by the Federal Trade Commission for potential violations of the Fair Credit Reporting Act. One lawyer familiar with the system said such a database is a “secret blacklist” and added, “The employees don’t know about it until they have already been hurt.” [Source]

+++ 

16-31 October 2012

 

Biometrics

US – FTC Releases Facial Recognition Best Practices

The Federal Trade Commission has released recommendations for companies using facial recognition technology. “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies” recommends that companies design their services with consumer privacy as a consideration; develop reasonable security practices; assess the sensitivity of the information that is collected, and make sure consumers are aware when a facial recognition technology is being used. “Fortunately, the commercial use of facial recognition technologies is still young,” the staff report states. “This creates a unique opportunity to ensure that, as this industry grows, it does so in a way that respects the privacy interests of consumers while preserving the beneficial uses the technology has to offer.” [Source] [Source] SEE ALSO: [EU – Referral Decision to the European Court of Justice re: refusal to provide biometric data in relation to travel documentation and passports – The Council of State, Netherlands]

WW – The Emergence of Emotion-Sensing Technologies

Improved facial recognition technologies are now capable of sensing human emotions such as anger, sadness and frustration. Affective computing is currently being developed to assess a wide range of applications from reading student interest in the classroom to helping those on the autism spectrum understand the emotions of others. Emotionally aware devices, however, give “many people the creeps,” the report states. Oxford University Future of Humanity Institute Director Nick Bostrom said, “We want to have some control over how we display ourselves to others,” adding, “it’s not obvious the world would be a better place” with such technology. [The New York Times] SEE ALSO: [Smart Cameras Predict Human Behavior]

Canada

CA – Online Surveillance Set as Tories’ Bill C-12 Comes Up for Second Reading

The Conservative government’s widely criticized online surveillance legislation may be on the back burner, but another bill that would expand police access to Internet users’ data is about to resurface. Bill C-12 would make it easier for authorities — possibly including private security firms — to obtain information about subscribers from Internet service providers, email hosts and social media sites on a voluntary basis. The legislation also includes provisions that could effectively impose a gag on the companies, preventing them from telling customers their personal details have been shared. Government House leader Peter Van Loan recently signalled the little-noticed bill could come up for second-reading debate as early as next week. The likely re-emergence of the bill comes eight months after a storm of outrage over another, highly publicized attempt to boost Internet surveillance. Bill C-30 alarmed civil libertarians because it would allow authorities access to Internet subscriber information — including names, addresses, telephone numbers and email addresses — without a warrant in cases where companies refused to provide it voluntarily. [National Post] SEE ALSO: [Canadian police urge Parliament to pass domestic spying bill]

CA – Canadian, German Data Protection Watchdogs Join Forces

The German and Canadian data protection commissioners signed an agreement that aims to ensure people’s digital privacy will be better protected if data travels across borders via the Web, the authorities announced. International cooperation could help put companies like Facebook and Google on a privacy leash. Both countries will inform each other about important events and complaints and will cooperate on specific cases, the authorities said in a news release. Although there have not yet been cases where the data protection authorities might have wanted to work together, Peter Schaar, the German Federal Commissioner for Data Protection and Freedom of Information, said international cooperation is needed in cases dealing with companies like Google and Facebook. Both data protection agencies are striving to expand their coordination with counterpart agencies around the world, they said. At the 34th International Conference of Data Protection and Privacy Commissioners at the end of October in Uruguay, Canada and Germany plan to discuss extending their cooperative agreement to more countries. [IDG News Service]

CA – Federal Confusion Undermines No-Fly List, Spy Watchdog Says

The federal spy watchdog says confusion over how Canada’s no-fly list should work has “significantly undermined” its potential to help keep the skies safe. In its newly released annual report, the Security Intelligence Review Committee reveals there is uncertainty in government over who should be on the no-fly roster. Under the program in place since June 2007, airlines rely on a list of individuals considered “an immediate threat to civil aviation” should they board an aircraft. The review committee says, however, that description is open to interpretation, and federal agencies have “struggled” with nominating people for the list. The review committee also raises concerns about CSIS’s information exchanges with foreign counterparts — a sensitive issue given the possibility such sharing can lead to the torture of people detained in overseas prisons. The committee identified problems with:

 - CSIS’s efforts to obtain assurances from foreign partners when receiving information from them.

 - the attachment of caveats — or restrictions on use — when providing information to a foreign agency.

 - the sharing of information on young offenders.

The watchdog concluded there was a “lack of clarity and absence of guidelines” on assurances from foreign partners when information-sharing poses a substantial risk of torture. It also found the use of specific caveats was inconsistent — noting up to a dozen different ones had been attached to files shared in recent years. The review committee recommends CSIS develop policy and direction on the use of assurances, and that it revise its policy on caveats. [CBC News] SEE ALSO: [US – Experts warn about security flaws in airline boarding passes] AND [Auditor General report: Canada’s online security centre not operating around the clock]

CA – Federal Privacy Commissioner Satisfied With Response from ‘Leaky’ Web Sites

Privacy Commissioner Jennifer Stoddart says she’s pleased with the progress made by organizations flagged as raising privacy concerns. In September, Stoddart said some leading Canadian websites were inappropriately sharing users’ personal information with third parties. After investigating 25 shopping, travel and media sites, Stoddart wrote to 11 of them asking for changes in order to comply with Canadian privacy law. A Stoddart spokesperson said she’s “pleased that they appear to be taking this issue very seriously,” and the office is now analyzing their responses for continued discussions. [ITBusiness.ca]

CA – Ontario Commissioner Releases Paper on Personal Data Ecosystem

Information and Privacy Commissioner of Ontario Ann Cavoukian, with co-authors from Europe and the U.S., has released a paper, Privacy by Design and the Emerging Personal Data Ecosystem, that highlights new technologies enabling Internet users to have more control over their data. “Privacy is all about control,” Cavoukian says in a news release, adding, “that is why I am taken with the promise of the emerging Personal Data Ecosystem. New technologies…give individuals a central point of control for their personal information and the ability to decide what information to share, with whom and under what conditions.” [News Release] See also: [NYT: New Online Storage Service to Put Users in Charge] AND [US – Data Deluge Creates Privacy Issues]

Consumer

WW – Transaction Data-Sharing Rising; Consumers Want Control Over PI, Says Survey

MasterCard is currently reviewing transaction data to help marketers improve targeted advertising. MasterCard Senior VP of Media Solutions Susan Grossman said, “The foundation of all our solutions is transaction data.” A company spokesman said MasterCard is “committed to protecting individual privacy” and that shared data is anonymous and aggregated. Wired reports on potential business ventures for Amazon. A representative from a digital ad agency said, “With rich data on its users, Amazon is uniquely positioned to match advertisers with shoppers.” Meanwhile, a TrustedID survey has revealed that less than 20% of consumers have a good understanding of “data brokers.” [Financial Times]

E-Government

US – Presidential Campaigns Ramping Up Online Tracking

The New York Times reports on the online tracking of consumers by both U.S. presidential campaigns. “One of the hallmarks of this campaign,” the article states, “is the use of increasingly complex—but not always accurate—data-mining techniques to customize ads for voters based on the digital trails they leave as they visit Internet sites.” According to an Evidon report, both campaigns have increased their online tracking beyond that of many popular retailers. Some privacy advocates worry that collected data could be used for secondary purposes, giving businesses a window into users’ political beliefs. The ACLU’s Chris Calabrese said, “We simply don’t know how this information is going to be used in the future and where it is going to end up.” [NYT] SEE ALSO: [AU – Site names homeowners – concern over website’s breach of privacy]

Encryption

US – Inspector General: Lack of Encryption Software Puts Vet Data at Risk

Encryption software purchased for PCs and laptops at the U.S. Department of Veterans Affairs (VA) has been installed on only 16% of computers, according to the department’s inspector general. The software was purchased six years ago after a high-profile data breach involving the loss of information on 26 million veterans and costing $20 million to clean up. An anonymous tip that the software was not being implemented prompted the inspector general to investigate. The inspector’s subsequent report states that veterans’ data “remained at risk due to unencrypted computers.” The VA says it plans to complete installing the software by September 2013. [InformationWeek] [Inspector-General report]

UK – RSA Splits Passwords in Two to Foil Hackers’ Attacks

A product that scrambles and then splits users’ passwords in two before storing them on different computer servers has been unveiled by RSA. The security firm says the facility offers better protection against hackers, who would only gain access to half a “randomised” password in the case of a successful attack. The firm said the idea had been discussed by academics for some time. However, one expert said it would only prevent a minority of attacks. RSA’s distributed credential protection (DCP) facility was announced at the company’s annual European Conference in London. “DCP scrambles, randomises and splits sensitive credentials, passwords and Pins and the answers to life or challenge questions into two locations,” said the firm’s marketing manager Liz Robinson. “This is especially important in today’s landscape as we’ve seen over 50 million passwords stolen in large data breaches in 2012 alone.” [bbc.co.uk] SEE ALSO: [Top 25 common, attackable passwords: Stop using ‘ninja’ and ‘jesus’]

EU Developments

EU – Justice Committee Calls for Changes in Draft Data Protection Proposals

The Justice Select Committee has said the European Data Protection proposals “need to go back to the drawing board.” The committee says in a new report that the updates to data protection laws are “too prescriptive” and don’t allow necessary flexibility for data protection authorities or organizations that retain personal data. The proposals should focus on the commission’s objectives while compliance should be monitored by member states, the committee suggests. The committee noted its support for the draft law’s provisions that would give individuals increased control of their data, allow for data erasure or removal and harmonize laws across regions. [Parliament.uk] SEE ALSO: [EDPS – Comments on DG Connect’s Public Consultation on Improving Network and Information Security (NIS) in the EU] SEE ALSO: [EU – RSA’s Coviello calls for privacy laws to be overhauled to improve security]

US – FTC Declines to Comment on EU’s Call for Privacy Policy Changes

Following French DPA (CNIL) President Isabelle Falque-Pierrotin’s announcement on calls for Google to revise its privacy policy, the U.S. has “declined to join European criticism.” Falque-Pierrotin had asked the FTC’s David Vladeck to support a letter that Dutch DPA Chairman Jacob Kohnstamm previously confirmed was endorsed by 27 EU member states, Canada and some countries in Asia. Vladeck declined, and the FTC has not commented on whether it is investigating privacy issues raised in the letter, the report states. “We would have been happy if they would have signed it,” Falque-Pierrotin said, adding, “I think they will study it and have their own conclusions.” [The Washington Post]

EU – Reding Hints at Data Protection Concessions for SMEs

At a Home Affairs Council meeting in Luxembourg last week, EU Justice Commissioner Viviane Reding said she was willing to offer some concessions to small-medium enterprises (SMEs) and the public sector in revisions to the data protection regulation. Though the regulation needs the “right firmness of touch,” Reding said she did not want SMEs to be overburdened. “The commission is prepared to look at whether this SME exemption could be broadened to other areas and that we can also look to add further flexibility through an approach that takes into account the amount and sensitivity of the data processed,” Reding said, adding, “One thing is clear: There can be no general exemption for the public sector.” [COMPUTERWORLD UK]

EU – Council of Europe Promoting Latin American Data Protection

The Council of Europe is encouraging non-EU member states to ratify Convention 108—the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. Uruguay, which recently hosted an international privacy conference, has initiated the ratification process, possibly becoming the first non-Council of Europe member state to do so. Council of Europe’s Jörg Polakiewicz said, “The eventual accession of Uruguay will be a key step towards the global promotion of the convention and intergovernmental cooperation on personal data protection,” adding, “We are sure, hopefully, that Uruguay will be the first of many non-European countries to join the treaty.” [MercoPress]

UK – ICO Looking Into Police Data Collection, Retention

The Information Commissioner’s Office (ICO) is investigating claims against Kent police over data collection and retention activities. A spokesman for the ICO said, “If police forces are examining the content on mobile phones and are wanting to use that information, this would need to comply with the Data Protection Act.” He added the office is “looking at this issue and will be considering whether any action is necessary to help ensure compliance…” Meanwhile, a spokesman for the Home Office said that although information about suspects is crucial, police “should only be extracting and retaining data relevant to criminal investigations or for other permitted purposes.” [This is Kent]

UK – UK ICO Updates Guide to ICO Data Protection Audits, Version 2.0

The audit guidelines have been updated to reflect the likelihood of follow-up action after the original audit has been completed, based on the original audit findings:

 - high assurance of data protection: there will be no follow up.

 - reasonable assurance of data protection: an e-mail follow up will be conducted at 6 months and a short summary report will be produced.

 - limited assurance of data protection: an e-mail follow up will be conducted at 6 months to determine whether a follow up visit is required.

 - very limited assurance of data protection: 3 monthly updates will be required from the organisation, as well as a full update at 12 months, and a follow up site visit will probably be required.

[Source] SEE ALSO: [UK Information Commissioner’s Office – Audit: A Guide to ICO Privacy and Electronic Communications Regulations Audits] AND [UK Information Commissioner’s Office – Audit Outcome Analysis: Central Government – February 2010 to July 2012] AND [UK Information Commissioner’s Office – Audit Outcome Analysis: National Health Service (NHS) – February 2010 to July 2012] AND [UK Information Commissioner’s Office – Surrey and Sussex Probation Trust – Data Protection Audit Report Executive Summary] AND [Datainspektionen, Sweden – Decision – Uppsala County Council Hospital is Correcting Deficiencies: the Data Inspection Board (“DIB”) issues a decision regarding a hospital’s shortcomings in its IT systems regarding doctor access to medical records]

UK – ICO Fines Council £120,000 After Child Data Breach

The Information Commissioner’s Office (ICO) has fined Stoke-on-Trent Council £120,000 after sensitive personal information was e-mailed to the incorrect recipient. The council failed to resolve issues raised by an earlier and similar incident by failing to provide a legal department with encryption software and lacking data protection training, the report states. ICO Head of Enforcement Stephen Eckersley said “the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure.” [publicservice.co.uk] SEE ALSO: [UK – Information Commissioner’s Office – Data Protection Act 1998 Monetary Penalty Notice – Norwood Ravenswood Limited]

EU – Regulators Looking Into Microsoft Changes

Luxembourg and other EU data protection commissions (DPCs) are looking into whether changes Microsoft made to its Internet products Hotmail and Bing bring new privacy risks for users and comply with the region’s standards on notice and choice. President of the Luxembourg DPC Gerard Lommel acknowledged that possible issues “can neither be excluded nor confirmed” in this case, suggesting the review is not on the level of a recent investigation into Google’s privacy policy changes “where clear privacy issues had been identified.” [The Washington Post] SEE ALSO: [EU – European Commission v. Republic of Austria – Case C-614/10 – European Court of Justice]

EU – Court Rules Austria DPA Needs More Independence from Gov’t

The Court of Justice of the European Union (CJEU) has ruled that the Austrian government has not complied with EU law as it has not provided its data protection authority (DPA), the Datenschutzkommission, with “complete independence.” In order to attain “complete independence,” the CJEU ruled that DPA staff must not share offices with government officials; must not be required to provide the government with “unconditional” access to information about the DPA’s work, and an individual heading a DPA must not simultaneously hold other government positions. During a speech in Brussels, the European Data Protection Supervisor called the decision a “great day for data protection in Europe,” while also discussing the relationship between the proposed EU regulation and the e-Privacy Directive. [Out-Law.com]

UK – Graham: “Important Data Protection Principles at Stake”

Information Commissioner Christopher Graham told a committee of MPs recently that the draft Communications Bill, currently in front of Parliament, may miss its intended mark and instead uncover “incompetent and accidental anarchists” rather than the “really scary people.” The bill would see Internet service providers (ISPs) required to store communications data for at least one year, but Graham says it may only apply to the six largest companies, adding, there are “important data protection principles at stake. There is a judgment to be made between the security community saying ‘we have to have this stuff’ and the civil liberties community, which says this is a gross intrusion of privacy and of citizens’ rights.” [BBC News]

Filtering

WW – Twitter Posts Notices for Copyright-Deleted Tweets

Twitter has made a significant shift in how it responds to copyright complaints. In the past, such complaints meant that tweets would vanish without a trace but now people can see the place where the tweet once stood — and reaction to its disappearance. [GigaOm]

Finance

WW – PCI Council Says Payment Regulation Is Challenging

PCI Security Standards Council European Director Jeremy King has said the council was “surprised at how fast new technologies were coming along” in the mobile payment landscape. King added, “Mobile technology is still new, and there is still no knowledge of how to do mobile security.” Analyst Alan Goode said challenges not only reside on the security side but in the authentication and data protection spheres as well. “It is difficult to regulate and ensure data is protected,” he said, adding, “With mobile you can do it right, providing that the data is protected and assured.” [SC Magazine]

US – Credit Report Data Security Questioned

The theft of credit reports raises questions of whether adequate security is being employed to protect credit reporting databases. Instead of directly targeting the big three credit bureaus, data thieves often target affiliated businesses that utilize credit background checks. Sen. Richard Blumenthal (D-CT) said, “This is profoundly important because it illustrates a growing problem when it comes to data breaches and security—the chain is only as strong as its weakest link,” adding, “If their customers have inadequate security practices, so do the credit bureaus.” A spokesman for Experian said, “We continue to invest in the security systems we have in place to protect our clients and consumers.” [Bloomberg] see also: [CA – TD Bank missing data could affect 1,000 Canadians with U.S. accounts] SEE ALSO: [US – Can’t fix error in your credit report? Call Consumer Financial Protection Bureau] AND [“Lagarde list” of Greek depositors in Swiss bank leaked, journalist arrested for breach of privacy]

FOI

CA – Federal Gov’t Plans Online Pilot Project for Access-to-Information Requests

Canada’s archaic access-to-information regime is about to establish a toehold in the online world. The Harper government plans a pilot project early next year to allow ordinary citizens and others to request internal documents under the Access to Information Act via the Internet. The one-stop online portal would route each request to the proper department, allow fees to be paid electronically, and permit detailed tracking of the processing of the file. The initiative will begin with just three departments, but is to include most federal agencies and institutions over the next three to four years. Canada, once considered a global leader in freedom of information, has since become a laggard, with one 2011 study ranking the country 40th among 89 nations with similar transparency laws. [Source] [Canadian government revamping open data portal] SEE ALSO: [Ontario ombudsman André Marin says municipalities ‘shockingly secretive’]

US – Gazette Sues City for Records of Employee Discipline for Internet Abuse

The Billings Gazette filed a lawsuit against the city of Billings, asking for the release of public records dealing with city workers who were disciplined for viewing inappropriate websites on the job. The state District Court lawsuit seeks a court order compelling the city to produce documents in the case of five workers who were suspended without pay for five days last spring. In the lawsuit, Gazette attorney Martha Sheehy cited the right-to-know provision of the Montana Constitution and said the city “impermissibly violated the public’s right to inspect and copy documents held or generated by a public body.” The city has not identified the five workers and would not say what positions they held or where in the city they worked. “The law is well settled,” the suit says. “Public employees who occupy positions of trust have no legitimate right to privacy to investigations of their conduct.” The suit further says that managerial employees “clearly had no reasonable expectation of privacy” and nonmanagerial employees “have limited privacy interests in the misuse of government time and computers in the accessing of inappropriate internet sites.” “The public’s right to know clearly outweighs any privacy interests which might be asserted by a public employee disciplined for accessing or repeatedly attempting to access inappropriate materials while at work for the City,” the suit continues. In addition to asking for a court order requiring the city to produce the requested documents, the suit asks that the city pay the newspaper’s attorney fees and costs. [Source] SEE ALSO: [IPC ON – Order PO-3110 – Appeal PA11-347 – Ministry of Health and Long-Term Care]

Genetics

US – Citing Privacy Concerns, U.S. Panel Urges End to Secret DNA Testing

They’re called discreet DNA samples, and the Elk Grove, California, genetic-testing company easyDNA says it can handle many kinds, from toothpicks to tampons. If the availability of such services seems like an invitation to mischief or worse – imagine a discarded tissue from a prospective employee being tested to determine whether she’s at risk for an expensive disease, for instance – the Presidential Commission for the Study of Bioethical Issues agrees. On Thursday it released a report on privacy concerns triggered by the advent of whole genome sequencing, determining someone’s complete DNA make-up. Although sequencing “holds enormous promise for human health and medicine,” commission chairwoman Amy Gutmann told reporters, there is a “potential for misuse of this very personal data.” The bioethics panel recommends a dozen forms of privacy protection, including that “surreptitious commercial testing” be banned: No gene sequencing or other genetic testing should be permitted without consent from the person the DNA came from, it said. About 25 states currently allow such DNA testing. The full report from the presidential commission is at www.bioethics.gov. [reuters.com] [US Panel: Protect patients who use whole genome sequencing] SEE ALSO: [IN – Department of Biotechnology, Government of India – Draft Human DNA Profiling Bill 2012]

Google

US – Policies of Google and Others Said to Mean Privacy Risks For ‘Cloud’ Users

The privacy policies of Google and other tech firms could allow them to mine personal data held by government agencies that use cloud-based e-mail, database and document services, an industry group warned. The group, SafeGov.org, a consortium of industry experts promoting safe government use of cloud services, raised the concern as Google has sought to defuse controversy over changes to its privacy policy that allow for more extensive tracking of consumers. SafeGov.org first highlighted this issue in January after Google announced plans to consolidate its privacy policy across more than 60 services, including Gmail and YouTube, allowing tracking of users as they move among those sites. The group recently renewed its call for greater safeguards after European data-protection commissioners last month identified significant legal shortcomings in the policy and called for changes. Google officials say the changes to its privacy policy do not affect the bundle of productivity software it sells to governments, which are governed by contractual provisions. “The privacy policy as written gives them unlimited ability to mine [data] as they see fit,” said Jeff Gould of SafeGov.org. SafeGov.org says its concerns extend to state and local governments, as well as schools and other public institutions. “It’s just not appropriate to have data mining,” Gould said. “If they’re not doing that, then let them say that.” [The Washington Post] SEE ALSO: Europe: [Google’s privacy policy under fire] AND [NYT: Larry Page Defends Google’s Privacy Policy] AND [UK: Google told to fix privacy policy by EU data regulators]

EU – Advocate: Google Data Use Should Be in Antitrust Talks

A European-based consumer rights group has said the European Union should consider Google’s access to personal data in its antitrust considerations. Consumer organization BEUC Director General Monique Goyens said in a letter to the EU’s antitrust chief that much of the company’s market advantage is “largely fueled by its access to users’ personal data.” Goyens added, “The privacy policy of Google is directly linked to its dominance in the online search and should therefore be considered as an aggravating factor in your analysis.” [BusinessWeek]

US – Opposition to Google’s Safari FTC Privacy Settlement to Be Heard Next Month

A California court will hear arguments next month against a proposed settlement between Google and the FTC. The $22.5 million settlement is the largest fine handed down by the FTC thus far and stems from Google’s use of cookies to track users of Apple’s Safari browser. Privacy advocates have criticized the settlement for being “too soft,” the report states. Advocacy group Consumer Watchdog will argue at the November 16 hearing that the deal does not prevent Google from conducting similar tracking in the future and does not require the company to destroy information gleaned from past tracking. [IDG News Service]

WW – Google Exec: Internet Evolves Too Fast for Regs

A Canadian policy manager at Google, Colin McKay, told a House of Commons committee that the online world moves too fast to create regulations that will endure and that a more enforcement-focused system could curb open discussions between tech companies and regulators. “We would have to consider what the possible repercussions of having that open a discussion, in a system that’s more heavily focused on enforcement, would have on how our products roll out and how the privacy commissioner interprets our actions,” McKay said, adding that the two sides now engage in constructive dialogue and companies respond quickly to rulings. [The Canadian Press] SEE ALSO: [CA – OPC – Letter to the French Data Protection Authority Regarding its Review of Google’s Privacy Policy] and [CA – Wayne Plimmer v. Google Inc. – Class Action Complaint – Supreme Court of British Columbia] and [US – Brad Scott and Todd Harrington et al. v. Google, Inc. – Defendant Google Inc.’s Motion to Dismiss Plaintiffs’ First Amended Class Action Complaint – United States District Court Northern District Of California, San Jose Division] AND [AU – student data stored for Google ads] AND, finally: [Google allows anyone with a Web browser to peer into data centers that power its services]

Health / Medical

UK – NHS lost 1.8 Million Patient Records in a Year

More than 5,000 confidential patient records are being lost by the NHS every day, according to new figures. Official statistics showed that at least 1.8 million sensitive papers went missing throughout the health service in just 12 months. The breaches included data security records dumped in public bins and electronic records found for sale on an internet auction site. Other security lapses involved details of terminally ill patients being faxed to the wrong number, patient records being stolen and posted on to the internet and unsecured laptops being stolen from homes of staff members. Campaigners today labelled the disclosures as worrying lapses in data protection laws and called for systems across the NHS to be tightened. [Telegraph Reporters] SEE ALSO: [US – Seeking a difficult balance: The limits of privacy in the emerging healthcare IT ecology] AND [US – Electronic Health Records vs. Patient Privacy: Who Will Win?] AND [US: Centers For Medicare & Medicaid Services (CMS) Falls Short In Response To Healthcare Data Breaches] AND [Ontario College of Physicians keeps secret details of doctor’s incompetence] AND [NYT: Boy Scout Files Give Glimpse Into 20 Years of Sex Abuse]

Horror Stories

US – Breach Report: 174 Million Records Compromised in 2011

According to Verizon’s Data Breach Investigations Report, 174 million records were compromised in 855 data breach incidents in 2011. Calling it “an all-time low” for data breach protection, the report revealed that 96% of organizations required to follow the Payment Card Industry Data Security Standard (PCI DSS) that experienced a breach—according to Verizon’s “caseload”—were not compliant with PCI DSS. The Verizon report stated, “We are seeing a continuing trend whereby more of the organizations that fall in the 96% tend to be on the small side,” adding, “In many cases, these organizations have either failed to perform their assessments or failed to meet one or more of the requirements.” [Out-Law.com]

US – 3.5 Million SSNs Exposed in Data Breaches

A data breach at the South Carolina Department of Revenue has exposed as many as 3.6 million Social Security numbers and 387,999 credit card numbers. The breach was the result of a cyber attack against the department’s systems in mid-September. The Social Security numbers were not encrypted. The state’s chief consumer advocate is calling for privacy laws to be strengthened to tell agencies how to guard against a breach. Meanwhile, employees of the Hillsborough Area Regional Transit Authority in Florida have been alerted that their Social Security numbers and bank information may have been compromised. [SecurityWatch]

WW – Hackers Breach 53 Universities and Dump Thousands of Personal Records Online

Hackers published online Monday thousands of personal records from 53 universities, including Harvard, Stanford, Cornell, Princeton, Johns Hopkins, the University of Zurich and other universities around the world. The group of hackers, calling themselves Team GhostShell, claimed responsibility for the attack on Twitter and published some 36,000 e-mail addresses and thousands of names, usernames, passwords, addresses and phone numbers of students, faculty and staff, to the Web site Pastebin.com. In most cases the data was already publicly available, but in some instances the records included additional sensitive information such as students’ dates of birth and payroll information for university employees. [New York Times] SEE ALSO: [Spear-phishers lie in wait at ‘watering hole’ websites]

US – PIN Pads Breached at Barnes & Noble Stores

Credit card information of Barnes & Noble customers has been stolen by hackers at 63 store locations across the country. The bookseller discovered the breach in September and was instructed by the Justice Department to keep the matter under wraps so the FBI could investigate. The hackers allegedly accessed the financial data via PIN pads placed at store registers. Though breach notification varies by state, Morrison & Foerster Attorney Miriam H. Wugmeister said, “If you have a breach that included name plus credit card information, but the credit card information was encrypted, you would not have to provide notice.” [The New York Times]

US – Tennessee Hospital Reports Breach

A Tennessee hospital is notifying 27,000 patients that their personal information has been compromised. Blount Memorial Hospital says a laptop was stolen during a burglary in August. The laptop contained 22,000 patient names, dates of birth, addresses and billing information, among other details, and the Social Security numbers of about 5,000 additional patients. The hospital has alerted the U.S. Department of Health and Human Services Office for Civil Rights. [knoxsnews.com] SEE ALSO: [CA – Lawyers to start process for class action suit over privacy breaches at Peterborough hospital]

US – University of Georgia Notifies 8,500

The University of Georgia (UGA) is notifying 8,500 current and former employees that their personal information may have been exposed. According to UGA Vice President for Information Technology Timothy Chester, “This appears to be a planned intrusion by someone who knew enough about our operations to know which accounts to attack and where the sensitive information was located within the system.” The intruder reset the passwords of two IT department personnel to gain access to the data. “It is clearly a criminal act of computer trespass, and we are working with UGA Police to investigate,” Chester told employees in an e-mail. [SCMagazine]

US – $665,000 or More Expected in Settlement of MN Case

A former police officer may receive more than $665,000 in the settlement of a case where other law enforcement officers illegally accessed her driver’s license information. Her suit alleges 144 law enforcement officers “accessed, used or disclosed her private information approximately 554 times” between 2005 and 2012 “without any legitimate business reason to do so” and names the cities of St. Paul and Minneapolis, MN, among others. A $385,000 settlement is proposed with St. Paul, MN, and a $280,000 settlement was reached during an October 1 court-ordered mediation with the 16 other area cities. A settlement conference with the city of Minneapolis is scheduled for October 25. [KSTP-5 Eyewitness News] see also: [NZ: Independent inquiry into WINZ privacy breach]

Identity Issues

CA – Service Ontario ID Card Changes

In a recent press release, Liz Sandals and Bob Chiarelli, Ontario Minister of Infrastructure, Minister of Transportation, announced that the program running the Ontario ID cards is improving. Ontario is making it easier for residents without a driver’s licence to get official, government-issued photo ID. The Ontario Photo Card is now available at the following local ServiceOntario centres: The card will be offered at all ServiceOntario centres throughout the province by December 2012. [Source] SEE ALSO: [New Canadian Passports: Tories Pushed Design In A Historical Direction] AND [CA – Alberta man wins back identity 8 years after losing wallet]

WW – Facebook Removes Two-Factor Authentication Mobile Numbers From Search

Mobile phone numbers used for Facebook’s ‘Login Approvals’ account security feature are no longer searchable through the website. Facebook’s search system provides reverse lookup functionality that allows users to find other people on the website by searching for their phone numbers or email addresses instead of their names. Facebook “Login Approvals” is a two-factor authentication feature that requires users to input special codes sent to their mobile phones in addition to their regular passwords when attempting to authenticate from a new device. The feature is designed to prevent account abuse in cases where the user’s password is compromised. The new restriction only applies to mobile phone numbers used for two-factor authentication, not every phone number added by users in the “Contact Info” section of their profile pages, the Facebook spokeswoman said. Last week, Facebook limited the rate at which phone numbers can be searched on its mobile website in order to block a phone-number harvesting method disclosed by a security researcher. Suriya Prakash, an independent security researcher from India, publicly reported on Oct. 5 that Facebook’s reverse lookup feature can be abused to search for thousands of sequential phone numbers in order to find any Facebook profiles associated with them. [IT World]

Intellectual Property

US – Judge Sets Record $1.5 Million Fine in BitTorrent Case

Kywan Fisher was ordered by an Illinois federal court to pay $1.5 million, or $150,000 for each of the ten movies he downloaded, to adult film production company Flava Works. In a default judgment, the judge set the maximum penalty under U.S. copyright law of ten times statutory damages — the biggest penalty to date in a BitTorrent case. [Forbes]

Internet / WWW

WW – UN Wants “Anti-Terror” Internet Surveillance

The United Nations (UN) has released a report calling for more surveillance of Internet traffic and users for the purpose of undermining terrorist activity. “The Use of the Internet for Terrorist Purposes” states, “One of the major problems confronting all law enforcement agencies is the lack of an internationally agreed framework for retention of data held by ISPs.” The 148-page report notes that terrorists use social networks to spread propaganda. UN Executive Director Yury Fedotov said, “Potential terrorists use advanced communications technology, often involving the Internet, to reach a worldwide audience with relative anonymity and at a low cost.” [CNET News] SEE ALSO: [US – Zillow Now Tells the World About Your Foreclosure]

Law Enforcement

US – Minneapolis Police Want to Limit Access to License Plate Camera Data

A Minneapolis municipal committee is now advocating on behalf of local police for a change in Minnesota’s state law concerning the right to access data collected from license plate readers (LPRs). For now, the city maintains a massive database collected from its 11 LPR readers that hold each license plate number seen, along with the corresponding GPS location data, date and time for the previous 90 days. In a recent meeting, the Committee of the Whole Agenda heard discussions regarding a new proposal from the city police department that would restrict access to license plate reader records. Under the proposed rules, only the police would have access to the entire database, and a non-police individual would only be able to access the data that pertained to his or her car. Currently, a rather liberal open records state law known as the Data Practices Act makes all government data public by default. If approved by the Minneapolis city council, such changes could be put forward to the state legislature as soon as next year. [Ars Technica]

CA – Police Push for Surveillance, Data-Sharing Legislation

Police chiefs across the country are pushing for controversial Internet surveillance legislation in the name of investigations involving cyber and cell phone technology. The Canadian Association of Chiefs of Police says such investigations are being hampered by antiquated laws and wants Bill C-30 back on Parliament’s agenda, though privacy concerns halted its progress earlier this year. Police say requiring Internet providers to share information on subscribers would allow for better crime-solving and would help thwart cases such as cyberbullying. Meanwhile, Bill C-12, which would facilitate data sharing between online service providers and police, is expected to see a second reading debate soon. [Source] SEE ALSO: [Edmonton police in the wrong for withholding file, rules Alberta’s privacy commissioner]

US – Police May Use Hidden Surveillance Cameras on Private Property Without Warrant

A federal judge in Wisconsin has ruled that law enforcement officers may, in some cases, install hidden surveillance cameras on private property without first obtaining a warrant. US District Judge William Griesbach ruled that the US Drug Enforcement Administration (DEA) acted reasonably when it entered private property without the owners’ permission and without a warrant and installed several hidden surveillance cameras in an operation aimed at gathering evidence that the suspects were growing marijuana. The defendants, who could face life in prison and fines of up to US $10 million, maintain that their Fourth Amendment rights were violated because there were “No Trespassing” signs posted on the 22-acre property. Judge Griesbach adopted a recommendation by US Magistrate Judge William Callahan that said the action did not violate the defendants’ Fourth Amendment rights. The trial is scheduled to begin in January 2013. [CNET] SEE ALSO: [AB – Cops to test ‘body-worn video’ to record police work]

Location

US – Judge Concerned About Warrantless Cell Tracking

A Texas judge has concerns about the ways law enforcement agents are using technology to gain data on cell phones in particular areas. Magistrate Judge Brian Owsley recently denied two federal requests for warrantless cell phone tracking, noting the government should apply for warrants. The judge says he’s concerned agents and U.S. attorneys don’t understand the technology. “Without such an understanding, they cannot appreciate the constitutional implications of their requests,” Owsley wrote in an order last month, adding there has been no discussion around how data retained on innocent people would be used. [The Wall Street Journal]

US – The Growing Use of GPS Tracking Devices

The New York Times reports on the use of GPS tracking devices by families. The small, beeper-like gadgets can be placed in a car to follow a teenager or spouse, in a child’s backpack to ensure the child gets to and from school safely or embedded in medical-alert technology to provide emergency help to the elderly. The user can track a subject’s location via the web or smartphone app—and some companies offer multiple tracking services. This “kind of air-traffic control panel of familial concern” raises issues of privacy and personal space, the report states. [Source] SEE ALSO: [Location-based services: Common sense will keep you safe]

CA – Woman Files Suit Over iPod Location Privacy

A Surrey woman has filed a suit in British Columbia’s Supreme Court alleging Apple’s iOS4 operating system violates users’ privacy rights. Amanda Ladas says her iPod allows anyone with “moderate computer knowledge” to determine her location. The suit, which seeks class-action status, claims Apple has “violated the privacy and security rights” of Ladas and other potential plaintiffs and “has engaged in deceptive acts or practices” entitling plaintiffs to damages. [The Vancouver Sun]

Offshore

IN – Gov’t Panel Issues Privacy Law Recommendations

A government-appointed panel tasked with identifying privacy issues and preparing a report to facilitate the proposed Privacy Act has issued recommendations. Led by former Delhi High Court Chief Justice A P Shah, the group laid out guidelines on telephone tapping and other forms of communications surveillance as well as recommendations to set up national and regional privacy regulators. The group identified differences between existing laws that allow government surveillance, stating, “these differences have created an unclear regulatory regime that is inconsistent, non-transparent and prone to misuse and does not provide remedy or compensation to aggrieved individuals.” [The Times of India]

IN – India Asks EU to Declare it as “Data Secure” Country

The government of India has asked the EU to declare the country as “data secure.” Without a data secure declaration from the EU, sensitive data such as medical information cannot legally flow between the regions. India Commerce and Industry Minister Anand Sharma said, “It is our clear analysis that our existing law does meet the required EU standards. We would urge that this issue is sorted out quickly, and necessary comfort in declaring India data secure in overall sense needs to be given as almost all the major Fortune-500 companies have trusted India with their critical data.” The EU is studying whether India’s laws meet the EU’s directive. [The Times of India]

SG – Gov’t Considers Banning Free Phone Books

Singapore is considering halting the publication of free telephone directories due to privacy concerns. Concerns about the listing of residential and office numbers have prompted the Infocomm Development Authority of Singapore (IDA) to publish a consultation on whether “it is still necessary to maintain the regulatory requirement for Directory Services.” The IDA notes “increasing public awareness, and concerns, about use and protection of personal data.” Singapore’s Parliament passed a data protection law earlier this month that includes a Do-Not-Call registry, provisions on private-sector use of personal data and the creation of a new enforcement agency, which may fine noncompliant organizations. [AFP] SEE ALSO: [PH – High Court in Philippines Suspends Contentious Internet Law]

Online Privacy

WW – Yahoo to Ignore Default DNT Settings

Yahoo has announced that it will ignore Internet Explorer 10’s default do-not-track (DNT) settings, indicating the setting “ignores the wishes of its users.” The company will continue to offer its Ad Interest Manager, which allows users to make choices about the online ads targeted to them, and other tools. “Ultimately, we believe that DNT must map to user intent, not to the intent of one browser creator, plug-in writer or third-party software service,” Yahoo said in a statement. [InformationWeek] See also: [Letter from John D. Rockefeller to the Federal Trade Commission Regarding the World Wide Web Consortium Deliberations on Do-Not-Track – U.S. Senate] See also: [The Bizarre, Belated Assault on Do Not Track – Leslie Harris and Justin Brookman, Center for Democracy and Technology] AND ALSO: [US – Mozilla stresses privacy while testing new social API in Firefox]

UK – Do Not Track Standard Needs Action Says Commissioner

European commissioner Neelie Kroes has accused members of the online industry of watering down a standard designed to protect consumers’ privacy on the web. Websites are under pressure to allow consumers much greater control over how they are tracked online. But work undertaken by the World Wide Web Consortium (W3C) to create a Do Not Track (DNT) standard was “not going to plan”, said Ms Kroes. She is angry about delays and a proposal to exempt marketing. [bbc.co.uk] SEE ALSO: [NYT: Privacy Advocates and Advertisers at Odds Over Web Tracking]

WW – Microsoft Alters Its Privacy Rules

A new policy implemented by Microsoft allows it “broad leeway” over how it collects and processes information from consumers using its free, web-based services. Unlike Google’s policy changes earlier this year, “Almost no one noticed” Microsoft’s change, the report states, adding, “The difference in the two events illustrates the confusion surrounding Internet consumer privacy.” Consumer Watchdog’s John Simpson said, “What Microsoft is doing is no different from what Google did,” adding, “It allows the combination of data across services in ways a user wouldn’t reasonably expect.” A Microsoft spokesman said, “one thing we don’t do is use the content of our customers’ private communications and documents to create targeted advertising.” [The New York Times]

WW – Microsoft to Clarify Privacy Rule Changes

Microsoft has said it will clarify part of its new disclosure policy to explicitly state that it will not use personal information gleaned from certain free services for targeted advertising. Rep. Edward J. Markey (D-MA) sent a letter to the company expressing concerns that the move would allow Microsoft to compile “detailed, in-depth consumer profiles.” In a statement, Microsoft said, “We appreciate the feedback we’ve received, and as a result, we will update the agreement as soon as possible to make that point absolutely clear.” [The New York Times]

US – McDonald’s Removes Sharing Feature Following COPPA Complaint

McDonald’s has removed social networking features in some of its online games following complaints from a privacy advocacy group. The Center for Digital Democracy filed a complaint with the FTC last month that the restaurant chain was violating children’s privacy laws by, without requiring parental consent, asking children to list the e-mail addresses of friends as part of a “tell-a-friend” feature on HappyMeal.com. McDonald’s said it has removed the feature and the online security of its guests “remains a top priority.” [The Washington Post]

US – Company Settles Supercookies Lawsuit

An analytics company has agreed to settle a class-action lawsuit over tracking practices. The settlement forbids KISSmetrics from using ETags and other supercookies for tracking purposes without first giving users “reasonable notice and choice” and requires it pay $2,500 each to the two consumers who sued as well as $500,000 in attorney costs. The suit alleged the company violated wiretapping laws by using ETag technology, which can be used to track users’ web movements even after they deleted traditional cookies. [MediaPost] SEE ALSO: [CA – Man distributed sexual images of ex-girlfriend to poison new relationship, court told]

EU – Law Student’s Quest Against Facebook Continues

Austrian law student Max Schrems has said Facebook and European regulators have not done enough to curb what he says are violations against European privacy laws. Founder of “Europe v Facebook,” Schrems is looking to raise approximately 200,000 euros to keep his campaign moving forward. “At the core of the fight is one of the overarching questions of our time: Who has rights to the trillions of bits of data users create online every day?” the report states. Schrems said, “We’re right now defining what our world is going to look like in 20 years.” [The Washington Post] SEE ALSO: [US: Facebook photos point to burglary, party at Tega Cay home] AND ALSO: [US – Obama Worries About Malia Using Facebook, Cites Privacy Concerns] AND [UK – Online life after death needs clear data regulation]

CA – Commissioner Cavoukian Joins the Fight Against Cyberbullying

Online social media networks like Facebook and Twitter appear to have become the new schoolyard for bullies. But unlike the tormentors of the playground, cyberbullies are able to lurk in the shadows of anonymity on the Internet, and their cruelty doesn’t stop at the end of the school day. The harm they inflict on their victims can have devastating effects, and for some may lead to the most tragic of consequences, said Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, in a YouTube video. [Source] SEE ALSO: [BC – Hackers say they’ve found Amanda Todd’s tormentor]

Other Jurisdictions

PK – Law Must Balance Security with Individuals’ Rights

Responding to criticism over a new Pakistani counterterrorism law, Sen. Raza Rabbani has said the law “must not be used to put the fundamental rights of people at stake.” The Fair Trial Act allows the state to intercept private communications, including e-mails, SMSs, phone calls and audio-visual recordings, in order to arrest suspected terrorists. The law has been tabled in the National Assembly. “We must strike a balance between adopting modern techniques of investigations and the fundamental rights of the people,” said Barrister Zafarullah Khan. [The Express Tribune] SEE ALSO: [HK – Hong Kong’s watchdog for data privacy sees upsurge in complaints]

AU – Australia Attorney-General Consults on Australian Privacy Breach Notification

The Australian Attorney-General has issued a consultation on a nationwide mandatory breach notification scheme; the rationale for such a scheme includes mitigation of consequences of a breach, deterrence/incentive to improve data security, tracking of incidents and provision of information in the public interest, and maintaining community confidence in legislative privacy protections. Triggers for notification could include an appropriate test (e.g. a “catch-all” test or specific triggers based on volume of records breached or sensitivity of the records); notification could be decided by the organisation or agency, the Commissioner, or the organization in consultation with the Commissioner, and notification could be provided to the Commissioner and/or the affected persons and the police, financial institutions and CERT Australia. The issue of timely notification must be considered (e.g. before a particular deadline or as soon as possible); the content of the notification should be detailed (e.g. a description of the breach, types of information lost, and contact details). A scheme could apply only to those agencies regulated by the Privacy Act, or all entities, with a potential exemption for law enforcement agencies; penalty options include civil, criminal or administrative penalties or the capacity to “name and shame,” with consideration given to the circumstances in which they are applied. [Discussion Paper]

AU – Mandatory Notification Back on the Table

Australian Attorney General Nicola Roxon has published a discussion paper, which includes a poll for the public to weigh in on the issue, on whether the country needs a mandatory breach notification law. Privacy Commissioner Timothy Pilgrim renewed his calls for a law after a decrease in notifications in the last financial year. Pilgrim said “there is a strong case to have mandatory data breach notification laws in Australia” but cautioned against notification for minor breaches due to administrative burdens, notification fatigue and lack of utility, the report states. The attorney general is accepting comment until November 23. [The Australian Financial Review]

SA – Pending Privacy Bill Could Cost 35,000 Jobs, Observer Says

According to one critic, South Africa’s proposed Protection of Personal Information Act (PPI) could cause as many as 35,000 citizens to lose their jobs. The PPI is expected to limit unwanted telemarketing calls and spam, the report states. CareerCall’s Andy Quinan says the bill could affect the call-sector industry and stifle entrepreneurs who use telemarketing as a cost-effective marketing tool. Quinan has based his estimate on the 2008 C3Africa National BPO Survey. [ITWeb]

CO – Data Protection Law Becomes Effective

Colombia has enacted an omnibus data protection law, reports the Hunton & Williams Privacy and Information Security Law Blog. The law was enacted on October 17. It contains “significant notice and consent requirements, special provisions for the processing of children’s data, European-style data subject rights…and cross-border data transfer restrictions,” among other provisions. The law also calls for the establishment of a data protection authority. [Source]

UK – Insurance Group Asks for Veto

An insurance industry group has asked Ukraine’s president to veto a measure to amend the data protection law. The League of Insurance Organizations of Ukraine (LIOU) says the amendments “unreasonably extend the powers of the State Service of Ukraine on Personal Data Protection,” the report states. “We think the adoption of this law in such wording, despite numerous plus points, contains serious obstacles to entrepreneurship in Ukraine, creating a serious threat of the appearance of unreasonable additional financial and organizational expenses for businesses, as well as contradicting international standards regarding personal data protection, and the norms of the Ukrainian legislation,” the group stated in its letter. [KyivPost] SEE ALSO: [MX – Mexico Guidelines for Privacy Notice – Secretariat of Economy] and [AU – Office of the Australian Information Commissioner – Review of Counter-Terrorism Legislation] and [NZ – C v Holland – [2012] NZHC 2155 – High Court of New Zealand] and [RU – Recent Developments in Russian Personal Data Protection Regulation – Leonid Zubarev, Partner, and Anastasiya Lemysh, CMS Russia Client Alert]

Privacy (US)

US – California Issues App Developer Noncompliance Notice

California Attorney General Kamala Harris has reportedly sent out notices warning as many as 100 mobile app developers that they must conspicuously post privacy policies within the next 30 days to be in compliance with the California Online Privacy Protection Act. The new state protocol requires mobile applications that collect personal data within the state to post a privacy policy stating what data is collected and how it will be used. Harris said, “We have worked hard to ensure that app developers are aware of their legal obligations to respect the privacy of Californians, but it is critical that we take all necessary steps to enforce California’s privacy laws.” [Bloomberg]

WW – Researchers Find Android Apps Pose Data Privacy Concerns

Researchers say that more than a quarter of Android apps available through the Google Play store appear to pose potential security risks to users. The researchers considered the apps to be questionable or suspicious if they had the capability to access personal information such as GPS data, phone calls and phone numbers. Users were led into allowing the apps to collect the data when they were installed; if users do not agree to the apps’ requests, the apps will not run on their devices. The practice appeared to be popular among games, entertainment, and wallpaper apps, despite the fact that those apps would seem to have little or no practical use for the information. The researchers state specifically that these apps are not considered malware, simply that they pose a privacy risk to users. [InformationWeek] [ComputerWorld]

WW – Study: Free Apps Present More Privacy Risks

A new study reveals that free mobile apps are more likely to cause privacy and data security risks to users than paid apps. According to a Juniper Networks survey of 1.7 million Android apps, free mobile apps are 401% more likely to track location and 314% more likely to access users’ address books than paid apps. A Juniper representative said, “Companies, consumers and government employees who install these apps often do not understand with who and how they are sharing personal information,” adding, “Even though a list of permissions is presented when installing an app, most people don’t understand what they are agreeing to or have the proper information needed to make educated decisions about which apps to trust.” [Source] SEE ALSO: [JP – Five Arrested in Japan in Connection with Malware Hidden in Android Apps]

US – Rules Surrounding App Data Collection a “Gray Area”

The New York Times reports on the gray legal area surrounding mobile apps. The law has not kept pace with advances in technology, resulting in online businesses’ collection of large volumes of personal data. Meanwhile, users are often oblivious. “Generally, most people are simply unaware of what is going on,” said one expert. App developers’ data collection practices are loosely regulated in the U.S., the report states. California Attorney General Kamala Harris recently reached an agreement with six leading companies that they would only sell or distribute apps with privacy policies, the report states. Meanwhile, in Europe, revisions to the data protection regulation would require consumer consent before data collection on the web. [Source]

US – California AG Tells Mobile App Makers to Post Privacy Policies

California’s attorney general Kamala Harris has notified the makers of mobile applications that they will be held accountable for their handling of Californians’ personal data. The first round of notices was sent to the makers of 100 apps that do not have written privacy policies describing what data the app collects and shares. The companies have 30 days to post “conspicuous” privacy policies or face fines of up to US $2,500 each time a California resident downloads the app that does not have such a policy. Harris is extending the privacy requirements imposed on personal computers to smartphones and tablets. [Source]

CA – Privacy Commissioners Help Developers Create Privacy-Friendly Apps

Today’s app economy is like a new frontier marked by innovation, thousands of jobs and millions of consumers worldwide equipping themselves with useful, convenient, informative and entertaining tools. Like any new frontier though, this one has risks, including those to privacy. To help heighten personal information protection in the mobile era, the Privacy Commissioner of Canada, and the Information and Privacy Commissioners of Alberta and British Columbia today issued new guidance to help mobile app developers set themselves apart by making user privacy central in their design process. The guidance, shared with international data protection authorities and released upon the close of the 34th International Conference of Data Protection and Privacy Commissioners in Punta del Este, Uruguay, provides app developers with insights in the following areas:

  • Accountability under the law
  • Transparency
  • Collection
  • Gaining meaningful consent despite the “small screen” challenge
  • User notice and consent timing

The full guidance can be found on the web site of either: the Office of the Privacy Commissioner of Canada; the Office of the Information and Privacy Commissioner of Alberta; or the Office of the Information and Privacy Commissioner of British Columbia. [Canada Newswire]

US – Courts Widening View of Data Breach Damages, Lawyers Say

Federal courts are widening the definition of damages from data breaches. This “sea change” leaves unprepared companies at risk when it comes to class-action lawsuits, according to lawyers from the firm Pepper Hamilton. Until recently, courts would dismiss data breach lawsuits that couldn’t prove specific harm. But courts “are starting to pick up on the fact that the data that can get out there can cause serious harm, maybe not immediately but sometime in the near future,” lawyer Jeffrey Vagle said. A recent survey found the average settlement award for class-action data breach suits to be $2,500 per plaintiff. [CSO] SEE ALSO: [US: How should judge protect privacy of Colorado shooting victims?]

US – Court Allows Path Lawsuit to Move Forward

A judge has allowed a lawsuit against mobile app developer Path to proceed. The company has been urging the court to dismiss the suit, claiming users did not suffer economic harm, but U.S. District Court Judge Yvonne Gonzalez Rogers found that a user sufficiently alleged harm in the case. The company is accused of violating users’ privacy after it was discovered that users’ address books were uploaded without consent. A second class-action lawsuit against the company is pending in a federal court in Austin, Texas. [MediaPost]

US – FTC Finalizes Two Privacy Settlements

The FTC has finalized settlements with two companies for allegedly illegally exposing the sensitive personal information of thousands of consumers through the installation of peer-to-peer file-sharing software on computer systems. The settlements are with EPN, Inc., and Franklin Budget Car Sales, Inc., and will “bar misrepresentations about the privacy, security, confidentiality and integrity of any personal information collected from consumers,” the FTC press release states. The companies must also create and maintain comprehensive information security programs. [Source] SEE ALSO: [US – Facebook Amended Settlement and Release – U.S. District Court for The Northern District Of California]

US – State Tax Department Breach Incites Class-Action Lawsuit

Fallout from a breach at South Carolina’s state tax agency is affecting 3.6 million individuals’ Social Security numbers. A law firm has filed a class-action lawsuit against both the state’s governor and the Department of Revenue (DOR) alleging they failed “to protect the citizens of South Carolina” and violated the state’s breach disclosure laws. The governor said the fact that the information wasn’t encrypted isn’t an anomaly. “It’s not just that this was a DOR situation but an industry situation,” she said. The breach may be the “largest cyber-attack against a state tax department in the nation’s history.” [The Washington Post] SEE ALSO: [US – Lauren Chaikin et al. v. Lululemon USA Inc., Lululemon Athletica Inc., and Does 1-50 – Class Action Complaint – Superior Court of California, County Of San Diego]

US – EFF Fights Energy Company’s Subpoenas

A privacy group is advocating against an energy company’s subpoena seeking information on dozens of e-mail accounts. Following a $19 billion judgment in favor of Ecuadorean aborigines and farmers against Chevron for an oil contamination, the company has filed subpoenas for information—including IP addresses and time stamps—about Yahoo and Google users, calling the verdict “extortionate fraud.” In response to the subpoenas, the Electronic Frontier Foundation has filed an amicus brief stating that the release of the information the company seeks would intrude on the privacy of the John Does involved, adding the court “should not permit Chevron’s unnecessary and unwarranted fishing expedition” without sufficient cause. [Courthouse News Service]

US – FTC Reaches Settlement with Analytics Company

The Federal Trade Commission (FTC) has reached a settlement with web analytics company Compete, Inc., for allegedly misrepresenting its data collection practices and failing to adequately secure collected data. The company has agreed to destroy data collected from users prior to February of 2010 and to undergo biennial audits for the next 20 years. According to the FTC, the company did not appropriately disclose “the full extent of data collected through tracking software,” and such a failure “was, and is, a deceptive act or practice.” Compete said, “We will continue to develop and uphold new standards for transparency and security.” [MediaPost]

US – Judge Dismisses Consumer Privacy Allegations

A federal judge has dismissed much of a class-action suit over a data breach at Sony’s PlayStation Network in April 2011. The suit alleges hackers were able to access the gaming network because the company negligently “failed to provide adequate firewalls and safeguards” for users’ personally identifiable information. Sign-up for the games requires users to provide names, mailing addresses, e-mail addresses, birthdays and credit and debit card information, the report states. The suit alleges Sony should have known the system was vulnerable to an attack. A U.S. District Court judge has dismissed several of the suit’s claims, including violations of California consumer protection statutes. [Courthouse News Service] [US – In Re: Sony Gaming Networks and Customer Data Security Breach Litigation – 2012 U.S. Dist. LEXIS 146971 – U.S. District Court for the Southern District of California]

US – FPF Announces Privacy Papers for Policy Makers 2012

The Future of Privacy Forum (FPF) has announced this year’s selections for its Privacy Papers for Policy Makers. Of the more than 35 entries, eight were selected. The papers cover topics such as Privacy by Design, online behavioral advertising, mobile privacy, government surveillance, de-identification and social networking. FPF Founder and Co-chair Christopher Wolf said, “Improving privacy protection is vitally important in this technology age, so we are delighted to help build a bridge of communication between privacy scholars and privacy policy makers.” FPF Director and Co-chair Jules Polonetsky, said, “These writings offer some of the most compelling and innovative viewpoints that we hope policy makers consider as they look to address privacy issues.” [Source]

Privacy Enhancing Technologies (PETs)

US – Carnegie Mellon to Offer Masters in Privacy

Carnegie Mellon University has created a master’s degree program in privacy. The one-year program will start in the 2013-14 academic year and aims to help prepare students for the increasing marketplace demand for privacy-savvy computer scientists and engineers. The program will include classroom instruction and a summer work experience project. CMU Professors Lorrie Cranor and Norman Sadeh created the program. [The Pittsburgh Post-Gazette]

CA – Privacy Commissioner Designates Route1 as Privacy by Design (PbD) Ambassador

Route1 announced that the Office of the Information and Privacy Commissioner of Ontario has designated the Company as a Privacy by Design (PbD) Ambassador for its commitment to secure remote access and identity management, evidenced in the development and success of the MobiKEY. A security and identity management company, Route1 customers include both government and military organizations in the U.S. and Canada, as well as private sector businesses such as law firms, healthcare facilities and financial institutions. MobiKEY provides multi-factor authentication to ensure the identity of an individual attempting to remotely access data, which integrates privacy protocols for both the user and the institution. [Mediacaster Magazine] SEE ALSO: [US – Symantec Corporation : Norton Hotspot Privacy Keeps Consumers Safe on Public Wi-Fi]

Security

US – Cyber Liability Insurance Awareness Is Growing

A survey reveals that 60% of businesses do not have cyber liability insurance, but according to one expert, companies are becoming more aware of it. The Advisen survey report states that 52% of businesses not currently covered have no plans to gain the insurance in the next year. Pinsent Masons’ Ian Birdsey said, “When you consider the frequency, severity and exposure of security and data breaches,” it’s “surprising” that 52% are not considering the insurance. Birdsey noted that “the test remains whether advocates for data risks or cyber liability insurance cover at general counsel or chief privacy officer level can persuade their management teams to allocate budget to buy cover in the next financial year.” [OUT-LAW] [The Advisen survey report] SEE ALSO: [US – Cyber Risks: An Insurance Perspective – Jillian Raw, Kennedys LLP] AND [EU – ENISA, Annual Incident Reports 2011] AND [EU – Lifecycle Data Protection Management – Alexander Alvaro, Vice-President of the European Parliament: the concept of lifecycle data protection management (“lifecycle DPM”) is proposed in addition to the framework contained in the EU data protection regulation proposal] AND [AU – Information Security Manual 2012: Executive Companion – Department of Defence, Australian Government] AND [CA – Feds earmark $155M over five years to fight cyber threats]

Smart Cards

US – Supervisor Calls for Public Transit Card Privacy

A San Francisco supervisor is calling for stricter privacy controls surrounding “Clipper cards” used to pay for public transportation. Supervisor Jon Avalos has introduced a resolution to ensure that “people who are using Clipper cards can actually be protected against any use of information about where they go and what their whereabouts are.” The cards do not contain personal information, according to a Metropolitan Transportation Commission spokesman, but do contain travel logs on a passenger’s past 10 trips. The agency is required by state law to provide travel information when subpoenaed, the spokesman said. [The San Francisco Examiner]

HK – Privacy Watchdog Slams Excessive Use Of Data on Customer Loyalty Scheme

Customers’ privacy may have been violated under the customer loyalty schemes, the Privacy Commissioner for Personal Data Allan Chiang said in four investigation reports. The three schemes include the “Fun Fun Card” program by China Resources Vanguard Company Limited, the “Mann Card Program” by The Dairy Farm Company Limited, and the “MoneyBack Program” by A.S. Watson Group (HK) Limited through PARKnSHOP and Watsons. The commissioner particularly slammed Watson Group, directing it to stop collections of customers’ ID numbers, erase completely the ID number of applicants and other data collected. “Ill-defined” purposes must also be removed. “After the Octopus incident in 2010, public awareness of the collection and use of personal data in direct marketing activities has significantly raised. I expect that corporations in Hong Kong should have learnt a lesson and paid more attention to data privacy regulations,” Chiang said. According to the report, the operators had collected the applicants’ Hong Kong Identity Card or passport number, complete or partial number, for the purpose of providing them with a default log-in password for using the program’s online service. This amounted to unnecessary and excessive collection. In particular, the program operators have either not defined or ill-defined the purpose of use of the data and class of data. [The Standard Hong Kong]

Surveillance

UK – Group Warns of Public Transit Privacy Concerns

Privacy International is warning that public transportation companies voluntarily share personal information about travelers with law enforcement agencies. “Every single authority and company we have spoken to so far has shocking practices,” said a spokesman from Privacy International, which has polled 48 transport authorities and companies globally to ask how they handle personal information stored on public transportation cards. “The problem with smart cards is that they record a very fine grain of information,” the spokesman added, in some cases including bank details, e-mails, passwords and telephone numbers. While court orders are required in some countries, that is not the case for others. [IDG News Service]

US – Judge: DEA’s Warrantless Surveillance Did Not Violate Law

A U.S. District Court has ruled that, in some circumstances, police are allowed to install hidden surveillance cameras on private property without a warrant. U.S. District Court Judge William Griesbach has ruled Drug Enforcement Administration (DEA) agents had reason to “enter rural property without permission—and without a warrant” to install surveillance cameras to investigate suspected criminal drug activity. Griesbach’s ruling upheld a recommendation by U.S. Magistrate Judge William Callahan stating the DEA did not violate the law as “The Supreme Court has upheld the use of technology as a substitute for ordinary police surveillance.” [CNET News]

US – Calif. Privacy Groups Oppose Cellphone Surveillance Device

FBI investigators used a court order authorizing access to cellphone customer data to quietly deploy a powerful surveillance technology known as “stingrays,” privacy groups contend in a new court filing that claims the devices are overly invasive. Your cellphone can be singled out by its international mobile subscriber identity, or IMSI, which then makes it possible to secretly determine your whereabouts using stingray devices, also known as IMSI catchers. The law enforcement tool troubles security experts and civil libertarians alike because it mimics cellphone towers. Stingrays track the locations of mobile devices, including those that are not targeted but are nearby. IMSI catchers can also be adjusted to capture the content of communications, although the government claims that was not done in this case. An expert in 2010 showed spectators at a technology conference in Las Vegas that IMSI catchers could be built at home for as little as $1,500, exposing a potential weakness in cellphone security. Thirty cellphones in the room reportedly attempted to connect to his do-it-yourself tower, and anyone in the room who made a call while connected to it received an automated message that said their communications were being recorded. The government’s pursuit of an alleged tax fraudster that began in Northern California and is now playing out in an Arizona courtroom has become the first major constitutional challenge to stingrays. Law enforcement agencies using the technology have held it close to the chest, and the public has little knowledge of it. In an Oct. 19 friend-of-the-court brief filed with the U.S. District Court of Arizona, the Electronic Frontier Foundation in San Francisco and the ACLU of Northern California argued that stingrays are “highly intrusive and indiscriminate,” and claimed government investigators sought to utilize them while providing Judge Richard Seeborg with scant details about the technology’s extraordinary power. [The Tribune]

UK – Draft Communications Bill: Powers May Uncover ‘Wrong Targets’

Plans to monitor all Britons’ online activity risk uncovering “incompetent criminals and accidental anarchists” rather than serious offenders, the information commissioner has warned. Ministers want to strengthen the law on internet data retention to help the police tackle security threats. Christopher Graham said the “really scary people” could simply avoid detection by changing their behaviour. Under the government’s plans, currently being scrutinised by Parliament, service providers will have to store details of internet use in the UK for a year to allow police and intelligence services to access it. Records will include people’s activity on social network sites, webmail, internet phone calls and online gaming. Ministers argue law enforcement agencies need to keep pace with the changing technology used by offenders but critics have called the proposals a “snooper’s charter”. [BBC]

WW – New Memoto Camera Captures ‘Every Single Moment Of Your Life’

Do you wish you had photos of “every single moment of your life” so you could “revisit any moment of your past”? Like the time you walked in on your roommates having sex, or the look of disappointment on your girlfriend’s face when you forgot her birthday? Then Memoto’s new wearable camera, about half the size of a matchbox, may be for you. The Memoto camera is constantly on while you wear it (clipped to a shirt or hung on a necklace), and you can use it rain or shine as it’s weather-protected. It’s got a GPS that geotags each photo, and a battery that is said to last between one and two days, that’s recharged when connected to your computer. Dubbed a “lifelogging” camera—referring to the process of computer-assisted recording to capture large portions of your life—the creators say the name Memoto is associated with the words “memory motor.” Founded by six Swedish entrepreneurs and posted on crowd-funding website Kickstarter, the product exceeded its $50,000 funding goal in only five hours. It takes photos every 30 seconds, and synchronizes with apps to work as a photographic memory – a digital timeline of your life. “The website talks about lifelogging as capturing your life, but what you’re really capturing is the life of everyone else around you… sometimes without their awareness,” said Dr. Bita Amani, an associate professor of law at Queen’s University who teaches a course on information privacy. Amani says Memoto raises three kinds of privacy issues: those related to the original recording (photographs), the subsequent publication (i.e. on Facebook), and cloud storage. She also notes that any kind of recording may become subject to a use other than what was originally intended. [Global News]

Telecom / TV

US – EFF, ACLU Take on Data Collection Practices

The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) are challenging the data-collection activities of Verizon Wireless. The advocacy groups say Verizon violates the federal Wiretap Act when it collects data on customers’ app usage, locations and web browsing and sells it to advertisers. Verizon says its actions are legal because it notifies customers of its practices and allows them to opt out, and the data cannot be tied to an accountholder. The groups claim, however, that the act of collection is the violation. “What you do after the fact is certainly important, but the violation of the Wiretap Act has already occurred,” said EFF lawyer Hanni Fakhoury. [PC World] [US: Verizon draws fire for monitoring app usage, browsing habits]

WW – Study: Free Apps Present More Privacy Risks

A new study reveals that free mobile apps are more likely to cause privacy and data security risks to users than paid apps. According to a Juniper Networks survey of 1.7 million Android apps, free mobile apps are 401 percent more likely to track location and 314 percent more likely to access users’ address books than paid apps. A Juniper representative said, “Companies, consumers and government employees who install these apps often do not understand with who and how they are sharing personal information,” adding, “Even though a list of permissions is presented when installing an app, most people don’t understand what they are agreeing to or have the proper information needed to make educated decisions about which apps to trust.” Among the findings:

  • 24% of free apps have permission to track location vs only 6% of paid apps.
  • 7% of free apps have permission to access your address book vs 2% of paid apps.
  • 2.6% of free apps have permission to silently send text messages vs 1.5% of paid apps.
  • 6% of free apps have permission to clandestinely initiate calls in the background vs 2% of paid apps.
  • 5.5% of free apps have permission to access the device camera vs 2% of paid apps. [San Jose Business Journal]

US Government Programs

US – Privacy and Civil Liberties Oversight Board to Hold First Public Meeting

The Privacy and Civil Liberties Oversight Board will hold its first public meeting this month, according to a notice in the Federal Register. The board, which aims to provide privacy oversight on U.S. surveillance and security measures in the fight against terrorism, had remained dormant since 2007, inciting widespread criticism. President Barack Obama appointed new members to the board in 2011, and the Senate confirmed four of five nominees earlier this year. The aim of next Tuesday’s meeting is to gather feedback from nongovernmental organizations and members of the public on priorities the board should consider on its forthcoming agenda. The public portion of the meeting will take place from 10 a.m. to noon on October 30 in Washington, DC. [Federal Register]

US – FTC Working on Data Collection Nutrition Label

The Federal Trade Commission (FTC) is working on a nutrition label for data collection. FTC Chairman Jon Leibowitz says the label would act as a “disclosure mechanism that websites can customize to succinctly tell consumers what kind of data they are collecting and how they are using it.” The news follows calls from academics and advocates for companies to create privacy policies that are accessible and easy-to-read and understand for the average consumer. [Law360]

US Legislation

US – FTC’s Proposed COPPA Changes Could Face Legal Challenge

A potential legal backlash may occur against the FTC if it pursues proposed changes to the Children’s Online Privacy Protection Act. At a recent forum, TechFreedom President Berin Szoka and others cited specific issues with the proposed changes, including expanding the definition of personally identifiable information to cover persistent identifiers, a move they believe could hamper website functionality and innovation, the report states. Szoka said, “The FTC should take the time next year, probably hold a workshop and discuss these things and issue a revised rule,” adding, “If they don’t, they will be sued.” [NationalJournal] SEE ALSO: [No “Do Overs”: Children, Personal Information And Marketing In Canada]

US – Rep. Barton: “We Need Stronger Privacy Laws”

In a blog post, Rep. Joe Barton (R-TX) calls for tougher online privacy legislation. “If our forefathers knew what the Internet and modern technology would be like today,” Barton writes, “they would have put a right to privacy explicitly in the Constitution.” Barton contends that parts of the online industry are listening, “while others remain tone-deaf,” particularly in relation to Do Not Track. Barton writes that some are “putting profits over privacy” and describes the Do Not Track Kids Act as “common-sense legislation.” Meanwhile, the Center for Digital Democracy and Common Sense Media have launched an online petition aimed at persuading the FTC to “stay the course” on proposed changes to COPPA. [Source]

US – Lawmakers Call for Improved Medicare ID Theft Prevention

Reps. Wally Herger (R-CA) and Sam Johnson (R-TX) are calling on the Department of Health and Human Services (HHS) to remove users’ Social Security numbers from Medicare cards. Citing a recent report that found flaws in the way the HHS responds to Medicare identity theft, Johnson said, “This report is a wakeup call for (the Medicare agency) to heed the advice of its own inspector general and take immediate action to develop a new system for protecting seniors from medical identity theft.” [The Hill]

US – FTC’s Ohlhausen Skeptical of New Privacy Legislation

The FTC’s Maureen Ohlhausen has voiced concerns that calls for new privacy legislation could undermine the FTC’s other task of promoting competition. Ohlhausen said, “Before seeking new privacy legislation, I think it is important to identify a gap in statutory authority or to identify a case of substantial consumer harm that we would like to address but can’t within our existing authority.” Ohlhausen noted the many benefits of information sharing for consumers, adding, “that’s why I am concerned about treating privacy solely as a consumer protection issue. It also must be viewed through the competition lens if you want to reach the best outcome for consumers.” [National Journal]

US – NJ Senate Passes Applicant Privacy Bill

New Jersey’s Senate has passed a law to prevent employers from requiring applicants to provide access to private accounts. The Assembly passed a similar bill in June. “There are plenty of other steps in a job application process for employers to gain a profound understanding of an applicant’s experience, fitness and personality,” said Republican State Sen. Kevin O’Toole, adding, “Applicants should not have to choose between preserving their due privacies and earning incomes.” The bill also bans “associated discrimination or retaliation” and allows applicants to sue for damages in the event of violations, according to the report. [NJTODAY.NET]

Workplace Privacy

CA – Supreme Court Confirms Privacy Survives in the Workplace

Many employers seek to remove any reasonable expectation of privacy by telling employees that they should not expect any privacy when using workplace computers during company time. Earlier this month, the Supreme Court of Canada grappled with the question of workplace privacy and arrived at a somewhat different conclusion. Michael Geist’s technology law column (Toronto Star version, homepage version) notes it ruled that the workplace environment may diminish an employee’s reasonable expectation of privacy, but it does not remove the expectation altogether. The case involved a criminal action against a high school teacher, who was provided with a school-issued laptop computer that could be used for incidental personal purposes. A computer technician at the school discovered nude photographs of a female student while performing routine maintenance on the machine. The school copied the images and turned over the computer and the images to police, who later charged the man with possession of child pornography and unauthorized use of a computer. The legal issue in the case turned on whether the police conducted a warrantless search of the computer in violation of the Canadian Charter of Rights and Freedoms, which guards against unreasonable search and seizure. To answer that question, the Court assessed whether the employee had a reasonable expectation of privacy, which it ruled depends upon the “totality of the circumstances”. Given competing interests, the Court ruled that the reduced privacy interest was not eliminated in its entirety. It therefore ordered that the teacher face a new trial. [Source] [CA — Privacy in Workplace Computers: Employers Can Manage Employee Expectations of Privacy – Earl G. Phillips, Partner, McCarthy Tetrault LLP]

CA – Supreme Court: Employees Have Computer Privacy Rights

The Supreme Court of Canada has ruled that employees have some privacy rights over workplace computers and that computers should not be searched by law enforcement without a warrant. In the 6-1 ruling, the court wrote, “Computers that are reasonably used for personal purposes—whether found in the workplace or the home—contain information that is meaningful, intimate and touching on the user’s biographical core.” The author of the ruling, Justice Morris Fish, added, “Canadians may therefore reasonably expect privacy in the information contained on these computers, at least where personal use is permitted or reasonably expected.” [Toronto Star] SEE ALSO: [OIPC AB – Order F2012-23 – Alberta Corporate Human Resources re: collect an employee’s personal information (“PI”) for its operating activities] AND [Datatilsynet, Norway – “A Normal Day at Work”: Workplace Electronic Tracking] AND [FR – Companies, Other Than Those from the Banking and Financial Sectors, Now Allowed to Implement Background Screening Processing for the Detection and Prevention of Corruption – Denise Lebeau-Marianna and Idriss Kechida, Baker & McKenzie] AND [AB: Court injunction granted to prevent random drug testing]

 

+++

01-15 October 2012

 

Canada

CA – Authorities to Cooperate on Cross-Border Digital Privacy

The German and Canadian data protection authorities have signed an agreement on protecting privacy in cross-border data transfers via the web. The countries will cooperate on specific cases and inform each other on privacy complaints. “Since personal data can be transferred to other countries and parts of the world with one mouse click, data protection agencies have to cooperate better internationally,” Canada’s Office of the Privacy Commissioner noted. Germany and Canada plan to discuss extending the plan to additional countries at the 34th International Conference of Data Protection and Privacy Commissioners in Uruguay later this month, the report states. [IDG News Service]

CA – Stoddart’s Annual Report Raises Surveillance, Disposal Concerns

A proposal set forth by the Royal Canadian Mounted Police and House of Commons to more than double the number of video cameras on Parliament Hill has raised concerns from federal Privacy Commissioner Jennifer Stoddart. “We were concerned about the scope of the project and its potential impact on the privacy rights of parliamentarians, parliamentary staff, guests and visitors to Parliament Hill,” Stoddart’s annual report states. “According to the preliminary (privacy impact assessment), a deliberate decision was made to not post signs notifying individuals of video surveillance on Parliament Hill.” Meanwhile, Stoddart’s report has also raised concerns about the way Veterans Affairs disposes of documents containing sensitive personal information. [The Canadian Press]

CA – OPC Receives Formal Complaint Over Gov’t Questionnaire

The Office of the Privacy Commissioner (OPC) has received a formal complaint about a controversial questionnaire distributed to current and prospective border officers. OPC Spokeswoman Anne-Marie Hayden said the agency is “looking at investigating” the subject. Aimed at determining an individual’s suitability for employment, the questionnaire asks about substance abuse and other potentially invasive queries, the report states. Customs and Immigration Union Vice President Jason McMichael said of the questionnaire, “Our lawyers believe that it’s outside of privacy legislation,” adding, “Certainly, in our mind, it compromises basic civil liberties.” [Canada.com]

CA – OPC Offering $50,000 for Privacy Research Projects

The Office of the Privacy Commissioner of Canada (OPC) has launched its 2013-2014 Contributions Program, which offers up to $50,000 in funding for initiatives aimed at advancing privacy knowledge in the private sector. Privacy research projects that fall under PIPEDA will be eligible for the funding. The four priority areas highlighted by the OPC are identity integrity and privacy; IT and privacy; genetic information and privacy, and public safety and privacy. Applicants have until November 30 to submit proposals. [IT Business Canada] See also: [OPC Canada – No Mistakes, No Forgetting: Privacy in the Age of Social Media]

CA – Supreme Court Allows Anonymous Proceedings

The Court overturned in part a decision by a provincial court of appeal which denied a 15-year-old girl the right to proceed anonymously in an action for defamation (someone posted a fake profile on a social networking site using her picture, a slightly modified version of her name, and other particulars identifying her – the picture was accompanied by unflattering commentary about the girl’s appearance along with sexually explicit references). The Court considered privacy rights (recognition of the inherent vulnerability of children has consistent and deep roots in Canadian law and results in the protection of young people’s privacy rights based on age, not the sensitivity of the particular child), and the protection of children from cyberbullying (common sense and the evidence show that young victims of sexualized bullying are particularly vulnerable to the harms of revictimization upon publication, and the right to protection will disappear for most children without the further protection of anonymity); once the girl’s identity is protected through her right to proceed anonymously, there is little justification for a publication ban on the non‑identifying content of the profile. [A.B. v Bragg Communications Inc. et al. – 2012 SCC 46 – the Supreme Court of Canada]

Consumer

US – Study: Most Americans Don’t Want To Be Tracked

A study by the Berkeley Center for Law and Technology found that most Americans don’t find online ads useful and do not want information to be collected about their online behavior. The study asked 1,230 Internet users what they’d like a do-not-track mechanism to do, and 60% chose the option, “prevent websites from collecting information about them.” Nearly 90% of respondents had never heard of the FTC’s proposal for a do-not-track mechanism—which the authors of the study refer to as “a modest intervention.” [The New York Times] See also: [Omer Tene Opinion: Privacy Law in “Midlife Crisis”]

E-Government

US – Campaigns Relying on Data Mining To Push Voter Turnout

This year’s presidential campaigns are using data mining to glean intimate details of voters’ lives and use them to prompt a vote for their respective candidate. The Democratic and Republican National Committees have spent a combined total of at least $13 million this year on data acquisition—including details such as what kind of beer voters drink, if they tend to enjoy frequent vacations or whether they watch college football—in order to contact voters with targeted calls. Experiments indicate such tactics tend to increase voter turnout, the report states. [The New York Times]

US – Gov’t Report Calls for Big Data Career Track

A new industry report calls on the government to create a formal career track for employees managing Big Data. The TechAmerica Foundation’s Big Data Commission is calling for “a new federal academy to train and certify employees to capture, store, share, manage and analyze vast volumes of data” and cites agencies currently using Big Data techniques, such as NASA and the Internal Revenue Service. “The biggest issue is making sure that you have and can get to the relevant information that you need to make better decisions, improve processes, reduce fraud, waste and abuse and have better predictive capabilities,” said one expert. [Federal Times]

Electronic Records

US – Research Hampered by Limited Access to Death Files

The Social Security Administration’s (SSA) limit on access to death records, imposed amid concerns about potential identity theft, is affecting research initiatives. The SSA decided last year that, under the law, state records on deaths are exempted from public disclosures. Researchers conducting studies on diseases such as cancer and cardiovascular treatments say they depended on access to that data, and their work has been slowed by the changes. A spokesman for the financial industry said such limited access makes it increasingly difficult to detect the theft of Social Security numbers from deceased individuals. [The New York Times]

US – A Major Glitch for Digitized Health-Care Records

A comprehensive evaluation of the scientific literature has confirmed what many researchers suspected: The savings claimed by government agencies and vendors of health IT are little more than hype. To conduct the study, faculty at McMaster University in Hamilton, Ontario, and its programs for assessment of technology in health — and other research centers, including in the U.S. — sifted through almost 36,000 studies of health IT. The studies included information about highly valued computerized alerts – when drugs are prescribed, for instance – to prevent drug interactions and dosage errors. From among those studies the researchers identified 31 that specifically examined the outcomes in light of the technology’s cost-savings claims. With a few isolated exceptions, the preponderance of evidence shows that the systems had not improved health or saved money. For instance, various studies found the percentage of alerts overridden by doctors — because they knew that the alerted drug interactions were in fact harmless — ranging from 50% to 97%. The authors of “The Economics of Health Information Technology in Medication Management: A Systematic Review of Economic Evaluations” found no evidence from four to five decades of studies that health IT reduces overall health costs. Three studies examined in that McMaster review incorporated the gold standard of evidence: large randomized, controlled trials. They provide the best measure of the effects of health IT systems on total medical costs. A study from Regenstrief, a leading health IT research center associated with the Indiana University School of Medicine, found that there were no savings, and another from the same center found a significant increase in costs of $2,200 per doctor per year. The third study measured a small and statistically questionable savings of $22 per patient each year. 
In short, the most rigorous studies to date contradict the widely broadcast claims that the national investment in health IT — some $1 trillion will be spent, by our estimate — will pay off in reducing medical costs. Those studies that do claim savings rarely include the full cost of installation, training and maintenance — a large chunk of that trillion dollars — for the nation’s nearly 6,000 hospitals and more than 600,000 physicians. [The Wall Street Journal]

Encryption

EU – Certificate Authorities Major Point of Internet Vulnerability

The primary systemic vulnerability of the HTTPS process is that any certificate authority (“CA”) can vouch for any domain name, making each of the hundreds of CAs in over 50 jurisdictions a single point of failure for potentially all HTTPS communications. The EU proposal to amend the existing regulation on electronic signatures contains some of the first regulatory explorations on HTTPS governance, but is lacking in several respects: the proposal targets only European CAs (it fails to address the role of browsers, websites and end-users and how responsibilities should be allocated between them); there should be agreed constitutional values that provide baseline requirements for governance (a coherent security vision is needed that balances the availability, confidentiality and integrity of information); a yearly audit is mandatory only for qualified trust service providers (not for trusted service providers, which are most CAs); trust service providers may submit a security audit report to confirm compliance with security requirements (but the value of these audits is questionable, given that DigiNotar passed its annual audits mandated by Dutch law); and the proposal’s new legislative basis for supervisory activities with regard to security practices and security breach notifications in the HTTPS ecosystem seems to be overbroad and too narrow at the same time (e.g. the flexibility regarding the exercise of executive power may be overbroad from the viewpoint of legitimacy and the rigidity regarding the “tasks” of supervising may be too narrow to include future possible tasks of a supervisory body that may be necessary to ensure adequate enforcement). [Certificate Authority Collapse (Draft) – Axel M. Arnbak and A. N. M. van Eijk, University of Amsterdam, Institute for Information Law] AND [Phil Zimmermann’s “Silent Circle” crypto system]

EU Developments

UK – ICO to Commence Cookie Crackdown

The Information Commissioner’s Office (ICO) is beginning to crack down on companies not complying with cookie regulations. KPMG Partner Steve Bonner said, “There is still a wait-and-see element among companies. It is much like when you are speeding along the motorway with no police car in sight and everyone else also driving 100 miles an hour. It doesn’t feel risky. But when the police car suddenly pulls out of the lay-by, it will be interesting to see what happens.” Noncompliant organizations may be liable for fines of up to £500,000. [Source] See also: [Information Commissioner’s Office, United Kingdom – North Yorkshire Police Force – Data Protection Audit Report Executive Summary]

UK – ICO: Private Sector Ahead on Compliance

Audits by the Information Commissioner’s Office (ICO) indicate that the private sector is “leading the way” while data protection compliance “concerns remain” for the public sector. “The private-sector organizations we have audited so far should be commended for their positive approach to looking after people’s data,” said the ICO’s Louise Byers, adding, “However, this does not mean that businesses in the UK should rest on their laurels.” She also noted that, generally, the public-sector entities audited had appropriate information governance and training practices in place but need to do more in terms of data security, the report states. [COMPUTERWORLD]

EU – Regulators Say Google’s New Privacy Policy Does Not Pass Muster

Privacy regulators in the European Union (EU) say that Google’s revised privacy policy fails to comply with EU data protection laws. A group of privacy regulators from EU member states plan to send a letter to Google asking the company to revise the policy so that it will be in harmony with EU information privacy laws. The letter also asks Google to explain why and how it will share user data across services and says that Google must obtain “explicit consent” before aggregating users’ data from its various services. [BBC] [ZDNet] [CNet]

EU – German MEP Calls for Tighter Rules on Social Networks

A member of the European Parliament has called for tighter controls of online social networks under the EU’s proposed data protection framework. Germany’s Jan Philipp Albrecht, who is heading up the European Parliament’s work on the draft framework, says a recent incident involving Facebook users’ allegations that their personal messages appeared on their public profiles indicates the need for increased user control over data. “The informed and explicit agreement of all those affected by data processing must be a guiding principle,” said Albrecht. The CNIL met with Facebook last week over the incident and accepted Facebook’s explanation that the incident was a misunderstanding and not a breach. [Reuters] See also: [European Data Protection Supervisor – Opinion on the Commission Proposal for a Regulation of the European Parliament and of the Council on Trust and Confidence in Electronic Transactions in the Internal Market (Electronic Trust Services Regulation)] See also: [The Right to Be Untagged: As Facebook Disables Facial Recognition for EU Consumers, US Consumers Are Left Wondering What’s Next for Them – Anita Ramasastry, Justia.com] AND [Office of the Privacy Commissioner for Personal Data, Hong Kong – Outsourcing the Processing of Personal Data to Data Processors]

UK – ICO Fines Police 120,000 Pounds

Greater Manchester Police has paid a fine of 120,000 pounds after a breach involving the theft of a memory stick containing sensitive information, Publicservice.co.uk reports. The stick was not password-protected and was stolen from an officer’s home. It contained details on more than 1,000 individuals connected to crime investigations. The Information Commissioner’s Office (ICO) found that Greater Manchester Police regularly used unencrypted memory sticks to transport data, the report states. The police experienced a similar breach in 2010 and has since then failed to implement the proper safeguards and data protection training, the ICO found. [PublicService.co.uk]

EU – MEPs Release Data Protection Recommendations

MEP Jan Philipp Albrecht, rapporteur for the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, has released “Working Document 2” on the General Data Protection Regulation draft. Albrecht recommends clarifying the definitions of “personal data” and “data subject” and says consent should “remain a cornerstone of the EU approach to data protection.” Meanwhile, Vice President of the European Parliament Alexander Alvaro has released “Lifecycle Data Protection Management,” in which he emphasizes the need to modernize data protection legislation in a way “that allows consumers to continue having trust in technological advances as well as in their own ability to determine how their personal data is processed.” [Source] [Federal Commissioner for Data Protection and Freedom of Information, Germany – Guide for the Privacy-Compliant Storage of Traffic Data] [Privacy Bill 2006 – National Parliament of Ireland] [European Commission – Unleashing the Potential of Cloud Computing in Europe – Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions]

US – U.S. Officials Head to Europe to Talk Privacy

Officials from the U.S. Department of Commerce (DoC), Federal Trade Commission (FTC) and Chamber of Commerce recently traveled to Europe to discuss privacy issues. DoC General Counsel Cameron Kerry met with Irish Data Protection Commissioner Billy Hawkes and Department of Justice officials this week to discuss cross-border data flows. The FTC’s Director of the Bureau of Consumer Protection David Vladeck was in Brussels supporting efforts by the Internet Corporation for Assigned Names and Numbers to store more data on website operators and retain it for two years. Adam Schlosser of the U.S. Chamber of Commerce, also in Brussels, lobbied for changes to the proposed EU Data Protection Directive, while Department of Justice officials voiced their concerns. [TechWeekEurope]

Facts & Stats

US – Facebook: COPPA Changes Violate Constitutional Rights

Facebook says proposed COPPA changes violate free speech rights. In a filing with the Federal Trade Commission (FTC), Facebook said the proposed provision preventing children under the age of 13 from “liking” or recommending websites violates the First Amendment. “The Supreme Court has recognized on numerous occasions that teens are entitled to First Amendment protection,” the company said. The changes would also prevent websites from installing cookies to track children’s web movements. Facebook has asked the FTC for clarification that “websites will still be allowed to advertise directly to children,” the report states. [The Hill] See also: [FTC – In the Matter of DesignerWare, LLC et al. – Complaint and Agreement Containing Consent Order]

WW – OECD 2012 Internet Economy Outlook Report Released

“Today the OECD has released its 2012 Internet Economy Outlook, a comprehensive look at the Internet’s ongoing role in transforming the global economy. The report opens with a landmark chapter on measuring the Internet economy. This is a significant addition to the research literature on this subject in part because, as the OECD notes, ‘there is still no widely accepted methodology for assigning an economic value to the Internet.’ They find that up to 13% of business sector value added in the United States in 2010 could be attributed to Internet-related activities – as much as transportation, construction and utilities combined.” [Source]

Filtering

US – Facebook Launches New Help Center, Faces Criticism for Targeted Ads

Facebook has redesigned its help center and dashboard to help users understand privacy settings. Launched Tuesday, the center aims to help users manage their privacy settings and read about changes to the site, the report states. Meanwhile, the French data protection authority has said Facebook users’ privacy was not breached last week following concerns that private messages were being posted on public profiles. The site continues to face criticism for allowing marketers to target ads to consumers based on their web browsing activities or the phone and e-mail addresses they’ve listed on their profiles. [The Washington Post]

Finance

US – Finance Concerned New Laws Conflict with FINRA Regs

New laws passed in some states and proposed in others prohibiting employers from requiring social media passwords from employees and applicants have the financial industry questioning whether they conflict with the communications monitoring required by the Financial Industry Regulatory Authority (FINRA). Many employees use one account for both personal and business uses, and under FINRA regulations, personal accounts used for business are to be treated as business accounts. One expert says such concerns about the California law may be an overreaction, however, as the law allows access to employees’ social media accounts for investigations of misconduct and violations of laws and regulations. [Compliance Week] [FTC v. Wyndham Worldwide Corporation et al. – FTC Response to Wyndham Hotels and Resorts’ Motion to Dismiss – United States District Court for the District of Arizona]

FOI

CA – Gov’t to Establish Online Access-to-Information Portal

Government plans to launch a pilot project early next year that will allow citizens to request internal documents under the Access to Information Act via the Internet. At the start, the initiative would involve three departments but would later expand to include most federal agencies. Mexico has a similar portal, and the U.S. recently established its own. [The Globe and Mail]

CA – New Brunswick Gets “F” for Disclosures

A Newspapers Canada audit gives the New Brunswick government a grade of “F” for its response to freedom of information requests. The province received a “C” for the speed of its responses. Information and Privacy Commissioner Anne Bertrand expressed disappointment with the findings, which were released this week in the 2012 Freedom of Information Audit report. “It’s quite surprising in 2012 that some governments would approach this way of governing in secrecy or behind closed doors.” [CBC News] See also: [FOI Group Appeals Denial of BC Health Contracts] AND SEE [IPC ON – Reconsideration Order PO-3107-R – Appeals PA07-409 and PA08-127 – Ministry of Finance]

Genetics

US – Bioethics Committee Releases Report on Genome Sequencing

The Presidential Commission for the Study of Bioethical Issues has released a report on the privacy concerns of whole genome sequencing, a process in which it’s possible to determine a person’s complete DNA makeup using DNA samples taken from everyday items like cigarette butts, dental floss, gum or used tissues. Reuters reports the commission’s chairwoman noted the “enormous promise” of sequencing for human health and medicine but added there is a “potential for misuse of this very personal data.” Genome sequencing is set to become part of mainstream medical care, the report states. The report recommends privacy protections including that no sequencing should be performed without a person’s consent. [Source]

Google

EU – Regulators Call for Changes to Google’s Privacy Policy

The New York Times reports on a press conference hosted by the French data protection authority, the CNIL, where regulators called upon Google to clarify its 10-month-old privacy policy or face potential sanctions. In a letter to Google, the regulators noted the revised privacy policy “did not appear to adhere to Europe’s approach to data collection, which requires explicit prior consent by individuals and that the data collected be kept at a minimum,” the report states. CNIL Chairwoman Isabelle Falque-Pierrotin said the agency will give Google three or four months to respond to the concerns. In a statement Google Global Privacy Counsel Peter Fleischer said, “We have received the report and are reviewing it now. Our new privacy policy demonstrates our longstanding commitment to protecting our users’ information and creating great products. We are confident that our privacy notices respect European law.” Dutch DPA Chairman Jacob Kohnstamm told The New York Times that privacy regulators from the 27 EU member states, Canada and some countries in Asia participated in the CNIL inquiry and “endorsed the request to Google, which outlines areas for changes to improve protection of personal data.” [New York Times] [CNIL To Report on Google’s Privacy Policy]

CA – Lawsuit Alleges Gmail Scanning Violates Privacy

A lawsuit filed in BC Supreme Court alleges Google gathered information sent to and from Gmail accounts. The lawsuit seeks class-action status and could potentially include “anyone in the province who has ever sent an e-mail to a Gmail account,” the report states. The suit alleges Google intercepts and collects personal information from e-mails sent to Gmail users in order to sell targeted advertising opportunities to third parties. Google says it has no comment on the allegations at this time. [The Vancouver Sun]

EU – Regulators to Examine Google Policy, EPIC Challenges FTC

EU data protection commissioners will look at whether Google’s changes to its privacy policy earlier this year comply with EU privacy laws. The revision created a single policy for all Google services and resulted in the consolidation of data into a single location, the report states, drawing questions from regulators including the French data protection authority. Meanwhile, the Electronic Privacy Information Center has released a statement alleging the U.S. FTC has “withheld from public disclosure” information about its recent audit of Google’s privacy program. [The Guardian]

US – Google Asks for Dismissal of Suit

In its motion to dismiss a class-action lawsuit, Google has said the class is contorting state law “in ways the California legislature never intended.” The suit alleges Gmail scans e-mails for content and intercepts messages between Gmail and non-Gmail users. It accuses Google of violating the California Invasion of Privacy Act. Asking U.S. District Judge Lucy Koh to dismiss the case, Google says its “fully automated processes involve no human review of any kind” and added that the plaintiffs fail to articulate harm and instead “rely on conclusory allegations that their privacy rights were infringed in the abstract.” [Courthouse News Service]

Health / Medical

US – Calls for Prescription Drug Info Raise Concerns

In the wake of a “prescription drug epidemic that led to 113 overdose deaths,” administrators with Florida’s Sarasota County Sheriff’s Office have been seeking additional information from doctors through “a form patients could sign that would waive their privacy rights and allow detectives to examine…records without getting permission from a judge.” Citing HIPAA concerns, among other factors, the report notes the move has “drawn sharp criticism” from some in the medical community. One lawyer suggests the forms violate patients’ privacy rights under HIPAA. [The Herald-Tribune]

US – Court: Stored Communications Act “Ill-fitted” to Modern Issues

The South Carolina Supreme Court ruled that accessing e-mails in a cheating husband’s inbox did not violate the Stored Communications Act, but the judges all agreed that the act, now 26 years old, “is ill-fitted to address many modern day issues.” The e-mails were accessed by the wife’s daughter-in-law who was able to guess the man’s security question. The e-mails were then printed and shared with the wife’s divorce attorney and a private investigator. “The Stored Communication Act makes a hazy distinction between obtaining e-mails that have not been read or messages that have been read and stored elsewhere versus e-mails that have been read and remain in an inbox,” the report states. [The Augusta Chronicle]

US – ONC Seeking Comment on Online Verification

The Office of the National Coordinator for Health IT (ONC) is seeking public opinion on how individuals’ identities should be verified when accessing online health records. The ONC will share the comments with the federal advisory Health IT Policy and Standards Committees October 29 during an online hearing on credentialing patients so they may use online tools. “We want to make sure we facilitate electronic data access and e-mail in a way that protects the privacy, confidentiality and security of that information,” said Deven McGraw, chair of the ONC Privacy and Security Tiger Team. [Government Health IT]

WW – Teenage Patients need Social Privacy Online: Study

Teenage patients who use a social network are less concerned with “informational privacy” (i.e., the collection of personal information by government and companies) than with “social privacy” (i.e., control over interaction with others). A desire to represent themselves as “regular,” and not sick, means that they engage in privacy-protective behaviours, controlling the audience of their message (through restrictive privacy settings, selective befriending and audience segregation) and the content of the message (no status updates regarding their diagnosis or treatment). To keep up this self-definition as a regular teenager, patients do not seek out others with similar diagnoses or use social networks geared towards patients or particular illnesses. Health care organizations need to create policies governing interactions between health care providers and patients using social media: social media has replaced e-mail, including for communicating with health care staff about medication, and, because of the length of time spent in treatment, patients have befriended hospital staff on social networks. [Not all my Friends Need to Know: a Qualitative Study of Teenage Patients, Privacy and Social Media – Maja van der Velden and Khaled El Emam, Journal of the American Medical Informatics Association (2012)]

Horror Stories

US – Social Security Numbers of Military Heroes Posted Online

A breach has exposed the Social Security numbers (SSNs) of war veterans from Iraq and Afghanistan. A civilian contractor posted 31 decorated veterans’ SSNs among a list of 500 names and profiles onto a website. A spokesman said the army launched an investigation and ordered the contractor to take the site down. “We take this matter seriously,” the spokesman said. Meanwhile, the University of Chicago is offering to pay for one year of credit monitoring to those affected by a breach involving 9,100 employees’ SSNs. A recent survey found that 26% of Americans have been told their personal information has been breached. [The Washington Times]

US – Hospital Fires Employees for Accessing Patient’s Files

A “small number” of hospital employees have been fired from Ohio’s Akron General Medical Center for violating hospital and federal privacy rules. John H. Wise is accused of shooting and killing his wife at the hospital where she was a patient in the intensive-care unit. A hospital spokesman says the employees were terminated for inappropriately accessing the woman’s patient records. “It doesn’t happen a lot, fortunately, because employees know, but you can’t let the curiosity get the better of you,” the spokesman said. “That’s human nature and we understand that, but it still doesn’t justify the fact that the policies were violated.” [Source]

US – Data Losses Prompt Investigations, Reassurances

An investigation is underway at Northwest Florida State College involving more than 200,000 students and 3,000 employees. 50 employees, including the school’s president, have reported issues with identity theft. MPBN reports Maine’s Attorney General is looking into an incident involving misplaced consumer data at TD Bank after a box of back-up computer data went missing in March. Meanwhile, strategy game developer Wargaming.net says a recent security breach at digital goods reseller PlaySpan “affects only a select group” of Wargaming’s “World of Tanks” players, and no financial data was compromised. [CNN]

WW – Hackers Post Personal Details from 53 Universities Worldwide

A breach is affecting thousands of personal records from 53 universities around the world. Hackers published records from schools including Harvard, Stanford, Cornell, Princeton, Johns Hopkins and the University of Zurich. Details included 36,000 e-mail addresses as well as names, usernames, passwords, addresses and phone numbers of students, faculty and staff, the report states. The hackers claiming responsibility call themselves Team GhostShell and cited “changing education laws in Europe and spikes in tuition fees in the United States” as their motives. [The New York Times]

Identity Issues

EU – EDPS: Common Standards Should Govern E-ID Schemes

In a new opinion, the European Data Protection Supervisor (EDPS) has recommended that “trust service providers” and other electronic identification issuers should be required to meet a common set of data security standards under the proposed Electronic Trust Services Regulation. The EDPS said “the proposed regulation should establish a minimum set of requirements, in particular with respect to the circumstances, formats and procedures associated to security as well as the criteria, conditions and requirements, including the determination of what constitutes the state of the art in terms of security for electronic trust services.” [Out-Law.com]

UK – UK Launching “Virtual ID Card” System; Critics Fear It’s an Instant Target

The Government will announce details this month of a controversial national identity scheme which will allow people to use their mobile phones and social media profiles as official identification documents for accessing public services. People wishing to apply for services ranging from tax credits to fishing licences and passports will be asked to choose from a list of familiar online log-ins, including those they already use on social media sites, banks, and large retailers such as supermarkets, to prove their identity. Once they have logged in correctly by computer or mobile phone, the site will send a message to the government agency authenticating that user’s identity. The Cabinet Office is understood to have held discussions with the Post Office, high street banks, mobile phone companies and technology giants ranging from Facebook and Microsoft to Google, PayPal and BT. Ministers are anxious that the identity programme is not denounced as a “Big Brother” national ID card by the back door, which is why data will not be kept centrally by any government department. Indeed, it is hoped the Identity Assurance Programme, which is being led by the Cabinet Office, will mean the end to any prospect of a physical national ID card being introduced in the UK. The identification systems used by the private companies have been subjected to security testing before being awarded their “Identity Provider” (IDP) kitemark, meaning that they have made the list of between five and 20 approved organisations that will be announced on 22 October. The public will be able to use their log-ins from a set list of “trusted” private organisations to access Government services, which are being grouped together on a single website called Gov.uk, which will be accessible by mobile. [Independent]

Intellectual Property

US – ISPs Monitoring Program Will Aim to Discourage Copyright Infringement

By the end of 2012, major Internet service providers (ISPs) in the US will have in place monitoring systems that will help implement a six-strikes plan to discourage illegal filesharing. Called the “Copyright Alert System,” the plan will result in increasingly severe responses for each successive strike, although “each strike is dozens or scores or hundreds of infringements,” according to Gigi Sohn, president of Public Knowledge, a digital rights group. The first several strikes will result in warnings; subsequent strikes could result in users being redirected to a certain page until they contact the ISP to discuss the matter or having their Internet speeds throttled. The plan involves monitoring peer-to-peer filesharing services. Much of the response is aimed at being educational rather than punitive. [WIRED]

Internet / WWW

EU – Article 29 Working Party: ICANN Updates May Be Unlawful

As the Internet Corporation for Assigned Names and Numbers (ICANN) updates its Registrar Accreditation Agreement, the European Commission’s Article 29 Working Party has said some of the changes may be illegal. The Working Party has written to ICANN to address its annual re-verification of contact details, which it calls “excessive and therefore unlawful” and a new data retention proposal that would keep personal information on registrants including phone numbers, e-mail addresses and credit card data, “for two years after the registration ceases,” the report states. The Working Party says such retention “does not stem from any legal requirement in Europe” and there is no “legitimate purpose” for the data collection. [Infosecurity Magazine] [Article 29 Data Protection Working Party – Letter to Internet Corporation for Assigned Names and Numbers (ICANN)]

EU – Commission Publishes Cloud Computing Guide

In the private sector, 64% of firms in Europe are using cloud services, but spending is limited and these services are still on trial, being used for non-business-critical services (smaller firms are seeking to reassure themselves that the cloud is “safe” before investing, e.g. by waiting for governments to lead by example in cloud adoption). Adoption of the cloud by the public sector follows similar patterns to the private sector, raising concerns around the suitability of business processes for the cloud, how to manage the transition from legacy systems to cloud systems, and what the best contract models are (so far cloud usage is complementary to existing systems, and not yielding the high cost savings that governments seek). The top 4 actions most important to cloud adoption are greater accountability and liability for security by cloud service providers (most providers work on a “best efforts” basis, and it is unclear if the cloud services fall within the exemption for liability in the e-Commerce Directive for intermediary services that are mere conduits or provide caching or hosting services), ensuring portability between cloud services (important if the organization uses cloud services in more than one area), improving broadband connections (the lack of reliable and inexpensive broadband connections is a constraint for users), and security certification for cloud service vendors (users are not in a position to evaluate providers’ claims as to their implementation of standards and security). [Source] See also: [Information Commissioner’s Office, United Kingdom – Guidance on the Use of Cloud Computing]

CA – Appeals Court Rules on Internet Case

The Ontario Court of Appeal on Tuesday upheld the conviction of a man who claimed his privacy was violated when his Internet service provider released his name and address to police. The man was later convicted of child pornography offences, the report states. The court said, “The appellant’s name and address was not the kind of information that would reveal intimate personal details or lifestyle choices.” According to the report, “The ruling is significant because it’s the first time the province’s top court has weighed in on whether a computer user has a reasonable expectation of privacy when accessing the Internet.” [The Ottawa Citizen]

US – Privacy Groups Ask FTC to Investigate Facebook’s Involvement with Datalogix

The Electronic Privacy Information Center (EPIC) and the Center for Digital Democracy want the US Federal Trade Commission (FTC) to investigate whether Facebook is violating the terms of a privacy settlement reached with the agency. Facebook has entered into an agreement with data-mining company Datalogix to measure the effectiveness of ads on the social networking site. Facebook has issued a statement saying that it is “confident that we are [in] compliance with our legal obligations.” The two groups seeking the FTC investigation say that “Facebook did not attempt to notify users of its decision to disclose user information to Datalogix” and that Facebook’s arrangement for users to opt out of the arrangement is “confusing and ineffective.” [NextGov]

Law Enforcement

CA – Ontario Court Affirms Law Enforcement Access to ISP Data

The court dismissed an appeal by an individual whose criminal conviction resulted from a police search of his residence and computer based upon information voluntarily provided to the police by his internet service provider (“ISP”); the police request complied with PIPEDA as it was specific and narrow (e.g. seeking only the subscriber’s name and address and information that would reveal nothing personal about the appellant or his internet usage, and narrowly identifying 3 specific instances of internet activity) and referred specifically to the nature of the offences being investigated (which were serious and which the ISP was entitled to know with regard to deciding whether to disclose the information), and the ISP’s service was an integral and essential component of the offences being investigated (e.g. this connection would make it more reasonable to expect that the ISP would cooperate with the police request). The search warrant was adequate; the justice of the peace could infer that prohibited content had likely been accessed and stored on the appellant’s computer, and technical and affidavit evidence indicated that the prohibited material likely remained on the computer long after it was downloaded and could likely be recovered by police even if deleted. [R. v. Ward – 2012 ONCA 660 – Court of Appeal for Ontario]

CA – Ontario Court Affirms Law Enforcement Access to ISP Data II

The Court relied on its decision in R. v. Ward to find that the police did not infringe an individual’s Charter rights by obtaining his name and address from his ISP using only a Law Enforcement Request, rather than a warrant or production order. [R v. Cuttell – 2012 ONCA 661 – Court of Appeal for Ontario]

Location

US – GAO Pushes for Work on Location Data Privacy

A report by the Government Accountability Office (GAO) calls attention to the vague treatment of location data in many corporate privacy policies. “Companies were collecting consumers’ location data, but did not clearly state how the companies were using these data or what third parties they may share them with,” the GAO report states. National Journal reports that while the GAO pushes for federal action, just two specific recommendations are made, including that the FTC outline its views on mobile location-data privacy and that the Commerce Department set concrete goals for its work with consumer advocates and industry to develop voluntary standards. Some politicians are using the report as evidence for legislation in this area. [Source]

US – GAO Report: Agencies Need to be Clearer About Mobile Device Location Data Use

According to a report from the US Government Accountability Office (GAO), federal agencies need to take steps to protect mobile phone users’ location data. The report says that mobile carriers’ descriptions of their collection and use of customer location data are often vague. While having the location information can be helpful for navigation and timely emergency response, it can also be used to profile users, commit identity fraud, and conduct surveillance. The GAO recommends the development of “specific goals, time frames, and performance measures for the multi-stakeholder process to create industry codes of conduct.” [The Hill] [ComputerWorld] [GAO.gov]

Offshore

SG – Exploring the State of the PDPA

Singapore recently had its first reading of its Personal Data Protection Act in Parliament, prompting Hariati Azizan of The Star Online to query when Malaysia’s Personal Data Protection Act (PDPA) will be enforced. Malaysia’s Information, Communications and Culture Minister Datuk Seri Dr Rais Yatim announced in February that the PDPA would be enforced by the middle of 2012. According to the report, enforcement details will be supplied by the ministry “as early as next month.” Meanwhile, a Malaysian government representative said, “Even though the PDPA has not been enforced yet, there are other relevant laws that can be used to take action against the offenders…” [Source] See also: [Taiwan’s New Personal Data Protection Act Becomes Effective October 1, 2012 – Baker & McKenzie] and [Office of the Privacy Commissioner for Personal Data, Hong Kong – An Overview of the Major Provisions of the Personal Data (Privacy) (Amendment) Ordinance 2012]

PH – Court Suspends Cybersecurity Law

The Supreme Court of the Philippines has suspended the Cybercrime Prevention Act of 2012. The government will respond to 15 petitions filed in opposition to the law, which critics have said could lead to imprisonment for sharing social media posts, the report states. The law “establishes penalties for various computer-related crimes, including child pornography, identity theft, online fraud and illegally accessing computer networks.” One senator called the law’s temporary suspension “the first victory in our battle to defend our freedom and right of expression.” [The New York Times]

SG – Parliament Passes Personal Data Protection Bill

The Singapore Parliament has passed a personal data protection bill aimed at protecting information in the private sector. The bill includes a Do-Not-Call registry and the creation of a new enforcement agency—the Personal Data Protection Commission (PDPC)—to regulate private-sector use of personal data. Slated to become official in January, the act will require individuals be informed of and provide consent to the processing of their data by private organizations, and individuals may seek compensation through private rights of action, the report states. The PDPC may fine noncompliant organizations up to S$1 million. [ZDNet]

HK – PCPD Reports Violations in Loyalty-Card Programs

Privacy Commissioner for Personal Data Allan Chiang has released investigation reports saying three companies violated customers’ privacy by collecting their Hong Kong Identity Card or passport numbers for a loyalty program. The numbers were collected in order to create default passwords for the programs’ online services and, according to Chiang’s report, the practice amounts to unnecessary and excessive collection. Citing increased public awareness due to the “Octopus incident,” Chiang said, “I expect that corporations in Hong Kong should have learnt a lesson and paid more attention to data privacy regulations.” [The Standard]

Online Privacy

US – Facebook Testing Promoted (Paid) Posts In the U.S.

“On Wednesday, the company introduced a feature that allows U.S. users with fewer than 5,000 friends to promote their updates – for a fee. The users’ posts would gain prime placement on their friends’ news feeds.” [Washington Post] See also: [Not all my Friends Need to Know: a Qualitative Study of Teenage Patients, Privacy and Social Media – Maja van der Velden and Khaled El Emam, Journal of the American Medical Informatics Association (2012)]

US – Exploring the Privacy of Private Messages

A recent online video allegedly shows that Facebook scans links sent via private messages and registers them as though the user “likes” the page sent. “It’s just one example of how online messages that seem private are often actually examined by computers for data,” the report states, adding, “it is not clear from Facebook’s data use policy that regular users would expect links in their messages to be scanned this way.” Facebook has responded that “absolutely no private information has been exposed” and users’ privacy settings were not affected. [The Wall Street Journal]

US – Officials, DAA and Microsoft Battle Over DNT

The Digital Advertising Alliance (DAA) has responded to Microsoft’s new default-on do-not-track (DNT) browser, saying it is not an appropriate standard for customers, reports The Next Web. But Sens. Joe Barton (R-TX) and Edward Markey (D-MA) say the DAA is putting “profits over privacy.” Microsoft is holding its ground, citing a study of its customers that showed 75% want the company to turn on DNT for them. Meanwhile, EU Digital Agenda Commissioner Neelie Kroes is voicing her concern about the delay and the “turn taken” in the discussions at the World Wide Web Consortium, which missed a June deadline to come up with a better system for DNT. [Source]

WW – In Amsterdam, A Lack of Consensus on Do Not Track

The World Wide Web Consortium (W3C) held meetings in Amsterdam and there was a lack of consensus among stakeholders on how to bring a Do-Not-Track option to websites. The report states that “the stakes for Internet users are high and boil down to who determines the limits and protections of online privacy on the Internet…” The meeting continues today. While the W3C’s Thomas Roessler says he has “some measure of confidence we will come up with a workable solution,” the head of the European Commission’s Article 29 Working Party, Jacob Kohnstamm, an observer at the meeting, said, “It seems the process has been hijacked by commercial interests.” U.S. FTC Chairman Jon Leibowitz said, “There is enormous and bipartisan momentum for Do-Not-Track options for consumers if there is no agreement by the end of this year.” [The New York Times]

WW – Do-Not-Track Standards Discussion Heats Up

Senate Commerce Committee Chairman Jay Rockefeller (D-WV) has told FTC Chairman Jon Leibowitz that “self regulation for the purposes of consumer privacy protection has failed,” but he encouraged the FTC to work with the World Wide Web Consortium to develop Do-Not-Track (DNT) standards. Rockefeller has also introduced DNT legislation. Leibowitz has said the industry “appears to be backing off from its commitments” to DNT. Meanwhile, the Center for Democracy & Technology wrote, “in recent days, we have suddenly seen an all-out blitz of attacks on Do Not Track, both in Washington and Silicon Valley.” Industry representatives have sent a letter to Microsoft’s top executives to call the company’s default DNT setting “unacceptable.” [Broadcasting & Cable]

US – DMA Launches “Data-Driven Marketing” PR Campaign

The Direct Marketing Association (DMA) has launched a $1 million public relations campaign aimed at improving the image and curbing government “regulation of the consumer data-mining industry.” Titled the “Data-Driven Marketing Institute,” the campaign intends to prevent “needless regulation or enforcement that could severely hamper consumer marketing and stifle innovation” while “tamping down unfavorable media attention.” Acting DMA Chief Executive Linda A. Woolley said, “We want to set the record straight on what we think has been a lot of mischaracterization of what we do and to explain the benefits of data-driven marketing to consumers.” [New York Times]

US – Advertisers Campaign Against Do Not Track

Nine U.S. lawmakers recently wrote to the Federal Trade Commission (FTC) voicing concern over restricting the flow of data “at the heart of the Internet’s success.” The Association of National Advertisers and the Interactive Advertising Bureau have both voiced opposition to Microsoft’s default Do-Not-Track mechanism. The Digital Advertising Alliance has said self-regulation is working and should be given a chance to succeed. FTC Chairman Jon Leibowitz said the disagreement on standards could lead to a privacy arms race with browsers rushing to give consumers the most privacy protections, which may not be a bad thing, he added. [The New York Times]

US – Think-Tank Website Will Not Honor Do Not Track Requests

The website of Washington, DC-based think tank Information Technology Innovation Foundation (ITIF) will not honor users’ do-not-track (DNT) requests. A new feature on the website detects visitors’ DNT settings and informs those who have the preference selected that the request is denied. In a blog post, ITIF senior analyst Daniel Castro wrote, “Do Not Track is a detrimental policy that undermines the economic foundation of the Internet. Advertising revenue supports most of the free content, services, and apps available on the Internet.” [ComputerWorld] [ITIF]

US – New “Sponsored Stories” Settlement Filed

Facebook has filed another settlement in a lawsuit over its “Sponsored Stories” feature after a judge dismissed the company’s first attempt in August. The settlement includes a one-time $10 payment to affected users and an “easily accessible mechanism” for users to see how their Facebook content is being used in Sponsored Stories. It also allows parents of users under the age of 18 to opt them out of the feature, or, if the parents are not Facebook users, the company will not use minors’ data until they turn 18, the report states. [CNET News]

Other Jurisdictions

BR – Brazil to Track All Vehicles Electronically

“As of January, Brazil intends to put into action a new system that will track vehicles of all kinds via radio frequency chips. It will take a few years to accomplish, but authorities will eventually require all vehicles to have an electronic chip installed, which will match every car to its rightful owner. The chip will send the car’s identification to antennas on highways and streets, soon to be spread all over the country. Eventually, it will be illegal to own a car without one. Besides real time monitoring of traffic conditions, authorities will be able to integrate all kinds of services, such as traffic tickets, licensing and annual taxes, automatic toll charge, and much more. Benefits also include more security, since the system will make it harder for thieves to run far away with stolen vehicles, much less leave the country with one.” [Slashdot]

NZ – Breaches at Bank, Ministry Put Consumer Data at Risk

New Zealand Assistant Privacy Commissioner Katrine Evans said in a statement that her office is “very concerned” about a gap in security at the Ministry of Social Development’s Work and Income data kiosks that allowed unauthorized access to personal and confidential data. Blogger Keith Ng revealed the lapse after receiving a tip, the source of which claims to have alerted the ministry to it in the week prior, seeking financial reward. Cabinet Minister for Social Development and Employment Paula Bennett called the breach “completely and utterly unacceptable” and apologized. [Source] See also: [Draft Regulation Of Law No. 29733 Personal Data Protection Law – Official Gazette of Peru]

Privacy (US)

US – California AG and Insurer Reach Lawsuit Settlement

California Attorney General Kamala Harris and Anthem Blue Cross have reached a $150,000 settlement in Los Angeles Superior Court over a data breach incident involving Social Security numbers. Between April 2011 and March 2012, letters were mailed to Medicare Supplement and Medicare Part D subscribers that included the recipients’ Social Security numbers, a violation of California state law. An Anthem spokeswoman said there has been no indication that recipients’ data was abused and the organization has created a new alert system for sensitive subscriber information, the report states. [Associated Press] See also: [United States of America (for the FTC) v. Artist Arena LLC – Complaint and Consent Decree and Order – United States District Court Southern District of New York] and also: [Sean Lane et al. v. Facebook, Inc. et al. – 2012 U.S. App. LEXIS 19767 – United States Court Of Appeals For The Ninth Circuit] and [Coffman v. Central Bank & Trust Co. – 2012 U.S. Dist. LEXIS 136757 – United States District Court for the Eastern District of Kentucky] and [FTC – In the Matter of DesignerWare, LLC et al. – Complaint and Agreement Containing Consent Order]

US – Rockefeller Seeks Answers from Data Brokers

The chairman of the Senate Commerce Committee has asked for detailed information from online data brokers on how they compile and sell consumer information, Broadcasting & Cable reports. Sen. Jay Rockefeller (D-WV) sent letters to data brokers including Reed-Elsevier, Spokeo and Experian seeking answers on data collection—including its granularity, who has access to it and for what purposes. “Collecting, storing and selling information about Americans raises all types of questions that require careful scrutiny,” Rockefeller said, adding that consumers “deserve to know what’s being collected about them and how companies profit from their information.” [Source] See also: [House Bill – An Act Regarding the Protection of Geolocation Information – U.S. House of Representatives] and [Assembly Bill 439 – An Act relating to Health Care Information – California General Assembly]

US – Senate Report: Post 9/11 “Fusion Centers” Offended Civil Liberties

A newly released Senate subcommittee report has found that centers established after September 11, 2001, to share counterterrorism data with local and federal law enforcement put Americans’ civil liberties at risk. Since 2003, more than 70 “fusion centers” were established, costing an estimated $289 million to $1.4 billion. But the centers “forwarded ‘intelligence’ of uneven quality—oftentimes shoddy, rarely timely, sometimes endangering citizens’ civil liberties and Privacy Act protection,” the subcommittee report states. The report recommends the Department of Homeland Security “revisit the statutory basis for DHS support of fusion centers,” conduct assessments on information-sharing and strengthen protections of civil liberties. [NPR]

US – Federal Trade Commission Cracks Down on Phony Tech Support Schemes

The US Federal Trade Commission has filed charges against 14 companies that are allegedly involved in fraudulent tech support schemes. The scams run operations in which computer users are cold-called by someone pretending to be from a tech support center that has detected that their computer is infected with viruses. In other instances, users are lured in through ads warning them that their computers are infected. They are then instructed to allow the caller remote access to their machines and are charged for the whole process. A US District Court judge has frozen the assets of the companies allegedly involved in the schemes. The FTC has filed complaints against 14 corporate defendants and 17 individual defendants allegedly involved in six schemes. [eWeek] [InformationWeek] [ComputerWorld] [ArsTechnica]

US – 2012 IAPP Privacy Award Winners Announced

At the IAPP Privacy Academy’s Privacy Dinner, some of the best of the best among privacy innovators and experts were honored for their work in the field. In addition to a keynote speech by John Perry Barlow, the 2012 Privacy Dinner featured the announcement of this year’s HP-IAPP Innovator Awards and the Privacy Vanguard Award. Sandra R. Hughes, CIPP/US, is the winner of the 2012 IAPP Privacy Vanguard Award, and for the 2012 HP-IAPP Innovation Award, this year’s winners in the large and small organization and technology categories are the Vodafone Privacy Programme, Alberta Pensions Services, CSR and Oculis Labs. In announcing Hughes’ selection as this year’s Privacy Vanguard at the Privacy Dinner in San Jose, CA, McAfee CPO Michelle Dennedy, CIPP/US, described Hughes’ contributions to the privacy field. Accepting the Vanguard Award, Hughes spoke of her desire to continue to “do the right thing” by giving back to the privacy profession. [Source]

US – Artist Arena Agrees to $1 Million Settlement with FTC for COPPA Violations

Fan site operator Artist Arena has agreed to a $1 million settlement with the FTC for allegedly violating COPPA. The proposed settlement still awaits approval from a judge. An FTC investigation found that the company—which operates fan sites for Justin Bieber and other musicians—collected the names, e-mail addresses, birth dates and gender of children under the age of 13. FTC Chairman Jon Leibowitz said, “Marketers need to know that even a bad case of Bieber Fever doesn’t excuse their legal obligation to get parental consent before collecting personal information from children.” [The Washington Post]

US – Auditor: Ohio Law Hampering School Tracking Efforts

According to auditor Dave Yost, an Ohio law that makes students’ personal information off-limits to state agencies means keeping track of the 1.9 students in the state is difficult and costly. Yost told the state’s Board of Education the Statewide Student Identifier policy “doesn’t help anybody,” adding that moving the system in-house and lifting restrictions on student IDs could save the state an estimated $430,000 each year. “What we’re really worried about here is kids’ information not being out on the street, not being easily accessible…But we can do that by simply controlling the access and what the rules are for dissemination of that information,” Yost said. [Associated Press]

US – AG Tweets to United Airlines: Where’s Your Privacy Policy?

California Attorney General Kamala Harris used social media to commend United Airlines for its “fabulous” mobile app, but then asked via Twitter, “where is your app’s #privacy policy?” Los Angeles Times reports that Harris also linked to the California Online Privacy Protection Act, which requires commercial websites that collect Californians’ personally identifiable information to post a privacy policy. “We have to both cheer the incredible advances in technology and at the same time protect consumer privacy,” said a spokesman for Harris. United Airlines responded saying it would review the app to “ensure that our privacy policy is also easily accessible to United app users.” [Source] SEE ALSO: [FTC – Examining the Uses of Consumer Credit Data – Testimony before the Subcommittee on Financial Institutions and Consumer Credit] and also [Dean Andersen v. State Collection Service, Inc. – 2012 Wisc. App. LEXIS 746 – Court of Appeals of Wisconsin, District Two]

US – Judge Dismisses Pandora Privacy Lawsuit

A federal judge has dismissed a multibillion-dollar lawsuit claiming that Internet radio company Pandora violated its users’ privacy. The suit argued that a pre-Internet era Michigan law was violated when Pandora integrated with Facebook in 2010. Saying that no “actual injury” was demonstrated, U.S. District Judge Saundra Armstrong noted the 1988 state privacy law prohibits a class-action lawsuit “by a person who has not suffered actual loss,” adding, “Pandora argues that it merely streamed music to plaintiff’s computer and, therefore, could not have violated (state law) because it never rented, lent or sold recordings to him.” [CNET News]

US – Groups Warn the FCC on Data Collection, Sharing Practices

Broadcasting & Cable reports that a coalition of groups has cautioned the Federal Communications Commission (FCC) to be careful of how it collects and shares consumer information online in its effort to learn about Americans’ access to broadband services. The Competitive Enterprise Institute, Communications Liberty and Innovation Project, TechFreedom, Center for Media and Democracy and six other groups say they are concerned about consumers sharing information with the commission that could be shared with law enforcement and allow their Internet activity to be reviewed “without due process or judicial scrutiny,” the report states. [Source]

US – Companies Settle with FTC for List Sharing

One of the largest U.S. consumer reporting agencies has agreed to settle with the FTC over charges it “improperly sold lists of consumers who were late on their mortgage payments,” in violation of the FTC Act and the Fair Credit Reporting Act. Equifax Information Services, LLC, will pay $393,000 over allegations that its “inadequate procedures” led to the sale of more than 17,000 lists to firms that “should not have received them.” Direct Lending Source, which bought the lists and resold some of them to third parties, will pay $1.2 million. [FTC Press Release]

Privacy Enhancing Technologies (PETs)

US – Rights Group Lauds Privacy Changes in Apple’s iOS 6

The Center for Democracy and Technology (CDT) says it approves of the privacy features Apple recently incorporated into its iOS 6 operating system. In a recent blog post, the CDT said it “applauds Apple’s decision to incorporate these substantial pro-privacy elements into iOS 6, allowing users to finely control how their data gets shared with specific apps and to more easily express a desire not to be tracked by marketers,” adding, “We hope that this effort encourages mobile OS vendors to continue to iterate and compete on built-in privacy controls.” Meanwhile, in PCWorld, Tony Bradley says the enhancement of data protection controls in Microsoft’s Exchange Server will help IT admins keep data safe. [Computerworld]

WW – New Privacy Tools Emerge

The Association for Competitive Technology has introduced App Privacy Icons as part of its campaign to “provide developers with the resources to demonstrate easy-to-understand transparency about the privacy settings and features of their apps.” The icons inform web users whether an app contains advertising, collects data or shares information with social networks, the report states. Meanwhile, a group of privacy activists have launched “Terms of Service; Didn’t Read” to help users make better choices online. “We are trying to fight the unfair situation in which big websites make us sign terms-of-service agreements that are too long to read and understand,” the project description states. [eWeek]

RFID

US – Student RFID Tags Transmit Constant Signal

While some companies fight revisions to the Children’s Online Privacy Protection Act and others continue to violate it, the tracking of students through RFID badges and surveillance cameras is increasing. As of October 1, a Texas school system outfitted students at two of its campuses with badges containing RFID chips that transmit a constant signal so students can be tracked throughout the day—unlike more commonly used RFID badges that only transmit data when scanned. Privacy and civil rights activists say the badges contravene the students’ right to free speech as they can monitor which kids spend time together. [AlterNet]

Security

CA – Stoddart Questions Increased Cameras on Parliament Hill

Privacy Commissioner Jennifer Stoddart is questioning a plan to install 134 surveillance cameras on Parliament Hill, adding to the 50 that are currently there. The RCMP and House of Commons proposal would install the cameras as part of a government security overhaul. Stoddart’s report notes that a “deliberate decision” was made not to notify the public of the surveillance with signs. In an interview, Stoddart said, “Any of these massive surveillance programs are a real infringement on citizens’ rights and have not necessarily proven their worth.” [The Globe and Mail]

CA – Edmonton Police to Test Body-Worn Video

Edmonton police have begun a yearlong pilot program to test audio and video recording devices that are small enough to be worn on uniforms. The body-worn video recording systems were tested in Victoria, BC, in 2009 and were met with concerns about access and use of the recordings as well as the officers’ ability to turn the cameras on and off at will. Edmonton police are hearing similar concerns, and while Alberta’s privacy commissioner has been alerted to the plan, the office says it’s too soon to tell if there will be privacy concerns. [Toronto Sun] SEE ALSO: [Information Security Manual 2012: Principles – Department of Defence, Australian Government]

Smart Cards

UK – App Allows for Criminal Records Searches

A new mobile app allows users to search for individuals’ and companies’ criminal histories. Do No Evil costs $1 a search and scans more than two million litigation records by name and address. The report quotes a man who said the app violated his privacy, preventing him from gaining employment based on his past. The Office of the Privacy Commissioner for Personal Data has received inquiries on the app, a spokesman said, but hasn’t received official complaints. [Time Out]

Surveillance

US – License-Plate Tracking Tech Becoming Ubiquitous

The Wall Street Journal reports on the rise of license-plate tracking technology, noting it “is a case study in how storing and studying people’s everyday activities, even the seemingly mundane, has become the default rather than the exception.” The Department of Homeland Security (DHS) has awarded more than $50 million in federal grants to law enforcement agencies during the past five years for the technology, and at least two private businesses using the technology have been identified, the report states. Former DHS Chief Privacy Officer Mary Ellen Callahan, CIPP/US, once said such private databases could become the nation’s largest collection of people’s movements. Meanwhile, privacy advocates are concerned that new forms of car insurance discounts are potentially privacy-invasive. [Source]

US – SCOTUS Ends Case Against Telecoms

The U.S. Supreme Court has ended a class-action lawsuit filed six years ago against U.S. telecommunications companies for assisting the NSA in monitoring international phone calls and e-mails. The suit was “dealt a death blow in 2008 when Congress granted retroactive immunity” to the companies, the report states, and the court has turned down appeals from civil liberties groups without comment. A case is expected to come before the court later this month to decide whether NSA agents can be sued for authorizing the wiretapping, the report states. [Los Angeles Times]

UK – New Regulator Raises HD CCTV Concerns

Newly appointed Surveillance Camera Commissioner Andrew Rennison says the unregulated installation of inexpensive, high-definition CCTV cameras in Britain could identify and track individuals, creating a Big Brother state and breaching human rights laws. “The technology has overtaken our ability to regulate it,” Rennison said, adding the sophisticated cameras are “storing all the images they record” and have the ability to “run your image against a database of wanted people.” According to the report, Rennison is creating a CCTV code of conduct for Parliament. [The Telegraph] SEE ALSO: [Drones in Domestic Surveillance Operations: Fourth Amendment Implications and Legislative Responses – Congressional Research Service]

Telecom / TV

US – Privacy war heats up between ACLU, DOJ

CSO reports on arguments being levied by the American Civil Liberties Union (ACLU) and the U.S. Department of Justice (DoJ) over government surveillance of citizens’ electronic communications. The ACLU has said the Electronic Communications Privacy Act (ECPA) is outdated and does not require court approval for “non-content” information. ECPA’s standard on “non-content” data is “based on an erroneous factual premise, specifically that individuals lack a privacy interest in non-content information,” said an ACLU representative, adding that non-content data paints a “vivid picture of the private details of your life.” Meanwhile, the U.S. Court of Appeals in New Orleans is scheduled to hear a government appeal regarding a warrantless request of cellphone location records, and California Gov. Jerry Brown vetoed a bill that would have required law enforcement to get a warrant prior to obtaining location-tracking data. [Source]

US – Wireless Carrier’s Initiative Raises Privacy Concerns

A marketing initiative by Verizon Wireless has raised concerns among privacy advocates. The company’s Precision Market Insights plan aggregates customers’ locations, app usage and browsing activities and sells the data, a move that some say could violate a federal wiretap law. Verizon says it may link consumer data to third-party databases containing information about customers’ gender and ages as well as details such as “sports enthusiast, frequent diner or pet owner,” the report states. The company says the initiative is legal because the data is aggregated, does not reveal customers’ identities and provides an opt-out. Meanwhile, a Huffington Post report provides three ways to limit third-party access to iPhone user activity. [CNET News]

US Government Programs

US – DHS Issues Privacy Annual Report

82% of the DHS Federal Information Security Management Act (“FISMA”) systems were covered by required PIAs, and 95% of systems of records notices were completed; privacy reviews were conducted on 176 intelligence products and 421 Intelligence Information Reports. DHS processed 895 of 909 FOIA requests; an electronic FOIA solution was piloted, which enables requests and appeals to be entered into the system from written or electronic requests, has options for printing or emailing acknowledgements and standard responses, calculates fees based on agency policy, and includes an advanced electronic redaction toolset for search, retrieval, and redaction. The use of privacy compliance reviews (“PCR”) was expanded, with 5 public PCRs completed in the areas of cybersecurity, information sharing and the use of social media; over 1,000 privacy complaints and 51 Privacy Act amendment requests were received. Six public reports were issued (e.g. 3 quarterly reports under the 9/11 Commission Act, 2011 Annual FOIA Report, 2012 Chief FOIA Officer Report and 2011 Data Mining Report to Congress); 658 privacy incidents were reported to the DHS Security Operations Center (an increase of 34% over the last reporting period), primarily consisting of the alteration/compromise of information (85%), investigation unconfirmed/non-incident (13%), and misuse (2%). Source: [2012 Annual Report to Congress – Privacy Office, Department of Homeland Security]

Workplace Privacy

US – BYOD Gives Rise to Maze of Legal Risks

The growth of bring-your-own-device (BYOD) policies brings with it “a minefield of legal questions and risks.” Demand for legal services for data privacy and security “has skyrocketed” and has propelled a number of law firms to build out privacy protection practices. Meanwhile, a new Harris survey has revealed that nearly 80% of employees would not give their employers access to view what apps are on their devices. [The Washington Post] SEE ALSO: [EEOC Locks Down Employers Use of Arrest and Conviction Information – Melissa Siebert, K&L Gates – LAW.COM] and [Data Protection During Recruitment: Top 10 Tips for Managers – Helen Burgess, Senior Associate – Shoosmiths] and [Technology and the Monitoring of Employees – Employment Practice Group, Kemp Little LLP]

 

+++

 

16-30 September 2012

 

Biometrics

US – Voice Verification Technology Prevents Impersonators from Obtaining Voiceprints

Computer users have learned to preserve their privacy by safeguarding passwords, but with the rise of voice authentication systems, they also need to protect unique voice characteristics. Researchers at Carnegie Mellon University’s Language Technologies Institute (LTI) say that is possible with a system they developed that converts a user’s voiceprint into something akin to passwords. The system would enable people to register or check in on a voice authentication system, without their actual voice ever leaving their smartphone. This reduces the risk that a fraudster will obtain the person’s voice biometric data, which could subsequently be used to access bank, health care or other personal accounts. “When you use a speaker authentication system, you’re placing a lot of faith in the system,” said Bhiksha Raj, an associate professor of language technologies. “It’s not just that your voiceprint might be stolen from the system and used to impersonate you elsewhere. Your voice also carries a lot of information—your gender, your emotional state, your ethnicity. To preserve privacy, we need systems that can identify you without actually hearing your voice or even keeping an encrypted record of your voice.” [Source]

CA – Quebec Sets Rules For Biometric Identification Systems

In Quebec, employers need to comply with the requirements set in the Act to Establish a Legal Framework for Information Technology, which the Quebec Commission on Information Access strictly monitors. Under the act, both physiological biometry and behavioral biometry are available to employers. Usually, employers choose physiological biometry, which deals with fingerprints to record employee attendance. Kronos Touch ID Technology is used often because it does not store fingerprint images. All it requires is for the employee to enter his or her personal ID code and place his or her finger on a screen.

Biometric identification systems based on mathematical representation technology are acceptable to the Quebec Commission on Information Access because they do not store images and thus do not infringe on an individual’s right to privacy. The Act Respecting the Protection of Personal Information in the Private Sector is strict when it comes to employers using biometrics in Quebec. There are nine conditions summarized in its guidelines entitled “Biometrics in Quebec: Application Principles, Making an Informed Choice.” The approach first prompts employers to explore alternatives to biometrics. If employers do choose biometrics, they need to secure the consent of each individual or employee to be subjected to biometrics. This gives employees the option whether to give their consent or not, and employees can withhold their consent without providing any justification. Employers need to conduct information sessions so that employees understand the “ins and outs” of the biometric identification system and why it is necessary in the workplace. Furthermore, employers have to consult with legal counsel to make sure that human rights issues are assessed properly and that the necessary legal requirements and reporting obligations to the Commission are complied with. [Source]

EU – Facebook Suspends Use of Facial Recognition Tool in EU

Facebook has suspended the use of its facial recognition tool in Europe. The feature suggests users who could be tagged in photographs posted to the site. Facebook says that the feature has been turned off for new EU users and that “templates for existing users will be deleted by 15 October.” The decision was made in response to recommendations from the Irish Data Protection Commissioner. In addition, Germany has demanded that Facebook disable the service and destroy its associated database. [BBC] [ComputerWorld] [InformationWeek] [v3.uk] [ArsTechnica] See also: [US: To lawbreakers’ angst, mug shot websites spreading]

WW – Airport Iris-Scanning May Be Wave of Future

Iris-scanning technology is being rolled out in select airports. Technology similar to AOptix’s InSight Duo iris scanner may become a standard security check at airports and border crossings around the globe, the report states, making the security experience more efficient. A company whitepaper states, “In an InSight-based eGate, a traveler would pass through border control by first scanning his biometric passport on the eGate and then authenticating his biometric record with InSight.” Privacy concerns loom, however, as researchers recently were able to reverse engineer iris code back into an iris image. Privacy expert Woodrow Hartzog said, “A significant enough breach could render an entire verification system unreliable.” [Ars Technica]

Canada

CA – Alberta Privacy Commissioner Issues Report on Privacy Breaches

Alberta’s new Privacy Commissioner, Jill Clayton, has released a report on the first two years of mandatory privacy breach reporting in Alberta (the “Breach Report”). As of the end of April 2012, 151 breach reports had been received by the Privacy Commissioner. Of these reports, 63 cases (42%) involved a real risk of significant harm. In the remainder of the matters, this threshold was not reached, PIPA was determined not to apply, or the matter was still under review. The Breach Report shows that a majority of the 63 reported cases meeting the real risk of significant harm threshold involved human error or lost or stolen unencrypted electronic devices:

- 22 breaches were caused by human error. These incidents included inappropriate disposal of personal information, emails sent to the wrong individuals (or viewable to all individuals in a mass email), faxes sent to the wrong person or to an unsecure fax, loss of files and portable memory sticks, and unauthorized disclosure of passwords. The most common form of human error was mail and courier errors caused by delivery to the wrong individual.

- 18 breaches were caused by theft. These breaches were primarily due to office and car break-ins resulting in the loss of computer devices, although in a few cases paper documents were also stolen.

- 14 breaches were caused by electronic system compromises. These breaches were typically found to occur as a result of targeted attacks by external hackers seeking to extract large amounts of data. In one incident, 50 million individuals were affected.

- 9 breaches were caused by a failure to adequately control access to electronic or paper files. One case in particular involved files that were accessible to the public via the Internet.

Where a real risk of significant harm was found, the Breach Report indicates that most of the personal information breached was considered to be of high sensitivity, such as social insurance numbers, drivers’ license numbers, or credit card numbers. The Breach Report also indicates that the following circumstances were likely to lead to a real risk of significant harm:

- where information was apparently stolen for nefarious purposes;

- where recipients could not be determined;

- where electronic devices containing personal information had no encryption and no audit capability, making access possible and unknown; and

- where a large number of individuals were affected and where there was a likelihood that the personal information could be used for a nefarious purpose (such as “phishing” for more personal information).

The Breach Report also offers some commentary on when reporting is not required. Where no real risk of significant harm was found, the personal information involved was typically of low sensitivity. Even where sensitive information was breached, reporting was not required where the organization used strong encryption methods or auditing capability, thus making access to the information highly unlikely. Typically, reporting was not required where recipients were few and known to the organization, or where the information was returned or confirmed destroyed in a relatively short time frame. The Breach Report offers further guidance on prevention of privacy breaches. In addition to measures intended to protect against specific risks to personal information, organizations should implement the following basic steps: [Source]

CA – Newfoundland Passes Amendments to Privacy and ATIP Laws

Despite a four-day, record-breaking filibuster in mid-June, the provincial Conservative party of Newfoundland and Labrador passed a bill that will radically reduce public access to government information in the province. Bill 29 has drawn widespread criticism from legal experts, opposition politicians and working journalists alike, who have called the bill regressive and draconian. “It’s more of a piece of legislation that sets rules on how not to release things,” says Russell Wangersky, an editor and columnist with The Telegram in St. John’s. The amendment to the province’s Access To Information and Protection of Privacy Act (ATIPPA) has the potential to drastically reduce the need of the Newfoundland government to respond to, well, anything, really. Requests that Cabinet determines are “vexatious, frivolous [or] trivial” can now be disregarded. The definition of “Cabinet confidences” has also been expanded to include documents that have been prepared for Cabinet, but which Cabinet doesn’t need to have ever seen or used. Bill 29 took its cue from a review of the ATIPPA, released in January of 2011, undertaken by career NL bureaucrat John R. Cummings, Q.C. Among other high-ranking governmental positions, Cummings has been Newfoundland’s Deputy Minister of Justice, Deputy Attorney General and Secretary to the Cabinet. The new law subsequently implemented 16 of the review’s 33 recommendations. Cummings’ review was supposed to rely heavily on a public consultation process, but Wangersky sees it differently. “The review [to] our Access to Information Privacy Act…was overseen by a former civil servant who had a number of years’ experience turning down Access to Information requests,” says Wangersky. “[Cummings] heard primarily from civil servants and government departments and came up with modifications to the Act that substantially restrict the release of documents and put more and more of a control over what can be released into the hands of Cabinet.” [Source]

CA – Kenney’s Emails Targeting Gay Community Raise Privacy Concerns

For many who received an email from Citizenship and Immigration Minister Jason Kenney about gay refugees, the message raised one important question: How did he know I’m gay? The bulk email sent from Kenney’s MP’s office to thousands was titled “LGBT (lesbian, gay, bisexual and transgender) Refugees in Iran” and began with the salutation, “Friend.” Among the recipients was Meredith Richmond of Peterborough, Ont., who, to her knowledge, had never had any contact with Kenney’s office before. She had no idea how Kenney got her personal Gmail address and how he seemed to know about her sexual orientation. “It felt really targeted at me,” she said. “I’m not a supporter of the Conservatives.” While Richmond had never directly emailed Kenney’s office, she was one of nearly 10,000 people who electronically signed a 2011 online petition supporting a gay artist from Nicaragua, who was then facing deportation. Toronto community organizer and former NDP candidate Michael Erickson posted the petition on the website change.org. Whenever someone “signed” the petition, the site automatically sent a form letter by email to Kenney’s office with the signatory’s reply email address. It appears those thousands of messages were harvested by the email program in Kenney’s office and saved for later use. [Source] [Elections watchdog mulls regulation of parties’ voter databanks] and [Political Parties Operate Outside Canada’s Privacy Laws] and also: [MB: Bateman apologizes for 1,500 leaked email addresses]

CA – Toronto Real Estate Board Seeks to Bar Public from Tribunal Hearing

The Toronto Real Estate Board is sticking so vociferously to its claims that Multiple Listing Service information routinely handed out by its own agents is such a violation of privacy in the wrong hands, it tried to have the public removed from a Competition Tribunal hearing. In the face of objections from the Competition Commissioner’s legal counsel and media covering the hearing, Tribunal chair Justice Sandra Simpson agreed that no one would be barred from the hearing. But she asked that MLS data on a handful of homes for sale as of Sept. 17 be edited to remove a number of details before being entered into the public record. That included virtual tour photos of the interior of the homes, the names of the homeowners, mortgage and commission information that is more often than not on MLS listings that traditional “bricks-and-mortar” realtors give out to clients. [Source]

CA – Teen’s Identity in Facebook Privacy Case to be Kept Confidential

A Nova Scotia teenager who wants to sue the people she alleges bullied her on Facebook will be able to keep her name private but won’t be able to get a partial publication ban on the trial, the Supreme Court of Canada has ruled. The case involved a 15-year-old teen known only as “A.B.” who learned in 2010 that a fake profile of her had been set up on Facebook. It included a photo of her and a slightly modified version of her name. The fake profile discussed her physical appearance and allegedly included “scandalous sexual commentary of a private and intimate nature,” according to the court documents. She wanted to launch a civil suit and wanted the court to compel Internet provider Bragg Communications to disclose the identity of the people behind the IP address where the alleged defamation came from. But A.B. also wanted a partial publication ban on the case, to keep the details of the alleged defamation under wraps and her full name kept confidential. This week, the Supreme Court agreed that the teen’s identity should be kept confidential, saying the court has a duty to protect her because of her age. [Source]

Consumer

CA – Canadians Trust That Organizations Won’t Share Their Information: Poll

In asking Canadians what information they’re willing to share with organizations – via consumer loyalty programs, for instance – pollsters found a considerable chunk of the population agreeable to divulging everything from sexual orientation (40%) to health details (31%) to political and religious affiliations (30% and 41%, respectively). “There’s an inherent trust that organizations are going to act reasonably with your information,” says Bryan Pearson, author of The Loyalty Leap: Turning Customer Information into Customer Intimacy. Fully 48% of Canadians say they always or often read the privacy policies of companies with whom they deal – a surprisingly high figure, Mr. Pearson said. The nationally representative survey, released Tuesday, is considered to be accurate 95% of the time, with a margin of plus or minus three percentage points. It was conducted online throughout June. [The National Post]

US – U.S. Consumers Reveal Surprising Privacy Findings

Research findings LoyaltyOne released this week show that when it comes to privacy, U.S. consumers are still protecting some of their personal information as much as they do their social security number. Of the 1,000 U.S. consumers responding to an online survey, 50% said they’d be willing to give a trusted company their religious affiliation, 49% their political affiliation, 49% their sexual orientation, 36% health information, 26% mental health information, 24% browsing history and 15% for both smart phone location and number of sexual partners. Last on the list is their social security number at 11%. Several of the 2012 questions followed up on a 2011 survey and were structured to measure changes in U.S. consumer sentiments over the past year. For brands intent on deepening their customer relationships, the results signal a concerning trend: trust may be eroding. Some key year-to-year results: 78% of U.S. respondents said they do not feel they receive any benefit at all from sharing information, up from 74% in 2011; less than half feel that companies use their personal data to better serve the consumer, an 11% slip from 2011; and 62% said they would share more personal data if it meant receiving relevant product and service offers, down from 66% in 2011. “Consumers are disappointed. For years they’ve provided their valuable information and they’re not realizing something of suitable worth in return,” Pearson said. “If businesses don’t act quickly to demonstrate they have the consumer’s best interest at heart, they risk an erosion of the business-to-consumer relationship.” [Source]

WW – Think Tank: Business Would Benefit by Upping Consumer Data Control

Policy think tank Demos has said businesses would benefit if they granted consumers more control over how their personal data is used. Consumers are suffering a “crisis of confidence” when it comes to information sharing, Demos said. Businesses could overcome this if they have “open, transparent and clear information-sharing relationships with customers” and allow consumers to make an “informed choice” about the ways their personal information is used. “Regulators and businesses need to find a flexible, dynamic framework, which recognizes the diversity of views on the issue, and consider how people can customize and negotiate their relationship with organizations so that it is and feels mutually beneficial.” [Out-Law.com] [DEMOS Report]

Electronic Records

US – HHS, VA Demonstrate PHI eTransfer

The U.S. Department of Health and Human Services and the Veterans’ Administration have demonstrated how sensitive patient data can be transferred electronically while maintaining confidentiality. Developed as part of the Data Segmentation for Privacy Initiative (DS4P), the demonstration showed how a patient could consent to a transfer and how data would be tagged according to sensitivity, requiring further authorization from the patient prior to additional disclosure. Office of the National Coordinator for Health IT Chief Privacy Officer Joy Pritts said, “This project helps demonstrate that with proper standards in place, existing privacy laws and policies can be implemented appropriately in an electronic environment.” [FierceEMR]

EU Developments

EU – Reding: Data Protection Directive Overhaul Could Save 2.3 Billion in Costs

EU Justice Commissioner Viviane Reding says an overhaul of EU data protection rules could save as much as €2.3 billion in administrative costs. Reding has said a single set of data rules for the EU and a one-stop-shop for data protection will make Europe a more attractive place to do business. The proposed legislation will also provide better access to personal data, Reding and Irish Data Protection Commissioner Billy Hawkes wrote in a recent piece for the Irish Examiner. Ireland will play a key role in shaping the new rules, Reding says, as it is home to many firms handling personal data. [Bloomberg] See [Letter to European Parliament re: European Commission General Data Protection Regulation – US Consumer Organizations] and also: [Article 29 Data Protection Working Party – Opinion 07/2012 on the Level of Protection of Personal Data in the Principality of Monaco – Working Paper 198]

EU – EC Releases Cloud Strategy; ICO Releases Guidelines

The European Commission (EC) has released a new strategy for “unleashing the potential of cloud computing in Europe.” Among the “key actions” in the strategy are “Cutting through the jungle of technical standards so that cloud users get interoperability, data portability and reversibility,” EU-wide certification schemes and a European Cloud Partnership with member states. EC Vice President Viviane Reding said the strategy “will enhance trust in innovative computing solutions and boost a competitive digital single market where Europeans feel safe,” adding, “That means swift adoption of the new data protection framework…”

UK – ICO Issues ‘Viable and Realistic’ Cloud Computing Guide

The Information Commissioner’s Office (ICO) released, on 27 September 2012, a cloud computing guide, recommending, among other things, that cloud customers create a clear record about the categories of data they intend to move to the cloud and warning that using cloud services ‘may give rise to more personal data collected…for example, the usage statistics or transaction histories of users may be recorded’. [Source] Information Commissioner’s Office publishes guidelines on the responsible use of cloud computing. [Source] See also: [European Data Protection Supervisor – Formal Comments on DG MARKT’s Public Consultation on Procedures for Notifying and Acting on Illegal Content Hosted by Online Intermediaries]

UK – ICO Releases Google Data Protection Audit Report

The Information Commissioner’s Office (“ICO”) followed up on a consensual audit and found that the organisation remained at a level of “reasonable assurance”; areas where the organisation improved included introducing privacy as a key theme for internal audit reviews (privacy risk is actively considered in the scoping of audits), the use of Privacy Design Documents in user-facing products (these documents are granular to the different types of products, to ensure the relevant privacy issues are addressed by an appropriate working group), and advanced, mandatory training covering privacy (building on the experience gained through the Privacy Design Document process). The organisation still needs to do more regarding historical projects lacking a Privacy Design Document (a risk-based approach was adopted to roll out Privacy Design Documents, but procedures need to ensure that the right projects are being escalated for review). [Source]

EU – Irish Data Protection Commissioner Released Report of Facebook Re-Audit

A re-audit finds that a social networking website responded to recommendations in a satisfactory way, addressing third party applications (creating an App Centre that standardised the user experience with respect to privacy and creating an audience selector, allowing users to choose who can view their activity with respect to apps), tagging of photos (users have tools to pre-approve tags, un-tag photos, block users who are harassing them with unwanted tags, and remove the record of a deleted tag), privacy and data use policy (new users are met by a “welcome dashboard” that gives a tour of the greatest areas of privacy risk and are given a privacy prompt 30 days after joining, to provide information and choice once they have a working knowledge of the site), and retention (users can delete posts, friend requests, tags and messages on a per-item basis and social plug-in data is deleted for users after 60 days, and non-users within 10 days). Issues that remain on-going include compliance management (all significant changes to the use of personal data are to be approved in a manner set out by the board of directors that takes full account of European data protection requirements), third party apps (a tool to check whether apps’ privacy policy links are live still needs to become operational), cookies (the exact form of consent needed to comply with the cookie law is still being debated among industry and regulatory authorities), and advertising (although the site does not allow targeted advertising based on sensitive categories, advertisers can still use words and terms that are sensitive in nature to filter their ad campaigns). [Source] See also: [UK Information Commissioner’s Office – Submission to the Joint Committee – Pre-Legislative Scrutiny on the Draft Communications Data Bill] and [UK: BBC issues extraordinary apology after airing private conversation with the Queen]

EU – EDPS Calls for Harmonized “Illegal Content” Definition

European Data Protection Supervisor (EDPS) Peter Hustinx has said the European Commission (EC) should define the term “illegal content” in order to provide clarity on content host responsibilities for removal of such information. Comments by the EDPS come after an EC consultation on reforming rules governing the removal of illegal material posted online. Examples of what the EC considered illegal include content infringing on intellectual property rights, inciting hate, relating to terrorism or invading privacy. Hustinx said he “is of the view that there is a need for a more pan-European harmonized definition of the notion of illegal content for which notice-and-action procedures would be applicable.” [Out-Law.com]

Facts & Stats

US – 94 Million Exposed: The Government’s Epic Fail on Privacy

94 million is the number of Americans’ files in which personal information has been exposed, since 2009, to potential identity theft through data breaches at government agencies. This number — which was just revealed in the latest report from tech security firm Rapid7 — is only the most conservative estimate. When you take into account the difference between reported data breaches, which is what this report measures, and actual incidents, you are talking about a much, much bigger number. [Source]

Finance

WW – PCI SSC Issues App Best Practice Guidelines

The Payment Card Industry Security Standards Council (PCI SSC) has issued best practice guidelines for developers and manufacturers to provide direction in securing mobile device payment processes. The recommendations include isolating sensitive functions and data in trusted environments; using secure code best practices; minimizing third-party access; developing remote payment-disabling functions, and creating suspicious activity monitoring tools. The guidelines also look at ways to prevent the interception of account data in transit. “We have a brand new group of developers that aren’t aware of their responsibility,” said PCI SSC’s chief technology officer. “They are designing good code but don’t know all it’s being used for.” [SC Magazine] [Press Release]

FOI

CA – BC Not So Free With Information: Report

The British Columbia government responds to nearly a quarter of all requests under freedom-of-information laws by insisting it has no records to offer, according to statistics compiled by a group that argues the dramatic increase in such cases raises serious questions about public accountability. The BC Freedom of Information and Privacy Association filed a complaint this week with the province’s information and privacy commissioner, suggesting the trend is either a sign the province isn’t releasing all the information it could or, worse, a symptom of a government that avoids keeping records to skirt the law. The group compiled statistics, available on the provincial government’s website, that indicate the number of such cases has increased sharply in the past decade. In 2002-2003, there were no cases in which the government could not find any records to satisfy a request; today, that scenario accounts for 23% of all requests. [Source] See also: [City of Victoria seeks to limit requests for information] [Saskatchewan Gov’t will look into Workers Compensation Board concerns of Privacy Commissioner] and [NL: Privacy-breach penalties should be enforced, says commissioner] 

CA – DND Tightens the Screws on Release of Information

Members of the Canadian military have been told to tighten the screws and withhold information, even though it may not be sensitive or a threat to national security. The unusual directive, known as a CANFORGEN, was written last year by the country’s deputy top commander in response to a media story on financial uncertainty facing National Defence. The story was deemed to have contained “information that was not meant for wider or public consumption,” but the data had not been given the designation of either secret or protected. That prompted Vice-Admiral Bruce Donaldson, the vice-chief of defence staff, to instruct those handling information to give everything that passes over their desks – or is posted on the internal department system – a second glance with an eye to keeping it hidden. “Information that is not sensitive to the national interest, and therefore not classified, should also be examined to see if it is sensitive to other than the national interest, and therefore requires an appropriate designation of either Protected A, B, or C,” said the directive, obtained by The Canadian Press under the Access to Information Act. The directive goes beyond reviewing information to protect privacy. “Sensitivity to other than the national interest is not limited to information that is personally sensitive, but also includes, for example, information that is sensitive to the organization, administration, finances or other internal functioning of the department, its relationship to outside organizations, or other government business operations.” [Source]

CA – Commissioner Urges Public Institutions to Join Global Open Data Movement

Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, is calling on public institutions to take advantage of emerging technologies to make data available to the public, academics, researchers, and industry, for use in new and unanticipated ways. As long as personally identifiable information is protected from such disclosure, the open data movement bodes very well for introducing greater transparency to government institutions. The global movement towards Open Data makes vast amounts of machine-readable data freely available by way of portals, metadata, and search tools. It is one of the truest embodiments of Commissioner Cavoukian’s concept of Access by Design, by which public institutions proactively release information as part of an automatic process, fostering more transparency and accountability in government. [Source]

Genetics

US – Court to Examine Legality of Warrantless DNA Samples

The U.S. Supreme Court has decided to reexamine the constitutional privacy of an individual’s blood chemistry. In Missouri v. McNeely, the court will decide whether police can take a DNA sample from a criminal suspect without a judge’s approval, the report states. In Schmerber v. California in 1966, the court ruled that police could take a DNA sample without a warrant in an emergency case, such as drunk driving. In McNeely, the court will analyze that ruling after a police officer ordered a DNA sample from a drunk driving suspect, considering it an emergency as his blood-alcohol level would drop over time. [National Constitution Center] See also: [Do Patients Have A Right To Access Their Clinical Sequence Data? – Alison Hall, Senior Policy Adviser, PHG Foundation]

US – ACLU Asks Court to Stop DNA Collections on Felony Arrests

Through California’s DNA database of close to two million samples, more than 10,000 criminal suspects have been identified in the last five years. But the American Civil Liberties Union (ACLU) will argue to the Ninth U.S. Circuit Court of Appeals that the state’s genetic data collection efforts have become “unconstitutionally aggressive…at the expense of civil liberties,” the report states. California’s Proposition 69 allows police to take a DNA sample of every suspect arrested on felony charges. The ACLU says the practice “comes too early in the criminal justice process,” and samples should be taken only from those convicted. [The Washington Post]

Health / Medical

US – Medicare Bills Rise as Records Turn Electronic

“When the federal government began providing billions of dollars in incentives to push hospitals and physicians to use electronic medical and billing records, the goal was not only to improve efficiency and patient safety, but also to reduce health care costs. But, in reality, the move to electronic health records may be contributing to billions of dollars in higher costs for Medicare, private insurers and patients by making it easier for hospitals and physicians to bill more for their services, whether or not they provide additional care.” [New York Times]

Horror Stories

US – Breach Affects 100,000 IEEE Members

The user names and passwords of approximately 100,000 members of the Institute of Electrical and Electronics Engineers (IEEE) have been compromised in an apparent breach. The affected data was stored on an FTP server in unencrypted form. The IEEE has as many as 400,000 members worldwide, many of whom are security professionals. The incident was discovered by Romanian researcher Radu Dragusin. [Help Net Security] See also: [Health Agency Notifies 2,500 Clients of Breach]

CA – BC Health Ministry Fires Fifth Worker for Alleged Breach

A fifth employee of British Columbia’s Health Ministry has been fired over an alleged privacy breach. The worker had been one of three who had been suspended, but according to the report, the 30-year government employee in charge of data access, research and stewardship has now been released. BC Health Minister Margaret MacDiarmid has said the issues in the ongoing investigation relate to inappropriate conduct, data management and “contracting-out allegations,” the report states. “It’s been incredibly complex and it continues to be,” MacDiarmid added. [The Victoria Times Colonist] [NextGov] [Vancouver Sun] [Vancouver Sun] See also: [US: Former Howard University Hospital Employee Sentenced For Selling Personal Information About 40 Patients] and [Newfoundland’s Eastern Health says computer software will track privacy breaches]

US – Provider Settles HIPAA Case for $1.5 Million

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc., (MEEI) has agreed to settle with the U.S. Department of Health and Human Services (HHS) for $1.5 million for potential violations of the HIPAA Security Rule. The HHS Office for Civil Rights conducted an investigation after MEEI reported that an unencrypted personal laptop containing sensitive health data was stolen. The investigation found MEEI “failed to take necessary steps to comply with certain requirements of the Security Rule.” In addition to the fine, MEEI will now review, revise and maintain policies and procedures to comply with the rule and will undergo independent compliance assessments for three years. Meanwhile, Lahey Clinic Hospital has alerted patients of a breach. [Source] See also: [UK: Stolen Laptop Contained Children’s Data] and [Hospital Employee Sentenced to Six Months for Selling Data]

US – AvMed Ruling May Open the Door for Liability Cases

The recent AvMed data breach case may open the door for plaintiffs to prove they are victims of identity theft as a result of a data breach. The 11th U.S. Circuit Court of Appeals ruled earlier this month that plaintiffs in Curry v. AvMed sufficiently alleged liability against the health plan provider for the data breach affecting 1.2 million customers that led to identity theft and financial losses for some. “When a company doesn’t live up to the obligation that it’s supposed to…that person has a cause of action for that money he paid toward the protection of his personal information,” said the lawyer representing the plaintiffs. [SC Magazine]

US – Report: Most Breaches Due to Employee Error

Forrester Research has found that most data breaches are caused by events such as employees losing or misusing corporate assets or having them stolen. In the survey of more than 7,000 executives and employees in North America and Europe, 31% said theft or loss was the cause of data breaches, and 39% said data leaks on mobile devices are a concern. “Whether their actions are intentional or unintentional, insiders cause their fair share of breaches,” the report’s authors said, adding it’s not only a matter of appropriate tools and controls; only 56% of respondents said they were aware of their organization’s security policies. [COMPUTERWORLD]

Identity Issues

US – State Dept. Admits Passport Form Was Illegal, But Still Wants It Approved

“Early last year, the State Department proposed a new “Biographical Questionnaire” for passport applicants, which would have required anyone selected to receive the new long-form DS-5513 to answer bizarre and intrusive personal trivia questions about everything from whether you were circumcised (and if so, with what accompanying religious rituals) to the dates of all of your mother’s pre- and post-natal medical appointments, your parents’ addresses one year before you were born, every address at which you have ever resided, and your lifetime employment history including the names and phone numbers of each of your supervisors at every job you have ever held.” [Papers Please]

US – Court Rules in Favor of Plaintiffs’ ID Theft Case

The 11th Circuit Court has ruled in a 2-1 opinion that the plaintiffs in a class-action lawsuit sufficiently alleged liability against a health plan provider for a data breach involving identity theft. Two laptops containing unencrypted sensitive information—including Social Security numbers—on 1.2 million AvMed customers were stolen in 2009. In Curry v. AvMed, Inc., the plaintiffs said they carefully avoided sharing their sensitive information digitally but still became victims of identity theft and suffered financial losses. The ruling “gives crucial guidance to plaintiffs seeking damages for identity theft caused by a data breach and to defendants seeking to defend against such claims,” the report states. [Information Law Group] See Curry v. AvMed, Inc., No. 11-13694, 2012 WL 3833035, — F.3d —- (11th Cir. Sep. 5, 2012).

Intellectual Property

EU – French Government Levies First Piracy Fine

The French government has imposed its first fine under the country’s new anti-piracy law. Alain Prevost was fined 150 euros (US $197) for downloading two songs, even though his wife has admitted that she was the person who had downloaded the files. The fine was levied against Prevost because he paid for the Internet connection over which the songs were downloaded. After receiving two warnings about the downloaded songs from Hadopi, the agency that seeks out Internet copyright violators, Prevost terminated his ISP account. He and his wife are divorcing, and he had written to Hadopi, telling them to contact her about the downloaded songs. Their replies were sent to an email address that he no longer had access to. [BBC] See also: [Dutch Court Says Links to Photos Constitute Copyright Violation | Source]

Internet / WWW

WW – Project Founder: Data Subjects Should Take Some Profit

The founder of a large-scale data project says individuals should receive a portion of the profits companies generate by capturing their personal data. The Human Face of Big Data aims to create a digital snapshot of the human race, the report states, by using a smartphone app to ask 10 million people for personal details about their lives. “Big Data is a new asset class, and yet the ones creating it seem to have no say in the process,” founder Rick Smolan said. “Why is it everyone is making money off our browser history except us?” [The Sydney Morning Herald]

US – CSA Launches Big Data Working Group

The Cloud Security Alliance (CSA) has initiated a Big Data Working Group to develop best practices for privacy and security solutions, particularly in government, healthcare and e-commerce sectors. The CSA’s charter document notes “traditional security mechanisms, which are tailored to securing small-scale static—as opposed to streaming—data are inadequate” for Big Data. In addition to developing Big Data security and privacy best practices, the group aims to help industry and government adopt best practices; create coordination efforts between organizations to develop standards; speed up efforts to research privacy and security solutions, and draft research proposals for joint government and industry funding, the report states. [Integration Developer News]

WW – Tech Companies Form Lobbying Group Aimed at Protecting Internet Freedom

Several big technology companies have joined forces to form a lobbying group to protect Internet freedom. The Internet Association was founded in large part to counteract efforts by the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) to influence legislation; both the RIAA and the MPAA lobbied hard for the Stop Online Piracy Act (SOPA), an effort that was ultimately unsuccessful. The Internet Association counts Amazon, Google, and Facebook among its members. [WIRED]

WW – Last of the IPv4 Addresses to be Allocated in Europe

RIPE, the organization that gives out IP addresses in Europe, is down to its last batch of IPv4 addresses. Companies may only make one more request for these addresses, and if the request is granted, they will receive 1,024 IPv4 addresses. All applications must describe how the organization is implementing the new IPv6 address scheme. Until this final batch, RIPE was giving out about four million IPv4 addresses every 10 days. [v3] [RIPE.net] [BBC] [InfoWorld] See also: [Majority of US Government Agencies Will Not Meet IPv6 Deadline | Source]

Law Enforcement

CA – Police Checks Routinely Violate Privacy, Report Says

A new report by the Canadian Civil Liberties Association says many Canadians, especially in Alberta, are having their privacy rights violated because police are releasing non-criminal information in routine police checks. “The status quo is unacceptable,” the report concludes. “There is an urgent need for greater fairness and clarity in the police background check process.” In the past decade, more and more organizations across Canada are requiring police checks before hiring employees or accepting volunteers. In Alberta alone, the report estimates that police run about 160,000 background checks every year. The information released contained not only information about convictions, but also about charges or contact with police which were either withdrawn or did not involve criminal activity. This includes cases involving mental health issues or where individuals were merely contacted as witnesses to crimes. “Disclosing this kind of sensitive information may undermine the presumption of innocence,” the report says. “Employers who receive negative record checks may not fully understand the distinctions between different types of police information, creating significant risk that non-conviction records will be misconstrued as a clear indication of criminal conduct.” The 50-page report calls for standards that would prohibit the release of information other than convictions, except in rare circumstances. It also says non-conviction records should be reviewed regularly and destroyed where warranted. It also says individuals should have a right to be notified on the information in their file and be able to appeal it before an independent adjudicator. While there are laws governing the release of certain information, such as under the Privacy Act and the Youth Criminal Justice Act, the report says there are no set standards for what police services can or can’t collect and release in police checks. 
It calls the situation across Canada “a patchwork” of policies that may violate Canada’s Charter of Rights and Freedoms. The report says the problem is particularly acute in Alberta, where it says too much discretion is left to individuals in police services as to what information can and should be retained and released. The report points to Ontario as an example of good practices. There, the province’s Privacy Commissioner issued an Order regarding the handling of information collected by police. [Source] [Press Release] [Report: Presumption of Guilt? The Disclosure of Non-Conviction Records in Police Background Checks]

Mobile Privacy

US – Proposed Privacy Act Makes Mobile Tracking Harder

US lawmakers have introduced a new bill that will make it tougher for companies or anyone else to track mobile users without consent. The Mobile Device Privacy Act simply makes it illegal for companies to monitor device users without their express consent. The bill was introduced by Rep. Edward Markey (D-Mass.), who is co-chair of the Bi-Partisan Congressional Privacy Caucus. The legislation is a result of concern over last year’s Carrier IQ controversy, which centered on a piece of software that wireless operators installed on smartphones in order to help track network congestion and end-user quality problems, with an eye to improving service. The software, which Sprint and others quickly disabled after the flak started, was meant to be a diagnostic tool but has the capability to be used for ill: Android developer Trevor Eckhart posted a video showing how the software logs text messages, web searches and other activities without the mobile user’s knowledge or permission – promptly setting off big privacy alarm bells. “Consumers should know and have the choice to say no to software on their mobile devices that is transmitting their personal and sensitive information,” Markey said. “This legislation will provide greater transparency into the transmission of consumers’ personal information and empower consumers to say no to such transmission.” The law requires anyone performing data collection, even with consumers’ opt-in permission, to inform the US FTC and the FCC of their tracking activities. The agencies would be given enforcement power as well. Also, the legislation would require that any tracking software contained on the device at purchase or included in software updates be disclosed upfront, giving consumers the right to refuse tracking. This disclosure must include what types of information are collected, who it is transmitted to and how it will be used. [Source]

WW – Funding Among Reasons for App Security Breaches

A recent survey has found that the majority of companies questioned experienced at least one web application security incident since last year. In the Forrester study, which questioned 240 North American and EU companies, 18% reported a breach had cost their organization $500,000 or more and indicated the incident had a negative impact on their brand. Among the reasons for the security failures were an inability to secure additional funding for technology and processes, a lack of tools for application security and pressure to quickly deliver new products and services. SQL injection was the leading cause of breaches at organizations that had experienced five to 10 incidents since 2011. [Network World] See also: [Over half of Android devices have unpatched vulnerabilities, report says] and [McAfee: New malware is proliferating]

WW – PCI Council Issues Best Practice Guidance for Mobile Apps

The Payment Card Industry Security Standards Council (PCI SSC) has released best practice guidance for mobile app developers and device manufacturers. It said that the main focus of the guidelines is to provide direction on securing mobile device payment processes and the payment environment itself by educating developers in the emerging mobile app market. Key recommendations of the report include isolating sensitive functions and data in trusted environments, implementing secure coding best practices and eliminating unnecessary third-party access and privilege escalation. Developing ways to remotely disable payment functions, in addition to creating tools for mobile apps to monitor and report suspicious activity were also among the recommendations. The guidelines focus on ways to prevent account data from being intercepted while sent or received on mobile devices or from being compromised while being processed or stored on them. [Source] [Press Release] [Guidance: PCI Mobile Payment Acceptance Security Guidelines]

Offshore

UK – ICO Issues Outsourcing Guide for Small and Medium-Sized Businesses

Summary: Where a data processor is used to process data on the data controller’s behalf, the data controller must ensure that suitable security arrangements are in place to comply with the seventh data protection principle (the processor must provide sufficient guarantees in respect of the technical and organisational security measures, and the controller must take reasonable steps to ensure compliance with those measures); if the data processor is located outside the EEA, they must comply with the eighth data protection principle (organisations that transfer personal data to a data processor in a third country will remain subject to the ICO’s powers of enforcement, and continue to be responsible for protecting the data subjects in relation to the overseas processing of their personal data by the data processor). Model contract clauses offer adequate safeguards for the protection of the rights and freedoms for international transfers of data (the clauses are in a standard form which may not be amended, however they may be incorporated in their entirety into a data processing service agreement with an overseas data processor). Before using a non-EEA based data processor, an organisation should consider whether there is any particular legislation in place in the country or territory where the chosen processor is located which might adversely affect the rights of the data subjects whose data is to be transferred. [Source]

Online Privacy

CA – Commissioner: Websites Inappropriately Sharing Users’ Personal Information

A report by Canada’s Office of the Privacy Commissioner says some leading Canadian websites are inappropriately sharing users’ personal information with third parties. Privacy Commissioner Jennifer Stoddart investigated 25 shopping, travel and media sites and found information—including names, e-mail addresses and postal codes—was being collected without consent. Stoddart has written to 11 of the sites, seeking explanations on how changes will be made to comply with Canadian privacy law, the report states. “Our research serves as a wake-up call to all online services to ensure they are complying with Canadian law—and respecting the privacy rights of people who use their sites,” Stoddart said. [Canadian Press] See also: [Experts call for Privacy Commissioner to reveal data leaking Web sites]

US – FTC Supports W3C’s Do-Not-Track Guidelines

The Federal Trade Commission (FTC) says it supports the World Wide Web Consortium’s (W3C) efforts to develop voluntary guidelines for a do-not-track system. “The commission has repeatedly and forcefully called for industry—not government—to implement a do-not-track mechanism that would allow consumers to decide whether to have their online activity…collected,” said FTC Chairman Jon Leibowitz in a letter to Congress. Leibowitz was responding to an inquiry by nine Republican lawmakers on whether the FTC was “empowered to work with an international organization like the W3C,” the report states. Meanwhile, a Georgia man is currently working on an online registry with features similar to the W3C’s do-not-track. [MediaPost] [Do-Not-Track Talks Reach a Stalemate]

US – Policy Limits Hotmail Passwords to 16 Characters

It has recently been revealed that, unbeknownst to most Hotmail users, their account passwords have been limited to 16 characters, regardless of whether or not they have chosen longer passwords. A security researcher recently received an error message when he typed in his 30-character Hotmail password; he had never before received the message, and was able to access his account by entering just the first 16 characters of the password. Kaspersky Lab’s Costin Raiu wrote that “To pull off this trick with older passwords, Microsoft has two choices: Store full plaintext passwords in their [database and] compare the first 16 [characters] only, or calculate the hash only on the first 16 [and] ignore the rest.” A Microsoft representative has acknowledged that “16 characters has been the limit for years now,” and noted that “uniqueness is more important than length.” [Source] See also: [Mobile PCI Standards Released]
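The second option Raiu describes, hashing only the first 16 characters, is sketched below next to a verifier that rejects over-length input instead of truncating it, with a check an operator can run against their own enroll/verify pair to find the effective password length. This is an added example, not code from the article or from Microsoft; the function names, PBKDF2 parameters, 128-character cap and probe password are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

MAX_LEN = 16          # limit reported in the article
ITERATIONS = 20_000   # assumption: kept low so the demo runs quickly


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over the given string (hypothetical scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# --- Truncating scheme: everything after character 16 is silently ignored ---
def enroll_truncating(password: str):
    salt = os.urandom(16)
    return salt, _derive(password[:MAX_LEN], salt)


def verify_truncating(password: str, record) -> bool:
    salt, stored = record
    return hmac.compare_digest(_derive(password[:MAX_LEN], salt), stored)


# --- Strict scheme: hash the full input, refuse input over a stated cap ---
class PasswordTooLong(ValueError):
    pass


def enroll_strict(password: str, max_len: int = 128):
    if len(password) > max_len:
        # Tell the user at enrollment time instead of discarding characters.
        raise PasswordTooLong(f"password exceeds {max_len} characters")
    salt = os.urandom(16)
    return salt, _derive(password, salt)


def verify_strict(password: str, record) -> bool:
    salt, stored = record
    return hmac.compare_digest(_derive(password, salt), stored)


def effective_length(enroll, verify, probe_len: int = 30):
    """Return the shortest prefix length that still verifies, or None.

    Enrolls a constructed probe password, then tries every proper prefix.
    A non-None result means the scheme ignores trailing characters.
    """
    probe = "".join(chr(ord("a") + i % 26) for i in range(probe_len))  # constructed
    record = enroll(probe)
    if not verify(probe, record):
        raise RuntimeError("scheme does not accept the password it enrolled")
    for n in range(1, probe_len):
        if verify(probe[:n], record):
            return n
    return None


if __name__ == "__main__":
    print("truncating scheme:", effective_length(enroll_truncating, verify_truncating))
    print("strict scheme:    ", effective_length(enroll_strict, verify_strict))
```

Running the same probe as a regression test against a staging copy of an authentication service catches silent truncation introduced by a form field limit, a database column width or a legacy hashing routine.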

US – Twitter Gives Court Protester’s Posts

After months of fighting a subpoena, Twitter has given a U.S. judge the online posts of Occupy Wall Street protester Malcolm Harris. The tweets, which were handed over to Manhattan Criminal Court Judge Matthew Sciarrino, will remain under seal while a request for a stay by Harris is heard in a higher court, the report states. The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union have filed an amicus brief supporting Twitter’s appeal. EFF’s Marcia Hofmann called it a “canary-in-a-coal-mine case,” adding “companies will look at this case and say it’s not a good idea to push back against governments we think are overreaching.” [Reuters] [Ars Technica] [CNET] [WIRED]

US – Google Adds Support for ‘Do Not Track’ Within Chrome

The development team behind Google Chrome has added the ‘Do Not Track’ privacy setting in the most recent Canary version of the Web browser. The privacy option will be available to all Chrome users before the end of the year after passing through the development and beta phases. While Google did agree to launch support for the ‘Do Not Track’ initiative earlier this year, the Chrome development team has been extremely slow in adding the feature to the browser. By contrast, Mozilla added support for the feature in Firefox during early 2011 and Apple added the ‘Do Not Track’ privacy setting to Safari 6. In addition, Microsoft took the feature a step further and enabled the ‘Do Not Track’ function within Internet Explorer 10 without requiring the user to turn it on. [Source] [Source] [Source] [Source]

WW – Wikipedia Releases Search Data to Public But Pulls It After Privacy Concerns

Wikipedia announced that it had decided to give away its search data to the public for free. Shortly after the announcement, it said it had “temporarily taken down this data to make additional improvements to the anonymization protocol related to the search queries.” [Source]

US – Confusion Over Facebook Wall Posts Leads to Privacy Scare

Facebook representatives have said recent reports that private messages were appearing on users’ timelines were false. According to Facebook, “A number of users raised concerns after what they mistakenly believed to be private messages appeared on their Timeline,” adding that an investigation revealed “that the messages were older wall posts that had always been visible on the users’ profile pages.” In response, France’s data protection authority—the CNIL—has been asked to investigate the issue. Meanwhile, the Electronic Privacy Information Center plans to ask the Federal Trade Commission to investigate the new Facebook-Datalogix deal and whether it contravenes a recent settlement. [The Wall Street Journal]

Other Jurisdictions

AU – Parliamentary Report Recommends Privacy Amendment Bill

A tabled parliamentary report recommends the House of Representatives pass the Privacy Amendment Bill 2012. The bill would clarify the role and strengthen the powers of the privacy commissioner, address credit reporting arrangements and protect personal information. According to a statement, “The committee has examined the bill to ensure that an appropriate balance between privacy protection and the convenient flow of data has been achieved.” Attorney-General Nicola Roxon said, “Both consumers and governments have a role to play to protect privacy,” adding, “In introducing these changes, the Gillard government is doing its bit to protect the privacy of Australian families.” [COMPUTERWORLD]

AU – Parliamentary Committee Endorses Fines for Breaches

A parliamentary committee has recommended passing a bill that would allow for fines of up to $1.1 million for severe or repeated privacy breaches. The suggested penalties were contained in a report tabled in the Lower House. A Senate committee is examining the bill as well and will report to Parliament this month. The bill responds to the Australian Law Reform Commission’s 2008 report, which aims to update privacy laws given technological advances. Privacy Commissioner Timothy Pilgrim says the fines would incentivize better data protection. Should the bill become law, the committee advises that the attorney general should conduct a review 12 months after implementation. [The Australian]

AU – Coalition Seeks ‘Softer’ Privacy Law

A spokesman for shadow attorney-general George Brandis said that Liberal senators would recommend softening parts of the bill around company liability for privacy breaches following a strong backlash from the industry, particularly the internet sector. If passed in their current form, the new laws would give the Federal Privacy Commissioner the ability to seek court ordered fines against companies and large organisations of up to $1.1m in cases of severe or repeated privacy breaches. Senator Brandis’s spokesman said the coalition would recommend changes to the laws that would limit company liability in cases where they can demonstrate that they’ve taken “all reasonable precautions” to prevent privacy breaches. The recommendations were only one of about half a dozen that the senators were expected to include in a parliamentary report expected to be tabled in the upper house yesterday following a short delay last week. The senators are also expected to make recommendations to make it easier for social networking companies to share information about their members with third parties and for all companies to transfer data about Australian customers. Federal Privacy Commissioner Timothy Pilgrim declined to comment for this report. [Source] SEE ALSO: [Office of the Australian Information Commissioner – Submission to the Parliamentary Joint Committee on Intelligence and Security on the Inquiry Into Potential Reforms of National Security Legislation] and [Australian Security Intelligence Organisation – Submission to the Parliamentary Joint Committee on Intelligence and Security on the Inquiry Into Potential Reforms of National Security Legislation] [Baker & McKenzie Review]

NZ – Commissioner Seeks Data Broker Enforcement Powers

New Zealand’s privacy commissioner is seeking additional powers to monitor companies that collect and sell personal data. Assistant Privacy Commissioner Blair Stewart has said the current version of the Privacy Act clears the way for enforcement only after a complaint is filed, but many citizens do not know of the existence of data brokers. The privacy commissioner has supported a Law Commission recommendation to update the law, giving the commissioner powers to serve compliance notices on organizations. Stewart said, “People don’t tend to complain about certain practices, if the sort of practices go on in the background and they can’t see what’s happening.” [Otago Daily Times] See also: [NZ Prime Minister Requests Inquiry Into Allegations of Unlawful Interception of Communications in Megaupload Case] and [Office of the Privacy Commissioner, New Zealand – Proposed Amendment No 7 to Credit Reporting Privacy Code 2004 – Information Paper] and [EU: Commission to decide on New Zealand’s adequacy in October]

Privacy (US)

US – Supreme Court to Hear Driver’s License Case

The U.S. Supreme Court will hear a case involving whether lawyers can legally obtain personal data gleaned from driver’s license records to recruit individuals for lawsuits. The appeal comes from three South Carolina residents who were solicited by lawyers to join a lawsuit against car dealers, the report states. The justices will determine whether the lawyers’ actions contravened federal privacy law pertaining to the protection of driver’s license records. The federal law does have a lawsuit exception. [Associated Press]

US – Apple Shareholders File Proposal on Privacy and Data Security

Investors in Apple Inc. have filed a shareholder proposal asking the company to publish a report explaining how its Board of Directors is overseeing privacy and data security risks. The proposal, which is intended for consideration by Apple shareholders at the company’s 2013 annual meeting, states that “Unauthorized collection, disclosure, or misuse of personal information can cause great harm to individuals and society – including discrimination, identity theft, financial loss, loss of business or employment opportunities, humiliation, reputational damage, questionable government surveillance or physical harm.” The shareholders assert that “Apple’s Board has a fiduciary and social responsibility to protect company assets which include the personal information of a variety of stakeholders.” In seeking a report, the shareholders state that “investors need to understand more fully how the Board is overseeing” concerns about privacy and data security. The shareholder proposal at Apple was developed in consultation with the Open Media and Information Companies Initiative – or Open MIC – a non-profit organization that works with shareholders and companies to foster more open and responsible media policies and practices. A copy of the Apple proposal is available here. [Source]

US – Exploring Privacy’s Top Thinkers and Practitioners

At the annual Privacy Law Scholars Conference held earlier this year, information privacy law scholars and other top thinkers met with practitioners from industry, advocacy and government to hash out privacy’s toughest and most pressing challenges. Law scholar Daniel Solove discusses the strong conduit that is forming between privacy scholarship and practice, and in three such examples, papers delving into Big Data, hiring discrimination in a Web 2.0 world and operationalizing Privacy by Design are explored. [IAPP Privacy Advisor]

US – Groups Ask FTC to Investigate Facebook Tracking Partnership

Facebook’s in-store tracking partnership with Datalogix aims to show advertisers whether their ads lead to sales. Facebook says the data collection doesn’t violate any FTC regulations because of an opt-out link on Datalogix’s website. The Electronic Privacy Information Center and the Center for Digital Democracy have asked the FTC to look into the partnership. Ryan Calo of the Center for Internet and Society says the opt-out link’s location isn’t best practices, and it’s unlikely that Facebook consulted the FTC before unveiling the initiative. “That opt-out option isn’t easy to find nor is it on the Facebook website,” he said. [The Atlantic Wire] [US – Facebook Now Knows What You’re Buying at Drug Stores]

US – Appeals Court Approves Facebook Beacon Settlement

In a split decision, a US federal appeals court has approved a US $9.5 million settlement in a class action lawsuit brought against Facebook over its Beacon program, which kept track of and posted information about what users purchased from Blockbuster, Overstock, and other sites. The lawsuit alleged that Beacon violated federal wiretap and video rental privacy laws. Under the terms of the settlement, Facebook admits to no wrongdoing, but does agree to put money in a so-called digital trust fund, which would provide grants to organizations studying online privacy issues. Some of those being represented by the lawsuit maintained that the award was too small and that Facebook should not have a seat on the board of the digital trust fund. In a separate case involving Facebook’s “Sponsored Stories” feature, a US District Court judge in San Francisco rejected a settlement that would have had Facebook pay US $10 million to charity and US $10 million to cover attorneys’ costs. He is the judge who approved the Beacon settlement. [Source] OTHER NEWS: [Privacy Advisor: FTC ramping up data privacy enforcement actions] and [FTC – In the Matter of Apogee One Enterprises – Complaint and Stipulated Final Judgement and Order] and [FCC – Enforcement Advisory – Political Campaigns And Promoters Are Reminded Of Restrictions On Autodialed and Prerecorded Calls]

Security

US – Report: Mobile Device Theft Tops Risk List

A new report has revealed that the top healthcare privacy risk is the theft of mobile devices. Of the reported breach cases, 52% involved the theft of portable devices such as laptops, smartphones and tablets. Kaufman Rossin Director of Information Security and Compliance Jorge Rey—a co-author of the report—said there was a drop in reported breaches, indicating more organizations are complying with HIPAA, but the rise in mobile device theft “was concerning because physical security is usually your easiest area of risk to address.” [American Medical News] SEE ALSO: Analysis of Apple’s disk encryption program, FileVault 2, that first appeared in the Lion operating system. Short summary: they couldn’t break it. [Source]

UK – Body Scanners Removed by Manchester Airport

A UK airport is scrapping passenger body scanners after a three-year trial period ended without a decision from the European Commission. The airport will replace the body scanners with “privacy friendly” scanners. Manchester Airport Group Chief Operating Officer Andrew Harrison expressed frustration “that Brussels has allowed this successful trial to end,” adding, “Our security surveys and those run by the Department for Transport show passengers regularly rate their experience at Manchester as one of the best security processes in the UK, if not Europe. There’s no doubt that body scanners play a big part in these results.” [BBC News]

US – NIST Issues Risk Assessments Guidance

The National Institute of Standards and Technology has issued what could be characterized as the bible of risk assessment. Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, provides direction for conducting risk assessments and amplifies the guidance found in SP 800-39: Managing Information Security Risk. Though SP 800-30 was written for federal information systems and organizations, its lessons can be applied to other organizations in and out of government. The new guidance document, issued Sept. 18, provides direction for carrying out each of the steps in the risk assessment process, such as preparing for the assessment, conducting the assessment, communicating the results of the assessment and maintaining the assessment. It also shows how risk assessments and other organizational risk management processes complement each other. [Source] [Full announcement on the CSRC News/Announcement page] [NIST Public Business Affairs Office media release] [SP 800-30 Revision 1] [CSRC Special Publications] [Draft Special Publication 800-88 Revision 1, Guidelines for Media Sanitization is available for public comment]

AU – Privacy Commissioner: Citizens Concerned About Smart Meter Data

Australian Privacy Commissioner Timothy Pilgrim has said smart meter technology could threaten people’s privacy. “We are starting to see people voicing concern about the level of data that these meters can collect,” Pilgrim said. Customers with smart meters must consent to having their data shared with various third parties, the report states. Pilgrim said companies have an obligation to delete or de-identify personal information that is no longer necessary. An Origin Energy spokesman said its online energy-usage portal is fully compliant with Australian privacy legislation and that the company keeps personal data for tax and compliance purposes. [The Age]

US – Meeting Scheduled to Establish Voluntary Smart Grid Code of Conduct

In response to workshops on smart grid privacy, a task force will develop a voluntary code of conduct for utilities and third parties providing consumer energy use services. The White House released “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation for the Global Digital Economy,” in February. The blueprint contains an outline for a multi-stakeholder process to develop a voluntary code in order to promote consumer confidence. As such, an initial multi-stakeholder meeting will take place December 6 in Washington, DC, and aims to develop the process and a timeline as well as to establish priorities. [Smartgrid.gov]

WW – Risk Report Finds “Sharp Increase” in Browser Exploits

Results of the IBM X-Force 2012 Mid-Year Trend and Risk Report suggest “the landscape has seen a sharp increase in browser-related exploits…along with renewed concerns around social media password security and continued disparity in mobile devices and corporate bring-your-own-device (BYOD) programs.” The report notes an upward trend in vulnerabilities. “We’ve seen an increase in the number of sophisticated and targeted attacks,” said IBM’s Clinton McFadden, adding, “As long as these targets remain lucrative, the attacks will keep coming and in response, organizations should take proactive approaches to better protect their enterprises and data.” [InfoSecurity]

Surveillance

US – Rent-to-Own Laptops Secretly Photographed Users Having Sex, FTC Says

Seven rent-to-own companies and a software maker are settling charges with the FTC alleging they spied on consumers using rented computers. Without consumers’ knowledge or consent, the companies captured screenshots of confidential and personal information, logged keystrokes and in some cases took webcam pictures. The proposed settlement bans the companies from using monitoring software and from using deceptive methods to gather information about consumers. It also forbids the companies from using geolocation tracking without consumer notice and consent and from “providing others with the means to commit illegal acts,” among other provisions. [WIRED] [Settlement] [Commentary: Web Cam Spying Settlement Indicates Need for Stronger Privacy Laws] [FTC Wrist Slaps PC Rental Firms For Spying]

US – Report Indicates “Massive Spike” in Tracking

Documents indicate a jump in law enforcement’s “real-time surveillance targeting social networks and e-mail providers 80% from 2010 to 2011.” The documents, obtained through a Freedom of Information Act suit by the American Civil Liberties Union (ACLU), also indicate “a massive spike in ‘non-content’ surveillance by federal law enforcement over the last two years, jumping 60 percent from 23,535 cases in 2009 to 37,616 in 2011.” The report suggests “police are using a 1986 law intended to tell police what phone numbers were dialed for far more invasive surveillance: monitoring of whom specific social network users communicate with, what Internet addresses they’re connecting from” and other interactions. [Source]

US – Survey: More Than a Third of Public Fears Police Use of Drones

More than a third of Americans worry their privacy will suffer if drones like those used to spy on U.S. enemies overseas become the latest police tool for tracking suspected criminals at home, according to an Associated Press-National Constitution Center poll. Congress has directed the Federal Aviation Administration to come up with safety regulations that will clear the way for routine domestic use of unmanned aircraft within the next three years. The government is under pressure from a wide range of interests to open U.S. skies to drones. But privacy advocates caution that drones equipped with powerful cameras, including the latest infrared cameras that can “see” through walls, listening devices and other information-gathering technology raise the specter of a surveillance society in which the activities of ordinary citizens are monitored and recorded by the authorities. Nearly half the public, 44%, supports allowing police forces inside the U.S. to use drones to assist police work, but a significant minority – 36% – say they “strongly oppose” or “somewhat oppose” police use of drones, according to a survey last month. When asked if they were concerned that police departments’ use of drones for surveillance might cause them to lose privacy, 35% of respondents said they were “extremely concerned” or “very concerned.” An almost identical share, 36%, said they were “not too concerned” or “not concerned at all.” [Associated Press]

US – GAO Report on Drones Cites Growing Privacy Concerns

A Government Accountability Office (GAO) report has said there are growing concerns about privacy and civil liberties as unmanned aircraft systems (UAS) are introduced to the public airspace. The GAO reported, “Concerns include the potential for increased amounts of government surveillance using technologies placed on UAS, the collection and use of such data and potential violations of constitutional Fourth Amendment protections against unreasonable search and seizure.” The GAO report also revealed that no federal agency “has been statutorily designated with specific responsibility to regulate privacy matters relating to UAS for the entire federal government.” [Security Management]

Telecom / TV

US – Tech Companies Form Alliance To Lobby Washington

Major Internet companies have formed a lobbying group to address regulatory and political issues in Washington, DC. Google, Yahoo, LinkedIn, Amazon, eBay and Facebook are among those comprising The Internet Association. The group will lobby on privacy and cybersecurity issues, among others. The group’s president said it’s the Internet’s “decentralized and open model that has unleashed unprecedented entrepreneurialism. Policymakers must understand that the preservation of that freedom is essential to the vitality of the Internet itself and the resulting economic prosperity.” [Reuters] SEE ALSO: [Commission nationale de l’informatique et des libertés, France – Connected TV: What Challenges for the Protection of Privacy?]

US Government Programs

US – New York to Expand Access to DMV Information by Law Enforcement Agencies

Governor Andrew M. Cuomo has announced a new data sharing initiative that will give law enforcement agencies greater and instantaneous access to information housed by the Department of Motor Vehicles (DMV) through a secure internet portal. This information includes photos of all 16 million New York State drivers and non-drivers, vehicle registrations, drivers’ lifetime driving histories, as well as real-time notifications of traffic violations and other changes to a driver’s record. [Source]

US – White House Draft of Executive Order on Cybersecurity “Close to Completion”

US Department of Homeland Security (DHS) Secretary Janet Napolitano says that the White House’s executive order on cybersecurity is “close to completion,” but added that to ensure the safety of US networks, lawmakers will have to pass cybersecurity legislation as well. There are issues that an executive order cannot address: it cannot provide liability protection as incentives for employing cybersecurity measures and it cannot change penalties for cybercrimes. The president has not yet reviewed the draft document. [NextGov] See also: [Senator Sends Letters to Fortune 500 CEOs Asking About Cybersecurity Efforts] and [State Dept. Legal Adviser Says Cyberattacks Subject to Int’l Laws of War] and [FERC Establishes Cybersecurity Office]

US Legislation

US – Groups Disagree on Proposed COPPA Changes

Privacy advocates are urging the Federal Trade Commission (FTC) to discard a proposal by the Walt Disney Company that would change how organizations meet COPPA obligations. The company wants the FTC to alter its definition of websites “directed at children” and has proposed a “family-friendly” classification. The Center for Digital Democracy has said “children’s privacy would receive much less protection as a result” of the changes. Meanwhile, in its comments to the FTC, the Interactive Advertising Bureau has said new behavioral advertising limits “would restrict children’s access to online resources by undermining the prevailing business model.” [NationalJournal]

US – Senator Introduces Bill Requiring Warrant for E-Mail History

More than 25 years after the passage of the Electronic Communications Privacy Act (ECPA), Sen. Patrick Leahy is hoping to get the out-of-date privacy law up to speed by introducing a new bill in the Senate Judiciary Committee. The key component of this new bill is that law enforcement officials would no longer be able to freely read people’s personal e-mail and online communication — they’d need a warrant first. As the law now stands, police are allowed to get an individual’s private correspondence by simply asking e-mail providers for the person’s message history. [Source] See also: [US: Judge preserves privacy of climate scientist’s e-mails]

US – Bill Would Require Police to Obtain Warrants for E-mail, Location Data

A new bill would require police to acquire warrants before accessing U.S. citizens’ e-mail or tracking their cell phones. Introduced by Rep. Zoe Lofgren (D-CA), the bill would require a search warrant for law enforcement access to cloud data or location information, the report states. The bill is backed by Digital Due Process, which comprises companies including Amazon.com, Apple, Google, Twitter and Microsoft. It’s anticipated that the U.S. Justice Department will combat the effort; it has previously warned that such protocols would hinder “the government’s ability to obtain important information in investigations of serious crimes,” the report states. [CNET News]

US – CA Signs Two Social Media Privacy Bills Into Law

California Gov. Jerry Brown has signed two social media privacy bills, making it illegal for businesses and universities to ask for access to people’s social media and e-mail accounts. Brown said, “The Golden State is pioneering the social media revolution, and these laws will protect all Californians from unwarranted invasions of their personal social media accounts.” Assembly Bill 1844 prevents employers from requiring user names or passwords from employees or job applicants, and Senate Bill 1349 prevents public and private universities from requiring students to disclose their user names and passwords. [Mercury News]

US – Senate Panel Delays Privacy Law Rehash

The Senate Judiciary Committee will likely wait until after the presidential elections to overhaul the Video Privacy Protection Act and the Electronic Communications Privacy Act (ECPA). Judiciary Chairman Patrick Leahy (D-VT) said panel members told him “they want further discussion” of the reforms. Earlier this week, several law enforcement groups wrote the committee saying, “Any effort to revise ECPA should involve detailed and careful consideration of the consequences of proposed changes on the ability of law enforcement investigators to conduct their work efficiently and effectively on behalf of American citizens.” [NationalJournal] SEE ALSO: [Connecticut’s new data-breach hotline goes live Oct. 1] and [New Jersey Senate, No. 1898 – An Act Prohibiting a Requirement to Provide Information to Access an Account on a Social Networking Website by an Employee – State of New Jersey 215th Legislature] and [Departing CA Senator Simitian Hopes Others Pick Up the Privacy Torch]

Workplace Privacy

US – Managing Risks in Implementing Bring Your Own Device Programs

Companies must deal with the following issues in the context of implementing a corporate bring your own device (“BYOD”) strategy – hardware and software standards (determine what technical minimum requirements a device must meet in order to be released for productive use in the company’s IT-system environment), rights on ownership and licenses (in order to put the device into productive use, it is very likely that the company must dispose of all rights needed to use the device with the existing IT-system environment), access and control rights (for the purpose of having legal certainty, the company must establish clear rules to determine under what circumstances it may access the employees’ devices or monitor their use), transfer rights (the fact that company data resides on the device impacts the employees’ ability to transfer the device to third parties, e.g., in case of maintenance or repair), and data protection compliance (there must be a comprehensive data protection concept in place which spans reasonable technical and organizational measures to protect confidentiality of the data, and provides adequate notification of the individuals whose data are processed). [Source: Matthias Scholz, Baker and McKenzie]

EU – EU Proposal Would Complicate Workplace Evidence Gathering

If the EU adopts its new data protection proposal, companies could have a difficult time conducting internal investigations that rely on collecting documents and e-mail from employees. EU regulations already make it difficult for lawyers to gather information—including data stored on company computers and servers, the report states. But the new proposal “eliminates the most convenient way of gathering evidence for U.S. legal compliance purposes,” said DLA Piper’s Jim Halpert. He added that under current law, lawyers can gather information if given voluntary employee consent. But under the EU’s proposal, that consent, “even if freely given,” would be deemed “invalid.” [Corporate Counsel]

US – California Governor OKs Web Privacy Bill

California Gov. Jerry Brown has signed privacy bills making it illegal for employers and colleges to demand access to social media accounts. Brown announced Thursday that he signed the bill that prohibits employers from demanding usernames and passwords from employees and job applicants. The companion bill makes it illegal for colleges and universities to demand social media usernames and passwords from students. [Source] See also: [US: Lawyer’s Facebook photo causes mistrial in Miami-Dade murder case] See also: [OIPC SK – Investigation Report F-2012-003 – Saskatchewan Workers’ Compensation Board] and [OIPC SK – Investigation Report F-2012-002 – Saskatchewan Workers’ Compensation Board] and [OIPC SK – Investigation Report F-2012-005 – Saskatchewan Worker’s Compensation Board]

 

+++

 

 

01-15 September 2012

 

Biometrics

US – FBI Begins Installation of $1 Billion Face Recognition System Across America

A move by the Federal Bureau of Investigation (FBI) to upgrade its biometric database has a number of privacy and civil liberties groups raising red flags over potential privacy intrusions. The Next Generation Identification program will update the FBI’s fingerprint database and will compile mugshots, DNA data, iris scans and voice recognition to help agents track down suspects. An FBI spokesman said the agency “is tentatively planning to host a meeting of federal law enforcement and national security agencies with privacy and civil liberties groups to discuss various aspects of federal government uses of facial recognition technology later this year.” Sen. Al Franken (D-MN) has expressed privacy concerns about the database. [CNET News] [Source]

US – Alabama First State to Scan Fingerprints of Prison Visitors

The Alabama Department of Corrections has enacted a first-in-the-nation policy requiring visitors at the state’s prisons to have their fingerprint scanned before they are allowed to enter the facilities. No other state prison system in the country has a similar requirement. The change, implemented in August, has its roots in the prison system getting a new computer program, said a spokesman for the Department of Corrections. The move is drawing some criticism. State Departments of Corrections routinely require that visitors be approved, and each visitor undergoes a criminal background check. However, the fingerprint requirement is “extreme,” said David Fathi, director of the American Civil Liberties Union’s National Prison Project. “If showing a driver’s license is all that is required to get on an airplane that will fly you near the White House, it should be enough to get you inside a prison to visit someone,” he said. [Source]

WW – Devices Capture Increasing Amounts of Intimate Data

A growing number of products are capable of monitoring intimate biological data—devices like wireless health monitors and, soon, “stretchable electronics” capable of measuring heart rate, brain activity, body temperature and hydration levels. One company will soon pilot a “Digital Health Feedback System” that will capture biometric data using microchips embedded in a pill and using stomach fluids to emit signals to an external sensor. The ways companies may use or share the data collected by such devices are yet to be seen. One company says customers will own the data but requires customers to grant it permission to use data for “product development and the cultivation of its data sets,” the report states. [The New York Times]

 

Canada

CA – Stop Collecting Health Numbers, SaskTel Told

Saskatchewan’s privacy commissioner says SaskTel should stop collecting health card numbers from its customers. Gary Dickson also wants the Crown-owned phone company to stop gathering social insurance numbers and other unique identifiers whenever possible. The recommendations were part of a 58-page report Dickson released this week. [Source] [Source]

CA – Ontario Trial Hinging on Cellphone Search Warrant Raises Privacy Concerns in B.C.

David Eby of the B.C. Civil Liberties Association is concerned about the outcome of a court case in Ontario ruling on whether police can search a suspect’s cellphone without a warrant. A cellphone was found on an Ontario man after he had been arrested on suspicion of armed robbery in July 2009. On the phone were images and text messages that were used against him in his trial. A warrant to examine the phone was only obtained after the police found evidence on the phone. The cellphone information was ruled admissible as evidence but that decision has gone to the Ontario Court of Appeal for a ruling on whether it was a violation of the Charter of Rights and Freedoms. Police can search a bag or briefcase when they arrest someone. They need a warrant to get into your house or the trunk of your car. But a phone can carry a lot more vital information these days than a briefcase. “The issue that the courts are grappling with now is the realities of new technologies,” said Eby. He believes police should get a warrant before accessing all that information. [Source]

CA – Growing Number of Stolen ID Cards Used to Obtain Passports: RCMP Report

Criminals are increasingly using stolen social insurance numbers and doctored birth certificates to obtain legitimate driver’s licences and passports, an internal RCMP report says. And by leveraging pilfered or forged identity markers into higher-value IDs, criminals can sidestep tough anti-counterfeiting features built into government-issued identity documents, including a pending upgrade of passports with biometric chips. “Identities are being overtaken, altered or created, facilitating a number of other crimes, including many variations of fraud, typically for financial gain or to conceal a true identity,” says the March 2011 report prepared by the RCMP’s criminal intelligence division. It points to a rising use of “breeder” documents — identity records such as social insurance numbers, birth or citizenship certificates — that are stolen, tampered with or falsified, then used to sign up for credit cards or valid forms of identity. The report suggests Ottawa’s recent move to stop issuing SIN cards, instead sending the information in a letter, may not hinder identity thieves who skim someone’s mail or pick through their garbage looking for the nine-digit number. The report says the failure of governments to cross-check the authenticity of personal documents used in applications allows fraudsters to stitch together a “synthetic” identity, often combining a stolen social insurance number or altered birth certificate with a made-up name and date of birth. That means a social insurance number can be successfully paired with an entirely different name on a government application form, since the two are not routinely checked for a match, it says. And online applications make it easier for criminals to avoid face-to-face interactions when committing identity fraud, the report notes. [Source]

CA – Privacy Goes Missing With Alberta’s New Missing Persons Act: Critics

A new law that came into effect this month giving Alberta police easier access to personal records when investigating missing persons cases is being touted as a potential lifesaver by the provincial government. But critics say that however well-intentioned the Missing Persons Act is, it presents real dangers to privacy and, possibly, personal safety. The legislation, introduced more than a year ago, allows police in a missing person case to seek an order from a justice of the peace to search personal information, such as cellphone and computer records, employment, education and health files, closed circuit television records and financial histories. In emergency situations, police can also make a written demand for information without going to the courts. Justice Minister Jonathan Denis said Friday the law’s major impact is that police can now access information even if there is no reason to think a crime has been committed. Denis said the legislation is the first of its kind in Canada. But Liberal MLA Laurie Blakeman said she’s horrified by how much personal information the government is allowing police to collect under the law. [Source]

CA – Commissioner Urges Orgs to Make Privacy Part of Their Corporate Culture

Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, says it is not enough for organizations to have a privacy policy in place – they must take steps on an ongoing basis to make sure it is reflected in every aspect of their operations. A new paper, released today by the Commissioner at a meeting of the Privacy Section of the Canadian Bar Association, provides a 7-step action plan on how to effectively execute an appropriate privacy policy and embed it in the concrete practices of an organization. Paper: A Policy is Not Enough: It Must be Reflected in Concrete Practices [Source: Office of the Information & Privacy Commissioner of Ontario]

 

Cloud Privacy 

HK – Cloud Security Alliance Presents Privacy Level Agreement Initiative

The Cloud Security Alliance (CSA) has announced the launch of a Privacy Level Agreement (PLA) Working Group in the EU and a partnership with the Hong Kong Applied Science and Technology Research Institute (ASTRI) to advance cloud computing security and build capabilities that will accelerate the development of the cloud ecosystem in Hong Kong. The PLA Working Group is comprised of independent privacy and data protection subject matter experts, privacy officers, and representatives from data protection authorities. The group will work to define compliance baselines for data protection legislation and establish best practices for defining a standard for communicating the level of privacy measures such as data protection and data security that it agrees to maintain while hosting third-party data. [Source]

 

E-Government 

CA – BC: Coquitlam Rejects Plan to Publish Voters’ Names

Coun. Terry O’Neill’s plan to improve voter turnout was flatly rejected at a council meeting in Coquitlam this week. Introduced in July, O’Neill’s motion sought to publicize the names of those who vote in a civic election, a move he hoped would improve “abysmally low” voter turnout in recent years. But the key stumbling block among his council colleagues was the issue of privacy, and the motion was defeated 8-1. O’Neill was the lone councillor to vote in favour of the motion. “No idea is perfect,” he said. “But I think this is a good idea and it’s a good start.” O’Neill got the idea after reading an Atlantic magazine article entitled, “The Ideas Report.” The report cited a U.S. study that suggests “people are more likely to follow social norms when their behaviour is observed by others” – in other words, if their names are published, they are more likely to vote. Under current provincial legislation, municipalities are mandated to produce voter lists for eight weeks after an election, a point O’Neill used to counter claims his motion would undermine privacy concerns. He also argued publishing the names of those who vote in local newspapers would instill a sense of pride, while also exerting pressure on those who choose not to vote. Coun. Selina Robinson, however, said that tactic encouraged a form of public shaming rather than public engagement. [Source]

 

Electronic Records

US – New Texas Privacy Law Adds More Hassle, Expense

Texas physicians and certain other professionals who use electronic health records must comply with a new state privacy law beginning this month that imposes more stringent requirements than HIPAA. HB300, an omnibus health information technology privacy and security bill, covers meaningful use of electronic health records, the physician quality and reporting system, e-prescribing, translator availability, drug plan authorizations, and increased documentation and certification requirements. The changes begin with a broadened definition of “covered entities,” to include almost anyone who handles protected health information. This may include business associates, healthcare payers, government units, schools, healthcare facilities, providers, researchers and physicians. Covered entities are allowed to transmit protected health information for treatment, payment, health plan operations and insurance functions, and patients must be informed — through prominently displayed notices in public areas — that this disclosure may occur for authorized purposes. Other uses will require patient authorization. Patient requests for their electronic health records must be fulfilled within 15 business days of a written query, just as physicians have been required to do for paper records under state law. Health care workers also face stricter training requirements regarding privacy issues, and penalties for violations will be ramped up significantly under the new law. [Source]

US – ONC Shelves Voluntary “Rules of the Road” Draft Regs

The Office of the National Coordinator (ONC) for Health Information Technology has stepped away from plans to set voluntary “rules of the road” for health information exchanges—including guidelines for privacy and security. In a blog post about the shelving of a Nationwide Health Information Exchange Governance Rule, ONC head Farzad Mostashari wrote, “Based on what we heard and our analysis of alternatives, we’ve decided not to continue with the formal rulemaking process at this time and instead implement an approach that provides a means for defining and implementing nationwide trusted exchange with higher agility, and lower likelihood of regret.” [GovInfoSecurity]

 

Encryption 

UK – UK Limits Spyware That May Have Targeted Dissidents

The British government has imposed export controls on U.K.-based Gamma Group’s FinSpy surveillance tool, which can remotely take over computers and phones, following reports that the systems may have been used to target political dissidents. The U.K. Secretary of State for Business Innovation and Skills informed the company that existing export restrictions apply to FinSpy, requiring Gamma to obtain a license to sell the system outside the European Union, according to an Aug. 8 letter the government sent to lawyers for London-based Privacy International, which is pressing for such restrictions. [Source]

 

EU Developments

US – Privacy, Consumer Groups Back EU’s Proposed Privacy Rules

22 U.S. privacy and consumer groups have voiced support for a tough online privacy proposal being considered by the European Union, even though some U.S. businesses and government officials have described the proposal as too regulatory. The proposal “provides important new protections for the privacy and security of consumers,” the groups wrote in a letter sent to members of the European Parliament. “We believe that the promotion of stronger privacy standards in Europe will benefit consumers around the globe, as businesses improve their privacy practices and security standards.” The privacy and consumer groups, including Consumers Union, Privacy Rights Now, the Electronic Privacy Information Center and Public Citizen, called for the E.U. to strengthen the privacy protections in the proposal. The E.U. should limit the number of compliance exceptions in the proposed General Data Protection Regulation, promote greater transparency in data practices and strengthen the public’s right to data portability, the groups said. The proposal should also limit the scope of information online businesses can collect through “legitimate interests,” the groups said. [Source]

EU – Privacy Czar: Civil Rights at Stake in Asylum Database Proposal

European Commission proposals that would give the police access to a new EU-wide fingerprint database for asylum seekers – Eurodac – are a “serious intrusion” into the rights of a vulnerable group, the European Data Protection Supervisor (EDPS) says. The EDPS said that under Commission proposals, law enforcement authorities would have access to Eurodac data. While the EDPS understands that the availability of a database with fingerprints could be a useful additional tool in combating crime, the EDPS views the Commission’s amendment as “a serious intrusion into the rights of a vulnerable group of people in need of protection.” The EDPS said the access might not be really necessary. “Just because the data has already been collected, it should not be used for another purpose which may have a far-reaching negative impact on the lives of individuals,” said EDPS supervisor Peter Hustinx. “To intrude upon the privacy of individuals and risk stigmatising them requires strong justification and the Commission has simply not provided sufficient reason why asylum seekers should be singled out for such treatment,” he added. [Source]

UK – ICO: Cookie Compliance Deadline Set for Some

Information Commissioner’s Office (ICO) Group Manager for Business and Industry Dave Evans said businesses should now “know they have to respond to the law.” The comments come after one web software firm taunted the ICO about cookie compliance. For noncompliant businesses, Evans said, “It might be a law they wish didn’t exist, but the simple fact is that it is here to stay,” adding, “for example, some sites have failed to engage with us at all, and they’re now being set a deadline to take steps towards compliance, with formal enforcement action likely if they fail to meet this deadline.” [Out-law.com] [Privacy watchdog to issue massive fines for cookie law breaches]

UK – Web Software Firm Taunts UK Data Regulator Over Cookies

A software firm has challenged the UK’s Information Commissioner’s Office to punish it over its use of web cookies. Derby-based Silktide said it created http://nocookielaw.com to highlight the “ineffective” rules put in place in May to clamp down on websites using “tracking” cookies which log user data. The site says: “Dear ICO, sue us. Send in a team of balaclava-clad ninjas in black hawk helicopters to tickle us to death with feather dusters.” The ICO has defended its role. “We welcome any opportunity to help us draw attention to this matter, as a key part of our work in ensuring compliance with the cookie law has been making businesses aware of the regulations,” a spokesman said. [Source]

UK – Parliamentary Committee Hears Evidence on Proposed Framework

The UK Parliament’s Justice Select Committee has held its first evidence session on the EU’s proposed data protection framework. The Association of Chief Police Officers, the Federation of Small Businesses and the Information Commissioner’s Office were among those who provided their opinions. While many said the regulation brings welcome changes, “the overwhelming response was to criticize the overly-engineered text” of both the regulation and the Data Protection Directive, the report states, and a key “tension in the regulation exists between the drive toward harmonization and the consequent prescriptive practices and procedures that the commission’s version of harmonization requires.” [Source]

UK – British Funeral Director Puts QR Codes on Grave Stones

Visitors to graveyards in the UK may soon be able to learn much more about the people buried there, with the introduction of quick response (QR) codes on headstones. Chester Pearce in Poole is the first funeral director to offer families the option of interactive gravestones with embedded QR codes. The £300 QR codes are etched on to small granite or metal squares before being embedded or glued on to the gravestones. When scanned using a smartphone or tablet, the code launches a personalised web page dedicated to the deceased, complete with pictures, videos and contributions from family and friends. The QR codes can also be put on memorials and tribute plaques on benches. [Source]

EU – Working Party Releases Meeting Agenda

The Article 29 Working Party has released a draft agenda ahead of its next meeting. The meeting will take place September 25 and 26 in Brussels. It will discuss “the draft application form and cooperation procedure for Binding Corporate Rules (BCR) for processors,” the draft opinion on purpose limitation and “developments on the draft data protection regulation and directive.” [Source]

EU – Uruguay Declared Adequate by EU

The European Union has confirmed that Uruguay has achieved adequacy for personal data protection, according to the website of the nation’s data protection authority. “It is a recognition to the work of the regulatory unit and control of personal data,” the website states, “and a confidence in Uruguay as a country capable of assuming the challenge of taking care of the adequate controls that are required in the use and treatment of the personal data that has been provided.” [Source]

 

Facts & Stats

US – 94 Million Records Affected by Government Breaches, Sheriff Announces Breach

The government sector reported 268 incidents of data breaches from January 2009 to May 2012, reports Help Net Security. The breaches exposed a combined total of more than 94 million records. According to research by Rapid7, the number of PII records exposed from 2010 to 2011 increased by almost 170 percent. The leading causes of such losses were unintended disclosure, loss and theft of portable devices, physical loss and hacking, the report states. Meanwhile, a Maine sheriff’s office is warning approximately 180 people who were recently arrested to monitor their personal accounts after their Social Security numbers were inadvertently made public last week for “a fairly limited period of time.” [Help Net Security] 

WW – Data Breaches are Down but Hackers Are More Selective: Symantec

The latest data breach figures from Symantec present a ‘good news, bad news’ scenario. Symantec’s August 2012 Intelligence Report compares the number of breaches for the first eight months of this year with the same period of 2011. There were an average of 14 data breaches per month so far in 2012, down from 16.5 from January to August of 2011. And the average number of identities stolen during those incidents was cut in half from 2011 to 2012 during the months of January to August. Sounds like good news. But the bad news is that, as Symantec cautions, hackers may just be getting smarter and more strategic. And although hackers are still to blame for most of the breaches (40%) the rest of us can bear some responsibility too: 21% of breaches result from data being made public accidentally and 19% are due to theft or loss. [Source]

 

Finance

CH – Banks to Notify Employees of Data Transfers

In the wake of concerns surrounding the transfer of bank data to other countries, Swiss banks have agreed to inform employees before data is sent to foreign tax investigators. Data Protection Commissioner Hanspeter Thür said five banks have “signed on to notify employees after Thür threatened to ask the Federal Administrative Court to force banks to protect employee data,” the report states, noting Thür met with bank officials to promote “a transparent process for employees” and that he has “doubts data handovers to the U.S. are legal.” [World Radio Switzerland]

AR – Argentina Government Tracking All Credit Card Purchases

The Argentina government has begun mandating banks to report credit card purchases to national tax authorities and is adding a 15% surcharge on purchases made outside the country using Argentinian bank-issued credit cards. The changes are an effort to combat tax evasion and close off ways for people to convert pesos to U.S. dollars at the official rate—which is lower than the black market rate. The author states this is an example of how a “cashless society… has actually advanced the cause of financial repression,” adding, they are “important lessons in why a cashless society should not strip everyone of their transactional and financial privacy.” [Forbes]

US – Bank Fraud Ringleader Sentenced

The leader of a bank fraud and identity theft scheme in Pennsylvania that targeted top-tier financial institutions and their customers has been sentenced to more than eight years in prison for his crimes. Although that sentence is steeper than in many similar ID theft cases, one legal expert says the case merited an even harsher sentence. [Source]

 

Health / Medical 

CA – Manitoba Ombudsman Wants Tougher Penalties for Snooping by Health Workers

Manitoba’s acting ombudsman says penalties for nosiness should be strengthened now that technology is making it easier for health-care workers to snoop into the private information of patients they have a grudge against. “In the old days, three people had access to your record — your doctor, his or her nurse and his or her receptionist. Now, you can have thousands of people with access to your records,” Mel Holley said. Holley has concluded an investigation into a case last year in which a worker at CancerCare Manitoba, the province’s prime centre for cancer treatment, got into the electronic patient files of a neighbour’s child who was undergoing treatment. The worker, whom Holley did not identify, did not need to see the child’s file for any work-related purpose, but did so because of a personal conflict with the youngster’s mother. [Source]

 

Horror Stories 

US – App Company Admits to Being the Source of Apple UDID leak

A Florida-based app publishing company called BlueToad has claimed it was the source of the Apple UDID leak, contradicting claims from Anonymous that it hacked them from an FBI laptop. Speaking to NBC News, BlueToad CEO Paul DeHart said data released by Anonymous closely matched data held on one of the company’s databases. DeHart believes BlueToad was hacked several weeks ago. He apologised to those whose data was stolen, adding that an investigation is underway into the exact circumstances. Earlier this month Anonymous leaked one million UDIDs out of about 12 million it claimed to possess. It said it had hacked the data from a laptop belonging to an FBI agent as it wanted to publicly expose the monitoring and tracking by US government agencies such as the FBI. However the FBI was quick to deny it was the source of the data, saying in a statement that it could find “no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.” Apple also denied handing over the information to the FBI. It is also phasing out the use of UDIDs, partly. There has been no response yet from the usual Twitter accounts connected to Anonymous. However one thing is clear: the dates do not match up. Anonymous said the information was hacked back in March but BlueToad believes its data breach occurred within the last two weeks. DeHart admitted that it is possible the data had been shared by whoever stole it from BlueToad and found its way onto an FBI laptop. Web pages have been set up to check whether IDs have been compromised and Apple users can look up a UDID using a confidential partial search at http://pastehtml.com/udid [Source] [FBI Disputes Claims of Hackers’ Apple Data Breach] [Alleged FBI Hack: Much Ado about Nothing?] [Hacker group claims FBI tracking Apple users]

US – Officials Alert Patients: Breached Data May Have Been Sold

University of Miami officials are warning patients affected by a July breach that two university employees may have sold their data. The employees accessed information including names, dates of birth, insurance policy numbers, partial Social Security numbers and some clinical information. In some cases, Social Security numbers may have been viewed in full. The university is providing two years of identity protection services, the report states. “We continue to review and refine our physical and electronic safeguards to enhance protection of all patient data,” university officials wrote in a letter. [Healthcare IT News] [Miami hospital data breach due to employee offense] 

CA – B.C. Health Ministry Suspends Workers Over Privacy Breach

Seven employees have been suspended without pay from the B.C. Ministry of Health over allegations of inappropriate access to medical information. The employees in question worked in the area of research and evidence development, which awards drug research contracts on behalf of the ministry. Government has also terminated agreements with two research contractors until after the investigation is complete. It is believed both government workers and research contractors had inappropriate access to health data. It is not clear what information, if any, has been compromised. Both the RCMP and B.C.’s Office of the Information and Privacy Commissioner have been notified about the allegations. [Source] See also: [NL: Eastern Health announces more privacy breaches] Update: [BC: McInnes: Alleged data breach a body blow to health research expansion] and [Alaska’s Health and Social Services CSO Offers Lessons Learned from a Breach] 

US – Judge Consolidates Four Breach Class Actions

A U.S. District Court Judge yesterday consolidated four proposed class-action lawsuits against LinkedIn Corp. The suits were filed in California’s Northern District in response to a June security breach and claimed $5 million in damages after hackers stole 6.5 million user passwords from the site and posted them online, the report states. The suits claim that although LinkedIn’s privacy policy says it will protect user data with “industry standards and technology,” the company used “a weak encryption format that failed to comply with basic industry standards…without implementing other crucial security measures.” [The Recorder] 

US – Judge Throws Out Consumer Complaint

A federal judge has dismissed a consumer lawsuit against 17 tech companies. U.S. District Court Judge Sam Sparks found the consumers’ written complaint is “too unwieldy” for the lawsuit to proceed, the report states. The suit was filed against the tech companies for allegedly collecting or storing users’ address books without their consent, the report states. Complaints are required to make allegations in a “short and plain statement.” Sparks said the consumers’ complaint was not “written with an eye toward this court’s busy docket” and is instead aimed at the “court of public opinion.” The consumers have until September 12 to amend the complaint. [MediaPost]

 

Identity Issues 

CA – Tighter Air Security Rules Leads To New Canadian Passports With Electronic Chip

Starting next spring, Canadian passports will be valid for up to 10 years. But they will also feature a new electronic chip on which vast amounts of data can be stored. Not that it will, insists Passport Canada. But it could – including personal commercial information like cars you’ve rented, hotel reservations made or your frequent flyer programs. Eleven years after 9/11, the new passport is part of a global tightening of air travel security that is the subject of a three-day conference starting this week at Montreal’s International Civil Aviation Organization (ICAO). [Source]

WW – Research Paper Reexamines Reidentification

Columbia University’s Daniel Barth-Jones has released a paper reexamining Latanya Sweeney’s 1997 analysis of reidentification vulnerabilities. With a “profound impact on the development of de-identification provisions” within HIPAA, Sweeney’s study has been “frequently cited as an example” of the “astonishing ease” with which medical data can be reidentified. According to Barth-Jones, this reexamination “exposes an important systemic barrier to accurate reidentification known as ‘the myth of the perfect population register.’” The author provides “recommendations for enhancements to existing HIPAA de-identification policy” and commentary on “balancing the competing goals of protecting patient privacy and preserving the accuracy of scientific research and statistical analyses conducted with de-identified data.” [Source]

US – University Decides Sex Tracking Smartphone App May Not Be Such a Great Idea

Earlier this summer, researchers from Indiana University and the Kinsey Institute launched the ultimate app for the TMI crowd: the Kinsey Reporter, which “crowdsources sexual behavior.” It works how you would expect it to work. The app acts as a digital Dr. Alfred Kinsey — the pioneering sex researcher, a.k.a. Liam Neeson — for those willing to spill their sexual secrets, asking them for reports on their flirting, kissing, cuddling, self-loving time, fetishes, use of birth control, and all other aspects of body-rubbing activity. The app managed to attract a national pool of willing guinea pigs in just over three months’ time, judging from this recent report: The researchers’ pitch was to share your sexy times for science to allow them to get better insight into “issues that have been challenging to study until now.” (Thanks to those pesky Peeping Tom laws.) The app assured users that all reports would be anonymous, tied solely to the participants’ geolocation, which would be tagged when they uploaded their reports. Then it would be used for research and to generate nifty reports. Though originally released in May, the app got media attention just this week after the university issued a press release. Those reports, of course, involved the word “creepy.” A few hours after the release was issued, the University’s general counsel got wind of the app’s existence, apparently for the first time, and made the decision to disable the Kinsey Reporter app and an accompanying website for further study after concerns were voiced about potential privacy issues and data protection. [Source]

 

Intellectual Property 

US – Federal Appeals Court Restores Initial US $222,000 Verdict in Filesharing Case

The 8th US Circuit Court of Appeals in Missouri has reinstated the original verdict against Jammie Thomas-Rasset, the Minnesota woman who since 2006 has been challenging an illegal file-sharing lawsuit brought by the Recording Industry Association of America (RIAA). Thomas-Rasset was initially ordered to pay US $222,000 for illegally downloading and sharing 24 songs through Kazaa. The RIAA says it found more than 1,700 songs on Thomas-Rasset’s computer but for the court case, it focused on just 24. After the first trial, the judge declared a mistrial after he decided that he had given the jury inaccurate instructions. The subsequent trial also found Thomas-Rasset guilty and the jury gave a verdict of US $1.92 million, which the judge reduced to US $54,000. The companies went to a third trial on damages, which awarded the RIAA US $1.5 million, but that was reduced to US $54,000 as well. The appeals court ruled that the US $222,000 verdict should stand. Thomas-Rasset’s lawyer says his client plans to appeal to the US Supreme Court. The RIAA no longer pursues action against individual file-sharers; instead, it is focused on working with service providers to help identify and punish those who persist in illegal downloading. [WIRED] [Ars Technica] [BBC] [Opinion]

 

Law Enforcement 

WW – Infrared-Camera Algorithm Could Scan for Drunks in Public

Computer scientists have published a paper detailing how two algorithms could be used in conjunction with thermal imaging to scan for inebriated people in public places. The paper, published in the International Journal of Electronic Security and Digital Forensics, details two different algorithms that focus on data gathered from a subject’s face — alcohol causes blood-vessel dilation at the skin’s surface, so by using this principle as a starting point the two began to compare data gathered from thermal-imaging scans. One algorithm compares a database of these facial scans of drunk and sober individuals against pixel values from different sites on a subject’s face. A similar method has been used in the past to detect infections, such as SARS, at airports — though a study carried out at the time of the 2003 outbreak warned, “although the use of infrared instruments to measure body surface temperatures has many advantages, there are human, environmental, and equipment variables that can affect the accuracy of collected data.” A second algorithm is used to map out the different areas of the face. The pair found that, when inebriated, an individual’s nose tends to become warmer while their forehead remains far cooler. To use this information against the database with the first algorithm, a second algorithm was necessary to identify and differentiate between features. The system could, the paper argues, be used to avoid embarrassing and unfounded reproaches by police officers and officials, who generally make assumptions based on behaviour and appearances alone. [Source] See also: [New Mexico: Eddy County Sheriff’s office uses tech to fight child porn]

 

Location 

US – Feds: No Constitutional Protections for Location Data

Wired reports on court arguments made by the Obama administration claiming there is “no expectation of privacy” in cellphone location data, meaning law enforcement should not need to obtain a warrant to track a suspect’s movements. Citing a 1976 Supreme Court case, the administration said data such as bank records gleaned from cellphone providers are “third-party records.” The arguments come as the government prepares for a retrial in the United States v. Jones case. The administration’s court filing states, “When a cellphone user transmits a signal to a cell tower for his call to be connected, he thereby assumes the risk that the cellphone provider will create its own internal record.” [Source]

US – FTC Issues Guidance to Promote Secure Mobile Apps

The Federal Trade Commission has just published a guide to help mobile application developers observe truth-in-advertising and basic privacy principles when marketing new mobile apps. The FTC’s new publication, Marketing Your Mobile App: Get It Right from the Start, notes that there are eight general guidelines that all app developers should consider. The FTC guidelines are:

  1. Tell the truth about what the app can do.
  2. Disclose key information clearly and conspicuously.
  3. Build privacy considerations in from the start.
  4. Offer choices that are easy to find and easy to use.
  5. Honor privacy promises.
  6. Protect children’s privacy.
  7. Collect sensitive information only with consent.
  8. Keep user data secure.

Berger says the FTC has no plans to ask Congress to give it more authority to deal specifically with mobile-app privacy matters, but is asking lawmakers to enact legislation to require businesses to assure the online privacy of consumers through its privacy framework. [Source]

Mobile Privacy 

US – Mobile Users Avoid, Uninstall Apps Over Privacy Concerns: Pew Report

About six in 10 mobile phone users said they have decided against downloading certain apps over privacy concerns, a new survey finds. And in many cases, they have uninstalled apps that collected too much personal information about them. According to the survey on mobile privacy released this month by the Pew Internet & American Life Project, users made those decisions when they learned how much personal information they would share by using the apps. The findings, in a survey of 2,254 adults, show that “many cell phone users take steps to manage, control or protect the personal data on their mobile devices,” according to the report’s authors. Among the findings:

— 88% of adults said they own some sort of a mobile phone, and 43% of that group downloaded applications to their phone. That’s up from 31% in 2011.

— 30% of smartphone owners said they turned off their phone’s location tracking feature because they were worried about people or companies accessing this information. That compares with just 7% for those with regular, basic cellphones.

— 41% of all cellphone owners said they backed up data on their phone, such as photos or contacts.

— Men were more likely than women to delete an app because of privacy concerns. But there was no gender difference among people who decided not to install apps in the first place due to privacy concerns.

— Those with BlackBerrys were the most likely to say they’ve lost their phone or had it stolen: 45% compared with 30% of iPhone owners and 36% of Android owners. In all, nearly one-third of all mobile phone owners said they have had their phone lost or stolen.

— People who have had their phone lost or stolen were no more likely to back up the information on their phones afterward. [Source]

US – Smartphone Apps Track Users Even When Shut Down

Some smartphone apps collect and transmit sensitive information stored on a phone, including location, contacts, and Web browsing histories, even when the apps are not being used by the phone’s owner, according to two researchers at the Massachusetts Institute of Technology. The popular game Angry Birds uses the phone’s GPS and Wi-Fi wireless networking features to track the owner’s location, even when he’s not playing the game, for example. Another game, Bowman, collects information from the phone’s Internet browser, including what websites the owner has been visiting. And WhatsApp, a popular text-messaging program, scans the user’s address book when it is seemingly idle. What is not known is whether apps that run on Apple Inc.’s iPhone and iPad tablet computer collect information in similar ways. The researchers only tested 36 apps written for the Android operating system, which is “open source” software. There are logical reasons for some apps to collect such data, researchers said. Rovio Entertainment Ltd., the maker of Angry Birds, makes money from the free version of the game by displaying ads on the screen. It uses location data from the phone to point players to local advertisers. But researchers questioned the need to keep tracking user locations even when the game is shut down. And there is no apparent reason a video game like Bowman needs to know about the player’s Web-surfing habits. The developers of Angry Birds and Bowman did not respond to requests for comment. WhatsApp cited its privacy policy, which says its app scans address books for phone numbers only to see if any of the user’s friends are also WhatsApp users. According to the policy statement, WhatsApp does not copy names, addresses, or e-mail addresses from the phone’s address book. The researchers have applied for a patent on their research, which they hope to turn into a rating system to help consumers quickly understand privacy policies for thousands of apps.
They used the results of their tests to calculate an “intrusiveness score” for each app, rating the amounts of personal data it collects while in use and when idle. But they can test only a handful of the more than half a million Android apps, so they hope to develop a separate app that would “crowdsource” the process. Owners of Android phones could install the app, use it to test other apps, then publish the results on a website. Consumers could check an app’s intrusiveness score before deciding whether to install it. [Source]

US – NTIA Cancels Mobile App Privacy Meeting to Allow for Fact Gathering

The National Telecommunications and Information Administration (NTIA) has cancelled its September 19 stakeholder meeting to allow stakeholders to meet with app developers for informal briefings first. One such briefing will occur September 19. At the NTIA’s August 29 meeting, the second of a series of three, participants said they needed more information on the mobile app sphere before making decisions. As a result, such briefings have been scheduled for September 13, 14, 19 and 28. The NTIA meetings aim to establish a code of conduct framework, called for under the Obama administration’s Privacy Bill of Rights. [Broadcasting & Cable reports] 

US – Justice Dept. Says Counterterrorism Apps Pose Privacy and Security Concerns

The US Department of Justice (DOJ) is discouraging people from reporting suspicious activity through smartphone apps due to privacy concerns. Normally, information about potential threats reported by citizens is sent to regional analysis centers. Some of those centers are now allowing the reports to come to them through iPhone, iPad and other mobile device apps. The WVa app was introduced in February. The devices have the advantage of sending location information and pictures quickly, but there is concern that the apps could be misused and that they might flood emergency centers with unverified information. [NextGov] [WV]

 

Offshore 

WW – Study Says Data Privacy #1 Obstacle in Multinational Probes

Data privacy is the biggest challenge for lawyers and accountants conducting multinational investigations or cross-border litigation, according to a study released this month. The study found that 54% of those questioned said that data privacy was the greatest obstacle when handling these types of investigations or engagements. The study, published by business advisory firm FTI Consulting Inc., surveyed 114 legal and accounting professionals who have handled e-discovery matters for either multinational investigations or cross-border litigation. Respondents also said that multinational investigations were costly enterprises, with 48% reporting they had spent more than $500,000 on such matters, and most thought things would only get tougher, with 76% predicting an increase in data privacy requirements in the coming years. [The Wall Street Journal]

CY – Cayman Islands: Proposed New Privacy Law Open for Comment

The Cayman public now has two months to examine and review critical draft legislation regulating the collection and use of personal data by all businesses, organisations and government entities. The new bill also deals with the individual right of people to access their own personal information and have more control over how it is used. The draft Data Protection Bill 2012 aims to provide legal protection of individual rights without being overly bureaucratic, officials said this week, as the long-awaited proposed law was published for public review. David Archbold, of the Information and Communications Technology Authority, said the bill will have tangible benefits for the Cayman Islands and be an effective tool to advance the right to privacy. “The scope of the draft Bill is quite broad, with exemptions in the public interest or for the protection of other rights and freedoms,” government officials said. The 69-page draft Data Protection Bill 2012 and the accompanying consultation papers are available at http://www.dataprotection.ky [Source]

Online Privacy

WW – Apache Web Software Overrides IE10 Do-Not-Track Setting

Apache has announced it will override Microsoft’s default do-not-track (DNT) setting. One of the authors of the DNT standard, Roy Fielding, wrote a patch for Apache that will disable Microsoft’s DNT setting. As a result, web servers using Apache software—the most commonly used software to house websites—will ignore IE10 DNT settings, the report states. Fielding said, “The only reason DNT exists is to express a non-default option,” adding, “It does not protect anyone’s privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization.” [CNET News] [PCMag] [Microsoft: DNT Default Not an Antidote to Advertising]

WW – Study: File Sharers Heavily Monitored

A study conducted by researchers at the University of Birmingham in the UK reveals that nearly all files shared via torrent sites are monitored by large Internet service companies that are possibly acting on behalf of copyright enforcers. In their study, the researchers noticed that IP addresses of file sharers were being tracked by several monitors acting as file sharers, the report states. One of the researchers said, “In the EU, there are quite strong data protection laws, and people who store personal data have to fulfill a lot of criteria, and this could definitely be looked on as personal data about the people being monitored.” [CBC News] 

US – Big Data: Which Websites Respect Your Privacy Rights the Least?

One lawyer has published an analysis of how 25 major websites handle customer data. Andrew Nichol’s ClickWrapped.com evaluates sites on four categories, including how user data is used and when it can be disclosed. The evaluations are based on a 100-point scale, and points can be gained based on whether the site’s policy is consumer-friendly. [TIME]

US – Judge: Twitter Must Produce Posts or Face Fines

A judge has ruled that Twitter must disclose an Occupy Wall Street protester’s tweets or face a fine. New York State Supreme Court Judge Matthew A. Sciarrino Jr. has said the company must either turn over the posts or provide its earning statements from the previous two quarters so the judge can assess a fine. “I can’t put Twitter or the little blue bird in jail, so the only way to punish is monetarily,” Sciarrino said. In an exclusive for The Privacy Advisor, Mathew Schwartz asks, “Can service providers be held liable for what their users post, tweet or upload, including what others may deem to be offensive communications?” [Bloomberg]

 

Other Jurisdictions 

AU – Data Retention Laws Risky, Canberra told

The government was warned early this year that proposed new data retention laws would put Australians at higher risk of privacy breaches. The controversial proposal, which could see internet companies store up to two years’ worth of data on subscribers and users, is part of a package of legislative changes to overhaul the telecommunications interceptions regime currently before a joint parliamentary intelligence and security committee. It has come to light that last December privacy consultants Information Integrity Solutions (IIS) advised Attorney-General Nicola Roxon that some internet companies subject to the new laws may not have the capability to adequately protect the data. Some may also struggle to understand their obligations to protect it under the proposed laws, it warned. In a report obtained under Freedom of Information, IIS advised the government to limit the data retention period to a maximum of six months in order to mitigate the risk of privacy breaches. Under the current proposal before the committee, the legislation anticipates retaining the data for up to two years. [Source] See also: [Ukraine: New Liability For Company Officials]

SA – Personal Information Bill Referred Back to Parliament

The Protection of Personal Information Bill has been referred back to Parliament for a second reading and further debate. A portfolio committee on justice and constitutional development ruled unanimously in favor of the bill, which would provide a regulatory framework for the ways in which personal data may be processed. The bill is “expected to have a significant impact on the manner in which private and public bodies process personal or identifying information as it aims to protect the free flow of information” and information access while protecting privacy, the report states. One expert advised organizations to look at the bill’s various requirements and consider steps toward compliance. [Business Report]

IS – Israeli Court Upholds DPA’s Authority to Issue Market Instructions

In a detailed, 27-page decision (Admin. App. 24867-02-11 IDI Insurance v. Database Registrar), the Tel Aviv District Court recently upheld the validity of an instruction issued by the data protection regulator restricting financial institutions from using information about a third party’s attachment of their client’s account for the financial institution’s own purposes. The court held that the regulator is authorized to issue market instructions interpreting the law. The decision is likely to have far-reaching effects on the validity and weight given to a series of detailed guidance documents and market instructions published by the Israeli Law, Information and Technology Authority (“ILITA”) over the past two years. These include instructions regarding:

  • outsourcing data processing operations;
  • requirements for user authentication when providing remote access to personal data;
  • employee screening and employment recruitment agencies; and
  • allocation of responsibility for databases between health insurers and primary health care providers.

In addition, ILITA issued a draft instruction concerning the collection of data from minors; draft guidance concerning privacy in the workplace; and, perhaps most importantly, draft data security regulations which are intended to replace the currently applicable regulations that date back to 1986 (the Privacy Protection Regulations (Conditions for Data Storage and Security and Public Sector Data Sharing), 1986).

 

Privacy (US) 

US – FTC Finalizes Myspace Settlement

The Federal Trade Commission (FTC) has finalized a settlement reached in May with Myspace. The settlement requires the company to develop a data privacy program and undergo privacy audits for two decades, the report states. The FTC found that Myspace violated its privacy policy by sharing users’ personal information with third parties without first obtaining their consent. [The Hill] 

US – Next President, Congress Face Privacy Challenges: Report

Among the top technology hurdles facing the next U.S. president and Congress is consumer privacy, according to a new report. With the FTC constrained in its regulatory power and given the nation’s “patchwork of inconsistent, sector-specific laws protecting certain categories of sensitive data…the opportunity for abuse of consumer privacy is growing every day,” the report states. Advances in technology including the increasing use of facial recognition, license plate scanners and drones all present privacy challenges. In the meantime, “Congress has been dragging its feet on a baseline consumer privacy law for over a decade.” [ABC News] 

US – Domestic Surveillance During Divorce Results In Federal Privacy Lawsuits

Dan Horn reports on a case of domestic surveillance that is noteworthy for the issues it raises. If you have a right to install surveillance systems – including audio recording and monitoring online activity – in your own home and on your own devices, what rights do your spouse and visitors to your home have with respect to their privacy? Although a Cincinnati couple’s divorce is finalized, the surveillance uncovered during their divorce proceedings resulted in two federal court lawsuits involving friends and relatives, the husband’s defense attorney, and a company that manufactures the computer monitoring software. One of those suing is a man whose e-mail communications with the wife were recorded without his knowledge or consent. [Source]

US – Obama Nominates Joshua Wright to FTC

President Obama yesterday announced the nomination of George Mason University School of Law Prof. Joshua Wright to the Federal Trade Commission (FTC). If confirmed, Wright will replace Commissioner J. Thomas Rosch. Wright served as the scholar-in-residence at the FTC’s Bureau of Competition from 2007 to 2008. Wright’s academic work has focused on antitrust law, economics, consumer protection, intellectual property and contracts, the report states. The post will now require Senate confirmation. [The Hill]

 

Privacy Enhancing Technologies (PETs) 

WW – Cloudnymous Launches Cloud-Based Privacy Cloak

Startup Cloudnymous has launched a new cloud-based anonymous VPN service which lets users access any restricted or censored website. As customer data is spread evenly across the cloud, even if a server is brought down, customer data cannot easily be retrieved. The cloud-based VPN service offers “true” anonymity and protection of the user’s data through strong encryption protocols, according to the firm — and may be of particular interest to those trying to circumvent location-based restrictions online. “Cloudnymous is perfect for U.S. visitors who want to watch Hulu or listen to Pandora overseas, to Asian users wanting to open public sites restricted by local laws and simply for those who want to keep privacy while surfing the Internet”, said the company. The service is based on a ‘pay per use’ system. There are no contracts; instead, users can pay $0.15 for daily paid servers, $4.95 for monthly paid servers and $0.15 per GB for traffic paid servers. Users can choose the point where the traffic “originates” from — for example, an American or European address, which would in theory circumvent blocks on services including Facebook, Skype and Pandora. According to Cloudnymous, the only logs kept on traffic flow are connection start and end times, and the amount of traffic. Names or addresses are not required to sign up — and all website, VPN traffic and internal communication is encrypted. [Source]

 

Security

UK – GCHQ Chooses Top 20 Security Controls for Businesses

The UK’s GCHQ is introducing a new program to help British businesses protect their computer systems from attacks. The program is called Cyber Security for Business and was launched on Wednesday, September 5. This marks the first time that intelligence services in the UK will be working directly with private sector organizations to help better their cybersecurity stance. GCHQ has created a guide titled Top 20 Critical Controls for Effective Cyber Defence, which is aimed at helping organizations reduce the risk of cyberthreats and prevent or deter most attacks. GCHQ director Iain Lobban says the approach will “make the bad guys’ job harder and won’t cost a fortune.” [v3] [Telegraph] [The Independent] [The Register] [SCMagazine] 

WW – Cyber Security Budgets Grow While IT Budgets Stagnate

Security budgets appear to be comparatively safeguarded, growing 8% to $60 billion in 2012, reaching $86bn by 2016.  At the same time IT budgets are relatively flat, according to Gartner. [SecurityWeek] [The Register]

 

Smart Cards 

UK – Researchers Find Flaw in Chip-and-PIN

Researchers at Cambridge University say that criminals have been exploiting certain flaws in the chip-and-PIN system meant to prevent payment card fraud at ATMs and point-of-sale terminals. Chip-and-PIN, also known as EMV, relies on an embedded chip that encodes card information; payment cards are authenticated by ATMs or payment devices computing several pieces of data, including an “unpredictable number.” But the researchers have found that certain ATMs and payment terminals use incremental numbers rather than random ones. The research was prompted by a rash of reported thefts from European bank card users; the banks refused to refund their losses because they maintained that EMV made the type of fraud they were talking about impossible. The researchers suspected that the thieves had devised a way to predict the “unpredictable” numbers. [Krebs] [Research Paper]

 

Surveillance

US – Gov’t Report Questions How Privacy Applies to Drones

A report released by the Congressional Research Service last week questions government use of drones for surveillance. The Federal Aviation Administration anticipates 30,000 commercial and government drones flying U.S. skies within the next 20 years. The Supreme Court has ruled police may gather surveillance by flying planes and helicopters over homes because the areas are in public view. But the researchers say courts could decide drones are more privacy invasive; their ability to hover and remain in the air longer “may sway a court’s determination of whether certain types of warrantless drone surveillance are compatible with the Fourth Amendment,” the report states. Several lawmakers have introduced drone bills. [The Hill] [CRS Report: Drones in Domestic Surveillance Operations: Fourth Amendment Implications and Legislative Responses] [Congress report warns: drones will track faces from the sky]

 

US Government Programs 

White House Circulating Draft Cybersecurity Executive Order

A draft executive order on cybersecurity is being circulated by the Obama administration. The draft has been sent to various federal agencies for feedback and would formulate a voluntary system for firms operating critical infrastructure to adhere to government-backed cybersecurity best practices and standards, the report states. The executive order builds off part of Sen. Joe Lieberman’s (I-CT) cybersecurity legislation from earlier this year. According to the report, the order is also subject to change, and it is not yet clear if it will get final approval from the president. [The Hill] [White House draft cyber order promotes voluntary critical infrastructure protections] 

US – ‘Zombies Are Coming!’ U.S. Homeland Security Department Warns

Tongue firmly in cheek, the government urged citizens to prepare for a zombie apocalypse, part of a public health campaign to encourage better preparation for genuine disasters and emergencies. The theory: If you’re prepared for a zombie attack, the same preparations will help you during a hurricane, pandemic, earthquake or terrorist attack. The federal Centers for Disease Control and Prevention last year first launched a zombie apocalypse social media campaign for the same purposes. Among the government’s recommendations were having an emergency evacuation plan and a change of clothes, plus keeping on hand fresh water, extra medications and emergency flashlights. A few suggestions tracked closely with some of the 33 rules for dealing with zombies popularized in the 2009 movie Zombieland, which included “always carry a change of underwear” and “when in doubt, know your way out.” [Source]

 

US Legislation

US – House Approves Reauthorization of FISA Amendments Act

The US House of Representatives has voted to reauthorize the 2008 FISA Amendments Act, a law that “allows a secret national security court to approve the interception of communications in and out of the US among groups of people of interest to intelligence agencies.” While the law requires that any data collected “incidentally” are subject to rules that hide the individual’s identity and limit the use of the information, one congressman observed, “the enforcement of this provision is itself shrouded in secrecy, making the potential for abuse substantial and any remedy unlikely.” And Cato Institute analyst Julian Sanchez notes that the breadth of power that FISA allows is similar to the “general warrants” used by agents of the crown in the colonial era, prompting the adoption of the Fourth Amendment rights against unlawful search and seizure. The bill now goes to the Senate. [Washington Post] [WIRED] [Ars Technica] [NextGov] [The Washington Post]

US – Markey Introduces Mobile Device Privacy Act

A new bill has been proposed by Rep. Ed Markey (D-MA) to “require mobile phone makers, network providers and application developers to disclose to customers any monitoring software installed on their mobile devices.” The Mobile Device Privacy Act, which Markey introduced this week, would also require permission from customers before their mobile devices could be monitored. “Apps very commonly access our sensitive information—our location, our photos, web browsing, history. Apps often do this without prior notice and even when the app isn’t actively being used,” Markey said, adding reports of such tracking have created a “significant societal issue that has to be discussed.” Software and technology groups, meanwhile, are saying legislation is not the answer, the report states. [IDG News] 

US – Senate Judiciary Geared to Revamp ECPA, VPPA

The Senate Judiciary Committee has said it will work on an update of the Video Privacy Protection Act and attach provisions to amend portions of the Electronic Communications Privacy Act. Judiciary Committee Chairman Patrick Leahy (D-VT) said in a statement, “When Congress first enacted these laws almost three decades ago, e-mail was still a novelty and most Americans viewed movies at home on VHS tapes rented at their local video store,” adding, “The explosion of cloud computing, social networking sites, video streaming and other new technologies in the years since require that Congress take action to bring our privacy laws into the digital age.” [NationalJournal]

US – FTC Extends Comment Deadline for COPPA Reforms

The Federal Trade Commission has extended to Sept. 24 the deadline to comment on proposed modifications to the Children’s Online Privacy Protection Rule, which gives parents control over what information Web sites and online services may collect from children under 12. Go to: https://ftcpublic comments

 

Workplace Privacy

IS – Draft Guidance Issued on Personal Data Protection in the Workplace

The data protection authority in Israel (ILITA) has provided draft guidance on privacy in the workplace (April 2012). Summary: Employers’ increasing collection of employee personal information throughout employment requires the application of information privacy principles in the workplace: informed consent, specified purpose, proportionality, transparency, purpose limitation, confidentiality and security, obligations related to outsourcing, and access and correction. [Source]

US – Plaintiff Has to Turn Over Emotional Social Media Content In Employment Lawsuit

“Plaintiff sued her former employer for discrimination and emotional distress. In discovery, defendant employer sought from plaintiff all of her social media content that revealed her ‘emotion, feeling, or mental state,’ or related to ‘events that could be reasonably expected to produce a significant emotion, feeling, or mental state.’” The case is Robinson v. Jones Lang LaSalle Americas, Inc., 2012 WL 3763545 (D.Or. August 29, 2012), and the outcome is no surprise at this point. If you make a claim in court, expect the defendant’s lawyers to seek your social media content in discovery. Read more on InternetCases [Source]

 

+++

 

21-31 August 2012

Electronic Records

AU – OAIC Seeks Public Comment on PCEHR Enforcement

The Office of the Australian Information Commissioner (OAIC) is seeking public comment on how it should enforce personally controlled electronic health record (PCEHR) privacy regulations. Together with a set of enforcement guidelines, the OAIC has released a consultation paper. The guidelines detail the OAIC’s enforcement and investigative powers under the PCEHR and Privacy Acts and outline the penalties, enforceable undertakings and injunctions that can be applied in breach cases, the report states. The OAIC is asking if the draft guidelines are acceptable and provide enough clarity. The deadline for public comment is September 18. [ZDNet]

US – Hackers Claim File Containing iOS Device IDs is Evidence of FBI Tracking Project

Hackers have posted a document to Pastebin that they claim contains unique identification codes for one million iOS devices that were obtained when the laptop of an FBI agent was compromised earlier this year. The attackers claim to have obtained a file that contains Unique Device Identifiers (UDIDs), usernames, and push notification tokens for 12 million devices. They also claim that the file contains some names and associated mobile phone numbers. The attackers are suggesting that the presence of such a document indicates that the FBI may be tracking iOS devices. [ZDNet] [The Register]

Encryption

WW – Report Calculates Cost Savings from Use of Full Disk Encryption

“Is full disk encryption (FDE) worth it? A recent study conducted by the Ponemon Institute shows that the expected benefits of FDE exceed cost by a factor ranging from 4 to 20, based on a reduction in the probability that data will be compromised as the result of the loss or theft of a digital device. ‘After doing all of the math, Ponemon found that the cost of FDE on laptop and desktop computers in the U.S. per year was $235, while the cost savings from reduced data breach exposure was $4,650.’” [Source] [Source]

EU Developments

UK – ICO Defends Cookie Compliance Initiatives

The Information Commissioner’s Office (ICO) has defended its record against claims it has not investigated cookie compliance failures. An earlier report stated the ICO received 320 violation claims without investigating one. The ICO said the report was “dramatically wide of the mark,” adding, “So far, 45 (websites) have been analyzed, of which 27 have clearly taken action to increase the visibility of the information about cookies.” The ICO also said, “A progress update, including a list of all the websites contacted, will be published on our website in November…” [SC Magazine]

UK – Retailers Could Be Forced to Release Customer Data

UK ministers have announced they may require supermarkets and online retailers “to release sensitive personal data they hold about customers.” Companies could be required by law “to provide electronic copies of ‘historic transaction data’ when individuals request it,” the report states, which would mean shoppers receive “records of their purchases and spending habits.” While consumers currently have the right to request such information under the Data Protection Act, “the details are rarely in electronic form, and the process is awkward and slow,” the report states, noting, “The new rules would make access far quicker and easier.” [London Evening Standard]

Google

US – Advocacy Group Challenges FTC Settlements

Nonprofit advocacy group Consumer Watchdog “is dialing up its criticism of the proposed privacy settlement between the FTC and Google,” filing a motion in U.S. District Court seeking friend-of-the-court status and a hearing. Consumer Watchdog questioned the proposed $22.5 million settlement when it was first announced because it allows Google to deny “any violation of the FTC order, any and all liability for the claims set forth in the complaint and all material allegations of the complaint save for those regarding jurisdiction and venue,” the report states. [IDG]

US – Consumer Group, Resort Challenge FTC Settlement

The U.S. District Court of Northern California has granted Consumer Watchdog the right to challenge the legal logic behind the proposed FTC settlement with Google. The advocacy group has questioned how the FTC can charge a company with a violation while also allowing no admission of guilt. A Google representative noted, “We are confident there is no basis for this challenge,” while a Consumer Watchdog spokesman said, “The settlement is particularly the start of a very slippery slope,” adding, “It’s very important the FTC get called on this.” Meanwhile, Wyndham Hotel & Resorts LLC is challenging the FTC’s allegations that it failed to adequately secure consumer data. [POLITICO]

WW – Google to Set up Privacy Red Team

In what appears to be a response to recent high-profile privacy issues involving Google and some of its services, the company is in the process of setting up a Privacy Red Team. In a job post for the role of Data Privacy Engineer, Google says the purpose of the team will be to “independently identify, research, and help resolve potential privacy risks across all of our products, services, and business processes in place today”. Google has come under fire in a number of jurisdictions for how it has infringed on the privacy of its users. Recently Google was ordered by the US Federal Trade Commission to pay a $22.5 million fine for having misrepresented to users of Apple’s Safari Internet browser that it would not place tracking “cookies” or serve targeted ads. In Europe, meanwhile, Google has come under fire from various data protection agencies for not deleting Wi-Fi data it gathered from unsecured wireless networks as part of its StreetView program. A ThreatPost report states the move by Google “to look critically at engineering and other decisions in the company’s products and services that could involve user privacy risks is perhaps a unique one.” [ZDNet] [The Register] [Net-Security] [PCMag] [InformationWeek] See also: [Why the FTC May Investigate Google and What to Do If It Happens] See also: [Paying Lip Service to Privacy: Attorney Details Steps for Organizations to Fill Privacy Gaps]

Health / Medical

US – Network Exposure and Healthcare Privacy Breaches

Under Federal law requiring disclosure, the HHS reports on data breaches of over 500 records. Since 2009 HHS has documented 435 PHI breaches impacting 20,066,249 individual records. Why are healthcare systems vulnerable to patient privacy breaches? A key vulnerability is system complexity. EHR systems store patient electronic health records and transport data inside healthcare organizations, between healthcare business units, and in and out of HIEs. These systems are big and complex. In addition, the HIE and EHR IT vendors are highly fragmented, competing in typical American free market economy fashion with no vendor-neutral standards for patient privacy enforcement. The lack of vendor-neutral standards leads to the implementation of proprietary interfaces between systems for electronic healthcare data transfer and exchange. Every interface developed by a healthcare systems integrator is a potential attacker entry point. Risks are compounded by:

  • High porousness of the healthcare enterprise network: A porous healthcare provider network invites attackers in and trusted insiders to take good stuff out using pen drives, tablets, DropBox and Gmail.
  • Low level of ethics of top executives: Executives should be taking leadership positions in security and HIPAA compliance as an example to the rest of the employees and as proof that they believe that good security is key to protecting customers. When a top executive doesn’t let internal risk management guidelines get in the way of his personal goals, it sets the stage for additional fraud at lower echelons and fosters an environment where it’s OK to take company documents, just as long as you don’t get caught.
  • Minimal network monitoring: Organizations with minimal network monitoring are living a life of ignorance that is bliss. If there is a porous network and a lack of security and compliance leadership, then even if there is a fraud event or a violation of company policy regarding fraud, online gambling or sexual harassment in the workplace, it will not be detected. Security and fraud violations that are not detected cannot be used for corrective action and future deterrence. [Source]

US – ONC to Revise Model Privacy Notice for PHRs

The Office of the National Coordinator for Health IT is calling for comments and recommendations to inform its revision of the model privacy notice for personal health records. The current model privacy notice is applicable through September 30, the report states. [FierceEMR]

US – HIMSS Issues Recommendations for “Medical Banking”

The Health Information and Management Systems Society has issued a set of recommendations to guide financial institutions managing revenue for healthcare organizations. Released as a whitepaper, the guidelines aim to help financial institutions involved in “medical banking” to comply with HITECH’s added security and privacy requirements. Recommendations include selecting a privacy officer, updating workforce training and considering data privacy and security accreditation or certification by an independent third party. The paper states, “As customers of financial institutions, healthcare providers and payers need assurances that financial institutions can safeguard protected health information with appropriate technology systems, infrastructure and procedures for risk management and incident management.” [Source]

US – EHR Stage 2 Final Rules Call for Encryption

This week saw the release of the two final rules for Stage 2 of the HITECH Act’s electronic health record (EHR) incentive program. The Department of Health and Human Services rules, which address meaningful use and software certification, are scheduled to be published in the Federal Register on September 4. The meaningful use rule includes requirements for risk assessment analysis addressing encryption of data stored in certified EHR technology, while the software certification rule requires EHR software “be designed to encrypt, by default, electronic health information stored locally on end-user devices,” the report states. A recent whitepaper, meanwhile, cautions against securing personal health information on portable devices. [GovInfoSecurity] [Meaningful Use Rule] [Software Certification Rule]

US – Experts “Mostly Pleased” with HITECH Stage 2 Provisions

Privacy and security experts are “mostly pleased” with the provisions included in Stage 2 of the HITECH electronic health record (EHR) incentive program. One provision requires EHR software be designed to encrypt medical records stored on devices by default, which Rebecca Herold says “will ultimately improve protection of patient information.” Two other provisions—receiving mixed reviews from the experts—include a risk assessment rule mandating security updates, but not specifically encryption, and a patient access rule requiring that five percent of discharged patients access their EHRs within a specified time period—down from 10% in the proposed rule. [Source]

Horror Stories

UK – Data Breaches in UK up More than Tenfold in Five Years

The UK Information Commissioner’s Office (ICO) says that over the past five years, data security breaches in the UK have increased more than 1,000 percent. The figure is slightly higher for local government breaches, and slightly lower for National Health Service (NHS) breaches. The dramatic increase may be attributable in part to organizations reporting more breaches than they have in the past because of increased awareness and legal requirements to keep personal data safe. Telecommunications is the only sector that showed a decline in the number of breaches reported over the given period of time. [BBC] [v3.co.uk]

AU – Cyber Thieves Steal Half a Million Australian Credit Card Numbers

A cyberattack has resulted in the theft of 500,000 credit card numbers in Australia. The incident occurred at an unnamed business in Australia and appears to be the work of hackers located in Eastern Europe. They allegedly placed keystroke loggers on point-of-sale (POS) terminals and remotely downloaded the information. The unnamed company was using default passwords on the POS terminals and stored transaction data unsecured. The thieves appear to have used an unsecured Microsoft Remote Desktop Protocol (RDP) to harvest the data. The people behind the attack are believed to be the same ones that conducted a similar attack in the US on Subway sandwich restaurants. Police are investigating the incident. [WIRED] See also: [Class-Action Filed Against Eastern Health] and [When Cybercrime Isn’t Treated as a Crime: Why Not Report Credit-Card Account Theft to Local Cops?]

US – Thumb Drive Prompts Notifications, Feds Arrest Former ER Worker

A cancer center in Texas is notifying 2,200 patients that a missing thumb drive contained their personal details. CMIO reports that it’s the third breach this year for the University of Texas MD Anderson Cancer Center in Houston. Meanwhile, federal officials have arrested a Florida man for selling the medical records of patients of Florida hospitals. Dale Munroe, who worked in the emergency room at Florida Hospital Celebration before he was fired last year, is accused of accessing and selling the records of more than 700,000 patients, according to the report. [Source]

US – Hackers Publish Stolen Data; Breaches Hit Two Orgs

A hacker collective calling itself Team GhostShell has allegedly accessed and published one million records taken from banks, government agencies and other firms and is warning of further leaks. A security expert said it is “a pretty significant breach.” In a separate incident, a Cancer Care Group laptop containing personal information of approximately 55,000 individuals was stolen from an employee in July. Meanwhile, the University of Rhode Island has disabled a server after it was discovered that the personal information of more than 1,000 faculty and staff was publicly available. [CNET News]

UK – UK Information Commissioner Investigating Tesco Website Security

The UK Information Commissioner’s Office (ICO) is investigating Tesco for alleged inadequate security practices. The retail company allegedly stores its website login and password data unhashed and unsalted. Some of the site’s pages do not use HTTPS, and the company emails users’ passwords in plaintext. Some have noted that it is unusual for the ICO to become involved when a breach has not occurred. [SCMagazine] [BBC] [ComputerWeekly]

Identity Issues

WW – Dropbox Implements Two-Factor Authentication

Dropbox has implemented two-factor authentication for Windows, Mac, and Linux users. Earlier this summer, the company said it would take steps to better protect customers’ data after hackers managed to hijack an employee’s account, access some customer email addresses, and send them spam advertising gambling sites. Dropbox attributed the attack to an employee who used the same password for his work account as for another account elsewhere, which had been compromised earlier. Dropbox will now provide users with one-time security codes, either sent to their phones in a text message, or generated with a mobile authenticator app. Users say the plan still has some problems that need to be worked out. [Krebs] [InformationWeek] [The Register] See also: [Do authentication questions really protect you?]

Law Enforcement

US – License Plates Scanned at Border, Data Shared With Car Insurance Group

As public scrutiny continues to mount against the use of license plate readers (LPRs) across the country, the Electronic Privacy Information Center (EPIC) has now released government documents showing that such data, which includes precise GPS location, date, and timestamps, in addition to the plate in question, are shared with an auto insurance umbrella organization. The documents, published this week as the result of a Freedom of Information Act (FOIA) request, include a six-page memorandum of understanding (MOU) from 2005 between the National Insurance Crime Bureau (NICB) and the United States Customs and Border Protection (CBP) agency. The NICB is a nonprofit organization funded by hundreds of American auto insurance corporations around the country, which “partners with insurers and law enforcement agencies to facilitate the identification, detection, and prosecution of insurance criminals.” The revelation has certainly raised some eyebrows, but the NICB now says that while insurance companies are members of the organization, they do not automatically gain access to the LPR data. Roger Morris, the NICB’s chief communications officer, clarified by e-mail that only authorized “Special Investigations Units” personnel from NICB member companies have access to such data “for theft prevention activities.” Every 24 hours, the NICB receives an electronic data transfer from all border stations, providing LPR details on all cars that have crossed in and out of the country. Mainly, the NICB says it’s looking for cars that have been (possibly fraudulently) reported stolen, but were spotted at a border. Morris added that the CBP’s LPR data—“roughly 15 million reads a month”—is kept for 12 months. That means the CBP makes approximately 500,000 LPR reads at the borders every single day, and passes that data along to the NICB.
The MOU also allows the NICB to sub-contract management of this data to a “data processing service,” and requires that any misuse of the LPR data be reported to the NICB, and then reported on to the CBP. “In short, US Customs is granting a private company access to what it admits is ‘highly sensitive commercial, financial, and proprietary information,’ and then further allowing the private company to outsource the management of that ‘highly sensitive’ data to yet another private company,” wrote the ACLU Massachusetts. “The only auditing and accountability mechanisms required are self-policing and self-reporting. These documents reveal a growing problem that extends far beyond the management of license plate data. The government is increasingly collecting vast quantities of information about ordinary people accused of no crime, and increasingly it is relying on private contractors to manage, sort, and analyze this data looking for crime or even ‘pre-crime’ trends. The sharing of our license plate data with private companies should be viewed as but one troubling example of this much larger problem.” [Source]

US – Dealer uses MPLS License Plate Data in Car Repo

A South St. Paul car dealer used data stored by Minneapolis police license plate scanners to repossess a car, likely the first time the records have been used by a business in Minnesota. The data’s value for a repo man illustrates just one of the potential applications of Minneapolis’ massive database chronicling patterns of vehicles on its streets. Some privacy advocates fear that data could eventually be used for more sinister purposes. Minneapolis deploys 10 license plate readers, eight of them mounted on police cars and traffic enforcement vehicles, that scan thousands of license plates each day and store their locations – 4.9 million so far in 2012. Their primary use is to help police on patrol identify wanted vehicles in real time. [Source]

US – 6 Years of Spying on NY Muslims Didn’t Generate a Single Terror Lead: NYPD

In more than six years of spying on Muslim neighbourhoods, eavesdropping on conversations and cataloguing mosques, a secret unit of the NYPD never generated a lead or triggered a terrorism investigation, the department acknowledged in court testimony. The demographics unit is at the heart of a police spying program, built with help from the CIA, which assembled databases on where Muslims lived, shopped, worked and prayed. Police infiltrated Muslim student groups, put informants in mosques, monitored sermons and catalogued every Muslim in New York who adopted new, Americanized surnames. Police hoped the unit would serve as an early warning system for terrorism. And if police ever got a tip about, say, an Afghan terrorist in the city, they would know where he was likely to rent a room, buy groceries and watch sports. But in a June 28 deposition as part of a long-standing federal civil rights case, Assistant Chief Thomas Galati said none of the conversations the officers overheard ever led to a case. [The National Post]

Location

US – Location Privacy Act Passed in California

California state legislators have passed a new bill requiring law enforcement agencies to obtain a warrant before collecting any GPS or location data from cell phones or smart phones. The Location Privacy Bill 2012, which was sponsored by the EFF and the ACLU, has now been passed on to California Governor Jerry Brown for signing into law. In a statement the EFF said it “urge[s] Governor Brown to have California take the lead on this issue and sign SB 1434,” and that it “strikes a sensible balance between keeping the public safe and preserving our privacy.” Brown vetoed a similar initiative in 2011, however. Earlier this week, California passed a bill protecting students from having to provide access to their social media accounts. [ZDNet] [ArsTechnica]

US – Missouri Tracking Law Challenged in Court

A new cellphone tracking law recently passed in Missouri is being challenged in court on assertions that it conflicts with federal law. Missouri’s law makes it easier for police to track users’ cellphone locations in cases of emergency. According to a lawsuit filed Monday, the law should be overturned under the supremacy clause of the U.S. Constitution. The suit seeks a restraining order or injunction and class-action status, the report states. The attorney who filed the suit said, “If I take my cellphone to California, I have more rights. If I use my cellphone in Missouri, I have less rights. So really it comes down to a privacy issue.” [Associated Press]

Offshore

IN – India Pushes Sites to Remove ‘Inflammatory’ Content

India pressed social media websites including Facebook and Twitter to remove “inflammatory” content it said helped spread rumors that caused an exodus of migrants from some cities. The government said in a statement it had already blocked access to 245 web pages it said contained doctored videos and images, and the telecommunications secretary, R Chandrashekhar, threatened legal action against the websites if they did not fully comply with the requests to take down the offending pages. [Reuters]

Online Privacy

US – Advocates Ask FTC to Investigate; FTC Extends COPPA Deadline

A group of advocacy organizations has asked the Federal Trade Commission (FTC) to investigate several viral campaigns aimed at children. The Center for Democracy & Technology—along with 16 advocacy groups—has sent a letter to the FTC with five complaints about the campaigns alleging they violate COPPA. “Such tell-a-friend campaigns, a powerful form of word-of-mouth marketing traditionally directed at teens and adults, are inherently unfair and deceptive when aimed at children,” the complaint states, noting, “The practices also violate existing privacy laws for children.” Meanwhile, the FTC announced it is extending the deadline for public comment on proposed modifications to COPPA. [ZDNet]

US – Child Advocates Ask FTC to Investigate Viral Marketing Aimed at Kids

A coalition of nearly 20 children’s advocacy, health and public interest groups focused on children’s health and privacy has asked the US Federal Trade Commission (FTC) to investigate online viral advertising programs that exploit commercial appeal to children. The groups say that the “tell-a-friend” features used by McDonald’s, General Mills, Turner Broadcasting and other companies violate the Children’s Online Privacy Protection Act (COPPA), which became law in 2000, because the actions are taken without adequate parental notification and without parental consent. A Georgetown law professor and legal counsel for the Center for Digital Democracy said that the FTC should put an end to the “commercial exploitation of children.” [WIRED] [CNET] [MSNBC] [New York Times]

US – Judge Rejects Facebook Sponsored Stories Proposed Lawsuit Settlement

A US District Court judge in California has rejected the proposed settlement of a lawsuit brought against Facebook over its Sponsored Stories feature. The lawsuit was filed by five Facebook users and is seeking class action status on behalf of as many as 100 million users; it alleges that Facebook violated users’ rights by using their images in Sponsored Stories. The settlement would allow adults to limit how their images are used in Sponsored Stories; minors would be able to opt out altogether. The settlement would have Facebook change its Statement of Rights and Responsibilities and provide users with more information about how their names and pictures are used with Sponsored Stories. The settlement would also give users more control over their data. The proposed settlement would have Facebook pay US $10 million to Internet privacy organizations and pay attorney’s fees of up to US $10 million. Judge Richard Seeborg said he had “serious concerns” about the settlement, asking why Facebook should not be asked to pay US $100 million, because it seemed as though the legal team was making money on the case, but the users they were representing were not receiving much in return. [WIRED] [ComputerWorld] See also: [Facebook cleanses pages of fraudulent “Likes”]

EU – Consumer Group Tells Facebook to Fix App Centre

The Federation of German Consumer Organizations “believes Facebook is violating privacy laws with its new app center and has set a deadline for the social network…to fix it or potentially face legal action.” The group contends the app center gives third-party applications users’ information without their knowledge. “It will consider legal action against Facebook if the site fails to fix the problem by September 4,” the report states, noting the deadline follows plans by Hamburg’s data protection commissioner to “reopen his investigation into Facebook’s policies on tagging photos, retaining and deleting data and the level of control users have over their information.” [Reuters]

US – Twitter Appeals Court Decision

Twitter has filed an appeal with the New York State Supreme Court to overrule a lower court order for the company to disclose an Occupy Wall Street protester’s tweets. The American Civil Liberties Union has filed a brief in support of the company, saying, “We are hopeful that Twitter’s appeal will overturn the criminal court’s dangerous decision and reaffirm that we retain our constitutional rights to speech and privacy online as well as offline.” [The Hill] [Twitter and your privacy] [Expert: Case Shows “Privacy Is Big Business”]

WW – Your Old Tweets Resurface with Twitter’s Data Reseller Partners

Twitter has announced its Certified Partners Program. There are currently 12 partners in the program, and they specialize in one of three categories: engagement, analytics, and data resellers. Twitter says that the certifications will “make it easier for businesses to find the right tools.” Three of the 12 partner companies–Topsy, DataSift, and Gnip–are data resellers, which means they provide access to all publicly available tweet content over several years (what Twitter calls the “Firehose”). Before data resellers like these existed, your old tweets–even public ones–would become buried as you continued to pile new ones on top of them. They’d be inaccessible after 30 days. Now, companies like DataSift have unlocked this previously inaccessible archive of every Tweet ever made in the past several years. The company collects about 250 million tweets every day, analyzing the things people talk about, the words they use, their geographic location, and even whether their tone seems negative or positive. Aside from leaving Twitter altogether, there are two ways to protect yourself from Twitter’s data resellers. 1. Go back and delete old tweets: Unlike when you’re looking for someone else’s Tweets, you can always see your own without any expiration date. DataSift is required to regularly update its files to remove Tweets that have since been deleted. 2. Set your tweets to private by protecting them: Protected tweets aren’t part of Twitter’s public stream and data resellers can’t collect them. You’ll know that a user’s Tweets are protected when you see a little lock icon next to their avatar. [Source] [Comment from PogoWasRight] See also: [DIGITAL WILL: How to share your data after death]

US – Social Media Privacy for College Athletes? California Senate Says Yes

California’s Senate has unanimously approved legislation to bar colleges and universities from requiring students to provide administrators with access to their social media usernames and passwords. Governor Jerry Brown now must sign or veto the bill by Sept. 30. California is not the first state to pass legislation protecting social media privacy for students. In March, Maryland’s Senate passed a bill to prevent public colleges and universities in the state from requiring students including athletes to provide access to their social accounts. [Source]

Other Jurisdictions

PH – Data Privacy Law Signed

President Benigno Aquino has signed the Data Privacy Act 2012. The bill is also known as “An Act Protecting Individual Information in Information and Communication Systems in the Government and the Private Sector.” The bill is based on the European Directive and requires data security standards by business process outsourcers. The president did not veto any of the bill’s provisions, the report states. Some lawmakers have said the law will spur investment in the Philippines. [ABS-CBN News] [GovInfoSecurity] [Philippines: BPO companies more bullish after signing of data privacy law] see also: [Rwanda: Proposed Communications Intercept Law – Is Our Privacy Adequately Protected?]

CN – Cabinet OKs Draft Data Protection Bill Changes

China’s Executive Yuan has approved draft legislation that seeks to make improvements on a 2010 amendment to the Personal Data Protection Act. The proposed changes would require data collectors to inform consumers prior to processing such data. The bill will go before the Legislative Yuan for final approval, the report states. [The China Post]

AU – ACC Report Issued, Commissioner Urges Culture Change

An independent report on New Zealand’s Accident Compensation Corporation (ACC) has revealed that a data breach was due to “human error” but also “systemic weaknesses within ACC’s culture, systems and processes.” Commissioned by New Zealand Privacy Commissioner Marie Shroff, the Independent Review of ACC’s Privacy and Security Information was undertaken by KPMG and former Australian Privacy Commissioner Malcolm Crompton. Shroff said the ACC “has elements of privacy protection and security” in place, but they “are not up to the standard expected” of such an organization, adding that a “culture change” will be necessary, starting “right at the top.” Meanwhile, State Services Commissioner Iain Rennie urged vigilance by public servants processing personal data. [Press Release] [Report]

Privacy (US)

US – Magistrate Says Video Privacy Law Applies to Digital Content

A US federal magistrate has ruled that information collected about which videos people watch online is protected under US privacy law, possibly putting Hulu on the spot for sharing users’ viewing habits with third parties. US Magistrate Laurel Beeler ruled that the Video Privacy Protection Act of 1988 applies to Hulu. Hulu argued, unsuccessfully, that the law applies only to video rental stores, not video streaming services. Beeler wrote that, despite Hulu’s assertion that the VPPA does not specifically cover digital distribution, “Given Congress’s concern with protecting consumers’ privacy in an evolving technological world, the court rejects that argument.” [WIRED]

US – Administrative Subpoenas Raise Questions

Administrative subpoenas, which carry the signature of a federal official but not that of a judge, require telecommunications companies, Internet service providers, banks, bookstores, hospitals, and utility companies in the US to “turn over” customer records if the US Drug Enforcement Administration (DEA) or agents from other government departments believe the information is relevant to an investigation. The DEA obtained the power through a piece of 1970 legislation; that agency is believed to be one of the major users of administrative subpoenas. A DEA spokesperson said that the agency does not keep a database of the administrative subpoenas it issues. There are reportedly more than 300 US statutes that allow federal officials to bypass Fourth Amendment protections by issuing these subpoenas; government agencies are not obligated to disclose the frequency with which they use administrative subpoenas. Administrative subpoenas can be issued not only for drug investigations, but also for hazardous waste disposal, atomic energy, child exploitation, medical insurance fraud, student loans, and other investigations. [WIRED]

US – 2012 Republican Convention: GOP adopts Internet freedom plank

The platform the Republican party adopted includes language to protect Internet freedom, something that lawmakers and interest groups on both sides of the aisle have been calling for in recent months. The Republican plank focuses on removing regulation around technology businesses and includes language that would protect personal data online from the government. The platform language also says that the party will “resist any effort” to move Internet governance away from its current multi-stakeholder model in favor of international or “intergovernmental” organizations. There has been some discussion of handing more control of the Web to the United Nations, as reported in May. The proposal is being championed by China, Russia and some Arab states but has gathered vocal critics from technology companies such as Google, Microsoft, Verizon and Cisco, who say such a plan would create financial risks to their businesses. The GOP platform also specifically criticized the Federal Communications Commission, saying that the agency’s net neutrality rule and other regulations show the Obama administration is “frozen in the past.” The platform proposes that the federal government inventory its spectrum to discover how much of it could be auctioned to the public. [Source]

US – Privacy Worries Surround UN Internet Regs

“What would online privacy look like if the United Nations (UN) regulated the Internet?” queries Mathew J. Schwartz. “That’s one question on the minds of privacy advocates as the International Telecommunications Union—a UN agency based in Geneva, Switzerland, that regulated telecommunications and IT issues—approaches the task of helping the UN decide if it should exert more control over Internet governance,” Schwartz writes. According to the report, some proposals “have technologists and—at least in the United States—legislators up in arms, leading to allegations that the renegotiated treaty could allow countries such as China and Russia to more easily censor the Internet.” [Privacy worries surround UN Internet regulations]

US – Sens. Call on Obama to Issue Cybersecurity Order

At least two senators have called on the Obama administration to issue an Executive Order on cybersecurity after Congress failed to pass legislation on the issue. In an open letter to the White House, Sen. Dianne Feinstein (D-CA) wrote, “our critical infrastructure, our financial hubs and our ability to defend the nation are at risk; we must take action to address these vulnerabilities as soon as possible.” Feinstein did note that the administration does not have power to offer legal certainty or protection to firms that share cybersecurity data with the government, the report states. Meanwhile, some experts say impending cybersecurity initiatives further prompt the need for the Privacy and Civil Liberties Oversight Board. [Hogan Lovells’ Chronicle of Data Protection]

US – SEC Cyber-Disclosure Guidance Becoming Standard

The Securities and Exchange Commission (SEC) cyber-disclosure guidance has “become de facto rules for at least six companies” including Google and Amazon. According to letters sent by the SEC, the companies were asked to, in future filings, disclose to investors if systems had undergone a cyberattack. Companies have expressed concerns that such admissions can hurt reputations, provide competitors with important information or give rise to consumer litigation, the report states. In its deliberations on cybersecurity legislation, Congress has assessed ways to encourage firms to disclose data breaches, including a voluntary reporting system. [Bloomberg]

US – CA PUC Approves Gas Meter Privacy Protections

The California Public Utilities Commission has unanimously agreed to new rules governing the protection and use of consumers’ data captured from gas meters. Two commissioners described the protections as being balanced, enabling both consumer protections and the “responsible use of consumer information,” according to the report. The rules allow covered entities certain rights around the collection, use and disclosure of the data. [Solid State Technology] [US – As Smart Grid Grows, Privacy Concerns Proliferate]

Privacy Enhancing Technologies (PETs)

WW – Researchers Hack Brainwaves to Reveal PIN Numbers, Other Personal Data

A team of security researchers from Oxford, UC Berkeley, and the University of Geneva say that they were able to deduce digits of PIN numbers, birth months, areas of residence and other personal information by presenting 30 headset-wearing subjects with images of ATM machines, debit cards, maps, people, and random numbers in a series of experiments. The paper, titled “On the Feasibility of Side-Channel Attacks with Brain Computer Interfaces,” represents the first major attempt to uncover potential security risks in the use of the headsets. “The correct answer was found by the first guess in 20% of the cases for the experiment with the PIN, the debit cards, people, and the ATM machine,” write the researchers. “The location was exactly guessed for 30% of users, month of birth for almost 60% and the bank based on the ATM machines for almost 30%.” To detect the first digit of the PIN, researchers presented the subjects with numbers from 0 to 9, flashing on the screen in random order, one by one. Each number was repeated 16 times, over a total duration of 90 seconds. The subjects’ brainwaves were monitored for telltale peaks that would rat them out. The EEG headsets, made by companies such as Emotiv Systems and NeuroSky, have become increasingly popular for gaming and other applications. [Source]

RFID

TX – Rebellion Erupts Over School’s Student-Chipping Plan

A rebellion is developing in Texas against a plan by a school district in San Antonio that would monitor the exact location and activities of all students at all times through RFID chips they are being ordered to wear. School district officials did not respond to a request for comment, but the developing furor comes only days after a coalition of civil rights and privacy organizations publicly stated their opposition to “spychipping” the students. A “position paper” from groups including the American Civil Liberties Union, Electronic Frontier Foundation, Big Brother Watch, Citizens’ Council for Health Freedom, Constitutional Alliance, Freedom Force International, Friends of Privacy USA, the Identity Project and Privacy Activism said no students should be subjected to the “chipping” program “unless there is sufficient evidence of its safety and effectiveness.” “Children should never be used as test subjects for technology, no matter what their socio-economic status. If schools choose to move forward without complete information and are willing to accept the associated liability, they should have provisions in place to adhere to the principles of fair information practices and respect individuals’ rights to opt out based on their conscientious and religious objections,” the statement said. The paper said RFID tracking is dehumanizing, since it can “monitor how long a student or teacher spends in a bathroom stall.” The plans also violate free speech and association, since the presence of a tracking device “could dissuade individuals from exercising their rights to freedom of thought, speech and association. For example, students might avoid seeking counsel when they know their RFID tags will document their presence at locations like counselor and School Resource Officer offices.” It argued that the technology also violates religious freedom and could be subject to unauthorized use. 
“While RFID systems may be developed for use in a school, the RFID tags may be read covertly anywhere by anyone with the right reading device. Since RFID reading devices work by silent, invisible radio waves and the reading devices can be hidden, unauthorized or covert uses can be nearly impossible to detect,” the report said. “A student’s location could be monitored from a distance by a jealous girlfriend or boyfriend, stalker, or pedophile.” [Source]

Security

US – Data Security Now a Main Concern for US Boardrooms: Survey

An annual survey of 11,000 public company directors and 2,000 general counsels shows that for the first time data security is now a prime concern for US boards. The survey, conducted by advisory firms Corporate Board Member and FTI Consulting, shows that over half (55%) of general counsels surveyed rate data security as a major concern while 48% of the directors surveyed felt the same. A similar survey in 2008 found that only 25% of directors and 23% of general counsel noted data security as a high area of concern, which reflects a doubling of this concern in four years. TK Kerstetter, President, Corporate Board Member, said about the results, “While a number of companies are taking steps to become more educated on IT risks, the fact is that not enough are taking the appropriate actions to fully prepare their organization.” He went on to say, “I think it is going to take several well-publicized security breaches before a majority of corporate boards finally embrace the fact that doing business today without a prudent crisis plan in place is a formula for disaster.” [ComputerWorldUK] [Yahoo!]

Surveillance

WW – Researchers Find Spyware Being Used by Police in Countries Around the World

Researchers have found evidence suggesting that governments in several countries around the world are using spyware sold by UK company Gamma International. The spyware, known as FinSpy, can monitor calls and report back about calls and GPS location; record Skype sessions on PCs; log keystrokes; and take control of cameras and microphones. The researchers found the spyware while investigating email attachments sent to Bahraini activists. FinSpy can infect PCs and “a broad range of smartphones.” Research conducted elsewhere found FinSpy command-and-control servers in Indonesia, Australia, Qatar, Ethiopia, the Czech Republic, Estonia, Mongolia, Latvia, UAE, as well as one in the US running on Amazon cloud systems. Shortly after the research was published, several of those servers were shut down. [The Register] [Source] [Software Meant to Fight Crime Is Used to Spy on Dissidents]

UK – Surveillance Device Uses Wi-Fi to See Through Walls

Researchers in England have created a prototype surveillance device that can be used to spy on people inside buildings and behind walls by tracking the frequency changes as Wi-Fi signals generated by wireless routers and access points bounce off people as they move around. The device, which is about the size of a suitcase and has two antennae and a signal processing unit, works as a “passive radar system” that can “see” through walls, according to PopSci.com. It was able to successfully determine the location, speed, and direction of a person behind a one-foot-thick brick wall, but cannot detect people standing or sitting still, the article said. The U.K. Ministry of Defence is looking into whether the device, designed by Karl Woodbridge and Kevin Chetty of University College London, can be used in “urban warfare” for scanning buildings, PopSci reported. The paper on the research, “Through-the-Wall Sensing of Personnel Using Passive Bistatic WiFi Radar at Standoff Distances,” appeared in the April issue of Geoscience and Remote Sensing, IEEE Transactions. [Source]

Telecom / TV

AU – Telstra Charges Crime Victims for Privacy

Consumer advocates have called for Australia’s largest telecommunications provider to stop charging victims of crime to keep their addresses out of the public phone directory. Both Choice and the Australian Communications Consumer Action Network have criticised Telstra for charging a monthly fee for silent home phone numbers, even though the Australian Law Review Commission recommended the law be changed to stop carriers charging for the service. Despite the recommendation, the law has not been changed and Telstra charges users $2.93 monthly to keep numbers out of the White Pages. ACCAN spokeswoman Elise Davidson said the ongoing fee was an “unfair practice” that affected the country’s most at-risk telephone users. [Source]

AU – Tax Office Wants Access to Real-Time Data

The Australian Tax Office (ATO) is asking for changes to the nation’s phone-tapping laws so investigators can intercept data in real time. The office has access to stored communications such as voice mail, e-mail and SMS messages under the Telecommunications (Interception and Access) Act 1979, the report states. “Access to real-time telecommunications data would enable our investigators to quickly identify those involved in suspected fraud, establish an association between two or more people, prove that two or more people have communicated at a particular time and by what means or show that a person was at a location at a particular time,” said the ATO. [iTnews]

US Government Programs

US – White House Considering Establishing Cyberthreat Information Sharing Program

A draft document circulating in the White House suggests that the President may be considering a new program that would protect government and private industry computer networks that are part of the country’s critical infrastructure from cyberattacks. The program would call for the government to establish a continuous threat collection and information dissemination system. The program is being considered in lieu of legislation, as lawmakers have been unable to come to any agreement on a cybersecurity bill. The draft “is not close to being done,” according to a White House spokesperson. The document indicates that the program would aim for “a near-real-time common operating picture” for critical infrastructure threats and establish “strong cooperation” between government and private sector entities. [Business Week]

US – Interior Dept. Seeking Cloud Tool Capable of Wiping Mobile Devices Remotely

The US Department of the Interior has issued a request for information (RFI) seeking a tool that would allow the agency to remotely update, monitor, shut down, or wipe employees’ mobile devices, even when they are overseas. The product sought would have to work on Apple, Android, BlackBerry and Windows mobile devices; the agency prefers cloud-based tools. Just one compromised device could infect other portions of the department’s computer systems. A 2011 study from the Government Accountability Office (GAO) noted that the Interior Department had not put in place “effective controls to prevent, limit, and detect unauthorized access to its systems” nor had it “manage[d] the configuration of network devices to prevent unauthorized access and ensure system integrity.” The RFI wants tools that can determine when a mobile device is being compromised. The Interior Department is seeking to have proposals submitted by September 7, 2012. [FCW] [NextGov] [FBO]

US Legislation

US – Bills to Watch

In California, Assembly Member Fuentes’ bill (A 2055) continues its progress through the California Senate and is now on the consent calendar. The bill contemplates allowing a search warrant to be issued when the information to be received from the use of a tracking device constitutes evidence that tends to show: a felony has been committed or is being committed; that a particular person has committed a felony or is committing a felony; or will assist in locating an individual that has committed or is committing a felony. As proposed, the bill requires that a search warrant identify the person or property to be tracked and limits the time that the device may be used to a specified number of days. The bill also requires execution of the warrant within 10 days.

Likewise, Senator Leland Yee’s Social Media Privacy Act (S 1349) has progressed to the Assembly’s consent calendar. The bill would prohibit a postsecondary educational institution from requiring, or from formally requesting in writing that a student or prospective student disclose the user name and account password for a personal social media account, or provide the institution with access to any content of that account.

In Michigan, Sen. Richard Jones introduced a bill (S 1228) that would create a Do Not Call list for political calls. “Robo calls are disruptive, and they always seem to come at dinnertime or in the middle of a ball game,” said Jones. “If a candidate or volunteer wants to contact a voter directly, this measure will not prevent them from doing so. This legislation simply gives citizens a choice whether or not they want to receive automated phone calls.”

In New York, two bills previously reported as awaiting signature have now been enacted. A 8992 prohibits non-governmental entities from requiring individuals to provide their social security number, unless for one of several designated purposes. And A 10569 prohibits telemarketers – regardless of where they are located – from delivering pre-recorded messages by telephone without the consent of the recipient. In addition, this measure will require outbound, pre-recorded sales calls to provide the recipient with a key-press or interactive voice response to be placed on the “do not call” list, as well as immediately disconnect the call. In the event of a voicemail, outbound sales calls will also have to deliver a message with a toll free number for recipients to call to have their names removed from the call list.

In the United States Senate, Senator Johanns of Nebraska introduced a bill (S 3467), which would enact a moratorium on aerial surveillance conducted by the Administrator of the Environmental Protection Agency. The EPA currently uses these flights to determine compliance with the Clean Water Act.

Workplace Privacy

CH – Former Swiss Bank Employee Arrested in Connection with Customer Data Leak

An employee at a private Swiss bank has been arrested for allegedly stealing data from the institution. An internal investigation turned up evidence of data abuse and an alleged perpetrator was identified. The suspect is a Zurich-based employee of the Julius Baer bank; he has been fired and was subsequently arrested. The bank has contacted customers in Germany who may have been affected by the incident. The stolen data were found on a CD that is now in the possession of German tax investigators. A German magazine recently reported that tax investigators raided the homes of several Julius Baer clients in Germany in connection with allegations of untaxed funds being held in Swiss bank accounts. [Bloomberg] [Swissinfo]

CH – Data Disclosure Angers Swiss Bank Employees

Employees at several Swiss-based banks have expressed disapproval over the disclosure of their personal information to U.S. authorities investigating American tax evaders, The Wall Street Journal reports. In some cases, employees were not told of the handover or were told but not allowed to review the data. The Swiss government, in order to avoid an indictment of its banks, allowed banks to share data of thousands of employees with the U.S. Department of Justice. A Zurich University professor said, “The Swiss should offer whatever help is required for the U.S. to track down tax dodgers, but they should make clear that they will do so within the country’s legal framework.” [Wall Street Journal]

+++

Privacy News Highlights: 01-20 August 2012

Biometrics

US – FBI to Provide Facial Recognition to Law Enforcement

An FBI initiative will provide law enforcement agencies free facial recognition software. The new software will help agencies match suspects to the FBI’s biometric database of 12 million mug shots. In his annual report to Congress, Office of the Director of National Intelligence Information Sharing Environment Program Manager Kshemendra Paul wrote, “Later this summer, the FBI will deploy the Universal Face Workstation software, a free-of-charge client application that will provide users with the tools for conducting and managing facial/photo searches with a minimal resource investment.” [NextGov] See also: [US – Senator Franken: Facial recognition may need regulating]

WW – Biometric Recognition Systems Becoming Ubiquitous

Naomi Wolf reports on the growing use of biometric identifying systems in the public space. Wolf writes that she witnessed the installation of facial recognition cameras in several Manhattan public venues, allegedly allowing “police to watch video that is tagged to individuals, in real time.” Last week, New York City officials unveiled a system that “links existing police databases with live video feeds, including cameras using vehicle license plate recognition software,” she writes, adding, “In the name of ‘national security,’ the capacity is being built to identify, track and document any citizen constantly and continuously.” [The Guardian]

WW – Consumer ID Cameras Introduced, Raise Concerns

A U.S.-based company is rolling out facial recognition services for businesses wanting to offer more specified deals to customers. Facedeal users opt in to the service by uploading photos of their faces via Facebook, allowing the service to track users’ shopping habits at businesses using the technology. The creation of a database comprised of faces has raised red flags for Ontario Information and Privacy Commissioner Ann Cavoukian. In addition to data security concerns, she warned, “You don’t know where the information is going to end up, and I always say, beware of unintended consequences.” [The Ottawa Citizen] [Source]

Canada

CA – ‘Unprecedented’ Breach of Privacy at Elections Ontario

The recent investigation by Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, into the Elections Ontario breach, which lost the information of over 2.4 million voters from the 2011 general election, should be a summer must-read for every bureaucrat coast to coast. The 30-page-plus admonishment of election officials is unnerving, considering the missing information is a “goldmine” for identity thieves. Cavoukian called it an “unprecedented privacy breach” and lambasted Elections Ontario for failing to implement privacy safeguards in any meaningful way. In other words, they ignored their own policies. [Source] [Investigation Report]

CA – Feds’ Collection, Transfer of Online Data Cause for Concern: Privacy Watchdog

Canada’s privacy watchdog is raising red flags over the way the government handles data from people who visit their web sites. Newly-released documents suggest Privacy Commissioner Jennifer Stoddart was caught off guard when she learned last year that departments and agencies were independently collecting and storing data from people who visited their sites and, in some cases, transferring that information across borders to third parties such as Google. Stoddart’s four-page letter to Clement sent last year meticulously lays out her concerns about the privacy risks of web analytics — the practice of collecting and analyzing data from computers that visit a particular site, in an effort to determine how users interact with it. Coordinating and collecting the data that comes from web traffic can be time-consuming and laborious, which has prompted more than 40 government departments to rely on Google Analytics. Uncertainty concerning how information is treated once it leaves the government’s hands prompted Stoddart to ask that Clement place a moratorium on transferring Canadians’ data to third parties “particularly those located outside of Canada, until the privacy implications of such practices are fully addressed.” One of Stoddart’s main concerns stems from the fact that Treasury Board has neither assessed the privacy impacts of web analytics nor set up government-wide guidelines. Because of that, each federal department and agency is free to decide how it collects data, how the data is stored, and whether that information is transferred. Although a moratorium was not issued, the minister asked that the government develop minimum requirements to help inform departments on the safest ways to set up web analytics to diminish privacy concerns, a spokesman for Clement wrote. [Source] See also: [Canadian spy agency disciplines employees over security policy breaches]

CA – BC First Responder Protection Law Clashes with Privacy Rights

The B.C. Information and Privacy Commissioner is slamming a law aimed at ensuring that provincial first responders have more peace of mind for their health and safety. Elizabeth Denham says the Emergency Intervention Disclosure Act has a “serious impact on the privacy rights of individuals.” Bill 39, which was passed in May, allows police officers, firefighters and paramedics to seek court orders to access someone else’s medical records if the first responder has come into contact with bodily fluids. Denham says that the bill will not be useful, as there are “very few instances where emergency responders contract communicable diseases.” “Government should only contemplate a privacy intrusion of this nature where there is a significant demonstrated need,” she wrote in a letter to Margaret MacDiarmid, minister of labour, citizens’ services and open government. “Any initiative that limits (an individual’s right to control their bodily integrity) must strike a balance between the reasonableness of restricting an individual’s liberties with the commensurate need to infringe them. I do not see such a balance within Bill 39.” [Source]

CA – Conviction for a Privacy Breach: Councillor Skakun and Breaches of FOIPPA

The BC Supreme Court has affirmed the conviction of Prince George Councillor Brian Skakun in a prosecution for breaches of the Freedom of Information and Protection of Privacy Act (FOIPPA). This case has implications for public employees and officials with respect to the handling and disclosure of personal information. Councillor Skakun was convicted on May 24, 2011 because he released a City investigation report into interpersonal workplace conflict involving civilian staff working in the City’s RCMP detachment. Councillor Skakun appealed his Provincial Court conviction to the Supreme Court on a number of grounds, including bias by the Judge and that he was not afforded due diligence or whistleblower defences. Councillor Skakun also argued that the trial Judge was wrong in applying the FOIPPA prohibitions since he was not an officer of the City in accordance with FOIPPA. On appeal, the Judge restated a number of reasons why a Councillor is an official of the City. The Court relied on the language in the Local Government Act describing Councillors as municipal public officers. The Court affirmed that public bodies may only release personal information about individuals in its possession or control through the processes set forth in FOIPPA. In this case, the Court confirmed that none of the processes specified in FOIPPA for the release of personal information were followed. This included the fact that the head of the public body, who in this case was the City Manager, was not asked to review the report to determine what, if anything, could be the subject of lawful disclosure. The Court concluded that nothing in FOIPPA authorizes the release of personal information by a Councillor acting alone as an officer of the municipality. [Source]

Consumer

US – E-Scores Help E-Commerce, Raise Concerns

The growing use of e-scores—the digital valuations of a consumer’s purchasing potential—is becoming an important component of predictive consumer analytics but has federal regulators and consumer advocates worried it could put certain consumers at a financial disadvantage. Some advocates believe the practice creates a two-tiered system that can deny low-value consumers various opportunities. Neustar CPO Becky Burr said the system helps companies locate and communicate with their markets. “They want to allocate their marketing money efficiently, and consumers want messages that are relevant,” she said, adding that the scores are predictions about consumer groups, not individuals. [The New York Times] See also: [NYT: Shopper Alert: Price May Drop for You Alone]

WW – Getting Customers to Share Personal Data

Customers are willing to share personal information with companies in exchange for perks like free Internet and mobile services. And the more valuable the benefits, the more information customers are willing to share, according to a recent report from PwC, “Consumer Privacy: What Are Consumers Willing to Share?” Consumers want to be in control of the information they share, which means companies that want to build good relationships have to give them granular control of what and how they share data. And the more transparent a company can be, the more trusted it will be, the survey finds. Targeting various age groups with different perks and making sure information sharing is explicit and done with permission can also help build relationships with customers. Having strong security practices in place is a must for companies that want consumers to share data: 61% of the respondents said they would stop using a company’s online services after a breach. [Source]

US – Mobile Data Privacy Laws Misunderstood by Users

Smartphone users’ understanding of privacy laws may not be accurate, according to a recent survey by law researchers from the University of California at Berkeley. The survey considered data from 1,200 users telephoned on either a landline or a mobile phone and sought to gain insight on perceptions about privacy as it relates to data stored on mobile devices. Researchers found that over 80% of users surveyed believed that their mobile phone was as private as their personal computer. Further, 70% of users would not want their cell phone provider to use location-based data to target ads to them, nor would they wish for social networking apps to use their contact lists. [Source] See also: [Commission nationale de l’informatique et des libertés, France – Smartphones and Privacy: Towards a New Vision of Data Protection?]

E-Government

ON – Ontario Withholding ‘Sensitive’ Statistics on Abortion in the Province

The Ontario government says it recently restricted public access to records of abortion services because the data is “highly sensitive.” The change has prompted criticism from some anti-abortion groups, saying the public’s ability to request abortion data was important because statistics currently released by government entities are “shoddy.” B.C. has had a similar clause in its Freedom of Information act since 2001, restricting the disclosure of information relating to abortion services. The change came after several clinics and hospitals in the province were targeted by anti-abortion groups, as well as violence against North American abortion providers, and was intended to protect the providers. But in recent years, as provinces change the way they report abortion data, the quality of the statistics around the procedure has declined. The recent Ontario change came as part of Bill 122, aimed at greater financial accountability for the broader public sector, exempting “records relating to the provision of abortion services” from the Freedom of Information and Privacy Protection Act. This clause, which came into effect along with Bill 122 in January this year, prevents the public from requesting information from Ontario institutions related to the procedure. [Source]

US – GAO: Update Federal Privacy Law to Address Changing Technology Landscape

Technological developments such as federal agencies’ use of Web 2.0 and data-mining technologies have rendered some of the provisions of federal legislation inadequate to protect all personally identifiable information (“PII”) collected, used, and maintained by the federal government. The three major areas of concern are: applying privacy protections consistently to all federal collection and use of personal information (“PI”) (e.g., the Privacy Act’s protections only apply to PI when it is considered part of a “system of records” as defined by the act, but agencies routinely access such information in ways that may not fall under this definition); ensuring that use of PII is limited to a stated purpose (e.g., current law imposes only modest requirements for describing the purposes for collecting PI and how it will be used, which could allow for unnecessarily broad ranges of PII use); and establishing effective mechanisms for informing the public about privacy protections (e.g., concerns have been raised as to whether the mandatory provision of notices by agencies in the Federal Register is an effective way of informing the public). Recommendations include setting specific limits on the use of information within agencies and requiring agencies to establish formal agreements with external government entities before sharing PII; revising the system-of-records definition to cover all PII collected, used and maintained systematically by the federal government; and setting requirements to ensure that purpose, collection, and use limitations are better addressed in the content of privacy notices and revising the Privacy Act to require that all notices be published on a standard website. [Source]

E-Mail

US – Gliph’s Cutting-Edge Cloaked Email™ Protects Email Privacy

Gliph, a one-of-a-kind mobile and web app, today announced the availability of Cloaked Email, a new and innovative method for protecting the privacy of users’ email addresses. Cloaked Email allows users to both send and receive email using their normal email client, while keeping their real email address a secret. Email sent to the cloaked address is smoothly forwarded to users’ real email addresses. When the user replies, their real email address is automatically replaced with the cloak address. This design is perfect for situations like Craigslist communications and transactions, where users often prefer to keep their real identity under wraps. In addition to general privacy protection, Cloaked Email offers Gliph users a new layer of protection against potential data breaches. By registering for a website or newsletter using a Cloaked Email address instead of a real one, Gliph users can limit their exposure to breach or attack. Gliph is available for free on the App Store (https://gli.ph/iphone); the Android Marketplace (https://gli.ph/android); and as a mobile web app (https://gli.ph/m). For more information, visit http://blog.gli.ph. [Source] See also: [US: Surge in spam text messages puts privacy at risk] and also: [Canadian Update – Current Status of the New Anti-Spam Law]

Electronic Records

US – Researchers Developing Patient-Controlled Exchange System

A prototype health information exchange technology allows patients and providers to exchange digital information across unaffiliated healthcare organizations. Developed by Wake Forest School of Medicine’s Department of Biomedical Engineering, the pilot system provides patients with an access key that can be shared with providers at the patient’s discretion. Privacy advocate Deborah Peel applauded the pilot system, saying, “The majority of current (health IT) systems and data exchanges violate medical ethics and patients’ long-standing right to control PHI…Bravo to the Wake Forest research team for finally building effective electronic patient consent tools.” [Modern Healthcare] SEE ALSO: [Cornell: New technique to share personal data while protecting privacy]

Encryption

US – NIST to Release Draft of New Government Encryption Standard Guidelines

The US National Institute of Standards and Technology (NIST) plans to release a draft regarding a new government encryption standard. Currently, NIST’s standard requires that government agencies support Transport Layer Security (TLS) 1.0 encryption; the update will require TLS 1.1 and 1.2. This means that “some agencies … will need to … acquire new web server products to support” the new versions of TLS. The lag time between a release for public review and finalization of a standard is usually about six months. NIST’s draft document for public comment is expected to be released next month. [Source]

WW – RIM Denies India’s Claims That it Has Encryption Keys for Enterprise Customers

BlackBerry parent company Research in Motion (RIM) is refuting India’s claims that the company has provided the Indian government with encryption keys that allow it to access communications between BlackBerry enterprise customers. RIM has reiterated that it “cannot access information encrypted through BlackBerry Enterprise Server as [it] is not ever in possession of the encryption keys.” History supports RIM’s assertions. The company has in the past refused to relinquish customer data and has refused law enforcement requests to build back doors into its products. What is likely is that India now has a BlackBerry Enterprise Server (BES) located there for consumers who don’t connect to a corporate BES. [v3.uk] [The Register]

CN – Chinese Gov’t Proposes Healthcare Privacy Draft Regulation

China’s Ministry of Health has proposed a draft regulation requiring health departments to protect and secure patient privacy. The regulation would amend the Tuberculosis (TB) Prevention and Control Regulation and is now open for public comment. The draft says, “Health departments can obtain information from units or people and inspect related venues out of the need for TB prevention and treatment” but should also maintain patient privacy. Entities that leak private information will be disciplined or prosecuted, the report states. [Xinhua]

EU Developments

EU – German DPA Reopens Investigation into Facebook Facial Recognition

Hamburg Data Protection Officer Johannes Caspar has reopened an investigation into Facebook’s facial recognition practices, saying the company is illegally amassing a photo database without users’ consent. Caspar said, “We have met repeatedly with Facebook but have not been able to get their cooperation on this issue, which has grave implications for personal data.” Caspar’s office wants Facebook to destroy its database of faces collected in Germany and alter its website to obtain express consent, the report states. Facebook said, “We believe that the photo tag suggest feature…is fully compliant with EU data protection laws.” [The New York Times]

UK – ICO Issues Guidance for SMBs

The Information Commissioner’s Office (ICO) has issued guidance on the top five areas of improvement recommended for small- and medium-size businesses. Among the suggestions, staff training and communication with customers are the most important. The office suggests organizations tell people how their data is being used; ensure proper staff training; use strong passwords; encrypt portable devices; and only retain data for as long as necessary. The ICO recommends charities and third parties conduct data protection checkups given that they often handle sensitive information. The office also offers advis